SecureZIP™ for iSeries User's Guide - PKWare

SecureZIP for iSeries
User’s Guide
SZIU-V8R0000
PKWARE Inc.

PKWARE Inc.
9009 Springboro Pike
Miamisburg, Ohio 45342
Sales: 937-847-2374
Support: 937-847-2687
Fax: 937-847-2375
Web Site: http://www.pkware.com
Sales - Email: pksales@pkware.com
Support - http://www.pkware.com/support
8.1 Edition (2005)
SecureZIP for iSeries , PKZIP for iSeries, PKZIP for MVS, PKZIP for zSeries, PKZIP for
OS/400, PKZIP for VSE, PKZIP for UNIX, and PKZIP for Windows are just a few of the
many members in the PKZIP ® family. PKWARE, Inc. would like to thank all the individuals and
companies -- including our customers, resellers, distributors, and technology partners -- who
have helped make PKZIP ® the industry standard for Trusted ZIP solutions. PKZIP ® enables our
customers to efficiently and securely transmit and store information across systems of all
sizes, ranging from desktops to mainframes.
This edition applies to the following PKWARE, Inc. licensed program:
SecureZIP for iSeries (Version 8, Release 1, 2005)
PKZIP is a registered trademark of PKWARE Inc. SecureZIP is a trademark of PKWARE Inc.
Other product names mentioned in this manual may be a trademark or registered trademarks
of their respective companies and are hereby acknowledged.
Any reference to licensed programs or other material, belonging to any company, is not
intended to state or imply that such programs or material are available or may be used. The
copyright in this work is owned by PKWARE, Inc., and the document is issued in confidence for
the purpose only for which it is supplied. It must not be reproduced in whole or in part or used
for tendering purposes except under an agreement or with the consent in writing of PKWARE,
Inc., and then only on condition that this notice is included in any such reproduction. No
information as to the contents or subject matter of this document or any part thereof either
directly or indirectly arising there from shall be given or communicated in any manner
whatsoever to a third party being an individual firm or company or any employee thereof
without the prior consent in writing of PKWARE, Inc.
Copyright © 1989 - 2005 PKWARE, Inc. All rights reserved.

Contents
PREFACE............................................................................................................. 1
Notices ........................................................................................................................ 1
About this Manual...................................................................................................... 1
Conventions Used in this Manual ............................................................................ 2
Related Publications.................................................................................................. 3
Related IBM Publications .......................................................................................... 3
Related Information on the Internet ......................................................................... 4
User Help and Contact Information.......................................................................... 4
1 SECUREZIP FOR ISERIES............................................................................ 5
Data Compression ..................................................................................................... 5
ZIP Archives ............................................................................................................... 6
Cyclic Redundancy Check ........................................................................................ 6
Encryption .................................................................................................................. 7
Large Files Considerations....................................................................................... 7
Large File Support Summary ................................................................................... 7
Large File Support File Capacities ........................................................................... 7
Cross Platform Compatibility ................................................................................... 8
ZIP File Format Specification.................................................................................... 9
Release Summary .................................................................................................... 10
New Features in SecureZIP for iSeries Release 8.1.............................................. 10
New Features in SecureZIP for iSeries Release 8.0.............................................. 10
SecureZIP for iSeries Restrictions ......................................................................... 10
2 DATA SECURITY ......................................................................................... 12
Encryption ................................................................................................................ 12
Authentication .......................................................................................................... 13
Data Integrity .......................................................................................................... 13
Digital Signature Validation .................................................................................... 13
Digital Signature Source Validation........................................................................ 14
iii

Public-Key Infrastructure and Digital Certificates................................................ 14
Public-Key Infrastructure (PKI)............................................................................... 14
X.509 ...................................................................................................................... 15
Digital Certificates................................................................................................... 15
Certificate Authority (CA)........................................................................................ 15
Private Key ............................................................................................................. 15
Public Key............................................................................................................... 16
Certificate Authority and Root Certificates ............................................................. 16
Types of Encryption Algorithms ............................................................................ 16
FIPS 46-3, Data Encryption Standard (DES) ......................................................... 16
Triple DES Algorithm (3DES) ................................................................................. 16
Advanced Encryption Standard (AES) ................................................................... 17
Comparison of the 3DES and AES Algorithms ...................................................... 17
RC4 ........................................................................................................................ 18
Key Management...................................................................................................... 18
Passwords and PINS ............................................................................................... 19
Recipient Based Encryption ................................................................................... 19
Random Number Generation .................................................................................. 19
Integrity of Public and Private Keys....................................................................... 20
Meeting Current Challenges ................................................................................... 20
Industry-Specific Mandates .................................................................................... 20
Data Encryption........................................................................................................ 22
Cross Product Matrix.............................................................................................. 23
Operating System Levels ....................................................................................... 23
Windows Compatibility ........................................................................................... 23
General Questions to help you get started with SecureZip for iSeries .................. 24
User Encryption Examples ..................................................................................... 26
Zip Compress File(s) and Write to an Archive File................................................. 27
Display the contents of an Archive File .................................................................. 28
Incorrect Password Use ......................................................................................... 29
3 GETTING STARTED WITH SECUREZIP FOR ISERIES............................. 30
Basic Features of SecureZIP for iSeries................................................................ 30
Extended Features of SecureZIP for iSeries ......................................................... 30
Invoking SecureZIP for iSeries Services ............................................................... 31
SecureZIP for iSeries Differences with other Platforms ...................................... 31
Use of SAVF Method................................................................................................ 32
4 SECUREZIP FOR ISERIES INSTALLATION............................................... 33
Unloading SecureZIP for iSeries from Tape.......................................................... 33
Unloading SecureZIP for iSeries from a CD-ROM ................................................ 34
METHOD A. LODRUN Command.......................................................................... 34
METHOD B. RSTLIB Command ............................................................................ 34
Using FTP to iSeries to Transfer a PKZIP Save File............................................. 35
Restoring SecureZIP for iSeries Product Library from a Save File .................... 35
iv

Installation Procedures ........................................................................................... 35
Licensing Requirements ......................................................................................... 36
Trial Period ............................................................................................................. 36
Release Licensing .................................................................................................. 36
Reporting Environment........................................................................................... 36
Updating License Files ........................................................................................... 37
Licensed Product Features .................................................................................... 38
Record Layouts ...................................................................................................... 40
Reporting ................................................................................................................ 42
Conditional Use ...................................................................................................... 44
Operating Environment ........................................................................................... 44
PKZDTA5 Data Area .............................................................................................. 45
How to Change the Standard PKZIP Library Name............................................... 45
Alternate Install from SAVF with Non-Standard Library Name .............................. 46
Running Without the PKZIP Library in the Library List........................................... 46
5 FILE SELECTION AND NAME PROCESSING............................................ 48
ZIP Processing File Selection................................................................................. 48
Primary File Selection Inputs.................................................................................. 48
File Exclusion Inputs ............................................................................................... 50
Input ZIP Archive Files ............................................................................................ 51
SPOOL File Selecting .............................................................................................. 51
6 ZIP FILES ..................................................................................................... 52
Data Format - Text Records vs. Binary Records .................................................. 52
File Attributes ........................................................................................................... 53
PC Shared Drives Format........................................................................................ 54
7 FILE EXTRACTING PROCESS ................................................................... 55
Extracting Files to the QSYS Library File System ................................................ 55
Authority Settings ................................................................................................... 56
Extracting Files to the IFS....................................................................................... 57
Path Considerations ............................................................................................... 57
Changing the path(s).............................................................................................. 57
File Type Considerations........................................................................................ 57
Extracting Spool Files ............................................................................................. 58
8 ISERIES FILE PROCESSING SUPPORT.................................................... 61
QSYS (Library File System) .................................................................................... 61
QSYS Summary ..................................................................................................... 61
IFS (Integrated File System).................................................................................... 62
Directories and Current Directory........................................................................... 62
Path and Path Names ............................................................................................ 62
Stream Files ........................................................................................................... 63
Other IFS Objects................................................................................................... 63
v

File Systems in the IFS .......................................................................................... 63
Document Library Services File System (QDLS) ................................................... 64
Optical File System (QOPT)................................................................................... 65
Using QSYS.LIB via the Integrated File System Interface..................................... 66
IFS Summary.......................................................................................................... 67
SAVF.......................................................................................................................... 67
Compressing a SAVF file ....................................................................................... 67
Extracting Records into a SAVF file ....................................................................... 67
Overwriting Current SAVF File ............................................................................... 68
Compressing Spool Files........................................................................................ 68
9 ZIP ARCHIVES ............................................................................................. 70
“Old” ZIP Archive..................................................................................................... 71
“Temporary” Archive File ....................................................................................... 71
“New” ZIP Archive ................................................................................................... 71
Self-Extracting Archive............................................................................................ 71
10 ABOUT SECURITY, CERTIFICATES, AND ENCRYPTION........................ 75
Keywords, Phrases, and Acronyms Used in This Chapter.................................. 75
Accessing Public and Private Key Certificates .................................................... 76
Public Key Certificate ............................................................................................. 76
Private Key Certificates .......................................................................................... 76
Enterprise Security Configuration ......................................................................... 77
Contents of the Configuration Profile ..................................................................... 77
File and Data Base (DB) (Local Certificate Store) ................................................. 79
LDAP Profile (Networked Certificate Store) ........................................................... 80
Certificate Store Administration and Configuration............................................. 80
Access x.509 Public and Private Key Certificates.................................................. 80
Local Certificate Store ............................................................................................ 80
Certificate Authority and Root Certificates Stores.................................................. 80
Certificate Revocation List Stores .......................................................................... 81
Local Certificate Locator Database ........................................................................ 81
LDAP Certificate Store ........................................................................................... 81
Certificate Authority, Root Certificates and CRL Store Administration............. 82
Local Certificate Store Administration .................................................................. 84
Build Private and Public Store Paths...................................................................... 84
Initialize and Build Certificate Locator Database:................................................... 85
Directory Certificate Store Configuration - LDAP................................................. 86
Testing the LDAP Connection ................................................................................ 86
Getting Started with PKWARE Test Digital Certificates....................................... 87
Step 1: Define IFS Certificate Stores .................................................................... 88
Step 2: Extract Test Certificates, Inlist, Inputs, and Stores................................... 89
Step 3: Setup Security Configuration File with PKCFGSEC Command ............... 90
Step 4: Add Trusted Roots and Intermediate Certificates to the Certificate Stores.91
Step 5: Build the Certificate Locator Database with PKBLDCDB ......................... 92
Step 6: Compress File with Public Digital Certificates .......................................... 93
Step 7: View Details of Archive ............................................................................. 94
vi

Step 8: Decrypting File with Private Key Certificates............................................ 94
Step 9: Using Input List File for ENTPREC Certificate List................................... 95
Step 10: Sign Files and Archive with Private Keys ............................................... 96
Step 11: Authenticate Signed Files and Archive................................................... 97
Step 12: Sign Files and Archive with PK Test 9 Certificate .................................. 99
Step 13: Add CA to Make the Trust Valid and Then Sign Archive........................ 99
Step 14: Revoke PK Test 9 Certificate and Confirm Revocation........................ 100
Filename Encryption.............................................................................................. 102
How SecureZIP Encrypts File Names.................................................................. 102
When SecureZIP Encrypts File Names................................................................ 102
Encrypting File Names When You Update an Archive......................................... 103
Opening and Viewing an Archive that Has Encrypted File Names ...................... 103
Security Examples ................................................................................................. 104
SecureZIP using Recipients or Combo ................................................................ 104
SecureZIP Encryption Using a Recipients List..................................................... 105
SecureZIP Encryption using LDAP search for Recipients ................................... 106
UNZIP Compressed File(s) from an Archive File Using Recipients.................. 106
Unzip Output using Recipients ............................................................................. 107
View the Contents of an Archive File................................................................... 107
View Detail Display............................................................................................... 108
11 PKZIP COMMAND ..................................................................................... 110
PKZIP Command Summary with Parameter Keyword Format.......................... 110
PKZIP Command Keyword Details....................................................................... 116
12 PKUNZIP COMMAND ................................................................................ 152
PKUNZIP Command Summary with Parameter Keyword Format..................... 152
PKUNZIP Command Keyword Details.................................................................. 156
13 PKCFGSEC “CONFIGURE SECURITY PARAMETERS” COMMAND..... 176
PKCFGSEC Command Summary with Parameter Keyword Format ................ 176
Usage Notes......................................................................................................... 176
PKCFGSEC Command Keyword Details ............................................................. 180
Windows Compatibility ......................................................................................... 198
14 PKLDAPTST “LDAP TEST” COMMAND.................................................. 199
PKLDAPTST Command Summary with Parameter Keyword Format............... 199
PKLDAPTST Command Keyword Details............................................................ 200
15 PKBLDCDB “BUILD CERTIFICATE DATABASE” COMMAND............... 203
PKBLDCDB Command Summary with Parameter Keyword Format ................ 203
PKBLDCDB Command Keyword Details ............................................................. 204
vii

16 PKQRYCDB “QUERY CERT DATABASE” COMMAND .......................... 210
PKQRYCDB Command Summary with Parameter Keyword Format............... 210
PKQRYCDB Command Keyword Details............................................................. 210
17 PKSTORADM “CERTIFICATE STORE ADMINISTRATION” COMMAND215
PKSTORADM Command Summary with Parameter Keyword Format ............. 215
PKSTORADM Command Keyword Details .......................................................... 216
18 PROCESSING WITH GZIP......................................................................... 227
Introduction to GZIP (GNU zip)............................................................................. 227
GZIP Archive Files Used By SecureZIP for iSeries ............................................ 228
Cross Platform Compatibility ............................................................................... 229
GZIP Restrictions ................................................................................................. 229
Special Note on GZIP Passwords........................................................................ 229
Processing GZIP Archives .................................................................................... 229
GZIP Compressing............................................................................................... 230
GZIP Extracting .................................................................................................... 230
Sample GZIP Processing ...................................................................................... 231
Compressing a file................................................................................................ 231
19 MESSAGES................................................................................................ 232
AQZ0001 - AQZ0799 Messages ............................................................................ 234
AQZ0800 - AQZ0899 *VIEW Display Messages................................................... 288
AQZ8xxx Configuration Messages....................................................................... 302
AQZ9xxx LICENSE Messages............................................................................... 311
ZPCA801x – ZPCA899x Messages ....................................................................... 321
A PERFORMANCE CONSIDERATIONS ...................................................... 335
Interactive Performance ........................................................................................ 335
Compression Type Performance.......................................................................... 335
Data Type Selection............................................................................................... 336
Archive Placement (IFS or in a Library)............................................................... 336
ZIP64 Processing Considerations........................................................................ 336
Encryption Performance ....................................................................................... 337
Extended Attributes Selections............................................................................ 337
B EXAMPLES ................................................................................................ 339
Example 1 - PKUNZIP Files to a New or Different Library ................................. 339
Example 2 - CLP with Override for Stdout and Stderr to an OUTQ .................. 340
Example 3 - Creating an Archive in Personal Folders (QDLS).......................... 341
viii

Example 4 - Processing Archive on a CD (QOPT) .............................................. 342
Example 5 - Compressing files from a CD (QOPT)............................................. 343
Example 6 - Compressing CL with MSG Checking ............................................ 344
Example 7 – Compressing Spool Files Samples ................................................ 345
Example 8 – PKZSPOOL The Last Spool File of Current Job ........................... 346
Example 9 - CL to Compress All Spool Files for a Job to a PDF ..................... 346
C MEMORY ERRORS.................................................................................... 348
D EXTERNAL NAME CONVERSION PROGRAM CVTNAME...................... 349
Sample CVTNAME.................................................................................................. 350
E LIST FILES ................................................................................................. 356
Creating List Files .................................................................................................. 356
Using List Files as Input........................................................................................ 356
F TRANSLATION TABLES ........................................................................... 358
Standard Code Page Support with Tables .......................................................... 358
International Code Page Support ......................................................................... 359
Translation Table Layout...................................................................................... 360
Creating New Translation Table Members........................................................... 360
Example of PKZTABLES (USASCII) Translation Table....................................... 360
G IMPLEMENTATION CONSIDERATIONS .................................................. 362
Key Features........................................................................................................... 362
H SPOOL FILES CONSIDERATIONS........................................................... 364
Spool File Selections............................................................................................. 364
SPLF Attributes .................................................................................................... 364
PDF Creation Attributes ....................................................................................... 365
I HISTORY OF CHANGES ........................................................................... 367
RELEASE 5.6 September 2003 ............................................................................ 367
RELEASE 5.5 January 2003 ................................................................................. 368
RELEASE 5.5.1 – March 2003 ............................................................................... 369
RELEASE 5.5.2 – May 2003 ................................................................................... 370
J CREATING COMMANDS WITH NEW DEFAULTS ................................... 371
K EXTENDED ATTRIBUTES......................................................................... 372
Standard QSYS Library File System Attributes .................................................. 372
ix

Physical Files (both Source and Data)................................................................. 372
SAVF .................................................................................................................... 373
Standard IFS Attributes......................................................................................... 373
Advanced Encryption Attributes .......................................................................... 373
DATABASE Attributes ........................................................................................... 373
File Physical Attributes ......................................................................................... 374
File Field Attributes............................................................................................... 375
Key Field Attributes .............................................................................................. 376
Database Attribute Considerations....................................................................... 376
Source File Considerations .................................................................................. 377
Spool File Attributes.............................................................................................. 377
L FIPS-197 CERTIFICATION OF PKZIP FOR AES...................................... 378
Advanced Encryption Standard FIPS Validation ................................................ 378
The AES Algorithm ................................................................................................ 378
AES Key Sizes ........................................................................................................ 378
M CONTACT INFORMATION ........................................................................ 380
PKWARE, Inc. ......................................................................................................... 380
PROBLEM REPORTING ..................................................................................... 380
PROBLEM REPORTING (General) ..................................................................... 380
PROBLEM REPORTING (Licensing)................................................................... 381
GLOSSARY...................................................................................................... 382
INDEX ............................................................................................................... 394
x

Preface
The PKZIP ® family of products consists of high performance data compression
software. The archives resulting from compression by SecureZIP for iSeries can be
transported or transmitted to other operating system platforms where they will
undergo decompression by PKUNZIP or an acceptable substitute.
Notices
Licensing requirements have changed for this release. See “Licensing Requirements”
in Chapter 4 for more details.
About this Manual
This manual provides the information needed to utilize SecureZIP for iSeries in an
operational environment. It is assumed that people using this manual have a good
understanding of (Control Language) CL and dataset processing. Note that the
contents of this manual apply to the following operating systems:
• OS/400
• iSeries
• Chapter 1. Provides a general description of the SecureZIP product, which is
applicable to all supported platforms. It goes on to describe the OS/400
specific features of the SecureZIP for iSeries product and provides a simple
description of how the SecureZIP for iSeries product is used to provide the
compression and decompression of datasets.
• Chapter 2. Provides a general discussion of data security along with specific
implementations of encryption
• Chapter 3. Provides all of the general getting started information for invoking
PKZIP and PKUNZIP. This chapter explains the details associated with
compression, decompression, restrictions, migration, and a complete view of
the general SecureZIP for iSeries features.
• Chapter 4. Provides detailed information and guidance on installation from
tape, CD-ROM, using FTP, general installation procedures, and licensing
procedures
• Chapter 5. Provides all of the general file selection and naming processing to
include: primary file selection, exclusions, and ZIP archive files
• Chapter 6. Provides a summary of the ZIP file data formats, such as text
versus binary, and file attributes
1

• Chapter 7. Provides all of the general rules for extracting files to the QSYS
library file system, integrated file system (IFS), and spool files
• Chapter 8. Provides information regarding the OS/400 file processing support
for library, integrated file system, SAVF (save files), and spool files
• Chapter 9. Provides detailed information regarding old ZIP files, temporary
archives, and new ZIP archives
• Chapter 10. Provides s quick reference to how to start using certificates and
file name encryption and discusses how to utilize SecureZIP for iSeries to
secure your data
• Chapter 11. Provides a summary and detail of the PKZIP command’s
parameters with keyword formats and details
• Chapter 12. Provides a summary and detail of the PKUNZIP command’s
parameters with keyword formats and details
• Chapter 13. Provides a summary and detail of the PKCFGSEC command’s
parameters with keyword formats and details
• Chapter 14. Provides a summary and detail of the PKLDAPTST command’s
parameters with keyword formats and details
• Chapter 15. Provides a summary and detail of the PKBLDCDB command’s
parameters with keyword formats and details
• Chapter 16. Provides a summary and detail of the PKQRYCDB command, used
to query the certificate locator database files or a certificate file in the IFS
• Chapter 17. Describes the PKSTORADM (Certificate Store Administration)
command
• Chapter 18. Describes the GZIP archive format and the GZIP processing
supported by SecureZIP for iSeries
• Chapter 19. Lists and explains SecureZIP-generated messages
• Glossary. Contains a glossary of OS/400 specific terms
• Index. Contains a detailed list of terms and their locations within this
document
This manual is intended for persons responsible for implementing and using
SecureZIP for iSeries. The manual assumes that the reader has a good
understanding of CL and dataset processing.
Conventions Used in this Manual
Throughout this manual, the following conventions are used:
The use of the Courier font indicates text that may be found in control language
(CL), parameter controls, or printed output.
The use of italics indicates a value that must be substituted by the user, for example,
a dataset name. It may also be used to indicate the title of an associated manual or
the title of a chapter within this manual.
Bullets (•) indicate items (or instructions) in a list.
2

The use of in a command definition indicates a mandatory
parameter.
The use of [square brackets] in a command definition indicates an optional
parameter.
A vertical bar (|) in a command definition is used to separate mutually exclusive
parameter options or modifiers.
Related Publications
The PKZIP family of products includes the following manuals:
• SecureZIP for iSeries User's Guide
• PKZIP for iSeries User's Guide
• SecureZIP for zSeries User's Guide
• PKZIP for zSeries User's Guide
• PKZIP for zSeries & PKZIP for VSE Messages and Codes
• PKZIP for VSE User's Guide
• PKZIP for Command Line - UNIX User's Guide
• PKZIP for Command Line - Windows User's Guide
Related IBM Publications
IBM manuals relating to the SecureZIP for iSeries product include:
• System Messages: This manual documents messages issued by the iSeries
operating system. The descriptions explain why the component issued the
message, provide the actions of the operating system, and suggest responses
by the applications programmer, system programmer, and/or operator.
• OS/400 CL Programming (SC41-5721): This manual provides a widerange
discussion of iSeries e Advanced Series programming topics, including:
Control language programming, iSeries e Advanced Series programming
concepts, objects and libraries, and message handling.
• OS/400 CL Reference (SC41-5722 thru SC41-5726): This manual may
be used in the iSeries Information Center to find information on the following
CL reference topics: OS/400 commands, OS/400 objects, command
description format, command parts, command syntax, about syntax
diagrams, CL character sets and values, object naming rules, expressions in
CL commands, and command definition statements.
• Integrated File System Introduction (SC41-5711): This book provides
an overview of the integrated file system includes these topics:
• What is the integrated file system?
• Why might you want to use it
• Integrated file system concepts and terminology
• Interfaces you can use to interact with the integrated file system
3

• APIs and techniques you can use to create programs that interact with the
integrated file system
• Characteristics of individual file systems
• File Management (SC41-5710): This manual describes the data
management portion of the Operating System/400 licensed program. Data
management provides applications with access to input and output file data
that is external to the application. There are several types of these input and
output files, and each file type has its own characteristics. In addition, all of
the file types share a common set of characteristics.
• DDS Reference (RBAF-P000-00): This manual contains detailed
instructions for coding the data description specifications (DDS) for files that
can be described externally. These files are the physical, logical, display,
printer, and intersystem communications functions, hereafter referred to as
ICF files.
Related Information on the Internet
PKWARE, Inc.
www.pkware.com
FTP site
Product Downloads
Product Manuals
National Institutes of Standards Computer Security Resource Center
http://csrc.ncsl.nist.gov
Information on AES development
http://csrc.nist.gov/encryption/aes/
Information on key Management
http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html/
RSA BSAFE ® Content library
http://www.rsasecurity.com
User Help and Contact Information
For Licensing, please contact the Sales Division at 937-847-2374 or email
PKSALES@PKWARE.COM.
For Technical Support assistance, please contact the Product Services Division at
937-847-2687 or email technical support or visit the support web site
Appendix M lists the types of information needed to resolve issues with the product.
4

1 SecureZIP for iSeries
SecureZIP for iSeries uses two main commands—PKZIP and PKUNZIP—to control
its high-performance data compression functionality. The PKZIP command launches a
utility that compresses files and places them in a ZIP format archive. PKUNZIP
reverses this process: it decompresses data in a ZIP archive created by SecureZIP or
another file compression program and restores the files to their original form. Both
commands are controlled by options that allow a variety of functions to be
performed.
Multiple levels of processing control are available through the use of customized
option modules, shared command lists, and individual job inputs. In addition to file
selection, features such as compression levels and performance selections can be
specified. Also, a 32-bit cyclic redundancy check (CRC) is a standard feature used to
guarantee data integrity.
A ZIP archive is platform-independent; therefore, data compressed (ZIPPED) on one
platform, for example, UNIX, can be decompressed (UNZIPPED) on another platform,
for example, OS/400 and MVS/ESA, by using a compatible version of PKUNZIP.
Data Compression
Because data compression techniques reduce file size, a compressed data file will use
less storage space and can be transferred in a faster, more efficient manner. A file
can be compressed (a ZIP candidate) to a compact size (ZIPPED file), and then to
use the file again, it must be uncompressed or extracted to its original size
(UNZIPPED file).
One easy data compression method eliminates repeating or redundant data by
replacing it with representative information that will be used when restoring the
data. An example of this data compression technique is the Run-Length Encoding
method, which applies to redundant data where a repeating character (the run) is
represented as a count or value (the length). The compressed form is the repeated
character with its count.
Example: B 2 2 2 2 E H H H H H H H H H
Compressed: B *4 2 E *9 H
Note: The efficiency of this method is dependent upon the amount of redundancy in
the data.
5

To perform a thorough compression operation, more advanced algorithms and
enhanced techniques are required. SecureZIP for iSeries uses just such methods
to achieve maximum results.
ZIP Archives
SecureZIP for iSeries is capable of storing compressed data in ZIP archives. There
is no limit to the number of archives you may create.
ZIP archive capability:
• ZIP archive refers to any valid ZIP-format file created by a PKZIP ® 4.xcompatible
product.
• ZIP64 refers to ZIP archives that include the ZIP64 format that can handle
more than 65,534 files and files that exceed 4 GB. (See “Large Files
Considerations”).
• Each standard archive can store up to 65,534 files.
• Files that are over 4 GB have to be archived with GIZP or by using the Large
File Support.
• Each standard archive may contain up to 4 GB of data. ZIP64 is required for
larger archives.
For each file in the archive, the following information is stored with the compressed
data:
• Filename.
• File directory date and time.
• File’s initial CRC value (see Cyclic Redundancy Check).
• Method of compression used.
• SecureZIP for iSeries version required for file extraction.
• File size, uncompressed.
• File size, compressed.
Some files may contain the following additional information:
• The version of SecureZIP for iSeries that created the file.
• File attributes.
• Any comment about the file.
• Any comment about the archive.
• Platform specific attributes (see Cross Platform Compatibility).
• If encrypted and what method of encryption.
Cyclic Redundancy Check
Cyclic redundancy check (CRC) is a method used to verify the integrity of a data file
after it is restored from a ZIP archive.
6

Before a file is compressed, a SecureZIP for iSeries algorithm computes a 32 bit
hexadecimal value for its data. The CRC value is stored in a file that is within the ZIP
archive. When the data in the file is extracted, SecureZIP for iSeries processes it
again using the same algorithm to produce a second CRC value. Once the file is
processed, the original CRC value is compared to the new CRC value to ensure that
they match.
Note: If the data is the same as its previous state, the same CRC value will be
produced. When the two CRC values are compared, and should the extracted value
not match the stored, initial value, the integrity of the file is in question and
SecureZIP for iSeries reports the results. In this case, it is possible the data was
corrupted within the ZIP Archive.
Encryption
SecureZIP for iSeries can encrypt data for security control and provide a password
lockout for extracting data. Various security levels are available, with multiple
encryption algorithms. See Chapter 2 for a description of security features in
SecureZIP for iSeries.
Large Files Considerations
Large File Support Summary
The large file support feature known as ZIP64 throughout this manual was added to
PKZIP for iSeries in release 5.6. This separately licensed feature of SecureZIP for
iSeries provides several enhancements relating to capacity, size, and performance.
Some of the key features include:
Processing support (ZIP and UNZIP) for Archives enabled with the standard ZIP64
formats from other platforms.
An increased ZIP archive file capacity is raised from 65,534 to the theoretical limit of
4,294,967,295 files.
An increased user file size handler, raised from 4 Gigabytes minus 1 byte (32 bit
binary counter) to a theoretical limit of 9 Exabytes (64 bit binary counter).
An increased support for ZIP archive sizes exceeding 4 Gigabytes (same as user file
size limit).
The preceding values are given only as theoretical limits. In practice, there are
reasonable limitations due to the availability of resources along with processing
tolerances.
Note: 4 GB or Gigabyte is equal to 4,294,967,295 bytes. 9 EB or Exabyte is equal to
9,223,372,036,854,775,807 bytes.
Large File Support File Capacities
The original .ZIP file format has faithfully met the needs of computer users since it
was introduced by PKWARE in 1989. As computer technology has advanced over
time, storage capacities have increased dramatically. These increases make the
7

numbers and sizes of files that seemed unimaginable ten years ago a reality today.
To extend the utility of the .ZIP file format to meet these changing system needs,
PKWARE extended the .ZIP file format to support more than 65,535 files per archive
and archive sizes greater than 4 Gigabytes (GB). This is known as the ZIP64 format.
The specification for the .ZIP file format has been publicly available and distributed
by PKWARE in a file called APPNOTE.TXT. This file documents the internal data
structures and layout that define a .ZIP archive. The extensions introduced by
PKWARE fully supports all the features of your existing archives and newer versions
of PKZIP that supports these new extensions will continue to read all of your current
archives. Prior to the PKZIP for iSeries 5.6 release, versions of PKZIP on the
OS/400 were limited to storing no more than 65,534 files in a .ZIP archive.
Another limitation that existed prior to the 5.6 version of the PKZIP for iSeries was
that a single .ZIP archive or files in archive could not be larger than 4 GB
(4,294,967,295 bytes). The extended ZIP64 file format specification available with
PKZIP 5.6 supports creating .ZIP archives containing over 4 billion files and with
sizes larger than 9 quintillion bytes. These are only theoretical limits and most
iSeries systems and other computer systems in common use today do not have
enough storage capacity, CPU or available memory to create and store ZIP64
archives approaching these limits.
The practical limits imposed by a typical iSeries system in use today and configured
with various memory sizes will support compressing up to approximately 265,000
files. Compressing this number of files can take a long time, not only for the
compression process, but to manage the directories and properties of each of these
files.
Your available system resources (processor speed, DADS, Memory, and other
processing) limits the performance you can expect from SecureZIP when processing
large numbers of files or large archives. If you are compressing large numbers of
files on an iSeries with insufficient memory or other resources you can expect slow
processing.
When compressing large files, it is a good idea to have your archives set up to be
stored in the IFS rather than in a library/file. The overhead is much less when storing
the archive in the IFS. It is even more important when updating or adding to an
archive where the temporary archive will also be processed in the IFS
Versions of PKZIP for iSeries prior to 5.6 will not recognize these new features and
will be unable to view or extract any files in your archives that are dependent on
these ZIP64 features. Also, any ZIP compatible programs you may be using from
other companies will not be able to access all of the contents of your large archives.
They may report that an archive is too large, or they may incorrectly report that the
archive has errors. To ensure access to data in your large archives, always use
genuine PKZIP/SecureZIP from PKWARE.
Cross Platform Compatibility
Cross platform compatibility provides SecureZIP for iSeries its ability to allow data
to move between different computer operating environments. SecureZIP was
intentionally designed for cross platform use. Regardless of platform, SecureZIP for
iSeries archives are compatible with PKZIP for zSeries, PKZIP for MVS, PKZIP
for OS/400, PKZIP for VSE, PKZIP for UNIX, PKZIP for LINUX, PKZIP for
DOS, and PKZIP for Windows to name a few. Because SecureZIP for iSeries
8

automatically converts the data between EBCDIC and ASCII, files prepared on the
host are readable on any PC or UNIX system. The internal format of a ZIP archive is
identical regardless of which platform compressed the files that the archive contains.
If you want to transfer data across platforms using any other ZIP utility, you should
always run a test to verify the cross platform compatibility.
SecureZIP for iSeries uses the same ZIP file format used by other ZIP compatible
products, independent of the platform on which it is running. SecureZIP for iSeries
archives are not platform dependent allowing greater flexibility in file usage. Data
can be zipped on one platform, for example UNIX, and unzipped onto another
platform, such as OS/400. To do this, SecureZIP for iSeries converts the data
structure into the ZIP format and saves the appropriate file information in the ZIP
archival directory entries.
ZIP File Format Specification
The following table lists features of the ZIP file format specification supported on the
zSeries and iSeries platforms.
ZIP Feature Version MVS/zSeries OS400/iSeries
Default 1.0
File represents a volume label 1.1 Not supported Not supported
File represents a folder 2.0 Not supported Not supported
Deflate compression 2.0 2.x 2.x
Traditional encryption 2.0 2.x 2.x
Deflate64 compression 2.1 Not supported Not supported
DCL Implode compression 2.5 Not supported Not supported
File is a patched data set 2.7 Not supported Not supported
File uses Zip64 size extensions 4.5 5.6 5.6
BZip2 compression 4.6 Not supported Not supported
DES encryption 5.0 8.0 8.0
3DES encryption 5.0 8.0 8.0
RC2 encryption 5.0 Not supported Not supported
RC4 encryption 5.0 8.0 8.0
AES encryption 5.1 5.5 5.5
Certificate encryption using non-OAEP key wrapping 6.1 8.0 8.0
Central Directory Encryption (File Name Encryption) 6.2 8.0 8.0
If you want to transfer data across platforms using any other ”ZIP compatible”
product, you should check with the supplier first to confirm which versions of PKZIP
it is compatible with.
For more information regarding data formats, see “Data Format - Text Records vs.
Binary Records” in Chapter 6 for a discussion regarding special considerations when
transferring files between different platform types.
9

Release Summary
New Features in SecureZIP for iSeries Release 8.1
• File and archive signing
• File and archive authentication
• Digital signing and authentication
• Support for a static certificate revocation list
• Master recipient/contingency key for use with strong encryption
• New command PKSTORADM – Certificate Store Administration
• New command PKQRYCDB – Query Certificate Locator Database
New Features in SecureZIP for iSeries Release 8.0
• Product separation: PKZIP for iSeries and SecureZIP for iSeries
• BSAFE ® encryption
• More encryption algorithms for strong security
• Performance improvement with AES encryption
• ZIP and UNZIP supports encrypting and decrypting using digital certificates.
• Support for storing and managing digital certificates
• Support for utilizing directory integration (LDAP) for public certificate access
• File name encryption
• More translations tables included for ASCII-EDCDIC translations
• Provided the ability to have embedded spaces in the EXCLUDE file names
• Added the new option *LIBS to Spool File selection parameter SFQUEUE. By
specifying *LIBS (Library Scan) for the OUTQ and a valid OUTQ library name,
PKZIP will only select spool files from all OUTQs in the specified library.
• Expanded the CRTLIST file name parameter to handle up to 255 characters
for longer paths in the IFS
• Added *SIMULATE to the CRTLIST parameter in the PKZIP command.
*SIMULATE will list all files selected instead of writing the selected list to a
file.
• Default Changes: For SecureZIP ADVCRYPT is now AES256
• New Commands: PKCFGSEC –Update Security Configuration, PKLDAPTST -
LDAP Testing, and PKBLDCDB –Build Certificate Locator Database
SecureZIP for iSeries Restrictions
Due to various iSeries processing characteristics, the following restrictions should be
carefully reviewed to determine the best way to proceed when using SecureZIP for
iSeries:
10

SecureZIP for iSeries in the QSYS file system will only work with objects that have
an object type of *FILE and an attribute of PF-DTA, PF-SRC, and SAVF. To process
other objects such as *PGM, *CMD, etc., use the SAVF method (see “Use of SAVF
Method” in Chapter 3).
SecureZIP for iSeries in the integrated file system (IFS) will only work with stream
files (*STRM) and directories (*DIR).
Special database functionality, such as triggers, file constraints, alternate collating
sequence, and logical files are not stored in an archive. To maintain this
functionality, use the SAVF method (see “Use of SAVF Method”).
Special database fields for large objects (LOB) are not supported. These fields
include: character large objects (CLOBs), double-byte character large objects
(DBCLOBs), and binary large objects (BLOBs). In cases where the database contains
one of these types of fields, use the SAVF Method.
11

2 Data Security
This chapter details how SecureZIP for iSeries can strongly encrypt data for
security control and protection. Much of the reference information in this chapter
derives from the National Institutes of Standards and Technology. The NIST
Computer Security Resource Center web site, http://csrc.ncsl.nist.gov/, contains
FAQ’s and documentation relating to computer security along with the Federal
Information Processing Standard (FIPS) documents. In addition, the PKWARE web
site, WWW.PKWARE.COM, contains information relating to security and links to the
RSA Security, Inc web site that describes in detail the BSAFE implementation used in
SecureZIP for iSeries.
The following sections describe encryption, authentication, types of algorithms in
use, information about specific mandates requiring the use of secure data and how
SecureZIP for iSeries will secure that data. Examples of how SecureZIP for
iSeries can be used are provided in Chapter 10. Documentation for each command
can be found in the subsequent chapters.
Encryption
Encryption provides confidentiality for data. The data to be protected is called
plaintext. Encryption transforms the plaintext data into an unreadable form, called
ciphertext, using an encryption key. Decryption transforms the ciphertext back into
plaintext using a decryption key. Several algorithms have been approved in FIPS for
the encryption of general purpose data. Each of these algorithms is a symmetric key
algorithm, where the encryption key is the same as the decryption key. In order to
maintain the confidentiality of the data encrypted by a key, the key must be known
only by the entities that are authorized to access the data. These symmetric key
algorithms are commonly known as block cipher algorithms, because the encryption
and decryption processes each operate on blocks (chunks) of data of a fixed size.
FIPS 46-3 and FIPS 197 have been approved for the encryption of general-purpose
data. The protection of keys is discussed below under Key Management.
SecureZIP for iSeries uses symmetric key algorithms when encrypting user data.
12

Authentication
Authentication is the process of validating digital signatures that may be attached to
files in an archive or to an archive’s central directory.
Authentication is a separate operation from data encryption. Whereas encryption is
concerned with preventing parties from accessing sensitive data (such as private
medical or financial information), authentication confirms that information actually
comes unchanged from the purported source.
Authenticating digitally signed data both verifies the signature and validates the
signed data.
Data Integrity
SecureZIP uses a cyclic redundancy check (CRC) to ensure that data is successfully
transferred into and out of a ZIP archive. The CRC process creates a unique hash
value “thumbprint” from the original data stream. The thumbprint is regenerated at
the receiving end and compared with the hash of the source for equality. The
thumbprint value is stored independently of the data stream and is used during
UNZIP processing to complete validation of the data.
SecureZIP extends the concept of the CRC in two ways for the purpose of providing
a tamper-resistant container within the ZIP archive. First, more rigorous HASH
algorithms (MD5 and SHA-1) are used (as specified by the SIGN_HASHALG
command) in place of the 32-bit CRC to accurately reflect the uniqueness of the data
stream. Second, the hash value is encrypted within a digital signature using a
private-key certificate to protect it from tampering.
For more information regarding SHA-1 (Secure Hash Algorithm), see FIPS PUB 180-
1, describing the Secure Hash Standard, at http://www.itl.nist.gov/fipspubs/fip180-
1.htm.
SecureZIP for iSeries provides two commands, SIGN_ARCHIVE and SIGN_FILES,
to intiate the creation of digital signatures within the ZIP archive. The AUTHCHK
command is used to perform a tamper check operation using the digital signature
and hash.
Digital Signature Validation
SecureZIP makes use of certificate-based encryption within the public key
infrastructure (PKI) to generate and validate digital signatures. PKI provides an
authentication chain for certificates to guarantee that the signature was created by
the purported source. SecureZIP supports the certificate chain authentication
process by including necessary identification information within the ZIP archive.
Subsequently, the certificate(s) used for signing can be authenticated through a
complete chain of trust.
To complete the chain of trust, a root (or self-signed) certificate representing the
certificate’s issuing organization is installed on the authenticating system. This
provides the receiving organization with the authority to declare how the final trust
sequence should be treated. Signatures based on certificates from certificate
authorities (CA) that are not authorized or trusted are declared as being untrusted
by SecureZIP.
13

Additional facets of validating a certificate’s viability for use include a defined range
of dates within which a certificate may be used and whether the certificate has been
declared to have been revoked. Configurable SecureZIP policies (EXPIRED and
REVOKED attributes) provide support to ensure that the certificates involved in
authentication also adhere to these restrictions.
SecureZIP for iSeries provides a means to install and access the certificates
necessary for signing and authentication. The AUTHCHK command, along with
configured policy settings governs the type (archive directory or data files) and level
of authentication that is to be performed.
Digital Signature Source Validation
A final step in completing the authentication process is to ensure that the archive
and/or file data was sent from a particular source. Up to this point, using the
previous two aspects of authentication, we are certain that the archive directory
and/or files were signed with a private-key certificate that came from a trusted
source (CA) and that the data stream has not been tampered with since it was
placed into the ZIP archive. However, these steps alone do not guarantee that a
different party under the same root/CA chain did not perform the signing operation.
SecureZIP for iSeries provides an optional parameter in the AUTHCHK command
to declare the specific party from whom the data is expected.
Public-Key Infrastructure and Digital Certificates
Public-Key Infrastructure (PKI)
Use of digital certificates for encryption and digital signing relies on a combination of
supporting elements known as a public-key infrastructure (PKI). These elements
include software applications such as SecureZIP that work with certificates and keys
as well as underlying technologies and services.
The heart of PKI is a mechanism by which two cryptographic keys associated with a
piece of data called a certificate are used for encryption/decryption and for digital
signing and authentication. The keys look like long character strings but represent
very large numbers. One of the keys is private and must be kept secure so that only
its owner can use it. The other is a public key that may be freely distributed for
anyone to use to encrypt data intended for the owner of the certificate or to
authenticate signatures.
How the Keys Are Used
With encryption/decryption, a copy of the public key is used to encrypt data such
that only the possessor of the private key can decrypt it. Thus anyone with the public
key can encrypt for a recipient, and only the targeted recipient has the key with
which to decrypt.
With digital signing and authentication, the owner of the certificate uses the private
key to sign data, and anyone with access to a copy of the certificate containing the
public key can authenticate the signature and be assured that the signed data really
proceeds unchanged from the signer.
14

Authentication has one additional step. As an assurance that the signer is who he
says he is—that the certificate with Bob’s name on it is not fraudulent—the signer’s
certificate itself is signed by an issuing certificate authority (CA). The CA in effect
vouches that Bob is who he says he is. The CA signature is authenticated using the
public key of the CA certificate used. This CA certificate too may be signed, but at
some point the trust chain stops with a self-signed root CA certificate that is simply
trusted. The PKI provides for these several layers of end-user public key certificates,
intermediate CA certificates, and root certificates, as well as for users’ private keys.
X.509
X.509 is an International Telecommunication Union (ITU-T) standard for PKI. X.509
specifies, among other things, standard formats for public-key certificates. A publickey
certificate consists of the public portion of an asymmetric cryptographic key (the
public key), together with identity information, such as a person’s name, all signed
by a certificate authority. The CA essentially guarantees that the public key belongs
to the named entity.
Digital Certificates
A digital certificate is a special message that contains a public key and identify
information, such as the owner’s name and perhaps email address, about the owner.
An ordinary, end-user digital certificate is digitally signed by the CA that issued it to
warrant that the CA issued the certificate and has received satisfactory
documentation that the owner of the certificate is who he says he is. This warrant,
from a trusted CA, enables the certificate to be used to support digital signing and
authentication, and encryption of data uniquely for the owner of a certificate.
For example, Web servers frequently use digital certificates to authenticate the
server to a user and create an encrypted communications session to protect
transmitted secret information such as Personal Identification Numbers (PINs) and
passwords.
Similarly, an email message may be digitally signed, enabling the recipient of the
message to authenticate its authorship and that it was not altered during
transmission.
To use PKI technology in SecureZIP for iSeries for encryption and to attach digital
signatures, you must have a digital certificate. To learn how to get a digital
certificate and to use certificates for encryption, see Chapter 10.
Certificate Authority (CA)
A certificate authority (CA) is a company (usually) that, for a fee, will issue a publickey
certificate. The CA signs the certificate to warrant that the CA issued the
certificate and has received satisfactory documentation that the owner of the new
certificate is who he says he is.
Private Key
A digital certificate contains both private and public portions of an asymmetric
cryptographic key together with identity information, such as a person's name and
(possibly) email address. The private portion of the key is called the private key and
15

is used to decrypt data encrypted with the associated public key and to attach digital
signatures.
A private key must be accessible solely by the owner of the certificate because it
represents that person and provides access to encrypted data intended only for the
owner.
SecureZIP for iSeries uses a private key maintained in x.509 PKCS#12 format.
This means that the private key cannot be accessed unless a password is entered for
each SecureZIP request.
Public Key
A public key consists of the public portion of an asymmetric cryptographic key in a
certificate that also contains identity information, such as the certificate owner’s
name.
The public key is used to authenticate digital signatures created with the private key
and to encrypt files for the owner of the key’s certificate.
For information on the digital enveloping process SecureZIP for iSeries uses for
certificate-based encryption, see the Secure .ZIP Envelopes whitepaper at the
PKWARE Web site.
Certificate Authority and Root Certificates
End entity certificates and their related keys are used for signing and authentication.
They are created at the end of the trust hierarchy of certificate authorities. Each
certificate is signed by its CA issuer and is identified in the “Issued By” field in the
end certificate. In turn, a CA certificate can also be issued by a higher level CA. Such
certificates are known as intermediate CA certificates. At the top of the issuing chain
is a self-signed certificate known as the root.
SecureZIP for iSeries uses public-key certificates in PKCS#7 format. The
intermediate CA certificates are maintained independently from the ROOT
certificates.
Types of Encryption Algorithms
FIPS 46-3, Data Encryption Standard (DES)
The FIPS (Federal Information Processing Standards) specification 46-3 formerly
specified the DES algorithm for use in Federal government applications. In 2004, the
specification was changed such that DES is no longer approved for Federal
government applications.
Triple DES Algorithm (3DES)
Triple DES is a more recent algorithm related to DES. Triple DES is a method for
encrypting data in 64-bit blocks using three 56-bit keys by combining three
successive invocations of the DES algorithm.
16

ANSI X9.52 specifies seven modes of operation for 3DES and three keying options:
1) the three keys may be identical (one key 3DES), 2) the first and third key may be
the same but different from the second key (two key 3DES), or 3) all three keys may
be different (three key 3DES). One key 3DES is equivalent to DES under the same
key; therefore, one key 3DES, like DES, will not be approved after 2004. Two key
3DES provides more security than one key 3DES (or DES), and three key 3DES
achieves the highest level of security for 3DES. NIST recommends the use of three
different 56-bit keys in Triple DES for Federal Government sensitive/unclassified
applications.
SecureZIP for iSeries uses three-key 3DES when Triple DES is selected as the data
encryption algorithm.
Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) encryption algorithm specified in FIPS 197
is the result of a multiyear, worldwide competition to develop a replacement
algorithm for DES. The winning algorithm (originally known as Rijndael) was
announced in 2000 and adopted in FIPS 197 in 2001.
The AES algorithm encrypts and decrypts data in 128-bit blocks, with three possible
key sizes: 128, 192, or 256 bits. The nomenclature for the AES algorithm for the
different key sizes is AES-x, where x is the size of the AES key. NIST considers all
three AES key sizes adequate for Federal Government sensitive/unclassified
applications.
Please see http://www.nist.gov/public_affairs/releases/g00-176.htm a press release
recapping NIST’s position
SecureZIP for iSeries uses AES as the default encryption algorithm.
Comparison of the 3DES and AES Algorithms
Both the 3DES and AES algorithms are considered to be secure for the foreseeable
future. Below are some points of comparison:
• 3DES builds on DES implementations and is readily available in many
cryptographic products and protocols. The AES algorithm is new; although
many implementers are quickly adding the algorithm to their products, and
protocols are being modified to incorporate the algorithm, it may be several
years before the AES algorithm is as pervasive as 3DES.
• The AES algorithm was designed to provide better performance (e.g., faster
speed) than 3DES.
• Although the security of block cipher algorithms is difficult to quantify, the
AES algorithm, at any of the key sizes, appears to provide greater security
than 3DES. In particular, the best attack known against AES-128 is to try
every possible 128-bit key (i.e., perform an exhaustive key search, also
known as a brute force attack)). By contrast, although three key 3DES has a
168-bit key, there is a “shortcut” attack on 3DES that is comparable, in the
number of required operations, to performing an exhaustive key search on
112-bit keys. However, unlike exhaustive key search, this shortcut attack
requires a lot of memory. Assuming that such shortcut attacks are not
discovered for the AES algorithm, the uses of the AES algorithm may be more
appropriate for the protection of high-risk or long-term data.
17

• The smallest AES key size is 128 bits; the recommended key size for 3DES is
168 bits. The smaller key size means that fewer resources are needed for the
generation, exchange, and storage of key bits.
• The AES block size is 128 bits; the 3DES block size is 64 bits. For some
constrained environments, the smaller block size may be preferred; however,
the larger AES block size is more suitable for cryptographic applications,
especially those requiring data authentication on large amounts of data.
See http://www.nist.gov/public_affairs/releases/g00-176.htm for a press release
describing NIST’s position on the two algorithms.
With a block cipher algorithm, the same plaintext block will always encrypt to the
same ciphertext block whenever the same key is used. If the multiple blocks in a
typical message were to be encrypted separately, an adversary could easily
substitute individual blocks, possibly without detection. Furthermore, data patterns
in the plaintext would be apparent in the ciphertext. Cryptographic modes of
operation have been defined to alleviate these problems by combining the basic
cryptographic algorithm with a feedback of the information derived from the
cryptographic operation.
FIPS 81, DES Modes of Operation, defines four confidentiality (encryption) modes for
the DES algorithm specified in FIPS 46-3: the Electronic Codebook (ECB) mode, the
Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the
Output Feedback (OFB) mode.
SecureZIP for iSeries uses Cipher Block Chaining for data encryption.
RC4
The RC4 algorithm is a stream cipher designed by Rivest for RSA Security. It is a
variable key-size stream cipher with byte-oriented operations. The algorithm is
based on the use of a random permutation. Analysis shows that the period of the
cipher is overwhelmingly likely to be greater than 10 100 . Eight to sixteen machine
operations are required per output byte, and the cipher can be expected to run very
quickly in software. Independent analysts have scrutinized the algorithm and it is
considered secure.
RC4 is used for secure communications, as in the encryption of traffic to and from
secure web sites using the SSL protocol.
Key Management
The proper management of cryptographic keys is essential to the effective use of
cryptography for security. Keys are analogous to the combination of a safe. If the
combination becomes known to an adversary, the strongest safe provides no security
against penetration. Similarly, poor key management may easily compromise strong
algorithms. Ultimately, the security of information protected by cryptography directly
depends on the strength of the keys, the effectiveness of mechanisms and protocols
associated with keys, and the protection afforded the keys.
Cryptography can be rendered ineffective by the use of weak products, inappropriate
algorithm pairing, poor physical security, and the use of weak protocols. All keys
need to be protected against modification, and secret and private keys need to be
protected against unauthorized disclosure. Key management provides the foundation
18

for the secure generation, storage, distribution, and destruction of keys. Another role
of key management is key maintenance, specifically, the update/replacement of
keys.
Further information is available on key management at the NIST Computer Security
Resource Center web site, http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html
Passwords and PINS
FIPS 112, Password Usage, provides guidance on the generation and management of
passwords that are used to authenticate the identity of a system user and, in some
instances, to grant or deny access to private or shared data. This standard
recognizes that passwords are widely used in computer systems and networks for
these purposes, although passwords are not the only method of personal
authentication, and the standard does not endorse the use of passwords as the best
method.
The password used to encrypt a file with SecureZIP may be from 1 to 200 characters
in length. Different passwords may be used for various files within a ZIP archive,
although only one password may be specified per run.
The password is not stored in the ZIP archive and, as a result, care must be taken to
keep passwords secure and accessible by some other source.
Recipient Based Encryption
Password-based encryption depends on both the sender and receiver knowing, and
providing intellectual input (the password) in clear text. The password is used to
derive a binary master session key for each decryption run. No key information is
kept within the ZIP Archive, therefore both parties must retain the password in an
external location.
Recipient-based encryption provides a means by which the master session key (MSK)
information can be hidden, protected, and carried within the ZIP Archive. This is
done by using technique known as Digital Enveloping with public key Encryption. The
technique requires that the creating process have a copy of the recipient's public key
Digital Certificate, which is used to protect and store the MSK. In addition, the
receiving side must have a copy of the recipient’s private key digital certificate. With
these two pieces of information in place, there is no need for users to retain or recall
a password for decryption.
Random Number Generation
Random numbers are used within many cryptographic applications, such as the
generation of keys and other cryptographic values, the generation of digital
signatures, and challenge response protocols. Some approved algorithms to produce
random numbers have been specified in FIPS 186-2, Digital Signature Standard. An
effort is in progress by the Financial Services Committee of ANSI to develop a
random number generation standard.
19

Integrity of Public and Private Keys
Public and private keys must be managed properly to ensure their integrity. The key
owner is responsible for protecting private keys. The private signature key must be
kept under the sole control of the owner to prevent its misuse. The integrity of the
public key, on the other hand, is established through a digital certificate issued by a
certificate authority that cryptographically binds the individual’s identity to his or her
public key. Binding the individual’s identity to the public key corresponds to the
protection afforded to an individual’s private signature key.
A PKI includes the ability to recover from situations where an individual’s private
signature key is lost, stolen, compromised, or destroyed; this is done by revoking
the digital certificate that contains the private signature key’s corresponding public
key. The user then creates or is issued a new public/private signature key pair, and
receives a new digital certificate for the new public key.
The certificate authority (CA) plays a critical role in ensuring the integrity of public
keys in the PKI. Upon being presented with proper evidence of identity (usually
through a separate entity called a Registration authority), the CA issues a digital
certificate which contains the applicant’s public key, identity, and other information
(such as duration of the certificate), all signed by the CA’s private signature key. The
certificate may then be distributed or placed in publicly available databases, called
repositories. The CA operates under a Certificate Policy (CP) and Certification
Practices Statement (CPS) that collectively describe the CA’s responsibilities and
duties to its customers and trading partners. These policies include how the CA is
conducting its affairs in compliance with its contracts and, where applicable, federal
or state laws. The uses for which a certificate may be employed depend upon the
requirements surrounding its issuance; for example, the method of identity proofing
by the RA before certificate issuance and how well the private signature key is
protected.
Meeting Current Challenges
The need to secure sensitive data during transport and storage is increasingly
evident. Combining proven data compression technology with sophisticated data
security capabilities provides a logical mechanism for securely and efficiently storing
and transferring sensitive information. Millions of users around the world already rely
on and trust the ZIP format to store and exchange data. By offering support for
multiple levels of encryption, SecureZIP for iSeries is now advancing the usability
and accessibility of file security, enabling ZIP users to achieve more secure and
efficient modes of data communication than were previously possible.
SecureZIP for iSeries enables support for encryption and meets government
established requirements by applying strong encryption (DES, RC4, 3DES and AES).
See Appendix L for FIPS-197 AES Certification of PKZIP.
Industry-Specific Mandates
Financial Services Modernization Act - Gramm-Leach-Bliley Act (GLBA), also known
as the Financial Services Modernization Act, permits the cross ownership of banks,
brokerage firms and insurance companies, which was banned during the Great
Depression. Prompted by the merger of Citicorp and Travelers Insurance, which also
owned brokerage house Salomon Smith Barney, to form what is now known as
20

Citigroup, the GLB Act was enacted in 1999 to enable financial services firms to
provide a wide range of services to their customers. To protect sensitive customer
information, the GLB Act requires institutions to ensure the privacy and security of
customer data. Compliance with these security standards requirements is essential
and organizations must have their infrastructures audited to ensure they are meeting
federal guidelines.
The Electronic Signature Act - A digital signature is now just as valid as a
handwritten one. The Electronic Signature Act went into effect in 2000 and states
that a digital signature is legally binding. However, there has been no simple
software tool that a business can give to an employee, or a customer for that matter,
that allows individuals to easily invoke a digital signature on a file. By accepting
digital signatures, companies can more expeditiously eliminate paper documents
from processes that once required handwritten ones-such as filing an application for
a loan or opening a new brokerage account online. This streamlines business' ability
to process transactions by eliminating the need and cost of human intervention, and
it promises to improve customer satisfaction.
The Health Insurance Portability and Accountability Act (HIPAA)- HIPAA allows for
the secure exchange of patient records between insurance companies and agencies,
including clearing houses and the Medicare and Medicaid programs, with the aim of
simplifying administration. HIPAA stipulates that industry participants should be able
to exchange documentation electronically and that electronic signatures are binding.
Those transmitting the data over networks are responsible for encrypting patient
data to assure patient privacy is not compromised. Meeting critical HIPAA electronic
security requirements using SecureZIP extends the trusted de-facto standard ZIP
archive in an evolutionary way to provide persistent secure archive for sensitive
medical records for online transmission or transport. The United States Department
of Health and Human Services has established rolling deadlines for supporting
HIPAA, with some already in effect while others are yet to be determined. HHS
recommends, however, that affected healthcare providers implement standards prior
to any established deadlines. Meeting HIPAA security and electronic signature
requirements now helps protect against fraud and abuse of patient information. Once
the rules take effect, those entities that do not protect sensitive patient information
as mandated by HIPAA could face criminal penalties and fines of $25,000 per
individual per year.
The Basel II Capital Accord - Basel II is an amended regulatory framework that
has been developed by the Bank of International Settlements that requires all
internationally active banks, at every tier within the banking group, to adopt similar
or consistent risk-management practices for tracking and publicly reporting exposure
to operational, credit and market risks. It requires the identification of risks that a
company is exposed to, a report detailing the processes in place for identifying and
measuring future risk, and confirmation that sufficient cash reserves are available to
cover all risk exposure – capital held must be closely matched to risks undertaken.
UK Data Protection Act - The Data Protection Act 1998 came into force on March
1, 2000 and implements the EC Directive. It applies to computerized personal data
as well as data held in structured manual files. There are eight principles put in place
by the DPA to make sure that sensitive personal information is handled properly.
They say that data must be:
21

• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate
• Not kept for longer than is necessary
• Processed in line with the individual’s rights
• Secure
• Not transferred to countries without adequate protection
Data Encryption
SecureZIP for iSeries security functions include strong encryption tools using RSA
BSAFE and the PKWARE implementation of the Advanced Encryption Standard.
SecureZIP for iSeries provides the option for password encryption using DES, RC4,
3DES and AES.
RSA High-Quality Security - RSA Security submits its Crypto-C products for FIPS
140 testing and validation. FIPS 140-1 and FIPS 140-2 are U.S. Government
standards which specify the security requirements to be satisfied by a cryptographic
module. RSA Security supports this testing and certification with over 20 years of
experience in the security industry.
SecureZIP for iSeries uses a multi-layer key generation process, based on a userspecified
password of up to 200 characters, and/or a user’s digital certificate, that
creates a unique internal key for each file being processed. In addition, the same
password will result in a different system generated key for each file.
SecureZIP for iSeries also implements the use of Cipher Block Chaining (CBC) to
further enhance industry standard encryption algorithms. This feature ensures that
each block of data is uniquely modified, further protecting the data from fraudulent
access.
SecureZIP for iSeries encryption is activated through the use of the -PASSWORD
and -RECIPIENT commands. If a value is present for either setting, whether through
commands or default settings, then encryption will be attempted in accordance with
other settings (for example, -ADVCRYPT); however, if ADVCRYPT=NONE is specified,
then encryption will be bypassed.
The following matrix illustrates cross-product compatibility of encrypted data and
general encryption options available on the operating systems supported by PKZIP.
22

Cross Product Matrix
The following table shows encryption methods and features available with various
PKWARE products.
ENCRYPTION
TYPES/
PRODUCTS
Generic ZIP
Utilities
PKZIP for
Windows
PKZIP for
UNIX
PKZIP for
OS/400
PKZIP for
zSeries
SecureZIP for
zSeries
PKZIP for VSE
PKZIP for
MVS 5.5
PKZIP for
iSeries
SecureZIP for
iSeries
96 bit
Password
X
PKWARE
Certificate*
128, 192, &
256-bit AES
Password
BSAFE®
AES 128,
192, & 256-
bit
CIPHER-
BLOCK
CHAINING
X X X X X X
X X X X X X
X X X
X X X X X
X X X X X X
X
X X X
X X X X X
X X X X X X
BSAFE®
DES, 3DES,
& RC4
*Archives created under PKZIP for Windows and PKZIP for UNIX using the setting
Strong: Recipient List or Password can be decrypted with the password on iSeries
systems running release 8.0 or later.
Operating System Levels
V5R1M0 or above is required to run certificate-based operations.
Windows Compatibility
When using BSAFE AES encryption with recipients, there is a cross-system
compatibility issue to be addressed by the user community. Windows operating
systems running pre-Windows XP may experience a decryption problem depending
on the state of the private-key certificate on the workstation. During the Windows
certificate import process, a dialog check-box "Mark the private key as exportable"
may be selected. If this option was not selected, then Windows will not allow an AES
encrypted file to be decrypted unless the master session key was wrapped with
3DES.
The setting of the parameter is enterprise wide and is set using the PKCFGSEC
command. When turned on, the MSK3DES flag is set in the NDH/DIB; indicating that
23

the master session key information is protected with 3DES when recipients are
specified.
PKZIP for Windows has a variance in processing for 6.0 and 7.x due to OAEP
processing. PKZIP for Windows 5.0 through 6.0 used OAEP processing. However,
that was found to be incompatible with SmartCards, so 6.1 and above began setting
the NO_OAEP flag in the NDH/DIB flags and stopped creating OAEP encryption-mode
files.
SecureZIP for iSeries will always set NO_OAEP, therefore PKZIP for Windows 5.0 -
6.0 will not be able to read recipient-based files from the large platforms.
SecureZIP for iSeries should be able to detect whether the NO_OAEP flag is set
and successfully extract either. No change in logic is required within the SecureZIP
high-level code, but the low-level EVTCERTD code should handle the switch based on
the flag.
General Questions to help you get started with SecureZip for
iSeries
How do I activate encryption in SecureZIP for iSeries?
Encryption is activated through the use of the PASSWORD (and/or ENTPREC for
SecureZIP) parameters. If a value is present for either setting then encryption will be
attempted in accordance with other settings (such as ADVCRYPT). However, if
ENTPREC (*NONE) is specified, then encryption will be bypassed.
Note that certificate-based encryption with ENTPREC for recipients is only supported
by SecureZIP. In addition, this mode of encryption requires that one of the Strong
ENCRYPTION Methods (minimum 128-bit) be selected.
How does Master Recipient / Contingency Key affect activation?
When SecureZIP is used to encrypt data, either with ENTPREC or PASSWORD, then a
recipient specified in the enterprise security configuration file is automatically
included. However, simply setting a master recipient in the enterprise security
configuration file does not cause encryption to take place.
How does recipient-based encryption differ from password?
Password-based encryption depends on both the sender and receiver knowing, and
providing input (the password) in clear text. The password is used to derive a binary
master session key for each decryption run. No key information is kept within the
ZIP Archive, therefore both parties must retain the password in an external location.
Recipient-based encryption provides a means by which the master session key (MSK)
information can be hidden, protected, and carried within the ZIP archive. This is done
by using technique known as digital enveloping with public key encryption. The
technique requires that the creating process have a copy of the recipient's public key
digital certificate, which is used to protect and store the MSK. In addition, the
receiving side must have a copy of the recipient's private key digital certificate. With
these two pieces of information in place, there is no need for users to retain or recall
a password for decryption.
24

What is a digital certificate store?
Recipient-based encryption requires that public and private key certificates be used
by SecureZip for iSeries. These are kept in file streams encoded according to the
X.509 standard. A certificate store is the location of where various types of
certificates are kept and accessed.
The primary stores used by SecureZip for iSeries include:
CSPUB: Certificate store for individual public-key X.509 certificates on the local
system.
CSPRVT: Certificate store for individual private-key X.509 certificates on the local
system.
CSCA: Certificate store For Certificate authority public-key X.509 certificates on the
local system.
CSROOT: Certificate store for the trusted root public-key X.509 certificates on the
local system.
CSCRL: Certificate revocation list store static CRL processing on the local system.
LDAP: Certificate store for individual public-key X.509 certificates accessible via a
TCPIP network.
Can both recipient-based and password encryption be used together?
Yes, when both ENTPREC for recipient and PASSWORD settings are used, to encrypt
a file, the master session key is derived from the password and also protected by
using public key encryption. This means that a ZIP file may be decrypted either by a
user who knows the password, or who has their private key certificate available.
How does ENCRYPTION METHOD pertain to recipient or password
encryption?
Public/private key encryption using BSAFE is used to digitally envelope the master
session key information. Once the master session key is determined, an independent
file session key is derived (which is unique for each file) to encrypt the file data with
a symmetric algorithm specified by ADVCRYPT. Several algorithms are supplied with
SecureZip for iSeries. Any algorithm may be specified for use with PASSWORD.
However, only those prefixed with "BSAFE" are valid for use with ENTPREC for
recipients.
Which encryption settings should I choose?
Various external factors such as legislative requirements or corporate policy may
influence your decision to select an algorithm or mode of encryption. However, when
operating within those requirements, the following SecureZip for iSeries
information may be of value.
NIST has instructional information regarding password versus certificate-based (PKI)
encryption. In general, certificate-based encryption is accepted to be more secure
than password-based encryption.
With the exception of supporting the older 96-bit "Standard" SecureZip for iSeries
ADVCRYPT, newer algorithms are provided at a minimum of 128 bits.
PKWARE provides interoperability between OS/390, zOS, OS400, iSeries, UNIX and
Windows for all algorithms provided with ADVCRYPT with its product set at release
25

8.0 and above. This includes more advanced algorithms with minimum key lengths of
128 bits.
Older releases of PKWARE products, including PKZIP for VSE and PKZIP for VM
support "Standard" 96-bit encryption for wider cross-platform compatibility when
required.
When RECIPIENT PKI exchanges are required, then ADVCRYPT must specify
algorithms that begin with BSAFE.
Password-based AES encryption is supported by PKWARE products at release 5.5 or
higher.
BSAFE_AES and AES password-based encryption are 100% compatible. Archives
created with PKZIP for iSeries Release 5.5 can be bi-directionally exchanged with
SecureZip or PKZIP products using the BSAFE AES algorithms.
The BSAFE algorithms provided for the OS/400 and iSeries products are highperformance
algorithms. The 128-bit BSAFE algorithms out-perform the older 96-bit
PKZIP "Standard" algorithm.
How many recipients can be specified?
The ZIP file format specification allows for a maximum recipient list size of 3,275.
This can be restricted further by other file attributes associated with the data, and by
run-time capacity limitations (such as virtual storage). (Note: Approximately 20
bytes are required for each recipient within the ZIP Archive central directory record
for each file. This area is limited to 64K in size). At this time the command allows 30
recipients so to reach the max would require using the Inlist approach.
What is Filename Encryption?
Someone who cannot decrypt the contents of an archive may still be able to infer
sensitive information just from the unencrypted names of files. To prevent this, you
can encrypt the names of files in addition to their contents. Encrypted file names can
be viewed in the clear—that is, unencrypted—only when the archive is opened by an
intended recipient, if the archive was encrypted using a recipient list, or by someone
who has the password, if the archive was encrypted using a password.
SecureZip for iSeries encrypts file names using your current settings for (strong)
encryption method and algorithm. File names can be encrypted using either strong
password encryption or a recipient list (or both). You must use one of the strong
encryption methods: you cannot encrypt file names using traditional,
ADVCRYPT(ZIPSTD), which uses a 96-bit key.
Encrypting names of files and folders in an archive encrypts and hides a good deal of
other internal information about the archive as well. To encrypt file names,
SecureZip for iSeries encrypts the archive's central directory, where virtually all
such metadata about the archive is stored. Be aware, however, that archive
comments are not encrypted even when you encrypt file names. Do not put sensitive
information in an archive comment.
User Encryption Examples
Below are examples of how to invoke encryption processing using PKZIP commands.
26

Zip Compress File(s) and Write to an Archive File
This is the main PKZIP compression screen. Here you specify the method and mode
of encryption.
File Compression
8.0 (PKZIP)
Type choices, press Enter.
Archive Zip File name . . . . .
List Include file or pattern . .
+ for more values
'/pkzshare/encryption/as400.des3.zip'
'/pkzshare/encryption/*.txt'
Type of processing . . . . . . . *ADD *ADD, *UPDATE, *FRESHEN ..
Compression Level . . . . . . . *SUPERFAST *FAST, *NORMAL, *MAX...
File Types . . . . . . . . . . . *DETECT *DETECT *TEXT *BINARY ........
Advance Encryption :
Method . . . . . > 3des
ZIPSTD, AES128, AES192...
Mode . . . . . . > BSAFE
PKWARE, BSAFE
More...
F3=Exit F4=Prompt F5=Refresh F10=Additional parameters F12=Cancel
F13=How to use this display F24=More keys
Parameter ARCHIVE required.
Placing the cursor on the “Method” and hitting F4 presents the next screen that
allows you to select one of the encryption methods to use.
Specify Value for Parameter ADVCRYPT
Type choice, press Enter.
Method . . . . . . > 3DES
ZIPSTD
AES128
AES192
AES256
3DES
DES
RC4_128
When the next screen appears if you do not enter a password no encryption
processing is completed on the file(s) to be archived. If you desire encryption, you
must enter the password twice; once in the Archive Password and again in the Verify
Password.
File Compression
8.0 (PKZIP)
Type choices, press Enter.
Archive Password . . . . . . . .
Verify Password . . . . . . . .
Archive File Type . . . . . . . *ifs *DB, *IFS
Files to Zip Type . . . . . . . *ifs *DB, *IFS, *IFS2, *DBA, *SPL
Before/After Selection . . . . . *NO *NO, *BEFORE, *AFTER
Date for Selection . . . . . . . 0 Date mmddyyyy
File Name actions . . . . . . . *SUFFIX *NONE, *DROP, *SUFFIX
External Conversion Flags . . . *NONE Character value, *NONE
Create Self Extract Archive . . *MAINTAIN *MAINTAIN, WINDOWS, AIX...
Bottom
27

F3=Exit F4=Prompt F5=Refresh F10=Additional parameters F12=Cancel
F13=How to use this display F24=More keys
Following is the output of the PKZIP run.
SecureZIP for iSeries (tm) Compression Utility Version 8.0.0, 2004/02/13
Copyright. 2004 PKWARE, Inc. All Rights Reserved.
PKZIP (R) is a registered trademark of PKWARE (R), Inc.
Scanning files in *IFS for match ...
Found 2 matching files
Compressing /pkzshare/encryption/appnote.txt in BINARY mode
Add /pkzshare/encryption/appnote.txt -- Deflating (69%) encrypt(BSAFE 3DES)
Compressing /pkzshare/encryption/readme.txt in BINARY mode
Add /pkzshare/encryption/readme.txt -- Deflating (58%) encrypt(BSAFE 3DES)
PKZIP Compressed 2 files in Archive /pkzshare/encryption/as400.des3.zip
PKZIP Completed Successfully
Commands generated from the PKZIP screen using the retrieve key after the PKZIP
run.
Previous commands and messages:
Command Entry
COSMOS
Request level: 4
(No previous commands or messages)
Bottom
Type command, press Enter.
===> PKZIP ARCHIVE('/pkzshare/encryption/as400.des3.zip')
FILES('/pkzshare/encryption/*.txt') ADVCRYPT(3DES BSAFE) PASSWORD() VPASSWORD()
TYPARCHFL(*IFS) TYPF
Display the contents of an Archive File
When the files within an archive have strong encryption the “!” (bang) character is
placed in front of the file name to inform you that you must have the correct
password to view or extract the file.
File Extraction
8.0 (PKUNZIP)
Type choices, press Enter.
Archive Zip File name . . . . .
List Include file or pattern . .
+ for more values
'/pkzshare/encryption/as400.des3.zip'
*ALL
Type of processing . . . . . . . *VIEW *VIEW, *EXTRACT, *NEWER...
File Types . . . . . . . . . . . *DETECT *DETECT *TEXT *BINARY ...
Press ENTER to end terminal session.
SecureZIP for iSeries (tm) Compression Utility Version 8.0.0, 2004/02/13
Copyright. 2004 PKWARE, Inc. All Rights Reserved.
PKZIP (R) is a registered trademark of PKWARE (R), Inc.
PKZIP for iSeries(tm) is running under Beta release B1
Archive: /pkzshare/encryption/as400.des3.zip 33451 bytes 2 files
Length Method Size Ratio Date Time CRC-32 Name
-------- ------ ------- ----- ---- ---- ------ ----
97182 Defl:F 30230 69% 01-30-04 13:16 223c2ea4 !/pkzshare/encryption/
appnote.txt
28

5747 Defl:F 2710 53% 10-06-03 15:14 d193af9b !/pkzshare/encryption/
readme.txt
-------- ------- ---- -------
102929 32940 68% 2 files
PKUNZIP extracted 0 files
PKUNZIP Completed Successfully
Incorrect Password Use
The following illustration is an example of what to expect if you enter an incorrect
password. The error message indicates that the file(s) were skipped because of an
incorrect password and that PKUNZIP completed with errors.
PKZIP for iSeries(tm) Compression Utility Version 8.0.0, 2004/02/17
Copyright. 2004 PKWARE, Inc. All Rights Reserved.
PKZIP (R) is a registered trademark of PKWARE (R), Inc.
PKZIP for iSeries(tm) is running under Beta release B1
PKUNZIP Archive: /pkzshare/encryption/as400.des.zip
Archive Comment:"PKZIP for iSeries by PKWARE"
Searching Archive /pkzshare/encryption/as400.des.zip for files to extract
skipping: /pkzshare/encryption/appnote.txt incorrect password
skipping: /pkzshare/encryption/readme.txt incorrect password
Caution: zero files tested in /pkzshare/encryption/as400.des.zip.
2 file(s) skipped because of incorrect password
PKUNZIP Completed with Errors
Press ENTER to end terminal session.
29

3 Getting Started with SecureZIP for
iSeries
SecureZIP for iSeries is a broad, flexible product on the iSeries, and AS/400
platforms, allowing for compression and decompression of files. It is fully compliant
with other PKZIP-compatible compression products running on other operating
systems.
Because the PKZIP standard for text data storage is ASCII, SecureZIP for iSeries
facilitates conversion between the ASCII and EBCDIC character sets. Therefore,
compressed text files can be transferred between IBM mainframe environments and
systems using the ASCII character sets, including UNIX, DOS, SecureZIP for
iSeries, PKZIP for zSeries, and PKZIP for VSE.
In addition to PKZIP-format archive support, SecureZIP for iSeries can also
produce and manipulate (GNU) GZIP-format archives. See Chapter 18.
Basic Features of SecureZIP for iSeries
SecureZIP for iSeries is generally compatible with PKZIP 2.x, and as such, has
the following features:
Compliance with compression programs on other platforms, including Windows,
LINUX, UNIX, DOS, SecureZIP for iSeries , PKZIP for zSeries, and PKZIP for
VSE.
• User-selected compression ratios.
• Storage capability of 65,535 files within one ZIP Archive.
• Compression of files of up to 4 gigabytes.
• A maximum ZIP archive size of 4 gigabytes.
• Data integrity assurance using 32-bit CRC error detection.
• Translation of data to a system-independent format, thus providing easy file
transfers within a mixed or varied file environment.
Extended Features of SecureZIP for iSeries
SecureZIP for iSeries also offers a series of extended features such as creation of
GZIP archive, spool files support, large file support (files greater than 4 GB and files
30

in archive exceeding 65,535), advanced encryption and self-extracting archives. All
licensable features can be found in “Licensed Product Features” in Chapter 4.
Invoking SecureZIP for iSeries Services
Three main commands control SecureZIP for iSeries functionality in the OS/400
operating environments. The commands are:
• PKZIP - Launches compression utility
• PKUNZIP - Launches archive extraction utility
• PKZSPOOL - Launches compression utility for spool files
Each of the commands can be invoked interactively, submitted for a batch run, or
used anywhere that an iSeries command can be issued.
Help panels for each command can be activated by using the F1 (help) key.
SecureZIP for iSeries Differences with other Platforms
This section covers the differences between SecureZIP for iSeries and other
versions, including versions that run on other operating systems or platforms. Most
of the differences are due to the QSYS library file type system and the iSeries objectoriented
base.
Attributes
(non-extended)
ANSI comments
Archive file date
controls PKZIP
Archive Comments
PKZIP
File naming
differences
Various MS/DOS options support the selection of files by file
attributes such as hidden, read-only, and system. These
attributes are not meaningful on the OS/400 file system.
Because OS/400 does not support ANSI control codes,
related options are not supported. When unzipping from an
archive, the archive comment will be displayed, but ANSI
control codes in this comment will not be masked out. This
could cause attribute changes on the iSeries display.
DOS options control whether the ZIP file date is updated or
retained when altering the archive. Because the last used
date on OS/400 is not under program control or alterable by
a command, these options are not supported.
DOS options allow editing of comments for individual files in
an archive. This version supports editing of a file’s text
description, but is not recommended for batch running, or for
a large number of files due to the interactive message
responses required.
The files used in the QSYS library file system have their own
naming style. Each file associated with a library file and
members would be depicted as library/file(member). Usually,
all file names are stored as open system file names with
directories, ending with a file name. For a detailed
description and techniques see Chapter 8.
31

HELP
Mixed Case
Filenames
PKZIP for DOS has options to display a list of commands.
Because SecureZIP for iSeries uses iSeries commands, the
help system is built for each command and is activated by
PF1 on each parameter.
When using the IFS (integrated file system), the file names
are case sensitive and act like other file systems (UNIX,
DOS, Windows, etc.). When using the QSYS library file
system, the file names are always in UPPER CASE.
Occasionally, when trying to update and archive (or select
from an archive), you may encounter a case sensitive
search. Use PKUNZIP view to get the exact name stored.
This would be appropriate when doing a PKZIP TYPE(
*DELETE) where the selection file would need to match.
Use of SAVF Method
At this time, only physical files with attributes of PF-DTA, PF-SRC, and SAVF in the
QSYS file system, stream files and directories in the IFS, and spool files can be
processed by SecureZIP for iSeries. Also, some special database functionality such
as triggers, file constraints, alternate collating sequence, and large object fields, are
not stored in the archives.
To overcome some of the restrictions listed above, SecureZIP for iSeries can
compress and decompress SAVF. The objects to be compressed are saved to a SAVF
using SAVOBJ or SAVLIB. The SAVF is then compressed to an archive using PKZIP.
To restore the data, first use PKUNZIP to re-create the SAVF, and then use RSTOBJ
or RSTLIB to restore objects from within the decompressed SAVF. SAVF are binary
and only pertain to OS/400.
32

4 SecureZIP for iSeries Installation
This chapter describes the process of receiving SecureZIP for iSeries, either by
tape, CD-ROM or by FTP, the process of setting the environment (optional) and the
process of installing the license. These processes consists of building the SecureZIP
for iSeries version library, adding the library to your library list, optionally setting
environmental pointers and running the install license command with an authorized
license.
Even though the default library for SecureZIP for iSeries Version 8.0 patch level 0
is PKW81051S and is referenced in this manual, the library name for the product can
be named otherwise to suit your environmental needs. The SecureZIP for iSeries
product is distributed with a predefined library of PKW810vrT (where vr is the
minimum OS/400 operation system release supported, T is the product type,
P=PKZIP and S=SecureZIP). V5R1M0 would be 51. If you would like to use another
library name or would like to run SecureZIP for iSeries without it being in the
library list, review the operating environment discussion later in this chapter.
It is recommended that you use a generic name for the library that will be used for
production (such as PKZIP or PKZIPPROD). This will allow new updates to be
implemented without changing a lot of CL programs or processes. To use another
library name, review the procedures described later in this chapter (section
“Operating Environment”) on how to use the CALL PKZSETLIB program to change the
standard library name or run without the library in your library list.
Unloading SecureZIP for iSeries from Tape
The SecureZIP for iSeries installation tape contains a SAVF file with the product
library for the OS/400. The file PKW810vrT library contains SecureZIP for iSeries
Version 8.0 patch level 0 with the OS/400 version specified as vr (OS/400 version,
target release, and modification for the product build, for example, 51 for V5R1M0)
and T is the product type.
To unload the required library for SecureZIP for iSeries, load the tape and issue
the following command:
RSTLIB SAVLIB( PKW810vrT) DEV(tapnn)
Where vr is the version, release, and modification level, T is product type, and
tapnn is the appropriate tape device name.
33

At this point the PKZIP library exists on your system and you can proceed to the
section, “Restoring SecureZIP for iSeries Product Library from a Save File.”
Unloading SecureZIP for iSeries from a CD-ROM
The SecureZIP for iSeries installation from a CD-ROM can be performed using
either of the following two methods. One method is to use the LODRUN command
and the second method would be to restore the library manually. First load the
SecureZIP for iSeries CD into the optical unit and note the device name (usually
OPT01).
METHOD A. LODRUN Command
At a command line type LODRUN DEV(*OPT) or LODRUN DEV(optical device).
LODRUN will first display the following screen showing the default library with the
version of SecureZIP for iSeries that will be installed from the CD. The display will
wait for a valid library and the pressing of the Enter key to install SecureZIP for
iSeries. If the F3 or F12 key is pressed the install will end without installing the
product.
LODRUN screen example:
SecureZIP for iSeries (tm)
Version V8.0.0
Install SecureZIP for iSeries (tm) to Library PKW81051S
(Note: Library Must Not Exist)
Press Enter to Continue
F3-Exit
F12-Cancel
Error message Area------------------------------------------------------
Next the install process will restore the SecureZIP for iSeries product to the library
requested and add the new library to the library list. Then using the program PKZIP
program PKZSETLIB, all settings for commands, data area and help files will be
resolved to the new library.
At this point, SecureZIP for iSeries is in your library list and is ready to load keys
(DEMO or registered) using the INSTPKLIC command as describe later in this
chapter.
METHOD B. RSTLIB Command
The SecureZIP for iSeries installation CD-ROM contains a Save file with the
product library for the OS/400. The PKW810vrT library contains SecureZIP for
iSeries Version 8.0 patch level 0 with the OS/400 version specified as vr (OS/400
version, Target Release, and Modification for the product build, for example, 510 for
V5R1M0) and T is product type.
To unload the required library for SecureZIP for iSeries, load the CD-ROM and
issue the following command:
RSTLIB SAVLIB( PKW810vrT) DEV(optnn) OPTFILE(pkzip)
34

Where vr is the version, release, T is product type and optnn is the correct optical
device name to use.
Using FTP to iSeries to Transfer a PKZIP Save File
1. After downloading the product self-extracting file to your PC, extract it. The
save file is named PKW81051S.SAV. Be sure to note the path to this file, as it
will be required in your FTP session (defaults to
C:\PKZIP\PKAS4R\PKW81051S.SAV).
2. Start an iSeries workstation type session, and then sign on with sufficient
authority to perform the commands used below.
3. Create a save file on the iSeries - CRTSAVF YourLIB/PKZIP810. The TCP/IP
network server must be running (or start the TCP/IP network server with
STRTCP).
4. Start a PC-based FTP session with your normal FTP procedures and send the
PC file in binary mode to the iSeries SAVF you created, or run the following:
5. Type "FTP" at the command prompt.
6. Open the iSeries IP address and sign on (ftp> open 208.222.150.11 as an
example).
7. Next, type "BIN" at the command line (this will transfer the file as a binary
object which is required).
8. Now type "PUT" and then the local file name (in other words, "PUT
C:\PKZIP\PKAS4R\PKW81051S.SAV")
9. Finally, you type your remote file name (the destination):
(YourLIB/PKZIP810) and the FTP transfer of the file should start.
Restoring SecureZIP for iSeries Product Library from a Save File
At this time you should have the save file built on your system. Now you can restore
the library from the save file.
RSTLIB SAVLIB(PKW81051S) DEV(*SAVF) SAVF(YourLIB/PKZIP810)
RSTLIB(your_pkzip_lib)
where "your_pkzip_lib" - is the name you want to call the restored PKZIP library.
At this point the SecureZIP for iSeries product library should exist on iSeries and
you can proceed to the Installation procedures below.
If you want, you can now delete the save file created earlier with:
DLTF YourLIB/PKZIP810
Installation Procedures
The SecureZIP for iSeries product library should now exist on the iSeries. All
objects including the library are owned by QPGMR. The objects’ owner can be change
35

to any valid owner with the CHGOBJOWN command. The SecureZIP for iSeries
library should now be added to the library list (ADDLIBLE your_pkzip_lib).
If you keep the PKZIP library name at PKW81051S, then you do not need to take this
additional step. If you change the name from PKW81051S to something else, then
you will need to run a program to setup your PKZIP Environment. In this case you
will type on a command line, "CALL PKZSETLIB your_pkzip_lib", where
"your_pkzip_lib" is the name of the PKZIP library you restored. This will link the
objects to your PKZIP library name. For more information see “How to Change the
Standard PKZIP Library Name” later in this chapter.
Licensing Requirements
SecureZIP for iSeries is a licensed product. Without proper licensing, the product
can only be used to view archives. Product features and license types can be licensed
separately as the user’s needs dictate. The license key will contain all of the
elements necessary to validate a customer’s use of SecureZIP for iSeries.
The licensing process is comprised of several key elements that are described in the
following sections.
Trial Period
You will need to contact your reseller or PKWARE, Inc. Sales at 937.847.2374, or
email Sales at pksales@pkware.com to initialize your version of SecureZIP for
iSeries for the 15-day DEMO. If you do not work in the USA, please refer to the
GLOBAL CONTACTS.TXT file to contact a dealer in your region.
Release Licensing
Each release of SecureZIP for iSeries requires that a new license key be obtained
from Customer Service and that a new license record be generated. The new release
will fail with AQZ9077 "License Keys have invalid version setting" if the license file is
used from a previous release.
Reporting Environment
To report on the status of a license at your location, you can run the environment
“WHATOSV” program by doing a program call:CALL WHATOSV. It will provide a
report similar to:
PKWARE WHATOSV Current Operating Environment Thu May 15 12:05:49 2003
SecureZIP for iSeries (tm) Version 8.0.0 with build date 2003/05/14
Current PKZIP Library is PKW81051S
IBM iSeries Model 9406, Type 270-23E7
Serial Number , PRC Group < P10>, OS is at V5R2M0.
Press ENTER to end terminal session.
The output of this report is what you will need to send to your reseller or PKWARE
sales representative to obtain a DEMO code.
36

Note: The PKZIP Library must be added to the library list prior to
running this program.
Please have the output of this report handy when speaking with your reseller or
account rep. You will be expected to supply the following additional information:
• Company name
• Company contact
• Phone number
• Contact email
Updating License Files
Installing the PKZIP license activation keys is done by adding the licensing
information into a source file member (one is provided with distribution library call
PKZLICIN) and then running the install license program to activate.
Trial activation is accomplished by first editing the member PKWARELIC and adding
the company customer record and keys supplied by PKWARE, Inc. One way of editing
the member would to use the following command with the correct library:
EDTF FILE(PKW81051S/PKZLICIN) MBR(PKWARELIC)
or
STRSEU SRCFILE(PKW81051S/PKZLICIN) SRCMBR(PKWARELIC)
Remember since this a source file member and you use the EDTF command that the
data will start in column 13, because the source sequence number and date stamp is
in the true columns 1 thru 12.
For example:
EDTF FILE(PKW81051S /PKZLICIN) MBR(PKWARELIC)
Edit File: PKW81051S /PKZLICIN(PKWARELIC)
Record : 1 of 3 by 8 Column : 13 92 by 74
Control :
CMD ..+....2....+....3....+....4....+....5....+....6....+....7....+....8....+.
************Beginning of data**************
*LICENSED BY PKWARE, Inc 06/03/03 Tait Hamiel
55 A4CMD1NR 000014581 PKWARE Internal Demo Customer
99 CMDOAXB1 20030703 0107X8WTP10
************End of Data********************
F2=Save F3=Save/Exit F12=Exit F15=Services F16=Repeat find
Notice in this case the columns on the ruler shows column 13 for the first column of
the license data.
For Example:
STRSEU SRCFILE(PKW81051S/PKZLICIN) SRCMBR(PKWARELIC) :
Columns . . . : 1 71 Edit PKW81051S/PKZLICIN
SEU==>
PKWARELIC
37

FMT ** ...+... 1 ...+... 2 ...+... 3 ...+... 4 ...+... 5 ...+... 6 ...+... 7
*************** Beginning of data *************************************
0001.00 *LICENSED BY PKWARE, Inc 06/03/03 Tait Hamiel
0002.00 55 A4CMD1NR 000014581 PKWARE Internal Demo Customer
0003.00 99 CMDOAXB1 20030703 0107X8WTP10
****************** End of data ****************************************
F3=Exit F4=Prompt F5=Refresh F9=Retrieve F10=Cursor F11=Toggle
F16=Repeat find F17=Repeat change F24=More keys
Once you have typed or copied the license information provided by PKWARE, you will
need to save these changes by pressing F3 and exit the edited member by pressing
F3 again. Next, run the install program using the following command:
INSTPKLIC INFILE(*LIBL/PKZLICIN) INMBR(PKWARELIC) or prompt F4
Type choices, press Enter.
Install SecureZIP for iSeries License (INSTPKLIC)
Type . . . . . . . . . . . . . *INSTALL *INSTALL, *VIEW
Input Control File . . . . . . . PKZLICIN Name, PKZLICIN
Library name . . . . . . . . . *LIBL Name, *LIBL
Control Member . . . . . . . . . pkwarelic Name, *FIRST
Bottom
F3=Exit F4=Prompt F5=Refresh F12=Cancel F13=How to use this display
F24=More keys
By executing the INSTPKLIC command, the LICENSE dataset will be updated and a
report will be produced that will reflect the state of SecureZIP for iSeries at your
location.
SecureZIP for iSeries (tm) Compression Utility Version 8.0.0, 2003/06/09
Copyright. 2004 PKWARE, Inc. All Rights Reserved.
PKZIP (R) is a registered trademark of PKWARE (R), Inc.
Machine ID = 0107X8WT, Processor Group = P10
Rec - 1 *LICENSED BY PKWARE, Inc 06/03/03 Tait Hamiel
Rec - 2 55 A4CMD1NR 000014581 PKWARE Internal Demo Customer
Rec - 3 99 CMDOAXB1 20030703 0107X8WTP10
Compression - Evaluation set to expire in 23 days on 20030703
Decompression - Evaluation set to expire in 23 days on 20030703
Database File Handlers- Evaluation set to expire in 23 days on 20030703
IFS File Handlers - Evaluation set to expire in 23 days on 20030703
GZIP - Evaluation set to expire in 23 days on 20030703
Spool Files - Evaluation set to expire in 23 days on 20030703
Self Extracting - Evaluation set to expire in 23 days on 20030703
License File PKW81051S/PKZLIC(PKZLIC) Updated successfully
Press ENTER to end terminal session.
Licensed Product Features
The license key will be comprised of codes to reflect the product features selected by
the customer.
38

Licensing Product Type Cross Reference with Features Codes.
Type
Feature
Code
PKZIP SecureZIP Standard
77
Enterprise
BASE Module 01 X X X X X
Compression 02 X X X X X
Decompression 03 X X X X X
GZIP 04 Opt X X X
66
x Demo
Days
Directory Integration 05 N/A Opt Opt Opt X
(SecureZIP
Only)
ADVANCED
Encryption
06 N/A Opt N/A X
(SecureZIP
Only)
99
X
(SecureZIP
Only)
Decryption 07 Included Included X X X
(SecureZIP
Only)
Spool File Support 08 Opt X N/A X X
Self Extraction
Creator
10 Opt X N/A X X
39

Licensing Features Code Descriptions
The following table shows the product features available:
Feature
Code
Type
Description
01 Base Module The base module is either PKZIP or SecureZIP (depending on the
product has been selected and which licensed code was issued).
02 Compression This licensable module allows for the compression of data into a ZIP
file. This license is required to read the input data and write out the
archive or ZIP file.
03 Decompression This licensable module allows for the decompression of data from a
ZIP file or an archive. This license is required to read the ZIP archive
and to write the OS/400 datasets during the extraction routine.
04 GZIP Support This licensable module allows a user to read and write GZIP
compatible files. GZIP files created using PKZIP for iSeries can be
extracted with any compatible GZIP utility on any other platform.
05 Directory Integration This module allows the use of LDAP for certificate accessing.
06 Advanced Encryption
Module
This licensable module allows a user to compress files with advanced
encryption methods, encrypt files with certificates, sign files/archives,
and authenticate files/archives.
07 Decryption This licensable module allows a user to extract files with advanced
encryption methods.
08 Spool File Handler This licensable module allows a user to compress and extract spool
files. The module also allows the spool file to be converted another
format, such as a PDF or text format.
10 Self Extract Support This licensable feature allows the creation and maintenance of self
extracting archives.
Splash Screens:
SecureZIP:
SecureZIP(tm) for iSeries Compression Utility Version 8.0.0B, 2004/07/21
Copyright. 2004 PKWARE, Inc. All Rights Reserved.
SecureZIP(tm) is a trademark of PKWARE (R), Inc.
PKZIP:
PKZIP for iSeries(tm) Compression Utility Version 8.0.0B, 2004/07/21
Copyright. 2004 PKWARE, Inc. All Rights Reserved.
PKZIP(R) is a registered trademark of PKWARE (R), Inc.
Record Layouts
The record layouts for control file records (portions of which your reseller of
PKWARE, Inc. will provide) are described below for each type. Remember, the
columns are relative to column 1 in a source file and if you use EDTF then column 1
is now column 13.
40

Comment Control Card
Comment cards are free format and begin with an * in column 1.
Customer Control Card
Customer records always begin with a “55” or ‘57”.
Control
Code
Check
Characters
Customer
Number
Customer
Name
Format 55 cccccccc nnnnnnnnn xxx . . . xxx
Columns 1-2 4-11 13-21 23-74
Length 2 8 9 50
55 Feature Control Code (always a 55 or 57)
cccccccc
nnnnnnnnn
xxx . . . xxx
Feature Control Card
Check Character (supplied by PKWARE, Inc.)
Customer Number (supplied by PKWARE, Inc.)
Customer Name (supplied by customer - must be
alphanumeric (AA-99)
Feature
Code
Check
Characters
Expiration
Date
Hardware
Information
Format ff cccc yyyymmdd ssssssstttt
Columns 1-2 4-11 13-20 22-33
Length 2 8 8 12
ff
cccccccc
yyyy year (2001)
mm month (01-12)
Feature Control Code (provided by PKWARE, Inc.)
Check Character (provided by PKWARE, Inc.)
dd day (01-31)
sssssss
CPU serial # (12345ABC)
tttt
CPU Processing Group (P10)
By executing this command, the LICENSE dataset will be updated and a report will
be produced that will reflect the state of SecureZIP for iSeries at your location.
Install Demo
SecureZIP for iSeries (tm) Compression Utility Version 8.0.0, 2003/06/09
Copyright. 2004 PKWARE, Inc. All Rights Reserved.
PKZIP (R) is a registered trademark of PKWARE (R), Inc.
Machine ID = 0107X8WT, Processor Group = P10
Rec - 1 *LICENSED BY PKWARE, Inc 06/03/03 Tait Hamiel
Rec - 2 55 A4CMD1NR 000014581 PKWARE Internal Demo Customer
Rec - 3 99 CMDOAXB1 20030703 0107X8WTP10
Compression - Evaluation set to expire in 23 days on 20030703
Decompression - Evaluation set to expire in 23 days on 20030703
Database File Handlers- Evaluation set to expire in 23 days on 20030703
IFS File Handlers - Evaluation set to expire in 23 days on 20030703
41

GZIP - Evaluation set to expire in 23 days on 20030703
Advanced Encryption - Evaluation set to expire in 23 days on 20030703
Spool Files - Evaluation set to expire in 23 days on 20030703
Self Extracting - Evaluation set to expire in 23 days on 20030703
License File PKW81051S/PKZLIC(PKZLIC) Updated successfully
Press ENTER to end terminal session.
Install Basic
SecureZIP for iSeries (tm) Compression Utility Version 8.0, 2003/07/12
Copyright. 2004 PKWARE, Inc. All Rights Reserved.
PKZIP (R) is a registered trademark of PKWARE (R), Inc.
Machine ID = 0107X8WT, Processor Group = P10
Rec - 1 *LICENSED BY PKWARE 07/13/01 WSS
Rec - 2 55 B7LJJ3A0 110531837
My Company Name, Dayton OH
Rec - 3 *
yyyymmdd ssssssssttt
Rec - 4 77 lLTJ1233 20020801 0107X8WTP10
License File PKW81051S/PKZLIC(PKZLIC) Updated successfully
Install Single
SecureZIP for iSeries (tm) Compression Utility Version 8.0, 2003/07/12
Copyright. 2004 PKWARE, Inc. All Rights Reserved.
PKZIP (R) is a registered trademark of PKWARE (R), Inc.
Machine ID = 0107X8WT, Processor Group = P10
Rec - 1 *LICENSED BY PKWARE 07/13/01 WSS
Rec - 2 55 X1LT83K1 110531837
My Company Name, Dayton OH
Rec - 3 *
yyyymmdd ssssssttttii
Rec - 4 *
ssssssssttt
Rec - 5 01 LLTB7233 20030801 0107X8WTP10
Rec - 6 02 ELTH823F 20030801 0107X8WTP10
Rec - 7 03 RLTB723U 20030801 0107X8WTP10
Rec - 8 04 MLTH823B 20030801 0107X8WTP10
License File PKW81051S/PKZLIC(PKZLIC) Updated successfully
Reporting
To report on the status of a license at your location, you can run the license program
with the following command: INSTPKLIC TYPE(*VIEW).
Examples from above:
View Demo
SecureZIP for iSeries (tm) Compression Utility Version 8.0.0, 2003/06/09
Copyright. 2004 PKWARE, Inc. All Rights Reserved.
PKZIP (R) is a registered trademark of PKWARE (R), Inc.
Machine ID = 0107X8WT, Processor Group = P10
*********************************************
A License Report requested on 0107X8WT from CPU Serial#
8.0 Product Licensed to Customer # 000014581 -PKWARE Internal Demo Customer
*********************************************
Compression -DEMO with 23 Days remaining (07/03/2003)
Contact PKWARE, Inc. for Licensing
*********************************************
Decompression -DEMO with 23 Days remaining (07/03/2003)
Contact PKWARE, Inc. for Licensing
*********************************************
GZIP -DEMO with 23 Days remaining (07/03/2003)
Contact PKWARE, Inc. for Licensing
*********************************************
42

IFS File Handlers -DEMO with 23 Days remaining (07/03/2003)
Contact PKWARE, Inc. for Licensing
*********************************************
Database File Handlers-DEMO with 23 Days remaining (07/03/2003)
Contact PKWARE, Inc. for Licensing
*********************************************
Advanced Encryption -DEMO with 23 Days remaining (07/03/2003)
Contact PKWARE, Inc. for Licensing
*********************************************
Spool Files -DEMO with 23 Days remaining (07/03/2003)
Contact PKWARE, Inc. for Licensing
*********************************************
Self Extracting -DEMO with 23 Days remaining (07/03/2003)
Contact PKWARE, Inc. for Licensing
*********************************************
Press ENTER to end terminal session.
View Single
SecureZIP for iSeries (tm) Compression Utility Version 8.0.0, 2003/06/09
Copyright. 2004 PKWARE, Inc. All Rights Reserved.
PKZIP (R) is a registered trademark of PKWARE (R), Inc.
Machine ID = 0107X8WT, Processor Group = P10
*********************************************
A License Report requested on 0107X8WT from CPU Serial#
8.0 Product Licensed to Customer # 000003079 -Key Testers Inc.
*********************************************
Compression
:Licensed -Expires 02/28/2400 for processors:
Serial# 0107X8WT Processor Type P10
*********************************************
Decompression
:Licensed -Expires 02/28/2400 for processors:
Serial# 0107X8WT Processor Type P10
*********************************************
GZIP
:Licensed -Expires 02/28/2400 for processors:
Serial# 0107X8WT Processor Type P10
*********************************************
IFS File Handlers :Licensed -Expires 02/28/2400 for processors:
Serial# 0107X8WT Processor Type P10
*********************************************
Database File Handlers:Licensed -Expires 02/28/2400 for processors:
Serial# 0107X8WT Processor Type P10
*********************************************
Advanced Encryption :Licensed -Expires 02/28/2400 for processors:
Serial# 0107X8WT Processor Type P10
*********************************************
Spool Files
:Licensed -Expires 02/28/2400 for processors:
Serial# 0107X8WT Processor Type P10
*********************************************
Self Extracting :Licensed -Expires 00/00/0000 for processors:
*********************************************
Press ENTER to end terminal session.
View Single with Exception
SecureZIP for iSeries (tm) Compression Utility Version 8.0.0, 2003/06/09
Copyright. 2004 PKWARE, Inc. All Rights Reserved.
PKZIP (R) is a registered trademark of PKWARE (R), Inc.
Machine ID = 0107X8WT, Processor Group = P10
*********************************************
A License Report requested on 0107X8WT from CPU Serial#
8.0 Product Licensed to Customer # 000003079 -Key Testers Inc.
*********************************************
Compression
:Licensed -Expires 02/28/2400 for processors:
Serial# 0107X8WT Processor Type P10
*********************************************
Decompression
:Licensed -Expires 02/28/2400 for processors:
43

Serial# 0107X8WT Processor Type P10
*********************************************
GZIP
:Licensed -Expires 02/28/2400 for processors:
Serial# 0107X8WT Processor Type P10
*********************************************
IFS File Handlers :Licensed -Expires 02/28/2400 for processors:
Serial# 0107X8WT Processor Type P10
*********************************************
Database File Handlers:Licensed -Expires 02/28/2400 for processors:
Serial# 0107X8WT Processor Type P10
*********************************************
Advanced Encryption :Licensed -Expires 02/28/2400 for processors:
Serial# 0107X8WT Processor Type P10
*********************************************
Spool Files
:Licensed -Expires 02/28/2400 for processors:
Serial# 0107X8WT Processor Type P10
*********************************************
Self Extracting :Licensed -Expires 00/00/0000 for processors:
Serial# 0107X8WT is Not Licensed. Use Of The Product will CEASE in 7 days
(6/17/2003)
*********************************************
Press ENTER to end terminal session
Conditional Use
PKWARE, Inc. recognizes that there may be periods where the licensing environment
established by the customer is no longer valid. Circumstances such as disaster
recovery processing or the installation or upgrade of new processors will affect the
environment. To accommodate the customer, SecureZIP for iSeries has a process
that will allow a customer to continue using the product for a period of five days.
During this time, error messages will be displayed on the console (as well as the
printout) for each execution of SecureZIP for iSeries. At the end of the grace
period, if the license keys are not updated, the product will no longer function in any
environment other than to view an archive. This five-day grace period is designed in
such a way that it will not cease to function on a weekend or the Monday following
the five-day grace period.
During this process you must contact your reseller or PKWARE, Inc. at 1-937-847-
2687 to obtain licensing to allow use beyond the conditional period.
Operating Environment
SecureZIP for iSeries is distributed in a standard library, such as PKW81051S
where the 800 is the version release of SecureZIP for iSeries and 510 is the
minimum OS/400 operation system release that it supports (such as V5R1M0). The
SecureZIP for iSeries library contains programs, commands, help panels, message
file, license files, translation source file, command source file, CL source file
(CVTNAME CL program and examples), and the SecureZIP for iSeries control data
area necessary to run the product. As released, the distributed library PKW81051S
must be in the library list and the library name must be the same as distributed.
The library name used by SecureZIP for iSeries is determined by the data area
PKZDTA5.
44

PKZDTA5 Data Area
The “PKZDTA5” data area is required to be in the library list in order run the
programs and commands of SecureZIP for iSeries. The data area is 50 bytes in
length with the following layout:
Bytes 1 thru 10 - Library name for the product (required to run the product).
Bytes 11 thru 20 - Release Levels for SecureZIP for iSeries.
Bytes 21 thru 40 - Distribution and Generation Information only.
Bytes 41 thru 50 - Global settings.
Byte 41 - Disallow wildcard selection
N = Wildcard selection is permitted (default).
Y = Wildcard selection with PKZIP is not permitted.
An example of the “DSPDTAARA PKZDTA5” output might look like:
Display Data Area
Data area . . . . . . . : PKZDTA5
Library . . . . . . . : PKW81051S
Type . . . . . . . . . : *CHAR
Length . . . . . . . . : 50
Text . . . . . . . . . : SecureZIP for iSeries Library-V8.0
Value
Offset *...+....1....+....2....+....3....+....4....+....5
0 'PKW81051S V8.0 NNOV5R1M0 N '
The running of SecureZIP for iSeries requires the data area to determine the
library name to use for running the commands, help panels, and message file.
How to Change the Standard PKZIP Library Name
To assist the customer in changing the environment for running the SecureZIP for
iSeries product, the program “PKZSETLIB” has been included in the distribution
library. PKZSETLIB will set the PKZDAT5 data area’s library name and will change the
commands and help panels to recognize the library links.
An example of how use PKZSETLIB to change the standard library name to a user
environment library name is shown in the steps below:
1. Rename the SecureZIP for iSeries standard library to the new library name:
RNMOBJ OBJ('PKW81051S) OBJTYPE(*LIB) NEWOBJ(newlib)
2. Verify that newlib is in library list with ADDLIBLE or EDTLIBL:
ADDLIBLE newlib
3. Execute PKZSETLIB program to change the data area and change links:
CALL PKZSETLIB ('newlib')
4. Display the PKZDTA5 data area and verify that the Library has been changed.
DSPDTAARA PKZDTA5 (Positions 1 thru 10 should contain newlib)
5. Test the commands PKZIP or PKUNZIP to make sure they execute correctly.
45

At this point the “newlib” is the new SecureZIP for iSeries library for this
environment and will need to be placed in the library list to run.
Alternate Install from SAVF with Non-Standard Library Name
After the SAVF is ready to restore the library, a slight modification to the commands
as shown in above will be required. In the RSTLIB command you will specify “newlib”
in the parameter RSTLIB to restore the library with the new library name.
For example:
RSTLIB SAVLIB('PKW81051S) DEV(*SAVF) SAVF(mylib/ PKW810)
RSTLIB(newlib)
To complete the installation, do the following:
1. Add the “newlib” to your library list with ADDLIBLE:
ADDLIBLE newlib
2. Execute the PKZSETLIB program to change data area and change links:
CALL PKZSETLIB ('newlib')
3. Display the PKZDTA5 data area and verify that the Library has been changed.
DSPDTAARA PKZDTA5 (Positions 1 thru 10 should contain newlib)
4. Test the commands PKZIP or PKUNZIP to make sure they execute correctly.
At this point the “newlib” is the new SecureZIP for iSeries library for this
environment and will need to be placed in the library list to run.
Running Without the PKZIP Library in the Library List
SecureZIP for iSeries can run without the library in the library list as long as a
data area as described above is in a library that is in the library list. One method is
qualifying the command with the library name, such as:
mylibrary/PKZIP ARCHIVE(‘myarchive/V5(test1)’ FILES(“testlib/*all’)
The other method copies the commands to a library that exist in their library List.
Note: The running of SecureZIP for iSeries requires the data area to determine
the library name to use for running the commands, help panels, and message files.
The following are five steps to run SecureZIP for iSeries without its distribution
library in the library list.
Assume 'PKW81051S’ is the SecureZIP for iSeries library and the customer’s
library MYlibrary is in the customer’s standard library list. We will now add three new
objects to the library MYlibrary.
1. Create a new data area in the chosen library MYlibrary:
CRTDTAARA DTAARA(MYlibrary/PKZDTA5) TYPE(*CHAR) LEN(50)
TEXT('PKZIP control data area')
2. Next set the data area value to the same values found in supplied data area
in the PKZIP Library.
“DSPDTAARA 'PKW81051S/PKZDTA5” output might look like:
46

Display Data Area
Data area . . . . . . . : PKZDTA5
Library . . . . . . . : PKW81051S
Type . . . . . . . . . : *CHAR
Length . . . . . . . . : 50
Text . . . . . . . . . : SecureZIP for iSeries Library-V8.0
Value
Offset *...+....1....+....2....+....3....+....4....+....5
0 'PKW81051S V8.0 NNOV5R1M0 N '
3. Now change the data area:
CHGDTAARA DTAARA(MYlibrary/PKZDTA5)
VALUE(''PKW81051S V8.0xxxV5R1M0')
4. Next we need to copy the two commands to the MYlibrary Library.
CRTDUPOBJ OBJ(PKZIP) FROMLIB(PKW81051S) OBJTYPE(*CMD)
TOLIB(MYlibrary)
RTDUPOBJ OBJ(PKUNZIP) FROMLIB(PKW81051S) OBJTYPE(*CMD)
TOLIB(MYlibrary)
At this point, PKZIP will work for all users that have the library MYlibrary in
their library list.
Note: When installing another SecureZIP for iSeries version the same process
should be followed in order to pick up the latest settings of the data area and
commands.
Next ensure the SecureZIP for iSeries library is NOT in your library list and run a
few sample tests for PKZIP and PKUNZIP to make sure the product works.
47

5 File Selection and Name Processing
ZIP Processing File Selection
This section discusses how file selection is performed for ZIP processing with
SecureZIP for iSeries. The primary commands used for ZIP processing are
discussed here, along with some overview notes and known restrictions.
This section also discusses how files are selected within an iSeries environment.
Remember, ZIP directory entries within a ZIP archive will be defined in a systemindependent
format, which is not iSeries compatible.
Note: Directory entries within a ZIP archive are actually in a format compatible with
UNIX systems and have been translated into the ASCII character set. In addition, the
dataset level separators are typically set as the forward slash (“/”), not the period
(“.”) as in iSeries, although this can be controlled through command actions in
SecureZIP for iSeries.
See Chapter 8 for further information on how SecureZIP for iSeries handles file
name interchanges between iSeries and common ZIP format.
Primary File Selection Inputs
SecureZIP for iSeries will only process:
• iSeries objects of type FILE (only with attributes PF-SRC, PF-DTA, and SAVF).
• IFS stream files (*STMR) and IFS directories(*DIR).
• Spool files.
Other objects must first be unloaded into an iSeries save file (SAVF) before they can
be processed by SecureZIP for iSeries (see: Use of SAVF Method).
The FILES parameter in both PKZIP and PKUNZIP specifies which files are to be
processed for all files except spool files (SPLF have their own selection parameters).
One or more names can be specified, and each name is in either OS/400 QSYS
format, or IFS format, depending on F2ZTYPE settings. An asterisk may be used at
the end of the library name, file name, or member name to select names beginning
with the prefix used. To select all members of a file, *ALL may be used. To select all
files in a library *ALL may be used (as long as it is qualified by at least a library
48

name), for example, FILES('mylib/*ALL' ). If *ALL is specified without at least a
qualifying library name, the specification is ignored and no files will be selected.
The SecureZIP for iSeries QSYS file system expands a partial file specification in
several ways to make file specification more convenient. Each file specification may
consist of a filename; a library name; a file name and member name; a library name
and file name; or a library name, file name, and member name. iSeries SAVF may
also be selected, but because a *SAVF file does not contain members, a SAVF will
not be selected if a member name was included in the file specification.
In the Integrated file system, each file specification may consist of a directory, a
path of directories, a directory and file, or a path of directories and file.
The various combinations that may be used are shown below:
File
Type
File specification Expanded As Notes
QSYS library*/ library*/*all(*all) Finds all files in libraries
beginning with library.
fileinlib *LIBL/fileinlib(*ALL) Searches library list for
all files called fileinlib. If
a matching file is found,
all of its members will
be selected. If a SAVF
is found, it will be
selected.
fileinlib*(mem*) *LIBL/fileinlib*(mem*) Searches library list for
all files beginning with
fileinlib. If a matching
file is found, members
beginning with mem*
will be selected. If a
SAVF is found, it will
NOT be selected
because the file
specification includes a
member name.
library*/file* library*/file*(*ALL) Searches libraries that
begin with library prefix
and for files that begin
with file prefix. If a
matching file is found,
all of its members will
be selected. If a SAVF
is found, it will be
selected.
49

File
Type
File specification Expanded As Notes
library*/file*(memo*) library*/file*(mem*) Searches libraries that
begin with library prefix
and files that begin with
file prefix. If a matching
file is found, members
beginning with mem
prefix will be selected.
If a SAVF is found, it will
not be selected
because the file
specification includes a
member name.
IFS Dir/* Dir/*all Searches all files in
path DIR.
Spool
Files
N/A
Uses parameters:
SPLFILE, SFUSER,
SFQUEUE, SFFORM,
SFUSRDTA,
SFSTATUS,
SFJOBNAM, and/or
SPLNBR.
Note: If parameter TYPE(*DELETE) is used, then the file name format for these
names must be in MS/DOS format (that is, if CVTFLAG has not been used). See the
FILES keyword. Files may also be excluded. See the EXCLUDE keyword.
The valid parameter values for the FILES keyword are as follows:
'file specification 1' 'file specification 2'...'file_specification nn'
This is the list of one or more file specifications, separated by spaces.
For example:
mylib/myfile(prf*)
mylib/*all(*all)
By default, SecureZIP for iSeries does a match on files in the QSYS library system
with no case sensitivity and in the IFS with case sensitivity. Some IFS file systems
contain case sensitive file names. To force SecureZIP for iSeries to perform noncase
sensitive file name matching use TYPFL2ZP(*IFS2).
File Exclusion Inputs
Using similar file specification techniques as described above in the Primary file
Selection Inputs section, SecureZIP for iSeries can specify from one to many file
patterns that will be used to exclude files that were selected with the FILE
parameter. The files can be inputted into the command parameter EXCLUDE or into a
text file that can be processed by parameter EXCLFILE.
Care should be taken when using wildcards excluding inputs to ensure that FILES
and EXCLUDE parameters select the desired files.
50

Input ZIP Archive Files
During a FRESHEN or UPDATE request, files contained within the existing ZIP archive
are added to a candidate list. Names stored previously are used to search the system
files for viability (any file names not found in the system remain in the ZIP archive).
SPOOL File Selecting
The FILES parameter is not used to select spool files for compression, but instead
uses its own selection parameters.
There are eight positional parameters that can be specified to select the spool files:
the SPOOL FILE NAME (SPLFILE), the SPOOL FILE NUMBER (SPLNBR), the user that
created the files (SFUSER), the OUTQ that the file is residing (SFQUEUE), the form
type specified (SFFORM), the user data tag associated with the spool file
(SFUSRDTA), the status of the spool file (SFSTATUS), or the specific job name/user
name/job number (SFJOBNAM). Only files that meet all of the selection values will be
selected.
If the parameter SFJOBNAM is coded, the job must exist and the parameter SFUSER
will be ignored, since it is already part of the SFJOBNAM parameter.
51

6 ZIP Files
Data Format - Text Records vs. Binary Records
Binary data is stored in a ZIPPED archive in its original format. Binary data may be
graphics or numbers that are already in “computer format.” Therefore, no translation
is done, and EBCDIC will remain EBCDIC. The length of binary records in UNZIP
processing is determined by the archive’s fixed-length records. SecureZIP for
iSeries will fill the available block automatically according to allocation
specifications.
In the context of ZIPPED archives, a “text file” is one that is stored in the ASCII
format. A text file contains records of data, each separated by a delimiter to signify
the end of the record.
Note: An EBCDIC file containing text information (such as source code) can be
stored in its original format by using BINARY, but it is not considered to be a “text”
file within the ZIP architecture.
SecureZIP for iSeries uses the default line delimiter CR-LF (X’0D0A’) at the end of
each text record. Text file members in the QSYS library file system use new line
characters (NL=X’15’) internally. SecureZIP for iSeries will handle the CR-LF and
NL in both extraction and compressions automatically.
At the time of PKUNZIP file extraction, SecureZIP for iSeries will convert text data
from ASCII to EBCDIC by using a translation table. During installation, several
translation tables are available, and the customization process will select one of the
translation tables as a default. Additional translation tables may be created through
the customizing procedure.
Situations may arise in unique platform interchanges, or when working with text files
from other countries where the default text translation table is not adequate. Users
may select any available translation table by using TRAN and FTRAN parameters.
SecureZIP for iSeries extracts text records stored in the ZIP archive by examining
data for record delimiter and file terminator indicators. Using these indicators,
SecureZIP for iSeries aligns records in accordance with target file attributes.
Text files (such as program source code) are held within an archive using the ASCII
character set for compatibility with other versions of PKZIP ® . For these to be usable
on OS/400, they must be converted to the IBM EBCDIC character set. Additionally,
the carriage return and line feed characters must be removed before writing lines to
52

a file because OS/400 files are record-based and do not use control characters to
separate records or lines. Text files usually have spaces at the end of a line. When
using the text file handlers, SecureZIP for iSeries has less data to read because
the input/output routines remove trailing spaces and replace them with a new line
character. This improves SecureZIP for iSeries performance.
When extracting files from an archive, SecureZIP for iSeries must know whether
to perform text conversions. SecureZIP for iSeries stores an indicator in the
archive file’s local header defining if a file is binary or text-based. Because this
indicator may be wrong in some circumstances, use the FILETYPE keyword to specify
whether text conversions are required. When adding files to an archive, SecureZIP
for iSeries will flag the file according to the FILETYPE used.
SecureZIP for iSeries uses translation tables that should be suitable for most
customers, but some users may wish to alter the tables. The procedure for changing
the translation tables is discussed. If text files are only used on iSeries, then the
FILETYPE(*EBCDIC) may be used. This uses iSeries files “as is” for the file (which are
faster for text files), but does not translate the data to ASCII. This will provide a
small improvement in performance.
Additionally, SecureZIP for iSeries will translate each character in a text file from
EBCDIC character format to ASCII character format by default. This is done using
one of the two internal translation tables, which are named UKASCII and USASCII. It
is recognized that these translation tables may not suffice for all countries or all
situations, especially on those sites where text files are received from several
different countries for processing into a single format. The source of the translation
tables used by the PKZIP and PKUNZIP programs has been supplied, together with
instructions for modifying the tables to create additional files (see Appendix F for
details). This enables sites to modify the translation table as required.
In a case where FILETYPE is neither *TEXT nor *BINARY, *DETECT is the default
mode. PKZIP will read up to 64K of data from the input file and scan it for nontranslatable
text characters using the active text translation table. If any characters
will not translate successfully using this method, the entire file will be treated as if
*BINARY has been used.
Note: One exception to this is X’00’ or the NULL terminator character, which is
commonly used in C language. The NULL character will be allowed within the files. If
file type is of a file in the archive is unknown whether it is text or binary, the user
may use the TYPE(*VIEW) and VIEWOPT(*DETAIL) parameters to examine the file
attributes.
File Attributes
Within each ZIP archive there are two different directories providing information
about the files held in that archive. A local directory is included at the front of each
file, with information pertaining to each file (for example: file size and date ZIPPED),
and a central directory is located at the end of the ZIP archive. The central directory
lists the complete contents of the ZIP archive and is the primary source of
information for UNZIP processing.
SecureZIP for iSeries will store extended attributes about the file that can be
useful in recreating the file during UNZIP processing. See Appendix K.
53

PC Shared Drives Format
One common mistake made when extracting a text file to a shared drive folder in the
IFS where the file will be used by a Windows application is to extract the file in text
mode. Extracting a file as a TEXT file on the iSeries will cause PKUNZIP to translate
the file to the EBCDIC format since this is the native iSeries format. The Windows
application expects the file to be in ASCII, so therefore this file should be extracted
using binary, since the files are stored in ASCII in the archive.
54

7 File Extracting Process
Extracting Files to the QSYS Library File System
When extracting files to the QSYS library file system using TYPFL2ZP(*DB), some
items to consider are 1) does the file exist or will a new file be create?, 2) did the file
come from SecureZIP for iSeries or did it come from another platform?, 3) are the
files text type files from another platform where I need to know the record length,
etc. These are just a few questions that might impact how you want to extract the
files.
If the file does not exist and if the file did not come from SecureZIP for iSeries,
you should provide a record length for the file with the parameter DFTDBRECLN. If
the file is coming from SecureZIP for iSeries or PKZIP for zSeries the record
length will be in the extra data. If the file is from SecureZIP for iSeries and the
parameter was DBSERVICE(*YES), the complete database definition from the
extract data for database will be used to create the file.
If the file is to be created as text and the record length is too short then you will
receive messages indicating the records are being truncated.
Two common parameters that are used to alter or guide the extraction process are
the EXDIR and DROPPATH parameters. EXDIR provides the path library or library/file
that the file will be extracted to when no library or path exist for the files in the
archive. Of course, this is where the DROPPATH comes in to drop the first path or
library with *LIB or to remove all paths in a name with *ALL.
For example, files in an archive might look like this:
Archive/#1:
My Document/myfiles/test/myheader.txt
My Document/myfiles/test/mydata.txt
My Document/myfiles/test/mytrailer.txt
Archive/#2:
QGPL/QCLSRC/MYCL01
QGPL/QCLSRC/MYCL02
QGPL/QCLSRC/MYCL03
QGPL/QCLSRC/MYCL04
In archive #1 lets assume that all three text files are of different records lengths. If
we want to extract each with their own length, we would have to make three runs to
55

create the files with different parameters. Or we could use CRTPF and create each of
the files so the files would exist with the proper record length.
PKUNZIP ARCHIVE('Archive/#1') FILES('My
Document/myfiles/test/myheader.txt') TYPE(*EXTRACT)
EXDIR('MYLIB/MYHEADER') DROPPATH(*ALL) DFTDBRECLN(50)
CVTTYPE(*DROP)
PKUNZIP ARCHIVE('Archive/#1') FILES('My Document/myfiles/test/mydata.txt')
TYPE(*EXTRACT) EXDIR('MYLIB/MYDATA') DROPPATH(*ALL) DFTDBRECLN(150)
CVTTYPE(*DROP)
PKUNZIP ARCHIVE('Archive/#1') FILES('My
Document/myfiles/test/myheader.txt') TYPE(*EXTRACT)
EXDIR('MYLIB/MYTRAILER') DROPPATH(*ALL) DFTDBRECLN(20)
CVTTYPE(*DROP)
The commands above would create three files in library MYLIB, with all files having
different record lengths.
Now suppose the files already exist with the names and record lengths. In this case,
we could do all three files at once with:
PKUNZIP ARCHIVE('Archive/#1') TYPE(*EXTRACT) EXDIR('MYLIB/?MBR')
DROPPATH(*ALL) CVTTYPE(*DROP) OVERWRITE(*YES)
The MBR will force each member name to also become the file name.
In archive #2, let’s assume that we want to extract the CL source member and place
them in a different library call MYNEWLIB. If the QCLSRC file does not exist and the
archive was not built with DBSERVICE(*YES), then you would need to do a
CRTSRCPF FILE(MYNEWLIB/QCLSRC)
to have the file setup correctly for source files. If the QCLSRC file already exist in
MYNEWLIB or the archive was built with DBSERVICE(*YES), then no special handling
is required.
Authority Settings
When extracting files into the QSYS library file system, whether the files came from
the AS/400 or another platform, the authorities are not taken from the archive, but
from the user’s current environment settings. The file’s authority is not stored in the
archive.
If a library is required to be created, PKUNZIP would create the library as if the
current user was issuing a CRTLIB command. For standard settings, it might create
the library with the following authority settings:
Data --Object Authorities--
User Authority Exist Mgt Alter Ref
*PUBLIC *RWX
USER *RWX X X X X.
If the file does not exist, PKUNZIP will be required to create the file. If the file does
exist no authorities are changed. If the file is created, the authority will be the same
as if the user was issuing a CRTPF command in their environment. For most standard
settings, it would create the file with the following authority settings:
56

Data --Object Authorities--
User Authority Exist Mgt Alter Ref
*PUBLIC *RWX
MYOWNER *RWX X X X X
Extracting Files to the IFS
When extracting files to the integrated file system with TYPFL2ZP(*IFS), record
lengths are not a concern as they were in the QSYS library file system. The main
considerations when extracting to the IFS is “what paths do you want for the file, or
should the file be stored in EBCDIC or ASCII”.
Path Considerations
If the name of files in the archive, starts with ‘/’, then with no other changes this will
be extracted to the root of the system with the first name in the path. This form of
pathname is called a fully qualified path.
If the name does not start with a ‘/’, the item will be extracted to the paths based on
the current directory (DSPCURDIR). This form of pathname is called a relative path.
In both cases if the path(s) does not exist, the path(s) will be created with the
attributes of the parent folder.
Changing the path(s)
In cases where the path that is stored with a name of the file in archive is not
desired, then using the EXDIR and DROPPATH parameters should help guide the file
to where it should be placed.
Using EXDIR, you can define the path of the file(s) that will be extracted. If you need
to remove the path of the file in the archive, you can use DROPPATH(*ALL) to
remove all the paths before extracting or you can use DROPPATH(*LIB) to remove
only the first path name.
Again the coding of EXDIR follows the same rule with regards to fully qualified path
or relative path.
File Type Considerations
When extracting a file, the decision to whether the contents of file should be stored
in ASCII or EBCDIC needs to be made.
If the file is not a text file, it does not matter and should be stored as binary. If the
file is text, and will be used by a PC program, chances are the data is expected to be
in ASCII. Since the files are stored in the archive as ASCII, these files should be
extricated as TYPEFILE(*BINARY). If the file is to be used by an AS/400 application
or will be translated later, then chances are the file should be stored in EBCDIC. In
this case use TYPEFILE(*TEXT) to extract the file in EBCDIC.
57

Authority Settings
If directories are required to be created during the extraction, the authority settings
will be created according to the create directory definitions of the DTAAUT(*INDIR)
and OBJAUT(*INDIR) parameters.
The authority for the directory being created is determined by the directory it is
being created in. The directory immediately preceding the new directory determines
the authority. A directory created in the root is assigned the public authority given to
objects in the root directory. A directory created in QDLS for a folder defaults to
*EXCLUDE for a first level folder. If created in the second level or greater, the
authority of the previous level is used. The QOpenSys and root file systems use the
parent directory's DTAAUT value.
The object authority is based on the authority for the directory where this directory is
being created.
For IFS files, the access permissions flags of the file are captured. For Example:
• S_IRUSR - Read permission for the file owner
• S_IWUSR - Write permission for the file owner
• S_IXUSR - Search permission (for a directory) or execute permission (for a
file) for the file owner
• S_IRGRP - Read permission for the file's group
• S_IWGRP - Write permission for the file's group
• S_IXGRP - Search permission (for a directory) or execute permission (for a
file) for the file's group
• S_IROTH - General read permission
• S_IWOTH - General write permission
• S_IXOTH - General search permission (for a directory) or general execute
permission (for a file)
These access permission flags will be set for the owner that is running the PKUNZIP
job and not the original owner.
Other user permissions from the parent folder will also be set for the file.
For example, the folder being extracted into has *PUBLIC as *EXCLUDE, the
extracted file will also have *PUBLIC as *EXCLUDE.
Extracting Spool Files
When extracting spool files with PKUNZIP, the attributes at the time of compression,
will be preserved except for new spool file numbers. That will be generated.
Parameter SPLUSRID is for the user ID on the new extracted spool file. If it is *DFT
the original user ID will stay with the new spool file. Parameter SFQUEUE is for the
OUTYQ and OUTQ library that the new extracted spool file will be placed. If *DFT is
specified then the original OUTQ will be used to place the spool file.
58

Note on extracting Spool Files: To create or extract spool file with
PKUNZIP, the user must have *USE authority to the API QSPCRTSP.
The normal setting for the API QSPCRTSP is Authority
PUBLIC(*EXCLUDE). The API authority is set this way so that system
administrators can control the use of this API. This API has security
implications because you can create spooled file from the data of
another spooled file. To allow user to extract spool files change the
API authority on a need basis.
When extracting a spool file with PKUNZIP, the new spooled file will be created with
attributes based on values taken from the spooled file attributes when PKZIP
archived the spool file. The spool file’s file number, job, job user, job number, date,
and time are controlled by IBM OS/400 operating system during the creation of a
spool file.
The new spool file that is created by the PKUNZIP is spooled under one of two jobs
and is dictated by IBM’s create spool file API. The job is determined by the username
field from the attributes. If the user name is the current user, it is a part of the
user's job and is owned by the user profile that the job was started with. First the
user profile for the user name must already exist. When using the user id override
(parameter SPLUSRID), the spool file will be now belong to the override user.
If the ownership of the new spooled file is assigned to a different user by a different
user profile name in the user-name field from the attributes, then the current user
must have *SPLCTL authority to assign the spooled file to another user. When this is
done, the new spooled file is by the user specified in the user name field or override
parameter. The new spooled file is then part of a special system job (QPRTJOB) that
is created for each user.
The new spooled file is placed on the output queue specified in the output queue
name field from the original spool file attributes. If the parameter SFQUEUE is used it
will override the attribute for the output queue.
In both cases, the spooled file name is the one contained in the spooled file
attributes parameter. The spooled file number will be the next sequential one
available for the job that the spooled file becomes a part of.
OS/400 authority requirements when extracting spool files:
• Special Authority - *SPLCTL. This authority is needed if you are creating a
spooled file for another user.
• Output Queue Authority -*USE
• Output Queue Library Authority - *EXECUTE
• Object QSPCRTSP API Authority -*USE
The following are several examples of results of extracting spool files:
Start with archiving the following spool files that were created with job MYJOB1 and
user EVWSS:
File File Nbr Job User Number Date Time
QSYSPRT 397 MYJOB1 EVWSS 010893 12/11/02 13:35:29
QSYSPRT 398 MYJOB1 EVWSS 010893 12/11/02 13:36:09
QSYSPRT 399 MYJOB1 EVWSS 010893 12/11/02 13:36:09
59

Now extract with job MYJOB1 and user EVWSS but now on a different day and job
number:
File File Nbr Job User Number Date Time
QSYSPRT 2 MYJOB1 EVWSS 010927 12/12/02 09:57:42
QSYSPRT 3 MYJOB1 EVWSS 010927 12/12/02 09:57:42
QSYSPRT 4 MYJOB1 EVWSS 010927 12/12/02 09:57:42
Next extract with job MYJOB2 and user EVWSS but now on a different day and job
number:
File File Nbr Job User Number Date Time
QSYSPRT 2 MYJOB2 EVWSS 010928 12/12/02 09:59:06
QSYSPRT 3 MYJOB2 EVWSS 010928 12/12/02 09:59:06
QSYSPRT 4 MYJOB2 EVWSS 010928 12/12/02 09:59:06
Next, using the user, override with the SPLUSRID(WSS) and submit MYJOB1 with
user EVWSS.
File File Nbr Job User Number Date Time
QSYSPRT 26 QPRTJOB WSS 010118 12/12/02 10:02:50
QSYSPRT 27 QPRTJOB WSS 010118 12/12/02 10:02:50
QSYSPRT 28 QPRTJOB WSS 010118 12/12/02 10:02:50
Notice that the job was changed to QPRTJOB since the user being extracted was
different than the user running the Job.
Next being signed on as user WSS, submit a job MYJOB11 with the job parameter
USER profile specified for user EVWSS.
SBMJOB CMD(PKUNZIP ARCHIVE('atest/splftst/tst02')
TYPE(*EXTRACT)) JOB(MYJOB11) USER(EVWSS)
File File Nbr Job User Number Date Time
QSYSPRT 2 MYJOB11 EVWSS 010936 12/12/02 10:25:25
QSYSPRT 3 MYJOB11 EVWSS 010936 12/12/02 10:25:25
QSYSPRT 4 MYJOB11 EVWSS 010936 12/12/02 10:25:25
60

8 iSeries File Processing Support
SecureZIP for iSeries can support files maintained in both the traditional QSYS
library file system and in IFS (integrated file system) along with supporting spool
files.
QSYS (Library File System)
The QSYS file system supports the iSeries library structure. This file system provides
access to database files and all other iSeries object types that the library manages.
On the IBM iSeries system, each QSYS type file (also called a file object) has a
description that details the file characteristics and how the data associated with the
file is organized into records, and, in many cases, the fields associated for each
record. Whenever a file is processed, the iSeries uses this description.
Of the objects in the library system, SecureZIP for iSeries will only process
physical files that have an attribute type of PF-DTA (physical data files), PF-SRC
(physical source file), or SAVF (save files).
QSYS files always exist in a library, and the PF-DTA and PF-SRC files (if data exist)
will always have one to many members in the file. Therefore, PF-DTA and PF-SRC
files have a name format of “library/file(member).” A SAVF (a special type of iSeries
file for saving and restoring iSeries objects) does not have any members giving a file
format of “library/file.” Because SAVF types are handled in a special way, they are
given additional consideration (see SAVF and use of SAVF method).
QSYS Summary
If the archive file is to be in the QSYS library system, set parameter
TYPARCHFL(*DB).
If the file being compressed or extracted is in the QSYS library system, set
parameter TYPFL2ZP(*DB).
If the list files (see Appendix E) are to be in the QSYS library system, set parameter
TYPLISTFL(*DB).
61

Format Summary:
PF-DTA
PF-SRC
SAVF
LIBRARY/FILE(MEMBER)
LIBRARY/FILE(MEMBER)
LIBRARY/FILE
IFS (Integrated File System)
The integrated file system is a part of iSeries which supports stream input/output
and storage management similar to personal computer and UNIX operating systems,
while providing an integrating structure over all information stored in the iSeries.
The key features of the integrated file system are:
• Support for storing information in stream files that can contain long
continuous strings of data. These strings of data might be, for example, the
text of a document or the picture elements in a picture. The stream file
support is designed for efficient use in client/server applications.
• A hierarchical directory structure that allows objects to be organized by
specifying the path through the directories to an object for access to an
object.
• A common view of stream files stored locally on iSeries, Integrated Netfinity
Server for iSeries, or a remote Windows NT server. Stream files can also be
stored remotely on a local Area Network (LAN) server.
Directories and Current Directory
A directory is a special object that is used to locate objects by names specified by
users. Each directory contains a list of objects that are attached to it, and that list
may include other directories.
The current directory is the first directory in which the operating system locates files,
and where it also stores temporary files and output files. When you request an
operation for an object, such as a file, the system searches for the object in the
current directory, unless a different directory path is specified. The current directory
is similar in nature to the current library. If the file selection does not start with ‘/’
(Root Directory), the files should be in the path of the current directory.
Path and Path Names
A path name (also called a pathname on some systems) informs the system how to
locate an object. The path name is expressed as a sequence of directory names
followed by the name of the object. Individual directories and the object name are
separated by a slash (/) character. An example might be: directory1/directory2/file.
For convenience, the back slash (\) can be used instead of the slash in integrated file
system commands.
There are two ways of indicating a path name:
An absolute path name begins at the highest level, or root directory (which is
identified by the / character). For example, consider the following path from the /
directory to the file named testit: /mydept/myfiles/testit.
62

If the path name does not begin with the / character, the system assumes that the
path begins at your current directory. This type of path name is called a relative path
name. For example, if your current directory is mydept and it has a sub-directory
named myfiles containing the file testit, the relative path name to the file is:
myfiles/testit. Notice that the path name does not include the name of the current
directory. The first item in the name is the directory or object at the next level below
the current directory.
Stream Files
A stream file is a randomly accessible sequence of bytes with no further structure
imposed by the system. The integrated file system provides support for storing and
operating on information in the form of stream files. Documents that are stored in
iSeries folders are stream files. Other examples of stream files are PC files and the
files in UNIX systems. An integrated file system stream file is a system object that
has an object type of *STMF.
Other IFS Objects
There are other object types (such as link objects, etc.) in the IFS which at this time
are not supported by SecureZIP for iSeries.
File Systems in the IFS
There are currently ten (10) file systems that are part of the integrated file system.
Each file system is a major sub-tree in the IFS directory structure. A file system
provides the support to access specific segments of storage that are organized as
logical units. These logical units on the iSeries are files, directories, libraries, and
objects.
Each of these file systems has a set of logical structures and rules for interacting
with information in storage. These structures and rules may be (and often are)
different from one file system to another. The IFS treats the library support and
folders support as separate file systems.
The ten file systems are:
• “root” - / file system. This file system takes full advantage of stream file
support and hierarchical directory structure of the integrated file system. The
root file system has the characteristics of the Disk Operating System (DOS)
and OS/2 file systems. Most of references throughout this guide refer to the
“root” system.
• QDLS - Document Library Services file system. This file system provides
access to documents and folders. See IBM’s Office Services Concepts and
Programmer’s Guide (SH21-0703) for additional information.
• QOPT - Optical file system. This file system provides access to stream
data that is stored on optical media (such as CDs). See IBM’s Optical Support
(SC41-5310) for additional information.
• QSYS.LIB - Library file system. This file system supports the iSeries
library structure and provides access to database files and all of the other
iSeries object types that the library support manages.
63

• NFS - Network File System. This file system provides the user with access
to data and objects that are stored on a remote NFS server. An NFS server
can export a network file system that NFS clients will then mount
dynamically. See IBM’s OS/400 Network File System Support (SC41-5714) for
additional information.
• QFileSvr.400. This file system provides access to other file systems that
reside on remote iSeries systems. See IBM’s Integrated File System
Introduction (SC41-5711) for additional information.
• QNetWare - QNetWare file system. This file system provides access to
local or remote data and objects that are stored on a server that runs Novell
NetWare 4.10 or 4.11 or to standalone PC servers running Novell Netware
3.12, 4.10, 4.11, or 5.0. A user can mount NetWare file systems over existing
local file systems dynamically. See File Management (SC41-5710) for
additional information.
• QNTC Windows NT Server file system. This file system provides access to
data and objects that are stored on a server running Windows NT 4.0 or
higher. It allows iSeries applications to use the same data as Windows NT
clients. This includes access to the data on a Windows NT Server that is
running on an integrated PC Server. See IBM’s OS/400-iSeries Integration
with Windows NT Server (SC41-5439) for details.
• QOpenSys - Open Systems file system. This file system is compatible
with UNIX-based open system standards, such as POSIX and XPG. Like the
root file system, this file system takes advantage of the stream file and
directory support that is provided by the integrated file system. In addition, it
supports case-sensitive object names. See IBM’s Integrated File System
Introduction (SC41-5711) for additional information.
• UDFS - User-Defined File System. This file system resides on the Auxiliary
storage pool (ASP) of the user’s choice. The user creates and manages this
file system. See IBM’s Integrated File System Introduction (SC41-5711) for
additional information.
SecureZIP for iSeries works with all file systems, but the rules of each file system
must be adhered to or a file I/O error will most likely occur. In most cases, the files
can be compressed and extracted in one run when all the file names and paths meet
the file system’s rules. When creating an archive file in one file system, one
restriction is that when using the TMPPATH option, the temp path must also be in the
same file system as the archive files.
On the following pages are rules for some of the most used file systems.
Document Library Services File System (QDLS)
The QDLS file system supports the folders structure. It provides access to documents
and folders. Additionally, it supports iSeries folders and document library objects
(DLOs) and supports data stored in stream files.
Considerations and Limitations:
• You must be enrolled in the system distribution directory when working with
objects in QDLS.
• QDLS converts the lowercase English alphabetic characters a through z to
uppercase when used in object names. Therefore, a search for object names
64

using only those characters is not case sensitive. All other characters are case
sensitive in QDLS.
• Each component of the path name can consist of just a name, such as:
/QDLS/MYFLR1/MYDOC1 - or - a name plus an extension (similar to a DOS
file extension), such as: /QDLS/MYFLR1/MYDOC1.TXT.
• The name in each component can be up to 8 characters long, and the
extension (if any) can be up to 3 characters long. The maximum length of the
path name is 82 characters, assuming an absolute path name that begins
with /QDLS.
• The directory hierarchy within QDLS can be 32 levels deep.
• Must have proper authority within the path.
• The folders in the path must already exist.
• PKZIP will not create folders at this time.
• For more details, see the “Rules for Specifying Folder and Document Names”
discussion in the publication CL Reference.
Optical File System (QOPT)
The QOPT file system provides access to stream data that is stored on optical media
(such as CDs). Additionally, it provides a hierarchical directory structure (similar to
PC operating systems such as DOS and OS/2), is optimized for stream file
input/output, and supports data stored in stream files (known as DSTMF or
Distributed Stream Files).
Considerations and Limitations:
• QOPT converts the lowercase English alphabetic characters a to z to
uppercase when used in object names. Therefore, a search for object names
using only those characters is not case-sensitive. For more details, see the
publication Optical Support.
• The path name must begin with a slash (/) and contain no more than 294
characters. The path is made up of the file system name, the volume name,
the directory and sub-directory names, and the file name. For example:
/QOPT/VOLUMENAME/DIRECTORYNAME/SUBDIRECTORYNAME/FILENAME
• The file system name (/QOPT) is required.
• The volume name is required and can be up to 32 characters long.
• You can include one or more directories or sub-directories in the path name,
but QOPT requires none. The total number of characters in all directory
names and sub-directory names (including the leading slash) cannot exceed
256 characters. Directory and file names allow any character except X'00'
through X'3F', X'FF', lowercase alphabetic characters, and the following
characters:
• Asterisk (*)
• Hyphen (-)
• Question mark (?)
• Quotation mark (")
65

• Greater than (>)
• Less than (

For information about code pages, see the publication National Language Support.
IFS Summary
Only directories and stream files are supported by SecureZIP for iSeries.
If the archive file is to be in IFS, set parameter TYPARCHFL(*IFS).
If the file being compressed or extracted is in IFS, set parameter TYPFL2ZP(*IFS)
If the files to be selected for compression are to be non-case sensitive set parameter
TYPARCHFL(*IFS2).
If the list files are to be in IFS (see Appendix E), set parameter TYPLISTFL(*IFS).
Format Summary:
Directory Directory1/directory2 will be current
directory
Stream File filename or directory/filename will be current
directory
Full Path
/Directory1/Directory2/filename
For more information, see the IBM publication Integrated File System Introduction
(SC41-5711) or visit the IBM web site.
SAVF
SAVF, denoted by the OS/400 system TYPE(*FILE) and ATTR(SAVF), is a special
form of file designed specifically to handle save/restore data in the iSeries system.
Some SAVF special characteristics are:
• The SAVF is always processed as binary with all records being 528 characters
in length.
• Only a save and restore iSeries function can update or change data.
• A SAVF will not be selected if a member name is included in the file
specification.
• A SAVF is a means to compress other iSeries object types (programs,
modules, commands, logical files, triggers, etc.) that are in the iSeries system
by first doing a SAVLIB or SAVOBJ for those objects to a SAVF. Then you can
compress and extract the SAVF.
Compressing a SAVF file
The only difference when compressing a SAVF is not to specify a member (only
library/file). If a member is specified, then no SAVF types will be compressed.
Extracting Records into a SAVF file
It is helpful before extracting records from a ZIP archive to be aware of what file
names and file attributes are being stored for the compressed file. VIEWOPT(
67

*DETAIL) may be used on the archive to verify the information. An attribute is stored
in the archive header that identifies if the file is a SAVF. The PKUNZIP program will
also retain the original attribute from the extended attributes, such as SAVF
description and library description.
A common problem in some iSeries environments is that some users may not have
the authority to the SAVF commands which can result in failures.
Overwriting Current SAVF File
When extracting a compressed file, it may be desirable to overwrite the existing file.
By using the OVERWRITE(*YES) parameter, PKUNZIP will first issue a CLRSAVF
command to clear the save file. This demonstrates why care should be taken when
extracting a SAVF.
Compressing Spool Files
SecureZIP for iSeries has the ability to select, compress and extract spool files.
Not only can a spool file be compressed, they can be converted to other document
formats that will allow the document file to be distributed and read by other media
and software.
All spool files are eligible for compression but only spool file types *SCS, *IPDS are
supported for text document conversion.
By using the PKZIP command and setting parameter TYPFL2ZP(*SPL), other
parameters will be shown to help select the spool files. To assist, a new command
PKZSPOOL is provided to sequenced the selections and to eliminate parameters that
are not valid for the selection of spool files.
Spool file parameters specifies the group of spool files that are to be selected. Eight
positional values can be specified to select the spool files: the spool file name
(SPLFILE), the spool file number (SPLNBR), the user that created the files (SFUSER),
the OUTQ that the file is residing (SFQUEUE), the form type specified (SFFORM), the
user data tag associated with the spool file (SFUSRDTA), the status of the spool file
(SFSTATUS), or the specific job name/user name/job number (SFJOBNAM). Only files
that meet all of the selection values will be selected. A sample of the default
selection parameters is shown in the window below:
Selection sample using the PKZSPOOL command.
Type choices, press Enter.
SPLF File Compression 8.0 (PKZSPOOL)
Archive Zip File name . . . . . > myar
Spool File . . . . . . . . . . . *ALL Spool File Name, *All
Spool File User . . . . . . . . *CURRENT User ID, *CURRENT, *ALL
+ for more values
Output Queue Name . . . . . . . *ALL OutQ name, *ALL
Library . . . . . . . . . . .
Library, *LIBL, *CURLIB
Print Form Type . . . . . . . . *ALL Form Type, *STD, *ALL
Print File User Specified Data *ALL User Data, *all
Spool Files Status . . . . . . . *ALL *ALL, *READY, *HELD...
+ for more values
68

Spool File Job Name . . . . . .
Job name, blank for all
User . . . . . . . . . . . . .
User Id
Job Number . . . . . . . . . .
Job Number
Spooled file number . . . . . . *ALL 1-9999, *ALL, *LAST
Target File Format . . . . . . . *SPLF *SPLF, *TEXT, *PDF, *TEXT1...
Target File Name . . . . . . . . *GEN1
Type of processing . . . . . . . *ADD *ADD, *UPDATE, *FRESHEN ..
Compression Level . . . . . . . *SUPERFAST *NO, *FAST, *NORMAL, *MAX...
File Types . . . . . . . . . . . *DETECT *DETECT *TEXT *BINARY ........
Zip Spool Files . . . . . . . . *SPL *SPL
Archive Password . . . . . . . .
After defining what spool files are to be selected for compression, you will need to
define the file format the spool file should be stored in the archive. At this time,
there three formats: *SPLF (spool file native mode), *TEXT (ASCII text document
with three variations of how a new page is handled) and *PDF (Adobe portable
document format).
For use with *TEXT and *PDF there are three variations of storing the file name in
the archive with the parameter SFTGFILE. SFTGFILE (*GEN1) will generate a very
specific name using most of the spool file name attributes to form the file name so
that it will not be a duplicated. The name will be built as follows:
"Job-Name/User-Name/#Job-Number/Spool-File-Name/Fspool- File-
Number.Suffix"
For example: "MYJOB/BILLS/#152681/INVOICE/F0021.SPLF"
The suffix is dependent on the SFTARGET setting. *SPLF can only be stored
as SFTGFILE (*GEN1).
SFTGFILE (*GEN1P) will generate the same specific name generated by *GEN1
except the ‘/’ for folders will all be replaced by ‘.’ to make the file name one lone
name. For example:
MYJOB.BILLS.#152681.INVOICE.F0021.SPLF
SFTGFILE (*GEN2) uses the spool file name and appends the spool file number
followed by the suffix that is depended on the SFTARGET setting. Caution should be
taken in that a duplicate file name in the archive could be created. An example of
GEN2 is a spool file INVOICE with spool file number of 21 that will be converted to a
text file will generate a file name of INVOICE21.TXT.
In cases where a very specific name is desired for the file in archive name,
SFTGFILE() can be coded with the name. This is designed for selecting only one file
at a time otherwise file names will be duplicated. Alternatively, you could add coding
to the CVTNAME routine and use the CVTFLAG to generate the desired file name.
69

9 ZIP Archives
A ZIP archive is the storage facility for files that are compressed (or simply stored)
using the PKZIP product. The basic archive can hold up to 65,535 files, which may
have been compressed by up to 99% of their original size. Data integrity is validated
by a cyclic redundancy check (CRC) to maintain integrity of the data from the
compression through the extraction process. If the archive contains the ZIP64
archive format, the archive can support more than the 65,535 files and can be larger
than 4 Gig (See “Large Files Considerations”). In addition to the data, file attributes
are retained, allowing extraction of the same file characteristics without the need of
control card specifications. An archive can exist in three possible states during
processing, described as “old archive,” “temporary archive,” and “new archive.” An
explanation of the functions of each of these is described in the sections below.
A ZIP archive is transferable between platforms. That is, files that are compressed by
PKZIP on one platform may be extracted by PKZIP on a different platform,
maintaining identical data.
This chapter describes the types of files used by SecureZIP for iSeries and
provides a description of the way in which they are accessed by SecureZIP for
iSeries ZIP archives.
SecureZIP for iSeries (by default) creates a new archives in the *DB file system as
members of PF-DTA files with 132-byte records. The archive file is given a text field
of “file created by SecureZIP for iSeries.” The archive member is given a text field
of “Member created by SecureZIP for iSeries.” If you wish to create your own
archive (perhaps to have a larger record size, for performance) then you can do so,
but try to adhere to the following:
• When you create the file, do not create any members in it.
• After having created the file, change the MAXMBRS parameter for the file
from 1 to *NOMAX.
A ZIP archive holds files internally in one of several formats, which are compatible
with other platforms supported by PKZIP. These formats are described here, and
several commands are available for transforming files into one of these formats as
they are compressed. You may specify in which format a file is stored using the
FILETYPE(*BINARY) or FILETYPE(*TEXT) command parameters. OS/400 SAVF are
always stored as *BINARY type. If you do not specify FILETYPE(*BINARY) or
(*TEXT), then the PKZIP and PKUNZIP programs both will default to
FILETYPE(*DETECT). For more information, see FILETYPE(*DETECT).
70

“Old” ZIP Archive
When the PKZIP or PKUNZIP command is run, the ZIP archive (which is specified by
use of the ARCHIVE parameter is known as the old ZIP archive, except when the
TYPE(*ADD) parameter is being used to create a new ZIP archive. The old ZIP
archive may have been created by SecureZIP for iSeries during an earlier
operation or may have been created by PKZIP on another platform and transferred
from there. When a ZIP archive is being updated (or when PKUNZIP is extracting
files from a ZIP archive), the necessary details are taken from the old ZIP archive. It
should be noted that when SecureZIP for iSeries is updating a ZIP archive, it takes
the necessary data from the old ZIP archive, merges it with any new data, and
transfers it to a new ZIP archive (in a temporary member in the same iSeries file as
the old archive). When all updating is completed, SecureZIP for iSeries deletes the
old ZIP archive and then renames the new ZIP archive to the same name as the old
ZIP archive. For this reason a file containing a ZIP archive should allow for at least
one temporary member to be allocated. When SecureZIP for iSeries creates an
archive file, it uses MAXMBRS(*NOMAX).
“Temporary” Archive File
A temporary archive file refers to an archive work in progress. SecureZIP for
iSeries will always use a temporary archive file and its definition depends on the file
system. If the file system type is IFS, then the temporary archive file will be in the
same directory of the specified new archive. If the file system type is QSYS, the
temporary archive file will become a member of the specified archive file. The
temporary file or member will have a unique name PKnnnnnnnn (where nn
represents an internal random number). When the file has been completed
successfully, the temporary name will be renamed to the specified name in the
ARCHIVE parameter. If this is a process in which an old archive is being updated,
then (if successful) the old archive will be deleted before the rename. If a problem
occurs, the temporary archive may stay with the temporary name. View the job log if
this happens to determine the status of the archive.
“New” ZIP Archive
When the processing of the temporary dataset is finalized, SecureZIP for iSeries
creates a new ZIPPED archive that is the modified “after” version of the old archive.
The modified name of the old archive and specified allocation information is
transferred automatically to the new archive after updating, and the old Archive is
deleted. A new ZIP archive is created when an old ZIP archive is updated, or when a
TYPE(*ADD) parameter (see Chapter 11) is used with SecureZIP for iSeries where
there is no old ZIP archive.
Self-Extracting Archive
The self extracting programs are held as binary entities in the file PKZIPSFX of the
SecureZIP for iSeries library. The appropriate member is loaded and the
executable data copied to the beginning of the Archive as a preamble when
requested.
71

The resulting archive can still be processed by SecureZIP for iSeries as a normal
ZIP Archive.
When an input archive containing a self-extraction preamble is passed to SecureZIP
for iSeries for PKZIP processing and no value is supplied by SELFXTRACT, the
default of *MAINTAIN will keep any preamble if one exist. If the parameter
SELFXTRACT(*REMOVE) is supplied then the PREAMBLE is removed when writing the
new archive.
A self-extracting archive can be created from an existing archive by using
SELFXTRACT with a valid self-extractor. If the original archive contained a preamble,
it will be removed and the newly specified preamble will be inserted.
When transferring a self-extracting archive to a target system, be sure to transfer
the archive in binary format and adhere to requirements for executables in that
environment. (For example, a Windows program should be saved with an application
extension of EXE, and a UNIX file attribute should have executable authorization set
via the UNIX chmod command).
The self-extraction programs provided are at the 2.5 level of PKZIP. As such, the
following restrictions apply to the operation of the self-extraction program(s). Care
should be taken to control the creation of the self-extracting archive within these
restrictions, although the resulting archive may still be processed with PKZIP
programs at higher levels that support these features.
• The number of files in the archive should be limited to 65,535 or less.
• Strong encryption is not supported.
• The size of the archive should not exceed 4 gigabytes.
• The uncompressed size of individual files should be less than 4 gigabytes.
• Some target file systems (such as Windows FAT and UNIX kernals earlier than
release 2.4) do not support files greater than 2 gigabytes.
To assist in the usage of the self-extraction programs on the target systems, some of
the command parameters are listed below. Note that some parameters may not be
valid on all systems. By executing the transferred self-extracting archive on the
target system with “-help”, the commands syntax appropriate to that system will be
displayed.
Usage: sfx.exe [options] [.ZIP archive] [files...]
Where sfx.exe = the name of the self-extracting executable file
Options:
after
before
console
extract files that are newer than or equal to a specified date
suboptions:
"date specification" [format: mmddyy or mmddyyyy]
e.g.: sfx.exe -aft=12311999 file.zip
extract files that are older than a specified date
suboptions:
"date specification" [format: mmddyy or mmddyyyy]
e.g.: sfx.exe -bef=12311999 file.zip
display the contents of specified archived files on your screen
e.g.: sfx.exe -con= file.zip readme.txt
directories recreate directory path while extracting including any
sub-directories
e.g.: sfx.exe -dir file.zip
72

exclude
extract
help
Id
include
larger
license
locale
lowercase
mask
more
newer
noextended
older
overwrite
exclude specified files from being extracted
e.g.: sfx.exe -exc=*.txt file.zip
extract files from the .ZIP archive
suboptions:
all [extract everything in archive]
freshen [extract if newer than destination copy]
update [extract if newer or not in destination directory]
e.g.: sfx.exe -ext=all file.zip
display help screen
e.g.: sfx.exe -help
preserve original file uid/gid. Must be root/file owner (UNIX only)
include specified files for extraction
e.g.: sfx.exe -inc=*.txt file.zip
extract files that are the specified size (in bytes) and larger
suboptions:
a numerical value (in bytes) that indicates a minimum desired
file size
e.g.:sfx.exe -larger=400
displays license information
e.g.: sfx.exe -lic
reads and/or adjusts the locale variable for date and time format
input
suboptions:
environment [read system variable and apply accordingly]
"valid country name" [for example locale=germany]
e.g.: sfx.exe -loc=us -aft=12311999 file.zip
change filenames to lower case on extraction
e.g.: sfx.exe -lowercase
remove specified file attributes upon extraction
suboptions:
archive [mask archive attribute from file(s)/folder(s)]
hidden [mask hidden attribute from file(s)/folder(s)]
system [mask system attribute from file(s)/folder(s)]
readonly [mask read-only attribute from file(s)/folder(s)]
none [do not mask attributes from file(s)/folder(s)]
all [mask all attributes from file(s)/folder(s)]
e.g.: sfx.exe -mask=archive,readonly file.zip
display output one screen at a time
e.g.: sfx.exe -more file.zip
process only those files that are newer than a specified
(calendar) day in the past
suboptions:
a numerical value (in calendar days) that indicates some
date in the past relative to the current date
e.g.: sfx.exe -newer=2
suppress the extraction of extended attributes
e.g.: sfx.exe -noex file.zip
process only those files that are older than a specified
(calendar) day in the past
suboptions:
a numerical value (in calendar days) that indicates some
date in the past relative to the current date
e.g.: sfx.exe -older=2
overwrite existing files
prompt [prompt before overwriting]
all [always overwrite]
73

never [never overwrite]
e.g.: sfx.exe -o=all file.zip
password
print
silent
smaller
sort
test
times
translate
version
volume
warning
specify a decryption password
e.g.: sfx.exe -pass=grendel file.zip
print the specified archived file
suboptions:
"print device name" [for example print=lpt1]
e.g.: sfx.exe -print=lpt2 file.zip readme.txt
suppress warning messages when extracting
e.g.: sfx.exe -silent file.zip
extract files that are the specified size (in bytes) and
smaller
suboptions:
a numerical value (in bytes) that indicates a maximum desire
file size
e.g.:sfx.exe -smaller=400
sort files when extracting
suboptions:
crc [sort by crc value]
date [sort by date of the file]
extension [sort by file extension]
name [sort by file name]
natural [sort in the order that the file was archived]
ratio [sort by compression ratio]
size [sort by file size]
none [do not sort]
e.g.: sfx.exe -sort=size file.zip
test the integrity of archived files
suboptions:
all [test everything in archive]
freshen [test if newer than destination copy]
update [test if newer or not in destination directory]
e.g.: sfx.exe -test=all file.zip
preserve specified file date/time stamp
suboptions:
access [preserve accessed date/time stamp on extraction]
modify [preserve modified date/time stamp on extraction]
create [preserve created date/time stamp on extraction]
all [preserve all date/time stamps on extraction]
none [do not preserve date/time stamps on extraction]
e.g.: sfx.exe -time=access,modify file.zip
translate the end of line sequence for give operating system
suboptions:
DOS [convert to DOS style line endings]
MAC [convert to MAC style line endings]
unix [convert to unix style line endings]
e.g.:sfx.exe -translate=unix
display SFX version and return appropriate value to the shell
suboptions:
major [return major version number]
minor [return minor version number]
step [return step or patch version number]
e.g.: sfx.exe -ver=step
restore the volume label when extracting
e.g.: sfx.exe -vol file.zip
prompt to continue after warning message
e.g.: sfx.exe -warn file.zip
74

10 About Security, Certificates, and
Encryption
This section discusses how to use SecureZIP for iSeries to secure your data.
Elements that are required to make a SecureZIP for iSeries archive are discussed
in detail. These elements, when selectively used, combine to create a SecureZIP for
iSeries archive or allow the extraction of a file or files from a SecureZIP for
iSeries created archive.
A series of commands and CLPs are provided to assist you in building and
maintaining the SecureZIP certificate store. They come standard with SecureZIP for
iSeries. The SecureZIP commands that are used to accomplish these tasks are
shown in this chapter, along with notes and comments.
Keywords, Phrases, and Acronyms Used in This Chapter
SecureZIP for iSeries introduces new terminology to users that are familiar with
PKZIP. These expressions directly relate to the security features inherent in
SecureZIP for iSeries.
• Public key certificate(s)
• Private key certificate(s)
• Data base profile (local certificate store)
• LDAP profile (networked certificate store)
• Password
• Recipient
• Master recipient (contingency recipient)
• Configuration profile
• Certificate store
• Certificate authority intermediate store
• Trusted root store
• Certificate revocation list (CRL) store
• Enterprise security configuration
• Common name
75

• Path
• Certificate configuration
• PING
• TCP/IP
• User certificate
• Certificate authority
• Recipient database
• Recipient searches
• Filename encryption
Accessing Public and Private Key Certificates
SecureZIP for iSeries provides access to both public and private key certificates
through a set of IFS files and a DB2 locator database when the parameter
ENTPREC(*DB:...) or ENTPREC(*FILE:...) is requested.
In addition, ENTPREC(*LDAP:...) requests are resolved through configured network
definitions.
Public Key Certificate
Certificate-based encryption allows the exchange of encrypted data without the
security risks of exchanging or retaining a password. This form of encryption uses a
public-key digital certificate when creating an archive and it then uses a
corresponding private-key certificate by the recipient to decrypt the archive. Digital
certificates may be identified and selected by naming information, such as "common
name" or an email address.
To do this SecureZIP for iSeries performs a process called digital enveloping using
digital certificates when encrypting data for specified public key recipients. Access
the Secure .ZIP Envelopes whitepaper at the PKWARE web site.
The public key certificate consists of the public portion of an asymmetric
cryptographic key (the "public key"), together with identity information, such as a
person's name, all of which is signed by a certificate authority (CA). The CA
essentially guarantees that the public key belongs to the named entity.
Private Key Certificates
To UNZIP a file that has been encrypted with a public-key certificate, the receiver
must supply a matching private-key certificate. This is done by including ENTPREC
parameter that specifies the location of the private-key certificate along with its
associated access password. Note that this password is not used to encrypt a file but
rather to access the private-key certificate.
ENTPREC parameters can be coded directly (up to 30 entries) or can point to the
Inlist input stream file. One method is for each user to create an Inlist for their
private key information and define the security such that only their user ID can read
76

this profile Inlist. A private-certificate Inlist designates a saved repository of the
private key certificates.
Enterprise Security Configuration
SecureZIP utilizes an enterprise security configuration file to define the enterprise
policies. With the command PKCFGSEC, you can view the policies or make revisions
to these policies. PKCFGSEC updates and views the SecureZIP security configuration
file. This configuration file is where the enterprise security options and defaults
reside. It is recommended that you define your standard enterprise options in a CL
using the PKCFGSEC command. Then as changes occur or new versions are
upgraded the CL can be run to reset the parameters. This will also help if you need
to temporarily change one or more settings, as the CL provides a quick means to
reset the configuration back to the enterprise setting.
It is suggested that a specific user ID (such as ZIPADMN), user or group be assigned
to administrate the enterprise configuration. This can be accomplished by changing
the security for the configuration file PKZCFG in the SecureZIP library with the
EDTOBJAUT command. First *Public should be changed to use only the file PKZCFG;
then set the administrator as the owner with security for changes. For example:
Edit Object Authority
Object . . . . . . . : PKZCFG Owner . . . . . . . : ZIPADMN
Library . . . . . : PKW810XXS Primary group . . . : *NONE
Object type . . . . : *FILE ASP device . . . . . : *SYSBAS
Type changes to current authorities, press Enter.
Object secured by authorization list . . . . . . . . . . . .
*NONE
Object ----------Object-----------
User Group Authority Opr Mgt Exist Alter Ref
*PUBLIC *USE X
ZIPADMN *ALL X X X X X
Contents of the Configuration Profile
Below is a sample of the PKCFGSEC command. For more information about the
command, see Chapter 13. Before running SecureZIP for iSeries, it is
recommended that all parameters be reviewed and defined for your enterprise.
SecureZIP Secure Config 8.1 (PKCFGSEC)
Type Processing . . . . . . . . *UPDATE *UPDATE, *VIEW
ZIP Secure Settings:
SecureZIP Active . . . . . *YES *NO, *YES, *SAME
AES 3DES Keys . . . . . . . *YES *NO, *YES, *SAME
Password . . . . . . . . . *NO *NO, *RQD, *SAME
Recipient Secure . . . . . *NO *NO, *RQD, *SAME
File Signing . . . . . . . *NO *NO, *SAME
Archive Signing . . . . . *NO *NO, *SAME
File Authentication . . . *NO *NO, *SAME
Archive Authentication . . *NO *NO, *SAME
File Name Encryption . . . *NO *NO, *RQD, *OPT, *SAME
Strong Encryption:
Lockdown Method . . . . . > AES
*SAME, *NONE, AES, AES128...
77

Mode . . . . . . . . . . > BSAFE
PKWARE, BSAFE, *SAME
Hash . . . . . . . . . . > *SHA1
*SAME, *SHA1
Archive Password Specs:
Min Length . . . . . . . . > 1
1-200, *SAME
Max Length . . . . . . . . > 200
1-200, *SAME
Hardening Options . . . . . > 0 *SAME, 0, 1, 2
Signing Settings:
Signing Hash . . . . . . . . > *SHA1
*SAME, *SHA1, *MD5
Validate Level . . . . . > *VALIDATE
Lockdown Filters . . . . > *NO
*NO, *YES, *SAME
Filters . . . . . . . . . > *ALL
*SAME, *ALL, *NONE...
+ for more values
Authenticate Filters:
Validate Level . . . . . > *VALIDATE
Lockdown Filters . . . . > *NO
*NO, *YES, *SAME
Filters . . . . . . . . . > *ALL
*SAME, *ALL, *NONE...
+ for more values
Encryption Filters:
Validate Level . . . . . > *VALIDATE
Lockdown Filters . . . . > *NO
*NO, *YES, *SAME
Filters . . . . . . . . . > *ALL
*SAME, *ALL, *NONE...
+ for more values
Decryption Filters:
Validate Level . . . . . > *NONE *VALIDATE, *WARN, *NONE...
Revocation Settings:
CRL Type . . . . . > *NONE *STATICCRL, *NONE, *SAME
Revoke Level . . . . . . *SAME *NONE, *SAME
Certificate Validation Level:
Cert. Best Fit . . . . . . . > *NONE
*NONE, *LATESTVALID...
Cert. Secure Type . . . . . > *NONE
*NONE, *ENCRYPTION...
Certificate DataBase Locator:
Active? . . . . . . . . . . > *YES
*NO, *YES, *SAME
Store Type . . . . . . . . > *LIB
*LIB, *SAME
Sequence . . . . . . . . . > 0 0-9
Library . . . . . . . . . . > PKW81051S DB Library
Search Mode . . . . . . . . > *EMAIL *EMAIL, *CN, *SAME
Certificate PUBLIC Store:
Store Type . . . . . . . . > *PATH
*PATH, *SAME
Sequence . . . . . . . . . > 1 0-9
Store Location . . . . . . > '/pkzshare/CStores/Public'
Certificate PRIVATE Store:
Store Type . . . . . . . . > *PATH
*PATH, *SAME
Sequence . . . . . . . . . > 0 0-9
Store Location . . . . . . > '/pkzshare/CStores/Private'
Certificate CA Store:
Store Type . . . . . . . . > *FILE
*FILE, *SAME
Sequence . . . . . . . . . > 0 0-9
Store Location . . . . . . > '/pkzshare/CStores/CA/pkwareCA.store'
Certificate ROOT Store:
Store Type . . . . . . . . > *FILE
*FILE, *SAME
Sequence . . . . . . . . . > 0 0-9
Store Location . . . . . . > '/pkzshare/CStores/Root/pkwareRT.store'
Certificate CRL Store:
Store Type . . . . . . . . > *FILE
*FILE, *SAME
Sequence . . . . . . . . . > 0 0-9
Store Location . . . . . . > '/pkzshare/CStores/CRL/pkwareCRL.store'
Certificate Work Path:
Path Location . . . . . . . > '/pkzshare/CStores/CTemp'
Enterprise Encrypt Recipient:
LookUp Type . . . . . . . . > *MBRSET *NONE, *DB, *LDAP, *FILE...
Recipient . . . . . . . . . > 'pkwareCertAdmin04.cer'
Required . . . . . . . . . . > *RQD
*RQD, *OPT, *SAME
LDAP Definitions:
Nbr Active LDAPs . . . . . > 3
1-99, *NONE, *SAME
Primary LDAP:
78

1 Network Name . . . . . . > '192.168.132.25'
1 Port . . . . . . . . . . > 389 1-9999
1 Sequence . . . . . . . . > 1 0-9
1 TimeOut . . . . . . . . . > 0 0-9999
1 Access User . . . . . . . > 'PKWAREADDEV\test'
1 Access Password . . . . . > 'xxxxxx'
1 Search Mode . . . . . . . > *EMAIL *EMAIL, *CN
1 Start Node . . . . . . . > 'cn=users,dc=pkwareaddev,dc=com'
1 Test . . . . . . . . . . > N N, Y
Secondary LDAP:
2 Network Name . . . . . . > '192.168.115.15'
2 Port . . . . . . . . . . > 389 1-9999
2 Sequence . . . . . . . . > 2 0-9
2 TimeOut . . . . . . . . . > 0 0-9999
2 Access User . . . . . . . > 'cn=Jon Smith,ou=browndeer,o=pkware,c=US,cn=
user,dc=cosmos,dc=pkware,dc=com'
2 Access Password . . . . . > 'xxxxxxx'
2 Search Mode . . . . . . . > *EMAIL *EMAIL, *CN
2 Start Node . . . . . . . >
'o=pkware,c=US,cn=user,dc=cosmos,dc=pkware,d=com'
2 Test . . . . . . . . . . > N N, Y
Tertiary LDAP:
3 Network Name . . . . . . > '192.168.115.32'
3 Port . . . . . . . . . . > 4389 1-9999
3 Sequence . . . . . . . . > 3 0-9
3 TimeOut . . . . . . . . . > 0 0-9999
3 Access User . . . . . . . > ''
3 Access Password . . . . . > 'xxxxxx'
3 Search Mode . . . . . . . > *EMAIL *EMAIL, *CN
3 Start Node . . . . . . . > 'o=PKWARE'
3 Test . . . . . . . . . . > Y N, Y
File and Data Base (DB) (Local Certificate Store)
During SecureZIP for iSeries processing that requires encryption intended for an
ENTPREC, the associated public-key certificate(s) must be located. One way of
designating which public-key recipients to include is through an IFS file or by using
the DB to locate the recipients with the ENTPREC parameter. By using DB or LDAP,
this allows for recipient selection based on name or email address through a
configured database of certificates on the system that is executing SecureZIP for
iSeries. The lookup type would be the type of recipient search that will be used for
the recipient string.
1. *DB - The recipient string is defined to search using the certificate locator
database to access the digital certificate.
2. *LDAP - The recipient string is defined to search using the LDAP server to access
the digital certificate.
3. *FILE - The recipient string is defined to read a specific file in a specific path in the
IFS in order to access the digital certificate.
79

4. *MBRSET - The recipient string is defined to read this specific file from the
enterprise public certificate store to access the digital certificate.
5. *INLIST - The recipient string defines a specific file that will contain one to many
recipients.
Your technical support staff is responsible for configuring the local certificate store
and should provide you with information on which method they prefer.
LDAP Profile (Networked Certificate Store)
During SecureZIP for iSeries processing that requires encryption intended for a
recipient, the associated public-key certificate(s) must be located.
One way of designating which public-key recipients to include is through the LDAP
interface to a directory server in the ENTPREC parameters. This allows for recipient
selection based on name, email address or other installation-configured LDAP fields.
One or more LDAP compliant servers may be configured for searching.
Your technical support staff is responsible for configuring the LDAP-compliant
directory that stores certificates and will provide you with information on the
enterprise approach for your facility.
Certificate Store Administration and Configuration
Access X.509 Public and Private Key Certificates
SecureZIP for iSeries introduces new modules that utilize RSA’s BSAFE Cert-C
Toolkit to access X.509 public and private key certificates. The access to the various
certificate stores by this task is governed by various forms of the ENTPREC
parameter, as well as by a suite of new configuration commands.
All local certificates are stored in a path of the IFS and the store paths are defined
using the PKCFGSEC command. The other method of certificate access is through the
LDAP. The first step of the startup is to define the public and private stores and their
security. The next part is to define a procedure to maintain the certificates.
Local Certificate Store
SecureZIP for iSeries provides access to both public and private key certificates
through a set of local IFS paths which contain the certificate files. These paths are
defined using the PKCFGSEC command.
Certificate Authority and Root Certificates Stores
End entity certificates and their related keys are used for signing and authentication.
They are created at the end of the trust hierarchy of certificate authorities. Each
certificate is signed by its CA issuer and is identified in the “Issued By” field in the
end certificate. In turn, a CA certificate can also be issued by a higher level CA. Such
certificates are known as intermediate CA certificates. At the top of the issuing chain
is a self-signed certificate known as the root.
80

SecureZIP for iSeries uses public-key certificates in PKCS#7 format as a store
format. The intermediate CA certificates are maintained independently from the root
certificates. These files are defined to SecureZIP in the PKCFGSEC with the CSCA and
CSROOT parameters.
Certificate Revocation List Stores
If a certificate revocation list (CRL) is to be used, the certificate revocation list store
will contain all CRLs for revocation processing. The CRL store is separate from the CA
store for more efficient certificate processing. The store is defined in PKCFGSEC with
parameters CSCRL. To use the CRL, SecureZIP needs to know that a static CRL is
used. This is defined with the REVKEP parameter in PKCFGSEC.
Local Certificate Locator Database
SecureZIP for iSeries comes with one new physical file PKZCF1F and three logical
files: PKZCF1LCN, PKZCF1LEM and PKZCF1LPH. These files are part of the certificate
locator database used for certificate processing. These files are activated by
changing the security settings using the PKCFGSEC command. To use these files, see
Chapter 15.
This locator database allows access to the public and private certificates using the
common name, email address or public hash key.
Here again, for security reasons, it is suggested that a specific user ID (such as
ZIPADMN), user, or group be assigned to administrate the database. This can be
accomplished by changing the security for the configuration file PKZCF1F and the
logical files in the SecureZIP library with the EDTOBJAUT command. First change
*Public to only *Use for the files, and then set the administrator as the owner with
security for changes. For example:
Edit Object Authority
Object . . . . . . . : PKZCF1F Owner . . . . . . . : ZIPADMN
Library . . . . . : PKW810XXS Primary group . . . : *NONE
Object type . . . . : *FILE ASP device . . . . . : *SYSBAS
Type changes to current authorities, press Enter.
Object secured by authorization list . . . . . . . . . . . .
*NONE
Object ----------Object-----------
User Group Authority Opr Mgt Exist Alter Ref
*PUBLIC *USE X
ZIPADMN *ALL X X X X X
LDAP Certificate Store
SecureZIP for iSeries also provides access to public key certificates located in an
external LDAP (Lightweight Directory Access Protocol) server via a TCP/IP network
connection.
Each LDAP server to be used should be defined with the PKCFGSEC command.
Each certificate store is described in detail in the following sections.
81

Usage Notes:
It is recommended that, as you define your enterprise configuration, you build it in a
CL source. This will provide the ability to reset the configuration quickly if it gets
changed or destroyed. One way is to copy the DFTCFGSEC member of QCLSRC in
your zip library to a secure source file for your custom changes. Then update this
custom configuration CL as you build your system.
Certificate Authority, Root Certificates and CRL Store
Administration
This section assists with allocating the components necessary to support the local DB
and with administering the certificates in it.
The following stores are maintained by the utility PKSTORADM:
Intermediate
Certificate
Authority
Trusted Root
Certificate
Authority
Certificate
Revocation List
A store of issuing certificates files associated with the end-entity
certificates. These certificates are used to authenticate the
validity of an end-entity digital signature on a receiving system.
They are also included in a SecureZIP archive when a signing
operation is performed.
Other system types may refer to this store as “CA”.
A store of issuing certificates that are classified as “self signed,”
meaning that each one is at the top of a hierarchy of issuing
CAs. These certificates are used to authenticate the validity of
an end-entity digital signature on a receiving system. They are
considered “trusted” by virtue of their installation on an
authenticating system. They are included in a SecureZIP
archive when a signing operation is performed.
Other system types may refer to this store as “ROOT”.
A store of certificate revocation lists published by each CA.
Other system types may refer to this store as “CRL”.
First define the path and file name with PKCFGSEC parameters: CSCA (intermediate
certificate authority), CSROOT (trusted root certificate authority), and CSCRL
(certificate revocation list).
Packaged in the TSTCERTS archive are three empty initialized stores
(pkwareCA.store, pkwareRT.store, and pkwareCRL.store) that can be
restored to your directories. After restoring the store files, you can name the files
anything that you want to match your definition in PKCFGSEC.
For example:
1. Create the store paths:
MD DIR('/myroot/pkware/CStore/CA') Certificate Authority Store
MD DIR('/myroot/pkware/CStore/Root') Trusted Authority Root Store
MD DIR('/myroot/pkware/CStore/CRL) Certificate Revocation List
82

2. Extract the initialized stores:
Extract initialized empty CA intermediate certificate store:
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareCA.store')
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/CA’)
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)
Extract initialized empty trusted root store:
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareRT.store')
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/Root’)
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)
Extract initialized empty revocation list store:
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareCRL.store')
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/CRL')
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)
3. Change the security of the files and paths.
It is suggested that a specific user ID (such as ZIPADMN), user, or group be
assigned to administrate the stores. This can be accomplished by changing the
security for the paths and files created above with the CHGAUT and CHGOWN
commands. First change *Public to only *Use for the files, and then set the
administrator as the owner with security for changes.
For example changes for the Root Store path and file might be:
Change ownership to ZIPADMN:
CHGOWN OBJ('/myroot/pkware/CStores/Root/') NEWOWN(ZIPADMN)
CHGOWN OBJ('/myroot/pkware/CStores/Root/pkwareRT.store')
NEWOWN(ZIPADMN)
Change *PUBLIC for use of root path and file:
CHGAUT OBJ('/myroot/pkware/CStores/Root') USER(*PUBLIC) DTAAUT(*R)
OBJAUT(*NONE)
CHGAUT OBJ('/myroot/pkware/CStores/Root/pkwareRT.store') USER(*PUBLIC)
DTAAUT(*R) OBJAUT(*NONE)
Change ZIPADMN for all security:
CHGAUT OBJ('/myroot/pkware/CStores/Root/pkwareRT.store') USER(ZIPADMN)
DTAAUT(*RWX) OBJAUT(*ALL)
CHGAUT OBJ('/myroot/pkware/CStores/Root/pkwareRT.store') USER(ZIPADMN)
DTAAUT(*RWX) OBJAUT(*ALL)
If any other users or groups are defined for the path or file remove them by using
the WRKLNK command and displaying authority.
83

Display Authority
Object . . . . . . . . . . . . :
Owner . . . . . . . . . . . . :
Primary group . . . . . . . . :
Authorization list . . . . . . :
/myroot/pkware/CStores/Root/pkwareRT.store
ZIPADMN
*NONE
*NONE
Data --Object Authorities--
User Authority Exist Mgt Alter Ref
*PUBLIC *R
ZIPADMN *RWX X X X X
At this point you can use the PKSTORADM command to import the trusted roots and
the intermediate certificates.
It is very important that you control the addition of trusted roots to your root store
since they will define the certificate chains to be trusted.
Local Certificate Store Administration
This section assists with allocating the components necessary to support the local DB
to administer the certificates within it.
Build Private and Public Store Paths
This section describes the process to build the public and private certificate paths in
the IFS.
The public store is a path in the IFS that contains files with X.509 public certificate
files known as PEM files.
The private store is a path in the IFS that contains a file with X.509 public certificate
and private key packaged as a file.
SecureZIP can work with certificates and keys in the following file formats:
Format
PEM
PKCS#12
PKCS#7
Not
Supported
for public
and private
keys
Description
Contains a single end-entity public-key certificate. It may be in
Base-64 encoded (ASCII text with ASCII headers) or DERencoded
binary format.
Common file extensions: .pem, .cer, .key, .crt
Contains a single end-entity private-key certificate (and its public
key). By definition, it is in binary format.
Common file extensions: .pfx, .p12
Contains one or more CA (and or Root) certificates
Common file extension: .p7b
For example:
84

1. Define the public and private stores paths with the PKCFGSEC command using
the CSPUB and CSPRVT parameters.
2. Create the public and private store paths:
MD DIR('/myroot/pkware/CStore/Public') Public store path
MD DIR('/myroot/pkware/CStore/Private') Private store path
Initialize and Build Certificate Locator Database:
This section describes the process to build the certificate locator databases. The
databases are distributed with product as empty files, but the DSS source is also
distributed in case they ever need to be rebuilt. An easier way to rebuild the
database is to clear the physical file member (CLRPFM).
1. Clear the file:
CLRPFM FILE(PKW81051S/PKZCF1F) MBR(*FIRST)
OR
Build the databases with the CRTCERTDB CL program. CRTCERTDB will create
the “iSeries Certificate Locator” physical file PKZCF1F and its associated
logical files:
• PKZCF1LCN “Certificate locator by CN (Common Name)”
• PKZCF1LEM “Certificate locator by EM (Email Address)”
• PKZCF1LFN “Certificate locator by FN (Friendly Name)”
• PKZCF1LPH “Certificate locator by Public Hash”.
The program will create the files in the target library parameter of the
program such as Call CRTCERTDB ‘PKW81051S’.
2. Define the paths and places for the certificates in the proper directories.
3. By using the PKCFGSEC command, update the certificate store settings for
the certificates and set the CERTDB settings for the certificate database
locator.
4. Run the PKBLDCDB as many times as necessary to process your certificates in
the IFS stores.
5. Run the PKQRYCDB to view the certificates in the locator database.
The following stores are maintained by the utility PKBLDCDB:
Store
Public
Description
A store for end-entity certificates used to identify encryption
recipients or for authentication of digital signatures. Certificate
files in this store contain only public keys; they do not contain
private keys. SecureZIP for iSeries represents these
certificates held in the local certificate store through the ISPF
interface as “CER” entries. Other system types may refer to this
store as “Other People” or “Address Book”
85

Store
Private
Description
A store for end-entity certificate files with their respective private
keys. Private keys are used to decrypt files or perform digital
signing. SecureZIP for iSeries represents these certificates
held in the local certificate store through the ISPF interface as
“PFX” entries.
(Private keys in this store are encrypted using PKCS#8 format
and PKCS#5 version 2.)
Other system types may refer to this store as “Personal” or “MY
Store”
Directory Certificate Store Configuration - LDAP
This section assists with defining the network connectivity to access certificate stores
in an LDAP-compliant directory. Certificate stores are often located on an LDAP
server. Please note that prior to using LDAP services to locate public key digital
certificates for recipient processing, network connections must be defined.
Command settings will be kept in a LDAP SecureZIP for iSeries enterprise security
configuration file.
To assist in entering the correct settings that are defined in the configuration file
using the PKCFGSEC command, there is a LDAP test command (PKLDAPTST). This
command verifies that the settings are correct and shows the type of response to
expect. With PKLDAPTST, the LDAP connection parameters can be coded manually.
However, the PKCFGSEC command has the ability to run the LDAP test to assist in
properly formatting the LDAP parameters and to test connectivity to the desired
LDAP server.
Testing the LDAP Connection
For more information, see the PKLDAPTST command in Chapter 14.
The presence of a server can be established by using the PING and PKLDAPTST
command:
SecureZIP LDAP Test
8.1 (PKLDAPTST)
Type choices, press Enter.
Action Type . . . . . . . . . . *SUMMARY *SUMMARY, *DETAIL
Server Name or IP . . . . . . . > '192.168.132.25'
Port Number . . . . . . . . . . 389 Character value
Access User . . . . . . . . . . > 'PKWAREADDEV\test'
Access Password . . . . . . . .
Start Node . . . . . . . . . . . > 'cn=users,dc=pkwareaddev,dc=com'
Search Filter . . . . . . . . . '(cn=*)(userCertificate=*)'
Max Item . . . . . . . . . . . . > 100
Character value
Or
PKLDAPTST SNAME('192.168.132.25') USER('PKWAREADDEV\test')
PASSWORD(‘xxxx’)
STRNODE('cn=users,dc=pkwareaddev,dc=com') MAXI(100)
Sample results:
86

PKLDAPTEST LDAP Test Starting 2004/07/22 06:23:34
PKLDAPTESTT Parameters:Action
- Server Port
- User Password
- Start Node
- Search Filter
- Max Items to Search ,100
LDAP_intialTest - --LDAP init ..... elasp time 0.000000 seconds
LDAP_intialTest - --SizeLimit=100 TimeLimit=0
LDAP_intialTest - --LDAP bind ..... elasp time 0.000000 seconds
LDAP_intialTest - --LDAP Search ..... elasp time 0.000000 seconds
LDAP_intialTest - --LDAP Search ...... 21 entries found
LDAP_intialTest - --LDAP Attributes ..... elasp time 0.000000 seconds
LDAP_intialTest - Total Entries=21
PKLDAPTESTT LDAP Testing Ending RC=0
When creating a configuration for an LDAP server at a new network address, it is
recommended that a PING test be performed first using the PING command.
OPTION - PING
The PING option will perform a "TSO PING" command to verify that the network
address can be resolved and the associated IP address reached. Once completed, a
BROWSE of the output will be automatically presented. Be aware that some network
administrators may turn off PING response capabilities, so it is possible that the
PING may time out even if the network name (e.g. www.pkware.com) can be
resolved to an IP address.
PING '192.168.132.25'
Verifying connection to host system 192.168.132.25.
PING reply 1 from 192.168.132.25 took 91 ms. 256 bytes. TTL 125.
PING reply 2 from 192.168.132.25 took 22 ms. 256 bytes. TTL 125.
PING reply 3 from 192.168.132.25 took 91 ms. 256 bytes. TTL 125.
PING reply 4 from 192.168.132.25 took 20 ms. 256 bytes. TTL 125.
PING reply 5 from 192.168.132.25 took 20 ms. 256 bytes. TTL 125.
Round-trip (in milliseconds) min/avg/max = 20/48/91.
Connection verification statistics: 5 of 5 successful (100 %).
Possible errors:
• The network address cannot be resolved by the domain name server (DNS).
TCP3202 Unknown host www.unknown-name.com
• Network services may be down along the routes to reach the IP address.
HOST unreachable
• The specified host may not be up, or is not accepting PING requests.
Timed out
Getting Started with PKWARE Test Digital Certificates
Included with the SecureZIP library is an archive containing two public certificates,
two corresponding PKCS#12 private keys files, a test public certificate with private
key for CRL testing, one CRL file to apply, three initialized stores, and several
samples Inlist files. See the $readme.txt to see content description.
87

These certificates are provided to assist in initial certificate testing and are not
needed to run SecureZIP.
Note that the test certificates are not trusted certificates and were
not issued by a trusted certificate authority. They should never be
used for production or for securing any of your organization’s
sensitive data. They are provided for testing only.
The archives in the distribution library (assuming PKW81051S) would be the file
named TSTCERTS with the member called TSTCERTS.
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts')
SecureZIP(TM) for iSeries Compression Utility Version 8.1.0, 2005/03/08
Copyright. 1989-2005 PKWARE, Inc. All Rights Reserved.
SecureZip(tm) is a trademark of PKWARE (R), Inc.
SecureZIP(TM) for iSeries is running under Beta release B2
Archive: PKW810XXS/TSTCERTS(TSTCERTS) 17424 bytes 22 files
Length Method Size Ratio Date Time CRC-32 Name
-------- ------ ------- ----- ---- ---- ------ ----
785 Defl:F 324 59% 03-08-05 07:29 6ca9e42e $readme.txt
654 Defl:F 489 25% 02-09-05 13:18 2d32433a crl1.crl
786 Defl:F 658 16% 12-27-04 13:18 4458cfef pktestdb3.crt
2106 Defl:F 2058 2% 12-27-04 13:18 1773a716 pktestdb3.p12
786 Defl:F 660 16% 12-27-04 13:17 6bc95df5 pktestdb4.crt
2106 Defl:F 2052 3% 12-27-04 13:18 ba20cadd pktestdb4.p12
2106 Defl:F 2055 2% 03-07-05 12:41 b7f957bb pktestdb9.pfx
3573 Defl:F 1882 47% 02-09-05 13:17 0c6cc373 pktica_ca.cer
3565 Defl:F 1878 47% 02-09-05 13:15 60f503e4 pkwareCA.crt
37 Defl:F 30 19% 02-17-05 11:48 274e6484 pkwareca.p7b
37 Defl:F 30 19% 02-17-05 11:48 274e6484 pkwarecrl.p7b
1192 Defl:F 691 42% 02-09-05 13:15 40f1ec95 pkwareroot.cer
37 Defl:F 30 19% 02-17-05 11:48 274e6484 pkwarert.p7b
49 Stored 49 0% 02-25-05 10:50 b5002c1b tstauth_db3.inlist
51 Stored 51 0% 01-10-05 12:14 3a6ddda4 tstauth_mb3.inlist
47 Stored 47 0% 02-25-05 10:50 18df8708 tstauth_mb4.inlist
52 Stored 52 0% 02-25-05 10:50 7c830a06 tstpriv_db4.inlist
45 Stored 45 0% 02-25-05 10:50 cddd548c tstpriv_mb3.inlist
78 Defl:F 52 33% 02-25-05 10:50 e6816f7e tstpubl_1.inlist
83 Defl:F 72 13% 02-25-05 10:51 f3e66e5b tstpubl_2.inlist
55 Stored 55 0% 02-25-05 10:51 d110fa75 tstsign_db3.inlist
51 Stored 51 0% 02-25-05 10:51 441dad6d tstsign_mb4.inlist
-------- ------- ---- -------
18281 13311 27% 22 files
SecureUNZIP extracted 0 files .
The following steps can be automated for testing using the included CL program
TSTCERTS. The source is located in the QCLSRC file of the distribution library. Before
using the TSTCERTS CL program, make any modification required for your
environment and then compile the CL program. The TSTCERTS program requires two
external parameters. The first parameter is the SecureZIP library. The second
parameter is the base path where the certificate store will reside (for example:
‘/myroot/pkware’). This base path must exist before running TSTCERTS.
Step 1: Define IFS Certificate Stores
First you will need to decide where the certificate stores will be located in the IFS
and then create the following folders in that path. After creating the paths, take time
to set all the proper authorities for each path. If an administrator will be assigned,
you can set the group ID as the owner. It is recommend that *PUBLIC should only
88

have read authority to the files once you enter production. Assuming that you will be
creating the stores in the directory called ‘/myroot/pkware’, create the following
directories in that base path:
MD DIR('/myroot/pkware/CStore')
Be sure to define the folder
security
MD DIR('/myroot/pkware/CStore/Public')
Public Store
MD DIR('/myroot/pkware/CStore/Private')
Private Store
MD DIR('/myroot/pkware/CStore/CA')
Certificate Authority Store
MD DIR('/myroot/pkware/CStore/Root')
Trusted Authority Root
Store
MD DIR('/myroot/pkware/CStore/CRL')
Certificate Revocation List
MD DIR('/myroot/pkware/CStore/CTemp')
Admin Temp Work Area
MD DIR('/myroot/pkware/CStore/Testzips')
MD DIR('/myroot/pkware/CStore/InList')
For initial archives for
testing and inputs to admin
Used for testing Inlist
samples
The contents can be deleted after the test is competed, but the enterprise
configuration should be reviewed for production.
Note: if you need to start over and want to clear the certificate locator database for
testing, you can clear the database with:
CLRPFM FILE(PKW81051S/PKZCF1F) MBR(*FIRST).
Caution should be taken to make sure you are clearing a test-only database.
Step 2: Extract Test Certificates, Inlist, Inputs, and Stores
Extract public test certificates:
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts')
FILES('pktestdb3.crt' 'pktestdb4.crt’)
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/Public')
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)
Extract private test certificates:
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts')
FILES('pktestdb3.p12' 'pktestdb4.p12' 'pktestdb9.pfx' )
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/Private')
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)
Extract initialized empty CA certificate intermediate store:
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareCA.store')
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/CA')
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)
Extract initialized empty trusted root store:
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareRT.store')
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/Root')
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)
Extract initialized empty revocation list store:
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareCRL.store')
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/CRL')
89

DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)
Extract sample test Inlist files:
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts')
FILES('*inlist')
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/InList’)
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)
Restore test inputted certs and CRL to Testzips area
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts')
FILES('pkwareCA.cer' 'pkwareRoot.cer'
'pktica_ca.crt' 'crl1.crl' )
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/Testzips')
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)
Step 3: Setup Security Configuration File with PKCFGSEC
Command
First, verify what the current settings in the security configuration with:
PKCFGSEC TYPE(*VIEW)
Next, update the certificate stores and activate the certificate locator database.
1. Activate signing and authentication with filename encryption optional.
PKCFGSEC TYPE(*Update)
SECTYPE(*YES *YES *SAME *SAME *YES *YES *YES *YES *OPT)
2. Define all of the store paths and files with CSPUB, CSPRVT, CSCA, CSROOT,
CSCRL.
3. Define the certificate database settings with CERTDB. Make certain that the
correct library is specified or errors will occur later.
4. Define certificate policies for signing (SIGNPOL), encryption (ENCRYPOL), and
authentication (AUTHPOL).
5. Define the static CRL settings with REVKEPOL.
6. We could define a contingency key or master recipient at this time with
ENTPREC
PKCFGSEC TYPE(*Update)
SECTYPE(*YES *YES *SAME *SAME *YES *YES *YES *YES *OPT)
CERTDB(*YES *LIB 0 PKW81051S *EMAIL)
CSPUB(*PATH 0 '/myroot/pkware/CStore/Public')
CSPRVT(*PATH 0 '/myroot/pkware/CStore/Private')
CSCA(*FILE 0 '/myroot/pkware/CStore/CA/pkwareCA.store')
CSROOT(*FILE 0 '/myroot/pkware/CStore/ROOT/pkwareRT.store')
CSCRL(*FILE 0 '/myroot/pkware/CStore/CRL/pkwareCRL.store')
CWRKPATH('/myroot/pkware/CStore/CTemp')
REVKEPOL(*STATICCRL *NONE)
SIGNPOL(*SHA1 *VALIDATE *NO (*ALL))
AUTHPOL(*VALIDATE *NO (*ALL))
ENCRYPOL(*VALIDATE *NO (*ALL))
ENTPREC(*NONE) LDAPACTV(*NONE)
90

Step 4: Add Trusted Roots and Intermediate Certificates to the
Certificate Stores.
Using the PKSTORADM store administrator maintenance command, we should import
all the trusted roots first, followed by all CA certificates.
But first we need to think about the security of our stores. Most installations will
want to have a specific user, user ID, or group perform store maintenance and let
the users of SecureZIP have only read access to the stores. It is suggested that
*PUBLIC be only allowed to read the stores. For example, if we have a user ID of
ZIPADMIN that is the only user that has the authority to do maintenance, then the
paths and stores might have a sample authority setting as follows:
Object . . . . . . . . . . . . : /myroot/pkware/CStore/Root/pkwareRT.store
Data --Object Authorities--
Opt User Authority Exist Mgt Alter Ref
*PUBLIC *RX X
ZIPADMIN *RWX X X X X
First you might want to verify all the stores to make sure they are OK and empty.
PKSTORADM RUNTYPE(*VERIFY) STYPE(*ALL)
PKSTORADM SecureZIP CA Store Administration starting------2005/03/10 12:10:19
ZPCA000I SUCCESS: CA Store '/myroot/pkware/CStore/CA/pkwareCA.store' verified
successfully. 0 certificates found.
ZPCA000I SUCCESS: Root Store '/myroot/pkware/CStore/ROOT/pkwareRT.store'verified
successfully. 0 certificates found.
ZPCA000I SUCCESS: CRL store '/myroot/pkware/CStore/CRL/pkwareCRL.store'
successfully verified. 0 revocation lists found.
PKSTORADM Store Admin ending------0
PKSTORADM Completed Successfully
Now add the PKWARE test trusted root certificate to the root store:
PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CER) STYPE(*ROOT)
FNAME('/myroot/pkware/CStore/Testzips/pkwareRoot.cer')
PKSTORADM SecureZIP CA Store Administration starting------2005/03/10 12:10:19
ZPCA000I SUCCESS: Added certificate to store '/myroot/pkware/CStore/Root/
pkwareRT.store'. DSN=/myroot/pkware/CStore/Testzips/pkwareRoot.cer;CER=1;F
N=PKTESTDB Root;TP=A91CD312EFFEF51C8ABFEFD92C23FF67FBDBEBE3;SN=00;E=PKTESTDBR
oot@nowhere.com;ROOT
ZPCA000I SUCCESS: Saved certificate store '/myroot/pkware/CStore/Root/pkw
areRT.store' to disk.
ZPCA000I Added 1 of a possible 1 certificates to the ROOT store.
ZPCA000I 0 certificates in the ROOT store before the Add command.
ZPCA000I 1 certificates in the ROOT store after the Add command.
PKSTORADM Store Admin ending------0
Now add the PKWARE test intermediate certificate authority certificate to the CA
store:
91

PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CER) STYPE(*CA)
FNAME(‘/myroot/pkware/CStore/Testzips/pkwareCA.cer’)
PKSTORADM SecureZIP CA Store Administration starting------2005/03/10 12:12:36
ZPCA000I SUCCESS: Added certificate to store '/myroot/pkware/CStore/CA/pk
wareCA.store'. DSN=/myroot/pkware/CStore/Testzips/pkwareCA.cer;CER=1;FN=PK
WARE Test Intermediate Cert;TP=2B3C27C30067690EFB77A8A84DAB1D39A1368906;SN=01
;E=PKTESTDBIC@nowhere.com;CA
ZPCA000I SUCCESS: Saved certificate store '/myroot/pkware/CStore/CA/pkwar
eCA.store' to disk.
ZPCA000I Added 1 of a possible 1 certificates to the CA store.
ZPCA000I 0 certificates in the CA store before the Add command.
ZPCA000I 1 certificates in the CA store after the Add command.
PKSTORADM Store Admin ending------0
Step 5: Build the Certificate Locator Database with PKBLDCDB
First build the public keys. In this case, we can use the *DIRECTORY option since all
the public certificates are in one folder. You can use your user ID for the new owner
or the ZipAdmin. If you do not have proper authority, then you will receive an API
error when the CHGAUT command is issued. The database is ok, but the authority of
the file may not be what you intended.
PKBLDCDB MAINT(*UPDATE) MTYPE(*DIRECTORY) CTYPE(*PUBLIC)
FNAME('/myroot/pkware/CStore/Public') DUPOPT(*REPLACE)
LOGLVL(*LOG) OWNER(*NONE) PUBAUTH(*R (*OBJREF *OBJEXIST))
PKBLDCDB Update SecureZIP Cert DataBase starting------2004/07/23 10:47:15
Sample Authorty:
PKBLDCDB Running Update Mode--Replace Duplicates---
PKBLDCDB Adding
PKBLDCDB Adding
PKBLDCDB Run Totals:
Total Records Added =2
Total Records Updated =0
Total Duplicateds Found =0
Total Records In Error =0
Total Records Processed =2
PKBLDCDB Scan ending------
Usually when updating private certificates you will use the *FILE option since each
private key will have a different password. The best practice is to have the individual
to whom the certificate was issued run the PKBLDCDB command since, for security
reasons, he or she should be the only one with access to the password used to
export the certificate file.
PKBLDCDB MAINT(*UPDATE) MTYPE(*FILE) CTYPE(*PRIVATE)
FNAME('/myroot/pkware/CStore/Private/pktestdb4.p12')
DUPOPT(*REPLACE) PASSWORD('PKWARE')
LOGLVL(*LOG) OWNER(*NONE) PUBAUTH(*R (*OBJREF *OBJEXIST))
PKBLDCDB Update SecureZIP Cert DataBase starting------2004/07/23 10:53:17
Sample Authorty:
PKBLDCDB Running Update Mode--Replace Duplicates---
92

PKSCANCRT Private Cert will be processed (6)
PKBLDCDB Adding
PKBLDCDB Run Totals:
Total Records Added =1
Total Records Updated =0
Total Duplicateds Found =0
Total Records In Error =0
Total Records Processed =1
PKBLDCDB Scan ending------
PKBLDCDB MAINT(*UPDATE) MTYPE(*FILE) CTYPE(*PRIVATE)
FNAME('/myroot/pkware/CStore/Private/pktestdb3.p12')
DUPOPT(*REPLACE) PASSWORD('PKWARE')
LOGLVL(*LOG) OWNER(*NONE) PUBAUTH(*R (*OBJREF *OBJEXIST))
PKBLDCDB MAINT(*UPDATE) MTYPE(*FILE) CTYPE(*PRIVATE)
FNAME('/myroot/pkware/CStore/Private/pktestdb9.pfx')
DUPOPT(*REPLACE) PASSWORD('PKWARE')
LOGLVL(*LOG) OWNER(*NONE) PUBAUTH(*R (*OBJREF *OBJEXIST))
Step 6: Compress File with Public Digital Certificates
The first ZIP test will use both of the public certificates and 256-bit AES algorithm to
encrypt and compress one file to an archive in the folder that was created earlier.
This test will use the *MBRSET and *FILE types for the selection of the certificates.
PKZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC01.zip')
FILES('PKW81051s/$CONTACT') ADVCRYPT(AES256)
TYPARCHFL(*IFS) TYPFL2ZP(*DB)
ENTPREC((*MBRSET pktestdb3.crt)
(*FILE '/myroot/pkware/CStore/Public/pktestdb4.crt'))
Scanning files in *DB for match ...
Total Recipients processed 2
Archive Recipient List:
CN=PKWARE Test4 EMail=PKTESTDB4@nowhere.com
CN=PKWARE Test3 EMail=PKTESTDB3@nowhere.com
Found 1 matching files
Compressing PKW81051S/$CONTACT($CONTACT) in TEXT mode
Add PKW81051.S/$CONTACT/$CONTACT -- Deflating (80%) encrypt(BSAFE AES 256
Key)
SecureZIP Compressed 1 files in Archive /myroot/pkware/CStore/Testzips/TestC0
1.zip
SecureZIP Completed Successfully
The second ZIP test will use both of the public certificates and AES256 algorithm to
encrypt and compress one file to an archive in the folder. This test will use the *DB
with email and common name for the selection of the certificates.
PKZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC02.zip')
FILES('PKW81051s/$CONTACT') ADVCRYPT(AES256)
TYPARCHFL(*IFS) TYPFL2ZP(*DB)
ENTPREC((*DB 'EM=PKTESTDB3@nowhere.com')
(*DB 'CN=PKWARE Test4'))
Scanning files in *DB for match ...
Total Recipients processed 2
Archive Recipient List:
CN=PKWARE Test4 EMail=PKTESTDB4@nowhere.com
CN=PKWARE Test3 EMail=PKTESTDB3@nowhere.com
93

Found 1 matching files
Compressing PKW81051S/$CONTACT($CONTACT) in TEXT mode
Updating:PKW81051.S/$CONTACT/$CONTACT Deflating (80%) encrypt(BSAFE AES 2
56Key)
SecureZIP Compressed 1 files in Archive /myroot/pkware/CStore/Testzips/TestC0
2.zip
SecureZIP Completed Successfully
Step 7: View Details of Archive
By performing a PKUNZIP with TYPE(*VIEW) VIEWOPT(*ALL), you will see the
recipients, and the number of recipients, that can be found in the certificate
database. It will also list each recipient and show each common name and email
address.
Archive: /myroot/pkware/CStore/Testzips/TestC01.zip 2259 bytes 1 file
Archive Comment:"PKZIP for iSeries by PKWARE"
Filename: PKW81051.S/$CONTACT/$CONTACT
Detected File type: Text Encrypt=Strong Encrypted
Created by: PKZIP for iSeries(tm) 8.1
Minimum to Extract: PKZIP 5.1 Or Greater
Compression method: Deflated [Fast]
Date and Time 2004 Jul 23 10:10:56
Compressed size: 1702 bytes
Uncompressed size: 5451 bytes
32-bit CRC value (hex): f091572d
Extended attributes: yes, [Length = 218]
Strong Encryption AES 256 Key (BSAFE).
Algorithm Key 256, Security type Certificate Key
Number Certifcate Recipients 2
Recipient List:
CN=PKWARE Test4, EM=PKTESTDB4@nowhere.com
CN=PKWARE Test3, EM=PKTESTDB3@nowhere.com
Record Length: 80
Lib Text Desc: SecureZIP for iSeries(tm) Lib-V8.1.0B
File Text Desc: SecureZIP for iSeries(tm) Contact Information
Mbr Text Desc: SecureZIP for iSeries(tm) Contact Information
Source or Data: PF-DTA
File Comment:"none"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found 1 file, 5451 bytes uncompressed, 1702 bytes compressed: 69%
SecureUnZip extracted 0 files
SecureUnZip Completed Successfully 1
Step 8: Decrypting File with Private Key Certificates
In order to decrypt the file you will need to provide at least one valid private
certificate with the password that matches a recipient on the archive.
PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC01.zip')
TYPE(*TEST)
TYPARCHFL(*IFS)
ENTPREC((*DB 'CN=PKWARE Test4' ('PKWARE')))
OR
ENTPREC((*MBRSET 'pktestdb3.crt' ('PKWARE')))
ENTPREC((*FILE '/myroot/pkware/CStore/Public/pktestdb4.crt'
('PKWARE')))
ENTPREC((*DB 'EM=PKTESTDB4@nowhere.com' ('PKWARE')))
ENTPREC((*INLIST
94

'/myroot/pkware/CStore/InList/tstpriv_mb3.inlist'))
Step 9: Using Input List File for ENTPREC Certificate List
The encryption recipients parameter can read a file with a recipient list. This is
activated by using the *INLIST followed by the file to use for the recipients list.
path/filename
Enter the file path and name of the file to read. The
layout depends on which file system you want to read
the file from.
Library File System:
The format is "library/file(member)".
Integrated File System (IFS):
The format is "path1/path2/../pathn/filename".
Usage Notes:
• For an Inlist that contains a password to open a private certificate, make sure
that the security is sufficient to only allow the owner of the certificate to have
read access. Otherwise this would leave a security hole where others could
browse the password.
• The path/filename depends on the settings of the TYPLISTFL (*DB or *IFS)
parameter.
• For more information on using list files see “Using List Files as Input” in
Appendix E.
Each entry on a list file should begin with “{RECEPIENT=” and end with the character
“}”. Each entry is separated by the “;” (semi-colon). The information for each
recipient is the same as described in the ENTPREC parameter, except *INLIST is
invalid for lookup type. If an entry is not required such as password just enter the
separator.
Format: {RECEPIENT=Lookup Type;Recipient;Password;Required}
*...+....1....+....2....+....3....+....4....+....5....+....6..
{RECEPIENT=db;EM=robb.roy@pkware.com;;RQD}
{RECEPIENT=file;/pkzshare/CStores/Public/suesmith04.cer;;OPT}
{RECEPIENT=LDAP;EM=kevin.Goodguy@pkware.com;;OPT}
{RECEPIENT=LDAP;EM=troy.theman@pkware.com;;OPT}
****** END OF DATA ******
The ENTPREC parameter would look like the following to process the ENTPREC Inlist:
ENTPREC( (*INLIST 'ATEST/INLIST(techsup1)' *N))
Test Inlist tstpriv_mb3.inlist:
....+....1....+....2....+....3....+....4....+....5..
************Beginning of data**************
{AUTHCHK=ARCHIVE;MBRSET;pktestdb3.pfx;PKWARE;RQD}
************End of Data********************
95

Test inlist tstpriv_db4.inlist:
....+....1....+....2....+....3....+....4....+....5.
************Beginning of data**************
{RECIPIENT=DB;EM=PKTESTDB4@nowhere.com;PKWARE;RQD}
************End of Data********************
An example to decrypt a file that was encrypted with pktestdb3 public certificate.
PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC02.zip')
TYPE(*TEST) TYPARCHFL(*IFS) TYPLISTFL(*IFS)
ENTPREC((*inlist '/myroot/pkware/CStore/InList/tstpriv_mb3.inlist'))
Digital Certificate Request List:Encryption Recipients
Rqrd *MbrSet - pktestdb3.p12
Encryption Recipients List-----------1 processed:
UNZIP Archive: /myroot/pkware/CStore/Testzips/TestC01.zip
Searching Archive /myroot/pkware/CStore/Testzips/TestC01.zip for files to extract
Testing: WSS810S/$CONTACT/$CONTACT
WSS810S/$CONTACT/$CONTACT tested OK
No errors detected in compressed data of
/myroot/pkware/CStore/Testzips/TestC01.zip.
SecureUNZIP Completed Successfully
Step 10: Sign Files and Archive with Private Keys
Create an archive and sign the files in the archive by two signers and then sign the
archive directory. Note that signing requires the private key.
PKZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC03.zip')
FILES('PKW81051s/$CONTACT') ADVCRYPT(AES256)
TYPARCHFL(*IFS) TYPFL2ZP(*DB)
ENTPREC((*DB 'EM=PKTESTDB3@nowhere.com')
(*DB 'CN=PKWARE Test4'))
SIGNERS((*FILE *MBRSET 'pktestdb3.p12' (PKWARE) )
(*ALL *MBRSET 'pktestdb4.p12' (PKWARE)) )
Scanning files in *DB for match ...
2 Encryption Recipients processed
Encryption Recipients List:
--CN=PKWARE Test3 EMail=PKTESTDB3@nowhere.com
--CN=PKWARE Test4 EMail=PKTESTDB4@nowhere.com
2 File Signers processed
File Signers List:
--CN=PKWARE Test4 EMail=PKTESTDB4@nowhere.com
--CN=PKWARE Test3 EMail=PKTESTDB3@nowhere.com
1 Archive Signer processed
Archive Signer List:
--CN=PKWARE Test4 EMail=PKTESTDB4@nowhere.com
Found 1 matching files
Compressing PKW810XXS/$CONTACT($CONTACT) in TEXT mode
Add PKW810XX.S/$CONTACT/$CONTACT -- Deflating (80%) encrypt(BSAFE AES 256Key)
SecureZIP Compressed 1 files in Archive
/myroot/pkware/CStore/Testzips/TestC03.zip
SecureZIP Completed Successfully
96

Step 11: Authenticate Signed Files and Archive
When doing a basic view of the newly signed archive, notice that only the archive
directory signatures are validated. To validate the signature of the files would require
a TYPE(*TEST).
PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC03.zip')
TYPE(*VIEW) TYPARCHFL(*IFS) TYPFL2ZP(*DB)
AUTHCHK((*ARCHIVE *MBRSET 'pktestdb4.crt')) AUTHPOL(*WARN (*ALL))
1 Archive Signer processed
Archive: /myroot/pkware/CStore/Testzips/TestC03.zip 7053 bytes 1 file
Length Method Size Ratio Date Time CRC-32 Name
-------- ------ ------- ----- ---- ---- ------ ----
5451 Defl:F 1702 69% 01-11-05 13:34 f091572d
!PKW810XX.S/$CONTACT/$CONTACT
-------- ------- ---- -------
5451 1702 69% 1 file
Archive has been Digitally Signed.
Archive was signed by "PKWARE Test4" and verified
SecureUNZIP extracted 0 files
SecureUNZIP Completed Successfully
PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC03.zip')
TYPE(*VIEW) TYPARCHFL(*IFS) TYPFL2ZP(*DB) VIEWOPT(*ALL)
AUTHPOL(*WARN *ARCHIVE (*SYSTEM))
Archive: /myroot/pkware/CStore/Testzips/TestC03.zip 6993 bytes 1 file
Filename: PKW810XX.S/$CONTACT/$CONTACT
Detected File type: Text Encrypt=Strong Encrypted
Created by: PKZIP for iSeries(tm) 8.1
Zip Spec to Extract: 6.1 Or Greater
Compression method: Deflated [Fast]
Date and Time 2005 Jan 11 16:05:36
Compressed size: 1702 bytes
Uncompressed size: 5451 bytes
32-bit CRC value (hex): f091572d
Extended attributes: yes, [Length = 4598]
Strong Encryption AES 256 Key (BSAFE).
Algorithm Key 256, Security type Certificate Key
Number Certifcate Recipients 2
Recipient List:
CN=PKWARE Test3, EM=PKTESTDB3@nowhere.com
CN=PKWARE Test4, EM=PKTESTDB4@nowhere.com
Record Length: 80
Lib Text Desc: SecureZip for iSeries(tm) Lib-V8.1.0B
File Text Desc: SecureZip for iSeries(tm) Contact Information
Mbr Text Desc: SecureZip for iSeries(tm) Contact Information
Source or Data: PF-DTA
A subfield with ID 0x0014 (Certificate Store) and 3369 data bytes
A subfield with ID 0x0016 (Archive Signature) and 245 data bytes
File Signature: CN=PKWARE Test4; EM=PKTESTDB4@nowhere.com; S/N=04
File Signature: CN=PKWARE Test3; EM=PKTESTDB3@nowhere.com; S/N=03
File Comment:"none"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found 1 file, 5451 bytes uncompressed, 1702 bytes compressed: 69%
Archive has been Digitally Signed.
Archive was signed by "PKWARE Test4" and verified
SecureUNZIP extracted 0 files
SecureUNZIP Completed Successfully
97

Do a VIEWOPT(*SECURE) and you will notice that the internal archive store is
displayed (see certificate listing). This store contains all public certificates of the
signatories including the full chain of each signatory.
PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC03.zip')
TYPE(*VIEW) TYPARCHFL(*IFS) TYPFL2ZP(*DB) VIEWOPT(*SECURE)
AUTHPOL(*WARN (*ALL))
Archive: /myroot/pkware/CStore/Testzips/TestC03.zip 6993 bytes 1 file
Length Method Size Ratio Date Time CRC-32 Name
-------- ------ ------- ----- ---- ---- ------ ----
5451 Defl:F 1702 69% 01-11-05 16:05 AES256
!PKW810XX.S/$CONTACT/$CONTACT
-------- ------- ---- -------
5451 1702 69% 1 file
Archive: /myroot/pkware/CStore/Testzips/TestC03.zip 6993 bytes 1 file
Certificate Listing:
#1:CN=PKWARE Test3; EM=PKTESTDB3@nowhere.com;
#2:CN=PKWARE Test4; EM=PKTESTDB4@nowhere.com;
#3:CN=PKTESTDB Root; EM=PKTESTDBRoot@nowhere.com;
#4:CN=PKWARE Test Intermediate Cert; EM=PKTESTDBIC@nowhere.com;
Archive has been Digitally Signed.
Archive was signed by "PKWARE Test4" and verified
SecureUNZIP extracted 0 files
SecureUNZIP Completed Successfully
When the files in the archive are tested or extracted, the archive signature is
validated first and then, after each file has been tested, the file’s signatures are
tested. If no AUTHCHK parameter is entered, all signatures are validated.
PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC03.zip')
TYPE(*TEST) TYPARCHFL(*IFS) TYPFL2ZP(*DB)
ENTPREC((*DB 'CN=PKWARE Test3' 'PKWARE'))
1 Encryption Recipients processed
UNZIP Archive: /myroot/pkware/CStore/Testzips/TestC03.zip
Searching Archive /myroot/pkware/CStore/Testzips/TestC03.zip for files to
extract
Archive was signed by "PKWARE Test4" and verified
Testing: PKW810XX.S/$CONTACT/$CONTACT
File was signed by "PKWARE Test4" and verified
File was signed by "PKWARE Test3" and verified
PKW810XX.S/$CONTACT/$CONTACT tested OK
No errors detected in compressed data of
/myroot/pkware/CStore/Testzips/TestC03.zip.
SecureUNZIP Completed Successfully
98

Step 12: Sign Files and Archive with PK Test 9 Certificate
Try signing an archive with the PKWARE test 9 certificate, which does not have an
intermediate certificate in the CA store. The attempt will fail because of the trust
settings.
PKZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC04.zip')
FILES('PKW81051s/$CONTACT')
TYPARCHFL(*IFS) TYPFL2ZP(*DB)
SIGNERS((*archive *MBRSET 'pktestdb9.pfx' (PKWARE) ) )
Scanning files in *DB for match ...
Required Signer or Authenticator failed selection process
Digital Certificate Request List:Archive Signer
Rqrd *MbrSet Not Usable - pktestdb9.pfx
Required Recipient Failed
Archive Signer List-----------0 processed:
CN=PKWARE Test9 EMail=PKTESTDB9@nowhere.com
--Certificate Invalid:Certificate is Not Trusted;
SecureZIP Compressed 0 files in Archive
/myroot/pkware/CStore/Testzips/TestC04.zip
SecureZIP Completed with Errors
Press ENTER to end terminal session.
Step 13: Add CA to Make the Trust Valid and Then Sign Archive.
If we now add the intermediate certificate that “PKWARE test 9” certificate uses, the
PKZIP command will sign the archive.
Add new CA certificate to the CA store:
PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CER) STYPE(*CA)
FNAME('/myroot/pkware/CStore/Testzips/pktica_ca.crt')
ZPCA000I SUCCESS: Added certificate to store '/myroot/pkware/CStore/CA/pk
wareCA.store'. DSN=/myroot/pkware/CStore/Testzips/pktica_ca.crt;CER=1;FN=P
KWARE Test Intermediate Cert A;TP=C405A5BC36942149D5C212CB6C213C4F1FE893E6;SN
=02;E=PKTESTDBICA@nowhere.com;CA
ZPCA000I SUCCESS: Saved certificate store '/myroot/pkware/CStore/CA/pkwar
eCA.store' to disk.
ZPCA000I Added 1 of a possible 1 certificates to the CA store.
ZPCA000I 1 certificates in the CA store before the Add command.
ZPCA000I 2 certificates in the CA store after the Add command.
PKSTORADM Store Admin ending------0
Press ENTER to end terminal session.
99

Run PKZIP to sign the archive with PK test certificate 9.
PKZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC04.zip')
FILES('PKW81051s/$CONTACT')
TYPARCHFL(*IFS) TYPFL2ZP(*DB)
SIGNERS((*archive *MBRSET 'pktestdb9.pfx' (PKWARE) ) )
Scanning files in *DB for match ...
Digital Certificate Request List:Archive Signer
Rqrd *MbrSet - pktestdb9.pfx
Archive Signer List-----------1 processed:
CN=PKWARE Test9 EMail=PKTESTDB9@nowhere.com
Found 1 matching files
Compressing PKW810XXS/$CONTACT($CONTACT) in TEXT mode
Add PKW810XX.S/$CONTACT/$CONTACT -- Deflating (80%)
SecureZIP Compressed 1 files in Archive /myroot/pkware/CStore/Testzips/Te
stC04.zip
SecureZIP Completed Successfully
Press ENTER to end terminal session.
Run PKUNZIP to test the authentication for a specific authenticator.
PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC04.zip')
TYPARCHFL(*IFS) TYPFL2ZP(*DB)
AUTHCHK((*ALL *MBRSET 'pktestdb9.pfx' (PKWARE) ))
Digital Certificate Request List:File Signers
Rqrd *MbrSet - pktestdb9.pfx
File Signers List-----------1 processed:
Digital Certificate Request List:Archive Signer
Rqrd *MbrSet - pktestdb9.pfx
Archive Signer List-----------1 processed:
Archive: /myroot/pkware/CStore/Testzips/TestC04.zip 4769 bytes 1 file
Length Method Size Ratio Date Time CRC-32 Name
-------- ------ ------- ----- ---- ---- ------ ----
5451 Defl:F 1069 80% 03-08-05 07:38 f091572d PKW810XX.S/$CONTACT/$C
ONTACT
-------- ------- ---- -------
5451 1069 80% 1 file
Archive has been Digitally Signed.
Archive was signed by "PKWARE Test9;" and verified
SecureUNZIP extracted 0 files
SecureUNZIP Completed Successfully
Step 14: Revoke PK Test 9 Certificate and Confirm Revocation
Now apply the certificate revocation list to revoke the PKWARE test 9 certificate.
PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CRL) STYPE(*CRL)
FNAME('/myroot/pkware/CStore/Testzips/crl1.crl')
100

PKSTORADM SecureZIP CA Store Administration starting------2005/03/08 15:20:38
ZPCA000I SUCCESS: Added certificate '/myroot/pkware/CStore/Testzips/crl1.
crl' to store '/myroot/pkware/CStore/CRL/pkwareCRL.store'.
ZPCA000I SUCCESS: Saved certificate store '/myroot/pkware/CStore/CRL/pkwa
reCRL.store' to disk.
ZPCA000I Added 1 out of 1 certificates to the CRL store.
ZPCA000I 0 entries in the CRL store before the Add command.
ZPCA000I 1 entries in the CRL store after the Add command.
PKSTORADM Store Admin ending------0
Press ENTER to end terminal session.
Run PKZIP to test the authentication and signing. The attempt will fail since the
signing certificate was revoked.
PKZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC04.zip')
FILES('PKW81051s/$CONTACT')
TYPARCHFL(*IFS) TYPFL2ZP(*DB)
SIGNERS((*archive *MBRSET 'pktestdb9.pfx' (PKWARE) ) )
Scanning files in *DB for match ...
Required Signer or Authenticator failed selection process
Digital Certificate Request List:Archive Signer
Rqrd *MbrSet Not Usable - pktestdb9.pfx
Required Recipient Failed
Archive Signer List-----------0 processed:
CN=PKWARE Test9 EMail=PKTESTDB9@nowhere.com
--Certificate Invalid:Certificate has been Revoked;
Input Archive was found to be Digitally Signed.
Archive Authentication check unsuccessful
Archive was Signed by "PKWARE Test9;" but NOT verified.
--Contents have not been altered
--Certificate Invalid:Certificate has been Revoked;
Run being terminated for Authentication failure
SecureZIP Compressed 0 files in Archive /myroot/pkware/CStore/Testzips/Te
stC04.zip
SecureZIP Completed with Errorsy
Run PKUNZIP to test the authentication. The test will fail since the signing certificate
was revoked. If we did not have the AUTHPOL (*SYSTEM *ALL), you would only see
that archive was signed. The AUTHPOL is what activates the authentication
PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC04.zip')
TYPARCHFL(*IFS) TYPFL2ZP(*DB)
AUTHCHK((*ALL *MBRSET 'pktestdb9.pfx' (PKWARE) ))
AUTHPOL(*SYSTEM *ALL (*NOTREVOKED))
Digital Certificate Request List:File Signers
Rqrd *MbrSet - pktestdb9.pfx
File Signers List-----------1 processed:
Digital Certificate Request List:Archive Signer
Rqrd *MbrSet - pktestdb9.pfx
Archive Signer List-----------1 processed:
Archive: /myroot/pkware/CStore/Testzips/TestC04.zip 4769 bytes 1 file
Length Method Size Ratio Date Time CRC-32 Name
-------- ------ ------- ----- ---- ---- ------ ----
5451 Defl:F 1069 80% 03-08-05 07:38 f091572d PKW810XX.S/$CONTACT/$C
ONTACT
101

-------- ------- ---- -------
5451 1069 80% 1 file
Archive has been Digitally Signed.
Archive Authentication check unsuccessful
Archive was Signed by "PKWARE Test9;" but NOT verified.
--Contents have not been altered
--Certificate Invalid:Certificate has been Revoked;
SecureUNZIP extracted 0 files
SecureUNZIP Completed with Errors
Run PKUNZIP to test the authentication with a revoked signer but using AUTHPOL to
ignore the revoked status of the signer.
PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC04.zip')
TYPARCHFL(*IFS) TYPFL2ZP(*DB)
AUTHPOL(*SYSTEM *ALL (*NOTREVOKED))
Archive: /myroot/pkware/CStore/Testzips/TestC04.zip 4769 bytes 1 file
Length Method Size Ratio Date Time CRC-32 Name
-------- ------ ------- ----- ---- ---- ------ ----
5451 Defl:F 1069 80% 03-08-05 07:38 f091572d PKW810XX.S/$CONTACT/$C
ONTACT
-------- ------- ---- -------
5451 1069 80% 1 file
Archive has been Digitally Signed.
Archive was signed by "PKWARE Test9;" and verified
SecureUNZIP extracted 0 files
SecureUNZIP Completed Successfully
Filename Encryption
How SecureZIP Encrypts File Names
SecureZIP for iSeries encrypts file names using your current settings for (strong)
encryption method and algorithm. File names can be encrypted using either strong
password encryption, a recipient list, or both. You must use one of the strong
encryption methods. You cannot encrypt file names using traditional
ADVCRYPT(ZIPSTD), which uses a 96-bit key.
Note: Encrypting names of files and folders in an archive encrypts and hides a good
deal of other internal information about the archive as well. To encrypt file names,
SecureZIP for iSeries encrypts the archive's central directory, where virtually all
such metadata about the archive is stored.
Be aware, however, that archive comments are not encrypted even when you
encrypt file names. Do not put sensitive information in an archive comment.
When SecureZIP Encrypts File Names
With archives that do not already contain encrypted file names:
SecureZIP for iSeries encrypts file names whenever you update an archive
requesting FNE(*YES): including Add, Freshen, Update, Delete and Copy.
102

SecureZIP for iSeries encrypts file names only when you provide encryption
parameters such as PASSWORD and/or ENTPREC for recipients and set parameter
FNE(*YES).
Encrypting File Names When You Update an Archive
If you turn on the setting to encrypt file names and then update an archive that
already contains no encrypted files with unencrypted file names, SecureZIP for
iSeries encrypts all the filenames in the archive.
If the archive contains any files whose contents are already encrypted, SecureZIP
for iSeries will bypass an attempt to add filename encryption.
If you update an archive that already contains files with encrypted file names,
SecureZIP for iSeries uses the current ADVCRYPT setting to determine whether
filenames should be encrypted in the output archive.
If FNE(*YES) is enabled when updating an archive already containing filename
encryption, SecureZIP for iSeries encrypts the new archive directory using the
same password or recipient list originally used to encrypt file names in the archive.
Newly supplied values for PASSWORD or RECIPIENT are discarded. However, if a
PASSWORD is used to access the input archive for the update process to begin, it
must match the original password used to create the encrypted archive directory.
Note:
Once file names in an archive are encrypted, you cannot change the password or
recipient list used.
You cannot change the encryption method on files that are already in an archive that
contains encrypted file names.
Filename encryption is not compatible with GZIP and will not be used if requested.
Opening and Viewing an Archive that Has Encrypted File Names
An archive that contains encrypted file names requires SecureZIP for iSeries 8.0 or
later to open it. To view the filename encrypted archive encryption detail and not the
archive's content, use TYPE(*VIEW) VIEWOPT(*FNEALL).
The version number is not a version of the SecureZIP for iSeries program but
rather a version of the ZIP file format. Version 8.0 of the program uses features of
the 6.20 ZIP file format specification (ZipSpec) that are not available in earlier
versions. All preceding versions of the program used earlier versions of the ZipSpec.
When opening an archive, SecureZIP for iSeries automatically decrypts file names
for anyone on a recipient list for the encrypted file names, (or the correct password if
PASSWORD was specified when the archive was updated with ADVCRYPT).
If file names are encrypted using a password (with or without a recipient list),
SecureZIP for iSeries requires the correct password when anyone who is not on
the recipient list tries to open the archive. If the correct password is not entered,
PKZIP does not open the archive.
103

Security Examples
Below are examples of how to invoke SecureZIP for iSeries processing using PKZIP
and PKUNZIP commands with sample output listings.
SecureZIP using Recipients or Combo
When protection modes of "Recipient" or "Combo" are selected, recipients can be
designated such that a password is not required to extract the data.
If a password is entered, the lines will be concatenated to create a single password
string of up to 200 characters and each line must begin and end with a non-blank.
Each recipient is represented by a public-key x.509 digital certificate. The public-key
certificates can be stored and accessed in one or more of the following locations:
• Individual data sets in an IFS path
• The local certificate store database as described by DB profile
• One or more network LDAP servers as described by LDAP Profile
Recipient designations:
1. ENTPREC( (*LDAP;CN=Joe Smith))
2. ENTPREC( (*file;'/PKZIP/CERTSTOR/PRIVATE/MAS2004';’abcdef’; RQD))
3. ENTPREC( (*db;EM=somebody@somewhere.com))
4. A. ENTPREC( (*MBRSET;MAS2004;’abcdef’;RQD))
B. ENTPREC( (*MBRSET;MAS2004;;RQD))
It is important to note the following:
• CN=Joe Smith may return more than one recipient digital certificate. The
LDAP entry for Joe Smith may contain multiple certificates, such as one for
each year of employment with the company, since certificates are frequently
valid for only one year.
• A local IFS path has a certificate loaded into file MAS2004, which may
represent a specific person's 2004 certificate. In this case, the RQD indicates
that the certificate is required for processing to be performed. In addition,
this certificate is a private key certificate, so the export password is necessary
for the public key portion to be extracted from it.
• *db;EM= (or CN= for common name) may be used to locate a public key
certificate from within the local certificate store database. Private key
certificates may also be stored in the database, in which case the correct
private key passwords are required to access them.
• *MBRSET demonstrates how to enter only the file name. The path will come
from the store defined in the enterprise security configuration file. Since the
4A item has a password entered, the private store will be used. The 4B item
contains no password therefore the public store will be used.
104

SecureZIP Encryption Using a Recipients List
A. PKZIP ARCHIVE('/pkzshare/aV80Test/test010.zip')
FILES('/pkzshare/aV80Test/recp/Test cases.txt')
TYPARCHFL(*IFS) TYPFL2ZP(*IFS) STOREPATH(*NO)
ADVCRYPT(AES256) PASSWORD(pkware12) VPASSWORD(pkware12)
ENTPREC((*DB 'EM=Bill.Somebody@pkware.com' *N *RQD)
(*FILE '/pkzshare/CStores/pkware_testcerts/pktestdb3.crt')
(*MBRSET 'pktestdb3.crt'))
Notice there were three inputted recipient requests, and there were four recipients
used for the archive.
First, the CN=PKWCADMIN was added because the enterprise security settings
defined a master recipient that will be added when doing strong encryption.
Second, the EM=Bill.Somebody, found two certificates in the database locator.
Third, since the pktestdb3.crt file was found two times using two different access
methods, we only used it once for the process.
Displayed output from example A.
Scanning files in *IFS for match ...
Total Recipients processed 4
Archive Recipient List:
CN=PKWARE Test3 EMail=PKTESTDB3@nowhere.com
CN=PKWCADMIN EMail=none
CN=BILL SOMEBODY EMAIL=BILL.SOMEBODY@PKWARE.COM
CN=William Somebody EMail=bill.Somebody@pkware.com
Found 1 matching files
Compressing /pkzshare/aV80Test/recp/Test cases.txt in BINARY mode
Add Test cases.txt -- Deflating (81%) encrypt(BSAFE AES 256Key)
SecureZIP Compressed 1 files in Archive /pkzshare/aV80Test/test010.zip
Store
B. PKZIP ARCHIVE('/pkzshare/aV80Test/test011.zip')
FILES('/pkzshare/aV80Test/recp/Test cases.txt')
TYPARCHFL(*IFS) TYPFL2ZP(*IFS) STOREPATH(*NO)
ADVCRYPT(AES256) PASSWORD(pkware12) VPASSWORD(pkware12)
ENTPREC((*DB 'CN=Bill Somebody' *N *RQD)
(*FILE '/pkzshare/CStores/pkware_testcerts/pktestdb3.crt')
(*MBRSET 'pktestdb4.crt') )
In this example, notice the request is for CN= and not EM=. This resulted in only one
certificate to process from this database request.
Displayed output from example B.
Scanning files in *IFS for match ...
Total Recipients processed 4
Archive Recipient List:
CN=PKWARE Test2 EMail=PKTESTDB3@nowhere.com
CN=PKWARE Test1 EMail=PKTESTDB1@nowhere.com
CN=PKWCADMIN EMail=none
CN=Bill Somebody EMail=bill.somebody@pkware.com
Found 1 matching files
Compressing /pkzshare/aV80Test/recp/Test cases.txt in BINARY mode
Add Test cases.txt -- Deflating (81%) encrypt(BSAFE AES 256Key)
SecureZIP Compressed 1 files in Archive /pkzshare/aV80Test/test011.zip
SecureZIP Completed Successfully
105

Store
C. PKZIP ARCHIVE('/pkzshare/aV80Test/test012.zip')
FILES('/pkzshare/aV80Test/recp/Test cases.txt')
TYPARCHFL(*IFS) TYPFL2ZP(*IFS) TYPLISTFL(*IFS)
STOREPATH(*NO) ADVCRYPT(AES256) PASSWORD(pkware12)
VPASSWORD(pkware12)
ENTPREC((*DB 'CN=Bill Somebody' *N *RQD)
(*INLIST '/inlist/tstpubl2.inlist'))
This example used the Inlist option to read in a list of recipients:
INLIST file '/inlist/tstpubl2.inlist':
************Beginning of data**************
{RECIPIENT=DB;EM=PKTESTDB3@nowhere.com;;RQD}
{RECIPIENT=DB;CN=PKWARE Test4;;OPT}
************End of Data********************
Displayed output from example C.
Scanning files in *IFS for match ...
Total Recipients processed 4
Archive Recipient List:
CN=PKWCADMIN EMail=none
CN=Bill Somebody EMail=bill.Somebody@pkware.com
CN=PKWARE Test3 EMail=PKTESTDB3@nowhere.com
CN=PKWARE Test4 EMail=PKTESTDB4@nowhere.com
Found 1 matching files
Compressing /pkzshare/aV80Test/recp/Test cases.txt in BINARY mode
Add Test cases.txt -- Deflating (81%) encrypt(BSAFE AES 256Key)
SecureZIP Compressed 1 files in Archive /pkzshare/aV80Test/test012.zip
SecureZIP Completed Successfully
SecureZIP Encryption using LDAP search for Recipients
D. PKZIP ARCHIVE('/pkzshare/aV80Test/test013.zip')
FILES('/pkzshare/aV80Test/recp/Test cases.txt')
TYPARCHFL(*IFS) TYPFL2ZP(*IFS) TYPLISTFL(*IFS)
STOREPATH(*NO) ADVCRYPT(AES256)
ENTPREC((*LDAP ‘EM=bill.Somebody@pkware.com' *N *RQD))
Displayed output from example D.
Scanning files in *IFS for match ...
Total Recipients processed 2
Archive Recipient List:
CN=PKWCADMIN EMail=none
CN=William Somebody EMail=bill.Somebody@pkware.com
Found 1 matching files
Compressing /pkzshare/aV80Test/recp/Test cases.txt in BINARY mode
Add Test cases.txt -- Deflating (81%) encrypt(BSAFE AES 256Key)
SecureZIP Compressed 1 files in Archive /pkzshare/aV80Test/test013.zip
SecureZIP Completed Successfully
UNZIP Compressed File(s) from an Archive File Using Recipients
Since we will be extracting/testing files that were encrypted with our public keys, we
will need the private key to decrypt the file. Below are several examples with one
106

eing correct and the others showing possible errors with bad certificates or wrong
password for the private key.
Unzip Output using Recipients
To decrypt a file with recipients, a valid password for the certificate is required.
Below is a valid test of example A.
A PKUNZIP ARCHIVE('/pkzshare/aV80Test/test010.zip')
TYPARCHFL(*IFS) TYPE(*TEST)
ENTPREC((*MBRSET 'pktestdb3.p12' 'PKWARE') )
Displayed output from test of example A.
Total Recipients processed 1
UNZIP Archive: /pkzshare/aV80Test/test010.zip
Searching Archive /pkzshare/aV80Test/test010.zip for files to extract
Testing: Test cases.txt
Test cases.txt tested OK
No errors detected in compressed data of /pkzshare/aV80Test/test010.zip.
SecureUNZIP Completed Successfully
B PKUNZIP ARCHIVE('/pkzshare/aV80Test/test010.zip')
TYPARCHFL(*IFS) TYPE(*TEST)
ENTPREC((*MBRSET 'pktestdb3.cer'))
Displayed output from test of example B.
Required Recipient failed selection process
Recipient Requires Password for Private Key
Required Recipient Failed
C PKUNZIP ARCHIVE('/pkzshare/aV80Test/test010.zip')
TYPARCHFL(*IFS) TYPE(*TEST)
ENTPREC((*MBRSET 'pktestdb1.p12' 'PKWAREXX'))
Displayed output from test example C with a bad password for the private key.
Required Recipient failed selection process
Inputted Recipient Listing
Rqrd *MbrSet Cert Open Failure pktestdb3.p12
Required Recipient Failed
View the Contents of an Archive File
When a file has been encrypted, one of the following indicators describing the
strength of encryption is displayed before the file name.
A PKUNZIP ARCHIVE('/pkzshare/aV80Test/test013.zip')
TYPARCHFL(*IFS) TYPE(*view)
Displayed output from example A.
Archive: /pkzshare/aV80Test/test010.zip 2024 bytes 1 file
Length Method Size Ratio Date Time CRC-32 Name
-------- ------ ------- ----- ---- ---- ------ ----
107

4234 Defl:F 1722 59% 03-23-04 14:04 11cc5542 !Test cases.txt
-------- ------- ---- -------
4234 1722 59% 1 file
Notice the “!” in front of the file in archive name. This indicates that this file is
encrypted with strong encryption. A “+” would indicate that only 96-bit encryption
was used.
View Detail Display
The view detail option not only shows the encryption algorithm used to encrypt but
will also display any certificate information that is available.
B PKUNZIP ARCHIVE('/pkzshare/aV80Test/test010.zip')
TYPARCHFL(*IFS) TYPE(*view) VIEWOPT(*ALL)
Displayed output from example B.
Archive: /pkzshare/aV80Test/test010.zip 2024 bytes 1 file
Filename: Test cases.txt
Detected File type: Binary Encrypt=Strong Encrypted
Created by: PKZIP for iSeries(tm) 8.1
Zip Spec to Extract: 6.1 Or Greater
Compression method: Deflated [Fast]
Date and Time 2004 Mar 23 14:04:06
Compressed size: 1722 bytes
Uncompressed size: 4234 bytes
32-bit CRC value (hex): 11cc5542
Unix file attributes (100777 octal):
-rwxrwxrwx
MS-DOS file attributes (00 hex):
none
Extended attributes: yes, [Length = 138]
Strong Encryption AES 256 Key (BSAFE).
Algorithm Key 256, Security type Password and Certificate Key
Number Certifcate Recipients 4
Recipient List:
CN=PKWARE Test3, EM=PKTESTDB3@nowhere.com
CN=PKWCADMIN, EM=(none)
CN=Bill Somebody, EM=bill.Somebody@pkware.com
CN=William Somebody, EM=bill.Somebody@pkware.com
IFS: Creation Time Wed Mar 24 17:23:44 2004
IFS: Access Time Thu Sep 16 19:41:11 2004
IFS: Modification Time Tue Mar 23 19:04:06 2004
IFS: Code Page 1252
File Comment:"none"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found 1 file, 4234 bytes uncompressed, 1722 bytes compressed: 59%
C PKUNZIP ARCHIVE('/pkzshare/aV80Test/test013.zip')
TYPARCHFL(*IFS) TYPE(*view) VIEWOPT(*ALL)
Displayed output from example C.
Archive: /pkzshare/aV80Test/test013.zip 1660 bytes 1 file
Filename: Test cases.txt
Detected File type: Binary Encrypt=Strong Encrypted
Created by: PKZIP for iSeries(tm) 8.1
Zip Spec to Extract: 6.1 Or Greater
Compression method: Deflated [Fast]
Date and Time 2004 Mar 23 14:04:06
Compressed size: 1398 bytes
Uncompressed size: 4234 bytes
32-bit CRC value (hex): 11cc5542
Unix file attributes (100777 octal):
-rwxrwxrwx
MS-DOS file attributes (00 hex):
none
108

Extended attributes: yes, [Length = 98]
Strong Encryption AES 256 Key (BSAFE).
Algorithm Key 256, Security type Certificate Key
Number Certifcate Recipients 2
Recipient List:
CN=PKWCADMIN, EM=(none)
CN=William Somebody, EM=bill.Somebody@pkware.com
IFS: Creation Time Wed Mar 24 17:23:44 2004
IFS: Access Time Thu Sep 16 20:10:44 2004
IFS: Modification Time Tue Mar 23 19:04:06 2004
IFS: Code Page 1252
File Comment:"none"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found 1 file, 4234 bytes uncompressed, 1398 bytes compressed: 67%
SecureUNZIP extracted 0 files
109

11 PKZIP Command
PKZIP Command Summary with Parameter Keyword Format
If the OS/400 command prompt screen is to be used, the command format is simply:
PKZIP. There also is a command PKZSPOOL which is the same command as PKZIP,
but has the parameter TYPFL2ZP set to *SPL for spool files. The parameters are also
re-sequenced to give preference to parameters dealing specifically with spool files.
The command prompt screen is displayed when Enter or PF4 is pressed. The
parameter keywords are displayed on this screen, together with the available
keyword options. The required options can be selected before PF4 is pressed to
accept the selections. If the command and parameter keywords are entered together
on the command line the required format is:
PKZIP keyword1(option) keyword2(option) . . . keywordn(option)
Keywords are demarcated by spaces. The keyword “ARCHIVE” is the only positional
keyword where the keyword is not required. Whenever the word “path” is used, its
meaning depends on the file system that is being used. If IFS is used, path refers to
the open system true path type. If the library systems or *DB is used, path means
library/file and then the file name refers to the member name.
TYPE( *ADD )
{*UPDATE}
{*FRESHEN}
{*MOVEA}
{*MOVEF}
{*MOVEU}
{*DELETE}
ADVCRYPT( {ZIPSTD} )
{AES128}
{AES192}
{AES256}
{3DES}
{DES}
{RC4_128}
ARCHIVE( Archive Zip File name with path )
ARCHTEXT( {*NONE} )
Archive File Text description
110

AUTHCHK( Authenticators )
Authenticate Type
{*FILE}
{*ARCHIVE}
{*ALL}
Lookup Type {*DB }
{*LDAP}
{*FILE}
{*MBRSET}
{*INLIST}
Recipient
Password (if Private)
Required {*RQD }
{*OPT}
{Recipient String}
{Certificate password}
AUTHPOL ( Authenticate Filters: )
Validate Level { *SYSTEM }
{*WARN }
{*VALIDATE}
Validate Level { *NONE }
{*ARCHIVE }
Filters {*SYSTEM }
{*ALL}
{*NONE}
{*TAMPER}
{*TRUSTED}
{*EXPIRED}
{*REVOKED}
{*NOTAMPER}
{*NOTTRUSTED}
{*NOTEXPIRED}
{*NOTREVOKED}
COMPAT( {*NONE} )
{*PK400}
COMPRESS( {*FAST} )
{*MAX}
{*STORE}
{*TERSE)
CRTLIST( {*NONE} )
path/filename
{*SIMULATE}
CVTDATA(
External Pgm Conversion Extended Data)
CVTFLAG( {*NONE} )
External Pgm Conversion Flags
CVTTYPE( {*NONE} )
{*DROP}
{*SUFFIX}
DATEAB( mmddyyyy )
DATETYPE( {*NO} )
{*BEFORE}
{*AFTER}
DBSERVICE( ({*NO} )
{*YES)
DELIM ( ({CRLF} )
{CR }
{LF }
{LFCR }
111

DFTARCHREC( {132} )
{decimal number}
DIRNAMES( {*YES} )
{*NO}
DIRRECRS( {*NONE} )
{*FULL}
{*NAMEONLY}
ENTPREC( Lookup Type; Recipient; Password; Required )
Lookup Type {*DB }
{*LDAP}
{*FILE}
{*MBRSET}
{*INLIST}
Recipient
{Recipient String}
Password (if Private) {Certificate password}
Required {*RQD }
{*OPT}
ENCRYPOL ( Encryption Filters: )
Validate Level {*SYSTEM }
{*WARN }
{*VALIDATE}
Filters {*SYSTEM }
{*ALL}
{*NONE}
{*TRUSTED}
{*EXPIRED}
{*REVOKED}
{*NOTTRUSTED}
{*NOTEXPIRED}
{*NOTREVOKED}
EXCLFILE( {*NONE} )
path/filename
EXCLUDE( file_specification 1, )
file_specification 2,
file_specification n
EXTRAFLD( {*YES} )
{*NO}
{*CENTRAL}
{*LOCAL}
{*BOTH same as *YES}
ERROPT( {*END} )
{*SKIP}
FILES( file_specification 1, )
file_specification 2,
file_specification n
FILESTEXT( {*NO} )
{*ALL}
{*NEW}
{*UPDATE}
FILETYPE( {*TEXT} )
{*BINARY}
{*EBCDIC}
{*FIXTEXT}
{*DETECT}
112

FNE( {*YES | *NO} )
{*YES | *NO}
FTRAN( {*INTERNAL} )
Member Name
GZIP( {*YES} )
{*NO}
IFSCDEPAGE( {*NO} )
Code-page
INCLFILE( {*NONE} )
path/filename
MSGTYPE( {*PRINT} )
{*SEND
{*BOTH}
PASSWORD( Archive Password )
SELFXTRACT ( {*MAINTAIN} )
{*REMOVE}
(WINDOWS}
{AIX}
{HP_UNIX}
{SUN_UNIX}
{LINUXINTEL}
SFUSER ( {*CURRENT} )
{user id 1}
{user id 2}
{user id 5)
SFQUEUE ( {*ALL} )
{Library/OUTQ }
SFFORM ( {*ALL} )
{*STD}
{Spool File Form Type }
SFUSRDTA ( {*ALL} )
{Spool File User data}
SFSTATUS ( {*ALL} )
{*READY}
(*HELD }
{*CLOSED}
{*SAVED }
{*PENDING}
{*DEFERRED}
SFJOBNAM ( {blanks } )
{*}
{Job-name//Userr-Name/Job Number}
SFTARGET ( {*SPLF} )
{*TEXT}
{*TEXT1}
{*TEXT2}
{*TEXTFC}
{*PDF}
{*PDFLETTER}
{*PDFLEGAL}
113

SFTGFILE ( {*GEN1} )
{*GEN2}
{*GEN1P}
{path/filename }
SIGNERS( Signer )
Signing Type
{*FILE}
{*ARCHIVE}
{*ALL}
Lookup Type {*DB }
{*LDAP}
{*FILE}
{*MBRSET}
{*INLIST}
Recipient
Password (if Private)
Required {*RQD }
{*OPT}
SIGNPOL ( Signing Filters: )
Validate Level {*SYSTEM }
{*WARN }
{*VALIDATE}
Filters {*SYSTEM }
{*ALL}
{*NONE}
{*TRUSTED}
{*EXPIRED}
{*REVOKED}
{*NOTTRUSTED}
{*NOTEXPIRED}
{*NOTREVOKED}
{Recipient String}
{Certificate password}
STOREPATH( {*NO} )
{*YES}
SPLFILE ( {*ALL} )
{Spool File Name }
SPLNBR ( {*ALL} )
{*LAST}
{Spool File Number 1-9999}
STOREPATH( {*NO} )
{*YES}
TMPPATH( {*CURRENT} )
Temporary Path
TRAN( {*INTERNAL} )
Member Name
TYPARCHFL( {*DB} )
{*IFS}
TYPFL2ZP( {*DB} )
{*IFS}
{*IFS2}
{*DBA}
{*SPL}
TYPLISTFL( {*DB} )
{*IFS}
VERBOSE( {*NORMAL} )
{*NONE}
114

{*ALL}
{*MAX}
VPASSWORD( Archive Verify Password )
115

PKZIP Command Keyword Details
TYPE
TYPE(ADD|DELETE|EXTRACT|FRESHEN|MOVEA|MOVEF|MOVEU|UPDATE |VIEW)
The TYPE keyword specifies the type of action PKZIP should perform on the ZIP
archive.
The possible actions are:
*ADD
*UPDATE
*FRESHEN
*MOVEA
*MOVEF
*MOVEU
*DELETE
The *ADD option is the default and adds a selection of
files to the archive file. If an archive is already present,
it will be written over by the new archive file.
The *UPDATE option updates files which are already in
the archive file with a newer version and will also add
newly selected files that are not present in the archive
file.
The *FRESHEN option updates ONLY the files which
already exist in an archive file. If the date/time of the
file is newer than the date/time of the file in the archive,
the file will be compressed and replace the one in the
archive.
The *MOVEA (Move and Add option) option performs the
*ADD option, and upon completion of a successful PKZIP
command, the actual file will be deleted.
The *MOVEF (Move and Freshen option) option performs
the *FRESHEN option, and upon completion of a
successful PKZIP command, the actual file will be
deleted.
The *MOVEU (Move and Update option) option performs
the *UPDATE option, and upon completion of a
successful PKZIP command, the actual file will be
deleted.
The *DELETE option removes entries from the archive
file based upon the selection of FILES and EXCLUDE
parameters. The format of the FILES and EXCLUDE
parameters should be in the format of the files as seen
in the archive.
ADVCRYPT
ADVCRYPT(ZIPSTD|ASE128|AES192|AES256|DES|3DES|RC4_128 PKWARE|BSAFE)
When a ZIP action is requested to save a file in an archive, and a password is
provided, SecureZIP for iSeries will use an encryption method to protect the data.
116

This command value specifies which algorithm to employ. There are two modes of
encryption: RSA BSAFE and PKWARE. See Chapter 2.
Possible encryptions are:
ZIPSTD
*NONE
AES128
AES192
AES256
DES
3DES
RC4_128
This algorithm is the original algorithm used in PKZIP
2.x products and is compatible with other PKZIP 2.04g
products that support standard encryption. Unless the
installation defaults module has been tailored differently,
this is the default value for PKZIP for iSeries if you
choose to encrypt a file.
No Encryption
Advanced Encryption Standard 128-bit key algorithm,
also known as Rijndael.
Advanced Encryption Standard 192-bit key algorithm,
also known as Rijndael.
Advanced Encryption Standard 256-bit key algorithm,
also known as Rijndael. This is the default value for
SecureZIP for iSeries.
Data Encryption Standard.
Triple Data Encryption Standard.
RC4 is a stream cipher created by RSA.
Usage Notes:
PKUNZIP will detect automatically which encryption method was specified during the
ZIP process and operate accordingly.
During a PKZIP (ZIP) run, only one encryption method may be specified, and that
method will be used for each file that is operated on.
By executing PKZIP at different times, various files within the archive may be saved
with differing levels (and types) of encryption. That is, some files may not be
protected at all, while others may have different methods and/or passwords.
A “+” character is shown in a view to indicate standard encryption protection is used
for a file.
A “!” character is shown in a View to indicate advanced encryption (AES) protection
is used for a file.
ARCHIVE
ARCHIVE(archive ZIP file name with path)
Specifies the path/file name or the library/file name of the SecureZIP for iSeries
archive to be processed. If the file exists, PKZIP will overwrite the file, otherwise
PKZIP will create the file for you. Depending on which file system you choose, the
path or library must exist. This is a required parameter.
The format depends on whether you will be using the archive file in the library file
system, or the IFS (Integrated File System).
117

See parameter TYPARCHFL for file system type information.
Library File System
Format is library/file(member). If member is omitted, it
will be created with the file name. If the file is not
found, it will be created with a default length specified in
parameter DFTARCHREC (which has a default of 132).
If you want to create a file manually to use a larger
record length, create it with no members and with the
parameter MAXMBRS with *NOMAX, or with a high
excepted limit. If the Library is not specified, the file
name will be searched using *LIBL. If the file name is
not found, the file will be created in the users *CURLIB.
If a library is specified and does not exist, PKZIP will
create the library.
Integrated File System (IFS)
Open system path followed by the archive file name.
The path and file name can up to 256 characters and
may contain embedded spaces.
ARCHTEXT
ARCHTEXT(*NONE| Archive File Text description)
Specifies text that will be stored in the archive as the archive's file comment.
*NONE
*DEFAULT
*CLEAR
No new archive comment will be stored.
The default PKWARE comment will be stored.
Clear any comment that may be stored in an archive.
Archive File Text description
Up to 255 characters that are stored as the archive's file
comments.
AUTHCHK
Authenticator Certificates:
File/Archive . . . . . . . *FILE *FILE, *ARCHIVE, *ALL
LookUp Type . . . . . . . . *DB *DB, *LDAP, *FILE, *MBRSET...
Authenticator . . . . . . . ______________________________
Password (If Private) . . . ______________________________
Required . . . . . . . . . . *RQD *RQD, *OPT
+ for more values _
Or
AUTHCHK((*FILE *MBRSET 'pkwareCertAdmin04.pfx' (password) *RQD))
AUTHCHK((*ALL *FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))
AUTHCHK((*ARCHIVE *FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))
AUTHCHK((*FILE *DB ‘EM=bill.somebody@pkware.com' () *OPT))
AUTHCHK((*FILE *INLIST 'ATEST/INLIST(ENGNEER1)' *N)
118

This parameter specifies that digital signature authentication processing should be
performed for specific signers. Separate authentication processing may be specified
for either the archive central directory or files by using multiple commands.
Optionally, specific signers may be specified to authenticate against. This parameter
is used in conjunction with the AUTHPOL parameters and its settings.
It is possible that more than one certificate may be returned for a single common
name or email search. As a result, each one will be added to the list of validating
sources.
When no specific certificates are requested, any signatories found in the archive are
validated in accordance with the systems or current AUTHPOL Filters policy settings.
There are five options for AUTHCHK.
Authenticator Type File/Archive
(*FILE |*ARCHIVE |*ALL)
This designates the type of authentication that is to be performed. Either ARCHIVE,
FILE or ALL may be specified on each item, but by using ALL or archive with the
*RQD option will result in error since the archive can only have one signatory. If the
lookup type is *INLIST, then this option will be ignored and will pickup from the
records in the inlist file.
• *FILE – The signed files will be authenticated with this authenticator.
• *ARCHIVE - The archive directory will be authenticated with this
authenticator.
• *ALL – Both the signed files and the archive directory will be authenticated
with this authenticator.
Lookup Type
(*DB |*FILE |*LDAP |*MBRSET |*INLIST)
The lookup type would be the type of authenticator search to be used for the
authenticator string to look up the public key.
• *DB - The authenticator string is defined to search using the certificate
locator database to access the digital certificate.
• *FILE - The authenticator string is defined to read a specific file in a specific
path in the IFS in order to access the digital certificate.
• *LDAP - The recipient string is defined to search using the LDAP server to
access the digital certificate.
• *MBRSET - The authenticator string is defined to read this specific file from
the enterprise public certificate store to access the digital certificate.
• *INLIST- The authenticator string defines a specific file that will contain one
to many AUTHCHK. The TYPLISTFL parameter must specify the file type for
the inlist.
Authenticator
(The authenticator string name)
The authenticator string format depends on what was specified for the lookup type.
• If lookup type is *DB, the authenticator string will either be an email address
or the common name of the certificate. This depends on the configuration
setting in PKCFGSEC parameter CERTDB. To override the default selection
119

mode, you can prefix the string with EM= for email, or CN= for the common
name.
For example:
AUTHCHK((*FILE *DB ‘bill.somebody@pkware.com' () *RQD)
(*ARCHIVE *DB ‘CN=bill somebody' () *RQD)
(FILE *DB ‘EM=bill.somebody@pkware.com' (password) *OPT))
• If lookup type is *FILE, the authenticator string is defined to read a specific
file in a specific path of the IFS. This file should be a public key X.509 file or
public key X.509 certificate with a private key file.
For example:
AUTHCHK((*ARCHIVE *FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' ()
*RQD))
The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path
'/pkzshare/CStores/public’.
• If type is *LDAP, the authenticator string will either be an email address or
the common name of the certificate depending on the search mode
configuration setting in PKCFGSEC parameter LDAP. To override the default
selection mode, you can prefix the string with EM= for email address, or CN=
for the common name.
For example:
AUTHCHK ((*ARCHIVE *LDAP ‘bill.somebody@pkware.com' () *RQD)
(*FILE *LDAP ‘CN=bill somebody' () *OPT)
(*FILE *LDAP ‘EM=bill.somebody@pkware.com' () *RQD))
• If lookup type is *MBRSET, the authenticator string is defined to read a
specific file from the public certificate store and/or the private certificate store
of the IFS. This file should be a public key X.509 file or public key X.509
certificate with a private key file.
For example:
AUTHCHK((*ALL *MBRSET 'pkwareCertAdmin04.cer' () *RQD))
The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path of
the public certificate store defined in the enterprise security configuration
public store (parameter CSPUB). If a password is included, the file is searched
for in the enterprise security configuration private store (parameter CSPRIV).
• If lookup type is *INLIST, the authenticator string defines a full file name of
an input list file that contains records of AUTHCHK shortcut parameters. The
type of file will exist in the QSYS library file system if TYPLISTFL(*DB) is set
and will be a path file name in the IFS if TYPLISTFL(*IFS) is set. The format
of the AUTHCHK shortcut parameters are defined below in the *INLIST usage
section.
Password
This designates the password that is required for a private key certificate with a
private key (PKCS#12 file). When a value is specified, the target must be an X.509
PKCS#12 public key certificate with the private key.
120

The PASSWORD value may contain blanks and is delimited by the closing right
parenthesis ")" of the signing command.
Required
(*RQD|*OPT|*SAME)
If *RQD, then this authenticator must be found during the selection, and the
certificate must be a valid certificate with a private key, or the ZIP/UNZIP run will
fail.
Usage Notes:
Passwords are masked out in all output displays.
A local certificate store configuration is required to complete the TRUST processing of
this command.
Processing is terminated if none of the requested certificates can be accessed,
regardless of the “R” required flag. If multiple requests are made and at least one
signature is found, processing continues normally.
For inlist that contains a password to open a private certificate, make sure that the
security is sufficient to only allow the owner of the certificate to have read access.
Otherwise this would leave a security hole where other users could browse the
password.
*INLIST Usage:
If *INLIST is defined on the AUTHCHK parameter, then the authenticator filed will be
a file that SecureZIP will read to include the authenticator. The format is very similar
to the AUTHCHK parameter described above except that each line authenticator
starts with “{AUTHCHK=” and is terminated by the “}” character, with the semicolon
“;” as a separator for each entry.
{AUTHCHK=Authenticator Type, Lookup Type; Authenticator; Password; Required}
Authenticator Type
Lookup Type
Authenticator
Password
Required
Examples:
See Authenticator Type in AUTHCHK
See Lookup Type in AUTHCHK excluding the INLIST
See Authenticator in AUTHCHK.
See Password in AUTHCHK.
See Required in AUTHCHK, but use RDQ for *RQD and OPT for
*OPT.
Sample 1: tstauth_db1.inlist.
{AUTHCHK=FILE;DB;EM=PKTESTDB4@nowhere.com;;RQD}
Sample 2: tstauth_mb2.inlist.
{AUTHCHK=ARCHIVE;MBRSET;pktestdb3.pfx;PKWARE;RQD}
121

Sample 3: tstauth_mb3.inlist.
{AUTHCHK=ALL;MBRSET;pktestdb3.pfx;PKWARE;RQD}
AUTHPOL
Authenticate Filters:
Validate Level . . . . . *SYSTEM *VALIDATE, *WARN, *NONE...
Validate Type . . . . . *ARCHIVE *ARCHIVE, *NONE
Filters . . . . . . . . . *SYSTEM *SYSTEM, *ALL, *NONE...
+ for more values
Or
AUTHPOL(*WARN *ARCHIVE (*SYSTEM) )
AUTHPOL(*WARN *FILE (*NOTTRUSTED) )
AUTHPOL(*SYSTEM *ALL (*ALL *NOTEXPIRED) )
This parameter defines the processing options and filters that should apply if a
signed file or signed archive is encountered.
Validate Level (*VALIDATE |*WARN |*SYSTEM)
The validate level specifies the type of authentication processing that should take
place if a file or archive is encountered. The default is *SYSTEM and, unless it is
modified, SecureZIP will use the enterprise setting from PKCFSEC.
• *VALIDATE – Indicates that when authentication takes place and a failure
occurs based on the filters, the run will be considered a failure and the
message issued at the end will indicate one or more errors during the run.
• *WARN - Indicates that when authentication place and a failure occurs, the
failure is only considered a warning. The messages at the end of the run will
not consider any failed authentications as errors.
• *SYSTEM – Indicates the authentication processing that is set in the
environmental setting will be used.
Validate Type (*ARCHIVE |*NONE)
The validate type specifies that archive authentication should take place if an archive
has been signed. The default is *NONE and anything other than *NONE requires the
Enhanced Encryption Feature..
• *ARCHIVE - Indicates that only a signed archive will be authenticated.
• *NONE - Indicates no authentication will take place even though a file or
archive has been signed.
Filters (*SYSTEM |*ALL |*NONE |*TAMPER |*TRUSTED |*EXPIRED |*REVOKED
|*NOTAMPER |*NOTTRUSTED |*NOTEXPIRED |*NOTREVOKED )
The authentication filter policies settings are defined in the enterprise security file
supplied by the SecureZIP administrator (See PKCFGSEC). These global policy
122

settings can be revised with sub-parameter values. The variables are cumulative
from the global setting.
• *SYSTEM – All filter policies are from the global settings.
• *ALL - This sub-parameter activates all levels of authentication. If followed
by negating sub-levels, then all but those negating levels are activated. For
example: *ALL NOTEXPIRED means that expired certificates will not cause an
authentication error, but TRUST and TAMPERCHECK must both be satisfied.
• *NONE – Will negate all the policies.
• *TAMPER – This sub-parameter signifies that a verification of the data
stream should be done against the digital signature.
• *TRUSTED – This sub-parameter signifies that the entire certificate authority
chain must be validated. This includes locating the root (self-signed)
certificate on the local system.
• *EXPIRED – This sub-parameter signifies that certificate date range
validation should be performed on the certificates (including the certificate
authority chain). Although the term “expired” is used, a certificate that has
not yet reached its valid data range specification will fail.
• *REVOKED - A certificate owner may request that the issuing certificate
authority declare a certificate to be revoked and thereby no longer consider
that certificate to be valid. The authentication operation will fail if any of the
certificates in the trust chain are found to have been revoked, or if the
revocation status could not be determined
• *NOTAMPER – Negates the *TAMPER filter.
• *NOTTRUSTED – Negates the *TRUSTED filter.
• *NOTEXPIRED - Negates the *EXPIRED filter.
• *NOTREVOKED – Negates the *REVOKED filter.
COMPAT
COMPAT(*NONE|*PK400)
Specifies that PKZIP will create and store extended data field information in another
supported format or previous version. At this time, only “PKZIP Version 4.0 for
OS/400” is supported.
The allowable values are:
*NONE
*PK400
The extended data fields will be in SecureZIP for
iSeries Versions 5.0 and above formats.
The extended data fields will output to the archive in the
format used by “PKZIP Version 4.0 for OS/400” product.
This option should be used if the archive file will be
extracted by “PKZIP Version 4.0 for OS/400” and the
attributes are required to create the files. The files can
be extracted without this option, but the files may have
123

to be manually created in order to have the proper
attributes (such as record length and text descriptions).
COMPRESS
COMPRESS(*FAST|*SUPERFAST|*MAX|*STORE|*TERSE)
Specifies the compression method or level to be used during a run of PKZIP. This is
used to specify the amount and speed of compression that is required for any
updated files.
The allowable values are:
*FAST
*SUPERFAST
*MAX
*NORMAL
*STORE
*TERSE
This selection provides ample compression at a fast rate.
This is the default selection. This will compress in the
fastest time, but will compress the files by the least
amount.
This level provides the maximum compression possible,
but will also take the longest in time to process.
The normal compression level provides good
compression amount at a reasonable speed.
No compression. Store will also be used if the other
methods tried result in a file larger than the original.
This selection provides a terse compression algorithm
provided with the iSeries by IBM as an API. This is
much faster but is less efficient than FASTEST, and can
only be decompressed on the iSeries. Do not use this
option if you wish to unzip the archive on another
platform.
CRTLIST
CRTLIST(*NONE| path/filename | *SIMULATE)
Specifies that PKZIP will create an output file with a list of entries that would have
been compressed based upon the selection criteria in the FILES and EXCLUDE
parameters.
See parameter TYPLISTFL for file system type.
*NONE
Default. No list file will be created.
path/filename
Enter the file path and name of the file to create. The
layout depends on which file system you want to create
the file in.
Library File System: The format is "library/file(member)".
Integrated File System (IFS):
The format is "path1/path2/../pathn/filename".
124

*SIMULATE
Will simulate the file selection and show the selection as
a printed or message list instead of writing to a list file.
CVTDATA
CVTDATA(External Program Conversion Extended Data)
Specifies the extended data that is passed to the external program CVTNAME. When
CVTFLAG is not *NONE, the contents of the parameter are passed to provide
extended flexibility in controlling how the iSeries names are stored in the archive.
See Appendix D for more details on the external program.
External Program Conversion Extended Data
Specify up to 255 bytes of unedited data which is passed
to the exit program CVTNAME to assist in controlling the
program logic.
CVTFLAG
CVTFLAG(*NONE| Conversion Flags)
Specifies the flags passed to the external program CVTNAME. These are used to
control how the iSeries names are stored in the archive. See Appendix D for more
details on the external program.
*NONE
Conversion Flags
Conversion exit is not active.
Specify a five-byte flag that is passed to the exit
program CVTNAME to control the program logic. If the
name passed back is blank, then conversion is referred
back to the setting of the CVTTYPE parameter.
CVTTYPE
CVTTYPE(*NONE|*DROP|*SUFFIX)
Specifies how the iSeries library and file names are stored in the archive. Since the
length of the library name, file name, and member name can each be up to 10
characters, and MS/DOS format requires a maximum of 8 characters with an optional
extension, this option allows name compatibility.
The allowable values are:
*SUFFIX This forces any iSeries name with more than 8
characters to create a name of 8 characters and a
period(.), followed by characters 9 and 10 to be
considered an extension to suffix.
*NONE
This leaves the iSeries name as the archive name.
*DROP This forces any iSeries name with more than 8
characters, to drop characters 9 thru 19.
125

DATEAB
DATEAB(mmddyyyy)
Used with DATETYPE parameter, DATEAB specifies the date to be used to compare
with the files latest modification date for file selection. The format is mmddyyyy,
where “mm” is a valid month (01-12), “dd” is valid day of the month, and “yyyy” is
the four digits of the year (2001).
DATETYPE
DATETYPE(*NO|*BEFORE|*AFTER)
Specifies if PKZIP should select files based upon a file modification date.
The allowable values are:
*NO
*BEFORE
*AFTER
No date selection will take place.
Files with a modification date before the date in
DATETYPE will be selected.
Files with a modification date on or after the date in
DATETYPE will be selected.
DBSERVICE
DBSERVICE (*NO|*YES)
Specifies if the iSeries special database extended file attributes describing the
database file, fields and keys are to be store in the archives. This will force the
option EXTRAFLD(*YES). The database will also be stored in binary mode. This mode
can produce larger archive files.
The allowable values are:
*NO
*YES
Does not store database extended services attributes.
Stores the database extended service attributes in the
archive file and treat non-SAVF as a database.
DFTARCHREC
DFTARCHREC(132|Record Length)
Specifies the record length to use when creating an archive file in the QSYS library
system. If the TYPARCHFL parameter is *DB, and the archive file does not exist, the
archive file will be created with the record length specified in this parameter.
Note: A large record length will leave a high residual number if only one byte is use
in the last record.
The allowable values are:
126

132 Default is record length of 132 to match previous
versions.
Record Length A decimal number from 50 to 32000.
DELIM
DELIM(CRLF |CR |LF |LFCR)
When compressing a text file (not binary), the DELIM parameter specifies what
characters are to be appended at the end of records to serve as delimiters. The
delimiter is removed from the record when it is decompressed.
The allowable values are:
CRLF
CR
LF
LFCR
This is the default selection. Specifies for SecureZIP
for iSeries to use the default delimiter CR-LF (x’0D0A’)
at the end of each text record.
Appends an ASCII carriage return (hex 0D).
Appends an ASCII line feed character (hex 0A).
Appends an ASCII line feed character (hex 0A0D).
Note that transfers of MS-DOS records uses a CRLF for a delimiter,
while UNIX records use a LF.
DIRNAMES
DIRNAMES(*YES|*NO)
Specifies to store directories as an entry. This is valid only for files in IFS.
*YES
*NO
Store the directories as entries in the archive.
Do not store directories as an archive entry.
DIRRECRS
DIRRECRS(*NONE|*FULL|*NAMEONLY)
IFS only. Specifies whether to search recursively through directories for file selection,
or only search the current, specified directory.
The allowable values are:
*NONE
*FULL
Search only the current, specified directory.
Search through all directories by starting with the
current, specified directory for selected files. If *FULL is
used, and * is for file selections, all files found in all
directories below the current directory will be selected.
127

*NAMEONLY
To be considered a hit, the full path and file name must
match the selection statements exactly.
ENTPREC
Encryption Recipients :
LookUp Type . . . . . . . . *DB *DB, *LDAP, *FILE...
Recipient . . . . . . . . . ______________________________________
Password (If Private) . . . ______________________________________
Required . . . . . . . . . . *RQD *RQD, *OPT
+ for more values _
Or
ENTPREC((*MBRSET 'pkwareCertAdmin04.cer' () *RQD))
ENTPREC((*FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))
ENTPREC((*FILE '/pkzshare/CStores/public/pkwareCertAdmin04.pfx'
(‘mypassword’) *RQD))
ENTPREC((*DB ‘EM=bill.Somebody@pkware.com' () *RQD))
ENTPREC((*LDAP ‘EM=bill.Somebody@pkware.com' () *RQD))
ENTPREC((*INLIST 'ATEST/INLIST(ENGNEER1)' *N)
The encryption/decryption recipient parameter defines one to many Recipients which
is to be included for the ZIP and UNZIP process. This parameter allows 1-4 types of
certificate searches to take place along with providing the ability for an include file
that may contain the recipients.
The specification of this recipient ENTPREC parameter, triggers encryption to take
place during ZIP processing utilizing the found recipients along with any password
that may be entered.
There are four entries for the ENTPREC parameter (lookup type, recipient, password,
and required).
Lookup Type (*NONE |*DB |*LDAP |*FILE |*MBRSET |*SAME)
The Lookup type would be the type of recipient search that will be used for the
recipient string.
• *DB - The recipient string is defined to search using the Certificate Locator
Database to access the digital certificate.
• *LDAP - The recipient string is defined to search using the LDAP server to
access the digital certificate.
• *FILE - The recipient string is defined to read a specific file in a specific path
in the IFS in order to access the digital certificate.
• *MBRSET - The recipient string is defined to read this specific file from the
enterprise public certificate store to access the digital certificate.
• *INLIST - The recipient string defines a specific file that will contain 1 to
many recipients.
Recipient (The recipient string name)
The recipient string format depends on what was specified for the Lookup type.
128

• If type is *DB: The recipient string will either be an email address or the
common name of the certificate. This depends on the configuration setting in
PKCFGSEC parameter CERTDB. To override the default selection mode, you
can prefix the string with EM= for email address or CN= for the common
name.
For example:
ENTPREC((*DB ‘bill.Somebody@pkware.com' () *RQD)
(*DB ‘CN=bill Somebody' () *RQD)
(*DB ‘EM=bill.Somebody@pkware.com' () *RQD))
• If type is *LDAP: The recipient string will either be an email address or the
common name of the certificate depending on the search mode configuration
setting in PKCFGSEC parameter LDAP. To override the default selection mode,
you can prefix the string with EM= for email address or CN= for the common
name.
For example:
ENTPREC((*LDAP ‘bill.Somebody@pkware.com' () *RQD)
(*LDAP ‘CN=bill Somebody' () *OPT)
(*LDAP ‘EM=bill.Somebody@pkware.com' () *RQD))
• If type is *FILE: The recipient string is defined to read a specific file in a
specific path of the IFS. This file should be public-key X.509 file or privatekey
X.509 certificate file.
For example:
ENTPREC((*FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))
The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path
‘/pkzshare/CStores/public’.
• If type is *MBRSET: The recipient string is defined to read a specific file from
public certificate store / private certificate store of the IFS. This file should be
public-key X.509 file or private-key X.509 certificate file.
For example:
ENTPREC((*MBRSET 'pkwareCertAdmin04.cer' () *RQD))
The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path of the
public certificate store defined in the Enterprise Security Configuration public
store(parameter CSPUB). If a password was included, the file would be searched for
in the Enterprise Security Configuration private store (parameter CSPRIV).
• If the type is *INLIST: The recipient string defines a full file name of an input
list file that contains records of ENTPREC shortcut parameters. The type of file
will in the QSYS library file system if TYPLISTFL(*DB) is set and will be a path
file name in the IFS if TYPLISTFL(*IFS) is set. The format of the ENTPREC
shortcut parameters are define below in the *INLIST usage section.
Password
(Private Cert Password)
The password is required only if the certificate that is being selected is a private
certificate. This option should be omitted if a public certificate will be utilized.
129

Required
(*RQD|*OPT|*SAME)
If *RQD, then this recipient must be found during the selection, and the certificate
must be valid, or the ZIP/UNZIP run will fail.
Usage Notes:
The ZIP process only requires a X.509 public-key format certificate to encrypt files.
The UNZIP process requires X.509 private-key format certificate file to decrypt files
and this will the input of a password.
For inlist that contains a password to open a private certificate, make sure that the
security is sufficient to only allow the owner of the certificate to have read access.
Otherwise this would leave a security hole where other users could browse the
password.
*INLIST Usage:
If *INLIST is defined on the ENTPREC parameter, then the recipient field will be a file
that SecureZIP will read to include recipients. The format is very similar to the
ENTPREC parameter describe above except each line recipient starts with
“{RECIPIENT=” and is terminated by the “}” character with the semi-colon “;” as a
separator for each entry.
{RECIPIENT=Lookup Type; Recipient; Password; Required}
Lookup Type See Lookup Type in ENTREC excluding the INLIST
Recipient
Password
Required
*OPT.
Examples:
See Recipient in ENTREC.
See Password in ENTREC.
{RECIPIENT=MBRSETEM; mypassword;RQD}
See Required in ENTREC, but use RDQ for *RQD and OPT for
Sample 1: tstpriv_db4.inlist.
{RECIPIENT=DB;EM=PKTESTDB4@nowhere.com;PKWARE;RQD}
Sample 2: tstpriv_mb3.inlist.
{RECIPIENT=MBRSET;pktestdb3.pfx;PKWARE;RQD}
Sample 3: tstpubl1.inlist.
{RECIPIENT=MBRSET;pktestdb3.crt;;RQD}
{RECIPIENT=MBRSET;pktestdb4.crt;;OPT}
130

Sample 4: tstpubl2.inlist.
{RECIPIENT=DB;EM=PKTESTDB3@nowhere.com;;RQD}
{RECIPIENT=DB;CN=PKWARE Test4;;OPT}
ENCRYPOL
Encryption Filters:
Validate Level . . . . . *SYSTEM *VALIDATE, *WARN, *NONE...
Filters . . . . . . . . . *SYSTEM *SYSTEM, *ALL, *NONE...
+ for more values
Or
ENCRYPOL(*WARN (*SYSTEM) )
ENCRYPOL(*WARN (*ALL *NOTTRUSTED) )
ENCRYPOL(*SYSTEM (*ALL *NOTEXPIRED) )
This parameter defines the processing options and filters that should apply when the
ENTPREC is used to encrypt files with certificate keys.
Validate Level (*VALIDATE |*WARN |*SYSTEM)
The validate level specifies the type of encryption certificate error processing that is
used if certificates are specified in ENTPREC. If *SYSTEM is specified, the enterprise
setting from PKCFSEC is used. If the enterprise setting is defined as lockdown, then
this parameter cannot be revised and a warning will be issued if a change is
detected.
• *SYSTEM - Indicates the authentication processing that is set in the
environmental setting will be used.
• *VALIDATE – Indicates that when encryption with certificates (ENTPREC
parm) takes place and a failure based on the filters occurs, the run will be
considered a failure and the message issued at the end will indicate one or
more errors during the run.
• *WARN - Indicates that when encryption with certificates (ENTPREC parm)
takes place and a failure based on the filters occurs, the failure is only
considered a warning. The messages at the end of the run will not consider
any failed filters for encryption certificates as errors.
Filters (*SYSTEM |*ALL |*NONE |*TRUSTED |*EXPIRED |*REVOKED |*NOTTRUSTED
|*NOTEXPIRED |*NOTREVOKED)
The ENTPREC certificate filter policies settings are defined in the enterprise security
file supplied by the SecureZIP administrator (see PKCFGSEC). These global policy
settings can be revised with sub-parameter values, but if the enterprise setting is
defined as lockdown, this parameter cannot be revised and a warning will be issued if
a change is detected. The variables are cumulative from the global setting.
• *SYSTEM – All filter policies are from the global settings.
131

• *ALL - This sub-parameter activates all levels of authentication. If followed
by negating sub-levels, then all but those negating levels are activated. For
example: *ALL, NOTEXPIRED means that expired certificates will not cause an
authentication error, but TRUST and REVOKE must both be satisfied.
• *NONE – Will negate all the policies.
• *TRUSTED – This sub-parameter signifies that the entire certificate authority
chain must be validated. This includes locating the root (“self-signed”)
certificate on the local system.
• *EXPIRED – This sub-parameter signifies that certificate date range
validation should be performed on the certificates (including the certificate
authority chain). Although the term “expired” is used, a certificate that has
not yet reached its valid data range specification will fail.
• *REVOKED - A certificate owner may request that the issuing certificate
authority declare a certificate to be revoked and thereby no longer consider
that certificate to be valid. The encryption certificate request will fail if any of
the certificates in the trust chain are found to have been revoked or if the
revocation status could not be determined.
• *NOTTRUSTED – Negates the *TRUSTED filter.
• *NOTEXPIRED - Negates the *EXPIRED filter.
• *NOTREVOKED – Negates the *REVOKED filter.
ERROPT
ERROPT(*END|*SKIP)
Specifies what action to take if an error occurs while processing (selecting or
compressing) a spool file.
The allowable values are:
*END
*SKIP
The PKZIP will end without completing the compression
of the file. The archive is not updated.
The program will skip the file with the input error and
continue to process all other files to completion.
Message AQZ0022 will be issued at the end to indicate
that an error occurred.
EXCLFILE
EXCLFILE(*NONE| path/filename)
This parameter specifies the file containing the list of files to be excluded. This can
be used with or without the EXCLUDE parameter. See parameter TYPLISTFL for file
system type information.
*NONE
No list file will be processed.
132

path/filename
Enter the file path and name of the file to process. The
layout depends on which file system you want the file
created.
Library File System:
The format is "library/file(member)".
Integrated File System (IFS):
The format is "path1/path2/../pathn/filename".
EXCLUDE
EXCLUDE(file_specification1, file_specification2,... file_specification n )
Specifies the files and file specification patterns that will be excluded from the PKZIP
run. One or more names can be specified. Each name should be in the OS/400 file
system format, such as, QSYS is library/file(member) and IFS is directory/file, and
can include wildcards “*” and “?.”
Note: If TYPE(*VIEW) is being used, then the format for these names is the
MS/DOS format.
The PKZIP program can also exclude file specifications by using the list file
parameter EXCLFILE with a list of names to exclude.
Please refer to Chapter 5 for details of file specification formatting.
The valid parameter values for the FILES keyword are as follows:
'file_specification1'
'file_specification2'
'file_specification n'
EXTRAFLD
EXTRAFLD(*YES|*NO)
Specifies if the basic SecureZIP for iSeries extended file attributes should be
stored in the archive. Some basic file attributes are record size, library text
description, file text description, etc.
The allowable values are:
*YES
*NO
*CENTRAL
*LOCAL
Store the basic normal iSeries file attributes. See
Appendix K for more definitions. This is the default and
will be the same as coding *BOTH.
Do not store any extended attributes.
Stores the basic normal iSeries file attributes in only the
archive’s central directory. This will reduce the overall
archive size by only storing the attributes in the Central.
Stores the basic normal iSeries file attributes in only the
archive’s local directory. Warning: PKUNZIP only
133

*BOTH
utilizes the central directory for extended data
attributes.
Stores the basic normal iSeries file attributes in both the
archive’s central directory and local directory.
Migration consideration: if the archive will be processed by an earlier
release of PKZIP for OS/400 and the attributes are required, then
*BOTH should be coded.
FILES
FILES(file_specification1, file_specification2,... file_specification n)
Specifies the files and file specification patterns that will be selected in the PKZIP
process. One or more names can be specified. Each name should be in the OS/400
file system format, such as, QSYS is library/file(member) and IFS is directory/file,
and can include wildcard “*” and “?.” For the IFS, the path and file name can up to
256 characters and can contain embedded spaces.
Note: If TYPE(*VIEW) or TYPE(*DELETE) is being used, then the format for these
names is the MS/DOS format.
The PKZIP program can also have file specifications selections to include by using the
list file parameter INCLFILE with a list of names to select.
Files may also be excluded. See the EXCLUDE parameter.
Please refer to Chapter 5 for details of file specification formatting.
The valid parameter values for the FILES keyword are as follows:
'file_specification1'
'file_specification2'...
'file_specification n'
FILESTEXT
FILESTEXT(*NO|*ALL|*NEW|*UPDATE)
Specifies if PKZIP allows the editing (and the type of editing performed) of a file’s
text comments that are stored in an archive.
The allowable values are:
*NO
*ALL
*NEW
No comment editing (the default).
Add comments or edit comments for all files in the
archive.
Add comments only for new files that are added to the
archive.
134

*UPDATE
Add or edit the comments of files that are added,
updated, or freshened in the archive. Only file
comments of files that are affected by a change are
eligible for editing.
FILETYPE
FILETYPE(*BINARY|*DETECT|*EBCDIC|*FIXTEXT|*TEXT)
Specifies whether the files selected are treated as text or binary data. For text files
added to an archive, trailing spaces in each line are removed, the text is converted
to ASCII (based on the translation tables) by default, and a carriage return and line
feed (CR/LF) are added to each line before the data is compressed into the archive.
Binary files are not converted.
The default is *DETECT; where PKZIP attempts to make a determination based on
the nature of the data itself. The program will read in a portion of the data, evaluate
it, and determine the appropriate process.
Note: This will lower performance time. A message will display the type used when
compressing.
Use of text file option is usually faster because PKZIP has to process less data than
with *BINARY, but more processing may also take place to perform the translation.
If the file is a SAVF or a database file (with DBSERVICE(*YES)), then the file will be
processed as binary regardless of what option is specified.
*BINARY
*DETECT
*EBCDIC
*FIXTEXT
*TEXT
Specifies that the files selected are binary files and no
translation should be performed.
The PKZIP program will try to determine the data type
of text or binary.
Specifies that the files selected are text files and leaves
it in EBCDIC without performing any translation. This is
good only if the files are to be used on an iSeries or
IBM-type mainframe. If they will be unzipped to a PC
file, then a translation from EBCDIC to ASCII is required.
Specifies that the files selected are text files with a fixed
record length based on the iSeries file’s record length
and translation will be performed using the translate
tables specified in the TRAN option. This means the
compressed file will contain records with trailing spaces
followed by a CR and LF. This is only valid for QSYS
library file types as files in the IFS do not contain a
record length.
Specifies that the files selected are text files and
translation will be performed using the translate tables
specified in the TRAN option.
135

FND
FNE(*YES|*NO
*YES|*NO
File Name Encryption :
Create FNE Archive . . . . . *NO *NO, *YES
Overwrite In FNE . . . . . . *NO *NO, *YES
FNE(*NO *NO)
Specifies the activation and use of the file name encryption feature.
The first option controls the creation of an archive with file name encryption.
*NO
*YES
Do not create the new/updated archive as filenameencrypted
archive.
Create the new or updated archive into a filenameencrypted
archive. If the archive exist, then the security
features will be defined by the inputted FnE archive. If
no archive exist, the new filename-encrypted archive will
use the encryption method define with ADVCRYPT
parameter and the PASSWORD and/or ENTPREC
parameters.
The second option controls the overwriting of a filename-encrypted input
archive to remove the filename encryption. This option is used with the first
option of *NO (do not create an filename-encrypted archive), and with an
existing filename-encrypted archive is input for update. Coding this option to
*NO indicates that you know that the input archive is filename-encrypted and
you want overwrite it to produce an archive that is not filename-encrypted.
*NO
*YES
Do not allow an existing filename-encrypted archive to
be changed to a non-filename-encrypted archive.
Allow an existing filename-encrypted archive to be
changed to a non-filename-encrypted archive when
archive is updated.
FTRAN
FTRAN(*INTERNAL| Member Name)
Specifies the translation table for use in translating "file names, comments, and
password" from the iSeries EBCDIC character set to the character set used in the
archive file (normally ASCII character set). A default internal table is predefined. See
Appendix F for additional information.
*INTERNAL
Use the predefined internal table for translation. Using
this is initially faster because PKZIP does not have to
parse the override table.
136

membername
Specify the member name in the file PKZTABLES that
will be parsed and used to translate "file names and
comments" files to the archive character set. The
member should have the exact format of member
UKASCII in file PKZTABLES. See Appendix F for
information on defining translation tables.
GZIP
GZIP(*YES|*NO)
If this option is set to *YES, PKZIP will create a compressed archive in the GZIP
format. The GZIP format only allows for one file or member per archive and all text
data is stored in ISO 8859- 1 (LATIN- 1) character set. The GZIP format is very
different from the SecureZIP for iSeries archive format, a program that can
process PKZIP ® archives will not necessarily process a GZIP archive correctly. The
GZIP archive created conforms to the GZIP specifications RFC1951 and RFC1952.
Do not use this option if the archive is to be unzipped on another platform where
GZIP compatibility is not confirmed.
The allowable values are:
*YES
The PKZIP program will create a compressed archive in
the GZIP format.
*NO The PKZIP program will create an archive in the PKZIP ®
format. This is the default.
IFSCDEPAGE
IFSCDEPAGE(*NO| Code-Page)
If this option is set to *NO, PKZIP will read IFS files using the code page that is
registered for the file. Otherwise, PKZIP will read IFS files with the specified code
page.
This parameter also controls the spool file ASCII conversion for *TEST and *PDF
documents. When *NO is specified for spool Files, the conversion will use code page
819.
The allowable values are:
*NO
Code-Page
The PKZIP program will read IFS files with the code page
registered for the file. If the file is a spool file, the code
page 819 will be used. This is the default.
The PKZIP program will read IFS files with the specified
code page value. If the file is a spool file, it is the code
page that a spool file will use for ASCII translation.
137

INCLFILE
INCLFILE(*NONE| path/filename)
This parameter specifies the file containing the list of files to be selected for
inclusion. This can be used with or without the FILES parameter. See parameter
TYPLISTFL for file system type information.
*NONE
path/filename
No Include list file will be processed. This is the default.
Enter the file path and name of the file to process. The
layout depends on which file system you want to create
the file in.
Library File System:
The format is "library/file(member)".
Integrated File System (IFS):
The format is "path1/path2/../pathn/filename".
MSGTYPE
MSGTYPE(*PRINT|*SEND|*BOTH)
Specifies where the display of messages and information should be shown. The
PKZIP program has the ability to send messages that appear on the log and/or the
ability to print to stdout and stderr. If working interactively, stdout and stderr will
show upon the dynamic screen. If submitted via batch, you can override them to
print in an OUTQ or build a CL and save them to an outfile.
*SEND
*PRINT
*BOTH
Send the information to the log with send message
commands.
Send the information to stdout and stderr.
Send the information to the log with send message
commands and also to stdout and stderr.
PASSWORD
PASSWORD(Archive Password)
Specifies a password for files being added to an archive. This password may be up to
64 characters in length and is case sensitive. All files selected for archiving will be
encrypted using the specified password.
Note: There is no way to extract the password used from the archive data. If the
password is forgotten, the file will become inaccessible. If files in an archive need to
have different passwords, PKZIP must be run for each password required.
Since the password is entered in EBCDIC, the translation table referenced in the
FTRAN parameter is used to translate it to ASCII. Care should be take when using
the FTRAN override and when using a password. To use password-protected files, the
same FTRAN override option is required.
138

SELFXTRACT
SELFXTRACT (*MAINTAIN| WINDOWS| UNIX| LINUX| *REMOVE)
This licensed feature specifies the action to take concerning self extracting archives.
The actions are to maintain the current archive as is, create the new archive with a
self extracting preamble, or to remove the self extracting preamble if one exist in the
archive.
The self extracting programs are held as binary entities in the SecureZIP for
iSeries library in the file PKZIPSFX. The appropriate member is loaded and the
executable data copied to the beginning of the archive as a preamble when
requested.
The resulting archive can still be processed by SecureZIP for iSeries as a normal
ZIP archive.
The allowable values are:
MAINTAIN
WINDOWS
AIX
HP_UNIX
SUN_UNIX
LINUXINTEL
*REMOVE
If the current archive contains a self extracting
preamble, it will be maintained at the beginning of the
updated archive.
The Windows version of the self extracting preamble will
be installed to archive. (Microsoft Windows 95 and later)
The AIX version of the self extracting preamble will be
installed to archive. (IBM AIX Version 4.0 and later)
The HP UNIX version of the self extracting preamble will
be installed to archive. (HP/UX Version 9.0 and later)
The Sun UNIX version of the self extracting preamble
will be installed to archive. (Sun Solaris 2.3 (SunOS 53)
and later)
The Linux version of the self extract preamble (if
available) will be installed to archive. (LINUX Kernel 2.x
for Intel Note:libc-5 must be installed on the target
system.)
If the current archive contains a self extracting
preamble, it will be removed.
SFUSER
SFUSER (*CURRENT|*ALL |User Name List)
Specifies the user names that created spool files that will be selected. This value is
ignored if SFJOBNAM is coded.
The allowable values are:
*CURRENT
Only files created by the user running this command are
selected.
139

*ALL
User Name
Files created by all users are selected.
Specify up to 10 user names. Only files created by
those users are selected.
SFQUEUE
SFQUEUE (*ALL |Name|*LIBS)
Specifies the output queue that will be searched for the spool file selections. If no
OUTQ library is specified, it will default to *LIBL.
The allowable values are:
*ALL
OUTQ
OUTQ Library
*LIBS
Files on any device-created or user-created output
queue are selected.
The OUTQ that will be searched.
The library where the OUTQ resides. Defaults to *LIBL.
*LIBS will search all OUTQ that exist in the specified
OUTQ Library. If *LIBS is selected then the library
cannot be blank, nor contain *LIBL nor *CURRENT.
SFFORM
SFFORM (*ALL | *STD| Form Type)
Specifies the spool file form type that is on the spool files that will be selected.
The allowable values are:
*ALL
*STD
Form Type
Files for all form types are selected.
Only files that specify the standard form type are
selected.
Only spool files with this specific form type will be
selected.
SFUSRDTA
SFUSRDTA (*ALL| User Data)
The user data tag associated with the spool file to select.
The allowable values are:
*ALL
User Data
Files with any user data tag specified are selected.
Only spool files with this specific user data tag will be
selected.
140

SFSTATUS
SFSTATUS (*ALL |*READY|*HELD|*CLOSED|*SAVED|*PENDING|*DEFERRED)
Specifies the statuses of the spool files to be selected. Up to four statuses can be
selected for one run.
The allowable values are:
*ALL
*READY
*HELD
*CLOSED
*SAVED
*PENDING
*DEFERRED
All spool file status will be considered for selection.
Only spool files with a status of *READY will be selected.
Only spool files with a status of *HELD will be selected.
Only spool files with a status of *CLOSED will be
selected.
Only spool files with a status of *SAVED will be selected.
Only spool files with a status of *PENDING will be
selected.
Only spool files with a status of *DEFERRED will be
selected.
SFJOBNAM
SFJOBNAM(Blank|*|Spool File Jobname/User/Job Number)
Specifies the job name, user name, and job number that will be used to select spool
files. If anything other than blanks is in SFJOBNAM parameter, it will be used as the
primary selection criteria. If any of the three fields (job name, user name, and job
number) are specified, then all three fields must be entered and be valid.
The allowable values are:
Blank
This is the default selection. This will cause all other
selection criteria to be used for spool files.
* The * will cause the current job-name/user-name/job
number to be used to select spool files.
Job-name
User-Name
Job-Number
Specify the name of the job to be selected. If no job
qualifier is given, all of the jobs currently in the system
are searched for the simple job name.
Specify the name that identifies the user profile under
which the job is run.
Specify the job number assigned by the system.
SFTARGET
SFTARGET (*SPLF|*TEXT|*PDF|*TEXT1|*TEXT2)
Specifies the format of the file that will be stored in the archive.
141

The allowable values are:
*SPLF
*TEXT
*TEXT1
*TEXT2
*TEXTFC
*PDF
*PDFLETTER
*PDFLEGAL
This is the default selection. This will compress the
spool file in a spool file format with all of the spool file
attributes. This format is only valid on an AS/400. If
the archive is extracted, it will take on the latest spool
file settings, such as, job name, user, job number, spool
file number, etc. The suffix for this selection is SPLF.
Parameter SFTGFILE is required to be *GEN1 for
SFTARGET(*SPLF).
The spool file will be saved in the archived as an ASCII
text document. The suffix for this selection is .TXT.
each new page will have a form feed control character.
The spool file will be saved in the archived as an ASCII
text document. The suffix for this selection is .TXT.
Each new page will have a carriage control and line feed
control characters.
The spool file will be saved in the archived as an ASCII
text document. The suffix for this selection is .TXT.
Each page will have a carriage control and line feed
control characters for blanks lines to fill out a page with
the number lines required by the spool file attribute.
The spool file will be saved in the archive as an ASCII
Text document. The suffix for this selection is .TXT.
Each new page will have a form feed control character.
The spool file will be saved in the archived as a PDF text
document. The suffix for this selection is .PDF. The size
will be adjusted based upon the width and length of the
spool file.
The spool file will be saved in the archived as a PDF text
document. The suffix for this selection is .PDF. The size
will be adjusted based upon the width and length of the
spool file.
The spool file will be saved in the archived as a PDF text
document. The suffix for this selection is .PDF. The size
will be adjusted based upon the width and length of the
spool file.
SFTGFILE
SFTGFILE (|*GEN1|*GEN2|*GEN1P|File Name)
Specifies the how the file name will be stored in the archive.
The allowable values are:
*GEN1
GEN1 is the default selection. This generates a very
specific name using most of the spool file name
attributes to form the file name so that it will not be
142

*GEN1P
*GEN2
File Name
duplicated. *GEN1 is required if SFTRAGET is *SPLF.
The name will be built as follows:
“Job-Name/User-Name/#Job-Number/Spool-File-
Name/Fspool-File-Number.Suffix”
”MYJOB/BILLS#152681/INVOICE/F0021.SPLF”
The suffix is dependent on the SFTARGET setting.
*GEN1P generates the same file name as *GEN1 except
instead of a '/' separator, *GEN1P will use a '.' as name
separator.
*GEN2 uses the spool file name and appends the spool
file number followed by the suffix that is depended on
the SFTARGET setting. Caution should be taken in that
a duplicate file name in the archive could be created. An
example of GEN2 is a spool file INVOICE with spool file
number of 21 that will be converted to a text file will
generate a file name of INVOICE21.TXT.
This parameter should only be used when selecting one
specific spool file where you want a specific file name.
SPLFILE
SPLFILE (*ALL| Spool File Name)
Specifies the spool file name that will be selected. This parameter is used along with
all the other spool file selection parameters to determine the spool files to select.
The allowable values are:
*ALL
Spool File Name
This is the default setting. *ALL indicates that spool file
name is not important.
A specific spool file name that will be searched for and
selected.
SPLNBR
SPLFILE (*ALL|*LAST| Spool File Number)
Specifies the number of the spool file from the job whose data records are to be
selected. If *ALL is coded then all file numbers are considered. This parameter is
only valid when the SFJOBNAM parameter or SPLFILE is used. This parameter is used
along with all the other spool file selection parameters to determine the spool files to
select.
The allowable values are:
*ALL
*LAST
This is the default setting. *ALL indicates that spool file
number is not important.
The spooled file with the highest number is used.
143

Spool File Number A number 1-9999 to specify the number of the spooled
file whose data records are to be selected.
SIGNERS
Signing Certificates :
File/Archive . . . . . . . *FILE *FILE, *ARCHIVE, *ALL
LookUp Type . . . . . . . . *DB *DB, *FILE, *MBRSET, *INLIST
Signer . . . . . . . . . . . _____________________________________________
Password (If Private) . . . _________________________________________
Required . . . . . . . . . . *RQD *RQD, *OPT
Or
SIGNERS((*FILE *MBRSET 'pkwareCertAdmin04.pfx' (password) *RQD))
SIGNERS((*FILE *FILE '/pkzshare/CStores/private/pkwareCertAdmin04.pfx' (password)
*RQD))
SIGNERS((*FILE *FILE '/pkzshare/CStores/private/pkwareCertAdmin04.pfx'
(‘mypassword’) *RQD))
SIGNERS((*FILE *DB ‘EM=bill.somebody@pkware.com' (password) *RQD))
SIGNERS((*FILE *INLIST 'ATEST/INLIST(ENGNEER1)' *N)
This parameter identifies the public key certificate with private key that is to be used
to digitally sign files to be added to the archive and/or the archive directory. Multiple
signing certificates may be applied to the files but only one signer is allowed to sign
the archive directory. Signing an archive by signing its central directory enables
people who receive the archive to confirm that the archive as a whole is not
changed. By contrast, signing only individual files in an archive enables people to
confirm that the particular signed files are unchanged but leaves open the possibility
that the archive has had files added or removed.
There are five options for SIGNERS.
Signing Type File/Archive
(*FILE |*ARCHIVE |*ALL)
The File/Archive selection determines whether the files, archive or both are to be
signed during the ZIP run. Only one signer can be specified for an archive. If the
lookup type is *INLIST, then this option will be ignored and will pickup from the
records in the inlist file.
• *FILE – All new files being compressed in the run will be signed by this
private key and a signature entry will be added to the archive.
• *ARCHIVE – The archive directory will be signed by this private key and a
signature entry will be added to the archive.
• *ALL – Both *FILE and *ARCHIVE for the signer will be used.
Lookup Type
(*DB |*FILE |*MBRSET |*INLIST)
The lookup type would be the type of signer search that will be used for the signer
string to lookup the private key.
• *DB - The signer string is defined to search using the Certificate Locator
Database to access the digital certificate and private key.
144

• *FILE - The signer string is defined to read a specific file in a specific path in
the IFS in order to access the digital certificate and private key.
• *MBRSET - The signer string is defined to read this specific file from the
enterprise private certificate store to access the digital certificate and private
key.
• *INLIST- The signer string defines a specific file that will contain one to many
signers. The TYPLISTFL parameter must specify the file type for the inlist.
Signer
(The signer string name)
The signer string format depends on what was specified for the lookup type.
• If lookup type is *DB, the signer string will either be an email address or the
common name of the certificate. This depends on the configuration setting in
PKCFGSEC parameter CERTDB. To override the default selection mode, you
can prefix the string with EM= for email, or CN= for the common name.
For example:
SIGNERS((*FILE *DB ‘bill.somebody@pkware.com' (password) *RQD)
(*ARCHIVE *DB ‘CN=bill somebody' (password) *RQD)
(FILE *DB ‘EM=bill.somebody@pkware.com' (password) *OPT))
• If lookup type is *FILE, the signer string is defined to read a specific file in a
specific path of the IFS. This file should be public key X.509 with the private
key X.509 certificate file.
For example:
SIGNERS((*ARCHIVE *FILE '/pkzshare/CStores/private/pkwareCertAdmin04.pfx' (password)
*RQD))
The digital certificate file with the private key ‘pkwareCertAdmin04.pfx’ will be
in the full path '/pkzshare/CStores/private’.
• If lookup type is *MBRSET, the signer string is defined to read a specific file
from the public certificate store and/or the private certificate store of the IFS.
This file should be public key X.509 with the private key X.509 certificate file.
For example:
SIGNERS((*ALL *MBRSET 'pkwareCertAdmin04.pfx' (password) *RQD))
The digital certificate file ‘pkwareCertAdmin04.pfx’ will be in the full path of
the private certificate store defined in the enterprise security configuration
private store (parameter CSPRV). Since the password was included, the file
will be searched for in the enterprise security configuration private store
(parameter CSPRIV).
• If lookup type is *INLIST the signer string defines a full file name of an input
list file that contains records of SIGNERS shortcut parameters. The type of file
will exist in the QSYS library file system if TYPLISTFL(*DB) is set and will be a
path file name in the IFS if TYPLISTFL(*IFS) is set. The format of the
SIGNERS shortcut parameters are defined below in the *INLIST usage
section.
145

Password
This designates the password that is required for a private key (PKCS#12 file). When
a value is specified, the target must be an X.509 PKCS#12 private key certificate.
The PASSWORD value may contain blanks and is delimited by the closing right
parenthesis ")" of the signing command.
Required
(*RQD|*OPT|*SAME)
If *RQD then this signer MUST be found during the selection and the certificate
MUST be a valid certificate with a private key or the run will fail.
Usage Notes:
A NULL file (binary file having zero bytes of data) will be signed. However, note that
the digital signature is based on a fixed hash value.
The entire data stream of each file is run through the hash algorithm before
compression or encryption. However, file text data is translated before hashing so
that the receiving system is able to hash the identical stream after
decryption/decompression.
The processor requirement for a file signature is directly related to the size of the
file(s) being signed and/or authenticated (see SIGN_HASHALG). Therefore, when
processing costs are a consideration, the decision whether to use SIGNERS to sign
large files should be based on the business case. Sometimes signers for the archive
may be more appropriate. (The directory size is proportional to the number of files in
the archive, not the physical size of the file data.)
A separate signing operation is performed for each supplied certificate, for each file.
Processor and elapsed time will be impacted in proportion to the number of
signatories and files selected.
The number of file signatures that can be held for each file is constrained by a
number of factors. These include EXTRAFLD(*YES) and DBSERVICE(*NO), the size of
the signatures generated (based on the size of the certificate information), the
number of certificates in the authenticating certificate authority chain, the number of
different certificate authorities used in association with the signing certificates, if
FNE(*YES) is specified, and the number of recipients for certificate-based encryption
of files. For planning purposes, typical ZIP operations will support up to 10 file
signatories as a rule, although more or fewer may be achieved in practice.
It is important that the password is entered in the correct case. Any variation in case
or misspelling will result in a public key certificate access attempt (which will fail for
a private key PKCS#12 certificate). Please note that passwords will be masked out in
all output displays.
A local certificate store configuration is required to complete the processing of this
command. Even when a direct FILE specification is made to locate the private key
certificate, the CS and ROOT certificate store components must be accessible to
complete the certificate signing chain within the archive. This information is required
to complete authentication processing on the target system when the local certificate
store on that system does not contain the certificate authority chain required to
validate TRUST (see PKCFGSEC).
146

Processing will be terminated if none of the requested certificates can be accessed,
regardless of the “R” required flag. If multiple requests are made and at least one
signature is found, processing will continue normally.
Signed files are tolerated by prior releases of PKZIP and SecureZIP for iSeries but
are not processed for authentication.
For inlist that contains a password to open a private certificate, make sure that the
security is sufficient to only allow the owner of the certificate to have read access.
Otherwise this would leave a security hole where others could browse the password.
*INLIST Usage:
If *INLIST is defined on the SIGNERS parameter, then the signer filed will be a file
that SecureZIP will read to include the signer. The format is very similar to the
SIGNERS parameter described above except each line signer starts with
“{SIGNERS=” and is terminated by the “}” character with the semi-colon “;” as a
separator for each entry.
{SIGNERS=Signing Type, Lookup Type; Signer; Password; Required}
Signing Type
Lookup Type
Signer
Password
Required
Examples:
See Signing Type in SIGNERS
See Lookup Type in SIGNERS excluding the INLIST
See Signer in SIGNERS.
See Password in SIGNERS.
See Required in SIGNERS, but use RDQ for *RQD and OPT for
*OPT.
Sample 1: tstsign_db1.inlist.
{SIGNERS=File;DB;EM=PKTESTDB4@nowhere.com;PKWARE;RQD}
Sample 2: tstsign_mb2.inlist.
{SIGNERS=ARCHIVE;MBRSET;pktestdb3.pfx;PKWARE;RQD}
SIGNPOL
Signing Filters:
Validate Level . . . . . *SYSTEM *VALIDATE, *WARN, *NONE...
Filters . . . . . . . . . *SYSTEM *SYSTEM, *ALL, *NONE...
+ for more values
Or
SIGNPOL(*WARN (*SYSTEM) )
SIGNPOL(*WARN (*ALL *NOTTRUSTED) )
SIGNPOL(*SYSTEM (*ALL *NOTEXPIRED) )
147

This parameter defines the processing options and filters that should take place if the
SIGNERS parameter is used to define the file or archive signing certificates.
Validate Level (*VALIDATE |*WARN |*SYSTEM)
The validate level specifies the type of signing processing that should take place if
the signer requests encounter an error. If *SYSTEM is specified, the enterprise
setting from PKCFSEC is used. If the enterprise setting is defined as Lockdown, then
this parameter cannot be revised and a warning will be issued if a change is
detected.
• *SYSTEM - Indicates the authentication processing that is set in the
environmental setting will be used.
• *VALIDATE - Indicates that when authentication takes place and a failure
occurs based on the filters, the run will be considered a failure, and the
message issued at the end will indicate one or more errors during the run.
• *WARN - Indicates that when authentication takes place and a failure occurs,
the failure is only considered a warning. The messages at the end of the run
will not consider any failed filters for signer certificates as errors.
Filters (*SYSTEM |*ALL |*NONE |*TRUSTED |*EXPIRED |*REVOKED |*NOTTRUSTED
|*NOTEXPIRED |*NOTREVOKED)
The signing filter policies settings are defined in the enterprise security file supplied
by the SecureZIP administrator (see PKCFGSEC). These global policy settings can be
revised with sub-parameter values, but if the enterprise setting is defined as
lockdown, this parameter cannot be revised and a warning will be issued if a change
is detected. The variables are cumulative from the global setting. The setting of
these filters defines what certificates are acceptable for signing.
• *SYSTEM - All filter policies are from the global settings.
• *ALL - This sub-parameter activates all levels of authentication. If followed
by negating sub-levels, then all but those negating levels are activated. For
example: *ALL, NOTEXPIRED means that expired certificates will not cause an
authentication error, but TRUST and REVOKE must both be satisfied.
• *NONE - Will negate all the policies.
• *TRUSTED - Each end-entity certificate used in the signature must be traced
back to a trusted root certificate. The CACA and CSROOT stores on the local
system performing the authentication check will be accessed to determine if
the entire certificate chain can be trusted. Although the root (“self-signed”)
certificate may be included within the archive, it MUST also exist in the
CSROOT store to complete the TRUSTED state.
• *EXPIRED - The digital certificates used to originally perform the signing
operation contain internal date ranges of validity. The signer operation will fail
if any of the certificates in the trust chain are not found to be within their
stated data range. Note that an end-entity certificate may have expired at the
time that the archive is being accessed, and NOTEXPIRED may be used to
continue processing.
• *REVOKED - A certificate owner may request that the issuing certificate
authority declare a certificate to be revoked and thereby no longer consider
that certificate to be valid. The signer operation will fail if any of the
148

certificates in the trust chain are found to have been revoked or if the
revocation status could not be determined.
• *NOTTRUSTED - Negates the *TRUSTED filter.
• *NOTEXPIRED - Negates the *EXPIRED filter.
• *NOTREVOKED - Negates the *REVOKED filter.
STOREPATH
STOREPATH(*NO|*YES)
Specifies whether to store the full path and file name in the archive, or to just save
the file name. If the file is an IFS file type, the path is all directories, from the
current directory, to the directory of the file. In the library system, the path is the
library and the file name. The member name is considered to be the archive name.
The allowable values are:
*YES
*NO
Store all paths and the filename in the PKZIP archive.
Store only the filename in the PKZIP archive.
TMPPATH
TMPPATH(*CURRENT| pathname)
Specifies a directory or library/file in which to build the temporary archive file. While
PKZIP is compressing data into an archive, a temporary archive file name is used.
The temporary file name is a 10-character name with a prefix of “PZ” followed by a
time stamp (PZtttttttt). If this option is *CURRENT, the temporary file is built in the
same directory (for library file systems it is same library/file with temporary
member) in which the new archive will be stored and is then renamed at the end of
the run to the archive name. If an override path is specified, the temporary archive
file is built into that specified path, and the file is then copied to its final archive path
at the end of the run. The temporary file name and path type will be the same as
specified for ARCHIVE. See parameter TYPARCHFL for file system type information.
Special libraries (such as QTEMP) are used frequently.
*CURRENT
pathname
NOTE 1:
Specifies that the current archive path will be used (see
ARCHIVE) to build the temporary archive file
PZxxxxxxxx.
Specifies a path name (if using IFS such as
/PKZIP/tempdir) or a library/file (if using the library
system).
When using the QSYS library file system and specifying
“qtemp” as the TMPPATH, a dynamic file name and
member name is created in the library qtemp. At the
end of the run, the file and member are removed. If
any other combination of names is used, then a dynamic
member name is created and only the member is
removed.
149

NOTE 2:
When using the QSYS library file system and specifying
a TMPPATH, there may be a slight performance
degradation because the archive file will have to be
copied from one library/file to another library/file.
Otherwise, if *CURRENT is used, the file member name
will only be renamed.
TRAN
TRAN(*INTERNAL| Member Name)
Specifies the translation table for use with translating data from the iSeries EBCDIC
character set to the character set used in the archive file (normally the ASCII
character set). A default internal table is predefined (see Appendix F).
*INTERNAL
Member Name
Use the predefined internal table for translation. Using
this is initially faster because PKZIP does not have to
parse the override table.
Specifies the member name in the file PKZTABLES that
will be parsed and used to translate data files to the
archive character set. The member should have the
exact format of member UKASCII in file PKZTABLES (see
Appendix F for information on defining translation
tables).
TYPARCHFL
TYPARCHFL(*DB|*IFS)
Specifies the type of file system in which the archive file will exist (see parameters
ARCHIVE and TMPPATH for additional information).
*DB
*IFS
Archive files are to be in the QSYS library file system.
Archive files are to be in the integrated files system
(IFS).
TYPFL2ZP
TYPFL2ZP(*DB|*IFS)
Specifies the type of file system that contains files to be zipped. Reflected for files in
parameters FILES and EXCLUDE.
*DB
*IFS
*IFS2
Files to be zipped are in the QSYS library file system.
Files to be zipped are in the IFS (integrated files system)
- Case sensitive selection.
Files to be zipped are in the IFS (integrated files system)
– Non-case-sensitive selection.
150

*DBA
*SPL
Files to be compressed are database files in the QSYS
library file system with database mode
"DBSERVICE(*YES)", and the records are to processed
in arrival sequence. This is only pertinent for database
files containing keys and when it is important to retain
the arrival sequence of the data.
Files to be zipped are spool files.
TYPLISTFL
TYPLISTFL(*DB|*IFS)
Specifies the “type of files system” that will be used for the input list file and/or the
output list file of selected items.
To use input list files, see parameters INCLFILE (file section list) or EXCLFILE (file
exclude list). To create an output list file of the selected file items, see parameter
CRTLIST.
*DB
*IFS
Files are in the QSYS library file system.
Files are in the IFS(integrated files system).
VERBOSE
VERBOSE(*NORMAL|*NONE| *ALL|*MAX )
Specifies how the detail will be displayed during a PKZIP run.
The allowable values are:
*NORMAL
*NONE
*ALL
*MAX
Displays most informative message to show PKZIP is
processing.
Displays only major exception information.
Displays all messages.
Used only for debugging purposes.
VPASSWORD
VPASSWORD(Archive Verify Password)
Specifies a verification password against the entered password since the PASSWORD
is not visible. This parameter is required for all encryption methods except ZIPSTD.
VPASSWORD follows all the rules of PASSWORD and must match exactly to the
archive password entered in PASSWORD parameter or the run will be terminated.
151

12 PKUNZIP Command
PKUNZIP Command Summary with Parameter Keyword Format
If the OS/400 command prompt screen is to be used, the command format is simply:
PKUNZIP.
The command prompt screen is displayed when ENTER or PF4 is pressed. The
parameter keywords are displayed on this screen together with the available
keyword options. The required options can be selected before PF4 is pressed to
accept the selections. If the command and parameter keywords are entered together
on the command line, the required format is:
PKUNZIP keyword1(option) keyword2(option) . . . keywordn(option)
Keywords are delimited by spaces. The keyword “ARCHIVE” is the only positional
keyword where the keyword itself is not required. Whenever the word “path” is used,
its meaning depends on the file system that is being used. If IFS is used, path refers
to the openness true path type. If the library systems or *DB is used, path means
library/file, and then the file name refers to the member name.
152

TYPE( *VIEW )
(*EXTRACT}
{*NEWER}
{*TEST}
ARCHIVE( Archive Zip File name with path )
AUTHCHK( Authenticators )
Authenticate Type
{*FILE}
{*ARCHIVE}
{*ALL}
Lookup Type {*DB }
{*LDAP}
{*FILE}
{*MBRSET}
{*INLIST}
Recipient
Password (if Private)
Required {*RQD }
{*OPT}
{Recipient String}
{Certificate password}
AUTHPOL ( Authenticate Filters: )
Validate Level {*SYSTEM }
{*WARN }
{*VALIDATE}
Validate Type {*NONE }
{*ALL }
{*ARCHIVE}
{*FILE}
Filters {*SYSTEM }
{*ALL}
{*NONE}
{*TAMPER}
{*TRUSTED}
{*EXPIRED}
{*REVOKED}
{*NOTAMPER}
{*NOTTRUSTED}
{*NOTEXPIRED}
{*NOTREVOKED}
CRTLIST( {*NONE} )
path/filename
CVTDATA(
External Pgm Conversion Extended Data)
CVTFLAG( {*NONE} )
External Pgm Conversion Flags
CVTTYPE( {*NONE} )
{*DROP}
{*SUFFIX}
DFTDBRECLN( {132} )
{decimal number}
DROPPATH( {*NONE} )
{*ALL}
{*LIB}
ENTPREC( Decryption Recipients )
Lookup Type {*DB }
{*LDAP}
{*FILE}
153

{*MBRSET}
{*INLIST}
Recipient
{Recipient String}
Password (if Private) {Certificate password}
Required {*RQD }
{*OPT}
EXCLFILE( {*NONE} )
path/filename
EXCLUDE( file_specification1, )
file_specification2,
file_specificationn
EXDIR( {*CURRENT} )
path
FILES( file_specification1, )
file_specification2,
file_specificationn
FILETYPE( {*TEXT} )
{*BINARY}
{*EBCDIC}
{*DETECT}
FTRAN( {*INTERNAL} )
Member Name
IFSCDEPAGE( {*NO} )
Code-page
INCLFILE( {*NONE} )
path/filename
MSGTYPE( {*PRINT} )
{*SEND}
{*BOTH}
OVERWRITE( {*NO} )
{*YES}
{*PROMPT}
PASSWORD( Archive Password )
SFQUEUE ( {*DFT} )
{Library/Outq }SPLUSRID (
SPLUSRID {*DFT} )
{User ID }
TRAN( {*INTERNAL} )
Member Name
TYPARCHFL( {*DB} )
{*IFS}
TYPFL2ZP( {*DB} )
{*IFS}
TYPLISTFL( {*DB} )
{*IFS}
VERBOSE( {*NORMAL} )
{*NONE}
154

{*ALL}
{*MAX}
VIEWOPT( {*NORMAL} )
{*DETAIL}
{*BRIEF}
{*COMMENT }
{*FNE}
{*FNEALL}
VIEWSORT( {*ASIS} )
{*DATE}
{*DATER}
{*NAME}
{*NAMER}
{*PERCENT}
{*PERCENTR}
{*SIZE}
{*SIZER}
155

PKUNZIP Command Keyword Details
TYPE
TYPE(*EXTRACT|*NEWER|*TEST |*VIEW)
The TYPE keyword specifies the type of action PKUNZIP should perform on the ZIP
archive.
The possible actions are:
*VIEW
*EXTRACT
*NEWER
*TEST
Display output information about all files or selected files
contained in an archive. This option is performed using
PKUNZIP. The sequence (see *VIEWSORT) and type of
list (*VIEWOPT) determines what information is
displayed.
Extracts files from the archive (please refer to the
DROPPATH, CVTTYPE, TO, and EXDIR parameters for
controlling the conversion of file names extracted from
the archive).
Extracts files in the archive that have a more recent
date and time than the corresponding file on disk. If the
files do not exist on disk, they will be extracted as
newer. All other files will be skipped.
Tests the integrity of files in the archive by extracting
files without writing the data. As each file is extracted,
a CRC is calculated. At the end of the file the calculated
CRC is compared against the stored CRC in the archive
file header to confirm that the data has not been
corrupted.
ARCHIVE
ARCHIVE(Archive Zip File name with path)
Specifies the path/file name or the library/file name of the PKUNZIP archive to be
processed.
This is a required parameter.
The format depends on whether you will be using the archive file in the library file
system or the IFS.
See parameter TYPARCHFL for file system type information.
Library File System: Format is library/file(member). If member is
omitted, it will use the file name for the member.
156

Integrated File System (IFS): Open system path followed by the archive
file name. The path and file name can up to 256
characters and may contain embedded spaces.
AUTHCHK
Authenticator Certificates:
File/Archive . . . . . . . *FILE *FILE, *ARCHIVE, *ALL
LookUp Type . . . . . . . . *DB *DB, *LDAP, *FILE, *MBRSET...
Authenticator . . . . . . . ______________________________
Password (If Private) . . . ______________________________
Required . . . . . . . . . . *RQD *RQD, *OPT
+ for more values _
Or
AUTHCHK((*FILE *MBRSET 'pkwareCertAdmin04.pfx' (password) *RQD))
AUTHCHK((*ALL *FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))
AUTHCHK((*ARCHIVE *FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))
AUTHCHK((*FILE *DB ‘EM=bill.somebody@pkware.com' () *OPT))
AUTHCHK((*FILE *INLIST 'ATEST/INLIST(ENGNEER1)' *N)
This parameter specifies that digital signature authentication processing should be
performed for specific signers. Separate authentication processing may be specified
for either the archive central directory or files by using multiple commands.
Optionally, specific signers may be specified to authenticate against. This parameter
is used in conjunction with the AUTHPOL parameters and its settings.
It is possible that more than one certificate may be returned for a single common
name or email search. As a result, each one will be added to the list of validating
sources.
When no specific certificates are requested, any signatories found in the archive are
validated in accordance with the systems or current AUTHPOL Filters policy settings.
There are five options for AUTHCHK.
Authenticator Type File/Archive
(*FILE |*ARCHIVE |*ALL)
This designates the type of authentication that is to be performed. Either ARCHIVE,
FILE or ALL may be specified on each item, but by using ALL or archive with the
*RQD option will result in error since the archive can only have one signatory. If the
lookup type is *INLIST, then this option will be ignored and will pickup from the
records in the inlist file.
• *FILE – The signed files will be authenticated with this authenticator.
• *ARCHIVE - The archive directory will be authenticated with this
authenticator.
• *ALL – Both the signed files and the archive directory will be authenticated
with this authenticator.
Lookup Type
(*DB |*FILE |*LDAP |*MBRSET |*INLIST)
The lookup type would be the type of authenticator search to be used for the
authenticator string to look up the public key.
157

• *DB - The authenticator string is defined to search using the certificate
locator database to access the digital certificate.
• *FILE - The authenticator string is defined to read a specific file in a specific
path in the IFS in order to access the digital certificate.
• *LDAP - The recipient string is defined to search using the LDAP server to
access the digital certificate.
• *MBRSET - The authenticator string is defined to read this specific file from
the enterprise public certificate store to access the digital certificate.
• *INLIST- The authenticator string defines a specific file that will contain one
to many AUTHCHK. The TYPLISTFL parameter must specify the file type for
the inlist.
Authenticator
(The authenticator string name)
The authenticator string format depends on what was specified for the lookup type.
• If lookup type is *DB, the authenticator string will either be an email address
or the common name of the certificate. This depends on the configuration
setting in PKCFGSEC parameter CERTDB. To override the default selection
mode, you can prefix the string with EM= for email, or CN= for the common
name.
For example:
AUTHCHK((*FILE *DB ‘bill.somebody@pkware.com' () *RQD)
(*ARCHIVE *DB ‘CN=bill somebody' () *RQD)
(FILE *DB ‘EM=bill.somebody@pkware.com' (password) *OPT))
• If lookup type is *FILE, the authenticator string is defined to read a specific
file in a specific path of the IFS. This file should be a public key X.509 file or
public key X.509 certificate with a private key file.
For example:
AUTHCHK((*ARCHIVE *FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' ()
*RQD))
The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path
'/pkzshare/CStores/public’.
• If type is *LDAP, the authenticator string will either be an email address or
the common name of the certificate depending on the search mode
configuration setting in PKCFGSEC parameter LDAP. To override the default
selection mode, you can prefix the string with EM= for email address, or CN=
for the common name.
For example:
AUTHCHK ((*ARCHIVE *LDAP ‘bill.somebody@pkware.com' () *RQD)
(*FILE *LDAP ‘CN=bill somebody' () *OPT)
(*FILE *LDAP ‘EM=bill.somebody@pkware.com' () *RQD))
• If lookup type is *MBRSET, the authenticator string is defined to read a
specific file from the public certificate store and/or the private certificate store
of the IFS. This file should be a public key X.509 file or public key X.509
certificate with a private key file.
158

For example:
AUTHCHK((*ALL *MBRSET 'pkwareCertAdmin04.cer' () *RQD))
The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path of
the public certificate store defined in the enterprise security configuration
public store (parameter CSPUB). If a password is included, the file is searched
for in the enterprise security configuration private store (parameter CSPRIV).
• If lookup type is *INLIST, the authenticator string defines a full file name of
an input list file that contains records of AUTHCHK shortcut parameters. The
type of file will exist in the QSYS library file system if TYPLISTFL(*DB) is set
and will be a path file name in the IFS if TYPLISTFL(*IFS) is set. The format
of the AUTHCHK shortcut parameters are defined below in the *INLIST usage
section.
Password
This designates the password that is required for a private key certificate with a
private key (PKCS#12 file). When a value is specified, the target must be an X.509
PKCS#12 public key certificate with the private key.
The PASSWORD value may contain blanks and is delimited by the closing right
parenthesis ")" of the signing command.
Required
(*RQD|*OPT|*SAME)
If *RQD, then this authenticator must be found during the selection, and the
certificate must be a valid certificate with a private key, or the ZIP/UNZIP run will
fail.
Usage Notes:
Passwords are masked out in all output displays.
A local certificate store configuration is required to complete the TRUST processing of
this command.
Processing is terminated if none of the requested certificates can be accessed,
regardless of the “R” required flag. If multiple requests are made and at least one
signature is found, processing continues normally.
For inlist that contains a password to open a private certificate, make sure that the
security is sufficient to only allow the owner of the certificate to have read access.
Otherwise this would leave a security hole where other users could browse the
password.
*INLIST Usage:
If *INLIST is defined on the AUTHCHK parameter, then the authenticator filed will be
a file that SecureZIP will read to include the authenticator. The format is very similar
to the AUTHCHK parameter described above except that each line authenticator
starts with “{AUTHCHK=” and is terminated by the “}” character, with the semicolon
“;” as a separator for each entry.
{AUTHCHK=Authenticator Type, Lookup Type; Authenticator; Password; Required}
159

Authenticator Type
Lookup Type
Authenticator
Password
Required
Examples:
See Authenticator Type in AUTHCHK
See Lookup Type in AUTHCHK excluding the INLIST
See Authenticator in AUTHCHK.
See Password in AUTHCHK.
See Required in AUTHCHK, but use RDQ for *RQD and OPT for
*OPT.
Sample 1: tstauth_db1.inlist.
{AUTHCHK=FILE;DB;EM=PKTESTDB4@nowhere.com;;RQD}
Sample 2: tstauth_mb2.inlist.
{AUTHCHK=ARCHIVE;MBRSET;pktestdb3.pfx;PKWARE;RQD}
Sample 3: tstauth_mb3.inlist.
{AUTHCHK=ALL;MBRSET;pktestdb3.pfx;PKWARE;RQD}
AUTHPOL
Authenticate Filters:
Validate Level . . . . . *SYSTEM *VALIDATE, *WARN, *NONE...
Validate Type . . . . . *ARCHIVE *ARCHIVE, *NONE
Filters . . . . . . . . . *SYSTEM *SYSTEM, *ALL, *NONE...
+ for more values
Or
AUTHPOL(*WARN *ARCHIVE (*SYSTEM) )
AUTHPOL(*WARN *FILE (*NOTTRUSTED) )
AUTHPOL(*SYSTEM *ALL (*ALL *NOTEXPIRED) )
This parameter defines the processing options and filters that should apply if a
signed file or signed archive is encountered.
Validate Level (*VALIDATE |*WARN |*SYSTEM)
The validate level specifies the type of authentication processing that should take
place if a file or archive is encountered. The default is *SYSTEM and, unless it is
modified, SecureZIP will use the enterprise setting from PKCFSEC.
• *VALIDATE – Indicates that when authentication takes place and a failure
occurs based on the filters, the run will be considered a failure and the
message issued at the end will indicate one or more errors during the run.
• *WARN - Indicates that when authentication place and a failure occurs, the
failure is only considered a warning. The messages at the end of the run will
not consider any failed authentications as errors.
160

• *SYSTEM – Indicates the authentication processing that is set in the
environmental setting will be used.
Validate Type (*ALL |*ARCHIVE |*FILE |*NONE)
The validate type specifies whether the file, archive, all or no authentication will take
place if a file or archive has been signed. The default is *NONE, and anything other
than *NONE requires the Enhanced Encryption module.
• *ALL - Indicates that authentication will take place for both files and/or the
archive has been signed.
• *ARCHIVE - Indicates that only a signed archive will be authenticated.
• *FILE - Indicates that only the signed files will authenticated.
• *NONE - Indicates no authentication will take place even though a file or
archive has been signed.
Filters (*SYSTEM |*ALL |*NONE |*TAMPER |*TRUSTED |*EXPIRED |*REVOKED
|*NOTAMPER |*NOTTRUSTED |*NOTEXPIRED |*NOTREVOKED )
The authentication filter policies settings are defined in the enterprise security file
supplied by the SecureZIP administrator (See PKCFGSEC). These global policy
settings can be revised with sub-parameter values. The variables are cumulative
from the global setting.
• *SYSTEM – All filter policies are from the global settings.
• *ALL - This sub-parameter activates all levels of authentication. If followed
by negating sub-levels, then all but those negating levels are activated. For
example: *ALL NOTEXPIRED means that expired certificates will not cause an
authentication error, but TRUST and TAMPERCHECK must both be satisfied.
• *NONE – Will negate all the policies.
• *TAMPER – This sub-parameter signifies that a verification of the data
stream should be done against the digital signature.
• *TRUSTED – This sub-parameter signifies that the entire certificate authority
chain must be validated. This includes locating the root (self-signed)
certificate on the local system.
• *EXPIRED – This sub-parameter signifies that certificate date range
validation should be performed on the certificates (including the certificate
authority chain). Although the term “expired” is used, a certificate that has
not yet reached its valid data range specification will fail.
• *REVOKED - A certificate owner may request that the issuing certificate
authority declare a certificate to be revoked and thereby no longer consider
that certificate to be valid. The authentication operation will fail if any of the
certificates in the trust chain are found to have been revoked, or if the
revocation status could not be determined
• *NOTAMPER – Negates the *TAMPER filter.
• *NOTTRUSTED – Negates the *TRUSTED filter.
• *NOTEXPIRED - Negates the *EXPIRED filter.
• *NOTREVOKED – Negates the *REVOKED filter.
161

CRTLIST
CRTLIST(*NONE| path/filename )
Specifies that PKUNZIP will create an output file with a list of entries that will be
compressed based upon the selection criteria in the FILES and EXCLUDE parameters.
This parameter only works with the TYPE set to *VIEW.
See parameter TYPLISTFL for file system type information.
*NONE
path/filename
No list file will be created.
Enter the file path and name of the file to create. The
layout depends on which file system you want to create
the file in.
Library File System:
The format is "library/file(member)".
Integrated File System (IFS):
The format is "path1/path2/../pathn/filename".
CVTDATA
CVTDATA(External Program Conversion Extended Data)
Specifies the extended data that is passed to the external program CVTNAME. When
CVTFLAG is not *NONE, the contents of the parameter are passed to provide
extended flexibility in controlling how the iSeries names are stored in the archive.
See Appendix D for more details on the external program.
External Program Conversion Extended Data
Specify up to 255 bytes of unedited data which is passed
to the exit program CVTNAME to assist in controlling the
program logic.
CVTFLAG
CVTFLAG(*NONE|Conversion Flags)
Specifies the flags passed to the external program CVTNAME. These are used to
control how the iSeries names are stored in the archive. See Appendix D for more
details on the external program.
The allowable values are:
*NONE
Conversion Flags
Conversion exit is not active.
Specify a 5-byte flag that is passed to the exit program
CVTNAME to control the program logic. If the name
passed back is blank, then conversion is referred back to
the setting of the CVTTYPE parameter.
162

CVTTYPE
CVTTYPE(*NONE|*DROP|*SUFFIX)
Specifies how the files names in the archive will be converted to a file name in the
iSeries library, file, and Member format. In the iSeries QSYS library system, the
length of each name in the QSYS format can only be up to 10 characters. In other
platforms, the file name formats (including MS/DOS) may have an extension with a
period (.) separator which is not valid in the iSeries DB name. The file names in
some cases may even exceed the 10-character limit. This parameter gives control
over the file name conversion process.
Note: The conversion of file names may result in duplicate file names on the iSeries
system. In this case, the rules for overwriting the files are in effect for duplicates
(see the OVERWRITE option). If this is the case, using specific file inclusion and
exclusion with multiple runs may be required to extract all of the files.
The allowable values are:
*SUFFIX
*NAMEFILE
*DROP
This forces the removal of the period(.) extension and
stores name truncating characters over 10 characters.
The extensions are considered to be file names or
treated as a slash (/).
Drops all characters after the period(.) extension
separator, and stores the name truncating characters
over 10.
DFTDBRECLN
DFTDBRECLN (132|Record Length)
Specifies the record length to use when creating a file in the QSYS library system. If
TYPFL2ZP parameter is *DB, and the file being extracted does not exist nor does
extended attribute for the record length exist, the file will be created with the record
length specified in this parameter.
The allowable values are:
132 Default is record length of 132 to match previous
versions.
Record Length A decimal number from 50 to 32000.
DROPPATH
DROPPATH(*NONE|{*ALL| *LIB)
Used to drop the path(s) or libraries of files that are stored in the archives, therefore
only using the file names in the archive. This is used along with the keyword EXDIR
where the default paths are defined when dropping the paths on files in the archive.
For example, if the file in the archive is “path1/path2/filename” (IFS) or
“library/file/member” (QSYS), and if DROPPATH is *ALL, the file being extracted
163

would be “filename” or “member”. If *LIB was used, the file being extracted would
be path1/filename” or “file/member”.
See “Example 1 - PKUNZIP Files to a New or Different Library” in Appendix B for an
example of using EXDIR and DROPPATH together.
The allowable values are:
*NONE
*ALL
*LIB
Do not remove paths and/or libraries in the archive.
Remove all paths that are stored in the archive, leaving
only an IFS file name or member name.
Remove only the first path (which in most cases could
be the library).
ENTPREC
Encryption Recipients :
LookUp Type . . . . . . . . *DB *DB, *LDAP, *FILE...
Recipient . . . . . . . . . ______________________________________
Password (If Private) . . . ______________________________________
Required . . . . . . . . . . *RQD *RQD, *OPT
+ for more values _
Or
ENTPREC((*MBRSET 'pkwareCertAdmin04.cer' () *RQD))
ENTPREC((*FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))
ENTPREC((*FILE '/pkzshare/CStores/public/pkwareCertAdmin04.pfx'
(‘mypassword’) *RQD))
ENTPREC((*DB ‘EM=bill.Somebody@pkware.com' () *RQD))
ENTPREC((*LDAP ‘EM=bill.Somebody@pkware.com' () *RQD))
ENTPREC((*INLIST 'ATEST/INLIST(ENGNEER1)' *N)
The encryption/decryption recipient parameter defines one to many recipients which
is to be included for the ZIP and UNZIP process. This parameter allows 1-4 types of
certificate searches to take place along with providing the ability for an include file
that may contain the recipients.
The specification of this recipient ENTPREC parameter, triggers encryption to take
place during ZIP processing utilizing the found recipients along with any password
that may be entered.
There are four options.
Lookup Type
(*NONE |*DB |*LDAP |*FILE |*MBRSET |*SAME)
The Lookup type would be the type of recipient search that will be used for the
recipient string.
• *DB - The Recipient string is defined to search using the Certificate Locator
Database to access the digital certificate.
• *LDAP - The recipient string is defined to search using the LDAP server to
access the digital certificate.
164

• *FILE - The recipient string is defined to read a specific file in a specific path
in the IFS in order to access the digital certificate.
• *MBRSET - The recipient string is defined to read this specific file from the
enterprise public certificate store to access the digital certificate.
• *INLIST- The recipient string defines a specific file that will contain one to
many recipients.
Recipient
(The recipient string name)
The recipient string format depends on what was specified for the Lookup type.
• If type is *DB - The recipient string will either be an email address or the
common name of the certificate. This depends on the configuration setting in
PKCFGSEC parameter CERTDB. To override the default selection mode, you
can prefix the string with EM= for email or CN= for the common name.
For example:
ENTPREC((*DB ‘bill.Somebody@pkware.com' () *RQD)
(*DB ‘CN=bill Somebody' () *RQD)
(*DB ‘EM=bill.Somebody@pkware.com' () *RQD))
• If type is *LDAP - The recipient string will either be an email address or the
common name of the certificate depending on the search mode configuration
setting in PKCFGSEC parameter LDAP. To override the default selection mode,
you can prefix the string with EM= for email or CN= for the common name.
For example:
ENTPREC((*LDAP ‘bill.Somebody@pkware.com' () *RQD)
(*LDAP ‘CN=bill Somebody' () *OPT)
(*LDAP ‘EM=bill.Somebody@pkware.com' () *RQD))
• If type is *FILE - The recipient string is defined to read a specific file in a
specific path of the IFS. This file should be Public-key X.509 file or private-key
X.509 certificate file.
For example:
ENTPREC((*FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))
The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path
'/pkzshare/CStores/public’.
• If type is *MBRSET - The recipient string is defined to read a specific file from
public certificate store / private certificate store of the IFS. This file should be
public-key X.509 file or private-key X.509 certificate file.
For example:
ENTPREC((*MBRSET 'pkwareCertAdmin04.cer' () *RQD))
The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path of
the public certificate store defined in the enterprise security configuration
public store(parameter CSPUB). If a password was included, the file would be
searched for in the enterprise security configuration private store (parameter
CSPRIV).
• If type is *INLIST- The recipient string defines a full file name of an input list
file that contains records of ENTPREC shortcut parameters. The type of file
165

will in the QSYS library file system if TYPLISTFL(*DB) is set and will be a path
file name in the IFS if TYPLISTFL(*IFS) is set. The format of the ENTPREC
shortcut parameters are define below in the *INLIST Usage section.
Password (Private Cert Password)
The password is only required if the certificate that is being selected is a private
certificate. This option should be omitted if a public certificate will be utilized.
Required
(*RQD|*OPT|*SAME)
If *RQD, then this recipient MUST be found during the selection and the certificate
MUST be valid or the ZIP/UNZIP run will fail.
Usage Notes:
The ZIP process only requires a X.509 public-key format certificate to encrypt files.
The UNZIP process requires X.509 private-key format certificate file to decrypt files
and this will the input of a password.
For inlist that contains a password to open a private certificate, make sure that the
security is sufficient to only allow the owner of the certificate to have read access.
Otherwise this would leave a security hole where other users could browse the
password.
*INLIST Usage:
If *INLIST is defined on the ENTPREC parameter, then the recipient filed will be a file
that SecureZIP will read to include recipient. The format is very similar to the
ENTPREC parameter describe above except each line recipient starts with
“{RECIPIENT=” and is terminated by the “}” character with the semi-colon “;” as a
separator for each entry.
Examples:
{RECIPIENT=Lookup Type; Recipient; Password; Required}
Lookup Type
Recipient
Password
Required
{RECIPIENT=MBRSE;EM; mypassword;RQD}
See Lookup Type in ENTREC excluding the INLIST
See Recipient in ENTREC.
See Password in ENTREC.
See Required in ENTREC, but use RDQ for *RQD and
OPT for *OPT.
Sample 1: tstpriv_db4.inlist.
{RECIPIENT=DB;EM=PKTESTDB4@nowhere.com;PKWARE;RQD}
Sample 2: tstpriv_mb3.inlist.
{RECIPIENT=MBRSET;pktestdb3.pfx;PKWARE;RQD}
166

Sample 3: tstpubl.inlist.
{RECIPIENT=MBRSET;pktestdb3.crt;;RQD}
{RECIPIENT=MBRSET;pktestdb4.crt;;OPT}
Sample 4: tstpubl2.inlist.
{RECIPIENT=DB;EM=PKTESTDB3@nowhere.com;;RQD}
{RECIPIENT=DB;CN=PKWARE Test4;;OPT}
EXCLFILE
EXCLFILE(*NONE| path/filename)
This parameter specifies the file containing the list of files to be excluded. This can
be used with or without the EXCLUDE parameter. See parameter TYPLISTFL for file
system type information.
*NONE
path/filename
No list file will be processed.
Enter the file path and the name of the file to process.
The layout depends on which file system you want the
file created.
Library File System:
The format is "library/file(member)".
Integrated File System (IFS):
The format is "path1/path2/../pathn/filename".
EXCLUDE
EXCLUDE(file_specification1, file_specification2,... file_specification n )
Specifies the files and file specification patterns that will be excluded from the
PKUNZIP run. One or more names can be specified. Each name should be in the
OS/400 file system format, such as, QSYS is library/file(member) and IFS is
directory/file, and can include wildcards “*” and “?”.
Note: If TYPE(*VIEW) is being used, then the format for these names is the
MS/DOS format.
The PKUNZIP program can also exclude file specifications by using the list file
parameter EXCLFILE with a list of names to exclude.
Please refer to Chapter 5 for details of file specification formatting.
The valid parameter values for the FILES keyword are as follows:
'file_specification 1'
'file_specification 2'...
'file_specification n'
167

EXDIR
EXDIR(*CURRENT| path)
If there are no paths stored in the archive file name, EXDIR specifies the default path
to store the files being extracted. The path definition depends on the “file system
type” in parameter TYPFL2ZP. This will happen when the files come from a PC or if
the files were compressed with SecureZIP for iSeries using the STOREPATH(*NO)
parameter.
If the “file system type” is IFS, EXDIR will be the paths defined for your iSeries open
systems and the default path will be the current directory settings (issue the
command DSPCURDIR to see the current directory settings).
If the “file system type” is the library file system, the path will be either a library or a
library/filename. The default is *CURLIB/UNZIPPED and if the file UNZIPPED does not
exist, then it is created with a record length of 132. It is best to create a default file
with the record length of your choice, because if a text file is extracted with a record
length greater than the file’s record length, the record will be truncated to fit the
record length.
If EXDIR is coded with keyword MBR and the file system is the QSYS library system,
PKUNZIP will use the member name for the file name. For example:
EXDIR('newlib/MBR') and DROPPATH(*ALL) parameters are coded and the file name
in archive is "mylib/myfile/mymbr", the file will be extract to the file
"newlib/mymbr(mymbr)". This is only valid for TYPFL2ZP(*DB) files.
EXDIR is also used when the archive file is a GZIP archive and there is no file name
stored in the archive. In this case, EXDIR becomes a required field.
*CURRENT
path
Current directory for IFS or *CURLIB/UNZIPPED for the
QSYS library file system.
Enter the path or path/path/.. in which to extract. The
layout depends on the file system in which the file is to
be created.
Library File System:
The format is "library/file".
Integrated File System (IFS):
The format is "path1/path2/../pathn".
FILES
FILES(file_specification1, file_specification2,... file_specification n)
Specifies the files and file specification patterns that will be selected in the PKUNZIP
process. One or more names can be specified. Each name should be in the OS/400
file system format, such as, QSYS is library/file(member), and IFS is directory/file,
and can include wildcard “*” and “?”.
Note: If TYPE(*VIEW) is being used then the format for these names is the
MS/DOS format.
The PKUNZIP program can also have file specification selections to include by using
the list file parameter INCLFILE with a list of names to select.
168

Files may also be excluded. See the EXCLUDE parameter.
Please refer to Chapter 5 for details of file specification formatting.
The valid parameter values for the FILES keyword are as follows:
'file_specification 1'
'file_specification 2'
'file_specification n'
FILETYPE
FILETYPE(*TEXT|*BINARY|*EBCDIC|*DETECT)
Specifies whether the files selected are treated as text or binary data. For text files
added to an archive, trailing spaces in each line are removed, the text is converted
to ASCII (based on the translation tables) by default, and a carriage return and line
feed (CR/LF) are added to each line before the data is compressed into the archive.
Binary files are not converted at all.
There are attributes which indicate how a file was compressed (TEXT, BINARY, or a
SAVF) in the archive headers. The default setting (and recommended) is *DETECT,
which analyzes the header to determine the file type. To view the attribute settings
of a file, use the VIEWOPT( *DETECT).
If the file is a SAVF, then it will be processed as BINARY, regardless of any option
that you select.
*DETECT
*TEXT
*BINARY
*EBCDIC
Uses the attribute setting that is stored in the archive to
determine the file type.
Specifies that the files selected are text files and
translation will be performed using the translate tables
specified in the TRAN option.
Specifies that the files selected are binary files and no
translation should be performed.
Specifies that the files selected are text files and leaves
it in EBCDIC without performing any translation. This is
good only if the files are to be used on an iSeries or
IBM-type mainframe. If they are unzipped to a PC file,
then a translation from EBCDIC to ASCII is required.
FTRAN
FTRAN(*INTERNAL| Member Name )
Specifies the translation table for use with translating "file names, comments, and
password" from the iSeries EBCDIC character set to the character set used in the
archive file (normally ASCII character set). A default internal table is predefined. See
Appendix F - Translation Tables for additional information.
169

*INTERNAL
membername
Use the predefined internal table for translation. Using
this is initially faster because PKUNZIP does not have to
parse the override table.
Specify the member name in the file PKZTABLES that
will be parsed and used to translate "File names and
comments" files to the archive character set. The
member should have the exact format of member
UKASCII in file PKZTABLES. See Appendix F for
information on defining translation tables.
IFSCDEPAGE
IFSCDEPAGE(*NO | Code-Page)
If this option is set to *NO, PKUNZIP will write IFS files with the code page that is
registered for the file, or will use the default job code page if no code page is set in
the file attributes. Otherwise, PKUNZIP will write IFS files with the specified code
page.
Note: If files are to be extracted to a case sensitive file system, the case sensitive
format of file names must be used before they can be selected.
The allowable values are:
*NO
Code-Page
The PKUNZIP program will read IFS files with the code
page registered for the file. This is the default.
The PKUNZIP program will write the IFS files with the
specified code page value.
INCLFILE
INCLFILE(*NONE| path/filename)
This parameter specifies the file containing the list of files to be selected for
including. This can be used with or without the FILES parameter. See parameter
TYPLISTFL for file system type information.
*NONE
No include list file will be processed. This is the default.
path/filename Enter the file path and name of the file to process. The
layout depends on which file system you want the file
created.
Library File System:
The format is "library/file(member)".
Integrated File System (IFS):
The format is "path1/path2/../pathn/filename".
170

MSGTYPE
MSGTYPE(*PRINT|*SEND|*BOTH)
Specifies where the display of messages and information should be shown. The
PKUNZIP program can send messages which appear on the log, and also may print
to stdout and stderr. If working interactively, stdout and stderr will display upon the
dynamic screen. If submitted via batch, you can override them to print in an OUTQ,
or you can build a CL and save them to an outfile.
*SEND
*PRINT
*BOTH
Send the information to the log with send message
commands.
Send the information to stdout and stderr.
Send the information to the log with send message
commands and also to stdout and stderr.
OVERWRITE
OVERWRITE(*NO|*YES|*PROMPT}
Controls how PKUNZIP reacts to files that are being extracted and the file already
exists. To help prevent accidental overwriting of files, the default is *PROMPT.
The allowable values are:
*YES
*NO
*PROMPT
Always overwrite files. If the file exists, the file will be
overwritten with no message or prompting.
Never overwrite files. If the file already exists then the
archive file will be skipped and not extracted. This is the
default.
When a file being extracted already exists, PKUNZIP will
issue the warning message AQZ0262 and prompt the
user for the required action.
PASSWORD
PASSWORD(Archive Password)
Specifies a password to be used for files that were added to the archive with a
password. This password may be up to 64 characters in length and is case-sensitive.
All files selected for archiving will be checked for encryption using the specified
password. Files in the archive may have different passwords. If so, PKUNZIP must be
run once for each password.
Since the password in entered in EBCDIC, the translation table referenced in the
FTRAN parameter is used to translate it to ASCII. Care should be take when using
the FTRAN override when using a password. To use password-protected files, the
same FTRAN override option is required.
171

SFQUEUE
SFQUEUE (*DFT |Name)
Specifies the output queue that will be used as an override when extracting spool
files. If no OUTQ library is specified, it will default to *LIBL.
The allowable values are:
*DFT
OUTQ
OUTQ Library
The output queue that are in the spool file attributes will
be used when extracting files.
The specific OUTQ that will used when the spool file is
extracted. It must be a valid output queue.
The library where the OUTQ resides.
SPLUSRID
SPLUSRID (*DFT| User ID)
The user ID to use when extracting a spool file. If *DFT is used the user ID belonging
to the spool file will be used when building the spool file.
The allowable values are:
*DFT
User ID
Use user ID associated with spool file in the archive.
Specify a valid user ID that the new extracted spool file
will belong to. It must be a valid user ID on the
OS/400.
Note on extracting Spool Files: To create or extract a spool file with PKUNZIP,
the user must have *USE authority to the API QSPCRTSP. The normal setting for the
API QSPCRTSP is authority PUBLIC(*EXCLUDE). The API authority is set this way so
that system administrators can control the use of this API. This API has security
implications because you can create a spooled file from the data of another spooled
file. To allow user to extract spool files change the API authority on a need basis.
TRAN
TRAN(*INTERNAL| Member Name)
Specifies the translation table for use with translating data from the iSeries EBCDIC
character set to the character set used in the archive file (normally the ASCII
character set). A default internal table is predefined (see Appendix F).
*INTERNAL
Member Name
Use the predefined internal table for translation. Using
this is initially faster because PKUNZIP does not have to
parse the override table.
Specifies the member name in the file PKZTABLES that
will be parsed and used to translate data files to the
archive character set. The member should have the
172

exact format of member UKASCII in file PKZTABLES (see
Appendix F for information on defining translation
tables).
TYPARCHFL
TYPARCHFL(*DB|*IFS)
Specifies the type of file system in which the archive file will exist (see parameters
ARCHIVE and TMPPATH for additional information).
*DB
*IFS
Archive files are to be in the QSYS library file system.
Archive files are to be in the integrated files system
(IFS).
TYPFL2ZP
TYPFL2ZP(*DB|*IFS)
Specifies the type of file system that contains the files to be unzipped. Reflected for
files in parameters FILES and EXCLUDE.
*DB
*IFS
Files to be unzipped are in the QSYS library file system.
Files to be unzipped are in the IFS (integrated files
system).
TYPLISTFL
TYPLISTFL(*DB|*IFS)
Specifies the “type of files system” that will be used for the input list file and/or the
output list file of selected items.
To use input list files, see parameters INCLFILE (file section list) or EXCLFILE (file
exclude list). To create an output list file of the selected files items, see parameter
CRTLIST.
*DB
*IFS
Files are in the QSYS library file system.
Files are in the IFS(integrated file system).
VERBOSE
VERBOSE(*NORMAL|*NONE| *ALL|*MAX )
Specifies how the detail will be displayed during a PKUNZIP run.
The allowable values are:
*NORMAL
Displays most informative messages to show PKUNZIP is
processing.
173

*NONE
*ALL
*MAX
Displays only major exception information.
Displays all messages.
Used only for debugging purposes.
VIEWOPT
VIEWOPT(*NORMAL|*DETAIL|*BRIEF|*COMMENT|*FNE|*FNEALL)
Specifies the level of information produced when viewing the archive.
The allowable values are:
*NORMAL
*DETAIL
*BRIEF
*COMMENT
*FNE
*FNEALL
Shows the original file length, compression method,
compressed size, compression ratio, file date and time,
32-bit CRC value, and file name for each file in the
archive.
Shows very detailed technical information about each
file in the archive. It will also show all extended
attribute (extra data fields) information that was stored
in the archive produced by PKZIP (only if the PKZIP
keywords EXTRAFLD(*YES) or DBSERVICE(*YES) were
specified).
Shows the original file length, file date and time, and file
name for each file in the archive.
Same as the *NORMAL option, but also shows any file
comments stored on a separate line after its details.
Shows the archive’s file name encryption properties.
Shows the archive’s file name encryption detail
properties including the allowable recipients.
VIEWSORT
VIEWSORT(*ASIS|*DATE|*DATER|*NAME|*NAMER|*PERCENT|*PERCENTR| *SIZE|*SIZER))
Specifies the sequence of the viewing display.
The allowable values are:
*ASIS
*DATE
*DATER
*NAME
List the files in the sequence in which they are stored in
the archive, such as, as is.
List the files in ascending order of the file’s date & time
as stored in the archive.
List the files in descending order of the file’s date & time
as stored in the archive.
List the files in ascending order of the file name as
stored in the archive.
174

*NAMER
*PERCENT
*PERCENTR
*SIZE
*SIZER
List the files in descending order of the file name as
stored in the archive.
List the files in ascending order of the compression
percentage as stored in the archive.
List the files in descending order of the compression
percentage as stored in the archive.
List the files in ascending order of the uncompressed file
size as stored in the archive.
List the files in descending order of the uncompressed
file size as stored in the archive.
175

13 PKCFGSEC “Configure Security
Parameters” Command
PKCFGSEC Command Summary with Parameter Keyword
Format
The PKCFGSEC command updates and views the SecureZIP security configuration
file. This configuration file is where the enterprise security options and defaults
reside.
Keywords are demarcated by spaces. In many case there are multiple entries for a
parameter where each entry is again demarcated by spaces. For more information
about the command process, reference the IBM home page for your version of the
operating system.
Usage Notes
It is recommended that you define your standard enterprise options in a CL using the
PKCFGSEC command. Then as changes occur or new versions are upgraded the CL
can be run to reset the parameters. This will also help if you need to temporarily
change one or more settings, as the CL can provide a quick means to reset the
configuration back to the enterprise setting.
TYPE ( ({*INSTALL} )
{IVIEW }
SECTYPE ( ZIP Secure Settings: )
SecureZIP Active {*SAME|*NO|*YES}
AES 3DES Keys {*SAME|*NO|*YES }
Password {*SAME|*NO|*RQD}
Recipient Secure {*SAME|*NO|*RQD }
File Signing 1 {*SAME|*NO }
Archive Signing1 1 {*SAME|*NO}
File Authentication 1 {*SAME|*NO }
Archive Authentication 1 {*SAME|*NO}
File Name Encrypton {*SAME|*NO|*RQD| *OPT}
ADVCRYPT ( Freeze Method )
{*SAME }
{*NONE }
{AES}
{AES128}
1 Not Active. Future Releases
176

{AES192}
{AES256}
{3DES }
{DES }
{RC4_128}
{ADVANCE}
Mode {*SAME }
{BSAFE }
{PKWARE}
Hash {*SAME }
{*SHA1 }
PASSWORD ( Min Length {1-200} )
Min Length {1-200}
Hardening Options{0} 1
SIGNPOL ( Signing Settings: )
Signing Hash {*SAME }
{*SHA1}
{*MD5}
Validate Level {*SAME }
{*VALIDATE}
{*WARN }
{*VALIDATELOCK}
{*WARNLOCK}
Lockdown {*SAME }
{*NO}
{*YES}
Filters {*SAME }
{*ALL}
{*NONE}
{*TRUSTED}
{*EXPIRED}
{*REVOKED}
{*NOTTRUSTED}
{*NOTEXPIRED}
{*NOTREVOKED}
AUTHPOL ( Authenticate Filters: )
Validate Level {*SAME }
{*NONE }
{*VALIDATE}
{*WARN }
{*VALIDATELOCK}
{*WARNLOCK}
Lockdown {*SAME }
{*NO}
{*YES}
Filters {*SAME }
{*ALL}
{*NONE}
{*TAMPER}
{*TRUSTED}
{*EXPIRED}
{*REVOKED}
{*NOTAMPER}
{*NOTTRUSTED}
{*NOTEXPIRED}
{*NOTREVOKED}
ENCRYPOL ( Encryption Filters: )
Validate Level {*SAME }
{*VALIDATE}
{*WARN }
{*VALIDATELOCK}
{*WARNLOCK}
Lockdown {*SAME }
177

{*NO}
{*YES}
Filters {*SAME }
{*ALL}
{*NONE}
{*TRUSTED}
{*EXPIRED}
{*REVOKED}
{*NOTTRUSTED}
{*NOTEXPIRED}
{*NOTREVOKED}
DECRYPOL ( DecryptionFilters: ) 1
Validate Level {*SAME }
REVKEPOL ( Revocation Settings: )
CRL Type {*SAME }
{*NONE }
{*STATICCRL}
Revoke Level {*SAME } 1
{*NONE}
CERTSELT ( Certificate Validation Level: )
Cert. Best Fit {*SAME }
{*NONE }
{*LATESTVALID}
{*LASTVALID}
{*FIRSTVALID}
{*LATEST}
{*LAST }
{*FIRST }
Cert. Secure Type{*SAME } 1 {*NONE }
{*ENCRYPTION}
{*SIGNING}
CERTDB (Certificate DataBase Locator: )
Active? {*SAME }
{*YES }
{*NO }
Store Type {*SAME }
{*NONE }
{*LIB}
Sequence {*SAME }
{0-9 }
Library {*SAME }
{Library Name string }
Search Mode {*SAME }
{*EMAIL }
{*CN}
CSPUB ( Certificate PUBLIC Store: )
Store Type {*SAME }
{*NONE }
{*PATH}
Sequence {*SAME }
{0-9 }
Store Location {*SAME }
{Path Name string }
CSPRVT ( Certificate PRIVATE Store: )
Store Type {*SAME }
{*NONE }
{*PATH}
Sequence {*SAME }
178

{0-9 }
Store Location {*SAME }
{Path Name string }
CSCA ( Certificate CA Store: )
Store Type { *SAME }
{*NONE }
{*FILE}
Sequence { *SAME }
{0-9 }
Store Location { *SAME }
{Path/File Name string }
CSROOT ( Certificate ROOT Store: )
Store Type { *SAME }
{*NONE }
{*FILE}
Sequence { *SAME }
{0-9 }
Store Location { *SAME }
{Path/File Name string }
CSCRL ( Certificate CRL Store: )
Store Type { *SAME }
{*NONE }
{*FILE}
Sequence { *SAME }
{0-9 }
Store Location { *SAME }
{Path/File Name string }
CWRKPATH ( Certificate Work Path: )
Path Location { *SAME }
{*NONE }
{Path Name string }
ENTPREC ( Enterprise Encrypt Recipient: )
LookUp Type { *SAME }
{*NONE}
{*DB }
{*LDAP }
{*FILE }
{*MBRSET }
{*INLIST }
Recipient {Recipient Name string }
Required { *SAME }
{*RQD }
{*OPT }
LDAPACTV ( LDAP Definitions: )
Nbr Active LDAPs { *SAME }
{Number of Active LDAPs }
179

LDAP1 (Primary LDAP: )
1 Network Name { *SAME }
{Network IP address or server Name }
1 Port {1-9999 }
1 Sequence {0-9 }
1 TimeOut {0-9999 }
1 Access User {LDAP User for Access }
1 Access Password {User Password }
1 Search Mode {*EMAIL }
{*CN }
1 Start Node {Start Node Text String }
1 Test {N }
{Y }
PKCFGSEC Command Keyword Details
By using the *SAME as an option no changes will take place to the current security
configuration file.
TYPE
TYPE(*UPDATE|*VIEW)
The type processing parameter indicates whether the security configuration should
update the configuration file or view the current settings.
SECTYPE
ZIP Secure Settings:
SecureZIP Active . . . . . *YES
*NO, *YES, *SAME
AES 3DES Keys . . . . . . . *YES
*NO, *YES, *SAME
Password . . . . . . . . . *NO
*NO, *RQD, *SAME
Recipient Secure . . . . . *NO
*NO, *RQD, *SAME
File Signing . . . . . . . *NO
*NO, *SAME
Archive Signing . . . . . *NO *NO, *SAME
File Authentication . . . *NO *NO, *SAME
Archive Authentication . . *NO
*NO, *SAME
File Name Encryption . . . *OPT
*NO, *RQD, *OPT, *SAME
Or SECTYPE(*YES *YES *NO *NO *NO *NO *NO *OPT)
SECTYPE or PKZIP Secure Settings are the base security settings for ZIP and UNZIP
processing and currently consist of six options:
SecureZIP Active (*NO|*YES|*SAME)
By setting this option to *YES activates the security configuration file. This is
required to utilize the security features in SecureZIP. .
AES 3DES Keys (*NO|*YES|*SAME)
The purpose of this switch is to maintain compatibility with Windows (pre-XP)
systems where the private key certificate was not imported with "Mark the private
180

key as exportable". This has importance when sharing AES-encrypted files with
recipients. See the section on Windows compatibility for more information.
Password (*NO|*RQD|*SAME)
The Password option if coded *YES, will force the ZIP process to always require a
password when compressing a file.
Recipient Secure (*NO|*RQD|*SAME)
The Recipient Secure option if coded *YES, will force the ZIP process to always
require at least one valid recipient when compressing a file.
File Signing (*NO |*YES |*SAME)
Allows SecureZIP to digitally sign the files in the archive.
Archive Signing (*NO |*YES |*SAME)
Allows SecureZIP to Digitally sign the archive’s central directory.
File Authentication (*NO |*YES |*SAME)
Allows SecureZIP to authenticate the files in the archive that has been digitally
signed.
Archive Authentication (*NO |*YES |*SAME)
Allows SecureZIP to authenticate the archive’s directory that has been digitally
signed.
File Name Encryption (*NO |*RQD |*OPT |*SAME)
The file name encryption option allows the user to mask the names of files in the
archive for added security.
*NO – The ZIP process is not allowed to create filename-encrypted archives
(that is, FNE(*NO) is required).
*RQD – All ZIP runs must specify the FNE(*YES) to create filenameencrypted
archives.
*OPT – Creating filename-encrypted archives is optional for ZIP runs (that is,
FNE(*YES) is allowed in the ZIP jobs).
ADVCRYPT
Advance Encryption:
Freeze Method . . . . . . > AES128
Mode . . . . . . . . > BSAFE
*SAME, *NONE, AES, AES128...
PKWARE, BSAFE, *SAME
Or ADVCRYPT(AES128 BSAFE )
181

The Advanced encryption parameter controls the enterprise settings for encryption
when zipping or compressing files. There are the following option settings for
ADVCRYPT:
Method (AES|AES128|AES192|AES256|3DES|DES RC4_128| Advance|*SAME|*NONE)
The Method option if coded other than *NONE, will force the ZIP process to always
require the encryption algorithm selected. If AES is selected then all AES algorithms
are allowed. If Advance is selected then encryption is required with any algorithm
except ZIPSTD.
Mode (PKWARE|BSAFE |*SAME)
The advanced encryption mode selects which algorithm modes to use. PKWARE use
the SecureZIP/PKZIP exclusive implementation of the AES. BSAFE use the
SecureZIP/PKZIP implementation of the RSA Security, Inc. CERT-C for AES, 3DES,
DES and RC4 128 key.
Hash (*SHA1 |*SAME)
A hash calculation is involved as part of the key manipulation for the encryption
process. At this time only the SHA1 algorithm is supported.
Usage Notes
If the mode is MODE(PKWARE) and METHOD(*NONE) or ADVANCE, then if on the
ZIP process the 3DES, DES, or RC4 is selected for the algorithm, the BSAFE
implementation is used.
PASSWORD
Archive Password Specs:
Min Length . . . . . . . . > 1
1-200, *SAME
Max Length . . . . . . . . > 200
1-200, *SAME
Hardening Options . . . . . > 0 *SAME, 0, 1, 2
Or PASSWORD(1 200 0) or PASSWORD(1 200)
The Password parameter defines the enterprise settings when the ZIP process
provides a password. There are three options.
Min Length (1-200|*SAME)
The minimum length option is the enterprises required minimum length when a
password is provided in the ZIP process. The default is 1. The windows version
requires the minimum password length to be 8 or more.
Max Length (1-200|*SAME)
The maximum length option is the enterprises required maximum length when a
password is provided in the ZIP process. The default is 200.
182

Hardening Options (0,1,2|*SAME)
The password hardening option is reserved for future releases of SecureZIP.
SIGNPOL
Signing Settings:
Signing Hash . . . . . . . . *SAME *SAME, *SHA1, *MD5
Validate Level . . . . . *SAME
Lockdown Filters . . . . *SAME *NO, *YES, *SAME
Filters . . . . . . . . . *SAME *SAME, *ALL, *NONE...
+ for more values
Or
SIGNPOL (*SHA1 *WARN *NO (*ALL *NOTREVOKED) )
SIGNPOL (*SHA1 *VALIDATELOCK *YES (*ALL *REVOKED) )
When signing a file or archive, SIGNPOL will define the HASH ALGORITHM, the error
validation levels, and the CERTIFICATE filters for the signers certificates selected.
Signing Hash (*SHA1 | *MD5 |*SAME)
Specifies the hashing algorithm that is used to generate a digital signature. It applies
to the active Signing files and archives during a ZIP run.
Options:
*SHA1 The default algorithm generates a 20-byte hash value. This algorithm
is supported by all SecureZIP products.
The information below is from FIPS 180-1:
This Standard specifies a Secure Hash Algorithm, SHA-1, for computing a
condensed representation of a message or a data file. When a message of
any length < 2 64 bits is input, the SHA-1 produces a 160-bit output called a
message digest. The message digest can then be input to the Digital
Signature Algorithm (DSA) which generates or verifies the signature for the
message. Signing the message digest rather than the message often
improves the efficiency of the process because the message digest is usually
much smaller in size than the message. The same hash algorithm must be
used by the verifier of a digital signature as was used by the creator of the
digital signature.
The SHA-1 is called secure because it is computationally infeasible to find a
message which corresponds to a given message digest, or to find two
different messages which produce the same message digest. Any change to a
message in transit will, with very high probability, result in a different
message digest, and the signature will fail to verify.
*MD5
This algorithm generates a 16-byte hash value. It is
included for compatibility with older releases of PKZIP on
other platforms, which previously supported this
algorithm.
183

Processing Notes
The entire data stream (archive central directory or file data) is run through the hash
algorithm before compression or encryption. However, file text data is translated
before hashing so that the receiving system is able to hash the identical stream after
decryption/decompression.
During authentication operations, SecureZIP for iSeries will dynamically detect
which algorithms had been used for signing and perform the necessary processing to
validate the signature.
Validation Level (*VALIDATE | *WARN | *VALIDATELOCK | *WARNLOCK |*SAME)
The validation level defines the error level for failure, if an error occurs with the
selection of a certificate for signing fails the filters.
Options:
*VALIDATE
*WARN
*VALIDATELOCK
*WARNLOCK
If an error occurs then the ZIP job will issue that a
failure occurred and will not continue.
If an error occurs then the ZIP will continue and will not
issue that an error occurred at the end of the ZIP
process.
Same as *VALIDATE, but will also not allow a ZIP to run
with an option for SIGNPOL other than what is defined
for the enterprise system. A warning message will be
issued and the run will continue using the enterprise
settings.
Same as *WARN, but will also not allow a ZIP to run
with an option for SIGNPOL other than what is defined
for the enterprise system. A warning message will be
issued and the run will continue using the enterprise
settings.
Lockdown Filters (*NO | *YES | *SAME)
Provides the ability to lockdown the filters so they can not be changed at run time.
By specifying *YES, the enterprise settings will be in lockdown mode. If the SIGNPOL
in the PKZIP command is other than *SYSTEM, a warning message will be issued and
the enterprise settings will be used for the run.
Filters (*ALL | *NONE | * TRUSTED | *EXPIRED | *REVOKED | *NOTTRUSTED |
*NOTEXPIRED | *NOTREVOKED |*SAME)
The signing filter defines the level of processing that Signing Files and Signing
Archives certificate selection will perform during SECZIP execution.
Options:
*ALL
*NONE
*TRUSTED, *EXPIRED, and *REVOKED are used.
*NOTTRUSTED, *NOTEXPIRED, and *NOTREVOKED are
used
184

*TRUSTED
*EXPIRED
*REVOKED
*NOTTRUSTED
*NOTEXPIRED
*NOTREVOKED
Each end-certificate used in the signature must be
traced back to a trusted root certificate. The CSCA and
CSROOT stores on the local system performing the
authentication check will be accessed to determine if the
entire certificate chain can be trusted. Although the Root
(“self-signed”) certificate may be included within the
archive, it MUST also exist in the CSROOT store to
complete the TRUSTED state.
The digital certificates used for the signing operation
contains internal date ranges of validity. The certificate
selection operation will fail if any of the certificates in
the trust chain are not found to be within their stated
data range. Note that an end-certificate may have
expired at the time that the archive is being accessed,
and NOTEXPIRED may be used to continue processing.
A certificate owner may request that the issuing
certificate authority declare a certificate to be revoked
and thereby no longer consider that certificate to be
valid. The signing certificate selection operation will fail
if any of the certificates in the trust chain are found to
have been revoked or if the revocation status could not
be determined.
*TRUSTED is not validated for signing certificates.
*EXPIRED is not validated for signing certificates.
*REVOKED is not validated for signing certificates.
AUTHPOL
Authenticate Filters:
Validate Level . . . . . *SAME
Lockdown Filters . . . . *SAME *NO, *YES, *SAME
Filters . . . . . . . . . *SAME *SAME, *ALL, *NONE...
+ for more values
Or:
AUTHPOL (*SHA1 *WARN *NO (*ALL *NOTREVOKED) )
AUTHPOL (*SHA1 *VALIDATELOCK *YES (*ALL *REVOKED) )
AUTHPOL defines the level of processing that authentication process will perform.
AUTHPOL fully defines the signature authentication elements to be verified in both
PKZIP and PKUNZIP. If not locked down the default settings may be changed by the
SecureZIP run.
Validation Level (*VALIDATE | *WARN | *NONE | *VALIDATELOCK | *WARNLOCK
|*SAME)
The validation level defines the error level for failure, if an error occurs with the
selection of a certificate for authenticating fails the filters.
185

Options:
*VALIDATE
*WARN
*NONE
*VALIDATELOCK
*WARNLOCK
If an error occurs, then the ZIP job will issue that a
failure occurred and will not continue.
If an error occurs, then the ZIP will continue and will not
issue that an error occurred at the end of the ZIP
process.
If an error occurs then the ZIP will continue and will not
issue that an error occurred at the end of the ZIP
process.
Same as *VALIDATE, but will also not allow a ZIP to run
with an option for AUTHPOL other than what is defined
for the enterprise system. A warning message will be
issued and the run will continue using the enterprise
settings.
Same as *WARN, but will also not allow a ZIP to run
with an option for AUTHPOL other than what is defined
for the enterprise system. A warning message will be
issued and the run will continue using the enterprise
settings.
Lockdown Filters (*NO | *YES | *SAME)
Provides the ability to lockdown the filters so they can not be changed at run time.
By specifying *YES, the enterprise settings will be in lockdown mode. If the AUTHPOL
in the PKZIP command is other than *SYSTEM, a warning message will be issued and
the enterprise settings will be used for the run.
Filters (*ALL | *NONE | *TAMPER | *TRUSTED | *EXPIRED | *REVOKED | *NOTAMPER |
*NOTTRUSTED | *NOTEXPIRED | *NOTREVOKED |*SAME)
The authentication filter defines the level of processing that authenticating Files and
authenticating Archives certificate selection will perform during SECZIP execution.
Options:
*ALL
*NONE
*TAMPER
*TRUSTED
*TAMPER, *TRUSTED, *EXPIRED, and *REVOKED are
used.
*NOTAMPER, *NOTTRUSTED, *NOTEXPIRED, and
*NOTREVOKED are used.
The signature associated with the archive or file(s)
involved will be used to verify that the content has not
been altered since the archive was built.
Each end-certificate used in the signature must be
traced back to a trusted root certificate. The CSCA and
CSROOT stores on the local system performing the
authentication check will be accessed to determine if the
entire certificate chain can be trusted. Although the Root
(“self-signed”) certificate may be included within the
186

*EXPIRED
*REVOKED
*NOTAMPER
*NOTTRUSTED
*NOTEXPIRED
*NOTREVOKED
archive, it MUST also exist in the CSROOT store to
complete the TRUSTED state.
The digital certificates used for the signing operation
contains internal date ranges of validity. The certificate
selection operation will fail if any of the certificates in
the trust chain are not found to be within their stated
data range. Note that an end-certificate may have
expired at the time that the archive is being accessed,
and NOTEXPIRED may be used to continue processing.
A certificate owner may request that the issuing
certificate authority declare a certificate to be revoked
and thereby no longer consider that certificate to be
valid. The signing certificate selection operation will fail
if any of the certificates in the trust chain are found to
have been revoked or if the revocation status could not
be determined.
The signature associated with the archive or file(s)
involved will NOT verify.
*TRUSTED is not validated for signing certificates.
*EXPIRED is not validated for signing certificates.
*REVOKED is not validated for signing certificates.
ENCRYPOL
Encryption Filters:
Validate Level . . . . . *SAME
Lockdown Filters . . . . *SAME *NO, *YES, *SAME
Filters . . . . . . . . . *SAME *SAME, *ALL, *NONE...
+ for more values
Or:
ENCRYPOL (*WARN *NO (*ALL *NOTREVOKED) )
ENCRYPOL (*VALIDATELOCK *YES (*ALL *REVOKED) )
When encrypting a file with digital certificate, the certificates must meet a certain
standard. ENCRYPOL defines the error validation levels and the certificate filters for
the encrypting certificates selected.
Validation Level (*VALIDATE | *WARN | *VALIDATELOCK | *WARNLOCK |*SAME)
The validation level defines the error level for failure, if an error occurs with the
selection of a certificate for signing fails the filters.
Options:
*VALIDATE
*WARN
If an error occurs, then the ZIP job will issue that a
failure occurred and will not continue.
If an error occurs, then the ZIP will continue and will not
issue that an error occurred at the end of the ZIP
process.
187

*VALIDATELOCK
*WARNLOCK
Same as *VALIDATE, but will also not allow a ZIP to run
with an option for ENCRYPOL other than what is defined
for the enterprise system. A warning message will be
issued and the run will continue using the enterprise
settings.
Same as *WARN, but will also not allow a ZIP to run
with an option for ENCRYPOL other than what is defined
for the enterprise system. A warning message will be
issued and the run will continue using the enterprise
settings.
Lockdown Filters (*NO | *YES | *SAME)
Provides the ability to lockdown the filters so they can not be changed at run time.
By specifying *YES, the enterprise settings will be in lockdown mode. If the
ENCRYPOL in the PKZIP command is other than *SYSTEM, a warning message will be
issued and the enterprise settings will be used for the run.
Filters (*ALL | *NONE | * TRUSTED | *EXPIRED | *REVOKED | *NOTTRUSTED |
*NOTEXPIRED | *NOTREVOKED |*SAME)
The encryption filters defines the level of processing that encrypting certificate
selection will perform during SECZIP execution.
Options:
*ALL
*NONE
*TRUSTED
*EXPIRED
*REVOKED
*TRUSTED, *EXPIRED, and *REVOKED are used.
*NOTTRUSTED, *NOTEXPIRED, and *NOTREVOKED are
used
Each end-certificate used in the signature must be
traced back to a trusted root certificate. The CSCA and
CSROOT stores on the local system performing the
authentication check will be accessed to determine if the
entire certificate chain can be trusted. Although the Root
(“self-signed”) certificate may be included within the
archive, it MUST also exist in the CSROOT store to
complete the TRUSTED state.
The digital certificates used for the signing operation
contains internal date ranges of validity. The certificate
selection operation will fail if any of the certificates in
the trust chain are not found to be within their stated
data range. Note that an end-certificate may have
expired at the time that the archive is being accessed,
and NOTEXPIRED may be used to continue processing.
A certificate owner may request that the issuing
certificate authority declare a certificate to be revoked
and thereby no longer consider that certificate to be
valid. The signing certificate selection operation will fail
if any of the certificates in the trust chain are found to
have been revoked or if the revocation status could not
be determined.
188

*NOTTRUSTED
*NOTEXPIRED
*NOTREVOKED
*TRUSTED is not validated for encrypting certificates.
*EXPIRED is not validated for encrypting certificates.
*REVOKED is not validated for encrypting certificates.
REVKEPOL
Revocation Settings:
CRL Type . . . . . *SAME *STATICCRL, *NONE, *SAME
Revoke Level . . . . . . *SAME *SAME, *NONE
Or:
REVKEPOL (*SHA1 *WARN *NO (*ALL *NOTREVOKED) )
REVKEPOL (*SHA1 *VALIDATELOCK *YES (*ALL *REVOKED) )
REVKEPOL defines the type and level of CRL processing, if any, that will take place.
Currently only a static CRL is available.
CRL Type (*STATICCRL | *NONE |*SAME)
Defines type CRL processing that will take place with certificate analysis.
Options:
*STATICCRL
*NONE
Specifies CRL processing only on a static store that is
updated with the PKSTORADM command. The timeliness
of updates depends on the customer’s policies and the
updating of the CRL store. This option requires that the
CRL must be defined.
No CRL processing check will take place. With the option
*NONE , no certificates will ever have the revoke status.
Revoke Level (*NONE | *SAME)
Currently not used. Reserved for future use.
*NONE
To be defined.
CERTSELT
Certificate Validation Level:
Cert. Best Fit . . . . . . . > *NONE
Cert. Secure Type . . . . . > *NONE
*NONE, *LATESTVALID...
*NONE, *ENCRYPTION...
Or CERTSELT(*NONE *NONE )
The certificate validation level defines how SecureZIP will select a digital certificate
when there is more than one certificate available from an LDAP or database
selection. There are two options.
189

Cert. Best Fit
(*NONE|*LATESTVALID|*LASTVALID|*FIRSTVALID|*FIRST|*LAST|*LATEST|*SAME)
This command assists in restricting the number or type of certificates being used to
represent a user or organization for each encrypted file.
When using LDAP or the database to locate public-key certificates for recipients, it is
possible to locate more than one certificate for a target recipient. For example, if a
user obtains a new certificate each year, then multiple certificates may represent
that user within the LDAP. It may also be possible for a user to have certificates from
multiple certificate authorities (e.g. Verisign, Thawte), or multiple certificates for
different purposes (encryption vs. signing).
In any of the above conditions, a ZIP process may result in multiple recipient
certificates being processed for the same target recipient (person or organization).
Some organizations may desire to restrict the type or quantity of certificates being
used for encryption. This can save processing resources and ZIP archive space.
Options:
*NONE
*FIRST
*LAST
*LATEST
*FIRSTVALID
No matching will be performed. Every certificate located
in an LDAP server or database matching the search
criteria will be added as a viable recipient.
For each LDAP or database entry matching the search
criteria, only the first certificate stored in that entry will
be included, regardless of use type designated in the
certificate or its valid date period. This use case
depends on the certificate loading order used in the
LDAP or database.
For each LDAP or database entry matching the search
criteria, only the last certificate stored in that entry will
be included, regardless of use type designated in the
certificate or its valid date period. This use case depends
on the certificate loading order used in the LDAP or
Database.
For each LDAP or database entry matching the search
criteria, the most recent certificate stored in that entry
will be included, regardless of use type designated in the
certificate. Note that if multiple certificates are found
within an LDAP entry, certificates with their validity
period not yet starting will be excluded unless they are
the only certificates within the entry. In that case, the
first certificate found will be selected.
For each LDAP or database entry matching the search
criteria, the first certificate found with a use type set for
encryption stored in that entry will be included,
regardless of its valid date period. This use case
depends on the certificate loading order used in the
LDAP. If no entries are found with the use type set to
encryption, then the first certificate found in the LDAP or
database entry will be selected.
190

*LASTVALID
*LATESTVALID
For each LDAP or database entry matching the search
criteria, the last certificate found with a use type set for
encryption stored in that entry will be included,
regardless of its valid date period. This use case
depends on the certificate loading order used in the
LDAP. If no entries are found with the use type set to
encryption, then the first certificate found in the LDAP or
database entry will be selected.
For each LDAP entry matching the search criteria, the
most recent certificate found with a use type set for
encryption also having the “best” date range for its
validity period. This use case depends on the certificate
loading order used in the LDAP. If no entries are found
with the use type set to encryption, then the most
recent certificate found in the LDAP entry will be
selected. Note that if multiple certificates are found
within an LDAP entry, certificates with their validity
period not yet starting will be excluded unless they are
the only certificates within the entry. In that case, the
first certificate found will be selected.
Note: Regardless of the option selected, at least one certificate will be selected from
an LDAP or database entry. Each certificate selected must be in valid X.509 publickey
format.
Cert. Secure Type (*NONE| *ENCRYPTION| *SIGNING| |*SAME)
The certificate secure type forces the strict enforcement of digital certificate based
upon on their purpose. An example would be if a certificate was for signing only and
did not allow encryption then by specifying *ENCRYPTION, the certificate would not
be valid.
CERTDB
Certificate DataBase Locator:
Active? . . . . . . . . . . > *YES
*NO, *YES, *SAME
Store Type . . . . . . . . > *LIB
*LIB, *SAME
Sequence . . . . . . . . . > 0 0-9
Library . . . . . . . . . . > PKW81051S DB Library
Search Mode . . . . . . . . > *EMAIL *EMAIL, *CN, *SAME
Or
CERTDB(*YES *LIB 0 PKW81051S *EMAIL)
The certificate locator database parameter activates and defines the location and
defaults of the certificate locator database files. There are five options.
Active? (*YES|*NO|*SAME)
To utilize the certificate locator database you must set this option to *YES. If this is
*NO then all attempts to use the *DB option on recipients parameter in ZIP and
UNZIP will fail.
191

Store Type (*LIB|*SAME)
The store type specifies what type of database store. At this time only *LIB for
library is allowed.
Sequence (1-9*SAME)
The sequence defines the sequence of the database search when using the *SYSTEM
option. This is reserved for future releases
Library (Library name|*SAME)
This defines where the database store exist and is used in combination with the
“Store Type”. At this time only *LIB is allowed, so this option will define the library
where the SecureZIP databases exist.
Search Mode Default
(*EMAIL|*CN|*SAME)
The Search Mode default defines what type of search should be used when
performing a database search and the search string prefix is not ‘CN=’ nor ‘EM=’.
*EMAIL will use the email address contained in the certificate and *CN will use the
common name of the certificate.
CSPUB
Certificate PUBLIC Store:
Store Type . . . . . . . . > *PATH
*PATH, *SAME
Sequence . . . . . . . . . > 1 0-9
Store Location . . . . . . > '/pkzshare/CStores/public'
Or
CSPUB(*PATH 1 '/pkzshare/CStores/public')
The certificate public store parameter defines the location and defaults for the public
certificate store. A store location is required for certificate processing. Currently
there are three options.
Store Type (*PATH|*SAME)
The store type specifies the type of store. At this time only *PATH is allowed and
defines the “store Location” as a path in the integrated file system (IFS).
Sequence (1-9|*SAME)
The Sequence option defines the sequence of the public search when using the
*SYSTEM option. This is reserved for future releases.
Store Location (location name|*SAME)
This defines the IFS path where the certificate store for individual public-key X.509
certificates resides on the local system.
192

CSPRVT
Certificate PRIVATE Store:
Store Type . . . . . . . . > *PATH
*PATH, *SAME
Sequence . . . . . . . . . > 0 0-9
Store Location . . . . . . > '/pkzshare/CStores/private'
Or CSPRVT(*PATH 0 '/pkzshare/CStores/private')
The private certificate store parameter defines the location and defaults for the
private certificate store. A store location is required for certificate processing.
Currently there are three options.
Store Type (*PATH|*SAME)
The store type specifies the type of store. At this time only *PATH is allowed and
defines the “Store Location” as a path in the IFS.
Sequence (1-9 |*SAME)
The Sequence defines the sequence of the private search when using the *SYSTEM
option. This is reserved for future releases.
Store Location (location name|*SAME)
This defines the IFS path where the certificate store for individual private-key X.509
certificates resides on the local system.
Usage Notes
Private keys require a password to use or open.
CSCA
Certificate CA Store:
Store Type . . . . . . . . > *FILE
*FILE, *SAME
Sequence . . . . . . . . . > 0 0-9
Store Location . . . . . . > '/pkzshare/CStores/CA/pkwareCA.store'
Or:
CSCA(*FILE 0 '/pkzshare/CStores/CA/ pkwareCA.store')
The certificate authority store parameter defines the location and defaults for the
certificate authority store. A certificate authority store location is required to validate
the certificate for trust and certificate revocation. Currently there are three options.
Store Type (*FILE|*SAME)
The store type specifies the type of store. At this time only *FILE is allowed to define
the “Store Location” as a path/file in the IFS.
193

Sequence (1-9 |*SAME)
The Sequence defines the sequence of the private search when using the *SYSTEM
option. This is reserved for future releases.
Store Location (location name|*SAME)
This defines the IFS full path and file name where the certificate authority store for
public-key X.509 certificates reside on the local system. This store file is a file with a
PKCS#7 format.
CSROOT
Certificate ROOT Store:
Store Type . . . . . . . . > *FILE
*FILE, *SAME
Sequence . . . . . . . . . > 0 0-9
Store Location . . . . . . > '/pkzshare/CStores/Root/pkwareRoot.store'
Or
CSROOT(*FILE 0 '/pkzshare/CStores/Root/ pkwareRoot.store')
The certificate root store parameter defines the location and defaults for the trusted
root public store. A root store location is required to validate the certificate for trust
and certificate revocation. Currently there are three options.
Store Type (*FILE|*SAME)
The store type specifies the type of store. At this time only *FILE is allowed to define
the “Store Location” as a path/file in the IFS.
Sequence (1-9 |*SAME)
The sequence defines the sequence for the private search when using the *SYSTEM
option. This is reserved for future releases.
Store Location (location name|*SAME)
This defines the IFS full path and file name where the trusted root public store for
trusted root public-key X.509 certificates resides on the local system. This store file
is a file with a PKCS#7 format.
CSCRL
Certificate CRL Store:
Store Type . . . . . . . . > *FILE
*FILE, *SAME
Sequence . . . . . . . . . > 0 0-9
Store Location . . . . . . > '/pkzshare/CStores/CRL/pkwareCRL.store'
Or
CSCRL(*FILE 0 '/pkzshare/CStores/ pkwareCRL.store')
The certificate CRL store parameter defines the location and defaults for the
Certificate Revocation Store. A CRL store location is required to perform certificate
revocation which is set in REVKEPOL parameter. Currently only a Static CRL is
available and has three options.
194

Store Type (*FILE|*SAME)
The store type specifies the type of store. At this time only *FILE is allowed to define
the “Store Location” as a path/file in the IFS.
Sequence (1-9 |*SAME)
The sequence defines the sequence of the private search when using the *SYSTEM
option. This is reserved for future releases.
Store Location (location name|*SAME)
This defines the IFS full path and file name where the CRL (Certificate Revocation
List) store resides on the local system. This store file is a file with a PKCS#7 format.
CWRKPATH
Certificate Work Path:
Path Location . . . . . . > '/pkzshare/CStores/CTemp'
Or
CWRKPATH ('/pkzshare/CStores/CTemp')
The certificate administration tools and certificate utility tools require the use of a
temporary area in order to write temporary files during a process. CWRKPATH
defines the path where the utilities can create and destroy temporary files. This area
should give *PUBLIC full rights.
Path Location (Path name |*NONE |*SAME)
Specify the full path name for the certificate working path. If no changes are
required, use *SAME. If the current path is to be cleared, use *NONE. Note by not
defining a working path certain certificate utilities may operate correctly.
ENTPREC
Enterprise Encrypt Recipient:
LookUp Type . . . . . . . . > *MBRSET *NONE, *DB, *LDAP, *FILE...
Recipient . . . . . . . . . > 'pkwareCertAdmin04.cer'
Required . . . . . . . . . . > *RQD *RQD *OPT, *SAME
Or ENTPREC(*MBRSET 'pkwareCertAdmin04.cer' *RQD)
The enterprise encrypt recipient (contingency key) parameter defines the enterprise
or corporate defined recipient which should be included as a global or administrative
access recipient. This enables the enterprise to decrypt and access the file(s) when
other Recipients are no longer able or eligible.
The specification of this recipient does not trigger encryption to take place during ZIP
processing in the same way as – ENTPREC parameter in the ZIP command. However,
once strong encryption is specified, the value of this parameter is implicitly included
in the run as if a - ENTPREC command had been invoked. This parameter follows the
syntax of the ENTPREC in the PKZIP and PKUNZIP commands.
195

Currently there are three options.
Lookup Type (*NONE |*DB |*LDAP |*FILE |*MBRSET |*SAME)
The lookup type would be the type of recipient search that will be used for the
recipient string.
• *NONE - Indicates no enterprise recipient is supplied.
• *DB - The recipient string is defined to search using the certificate locator
database to access the enterprise certificate.
• *LDAP - The recipient string is defined to search using the LDAP server to
access the enterprise certificate.
• *FILE - The recipient string is defined to search using a specific path and file
in the IFS to access the enterprise certificate.
• *MBRSET - The recipient string is defined to search using a file in the
enterprise public certificate store to access the enterprise certificate.
Recipient (The recipient file or name)
The common name (CN=) or email address (EM=) of the recipient(s). Also, the
location on the Inlist file containing the recipient name(s).
Required (*RQD|*OPT|*SAME)
If *RQD, then anytime the ENTPREC is evoked in the PKZIP command, the recipient
defined here is required for the ZIP process to complete successfully.
LDAPACTV
LDAP Definitions:
Nbr Active LDAPs . . . . . > 3
1-3, *NONE, *SAME
Or
LDAPACTV(3)
LDAPACTV define how many active LDAPS will be defined for SecureZIP. Currently
the maximum is three.
LDAP1
Primary LDAP:
1 Network Name . . . . . . > '192.168.111.28'
1 Port . . . . . . . . . . > 389 1-9999
1 Sequence . . . . . . . . > 1 0-9
1 TimeOut . . . . . . . . . > 0 0-9999
1 Access User . . . . . . . > 'PKWAREADDEV\test'
1 Access Password . . . . . > 'xxxx'
1 Search Mode . . . . . . . > *EMAIL *EMAIL, *CN
1 Start Node . . . . . . . > 'cn=users,dc=pkwareaddev,dc=com'
196

Or
1 Test . . . . . . . . . . > N N, Y
LDAP1('192.168.111.28' 389 1 0 'PKWAREADDEV\test' 'xxxx' *EMAIL
'cn=users,dc=pkwareaddev,dc=com' N)
The LDAP1, LDAP2 and LDAP3 parameters define from 1 to 3 LDAP server
configurations. To access the LDAP, see your directory services administrator for the
LDAP servers. Currently there are nine options for each LDAP.
Network Name (LDAP Server |*SAME)
The LDAP network name can be either the TCP/IP address of the LDAP server or if
name resolution is supported this can be the server’s name.
Port (1-9999 |389)
Specifies the TCP port number the LDAP server is listening on. The standard LDAP
port is 389, but each installation may vary, especially if it is a secured port.
Sequence (0-9|*SAME)
Specifies the search sequence of databases and LDAP servers. This is reserved for
future releases.
Timeout (0-9999|*SAME)
Specifies the maximum number of seconds to wait for search results. 0 will use the
default defined for the LDAP server.
Access User (Name of User|*SAME)
The distinguished name of the entry user that will be used to bind.
Access Password (Password |*SAME)
The credentials with which to authenticate the access user. Arbitrary credentials can
be passed using this parameter. In most cases, this is the password for the access
user.
Search Mode (*CN|*EMAIL|*SAME)
Specifies the default LDAP search mode that will be used if neither CN= nor EM= are
prefixed on the recipient selection string.
Start Node (Distinguished name of where to start|*SAME)
Specifies the distinguished name of the entry at which to start the search (at what
potion of the LDAP structure should the search begin)
Test (Y|N)
Specify whether to Test the current LDAP. By coding this option to a Y for YES, then
after the command has updated the security configuration file, a verification test will
197

e performed for this LDAP. For more information on the results see the PKLDAPTST
(Test LDAP) command.
LDAP Usage Notes:
Please be aware that the LDAP may not contain any encryption certificate validation
policies. If the end user specifies only the LDAP, without a local CA and root stores
for the environment, then the SecureZIP default validation settings of TRUSTED and
REVOKED will be enforced for the run. This will cause the run to fail during
validation of the trusted certificate path because there are no CA and Root
certificates available for processing. If you wish to execute the SecureZIP with the
LDAP only, then you will need to set your security environment policies or run policy
for the authentication and encryption validation policies in the run for to exclude
trust and revoke filters:
AUTHPOL(*WARN *NONE (*ALL *NOTTRUSTED *NOTREVOKED))
ENCRYPOL(*WARN (*ALL *NOTTRUSTED *NOTREVOKED))
Windows Compatibility
When using BSAFE AES encryption with recipients, there is a cross-system
compatibility issue to be addressed by the user community. Windows operating
systems running pre-Win/XP may experience a decryption problem depending on the
state of the private-key certificate on the workstation. During the Windows certificate
import process, a dialog check-box "Mark the private key as exportable" may be
selected. If this option was not selected, then Windows will not allow an AES
encrypted file to be decrypted unless the master session key was wrapped with
3DES.
The security configuration parameter SECTYPE option "AES 3DES Keys" is introduced
with RECIPIENT processing which allows the SecureZIP user to create AES-encrypted
files that are compatible with older Windows workstations. When turned on, the
MSK3DES flag is set in the NDH/DIB; indicating that the master session key
information is protected with 3DES when recipients are specified.
PKZIP for Windows has a variance in processing between 6.0 and 7.x due to OAEP
processing. PKZip for Windows 5.0 through 6.0 used OAEP processing. However, that
was found to be incompatible with smartcards, so 6.1 and above began setting the
NO_OAEP flag in the NDH/DIB flags and stopped creating OAEP encryption-mode
files.
198

14 PKLDAPTST “LDAP Test” Command
PKLDAPTST Command Summary with Parameter Keyword
Format
PKLDAPTST is a utility command to assist in testing the LDAP servers that SecureZIP
will use. This command is included to assist with the LDAP parameters and to verify
LDAP access along with time access.
Keywords are demarcated by spaces. In many cases there are multiple entries for a
parameter where each entry is again demarcated by spaces. For more information
about command process reference the IBM Home page for your version of the
operating system.
ACTION ( ({*SUMMARY} )
{*DETAILS }
SNAME ( Server Name or IP )
{Network IP address or server Name }
PORT ( Port Number )
{389 }
{1-9999 }
USER ( Access User )
{LDAP User for Access }
PASSWORD ( Access Password )
{User Password }
STRNODE ( Start Node )
{Start Node Text String }
SEARCHFT ( Search Filter )
{'(cn=*)(userCertificate=*)'}
{ valid LDAP Search String }
199

MAXI ( Max Item )
{0-9999 }
PKLDAPTST Command Keyword Details
ACTION - Action Type
ACTION (*SUMMARY|*DETAILS)
Specifies how much to display.
*SUMMARY will show the times and the count of items returned.
*DETAILS will show the common name of all LDAP items selected.
SNAME - Server Name or IP
SNAME (LDAP Server)
The LDAP Server name can be either the TCP IP address of the LDAP server or if
name resolution is supported this can be the server’s name.
PORT - Port Number
PORT (389 | 1-9999)
Specifies the TCP port number the LDAP server is listening on. The standard LDAP
ports is 389 but each installation may vary, especially if it is a secured port.
USER - Access User
USER (Distinguish name of an authorized user for access)
Specifies the distinguished name of the entry user that will be used to bind the LDAP
server.
200

PASSWORD - Access Password
PASSWORD (Password of the Access User if available)
Specifies the credentials with which to authenticate the access user. Arbitrary
credentials can be passed using this parameter. In most cases, this is the password
for the access user.
STRNODE - Start Node
STRNODE (Start Node Text String)
Specifies the distinguished name of the entry at which to start the search (at what
potion of the LDAP structure should the search begin).
SEARCHFT - Search Filter
SEARCHFT ('(cn=*)(userCertificate=*)'| valid LDAP Search String)
Specifies the LDAP search string for the Test. The text must be a valid LDAP search
string. The default string is '(CN=*)(userCertificate=*)', which will search for all
common names that have a user certificate.
MAXI - Max Item
MAXI (100| 0-9999)
Specifies the maximum numbers of LDAP items to return for the test run. If this
value exceeds the value defined for the LDAP server, it will take president over the
MAXI value.
Sample Test:
SecureZIP LDAP Test
8.1 (PKLDAPTST)
Type choices, press Enter.
Action Type . . . . . . . . . . *SUMMARY *SUMMARY, *DETAIL
Server Name or IP . . . . . . . > '192.168.132.25'
Port Number . . . . . . . . . . 389 Character value
Access User . . . . . . . . . . > 'PKWAREADDEV\test'
Access Password . . . . . . . .
Start Node . . . . . . . . . . . > 'cn=users,dc=pkwareaddev,dc=com'
Search Filter . . . . . . . . . '(cn=*)(userCertificate=*)'
Max Item . . . . . . . . . . . . > 100
Character value
Or:
PKLDAPTST SNAME('192.168.132.25') USER('PKWAREADDEV\test')
PASSWORD() STRNODE('cn=users,dc=pkwareaddev,dc=com') MAXI(100)
201

Results:
PKLDAPTEST LDAP Test Starting 2004/07/22 06:23:34
PKLDAPTESTT Parameters:Action
- Server Port
- User Password
- Start Node
- Search Filter
- Max Items to Search ,100
LDAP_intialTest - --LDAP init ..... elasp time 0.000000 seconds
LDAP_intialTest - --SizeLimit=100 TimeLimit=0
LDAP_intialTest - --LDAP bind ..... elasp time 0.000000 seconds
LDAP_intialTest - --LDAP Search ..... elasp time 0.000000 seconds
LDAP_intialTest - --LDAP Search ...... 21 entries found
LDAP_intialTest - --LDAP Attributes ..... elasp time 0.000000 seconds
LDAP_intialTest - Total Entries=21
PKLDAPTESTT LDAP Testing Ending RC=0
Or:
LDAP1('192.168.111.28' 389 1 0 'PKWAREADDEV\test' 'xxxx'
*EMAIL'cn=users,dc=pkwareaddev,dc=com' N)
202

15 PKBLDCDB “Build Certificate
Database” Command
PKBLDCDB Command Summary with Parameter Keyword
Format
PKBLDCDB is a utility command to build the certificate locator database files and set
the security of the certificate file in the IFS.
NOTE: In order to use PKBLDCDB, the user must have the proper authority for the
path/file and for the CHGAUT command.
Keywords are demarcated by spaces. In many cases there are multiple entries for a
parameter where each entry is again demarcated by spaces. For more information
about the command process, reference the IBM home page for your version of the
operating system.
MAINT ( Processing Type )
{*UPDATE }
{*TEST }
{*VERIFY }
MTYPE ( Maint. Type )
{*FILE }
{*DIRECTORY }
CTYPE ( Certificate Type )
{*PUBLIC }
{*PRIVATE }
FNAME ( Path/File Name )
{Path and/or file name }
PASSWORD ( Cert Password )
{Certificate Private Key Password }
DUPOPT ( Replace Duplicates )
{*REPLACE}
{*NOREPLACE}
203

LOGLVL ( Logging Level )
{*LOG }
{*NOLOG }
{*MAXLOG }
OWNER ( Cert. Owner )
{QPGMR }
{*NONE }
{Vaild User Id }
PUBAUTH ( PUBLIC Authority Settings: )
New data authorities {*SAME }
{*RWX}
{*RX}
{*RW}
{*WX}
{*R }
{*W }
{*X }
{*EXCLUDE}
New object authorities {*SAME }
{*ALL }
{*OBJEXIST}
{*OBJMGT}
{*OBJALTER}
{*OBJREF}
{*NONE}
UIDAUTH ( New ID Authority Settings: )
New User ID {*CURRENT }
{Valid User Id }
New data authorities {*SAME }
{*RWX}
{*RX}
{*RW}
{*WX}
{*R }
{*W }
{*X }
{*EXCLUDE}
New object authorities {*SAME }
{*ALL }
{*OBJEXIST}
{*OBJMGT}
{*OBJALTER}
{*OBJREF}
{*NONE}
PKBLDCDB Command Keyword Details
MAINT - Processing Type
MAINT (*UPDATE |*TEST |*VERIFY)
The processing type determines the action that PKBLDCDB.
204

*UPDATE will update the certificate locator database.
*VERIFY will scan the certificate locator database and validate that all the files in the
database still exist in their store. If the DUPOPT parameter is *REPLACE and the file
in the database does not exist, that database record will be removed.
*TEST will simulate updating the certificate locator database, but will not perform
any posting. This command is helpful to review for errors and/or counts.
MTYPE - Maintenance Type
MTYPE (*FILE|*DIRECTORY)
The maintenance type determines the type of path/file name in the parameter
FNAME. If *FILE, then FNAME should be a specific certificate file (fully qualified path
included). If *DIRECTORY, the FNAME should be the fully qualified path that will be
scanned for the certificate file.
CTYPE - Certificate Type
CTYPE (*PUBLIC|*PRIVATE)
CTYPE specifies the type of certificates (private or public) will be processed in this
run.
*PUBLIC specifies that only a public certificate should be processed. No password
should be supplied.
*Private indicates that only private-key certificates should be processed and requires
a password be entered.
FNAME - Path/File Name
FNAME (Path and/or file name )
The contents of FNAME contain the IFS file or directory that will be used to update
the certificate locator database. To use a specific file, code MTYPE(*FILE) and enter
the full path and file name of the specific certificate file. If MTYPE(*DIRECTORY),
then enter the IFS fully qualified directory that PKBLDCDB will scan for certificates.
If you have all your public certificates in one store, it is easy to use *DIRECTORY to
update the database in one run. For the most part, the private key processing will
usually use *FILE for the run since private key certificates require a unique
password.
If you want to use the path to the system store for public or private key certificates,
and you want to enter only the file name, prefix the file name with {SP}. This inserts
the appropriate system path for the path of the file name.
For example: FNAME('{SP}myfile.cer'). If CTYPE(*PUBLIC), the path of the
enterprise store will be something like '/myroot/cstore/public/myfile.cer'.
205

PASSWORD - Certificate Password
PASSWORD (Certificate Private Key Password)
To access the contents of a private key certificate, processing requires the password
assigned when the certificate was exported. When entering this password, note that
it is used only to open the certificate to gather the database data and is not stored or
saved. The certificate is not altered in any way.
DUPOPT - Replace Duplicates
DUPOPT (*REPLACE|*NOREPLACE)
The DUPOPT is used with MAINT(*UPDATE) and MAINT(*VERIFY). When using
MAINT(*UPDATE), DUPOPT(*REPLACE) will replace the database entry with new data
when a duplicate entry is encountered. *NOREPLACE will only occur if a duplicate
was not found.
When using MAINT(*VERIFY) and a file in the certificate locator database cannot be
found, PKBLCDB will remove the database entry for that file with
DUPOPT(*REPLACE). With *NOREPLACE only an error message will be displayed.
LOGLVL - Logging Level
LOGLVL (*LOG|*NOLOG |*MAXLOG)
Specifies the level of logging (printing/viewing) during a PKBLDCDB run.
LOGLVL(*NOLOG) will only show a minimal amount of information.
LOGLVL(*MAXLOG) will show more details, with some of the detail useful only for
problem determination.
OWNER - Cert. Owner
OWNER (*NONE | New Object Owner ID)
OWNER transfers object ownership for the IFS certificate files processed during a
PKBLDCDB run from the current owner to the specified owner. The authority that
other users have to the object does not change. Using *NONE will make no
ownership changes.
Note: In order for this change to work, the user running PKBLDCDB must have the
authority to execute the CHGOWN command and must have the authority to change
the files ownership. Otherwise an error will occur. The database will be updated but
the ownership will not be changed.
206

PUBAUTH - PUBLIC Authority Settings
PUBLIC Authority Settings:
New data authorities . . . . . *SAME *SAME, *RWX, *RX, *RW, *WX...
New object authorities . . . . *SAME *SAME, *ALL, *OBJEXIST...
+ for more values
New data authorities {*SAME |*RWX |*RX |*RW |*WX |*R |*W |*X |*EXCLUDE}
New object authorities {*SAME | *ALL | *OBJEXIST | *OBJMGT | *OBJALTER | *OBJREF
| *NONE}
The PUBAUTH allows the PKBLDCDB run to change the PUBLIC authorities on the IFS
files that are processed. By specifying “PUBAUTH(*SAME (*SAME))”, PKBLDCDB will
not alter the file authority for PUBLIC.
The rules for the PUBAUTH parameter are the same as the CHGAUT command. For
more information about changing PUBLIC authorities and the explanation of the data
and object authorities, see the CHGAUT command.
Note: In order for this change work, the user running PKBLDCDB must have the
authority to execute the CHGAUT command and must have the authority to change
the IFS file authorities. Otherwise an error will occur. The database will be updated
but the authorities will not be changed.
For details of the new data authorities and new object authorities, see the UIDAUTH
parameter where the user would specify *PUBLIC.
UIDAUTH - New ID Authority Settings
New ID Authority Settings:
New User ID . . . . . . . . . *NONE User Id, *CURRENT, *NONE
New data authorities . . . . . *SAME *SAME, *NONE, *RWX, *RX...
New object authorities . . . . *SAME *SAME, *NONE, *ALL...
+ for more values
New User ID {*NONE |*CURRENT | Valid User ID}
New data authorities {*SAME |*RWX |*RX |*RW |*WX |*R |*W |*X |*EXCLUDE}
New object authorities {*SAME | *ALL | *OBJEXIST | *OBJMGT | *OBJALTER | *OBJREF
| *NONE}
The UIDAUTH allows the PKBLDCDB run to add/change a user’s authorities on the
IFS files that are processed. Specifying UIDAUTH(*NONE) , no user authorities will
be changed.
The rules for UIDAUTH parameter are the same as the CHGAUT command. For more
information about changing object authorities and the explanation of the data and
object authorities see the CHGAUT command.
Note: In order for this change work, the user running PKBLDCDB must have the
authority to execute the CHGAUT command and must have the authority to change
207

the IFS file authorities. Otherwise an error will occur. The database will be updated
but the authorities will not be changed.
UIDAUTH options are:
New User ID:
Specifies the user ID to whom authorities for the named file object are being given.
If user ID is not *NONE, the authorities are given specifically to that user. The user
ID must be a valid iSeries user ID. *CURRENT will use the ID of the user that is
running the PKBLDCDB command.
New Data Authorities for the file:
Specifies the data authorities being given to the user specified in the new user ID
parameter. If a value other than *SAME is specified, the value replaces any data
authorities (*OBJOPR, *READ, *ADD, *UPD, *DLT, and *EXECUTE) that the user
currently has to the objects.
The possible values are:
*SAME
*NONE
*RWX
*RX
*RW
*WX
The user’s data authorities to the objects do not change.
The user does not have any of the data authorities to
the objects.
The user is given *RWX authority to the objects. The
user is given *RWX authority to perform all operations
on the object except those limited to the owner or
controlled by object existence, object management,
object alter, and object reference authority. The user
can change the object and perform basic functions on
the object. *RWX authority provides object operational
authority and all the data authorities.
The user is given *RX authority to perform basic
operations on the object, such as run a program or
display the contents of a file. The user is prevented
from changing the object. *RX authority provides object
operational authority and read and execute authorities.
The user is given *RW authority to view the contents of
an object and change the contents of an object. *RW
authority provides object operational authority and data
read, add, update, and delete authorities.
The user is given *WX authority to change the contents
of an object and run a program or search a library or
directory. *WX authority provides object operational
authority and data add, update, delete, and execute
authorities.
*R The user is given *R authority to view the contents of an
object. *R authority provides object operational
authority and data read authority.
208

*W The user is given *W authority to change the contents of
an object. *W authority provides object operational
authority and data add, update, and delete authorities.
*X The user is given *X authority to run a program or
search a library or directory. *X authority provides
object operational authority and data execute authority.
*EXCLUDE
Exclude authority prevents the user from accessing the
object.
New Object Authorities for the file(s):
Specifies the object authorities being given to the user specified in the user
parameter. If a value other than *SAME is specified, the value replaces any object
authorities (*OBJEXIST, *OBJMGT, *OBJALTER, and *OBJREF) that the user
currently has to the objects.
The possible values are:
*SAME
*NONE
*ALL
*OBJEXIST
*OBJMGT
*OBJALTER
*OBJREF
The user's object authorities to the objects do not
change.
The user does not have any other object authorities
(existence, management, alter, or reference). If
*EXCLUDE or *AUTL is specified for the DTAAUT
parameter, this value must be specified.
All of the other object authorities (existence,
management, alter, and reference) are given to the
users. Or specify up to four (4) of the following values:
The user is given object existence authority to the
object.
The user is given object management authority to the
object.
The user is given object alter authority to the object.
The user is given object reference authority to the
object.
209

16 PKQRYCDB “Query Cert Database”
Command
PKQRYCDB Command Summary with Parameter Keyword
Format
PKQRYCDB is a utility command to query the certificate locator database files or a
certificate file in the IFS.
Keywords are demarcated by spaces. In many cases there are multiple entries for a
parameter where each entry is again demarcated by spaces. For more information
about the command process reference the IBM home page for your version of the
operating system.
SecureZIP Query Cert Db 8.1 (PKQRYCDB)
Type choices, press Enter.
Processing Type . . . . . . . . *SUMMARY *SUMMARY, *LEVEL1, *ALL
File Type . . . . . . . . . . . *DB *FILE, *DB, *P7B
Certificate Type . . . . . . . . *ALL *PUBLIC, *PRIVATE, *ALL
Selection Name . . . . . . . . . __________________________________________
_____________________________
Cert Password . . . . . . . . .
Logging Level . . . . . . . . . *LOG *NOLOG, *LOG, *MAXLOG
PKQRYCDB Command Keyword Details
RUNTYPE - Processing Type
RUNTYPE (*SUMMARY|*LEVEL1 |*SELECT|*ALL)
The processing type determines the amount of details that PKQRYCDB will display.
The possible type codes are:
*SUMMARY - Shows only one line per selected item and is based on the
selection type (CN= or EM=)
*LEVEL1 - Displays the common name, email address and the certificate path
and file name
210

*SELECT - Displays a display file of certificates based on the selection type.
The items can be browsed or selected for a detail display of the certificates. If
the certificate dates have expired, the dates will be highlighted.
*ALL - Displays a complete set of details for each certificate; could be 20-40
lines per file
FTYPE - File Type
FTYPE (*FILE| *DB | *P7B)
The file type determines the type of path/file name in the parameter FNAME.
If *DB is selected, PKQRYCDB will search the database based on the contents
of the FNAME. For example, CN=Bill* will search for all certificates with a
common name that starts with Bill regardless of upper case or lower case.
If *FILE is selected, then FNAME should be a very specific certificate file (full
path included).
*P7B will read a specific file that should be in a P7B format. It will then do a
detailed display for the contents of the P7B certificate store.
CTYPE - Certificate Type
CTYPE (*ALL| *PUBLIC | *PRIVATE)
CTYPE specifies the type of certificates, private or public, that will be processed in
this run.
*ALL will process both public and private certificates.
*PUBLIC specifies that only public certificates should be processed. No
password should be supplied.
*PRIVATE indicates that only private-key certificates should be processed and
requires that a password be entered.
FNAME - File Name
FNAME (Path/File name)
If FTYPE is *DB, the FNAME contents will be the selection criteria for the certificate
locator database. It should contain the prefix of the field to select, such as CN= for
common name and EM= for email address. Selection is not case-sensitive. If the
selection ends in an asterisk (*), a generic selection is made for all certificates
starting with the selection criteria.
If FTYPE is *FILE, the contents of FNAME contains the IFS file that will used to query
the certificate contents. Specify the full path and file name of the specific certificate
file.
211

PASSWORD - Certificate Password
PASSWORD (Certificate Private Key Password)
Processing the private key certificate with RUNTYPE(*ALL) requires the password
used when the certificate was exported to open and gather the contents. The
password is used only to open the certificate to gather the database data; it is not
stored or saved. The certificate is not altered in any way.
LOGLVL - Logging Level
LOGLVL (*LOG|*NOLOG |*MAXLOG)
Specifies the level of logging (printing/viewing) used during a PKQRYCDB run.
LOGLVL(*NOLOG) shows only a minimal amount of information. LOGLVL(*MAXLOG)
shows more details, with some of detail useful only for problem determination.
Sample Displays
Request RUNTYPE(*SUMMARY) to generate and display a report containing additional
information about the certificate.
PKQRYCDB RUNTYPE(*SUMMARY) FNAME('cn=will*')
PKQRYCDB QUERY SecureZIP Cert DataBase starting------2004/11/16 07:37:28
PKQRYCDB Start Search Summary for
Public Key CN=William S. Somebody
Public Key CN=William Somebody
Public Key CN=William Somebody
Private Key CN=William Somebody
Public Key CN=William Somebody
PKQRYCDB Run Totals:
Total Records In Error =0
Total Records Processed =5
PKQRYCDB Scan ending------
Request RUNTYPE(*Level1) to generate and display a report containing additional
information about the certificate.
PKQRYCDB RUNTYPE(*LEVEL1) FNAME('cn=will*')
212

PKQRYCDB QUERY SecureZIP Cert DataBase starting------2004/11/16 07:39:34
PKQRYCDB Start Search Level 1 for
Public Key CN=William S. Somebody
EM=sombody@worldnet.att.net
FN=William S. Somebody
File
Public Key CN=William Somebody
EM=bill.Somebody@pkware.com
FN=William Somebody
File
Public Key CN=William Somebody
EM=bill.Somebody@pkware.com
FN=William Somebody
File
Private Key CN=William Somebody
EM=bill.Somebody@pkware.com
FN=William Somebody
File
Public Key CN=William Somebody
EM=bSomebody@pkware.com
FN=William Somebody
File
PKQRYCDB Run Totals:
Total Records In Error =0
Total Records Processed =5
PKQRYCDB Scan ending------
Request RUNTYPE(*ALL) to generate and display a report containing additional
information about the certificate.
PKQRYCDB RUNTYPE(*ALL) FTYPE(*FILE)
FNAME('/pkzshare/CStores/public/billSomebody03.cer')
PKQRYCDB QUERY SecureZIP Cert DataBase starting------2004/11/16 07:43:50
---------------------------------------------------------
Public Key Found File
CN=William Somebody
EM=bill.Somebody@pkware.com
FN=William Somebody
--- Certificate ---
William Somebody
Subject:
O=VeriSign, Inc.
OU=VeriSign Trust Network
OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98
OU=Persona Not Validated
OU=Digital ID Class 1 - Microsoft Full Service
CN=William Somebody
E=bill.Somebody@pkware.com
Issuer:
O=VeriSign, Inc.
OU=VeriSign Trust Network
OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98
CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
SerialNumber:
3F55 2A91 2B5A 9F9B 46E0 D8A0 96DB DDAB
NotBefore:
Mon Jul 21 19:00:00 2003
NotAfter:
Wed Jul 21 18:59:59 2004
213

SHA-1 Hash of Certificate:
D5 CE FF A5 72 EF B6 53 EA 75 F7 CA 2E 01 85 7B
65 7C B8 E7
Public Key Hash:
6E 16 CF EF FA A0 99 25 2B 79 DE E6 23 C7 D7 42
80 82 F3 E4
End Entity
PKQRYCDB Run Totals:
Total Records In Error =0
Total Records Processed =1
PKQRYCDB Scan ending------
The following table explains the fields of the certificate details in the display.
Heading
Subject
Issuer
SerialNumber
NotBefore/NotAfter
SHA-1 Hash of Certificate
Public Key Hash
Key Usage
Description
Information about the entity to whom the certificate was
issued
Information about the entity that issued the certificate
Serial number of the certificate
Date range for which the certificate is valid
The SHA-1 algorithm hash, or “thumbprint,” of the
certificate
The hash, or “thumbprint,” of the public key
Key usage flags that determine how the certificate was
intended to be used
The public key hash value is the prime key used in the local certificate store index.
The Issuer fields are composed of several x.509 subfields. The exact set varies. The
following table describes some of the most commonly used.
Code
O
OU
CN
E or EM
C
ST
L
Description
Organization
Organizational Unit
Common Name
Email address
Country
State or Province
Locality or City
The common name (CN) and email (E) fields can be searched to identify recipients.
214

17 PKSTORADM “Certificate Store
Administration” Command
PKSTORADM Command Summary with Parameter Keyword
Format
PKSTORADM is a certificate store administration utility command to maintain the
certificate authority (CA), trusted root, and certificate revocation list (CRL) stores.
Before using this utility, define the three stores and their location with PKCFGSEC
command.
X.509 certificates may be imported to the local certificate store through the
SecureZIP local certificate store administration tool PKSTORADM. These certificates
are frequently obtained through another platform and (binary) transferred to the
operational iSeries system for installation.
Important Note: All X.509 certificates should be transferred to the local iSeries
environment in binary mode with no translation.
When certificates are imported, you may either define which store a certificate
should be placed in or let the certificate administration tool determine the
appropriate store location based on the certificate type. You must tell the
PKSTORADM what certificate file type and key type to import.
iSeries UPDATE authority (or equivalent) must be granted to the system
administrator responsible for altering the certificate store.
PKSTORADM can import certificates to be added to your CA and/or to your TRUSTED
ROOT STORES. It can also be used to import a CRL into your static CRL store. When
building your stores, you should first install the trusted roots, followed by the CA
certificates. Before importing a CRL file, its CA must be in the CA store.
Usage Notes
If a certificate is designated to be an end-entity certificate, it can be ignored, or a
.cer file will be created in the public store path.
It’s important that only known trusted roots be allowed to be added to your trusted
root store. You should install a certificate to your root store only when you have
confirmed its authenticity. To do this, contact the certificate authority listed in the
candidate root certificate file. If you install a certificate to your root without
confirming its authenticity, you may be creating a security risk. Once you install the
215

certificate to your root store, SecureZIP will use it to complete future certificate trust
chain validation processing associated with the certificate authority.
PKSTORADM uses the SecureZIP utility PKCAADMN and most of the message issued
will be from that utility. Messages that start with prefix ZPCA are from the
PKCAADMN utility and be found in the message section. If there are no error
messages, AQZ0049 will be issued and can be monitored. If an error is encountered,
the escape message AQZ0050 will be issued and can be monitored.
Keywords are demarcated by spaces. In many cases there are multiple entries for a
parameter, with each entry again demarcated by spaces. For more information about
the command process, refer to the IBM home page for your version of the operating
system.
Type choices, press Enter.
SecureZIP CA Store Admin 8.1 (PKSTORADM)
Processing Type . . . . . . . . _________ *IMPORT, *LIST, *BROWSE...
Preferred Store . . . . . . . .
*CA, *ROOT, *CRL,*DETECT
File Type . . . . . . . . . . . *CER *CER, *P7B, *CRL
End Entities:
Process End Entities? . . . . *NO *YES, *NO
File Mode . . . . . . . . . . *UNIQUE *UNIQUE, *OVERWRITE
Selection Name . . . . . . . . . ____________________________________________
Cert Password . . . . . . . . . ____________________________________________
Logging Level . . . . . . . . . *LOG *NOLOG, *LOG, *MAXLOG
Temporary Controls . . . . . . . ____________ *SIMULATE
PKSTORADM Command Keyword Details
RUNTYPE - Processing Type
RUNTYPE (*IMPORT |* LIST |*BROWSE |*VERIFY |*DELETE |*INITIALIZE)
Specifies the processing type or action that PKSTORADM will perform:
*IMPORT
*LIST
*BROWSE
*VERIFY
Reads the input file (defined in the FNAME) with the file
type (FTYPE) and add the certificates to the appropriate
store defined with the preferred store STYPE.
Provides a complete, detailed listing of all the certificates
in the store defined in the STYPE parameter. No
updating takes place.
Provides a short display of all the certificates in the store
defined in the STYPE parameter. No updating takes
place.
Tests the store defined with the STYPE parameter and
verifies the condition of your store. No updating takes
place.
216

*DELETE
*INITIALIZE
Delete a certificate from either the CA or root store.
First a browse list similar to the browse list for the short
list will be displayed. Enter a ‘4’ for the option of the
certificate to be deleted and press the ENTER key to
display a confirmation message window. To complete
the deletion, press F5 to delete or F12 to cancel. If
*DETECT or *ALL is entered both stores will be
displayed. Only one delete option of ‘4’ can be entered.
Clears and initializes the store defined in the STYPE
parameter. For this command to work, you must also
type the word ‘Initialize’ in the FNAME parameter. Note:
Take care when using the option because it clears all of
your store’s current content.
FTYPE - File Type
FTYPE (*CER | *P7B | *CRL)
Defines the format or package type that the input file contains:
Format
*CER (PEM)
* P7B
(PKCS#7)
*CRL
Description
Contains a single public-key certificate. It may be in Base-64
encoded (ASCII text with ASCII headers) or DER-encoded binary
format.
Common file extensions: .pem, .cer, .key
Contains one or more CA (and or root) certificates or could also
contain one or more CRL in a PKCS#7 format.
Common file extension: .p7b
Contains certificate revocation list in a CRL format issued by a
certificate authority.
Common file extension: .crl
STYPE - Certificate Store
STYPE (*DETECT | *CA |*ROOT |*CRL)
STYPE specifies the type of certificates, private or public, to be processed in this run.
*DETECT
*CA
*ROOT
Detect will try to determine which store the certificate
will be imported into. If *DETECT is used with
RUNTYPE(*LIST) or RUNTYPE(*VERIFY), it is assumed to
perform on all stores.
Certificate authority store defined in the CSCA
parameter of PKCFGSEC.
Trusted root store defined in the CSROOT parameter of
PKCFGSEC.
217

*CRL
Static CRL (Certificate Revocation List) store defined in
the CSCRL parameter of PKCFGSEC.
ENDENTITY - End Entities
End Entities:
Process End Entities? . . . . *NO *YES, *NO
File Mode . . . . . . . . . . *UNIQUE *UNIQUE, *OVERWRITE
Or
ENDENTITY(*YES *OVERWRITE)
ENDENTITY specifies whether to automatically update end entity certificates when
found through the PKBLDCDB process by building X.509 files in a DER-encoded
binary format and placing the files in the public store path. The file name will be the
name of the inputted file with a _EEx.cer suffixed at the end, where x is a sequence
number. After adding you should run PKBLDCDB to record the latest public
certificates.
Process End Entities? (*YES|*NO)
Specifies whether to build the end entity certificates in the public store path.
*YES
*NO
If a p7b type file is being read that contains end entity
certificates, the end entity certificates will have a file
created for each certificate in the public store path, and
a PKBLDCDB will be launched to update the database.
Ignore end entity certificates.
File Mode? (*UNIQUE|*OVERWRITE)
Specifies action to take if a duplicate file is found in the public store path.
* UNIQUE If a file is being generated and a duplicate name is
found in the public store path, then the number will be
incremented until no duplicate is found.
*OVERWRITE
If a duplicate file is found in the public store path, the
file will be written over with the new file. If a duplicate is
written over, then you should run a PKBLDCDB with
*VERIFY to correct the locator database.
FNAME - File Name
FNAME (Path/File name)
FNAME is the inputted IFS path and file name that will be used to import with the
RUNTYPE(*IMPORT). If you specify RUNTYPE(INITIALIZE), then you must enter
‘Initialize’ to initialize a store.
218

PASSWORD - Certificate Password
PASSWORD (Certificate Private Key Password)
Reserved for future use. To process password protected P7B files that may contain a
private key.
LOGLVL - Logging Level
LOGLVL (*LOG|*NOLOG |*MAXLOG)
Specifies the level of logging (printing/viewing) used during a PKSTORADM run.
LOGLVL(*NOLOG) shows a minimal amount of information. LOGLVL(*MAXLOG)
shows more details, with some of detail useful only for problem determination.
CNTRLS - Logging Level
CNTRLS (*NONE |*SIMULATE )
Specifies special process controls for the run. At this time only *SIMULATE exits.
*NONE
*SIMULATE
No special controls.
Only valid with the RTYPE(*IMPORT). Simulates the run
process and does not update the stores. Provides a way
to see how and what would be added if an input file is
added to the stores.
Sample Displays
The following example shows a simulation of adding an inputted CER type file to the
root store.
PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CER) STYPE(*ROOT)
FNAME('/myroot/pkware/CStore/Testzips/pkwareRoot.cer')
CNTRLS(*SIMULATE)
PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 13:35:57
ZPCA000I SUCCESS: Added certificate to store
'/myroot/pkware/CStore/Root/pkwareRT.store'.
DSN=/myroot/pkware/CStore/Testzips/pkwareRoot.cer;CER=1;FN=PKTESTDB
Root;TP=A91CD312EFFEF51C8ABFEFD92C23FF67FBDBEBE3;SN=00;E=PKTESTDBRoot@nowhere.com
;ROOT
ZPCA846W WARNING: Simulation Requested. Nothing will be saved to the store.
ZPCA000I SUCCESS: Saved certificate store
'/myroot/pkware/CStore/Root/pkwareRT.store' to disk.
ZPCA000I Added 0 of a possible 1 certificates to the ROOT store.
ZPCA000I 0 certificates in the ROOT store before the Add command.
ZPCA000I 0 certificates in the ROOT store after the Add command.
ZPCA846W WARNING: Simulation Requested. Nothing will be saved to the store.
PKSTORADM Store Admin ending------0
PKSTORADM Completed Successfully
219

The following example shows adding an inputted CER type file to the root store.
Since a CER type file only has one certificate, one of a possible one certificate(s) was
added. Since the store was initially empty, the number of certificates in the store
before adding was zero, and the number after the add is one.
PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CER) STYPE(*ROOT)
FNAME('/myroot/pkware/CStore/Testzips/pkwareRoot.cer')
PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 13:47:55
ZPCA000I SUCCESS: Added certificate to store '/myroot/pkware/CStore/Root/
pkwareRT.store'.
DSN=/myroot/pkware/CStore/Testzips/pkwareRoot.cer;CER=1;FN=PKTESTDB
Root;TP=A91CD312EFFEF51C8ABFEFD92C23FF67FBDBEBE3;SN=00;E=PKTESTDBRoot@nowhere.com
;ROOT
ZPCA000I SUCCESS: Saved certificate store
'/myroot/pkware/CStore/Root/pkwareRT.store' to disk.
ZPCA000I Added 1 of a possible 1 certificates to the ROOT store.
ZPCA000I 0 certificates in the ROOT store before the Add command.
ZPCA000I 1 certificates in the ROOT store after the Add command.
PKSTORADM Store Admin ending------0
PKSTORADM Completed Successfully
This example also adds a certificate, but this time the file is destined for the CA
store.
PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CER) STYPE(*CA)
FNAME('/myroot/pkware/CStore/Testzips/pkwareCA.cer')
PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 13:51:22
ZPCA000I SUCCESS: Added certificate to store
'/myroot/pkware/CStore/CA/pkwareCA.store'.
DSN=/myroot/pkware/CStore/Testzips/pkwareCA.cer;CER=1;FN=PKWARE Test Intermediate
Cert;TP=2B3C27C30067690EFB77A8A84DAB1D39A1368906;SN=01;E=PKTESTDBIC@nowhere.com;C
A
ZPCA000I SUCCESS: Saved certificate store
'/myroot/pkware/CStore/CA/pkwareCA.store' to disk.
ZPCA000I Added 1 of a possible 1 certificates to the CA store.
ZPCA000I 0 certificates in the CA store before the Add command.
ZPCA000I 1 certificates in the CA store after the Add command.
PKSTORADM Store Admin ending------0
This example shows the verification action. Since the store type is STYPE(*DETECT),
it verifies all of the stores.
PKSTORADM RUNTYPE(*VERIFY) FTYPE(*CER) STYPE(*DETECT)
PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 13:53:41
ZPCA000I SUCCESS: CA Store '/myroot/pkware/CStore/CA/pkwareCA.store' verified
successfully. 1 certificates found.
ZPCA000I SUCCESS: Root Store '/myroot/pkware/CStore/Root/pkwareRT.store' verified
successfully. 1 certificates found.
220

ZPCA000I SUCCESS: CRL store '/myroot/pkware/CStore/CRL/pkwareCRL.store'
successfully verified. 0 revocation lists found.
PKSTORADM Store Admin ending------0
The following example does a detail list. Since the store type is STYPE(*DETECT), all
of the stores are listed. The list can get quite lengthy but may be needed to verify
your store contents.
PKSTORADM RUNTYPE(*LIST) FTYPE(*CER) STYPE(*DETECT)
PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 13:57:38
CA Store
--------
--- Certificate 1 ---
PKWARE Test Intermediate Cert
Subject:
C=US
S=Wisconsin
L=Milwaukee
O=PKWARE, Inc.
OU=PKWARE, Inc. -- for test and evaluation purposes only
CN=PKWARE Test Intermediate Cert
E=PKTESTDBIC@nowhere.com
Issuer:
C=US
S=Wisconsin
L=Milwaukee
O=PKWARE, Inc.
OU=PKWARE, Inc. -- for test and evaluation purposes only
CN=PKTESTDB Root
E=PKTESTDBRoot@nowhere.com
SerialNumber:
01
NotBefore:
Mon Dec 20 08:54:09 2004
NotAfter:
Sat Dec 14 08:54:09 2024
SHA-1 Hash of Certificate(Thumbprint):
2B 3C 27 C3 00 67 69 0E FB 77 A8 A8 4D AB 1D 39 A1 36 89 06
Public Key Hash:
72 C0 6D 05 C9 3E A9 6C 34 9C AD D0 8F 14 C0 8E 04 B0 E5 CF
Certificate Authority
--- Certificate 2 ---
PKWARE Test Intermediate Cert A
Subject:
C=US
S=Wisconsin
L=Milwaukee
O=PKWARE, Inc.
OU=PKWARE, Inc. -- for test and evaluation purposes only
CN=PKWARE Test Intermediate Cert A
E=PKTESTDBICA@nowhere.com
Issuer:
C=US
S=Wisconsin
L=Milwaukee
O=PKWARE, Inc.
OU=PKWARE, Inc. -- for test and evaluation purposes only
CN=PKTESTDB Root
E=PKTESTDBRoot@nowhere.com
SerialNumber:
221

02
NotBefore:
Tue Feb 8 11:38:17 2005
NotAfter:
Sun Dec 15 11:38:17 2024
SHA-1 Hash of Certificate(Thumbprint):
C4 05 A5 BC 36 94 21 49 D5 C2 12 CB 6C 21 3C 4F 1F E8 93 E6
Public Key Hash:
08 3B E9 79 78 15 E7 BA E9 00 90 00 D5 AC 92 BD 83 7A 8D 57
Certificate Authority
Root Store
----------
--- Certificate 1 ---
PKTESTDB Root
Subject:
C=US
S=Wisconsin
L=Milwaukee
O=PKWARE, Inc.
OU=PKWARE, Inc. -- for test and evaluation purposes only
CN=PKTESTDB Root
E=PKTESTDBRoot@nowhere.com
Issuer:
C=US
S=Wisconsin
L=Milwaukee
O=PKWARE, Inc.
OU=PKWARE, Inc. -- for test and evaluation purposes only
CN=PKTESTDB Root
E=PKTESTDBRoot@nowhere.com
SerialNumber:
00
NotBefore:
Mon Dec 20 08:21:34 2004
NotAfter:
Thu Dec 19 08:21:34 2024
SHA-1 Hash of Certificate(Thumbprint):
A9 1C D3 12 EF FE F5 1C 8A BF EF D9 2C 23 FF 67 FB DB EB E3
Public Key Hash:
9A C2 BA 79 76 20 64 5E 12 79 D9 74 4C A8 59 66 71 E9 C2 DD
Self Signed
Certificate Authority
CRL Store
---------
PKSTORADM Store Admin ending------0
The following example adds a CRL to the CRL store.
PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CRL) STYPE(*CRL)
FNAME('/myroot/pkware/CStore/Testzips/crl1.crl')
PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 14:16:48
ZPCA000I SUCCESS: Added certificate '/myroot/pkware/CStore/Testzips/crl1. crl' to
store '/myroot/pkware/CStore/CRL/pkwareCRL.store'.
ZPCA000I SUCCESS: Saved certificate store '/myroot/pkware/CStore/CRL/pkwa
reCRL.store' to disk.
222

ZPCA000I Added 1 out of 1 certificates to the CRL store.
ZPCA000I 0 entries in the CRL store before the Add command.
ZPCA000I 1 entries in the CRL store after the Add command.
PKSTORADM Store Admin ending------0
PKSTORADM Completed Successfully
The following example displays a CRL listing.
PKSTORADM RUNTYPE(*LIST) STYPE(*CRL)
PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 14:20:59
CRL Store
---------
--- CRL 1 ---
PKWARE Test Intermediate Cert A
Issuer:
C=US;S=Wisconsin;L=Milwaukee;O=PKWARE, Inc.;OU=PKWARE, Inc. -- for test and
evaluation purposes only;CN=PKWARE Test Intermediate Cert
A;E=PKTESTDBICA@nowhere.com
LastUpdate:
Unknown
NextUpdate:
Unknown
Revoked Serial Numbers (1):
SerialNumber=01;
IDHash=DA9F053EEF6684FC2BDF63962E24775EE81160ED;
PKSTORADM Store Admin ending------0
PKSTORADM Completed Successfully
The following example demonstrates a *BROWSE display browse.
PKSTORADM RUNTYPE(*BROWSE) STYPE(*ALL)
3/23/05 08:17:01 Certificate Store Admin PKQCD01D
Store Review Query
Option Document
CA 1 FN=Class 1 Public Primary Certification Authority
CA 2 FN=Open Financial Exchange CA - Class 3,www.verisign.com/CPS Incor
CA 3 FN=Open Financial Exchange CA - Class 3,www.verisign.com/CPS Incor
CA 4 FN=PKWARE Test Intermediate Cert E
CA 5 FN=VeriSign Class 2 CA - Individual Subscriber
CA 6 FN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
CA 7 FN=Thawte Server CA
CA 8 FN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
CA 9 FN=Thawte Premium Server CA
CA 10 FN=PKWARE Test Intermediate Cert
CA 11 FN=PKWARE Test Intermediate Cert A
CA 12 FN=PKWARE Test Intermediate Cert F
CA 13 FN=VeriSign, Inc.,VeriSign International Server CA - Class 3,www.v
Root 1 FN=VeriSign Commercial Software Publishers CA
Root 2 FN=VeriSign Individual Software Publishers CA +
F3-Exit F9-Fold F12-Return
223

F9 to Unfold:
3/23/05 08:17:01 Certificate Store Admin PKQCD01D
Store Review Query
Option Document
CA 1 FN=Class 1 Public Primary Certification Authority
SN=00CDBA7F56F0DFE4BC54FE22ACB372AA55
CA 2 FN=Open Financial Exchange CA - Class 3,www.verisign.com/CPS Incor
. By Ref.,LIAB. LTD. (c) 97 VeriSign
SN=1E47DBE0434AFB7AE84ABEF2EC2C7A6F
CA 3 FN=Open Financial Exchange CA - Class 3,www.verisign.com/CPS Incor
. By Ref.,LIAB. LTD. (c) 97 VeriSign
SN=5C1CD1200795F810DE576AC1FCCBF8C6410E0812
+
F3-Exit F9-Fold F12-Return
The following example demonstrates the importing of certificates from a p7b file that
has the end entity certificate with the full path of CA and root certificates. If the CA
and root already exist, the number of certificates in the stores will not increase. Note
the file created in the public store for the end entity certificate. See the message
(End Entity File created) where
the suffix _EEx.cer was attached and the file written in the public store path.
PKBLDCDB should now be run to add the certificate to the locator database. You
should run with CNTRLS(*SIMULATE) first to make sure what you are adding to your
CA and root stores is acceptable and trusted.
PKSTORADM RUNTYPE(*IMPORT) FTYPE(*P7B) STYPE(*DETECT)
ENDENTITY(*YES *UNIQUE)
FNAME('/pkzshare/cstores/Inputs/carolineF2004.p7b')
PKSTORADM SecureZIP CA Store Administration starting------2005/03/23 09:11:14
ZPCA000I SUCCESS: Added certificate to store
'/pkzshare/CStores/Root/pkwareRT.store'.
DSN=/pkzshare/cstores/Inputs/carolineF2004.p7b;CER=2;FN=Class 1 Publi c Primary
Certification Authority;TP=90AEA26985FF14804C434952ECE9608477AF556F
;SN=00CDBA7F56F0DFE4BC54FE22ACB372AA55;ROOT
ZPCA000I SUCCESS: Saved certificate store '/pkzshare/CStores/Root/pkwareRT.store'
to disk.
ZPCA000I SUCCESS: Added certificate to store '/pkzshare/CStores/CA/pkwareCA.store
'. DSN=/pkzshare/cstores/Inputs/carolineF2004.p7b;CER=3;FN=VeriSign Class 1 CA I
ndividual Subscriber-Persona Not Validated;TP=12519AE9CD777A560184F1FBD542152
22E95E71F;SN=0D8B4FEEAAD2185BF4756A9D29E17FFB;CA
ZPCA000I SUCCESS: Saved certificate store '/pkzshare/CStores/CA/pkwareCA.store' t
o disk.
ZPCA000I Added 1 of a possible 3 certificates to the stores.
ZPCA000I Added 0 certificates to the CA store.
ZPCA000I 12 certificates in the CA store before the Add command.
ZPCA000I 12 certificates in the CA store after the Add command.
ZPCA000I Added 0 certificates to the ROOT store.
224

ZPCA000I 27 certificates in the ROOT store before the Add command.
ZPCA000I 27 certificates in the ROOT store after the Add command.
ZPCA000I 1 end entities written to the
'/pkzshare/cstores/CWrkPath/SZdbfbecc7.tmp' output file.
End Entity File created.
PKSTORADM Store Admin ending------0
PKSTORADM Completed Successfully
Now add the public certificate to the locator database with the PKBLDCDB command:
PKBLDCDB MAINT(*UPDATE) MTYPE(*FILE) CTYPE(*PUBLIC)
FNAME('/pkzshare/CStores/public/carolineF2004_EE1.cer')
PKBLDCDB Update SecureZIP Cert DataBase starting------2005/03/23 09:32:25
PKBLDCDB Running Update Mode--Replace Duplicates---
PKBLDCDB Adding
PKBLDCDB Run Totals:
Total Records Added =1
Total Records Updated =0
Total Duplicateds Found =0
Total Records In Error =0
Total Records Processed =1
PKBLDCDB Scan ending------
PKBLDCDB Completed Successfully
The following example demonstrates the certificate deletion process:
PKSTORADM RUNTYPE(*DELETE) STYPE(*CA)
3/23/05 08:23:02 Certificate Store Admin PKQCD01D
Store Review Query
Type option - Press Enter. ONLY 1 Delete Selection Valid
4-Delete
Option Document
CA 1 FN=Class 1 Public Primary Certification Authority
CA 2 FN=Open Financial Exchange CA - Class 3,www.verisign.com/CPS Incor
CA 3 FN=Open Financial Exchange CA - Class 3,www.verisign.com/CPS Incor
CA 4 FN=PKWARE Test Intermediate Cert E
CA 5 FN=VeriSign Class 2 CA - Individual Subscriber
CA 6 FN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
CA 7 FN=Thawte Server CA
CA 8 FN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
CA 9 FN=Thawte Premium Server CA
CA 10 FN=PKWARE Test Intermediate Cert
CA 11 FN=PKWARE Test Intermediate Cert A
4 CA 12 FN=PKWARE Test Intermediate Cert F
CA 13 FN=VeriSign, Inc.,VeriSign International Server CA - Class 3,www.v
F3-Exit F9-Fold F12-Return
+
Enter 4 on the certificate line to delete, and press the ENTER key. This will cause the
following window to appear for confirmation.
3/23/05 08:23:02 Certificate Store Admin PKQCD01D
Store Review Query
Type option - Press Enter. ONLY 1 Delete Selection Valid
225

4-D ......................................................................
Optio : Confirm Certificate to be deleted from CA Store :
CA : Location: 12 :
CA : FN= PKWARE Test Intermediate Cert F : or
CA : SN= 01 : or
CA : :
CA : Note: :
CA : Certificates that are issued by the certification : ed
CA : authorities or any lower level certification authorities :
CA : will no longer be trusted. Press PF5 to Continue with : ed
CA : the deletions or PF12 to exit without deleting the :
CA : certificate. :
CA : Press F5 to Delete Certificate :
4 CA : Press PF12 to exit Without Delete :
CA : F5=Delete F12=Cancel : .v
: :
:....................................................................: +
To delete the certificate, press the PF5 key.
PKSTORADM SecureZIP CA Store Administration starting------2005/03/23 08:30:18
ZPCA000I SUCCESS: Deleted certificate from store.
ZPCA000I SUCCESS: Saved certificate store '/pkzshare/CStores/CA/pkwareCA.store'
to disk.
ZPCA000I Deleted 1 certificates from the CA store.
ZPCA000I 13 certificates in the CA store before the Delete command.
ZPCA000I 12 certificates in the CA store after the Delete command.
Certificate Deleted From CA Store
PKSTORADM Store Admin ending------0
PKSTORADM Completed Successfully
Message AQZ0528 is issued to the log for the deletion.
226

18 Processing with GZIP
Introduction to GZIP (GNU zip)
GZIP (GNU zip) is a compression utility designed to use a different standard for
handling compressed data in an archive. Its main advantages over other
compression utilities are much better compression and freedom from patented
algorithms. It has been adopted by the GNU project and is now relatively popular on
the Internet. GZIP was written by Jean-Loup Gailly (jloup@gzip.org) and Mark Adler
(the decompression code).
GZIP (GNU zip) utility program (available on a number of platforms including MVS,
UNIX, and PC) can be used like SecureZIP for iSeries to compress and extract
data. SecureZIP for iSeries in producing GZIP archives implements two GZIP
standard specifications:
RFC 1952: GZIP file format specification Version 4.3, which documents the GZIP
specifications and the format of a GZIP archive file.
RFC 1951: DEFLATE Compressed Data Format Specification Version 1.3, which
documents the compression algorithm used by GZIP processing.
The RFC is a process to promote specifications and standards throughout the
Internet community and can be found at www.faqs.org/rfcs. Both RFC 1952 and RFC
1951 specifications are platform-independent; therefore, data that was compressed
on one platform, for example, UNIX, may be decompressed on another platform, for
example, iSeries or MVS.
The one significant advantage of GZIP archive files over ZIP archive files is the ability
to handle larger (greater than 4 GB) file sizes. The standard ZIP archive format
restricts processing to uncompressed files that are less than 4 GB and cannot create
an archive containing multiple files that would meet or exceed the 4 GB limit. These
restrictions are due to the size of the specified fields (4 byte fields) that contain the
file size information within the archive. The GZIP archive format (see RFC 1952) can
process files of any size. This format does not maintain a 'directory’ of information
for individual files and allows sizes to 'wrap' at 4 GB, so it does not suffer a size
restriction.
227

GZIP Archive Files Used By SecureZIP for iSeries
The term GZIP archive file is used to describe the file that holds data that has been
compressed by one of the GZIP programs and meets the specifications of RFC 1952.
At the end of the GZIP archive is a trailer that contains the file’s compressed size,
uncompressed size, and a CRC value for the file (which is used to verify that the
decompressed data is identical to the data that was originally compressed).
A GZIP archive file can be transferred from one platform to another and can be
decompressed by a GZIP-compatible application which is running on that platform.
The internal format of a GZIP archive is identical, no matter what platform
compressed the file.
SecureZIP for iSeries (by default) creates new archives as members of PF-DTA
files with 132-byte records. The archive file is given a text field of 'file created by
PKZIP iSeries.' The archive member is given a text field of 'Member created by
PKZIP iSeries.' If you wish to create your own archive (perhaps because a larger
record size would be convenient), then you can do so, but consider the following:
When creating the file, do not create any members in it.
After creating the file, change the MAXMBRS parameter for the file from 1 to
*NOMAX.
A GZIP archive holds files internally in either text or binary format, both of which are
compatible with other platforms supported by GZIP. Because information held in a
GZIP archive is defaulted for binary processing, SecureZIP for iSeries uses the
parameter FILETYPE for text or binary processing. When transporting archives
between machines that use different character sets for text, for example, EBCDIC
and ASCII, the binary format may not be appropriate. Specifying that the file is to be
compressed as FILETYPE(*TEXT) will allow SecureZIP for iSeries to perform
EBCDIC-to-ASCII conversion, as required. Specifying FILETYPE(*TEXT) may also be
useful when PKUNZIP is used on the iSeries to extract data that has been
compressed on an ASCII system.
A GZIP archive is similar to a ZIP archive but normally only contains one compressed
file or member. GZIP archives, like ZIP archives, use the Lempel-Ziv algorithm
(inflate) to compress and decompress data. Unlike a ZIP archive, GZIP archives do
not hold a lot of information in various information blocks throughout the archive.
Instead, they contain only one information block at the beginning of the archive and
locates size information at the end of the archive. Some GZIP text data, for example,
file name and comments, use the ISO 8859-1 (LATIN-1) character set and therefore
will be converted to and from LATIN-1 as required. When a GZIP archive is created,
an information block is placed in the archive before the compressed version of the
file. This information block includes the following information about the file:
228

• The compression method used on the file.
• The date and time of the last update to the file.
• A flag to indicate optional extended data exists (these fields are usually
operating system-dependant and may be ignored if identification code is
unrecognized).
• The name of the file that was compressed.
• An archive text comment.
• Compressed data followed by the GZIP trailer at the end of the archive. The
trailer includes a CRC value and the original size of the uncompressed file.
Cross Platform Compatibility
Since GZIP archive files adhere to RFC 1952, the files are compatible across all GZIPsupported
platforms. If executable files and other platform-dependent objects are
compressed on one platform and then decompressed on another, it is unlikely that
they will work on the new platform. The same can be said about EBCDIC vs. ASCII.
Because the extra information is platform dependent, most likely it will be ignored by
another platform.
A major consideration for cross platform processing is when building the archive in
the QSYS library file system you may end up with pad bytes at the end of the archive
due to files have record lengths and the end of the archive will be padded to the
record length. Some GZIP products cannot handle the extra pad bytes at the end of
the archive. In this case, the archive should be stored in the IFS where the archive
will be a true stream file with no pad bytes at the end of the archive.
GZIP Restrictions
Filename encryption can not be used with GZIP.
Special Note on GZIP Passwords
GZIP standard processing (RFC 1952) does not normally allow a password to be
placed on a GZIP archive. SecureZIP for iSeries does allow this feature, but its use
may cause compatibility issues with other platforms. PKZIP for MVS does use the
same password standard, so GZIP archives with passwords can be exchanged
between SecureZIP for iSeries , PKZIP for VSE, and PKZIP for MVS. Because
GZIP archives that are created with a password with SecureZIP for iSeries or
PKZIP for MVS are not part of the GZIP standards, these files will probably
appear to be corrupt on other platforms.
Processing GZIP Archives
SecureZIP for iSeries can create and extract information from GZIP format
archives similar to how it can be used to create and extract information from a ZIP
archive. The creation of a GZIP archive and other parameters is exactly like all other
processes in SecureZIP for iSeries , including use of extended attributes. To create
a GZIP archive file, code the parameter GZIP(*YES). The difference is that the
229

archive can only have one (1) file, and the archive cannot be updated. The PKUNZIP
program will identify the GZIP archive and process it accordingly.
The following are the specific GZIP Restrictions that pertain to the PKZIP and
PKUNZIP programs:
GZIP Compressing
The code used by SecureZIP for iSeries follows the standards specified in the two
applicable RFC's. Specifically, these are RFC 1952 (GZIP file format specification
Version 4.3) and RFC 1951 (DEFLATE Compressed Data Format Specification Version
1.3). SecureZIP for iSeries should always be able to create a GZIP compatible
compressed file and extract data from a GZIP compressed file where the GZIP utility
matches these two specifications.
• Parameter COMPRESS(*NO) cannot be used because all GZIP archives must
contain compressed data.
• Parameter COMPRESS(*TERSE) cannot be used because terse compression is
a non-standard compression method for GZIP.
• Parameter FTRAN is not valid for GZIP because filenames have to be held in
the ISO 8859-1(LATIN-1) character set.
• Parameter TYPE (type of processing to be performed) cannot be specified
because *DELETE, *UPDATE, *FRESHEN, *MOVEF, or *MOVEU as a GZIP
archive cannot be updated once created.
Only one file is supported per GZIP archive. When creating an archive, this means
that only one file or member can be identified for inclusion in the archive.
If SecureZIP for iSeries is used to create and encrypt a GZIP archive using a
password, other platforms may not be able to decrypt the data. The encryption
algorithm used by SecureZIP for iSeries in a GZIP archive is similar to that used
by PKZIP, but it is not supported as part of the specifications for GZIP.
Once an iSeries SAVF has been zipped into a GZIP archive, the archive will extract on
another platform but will not be available as a SAVF. It will just be a binary file and
of no use on another platform.
The file name stored in an archive created by SecureZIP for iSeries will typically
contain library, file, and member names (directory components) which relate to the
qualifiers of the original iSeries name. According to the GZIP specifications, the file
name stored should be the original name of the file being compressed, with any
directory components removed. Most GZIP utilities support directory components,
and the default SecureZIP for iSeries processing will include library, file, and
member names in the output file name. Note: It is not possible to create a GZIP
archive using SecureZIP for iSeries that does not have the file name stored in the
archive.
GZIP Extracting
If a file name is present in the GZIP archive, it will be held in the ISO 8859-1
(LATIN-1) character set.
If there is no file name in the archive, one will use the default paths defined in the
EXDIR parameter.
230

If there is more than one compressed file in the archive, only the first file can be
processed.
When zipping a file into an archive, the archive cannot already exist. It is not
possible to merge or update a GZIP archive.
VIEW processing may not show all of the details from the archive, since some
information is not stored (or not stored in convenient locations) in the GZIP archive.
For example, the compressed and uncompressed file sizes will typically be shown as
zero.
To match the GZIP specifications, the time stored in the archive header will be in
universal time format (seconds since 01/01/1970). Because of manipulation during
processing, this time will have only a two-second accuracy (will always be divisible
by 2) and therefore could be one second off from the original file time.
There is no standard iSeries method to set the creation date of a file. As a result, the
time in the GZIP archive is ignored when creating the iSeries output file. It may be
viewed by specifying the parameter TYPE(*VIEW).
Sample GZIP Processing
Compressing a file
The following example shows how to compress a file into a GZIP archive. The PKZIP
command is used to compress data into an archive. To select the GZIP format for the
resulting archive, you must use the GZIP(*YES) option with the PKZIP command:
PKZIP ARCHIVE(‘MYLIB1/MYARCHFIL(GZ01)’) FILES('TESTLIB1/FILE1TXT') TYPE(*ADD)
GZIP(*YES)
The command above will compress the text file TESTLIB1/FILE1TXT into the archive
MYLIB1/MYARCHFIL(GZ01) in GZIP format. The archive must not already exist or an
error message will be generated and the operation will fail.
The output from the above command should look like the following:
File MYARCHFIL created in library MYLIB1.
SecureZIP for iSeries (tm) Data Compression Version 8.1, 2003/05/01
Copyright. 2004 PKWARE, Inc. All rights reserved.
PKZIP (R) is a registered trademark of PKWARE (R), Inc.
EVALUATION Running
EVALUATION, Warning - This license will expire in 29 days on 2003/06/02
Contact your dealer with the following information
Machine ID = 0107X8WT, Processor Group = P10
Scanning files for match ...
File MYARCHFIL in library MYLIB1 with member GZ01 not found.
Found 1 matching files
Member GZ01 added to file MYARCHFIL in MYLIB1.
Member GZ01 removed from file MYARCHFIL in MYLIB1.
Member PZ3AF2447F added to file MYARCHFIL in MYLIB1.
Compressing TESTLIB1/FILE1TXT(FILE1TXT) in TEXT mode
Add TESTLIB1/FILE1TXT/FILE1TXT -- Deflating (31%)
Member PZ3AF2447F renamed to member GZ01.
Member GZ01 file MYARCHFIL in MYLIB1 changed.
PKZIP Compressed 1 files in GZIP Archive MYLIB1/MYARCHFIL(GZ01)
PKZIP Completed Successfully
231

19 Messages
SecureZIP for iSeries messages are broken down into three types. When using
*VIEW type, all displays of the archive and files information use messages AQZ0800
thru AQZ0899. The licensing install and licensing validation use messages that start
with AQZ9nnnn. All other messages start with AQZ0001 through AQZ0799.
There are two messages that are issued as escape messages, and because they are
issued as an escape message, they can be monitored with the MONMSG command in
CL programs. Escape messages indicates a condition causing PKZIP or PKUNZIP to
end abnormally, without completing its work. By monitoring for escape messages,
you can take corrective actions or clean up and end your procedure or program. To
see the actual condition that may have caused the problem, you should review all
previous messages from the job log. If PKZIP or PKUNZIP issues one of these escape
messages, and the messages are not being monitored, then the iSeries will issue an
inquiry message requiring a reply (normal iSeries processing).
The message numbers that are issued as escapes are:
• AQZ0022 - PKZIP completed with errors.
• AQZ0038 - PKUNZIP completed with errors.
There are four messages that are issued as completion message types and are also
issued as a status message type. Because the messages are issued as a status type,
they can be monitored with the MONMSG command in CL programs. The message
numbers that are issued as status message types are:
• AQZ0012 - PKZIP ending with nothing to do for .
• AQZ0020 - PKZIP completed successfully.
• AQZ0024 - PKZIP completing with a warning. No files selected.
• AQZ0037 - PKUNZIP completed successfully.
EXAMPLE:
Msg ID
| Severity
| Code
| | Message Text
| | |
AQZ0109-00: Compressing &1 in &2 mode
232

Explanation: Informational. Compressing has started for the file with a specified
mode. The modes are: 1) SAVF, 2) DATABASE, 3) BINARY, 4) TEXT, and 5) Text in
EBCDIC.
The message text &1 will be the file name and &2 will be the mode such as:
Compressing TESTLIB/TESTFILE(TESTFILE) in TEXT mode
Messages from Certificate Store Administration
From the PKSTORADM command, messages are displayed from the Certificate Store
Administration program. These message all start with the prefix ZPCA followed by a
three digit number with a suffix of E (Error), W (warning) or I (Informational). For
example: “ZPCA815E Cannot Continue. Unable to close CA Store.”
See standard messages AQZ0049-00 "PKSTORADM Completed Successfully" and
AQZ0050-40 "PKSTORADM Completed with Errors" for PKSTROADM-monitored
completion messages.
233

AQZ0001 - AQZ0799 Messages
AQZ0001-00
Explanation:
PKZIP: &1 &2.
This message is used in conjunction with other messages to provide extended
information. See the following messages.
AQZ0002-40
Explanation:
Unexpected End of File: &1 &2.
While reading an archive file in PKZIP, an unexpected end of file was encountered.
The file may not have been created properly or copied to completion. Try running the
TYPE(*TEST) to see it can identify more information and review all other messages.
AQZ0003-40
Explanation:
Archive file Structure Error: &1 &2.
This message is associated with the previous message for exact cause. This
indicates a major archive failure for PKZIP to process. Review all messages and run
PKUNZIP with TYPE(*TEST) to see if there are more details. This may indicate that
current archive is incomplete or corrupted.
AQZ0004-40
Explanation:
Out Of Memory: &1 &2.
While trying to allocate memory in PKZIP or PKUNZIP, a failure occurred and no
memory was granted. Check other messages in the job log for possible causes and
refer to Appendix C about memory errors. If this continues, please contact the
Product Services Division at 1-937-847-2687 for assistance.
AQZ0005-40
Explanation:
Logic Error: &1 &2.
This message should never occur. If it does it may be due to a corrupted archive file.
Please contact the Product Services Division at 1-937-847-2687 for assistance.
AQZ0006-40
Explanation:
Error opening temp archive file:.
While trying to process PKZIP, a failure occurred while opening the temporary archive
file. Review other messages with PKZIP and the iSeries for more details of why
the failure occurred. Attributes used were=&2'.
234

AQZ0009-40
Explanation:
User interrupt or termination: &1 &2.
PKZIP encountered a request to terminate. If it continues to be unknown, please
contact the Product Services Division at 1-937-847-2687 for assistance.
AQZ0010-40
Explanation:
Error using temp file: &1 &2.
While trying to process PKZIP, a failure occurred with the temporary archive file.
Review other messages with PKZIP and the iSeries for more details of why the failure
occurred.
AQZ0011-40
Explanation:
Read or Seek error: &1 &2.
While reading an archive file in PKZIP, an unexpected error was encountered. The
file may not have been created properly, or copied to completion. Try running the
TYPE(*TEST) to see it can identify more information and review all other messages.
AQZ0012-40
Explanation:
PKZIP ending with Nothing to do for .
PKZIP found no files to process. Review the FILES EXCLUDE keywords for the
selections. This message can be monitored using MONMSG.
AQZ0013-40
Explanation:
Missing or empty archive file: &1 &2.
An archive file to process *UPDATE, *FRESHEN, or *DELETE is empty. No TYPE
was processed.
AQZ0014-40
Explanation:
Error writing to a file: &1 &2.
An unexpected error was encountered while writing the archive file. PKZIP is
terminated and the temporary archive file is corrupted. Review other PKZIP message
and iSeries messages in order to interpret why this message occurred.
AQZ0015-40
Explanation:
Could not open to write: &1 &2.
PKZIP could not create a list file or ARCHIVE file. PKZIP has terminated. Review
iSeries messages for cause of error.
235

AQZ0018-40
Explanation:
Could not open a specified file to read: &1 &2.
An archive, list, or extracted file could not be opened for reading. Review PKZIP
messages and iSeries messages that occurred in run.
AQZ0019-00
Explanation:
PKZIP Compressed &1 files in Archive &2.
&1 is the number of files that were compressed in this run of PKZIP storing them in
the archive file &2.
AQZ0020-00
Explanation:
PKZIP Completed Successfully.
PKZIP completed successfully. This message can be monitored using MONMSG.
AQZ0021-10
Explanation:
There are no files to select from: Zip ending.
Either no files were selected with files parameters for all actions or no files qualified
for selection with *FRESHEN or *UPDATE TYPE. Review archive and selection
parameters.
AQZ0022-40
Explanation:
PKZIP Completed with Errors.
See job log for previous errors messages. An error occurred that caused PKZIP to
complete unsuccessfully. AQZ0022 message will be issued as an Escape message
type. Escape messages indicate a condition causing PKZIP to end abnormally
without completing its work. This message can be monitored using MONMSG.
AQZ0023-10
Explanation:
Invalid date {&1} for date select option &2.
DATETYPE with *BEFORE or *AFTER was selected in PKZIP, but has an invalid
date in DATEAB. Format must be mmddyyyy or yyyymmdd. The mm must be 1 thru
12. The dd must be 1 thru 31.
AQZ0024-00
Explanation:
PKZIP Completing with a Warning. No Files Selected for
compression.
PKZIP selected 0 files for compression and there were no other actions (such as
*DELETE, archive comment update) to revise the archive. This message can be
monitored using MONMSG.
236

AQZ0025-40
Explanation:
File name contains special characters.
The file contains characters not valid for a file name.
AQZ0026-30
Invalid option(s) used with DELETE; ignored.
Explanation: This message should never occur. Please contact the Product Services Division at 1-
937-847-2687 for assistance.
AQZ0027-30
Explanation:
Archive file is empty, cannot make it as old as latest entry.
PKZIP run with archive file in the IFS file type. Cannot set date and time of the
archive to latest time of files because the archive file is empty.
AQZ0028-30
Explanation:
Archive file has only directories, cannot make it as old as
latest entry.
PKZIP run with archive file in the IFS file type. Cannot set date and time of the
archive to latest time of files. The archive file is OK.
AQZ0029-40
Explanation:
Name Not match: &1.
A file in the FILES selection keyword could not be found or matched with a pattern.
PKZIP will not process.
AQZ0030-00
Explanation:
Scanning files for match...
Information only. The search has started for file selections.
AQZ0031-00
Explanation:
Found &1 matching files.
Information only. The number of selection files that was found is considered for
processing.
237

AQZ0032-00
Explanation:
Copying temp &1 to &2.
Copies a temporary archive file to the requested archive name.
AQZ0034-00
Explanation:
Searching Archive &1 for files to extract.
Informational only. PKUNZIP has started searching the archive for files that meet the
selection and excluding parameters.
AQZ0035-00
Explanation:
Extracting file &1.
Informational only. PKUNZIP is in the process of extracting file &1.
AQZ0036-00
Explanation:
PKUNZIP extracted &1 files.
Informational only. PKUNZIP reports the number of files that were extracted in this
run.
AQZ0037-00.
Explanation:
PKUNZIP Completed Successfully.
Informational only. PKUNZIP completed with no errors. This message can be
monitored using MONMSG.
AQZ0038-40
Explanation:
PKUNZIP Completed with Errors.
During a run of PKUNZIP, errors were encountered. Some processing may or may
not have completed. Review the preceding messages for further details. AQZ0038
message will be issued as an escape message type. Escape messages indicates a
condition causing PKUNZIP to end abnormally without completing its work. This
message can be monitored using MONMSG.
AQZ0039-00
Explanation:
PKUNZIP found &1 file(s) in Error.
The run of PKUNZIP found &1 files with some type of error resulting in these files not
being processed. Consult the job log to discover why these files were in error.
238

AQZ0040-10
Explanation:
PKUNZIP skipped &1 file(s).
PKUNZIP skipped the files due to target files already existing on the system and the
parameter to OVERWRITE was set to *NO, which informs the system not to overwrite
any file that already exists.
AQZ0041-00
Explanation:
Searching GZIP Archive &1 for files to extract.
Informational only. PKZIP is searching for the files to process with GZIP option.
AQZ0042-00
Explanation:
Scanning Archive &1 for &2 files in archive.
PKZIP is scanning the input archive for files. Informational only when VERBOSE is
set. For large archive with tens of thousands of files it may take a while for this
process.
AQZ0043-00.
Explanation:
PKCFGSEC Completed Successfully.
Informational only. PKCFGSEC completed with no errors. This message can be
monitored using MONMSG.
AQZ0044-40
Explanation:
PKCFGSEC Completed with Errors.
During a run of PKCFGSEC, errors were encountered. Some processing may or may
not have completed. Review the preceding messages for further details. AQZ0044
message will be issued as an escape message type. Escape messages indicates a
condition causing PKCFGSEC to end abnormally without completing its work. This
message can be monitored using MONMSG.
AQZ0045-00.
Explanation:
PKBLDCDB Completed Successfully.
Informational only. PKBLDCDB completed with no errors. This message can be
monitored using MONMSG.
AQZ0046-40
Explanation:
PKBLDCDB Completed with Errors.
During a run of PKBLDCDB, errors were encountered. Some processing may or may
not have completed. Review the preceding messages for further details. AQZ0046
message will be issued as an escape message type. Escape messages indicates a
239

condition causing PKBLDCDB to end abnormally without completing its work. This
message can be monitored using MONMSG.
AQZ0047-00.
Explanation:
PKBQRYCDB Completed Successfully.
Informational only. PKBQRYCDB completed with no errors. This message can be
monitored using MONMSG.
AQZ0048-40
Explanation:
PKBQRYCDB Completed with Errors.
During a run of PKBQRYCDB, errors were encountered. Some processing may or
may not have completed. Review the preceding messages for further details.
AQZ0048 message will be issued as an escape message type. Escape messages
indicates a condition causing PKBQRYCDB to end abnormally without completing its
work. This message can be monitored using MONMSG.
AQZ0049-00
Explanation:
PKSTORADM Completed Successfully.
Informational only. PKSTORADM completed with no errors. This message can be
monitored using MONMSG.
AQZ0050-40
Explanation:
PKSTORADM Completed with Errors.
During a run of PKSTORADM, errors were encountered. Some processing may or
may not have completed. Review the preceding messages for further details.
AQZ0050 message will be issued as an escape message type. Escape messages
indicates a condition causing PKSTORADM to end abnormally without completing its
work. This message can be monitored using MONMSG.
AQZ0051-00
Explanation:
End Entity File created.
End Entity File certificate file was created. PKBLDCDB should be run to add the
certificate data to locator database.
AQZ0097-10
Input Archive was found to be Digitally Signed..
Explanation: The archive was digitally signed. This PKZIP update will destroy the signature.
240

AQZ0101-00
Explanation:
Add &1 -- &2.
Information providing the file and the type of compression method (deflate, terse, or
store) along with the percent of compression.
AQZ0102-00
Explanation:
Freshening: &1 with &2.
Informational: PKZIP running with TYPE(*FRESHEN) is processing the file with
compression method (deflate, terse, or store) and the percent of compression.
AQZ0103-00
Explanation:
Updating: &1 with &2.
Informational: PKZIP running with TYPE(*UPDATE) is processing file with
compression method (deflate, terse, or store) and the percent of compression.
AQZ0104-00
Explanation:
Deleting: &1.
Informational: Delete file &1 from the archive.
AQZ0105-00
Explanation:
Translating to ASCII.
Informational with VERBOSE(*max) indicating that data will translated to ASCII.
AQZ0106-00
Explanation:
Zip diagnostic: &1 .
File in the archive is up to date with date & time or the file in the archive is now
missing. Only when Verbose(*max).
AQZ0107-40
Explanation:
Attempting to restore &1 to its previous state.
A failure occurred while running PKZIP with an existing archive. An attempt is being
made to set the archive to a previous state prior to the original processing start time.
241

AQZ0108-00
Explanation:
Excluding .
In run PKZIP, a file found in the selection process was excluded due to a match
excluding file parameter.
AQZ0109-00
Explanation:
Compressing &1 in &2 mode.
Informational: Compressing has started for the file with a specified mode. The
modes are: 1) SAVF, 2) DATABASE, 3) BINARY, 4) TEXT and 5) Text in EBCDIC.
AQZ0110-00
Explanation:
The Output List file is being created.
Informational: to indicate that file &1 is being created, and will also be used to add list
records selected in the run. See Keyword-CRTLIST for more details.
AQZ0111-00
Explanation:
&1 Records written to the Output List file &2.
Informational: indicates that &1 records were outputted to the list file &2. See
keyword-CRTLIST for more details.
AQZ0112-00
Explanation:
&1 records read from Include File &2.
INCLFILE parameter was optioned in PKZIP or PKUNZIP. This message displays
how many records were in the file.
AQZ0113-00
Explanation:
Include parameters supplied &1.
Informational: How many include items found in FILES and INCLFILE.
AQZ0114-00
Explanation:
&1 records read from Exclude File &2.
EXCLFILE parameter was optioned in PKZIP or PKUNZIP. This message displays
how many records were in the file.
242

AQZ0115-00
Explanation:
Exclude parameters supplied &1.
Informational: How many include items found in EXCLUDE and EXCLFILE.
AQZ0116-00
Explanation:
Zip diagnostic: &1cluding .
Informational PKZIP: Display of file being included or excluded.
AQZ0117-00
Explanation:
File matches archive file – skipping.
PKZIP running with a file selected, which is the current file, requested as the archive.
This file is skipped from the selection process.
AQZ0118-40
Explanation:
Replace: cannot open &1.
PKZIP is trying to copy the temporary archive file to the archive file. The archive file
cannot be opened. Check the job log for messages as to why the open failed. If
specifying parameter TMPPATH in the library file system, verify that both library and
file name are specified (for example, MPPATH(‘MYLIB/TEMPARCH’).
AQZ0119-40
Explanation:
Fcopy: Write error.
PKZIP is trying to copy the temporary archive e file to the archive file. The archive
encountered an error while writing the new archive file. Check the job log for
messages to determine why the write failed.
AQZ0120-40
Explanation:
Fatal: Incorrect compressed size - &1.
A failure occurred while compressing. The size reported by the compression engine
is different from the offset determined in the archive file. This should never happen.
Please contact the Product Services Division at 1-937-847-2687 for assistance.
AQZ0121-00
Explanation:
Stats: &1 &2.
Information in PKZIP with verbose on. Shows the size of the file being compressed
and the size of the compressed file.
243

AQZ0122-00
Explanation:
Enter new Zip file Comment for file &1.
FILESTEXT was set to edit a new comment for files being added to the archive.
Enter the file’s comment and press the Enter key.
AQZ0123-00
Explanation:
Enter Zip file Comment for file &1.
An unexpected error was encountered while writing the archive file. PKZIP is
terminated, and the FILESTEXT was set to edit comments for files being added or
updated to the archive. Enter the file's comment, and press the Enter key.
AQZ0124-00
Explanation:
Zip Info: &1 &2.
Informational PKZIP files when processing with enhanced DEBUG options.
AQZ0125-00
Explanation:
Zip: reading &1.
Informational PKZIP: reading the file & in the current archive. Only displays with
Verbose(*MAX) during fix option. This option is not available at this time.
AQZ0126-00
Explanation:
Zip Info: &1 for &2.
Informational PKZIP: Compression statistic of file &2. Only displays with
Verbose(*MAX) during fix option. This option is not available at this time.
AQZ0127-00
Explanation:
Global settings are “No wildcard selection”, but FILES contains
an *.
The files parameter contains a wildcard selection , but the wildcard global setting
is coded for NO wildcards selections. Correct and rerun or see your administrator for
the PKZIP settings.
AQZ0129-40
Explanation:
Local header not found for &1.
The current, loaded archive file is corrupted. The local header cannot be found for
the compressed file &1. Processing of PKZIP will not continue. Review other
messages. If file was created using PKZIP, please contact the Product Services
Division at 1-937-847-2687 for assistance. If the file came from another source,
review the creation of the file to verify if it was transferred properly to iSeries.
244

AQZ0130-00
Explanation:
Self Extracting code for &1 found in archive file.
Informational PKZIP: Adjusting offsets in the archive file &1 for local headers. Only
displays with Verbose(*max).
AQZ0131-00
Explanation:
Zip diagnostic: Deleting file &1.
Informational PKZIP with TYPE(*DELETE): The file &1 was found in the archive and
removed.
AQZ0132-00
Explanation:
Error in Deleting file &1.
PKZIP with TYPE(*DELETE) could not delete the file &1 from the archive. Review job
log and other message that occurred during the PKZIP run to determine the cause.
AQZ0133-40
Explanation:
Deleting directory &1 (if empty).
PKZIP with TYPE(*DELETE) found a match and it was an empty directory. The
directory is being removed from the archive file.
AQZ0134-00
Explanation:
Zip Info: &1 &2.
Informational PKZIP about archive files when processing with enhanced debug turned
on.
AQZ0135-10
Explanation:
Zero-length name for entry # &1.
An error occurred reading the archive file for entry # &1. The name of the file has a
zero length. If processing continues, unpredictable results may occur. The source of
the archive file and its history of reaching it current state should be reviewed. Other
files in the archive should be valid.
AQZ0136-00
Explanation:
Bad extended local header for.
An archive file indicated it contained an extended local header. The header is
corrupted. Processing will be terminated. Run PKUNZIP with TYPE(*View) and
VIEWOPT(*Detail) to see if more information is available.
245

AQZ0137-10
Explanation:
Extended local header not found for &1.
An archive indicated it contained an extended local header for file &1. The extended
header could not be found nor processed. Run PKUNZIP with TYPE(*View) and
VIEWOPT(*Detail) to see if more information is available.
AQZ0138-00
Explanation:
Missing end signature -- probably not a archive file (did you
remember to use binary mode when you transferred it?).
The archive file did not have an end signature, which usually indicates it is not an
archive file or it is an incomplete archive file.
AQZ0139-00
Explanation:
Multiple disk information ignored.
PKZIP and PKUNZIP do not support multiple disk functionality.
AQZ0140-00
Explanation:
Name lengths in local and central differ for &1.
The archive file is corrupted. The name lengths of the file name in the local directory
are different than the name length in the central directory.
AQZ0141-00
Explanation:
Names in local and central differ for &1.
The archive file is corrupted. The file name & in the local directory is different than
the file name in the central directory. This is an invalid archive. Contact the Product
Services Division at 1-937-847-2687 for assistance.
AQZ0143-00
Explanation:
Rename failure: New archive file left as: &1.
PKZIP is trying to rename the temporary name for a requested archive and has failed.
Review the job log for cause. The archive file &1 is still valid but is saved using the
temporary name. Rename the temporary file manually to the requested archive
name.
AQZ0144-40
Rename failure: Tried to rename to &1.
Explanation: Part 2 of previous message AQZ0143-00.
246

AQZ0145-40
Explanation:
PKZIP could not open file for reading: &1.
PKZIP could not open file &1 for reading to compress. Review the job log and other
messages for cause.
AQZ0146-40
Explanation:
Archive file and directory with the same name: &1.
PKZIP found a file and directory to be selected with the same name. &1 will be
bypassed and the job terminated.
AQZ0147-00
Explanation:
will just copy entry over: &1.
PKZIP will copy the archive over the current archive file &1.
AQZ0148-40
Explanation:
Archive file empty.
PKZIP process ended with no files in the archive file. Review selection process and
preceding messages. The archive is not valid and cannot be used to extract files.
AQZ0149-10
Explanation:
File is being skipped due to previous error.
An error occurred processing file &1 and the parameter ERROPT was set to *SKIP
the file.
AQZ0150-40
Explanation:
Archive File is not found or empty without ADD TYPE.
PKZIP process is running without TYPE(*ADD); cannot find the specified archive file,
or the archive file is empty. For Actions other than *ADD, a valid archive must exist.
AQZ0151-00
Explanation:
include pattern or file could not find a match in search
path.
The Include pattern in the FILES or INCLFILE could not find a match during the
PKZIP run. Review selection parameters, the library list, or the current directory.
247

AQZ0152-20
Explanation:
Cannot have duplicate names in Zip Include.
PKZIP found entries in the FILES or INCLFILE that result in duplicate entries. Correct
and rerun.
AQZ0153-00
Explanation:
Duplicates: 1st=, 2nd=.
Part 2 of message AQZ0152 showing the duplicate files.
AQZ0154-20
Explanation:
Cannot read Archive file for *FRESHEN or *UPDATE.
PKZIP is running with TYPE *FRESHEN or *UPDATE and could not read the archive
file. Review the job log for other messages to determine cause.
AQZ0155-30
Explanation:
No files found for in archive file for *DELETE TYPE.
The file pattern specified for a PKZIP run with *DELETE found no files that matched in
the archive.
AQZ0156-00
Explanation:
Searching for files to include...
PKZIP searching for files that match entered file specifications.
AQZ0157-40
Explanation:
Library cannot not be found.
PKZIP, in an attempt to find file selections, could not find a specified Library. Review
selection criteria in FILES and INCLFILE. Run is terminated.
AQZ0158-40
Explanation:
File not found in Library &1.
PKZIP, in an attempt to find file selections, could not find a specified file in a specific
Library. Review selection criteria in FILES and INCLFILE. Run is terminated.
248

AQZ0160-40
Explanation:
SFX File &1 Cannot be opened. Run Terminated.
SELFXTRACT was coded to build an archive with a self extracting preamble. While
trying to open that SFX file &1, an error occurred. See previous detail job log for
more details on the failure. Contact the Product Services Division at 1-937-847-2687
for assistance.
AQZ0161-40
Explanation:
Error occurred while reading SFX file &1.
SELFXTRACT was coded to build an archive with a self extracting preamble. While
trying to read that SFX file &1, an error occurred. See previous detail job log for more
details on the failure. Contact the Product Services Division at 1-937-847-2687 for
assistance.
AQZ0162-40
Explanation:
Error Occurred while copying SFX file &1 to archive file.
SELFXTRACT was coded to build an archive with a self extracting preamble. While
trying to copy SFX file &1 to the archive, an error occurred. See previous detail job
log for more details on the failure. Contact the Product Services Division at 1-937-
847-2687 for assistance.
AQZ0163-00
Explanation:
Self Extracting code was added to archive with &2 bytes
SELFXTRACT(&1) was coded to build an archive with a self extracting preamble.
This is informational only on the addition of the preamble &1 to the archive.
AQZ0164-00
Explanation:
Removing &1 bytes preamble code from Archive File &2.
SELFXTRACT(*REMOVE) was coded to remove the self extracting preamble from
the archive. This is informational only on the removal of the preamble.
AQZ0165-00
Explanation:
File &1 exceeds 4 Gig and PKZIP is not running with GZIP(*YES).
File bypassed.
PKZIP is trying to compress file &1 in a standard archive (parameter GZIP is *NO)
and the sizes exceed 4 gigabytes. Use GZIP(YES) to compress.
249

AQZ0166-40
Explanation:
Self Extraction Creation cannot be performed with Encryption.
SELFXTRACT was coded to create a self extracting archive with advanced
encryption. Advanced encryption is not supported with self extracting archives.
AQZ0167-40
Explanation:
Self Extraction Creation cannot be performed with Large File
Support.
SELFXTRACT was coded to create a self extracting archive and it was determined
that ZIP64 format will be required for large file support. ZIP64 large file support is not
provided for self extracting archives.
AQZ0168-40
Explanation:
Self Extraction preamble &1 is not supported.
SELFXTRACT was coded to create a self extracting archive with &1. It is not
available on your current environment. The job will be terminated. Contact the
Product Services Division at 1-937-847-2687 for assistance.
AQZ0169-00
Explanation:
Inputted Recipient Listing.
Informational heading for ZIP and UNZIP. The recipient list that was inputted will
follow.
AQZ0170-00
Explanation:
&1 &2.
Informational. A message for each inputted recipient list when Verbose(*all). This will
show the optional/required, lookup type, and lookup string.
Example: Rqrd *LDAP EM=robb.ervin@pkware.com
Opt'l *File /pkzshare/CStores/public/suegantt04.cer
AQZ0171-00
Explanation:
Simulated List:&1.
CRTLIST(*SIMLUATE) was specified to simulate the selection list with the ZIP
process and each file selected is shown with this message.
250

AQZ0172-40
Explanation:
Recipient Processing Fail due to error code &1.
An internal error occurred with certificate processing. This should not occur. The
message detail contains diagnostic information of this occurrence. Please contact the
Product Services Division at 1-937-847-2687 for assistance. Control data .
AQZ0173-00
Explanation:
No Private Certificate found for decryption.
No valid private certificates were found. At least one private key required for
decryption. Control data .
AQZ0174-40
Explanation:
Recipient Encryption process failed.
An internal error occurred with recipient encryption processing. This should not
occur. The message detail contains diagnostic information of this occurrence.
Please contact the Product Services Division at 1-937-847-2687 for assistance.
Control data .
AQZ0175-00
Explanation:
Required Recipient Failed.
An inputted recipient was coded to be required, but either the recipient string could
not be found or the certificate was invalid. Review the inputted recipient shown in the
message
AQZ0176-40
Explanation:
Invalid &1 Store for Recipient Processing.
Either the public store, private store or LDAP definitions in the configuration security
file are invalid. Run PKCFGSEC *VIEW and review the store definitions.
AQZ0177-40
Explanation:
No Recipients were selected for Encryption process.
Recipient encryption was requested, but no valid recipients were found. Review
inputted recipients and verify their existence.
AQZ0178-40
Explanation:
Required Recipient failed selection process.
Inputted recipient that was coded as “required” failed to be found or contained an
invalid certificate.
251

AQZ0179-00
Explanation:
Total Recipients processed &1.
Information only. Displays the total number of recipients that were selected for
processing.
AQZ0180-40
Explanation:
Recipient Requires Password for Private Key.
UNZIP recipients require a certificate password for each recipient. This is required to
access the private key for decryption. Re-run with password for each recipients
certificate.
AQZ0181-00
Explanation:
Could Not Process Recipient In File .
While trying to parse an INLIST recipients file, an error was found. Review the
format, separators, beginning character and ending character.
AQZ0182-00
Explanation:
Invalid Recipient InFile Record Nbr &2.
While trying to parse an INLIST recipients file, an error was found. Review the
format, separators, beginning character and ending character. This shows the record
number that caused the error in the INLIST file.
AQZ0183-00
Explanation:
Archive Recipient List:
Informational Heading. The recipient list messages AQZ0184 follows.
AQZ0184-00
Explanation:
CN=&1 EMail=&2.
Informational. Each recipient that is included in the process will be listed showing the
common name and email address.
AQZ0185-00
Explanation:
Certificate Database is not Active.
A recipient was authorized to use the certificate locator database (*DB) but the
certificate database is not set to active in the security configuration file. Use
PKCFGSEC *VIEW to view settings. And then use PKCFGSEC to set the database
settings.
252

AQZ0186-40
Explanation:
Security Configuration Turned Off to disallow Certifcate
Processing.
A recipient was coded in the ENTPREC parameter, but the security configuration file
is either missing or is not active (ZIP Secure Settings/ SecureZIP Active=NO). Use
PKCFGSEC *VIEW to view settings. Use PKCFGSEC to set it active.
AQZ0187-40
Explanation:
No Private Key(s) provided to perform Decryption.
Recipients supplied for decryption, but there were no recipients with a password (for
private keys) that was selected. To do decryption, at least one valid private key is
required.
AQZ0188-40
Explanation:
Recipient INLIST file &1 cannot be opened.
The recipient list contains a lookup type of *INLIST for Inlist file processing. The file
string supplied could not be found or opened. Verify the file and the file system
where it resides. See TYPLISTFL parameter.
AQZ0189-40
Explanation:
No Signers were selected for Digital Signing processing.
Digital signing was requested, but no valid signers were found. Review inputted
signers and verify existence of certificates.
AQZ0190-40
Explanation:
Signing Processing Fail due to error code &1.
An Internal error occurred with certificate processing. This should not occur. The
message detail contains diagnostic information of this occurrence. Please contact the
Product Services Division at 1-937-847-2687 for assistance. Control data .
AQZ0191-40
Explanation:
More Than one (1) Archive Signer was submitted..
Only one archive signer is permitted. Change the SIGNERS parameter and resubmit
with one archive signer.
AQZ0192-40
Explanation:
Required Signer or Authenticator failed selection process.
Inputted signer or authenticator that was coded as "Required" failed to be found or
contained an invalid certificate.
253

AQZ0193-40
Explanation: T.
Authenticating processing Failed due to error code &1.
AQZ0194-40
Explanation:
Request for Specific Authenticator was not found.
Post &1.
AQZ0195-40
Explanation:
File Authentication check unsuccessful.
Based on the authentication filters, one or more archive authentications failed.
Failure codes (&1).
AQZ0196-30
Explanation: x.
Archive Has been Tampered with: Archive Authentication has been
removed.
AQZ0197-40
Explanation:
Archive Authentication check unsuccessful.
Based on the authentication filters, one or more archive authentications failed.
Failure Codes (&1).
AQZ0198-40
Explanation:
Request for Optional Authenticators were not found.
Post &1.
AQZ0199-40
Explanation: T.
Run being terminated for Authentication failure.
AQZ0200-40
Signers Requires password.
Explanation: Control data .
254

AQZ0201-00
Explanation:
PKUNZIP Archive: &1.
PKUNZIP Informational: Currently processing archive file &1.
AQZ0203-10
Explanation:
Caution: File name not matched: &1.
PKUNZIP could not find the specified file name in the FILES and/or INCLFILE
parameters. File is not extracted.
AQZ0204-10
Explanation:
Caution: Excluded file name not matched: &1.
Based upon entered EXCLUDE and EXCLFILE parameters, PKUNZIP did not find
any names to exclude. This is informational only.
AQZ0205-00
Explanation:
Please check that you have transferred or created the Archive
File in the appropriate BINARY mode.
PKUNZIP displays this message as a reminder of a common cause of an invalid
archive file. This message appears with invalid archive messages.
AQZ0206-40
Explanation:
Archive name contains invalid characters.
The archive name contains characters that are invalid and will cause the archive to
fail to be created. Correct archive and execute the job again.
AQZ0208-00
Explanation:
Skipping: &1 unsupported compression method &2.
PKUNZIP, while trying to extract file &1, found an unsupported compression method.
The file is unable to be extracted. Run PKUNZIP with TYPE(*VIEW) and
VIEWOPT(*Detail) for more information about the file and its compression method.
This file is skipped in this extraction run
AQZ0209-40
Explanation:
Signing is not activated.
The signing of files and/or archives are set to No in the enterprise configuration file.
(See PKCFGSEC)..
255

AQZ0210-40
Explanation:
Authentication is not activated.
The authentication of files and/or archives are set to No in the enterprise configuration
file. (See PKCFGSEC)..
AQZ0211-00
Explanation:
&1 appears to use backslashes as path separators.
The selection file &1 appears to have double \\ in the name for path separators. Run
will continue processing with normal separators. Review results to verify.
AQZ0212-00
Explanation:
Error: Invalid response [&1].
An Invalid response was received for a reply message. Review the reply message
request for a valid response, and once located, enter a valid response.
AQZ0213-00
Explanation:
At least one error was detected in &1.
PKUNZIP encountered at least one error while processing. Review job log for
messages.
AQZ0214-00
Explanation:
Caution: Zero files tested in &1.
PKUNZIP found no files to test while processing with TYPE(*TEST). Review job log
for other messages and review selection criteria. Run PKUNZIP with TYPE(*VIEW)
and VIEWOPT(*Detail) to verify archive file.
AQZ0215-00
Explanation:
Skipping: &1 unable to get password.
PKUNZIP is processing file &1 and it is encrypted, but no password was entered for
this run. Re-run PKUNZIP with a correct password for file &1. Processing continues
with other files.
AQZ0216-00
Explanation:
Skipping: &1 incorrect password.
PKUNZIP is trying to process file &1 that is encrypted, but the password entered for
this run was incorrect for this file. Processing continues. Execute the job again with
the correct password.
256

AQZ0217-00
Explanation:
&1 file(s) skipped because of incorrect password.
During this run of PKUNZIP, &1 file(s) were not processed due to incorrect passwords
or missing passwords.
AQZ0218-00
Explanation:
(May instead be incorrect password).
Part 2 of message AQZ0226 to remind that the failure may be due to an incorrect
password. Review to see if file is encrypted by running PKUNZIP with TYPE(*VIEW)
and VIEWOPT(*Detail) for the file and verify that encryption is on for the file.
AQZ0219-00
Explanation:
No errors detected in compressed data of &1.
PKUNZIP encountered errors with archive file &1 during run. Review job log for
messages.
AQZ0220-00
Explanation:
No errors detected in &1 for &2 file(s) tested.
PKUNZIP was run with TYPE(*TEST). No errors were found in testing the selected
files in the archive file &2.
AQZ0221-00
Explanation:
&1 file(s) skipped because of unsupported compression or
encoding.
PKUNZIP encountered &1 files that were bypassed due to unsupported compression
methods. Review the job log for details.
AQZ0224-00
Explanation:
Warning: &1 is probably truncated.
While trying to extract file &1, some type of write error occurred, forcing an incomplete
extraction. The file has probably been truncated. Review the job log for more
information about why this message occurred.
AQZ0225-20
Explanation:
&1: Unknown compression method.
Compression method number &2 was found in the archive for file &1. This
compression is unknown and is not supported by this PKUNZIP version. PKUNZIP
will skip this file and then will attempt to extract the next file within the archive.
257

AQZ0226-00
Explanation:
&1: Bad CRC &2.
While extracting file &1, the CRC calculated for the file was not the same as the CRC
stored in the archive for the file.
AQZ0227-00
Explanation:
&1: Compressed EA data missing (&2 bytes).
In extracting file &1, it was identified to be created as an EF NTSD file. The EA data
is missing and the file will be not be extracted.
AQZ0228-00
Explanation:
Field entry: EF block length (&1 bytes) exceeds remaining EF
data (&2 bytes).
Inconsistent extra field data was found, which will be ignored. The extracted file data
should be valid.
AQZ0231-00
Explanation:
&1: Bad CRC for extended attributes.
A bad CRC was found in the extended attributes for an archive created by an OS/2
system. Extended Attributes are ignored.
AQZ0232-00
Explanation:
&1: Unknown compression method for EAs (&2).
An unknown compression method found for an archive created by an OS/2 system.
File is not extracted. Run PKUNZIP with TYPE(*VIEW) and VIEWOPT(*ALL) to see
archive details.
AQZ0234-00
Explanation:
&1 archive&2 successfully processed.
Informational: &1 is the number of files that were processed successfully in the
archives.
AQZ0235-00
Explanation:
&1 archive&2 had warnings but no fatal error.
Informational: &1 is the number of files processed in the archives that issued a
warning. Review job log for their warnings.
258

AQZ0236-00
Explanation:
&1 archive&2 had fatal errors.
There were &1 files in the archives that had a fatal error and could not be processed.
Review job log for messages of the files that failed.
AQZ0240-00
Explanation:
No Archive files found.
While searching for an archive to extract from, no archive file was found. Review to
see that the archive exists.
AQZ0241-00
Explanation:
Cannot find archive file internal end directory in one of &1 or
&2%s.zip, and cannot find %s, period.
The archive file may not be an archive or it may be corrupted.
AQZ0242-40
Explanation:
Cannot find archive file &1, &2.
The archive file could not be found. Review command parameters.
AQZ0246-00
Explanation:
Note: &1 may be a plain executable, not an archive.
The archive file &1 is not an archive. Either it is corrupted, or it could be an
executable object.
AQZ0247-00
Explanation:
Warning [&1]: &2 extra bytes at beginning or within Archive
File (attempting to process anyway).
The archive &1 contains extra bytes within the archive. Will attempt continued
extraction. Verify other messages within the job log and review source of archive file.
If no failing message occurs, the extract file should be valid.
AQZ0250-00
Testing: &1.
Explanation: PKUNZIP Informational: TYPE(*TEST) is in the processing of testing file &1.
259

AQZ0251-00
Explanation:
Extracting: &1 &2.
PKUNZIP Informational: TYPE(*EXTRACT) is in the process of extracting a stored
file &1 with mode of empty, binary, text, text in EBCDIC, SAVF, or database file.
AQZ0252-00
Explanation:
Unshrinking: &1 &2.
PKUNZIP Informational: TYPE(*EXTRACT) is in the process of extracting file &1 that
was compressed with the shrink method, and with either a mode of empty, binary,
text, text in EBCDIC, SAVF, or database file.
AQZ0253-00
Explanation:
Exploding: &1 &2.
PKUNZIP Informational: TYPE(*EXTRACT) is in the process of extracting file &1 that
was compressed with the implode method, with either a mode of empty, binary, text,
text in EBCDIC, SAVF, or database file.
AQZ0254-00
Explanation:
Inflating: &1 &2.
PKUNZIP Informational: TYPE(*EXTRACT) is in the process of extracting file &1 that
was compressed with the Deflate method, with either a mode of empty, binary, text,
text in EBCDIC, SAVF, or database file.
AQZ0255-10
Explanation:
Member truncated to 10 characters.
The member name of a file being extracted exceeds the ten-character limitation for an
iSeries file member name. The name is truncated to ten characters.
AQZ0256-10
Explanation:
Warning: Cannot set times for &1.
After extracting a file to the integrated file system, PKUNZIP failed to reset the date
and time from the archive file to the file extracted to IFS. The file data is correct.
AQZ0257-00
Explanation:
When Creating an out list file, TYPE must be *VIEW with *NORMAL
view.
PKUNZIP has keyword CRTLIST specified and can only be used with TYPE(*VIEW)
and VIEWOPT(*NORMAL). Correct the TYPE value and execute the job again.
260

AQZ0258-10
Explanation:
Overriding Library is invalid.
Parameter EXDIR was specified in PKUNZIP with TYPE(*EXTRACT) and
TYPFL2ZP(*DB). The first path in EXDIR contains an invalid Library due to the name
exceeding 10 characters. Run is aborted. Correct the command and execute the job
again.
AQZ0259-00
Explanation:
Target file exists. Skipping &1.
Warning: PKUNZIP was extracting file &1, but the file already exists. Parameter
OVERWRITE was either set to *NO or it was set to *PROMPT and the response on
the prompt was N.
AQZ0260-00
Explanation:
Target file newer. Skipping &1.
Warning: PKUNZIP was extracting file &1 with TYPE(*NEWER). The current file is
newer than the file in the archive and will be skipped.
AQZ0261-00
Explanation:
File: &1 tested OK.
Informational: PKUNZIP with TYPE(*TEST) tested file &1 and found no problems.
AQZ0262-20
Explanation:
Warning! &1 already exists. Reply Y, N, A, R, y, n, or r.
Y = Overwrite this file with the file extracted from the archive. N = The file will not be
extracted from the archive. A = All files in the archive will be extracted and will
overwrite any existing files of the same name. R = you will be prompted for a new file
name. The default is N. If you wish to change this default then use the CHGMSGD
command.
AQZ0263-00
Explanation:
Enter in the new File Name for &1.
PKUNZIP issued message AQZ0262 for prompt for the over writing of file &1. The
response received was "R" to rename the file. Enter in a valid name for the new file.
261

AQZ0264-20
Explanation:
Warning: EBCDIC Translation code x’15’ must convert to x’0a’
in &1(&2) override.
Keyword TRAN (Data EBCDIC Translation Mbr) was selected with an override
member. EBCDIC code x’15’ must translate to x’0A’ for iSeries EOL(end of line)
character. Correct and execute the job again.
AQZ0265-00
Explanation:
Warning: The password has embedded blanks.
A password was entered for PKZIP keyword PASSWORD() and was found to have
blanks embedded. Some systems do not accept embedded blanks in the password.
Run continues with the entered password.
AQZ0266-00
Explanation:
Tersing &1 in &2 mode.
PKZIP Informational: File &1 is being compressed with the TERSE compression
method with either a mode of empty, binary, text, text in EBCDIC, SAVF, or database
file.
AQZ0267-00
Explanation:
unTersing &1 &2
PKUNZIP Informational: TYPE(*EXTRACT) is in the process of extracting file &1 that
was compressed by the TERSE method, with either a mode of empty, binary, text,
text in EBCDIC, SAVF, or database file.
AQZ0268-10
Explanation:
Warning! Record length mismatch. Archived file record length
= &1, output file record length = &2.
PKUNZIP has detected that the output file and the file in the archive have different
record lengths. PKUNZIP will still try to extract the data, but the format and
appearance of the data is not guaranteed. Please consult the manual for more
information.
AQZ0269-40
Explanation:
Password Failed Enterprise Security Settings.
The security configuration defines the password settings, and the password entered
does not conform to the enterprise settings. Do a PKCFGSEC *VIEW to view the
Password configuration.
262

AQZ0270-40
Explanation:
Password does not match the Verify Password. Re-enter and try
again.
The password entered in the VPASSWORD parameter does not match than the
password entered in the PASSWORD parameter or VPASSWORD is missing when
advanced encryption was selected. The run will be terminated. Re-issue the
command and verify both PASSWORD and VPASSWORD contains the same values.
AQZ0271-40
Explanation:
Compressed Size Invalid for Advance Encryption.
File &1 requires advanced encryption but has an invalid compress size of &2. Do a
PKUNZIP TYPE(*VIEW) VIEWOPTION(*DETAIL) for more information about file.
extract or test will continue.
AQZ0272-40
Explanation:
Advance Encryption is invalid for GIZP Archive.
PKZIP is running with GZIP(*YES) and the option ADVCRYPT is specifying advanced
encryption (other than *NONE and ZIPSTD), GZIP only supports ZIP standard for
iSeries and zSeries. Note: Standard GZIP on platforms other than iSeries and
zSeries do not support encryption.
AQZ0273-40
Explanation:
Major Error Occurred with Advanced Encryption with New File
size. Will Try to continue.
PKUNZIP failed while extracting a file with invalid advanced encryption controls. The
extracted size exceeds the uncompressed size &1 by &2 bytes. Contact the Product
Services Division at 1-937-847-2687 for assistance.
AQZ0274-40
Explanation:
Encryption Method is not Supported.
PKUNZIP cannot extract file due to the encryption method indicated on the archive.
Perform PKZIP TYPE(*VIEW) VIEWOPT(*ALL) to check encryption method on
message AQZ0872. Only valid encryption methods supported are: Zip standard, AES
128, AES 192, and AES 256.
AQZ0275-40
Explanation:
A File in the Archive coded for Adavnced Encryption was found
to be Invalid.
PKUNZIP was extracting a file coded as being archived with advanced encryption.
The file is invalid due to invalid encryption data. Perform PKZIP TYPE(*VIEW)
VIEWOPT(*ALL) and check other messages in the job log for possible causes. If this
continues, please contact the Product Services Division at 1-937-847-2687 for
assistance.
263

AQZ0276-40
Explanation:
Security Types Not Supported for file Archive.
PKUNZIP could not extract file. archive indicates that it contains security types of
certificate signature or combination password and signature. PKUNZIP only supports
password only. Do a PKUNZIP TYPE(*VIEW) VIEWOPT(*DETAIL) to see security
type.
AQZ0277-40
Explanation:
Security Settings Require a Password on ZIP processes.
The security configuration states that all archives must have a password for
encryption, but no password was entered in the PASSWORD parameter. See
PKCFGSEC.
AQZ0278-40
Explanation:
Enterprise Security Requires at least one Recipient for
Certificate processing.
The security configuration states that all archives must have at least one recipient for
encryption, but no recipients were entered. See “ZIP Secure Settings: Recipient
Secure(*RQD)” in PKCFGSEC *VIEW.
AQZ0280-40
Explanation:
Only TYPE(*ADD) or TYPE(*MOVE) are valid with Spool Files
selection.
When parameter TYPFL2ZP(*SPL) is used for spool file selection, only *ADD and
*MOVE are valid settings for the TYPE parameter. Correct and execute the job
again.
AQZ0281-40
Explanation:
File Inlcudes and Excludes are invalid for Spool File
selection.
When parameter TYPFL2ZP(*SPL) is used for spool file selection, the INCLUDE and
EXCLUDE parameters are not allowed. Correct and execute the job again.
AQZ0282-40
Explanation:
Input list file for file includes and excludes are invalid with
Spool File Selection.
When parameter TYPFL2ZP(*SPL) is used for spool file selection, the INCLFILE and
EXCLFILE parameters for list input file includes and excludes are not allowed.
Correct and execute the job again.
264

AQZ0283-40
Explanation:
Date selection (DATETYPE) with Before or After is Invalid with
Spool File Selection.
When parameter TYPFL2ZP(*SPL) is used for spool file selection, the DATETYPE
must be *NONE. Correct and execute the job again.
AQZ0284-40
Explanation:
STOREPATH(*NO) is invalid with Spool Selection.
When parameter TYPFL2ZP(*SPL) is used for spool file selection, the STOREPATH
must be *YES. Correct and execute the job again.
AQZ0285-40
Explanation:
The Spooled File and/or Attributes cannot be retrieved. Error
Code=&1 with &2.
While trying to retrieve a Spool File or the spool file attributes, an error (code=&1 with
&2) occurred. Job will be aborted. It may be that the spool file was being modified.
Try to execute the job again. If problem persists, please contact the Product Services
Division at 1-937-847-2687 for assistance.
AQZ0286-40
Explanation:
Job information cannot be retrieved. Job ending with Error
Code (&1 - &2).
Information about current job could not be retrieved. Job will be aborted. Try |rerunning.
If problem continues, please contact the Product Services Division at 1-937-
847-2687 for assistance.
AQZ0287-40
Explanation:
Spool File Selection List could not generated. Job ending with
Error Code (&1 - &2).
While trying to select spool files for processing, the job has failed while generating a
list of spool files. Try to execute the job again. If problem persists, please contact the
Product Services Division at 1-937-847-2687 for assistance.
AQZ0288-40
Explanation:
Abnormal Error Occurred while processing Spool Files.
While processing a spool file, an internal error occurred with error codes (&1 - &2).
Try re-running. If problem continues, please contact the Product Services Division at
1-937-847-2687 for assistance.
265

AQZ0289-40
Explanation:
Failure occurred during creation of Spool File.
While trying to create a spool during extraction, a failure occurred with error codes
(&1 - &2). Try re-running. If problem continues, please contact the Product Services
Division at 1-937-847-2687 for assistance.
AQZ0291-40
Explanation:
SFJOBNAM in the PKZIP command is incomplete or Invalid.
If the Spool File Job Name is “*”, spool file job user and spool file job number must be
blank. Otherwise all fields must contain valid name, user and number or they must all
be blank. Correct and execute the job again.
AQZ0292-40
Explanation:
Error Occurred while transforming the spool file. Job is
aborted.
A major error has occurred while transforming a spool file to an ASCII file. Job is
being aborted with exception code(&1-&2). Try to execute the job again. If this
failure continues, please contact the Product Services Division at 1-937-847-2687 for
assistance.
AQZ0293-40
Explanation:
Parameter SFTARGET(*SPLF) requires SFTGFILE(*GEN1). Correct
and re_run.
SFTGFILE must be coded as *GEN1 when requesting a target type of Spool File
SFTARGET(*SPLF). Correct and execute the job again.
AQZ0294-40
Explanation:
Spoof File (&1) is &2 type print file and Convert Format is
TEXT. File bypassed.
Only spool file types *SCS, *IPDS and *AFP are valid for text conversion. &2 type
cannot convert to TEXT format.
AQZ0295-10
Explanation:
Spool File &1 is being skipped due to being in OPEN Status.
Spool files that are in an open status are not eligible for selection. File will be
skipped.
266

AQZ0296-10
Explanation:
Spool File "&1" Exceeds Maximum allowed size.
The spool file &1 exceeded the maximum allowed of &2. File will be either skipped or
the job will end based on ERROPT settings.
AQZ0297-40
Explanation:
The Output Queue for Spool Files selection cannot be found.
The output queue specified in parameter SFQUEUE is invalid or cannot be found in
the libraries specified.
AQZ0298-40
Explanation:
Invalid Code Page for Spool File conversion.
While trying to convert a spool file to ASCII text, it was found the code page was
invalid. Review parameter IFSCDEPAGE for overrides. Error occurred while using
page code from &1 to &2.
AQZ0299-40
Explanation:
Spool File Target File Cannot be named GEN1 nor GEN2 nor start
with an *.
Spool file parameter SFTGFILE cannot have file names GEN1 and GEN2. This is to
prevent mistakes by leaving off the leading *. SFTGFILE cannot start with an * other
than special names *GEN1, *GEN1P and *GEN2'.
AQZ0300-10
Explanation:
A Specific File name was specified in SFTGFILE, but more than 1
spool file was selected.
When specifying a file name in SFTGFILE, only one spool file can be selected.
Correct selections and re-run.
AQZ0301-40
Explanation:
Parameter SFTARGET(*SPLF) requires EXTRAFLD(*YES). Correct and
re_run.
In order to be able to extract a spool file, extended attributes are required.
AQZ0302-40
Explanation:
FILETYPE parameter must be (*DETECT) when compressing Spool
Files.
When parameter TYPFL2ZP(*SPL) is coded to compress spool files, the FILETYPE
parameter must be (*DETECT).
267

AQZ0303-10
Explanation:
Warning: Only Local Extended Attributes was selected to store
iSeries Extended Attributes.
This is a warning that the extra data fields will be stored only in the local directory
because of parameter EXTRADATA(*LOCAL). SecureZIP for iSeries will not utilize
the extended attributes.
AQZ0304-30
Explanation:
SFJOBNAM(&1) Job cannot not be found or is invalid.
The parameter SFJOBNAM(&1) for job selection of a spool file could not be found or
is an invalid job. Correct and execute the job again.
AQZ0305-30
Explanation:
SPLNBR parameter is non-numeric or invalid.
The SPLNBR must be either *ALL, *LAST, or it must be a numeric value from 1 thru
999999. Correct and execute the job again.
AQZ0306-40
Explanation:
SFQUEUE with *SEL has invalid Outq library reference.
The SFQUEUE parameter has the *SEL for the OUTQ name, but the library is either
blank, *LIBL, or *CURRENT. PKZIP will be aborted. Correct and execute the job
again.
AQZ0306-40
Explanation:
SFQUEUE with *SEL has invalid Outq library reference.
The SFQUEUE parameter has the *SEL for the OUTQ name, but the library is either
blank, *LIBL, or *CURRENT. PKZIP will be aborted. Correct and execute the job
again.
AQZ0307-00
Explanation:
The SIGNPOL validation is locked down at the enterprise level.
Warning. The SIGNPOL validation is locked down at the enterprise setting, therefore
parameters request are ignored.
AQZ0308-00
Explanation:
The AUTHPOL validation is locked down at the enterprise level.
Warning. The AUTHPOL validation is locked down at the enterprise setting, therefore
parameters request are ignored.
268

AQZ0309-00
Explanation:
The ENCRYPOL validation is locked down at the enterprise level.
Warning. The ENCYRPOL validation is locked down at the enterprise setting,
therefore parameters request are ignored.
AQZ0310-00
Explanation:
The SIGNPOL filters ared locked down at the enterprise level.
Warning. The SIGNPOL filters are locked down at the enterprise setting, therefore
parameters request are ignored.
AQZ0311-00
Explanation:
The AUTHPOL filters ared locked down at the enterprise level.
Warning. The AUTHPOL filters are locked down at the enterprise setting, therefore
parameters request are ignored.
AQZ0312-00
Explanation:
The ENCRYPOL filters ared locked down at the enterprise level.
Warning. The ENCRYPOL filters are locked down at the enterprise setting, therefore
parameters request are ignored.
AQZ0320-30
Explanation:
Insufficient authority to open secured Archive. Requires valid
&1.
The archive specified is a filename-encrypted archive that requires validation before it
can be opened by a password and/or valid private key from a recipient.
AQZ0321-40
Explanation:
Problem Procssing FNE.
An Internal error occurred with filename-encryption processing. This should not
occur. The message detail contains diagnostic information of this occurrence.
Please contact the Product Services Division at 1-937-847-2687 for assistance.
Please provide the message details for support.
AQZ0322-40
Explanation:
FND Temporary File Failure.
An Internal error occurred with the filename-encryption processing temporary file.
The message detail contains diagnostic information of this occurrence. Please
contact the Product Services Division at 1-937-847-2687 for assistance. Please
provide the message details for support.
269

AQZ0324-00
Explanation:
Warning: FNE Input Archive being converted to Non-FNE.
The archive currently specified is a filename-encrypted archive, and the filename
encryption parameter is coded as “FNE(*NO *YES)”. This will convert the filenameencrypted
archive to be a non-filename-encrypted archive. This is a warning only.
AQZ0325-40
Explanation:
FNE is Invalid with GZIP.
Both GZIP(*YES) and FNE(*YES) was entered. Filename encryption is an invalid
GZIP option.
AQZ0326-40
Explanation:
FNE Requires a Password and/or Recipients.
FNE(*YES) was entered to create a filename-encrypted archive, but no password or
recipients were entered.
AQZ0327-40
Explanation:
FNE Requires Strong Encryption Algorithm.
FNE(*YES) was entered to create a filename-encrypted archive, but the parameter
ADVCRYPT was *NONE or ZIPSTD. Filename encryption requires advanced
encryption.
AQZ0328-30
Explanation:
Input Archive is FNE with FNE(*NO *NO). Requires FNE Overwrite
*YES to convert to non-FNE.
The archive currently specified is a filename-encrypted archive, but the filename
encryption parameter was FNE(*NO *NO). This filename-encryption setting will not
create a new filename-encrypted archive or overwrite an existing filename-encrypted
archive. If the updated archive is to be filename-encrypted, the parameter should be
FNE(*YES). If the updated archive should be a non-FnE, the parameter should be
(*NO *YES).
AQZ0329-00
Explanation:
Warning FNE will force EXTRAFLD(*CENTRAL).
The filename encryption parameter was *YES to create an FnE archive, but the extra
field was either *LOCAL or *BOTH. SecureZIP will force EXTRAFLD(*CENTRAL).
270

AQZ0330-00
Explanation:
Warning:FNE archive found. Inputted Password and/or Recipients
will be ignored.
The archive currently specified is a filename-encrypted archive for updating. The
archive will be updated with its current password and/or recipients. This is a warning
that any new password or new recipients will be ignored.
AQZ0401-40
Explanation:
Memory allocation failure while processing Parameters &1 &2.
A failure occurred while trying to allocate memory. Check other messages in the job
log for possible causes and refer to Appendix C about memory errors. If this
continues, please contact the Product Services Division at 1-937-847-2687 for
assistance.
AQZ0402-40
Explanation:
I/O Error: &1.
An I/O error occurred. This message will help describe a previous message. Review
all messages in the job log to resolve the problem.
AQZ0403-40
Explanation:
Open error occurred on Translate table .
While opening file &1, an open error occurred. Review FTRAN and TRAN keyword
entries and messages in the job log to determine the cause of problem. Current run
is terminated.
AQZ0404-40
Explanation:
Read Error while reading Translate table .
While reading file &1, an error occurred. Review FTRAN and TRAN keyword entries
and messages in the job log to determine the cause of the problem. Browse file &1
and review the data to ensure it follows the requirements of a translate table. The
current run is terminated.
AQZ0405-40
Explanation:
Translate Table must have 256 entries. File found &2
entries.
A translation table is required to have 256 entries. Browse file &1 and review the data
to ensure it follows the requirements of a translate table. The current run is
terminated.
271

AQZ0406-40
Explanation:
Internal Error. Should not occur "&1".
If this error occurs, review to ensure you have a valid archive. Please contact the
Product Services Division at 1-937-847-2687 for assistance. Current run is
terminated.
AQZ0407-40
Explanation:
&1 file size changed while zipping.
PKZIP has determined that the size of file &1 has changed while compressing. Size
Information (&2). File should be compressed again.
AQZ0408-40
Explanation:
Compression of input file &1 failed. Could not read input
file.
A read error occurred while trying to compress input file &1. Review all job log
messages to determine cause of read error. The job is terminated.
AQZ0409-40
Explanation:
Failure during user space creation &1.
A failure occurred while using an API, which required a user space that failed. See
message &2 in job log for which API and why the failure occurred. The job is
terminated.
AQZ0410-40
Explanation:
API list command failure due error &1 &2.
Review error message &1 for more information why API list command &2 failed. The
job is terminated.
AQZ0411-40
Explanation:
File &1. is not a database.
A list member API was issued for file &1. A return message, "CPF3C23," indicates
this file is not a database file, which is allowed to have members. Review file &1 to
ensure it is a valid file to compress. The job is terminated.
AQZ0412-00
Explanation:
API error &1. Get Member descriptions .
While issuing a Get Member descriptions for file &2, error &1 occurred. Review
message &1 for more information.
272

AQZ0413-00
Explanation:
API error &1. Database File descriptions .
While retrieving the file descriptions for file &2, error &1 occurred. Review message
&1 for more information.
AQZ0414-00
Explanation:
API error &1. Get Object descriptions .
While retrieving object descriptions for file &2, error &1 occurred. Review message
&1 for more information.
AQZ0415-00
Explanation:
API error &1. Change Object descriptions .
While issuing a change to the object &2, error &1 occurred. Review message &1 for
more information.
AQZ0416-00
Explanation:
API error &1. Process Command .
While trying to process command &2, error &1 occurred. Review message &1 for
more information. This may occur if the user does not have the proper authority for
the command.
AQZ0417-40
Explanation:
Error writing List file &1.
Keyword CRTLIST was specified and an error occurred while writing to file &1.
Review all job log messages for more details. The job will be terminated.
AQZ0418-40
Explanation:
Error opening or closing list file &1.
Keyword CRTLIST was specified and an error occurred while &2 was opening or
closing file &1. Review all job log messages for more details. The job will be
terminated.
AQZ0419-40
Explanation:
Cannot open file for Include selection.
File &1 (specified in keyword INCLFILE) cannot be opened. See job log messages
for more information. Verify that file &1 is a valid file for input to include selection.
The job is terminated.
273

AQZ0420-40
Explanation:
Cannot open file for Exclude filtering.
File &1 (specified in keyword EXCLFILE), cannot be opened. See job log messages
for more information. Verify that file &1 is a valid file for input to exclude selection.
The job is terminated.
AQZ0421-00
Explanation:
File failed while retrieving the members for the file.
Review Job Log for previous message for details of failure.
When trying to retrieve the members for file and record , the API failed.
The job log will show more details in the previous messages. One cause may be the
file was remote and could not be accessed.
AQZ0450-40
Explanation:
Did not find end-of-central-dir signature at end of central
dir.
While scanning an archive for proper archive signatures, the end of central directory
signature could not be found. Ensure it is a valid archive or if the archive was sent via
FTP; ensure binary was used.
AQZ0451-40
Explanation:
Expected central file header signature not found (file #&1).
While scanning an archive for proper archive signatures, the expected central file
header signature could not be found. The archive may be corrupted, or it was
transferred from another source incorrectly.
AQZ0452-40
Explanation:
Attempt to seek before beginning of Archive file &1.
While scanning the archive for valid information, an offset caused PKZIP to attempt
seeking functions prior to the beginning of the archive. The archive may be
corrupted.
AQZ0453-40
Explanation:
&1: Bad file comment length.
The archive indicated that a comment existed for file &1. The length was zero, or the
comment length was wrong. Run PKUNZIP with detail view for more information.
274

AQZ0454-40
Explanation:
Invalid option mixture - should never occur by using PKUNZIP
Command.
Please contact the Product Services Division at 1-937-847-2687 for assistance.
AQZ0455-40
Explanation:
Both Overwrite *NONE and *ALL specified; ignoring *ALL - This
should never Occur.
By using the PKUNZIP command this error should never occur. Please contact the
Product Services Division at 1-937-847-2687 for assistance.
AQZ0456-40
Explanation:
&1: bad filename length in &2 directory.
File &1 was found to have a bad file name length in the archive &2 directory.
Processing will continue at the next entry. Try running PKUNZIP with
VIEWOPT(*DETAIL) to gather more information. The archive may be corrupt.
AQZ0457-40
Explanation:
&1: Bad Extra data length in &2 directory.
File &1 was found to have a bad extra data length in the archive &2 directory.
Processing will continue at the next entry. Try running PKUNZIP with a detail view to
gather more information. The archive may be corrupt.
AQZ0458-40
Explanation:
File # &1: Bad Archive File offset (&2): &3.
PKUNZIP was trying to extract or test files in the archive. File number #1 in archive
contained a bad offset length (&2).
AQZ0459-20
Explanation:
Length warning: &1 bytes [&2].
Length Warning: Based on the local directory, the bytes required are less than the
actual bytes used. Review the extracted file and ensure it is extracted correctly. Run
PKUNZIP with view detail to check files sizes. The file is extracted and the process
continues.
AQZ0460-40
Explanation:
Length Error: &1 bytes [&2].
Length Failure: Based on the local directory, the bytes required are more than the
actual bytes used. Review the extracted file and ensure it is extracted correctly. Run
275

PKUNZIP with view detail to check files sizes. The file is extracted and the process
continues.
AQZ0461-40
Explanation:
Error: Not enough memory to Unshrink &1.
While trying to allocate memory to Un-shrink file &1, an error occurred. All processing
is terminated. Check other messages in the job log for possible causes and refer to
Appendix C about memory errors. If this continues, please contact the Product
Services Division at 1-937-847-2687 for assistance.
AQZ0462-40
Explanation:
File #&1: Bad local header.
File in the archive with sequence number &1 has an invalid local directory header.
File cannot be extracted or tested. The archive may be corrupt.
AQZ0463-40
Explanation:
(Attempting to re - compensate).
An error occurred previously in the archive (see the message log). An attempt will be
made to compensate for the error.
AQZ0464-40
Explanation:
Skipping: &1 %2 volume label.
An archive created under another system has a volume label appearing in the
archive. iSeries cannot process this request and will skip file &1.
AQZ0468-40
Explanation:
Invalid compressed data to &1 &2.
While attempting to uncompress file &2 using method &1, it was determined that the
compressed data was invalid or corrupt. Review the log for other messages to help
diagnose the problem. Do a PKUNZIP with VIEWOPT(*DETAIL). Verify the source
of the archive that is being processed to verify if it was created using a compression
product from PKWARE, Inc. Please contact the Product Services Division at 1-937-
847-2687 for assistance.
AQZ0469-40
Explanation:
Error: Not enough memory to &1 &2.
While attempting to uncompress file &2 using method &1, PKUNZIP could not
allocate enough memory to extract file. Check other messages in the job log for
possible causes and refer to Appendix C about memory errors. If this continues,
please contact the Product Services Division at 1-937-847-2687 for assistance.
276

AQZ0470-40
Explanation:
&1: Out of memory while inflating EAs.
While extracting file &1, an allocation of memory failure occurred while trying to
extract and file with extended attributes. This archive was created by another system
type. Check other messages in the job log for possible causes and refer to Appendix
C about memory errors. If this continues, please contact the Product Services
Division at 1-937-847-2687 for assistance.
AQZ0471-40
Explanation:
&1: Unknown error on extended attributes.
While extracting file &1, an unknown error occurred while trying to process the
extended attributes data. This archive was created by another system type.
AQZ0472-40
Explanation:
Unsupported extra-field compression type (&1)—skipping.
The extended data fields for file &1 was found, but it’s not recognized or it’s Invalid.
The file will be skipped.
AQZ0473-00
Explanation:
Error: Cannot allocate unzip buffers.
While starting to extract the file, PKUNZIP could not allocate enough memory for IO
buffers within the file. Job will be terminated. Check other messages in the job log
for possible causes and refer to Appendix C about memory errors. If this continues,
please contact the Product Services Division at 1-937-847-2687 for assistance.
AQZ0475-40
Explanation:
Warning [&1]: Archive File is disk %u of a multi-disk archive
and this is not the disk on which the central Archive File
directory begins.
The archive indicates that part of a multi-disk archive is invalid for PKUNZIP. Review
the source of the archive and ensure the archive is made up of one file.
AQZ0476-30
Explanation:
Warning [&1]: End-of-central-directory record claims this is
disk &2 attempting to process anyway.
The central directory has a setting that indicates this is a multi-archive disk file. It will
attempt to process file &1. Expect "errors" and warnings; true multi-part support does
not exist.
277

AQZ0477-30
Explanation:
Warning [&1]: Archive File claims to be last disk of a multipart
archive; attempting to process anyway.
Expect errors and warnings, as true multi-part support does not exist.
AQZ0478-30
Error [&1]: Missing &2 bytes in Archive file (attempting to
process anyway).
Explanation: While extracting files from archive file &1 with PKUNZIP, it was found to have &2
bytes missing according to the directories. PKUNZIP will continue attempting to
extract the files and will complete the process.
AQZ0479-30
Explanation:
Error [&1]: NULL central directory offset (attempting to
process anyway).
While extracting from archive file &1, an error was found in the central directory offset.
PKUNZIP will try to compensate and continue the process.
AQZ0480-30
Explanation:
Warning [&1]: Archive File is empty.
PKUNZIP found that the archive file &1 is empty and that there is nothing to process.
AQZ0481-30
Explanation:
Error [&1]: Start of central directory not found; Archive file
is corrupt.
PKUNZIP could not find the start of the central directory in archive file &1. archive file
is corrupt and the job will be terminated.
AQZ0482-30
Warning[&1]: Reported length of central directory IS &2 bytes
too long. Compensating...
Explanation: PKUNZIP found that the length of the central directory of the archive is too long by &2
bytes. PKUNZIP will try to compensate and continue.
AQZ0483-40
Explanation:
End-of-central-directory signature not found in archive &1.
An End-of-central-directory signature not found. Either the file &1 is not an archive
file or it constitutes one disk of a multi-part archive. In the later case, the central
directory and archive file comment will be found on the last disk(s) of this archive.
278

AQZ0484-00
Explanation:
Caution: Archive file &1 comment will be truncated.
While displaying the archive file comment, it was truncated due to excess length.
This affects only the displayed information, not the data itself.
AQZ0485-30
Explanation:
Error: Cannot delete old &1.
Cannot delete file &1 on IFS system file type. See the job message log for more
information.
AQZ0486-30
Explanation:
Error: PKZIP cannot open Archive File [ &1 ].
Archive file &1 cannot be opened for reading in PKZIP. See the job message log for
more information.
AQZ0487-30
Explanation:
Error: Cannot create &1.
PKUNZIP was trying to create file &1 for extraction, but the create process failed.
The file was not extracted. See the job message log for create failure.
AQZ0488-40
Explanation:
Error: Archive file &1 read error.
PKUNZIP received a file error while reading archive file &1. Job is terminated. See
the job message log for explanation of the error.
AQZ0489-10
Warning: Filename too long -- truncating.
Explanation: The file name length (including path) found in the archive exceeds the length of 255
bytes allowed in PKUNZIP. File name is truncated.
AQZ0490-10
Explanation:
Warning: Extra field too long (&1). Ignoring.
The extended attribute is too long for PKUNZIP to allocate memory. The attributes
will be ignored.
279

AQZ0491-40
Explanation:
Error: More than &1 simultaneous threads. Some threads are
probably not calling DESTROYTHREAD().
Internal error. This should not occur. Please contact the Product Services Division at
1-937-847-2687 for assistance.
AQZ0492-40
Explanation:
Error: Could not find global pointer in table Maybe somebody
accidentally called DESTROYTHREAD() twice.
Internal error. This should not occur. Please contact the Product Services Division at
1-937-847-2687 for assistance.
AQZ0493-40
Explanation:
Error: Global pointer in table does not match pointer passed
as parameter.
Internal error. This should not occur. Please contact the Product Services Division at
1-937-847-2687 for assistance.
AQZ0494-00
Explanation:
Warning: Cannot set UID &1 and/or GID %d for &2.
After extracting a file successfully, PKUNZIP could change the UID attributes for a file
in the integrated file system to the UID in the archive settings. See the job log for
more information.
AQZ0495-00
Explanation:
Warning: Cannot set modification, access times for &1.
After extracting a file successfully, PKUNZIP could change the modification time and
the access time for a file in the integrated file system to the time that is stored within
the archives. Times are left as the time extracted. See the job log for more
Information.
AQZ0496-00
Explanation:
Warning: Cannot set permissions for &1.
After extracting a file successfully, PKUNZIP could not set the authority permissions
for the file in the integrated file system. File has job user as owner. See the job log
for more information.
280

AQZ0498-40
Explanation:
&1: Write error was encountered while extracting.
While extracting and writing file &1, an error occurred. It could be the allowable disk
allocation for a user, a job, or a file. See the job log for more information. The current
extracted file is incomplete.
AQZ0499-50
Explanation:
Archive file probably corrupt (&1).
A Handler signal occurred in PKUNZIP, which indicates an internal error occurred, or
the archive file is corrupt. Please contact the Product Services Division at 1-937-847-
2687 for assistance with the archive file and the job log.
AQZ0501-20
Explanation:
Warning: Cannot allocate wildcard buffers.
PKUNZIP could not allocate memory resources in the integrated file system wildcard
buffers. Cannot select files. Check other messages in the job log for possible
causes, and refer to Appendix C about memory errors. If problem persists, please
contact the Product Services Division at 1-937-847-2687 for assistance.
AQZ0502-00
Explanation:
Creating directory: &1.
Information only: PKUNZIP created directory &1 in the integrated file system.
AQZ0503-30
Explanation:
Mapname: Conversion of &1 failed.
PKUNZIP failed while converting (mapping) the internal file &1 name to an iSeries
external file name. Check the log to see if file was extracted successfully.
AQZ0504-20
Explanation:
Checkdir: Cannot create extraction directory &1.
PKUNZIP failed while trying to create directory &1 in the integrated file system
required extracting file.
AQZ0505-10
Explanation:
Warning: Cannot set UID &1 for &2.
After extracting a file successfully, PKUNZIP could not change the UID attributes for a
file in integrated file system to the UID in the archive settings. See the job log for
more Information.
281

AQZ0506-10
Explanation:
Checkdir warning: Path too long; truncating &1.
The path name in the archive file is longer than the 255 bytes permitted by the
integrated file system. The path will be truncated for file extraction.
AQZ0508-10
Explanation:
Checkdir error: &1 exists but is not directory: unable to
process.
PKUNZIP was extracting a file to the integrated file system where the archive file
name indicated it is a directory, but the file already exists and is not a directory. A
default path will be used.
AQZ0509-10
Explanation:
Checkdir error: Cannot create &1 unable to process &2.
PKUNZIP could not create directory &1 in the integrated files system. A default
directory is used. See the JOB LOG For information about the failure.
AQZ0510-10
Explanation:
Checkdir error: Path too long: &1.
PKUNZIP determined that the path of file to extract exceeded 255 bytes. The file will
use default path.
AQZ0511-40
Explanation:
Failure to create file in Library .
PKUNZIP was issuing a CRTPF command for a file that was using default settings
before extracting and an error occur in the CRTPF command. See the job log for
more information. The files are not extracted.
AQZ0512-40
Explanation:
Failure to create SAVF in Library .
PKUNZIP was issuing a CRTSAVF command to create file &1 for extracting and the
create process failed. See the job log for more information. The files are not
extracted.
AQZ0513-10
Explanation:
Warning! Line &1 has been truncated.
When writing a text file, the length of the line exceeded the record length of the output
file and the line was truncated. Use an output file with the correct record length.
282

AQZ0514-30
Explanation:
Failure in creating Library &1 for Archive.
PKUNZIP was trying to extract a file to library &1 and the library did not exist.
PKUNZIP failed when trying to create the Library. For more information see the job
log. This may be a security issue. The file is not extracted.
AQZ0515-40
Explanation:
PKZIP Failure in file read request. Request bytes &1.
While trying to read a selected file for compression, PKZIP experienced an error
where the size of the data read failed the request. View the job log to see if any
messages pertain to the file. The file being used may cause this. The job will be
terminated and the archive will be corrupted.
AQZ0516-40
Explanation:
Could not allocate Memory for Terse extraction. PKUNZIP is
ending immediately.
PKZIP was compressing the file with compression type *TERSE, but could not
allocate memory for the TERSE buffers. Check other messages in the job log for
possible causes and refer to Appendix C about memory errors. If the problem
persists, please contact the Product Services Division at 1-937-847-2687 for
assistance.
AQZ0517-40
Explanation:
Terse Extraction Failure. Work buffers are too small.
PKUNZIP could not complete an extraction of a file compressed in TERSE mode
because the buffers were too small. This should not occur for an archive created with
this release. Please contact the Product Services Division at 1-937-847-2687 for
assistance.
AQZ0518-00
Explanation:
Warning! File &1 has associated triggers.
PKZIP has detected that the database file being zipped has trigger programs
associated with it. PKZIP does not store trigger program information in the archive.
See Appendix K for more information. This message only appears when
compressing database files. If you want to preserve the trigger information, first save
the file and trigger programs to a SAVF and then add the SAVF to the archive.
AQZ0519-00
Explanation:
Warning! File &1 has associated constraints.
PKZIP has detected that the database file being zipped has constraints associated
with it. PKZIP does not store constraint information in the archive. See Appendix K
for more information. This message appears only when compressing database files.
283

If you wish constraint information to be preserved, first save the file to a SAVF and
then add to the archive.
AQZ0520-00
Explanation:
Warning! File &1 uses an alternative collating sequence.
The file being compressed uses an alternative collating sequence (the ALTSEQ
keyword was specified in the DDS for the file). PKZIP does not store alternative
collating table information in an archive. When unzipped, the file will not have the
same access path. This message only appears when compressing database files. If
you want to preserve the alternate sort order, first save the file in a SAVE and then
add to the archive.
AQZ0521-00
Explanation:
Warning! File &1 has NULL capable fields.
PKZIP has detected that one or more fields in the file are NULL capable. PKZIP will
translate NULL numeric fields as zeros and NULL character fields as blanks. See
Appendix K for more information. This message only appears when compressing
database files. If you want to preserve NULL fields, first save the file in a SAVF and
then add the SAVF to the archive.
AQZ0522-00
Explanation:
Database process selected but missing DB extended data record -
File &1.
Indicates that database attributes are present to create a database, but the database
extended attributes could not be found. The archive may be corrupt. PKZIP will try to
create file with default settings.
AQZ0523-00
Explanation:
Failure building DDS source to gen database - File &1.
While building the DDS source for creating file &1, an error occurred in routine
build_ddssrc with number &2. See the job log for other messages. Please contact
the Product Services Division at 1-937-847-2687 for assistance.
AQZ0525-00
Explanation:
Warning! File &1 has Public Authorization List.
PKZIP has detected that the database file being zipped has a public authorization list
associated with it. PKZIP does not store public authorization list information in the
archive. See Appendix K for more information. This message only appears when
compressing database files. When extracting the file, it is up to the user to provide
information about a public authorization list. If you wish to preserve public
authorization list information, first save the file to a SAVF and then add the file to the
archive.
284

AQZ0526-30
Explanation:
Extended attributes exceed 64K
The extended attributes for the file being compressed exceeded the maximum length
that can be accommodated in a PKZIP archive. Action: Either compress the file with
DBSERVICES(*NO) or first save the file in the save file and then add to the archive.
AQZ0527-10
Explanation:
Warning: Text Record too long for buffers.
length=&1. Buffer Length=&2
Text Record
A text record length exceeded the maximum supported buffer length of &2. Record is
truncated. File extract should be reviewed for completeness. Probable cause: the
file does not contain proper carriage return or line feed characters.
AQZ0528-00
Explanation:
Certificate Deleted From &1 Store.
Cert Deleted from &1 Store. Where &1 will be the store CA or Root. &2 is the
certificate data that was deleted. Part 1 is the index number. Part 2 is the Serial
Number of the certificate. Part 3 is the friendly name of the certificate. For example:
“Cert Deleted from CA Store”
AQZ0600-00
Explanation:
Archive &1 Identified as a GZIP archive.
PKZIP was run, specifying existing archive &1 and that the archive is identified as a
GZIP archive. GZIP archive files cannot be updated.
AQZ0601-40
Explanation:
Option GZIP cannot zip to an existing archive.
PKZIP GZIP(*YES) parameter has been specified and the archive indicated on the
PKZIP command already exists. A GZIP archive cannot be updated; you can only
compress in GZIP format to a new archive. Specify an archive name that is not in
use.
AQZ0602-40
Explanation:
Option GZIP only allows 1 file per archive.
GZIP processing has identified more than one file to include in the archive, but only
one file is allowed per GZIP archive. Specify a file name or wildcard combination that
identifies only one file or be more specific and specify the library, the file, and the
member names.
285

AQZ0603-40
Explanation:
Invalid TYPE used with GZIP. TYPE(*ADD,*MOVEA,*VIEW) is only
valid option for GZIP.
A PKZIP TYPE other than *ADD, *MOVEA or *VIEW was specified with option
GZIP(*YES). This is an invalid combination. The job will be terminated.
AQZ0604-00
Explanation:
PKZIP Compressed &1 files in GZIP Archive &2.
&1 is the number of files that were compressed in this run of PKZIP, storing them in
the GZIP archive File &2.
AQZ0605-40
Explanation:
GZIP cannot allocate memory for GZIP extraction.
PKUNZIP was trying to extract the file from an archive identified as a GZIP archive,
but could not allocate memory. The job is terminated. Check other messages in the
job log for possible causes and refer to Appendix C about memory errors. If this
continues, please contact the Product Services Division at 1-937-847-2687 for
assistance.
AQZ0606-40
Explanation:
GZIP Archive File &1 probably corrupt.
PKUNZIP was trying to extract from archive file &1, and it was identified as a GZIP
archive. It was determined that it could be corrupt based on the setting in the header
or trailer.
AQZ0607-40
Explanation:
Cannot Use compress(*STORE or *TERSE) with GZIP.
GZIP parameter *YES cannot be used when COMPRESS parameter is set to
*STORE or *TERSE.
AQZ0608-40
Explanation:
GZIP *YES cannot be used with FTRAN table.
FTRAN table override cannot be used with option GZIP(*YES) due to compliance
issues.
AQZ0609-00
Explanation:
Warning! GZIP Archive has non-compliant Flag settings.
The archive being processed has reserve bits in the flag byte set. This may indicate
the presence of new fields or options in the archive that prevent the file being
extracted from being extracted correctly.
286

AQZ0610-40
Explanation:
GZIP Archive &1 contains no filename and Default Path was not
specified.
The GZIP archive that is being extracted does not contain a file name. To get a file
name, use EXDIR keyword and enter a path and filename. If you are using the IFS,
use path/filename. For the library file system, use library/filename.
AQZ0611-40
TEXTEDIT parameter is invalid with GZIP(*YES).
Explanation: GZIP archives do not support file comments. TEXTEDIT must be *NO.
287

AQZ0800 - AQZ0899 *VIEW Display Messages
AQZ0800-00
Explanation:
Filename: &1.
Displays the archive file name being viewed or processed.
AQZ0801-00
Explanation:
Archive Comment: "&1".
Displays the archive comment (if one exists) when TYPE(*VIEW) is used with
parameters *NORMAL, *DETAIL, *COMMENT for keyword VIEWOPT( ).
AQZ0802-00
Explanation:
Length, Date, Time, Name.
This message will appear at the top of the file information listing when the option
VIEWOPT(*BRIEF) is used with TYPE(*VIEW).
AQZ0803-00
Explanation:
-------- ---- ---- ----
This message will appear after message AQZ0802 for the file information listing when
the option VIEWOPT(*BRIEF) is used with TYPE(*VIEW).
AQZ0804-00
Explanation:
&1 &2 &3.
File information listing when the option VIEWOPT(*BRIEF) is used with
TYPE(*VIEW). Length=uncompressed size, modifications Date and time of file, and
the filename.
AQZ0805-00
Explanation:
-------- -------
This message will appear after the brief file information listing as a separator when
the option VIEWOPT(*BRIEF) is used with TYPE(*VIEW).
288

AQZ0806-00
Explanation:
&1 &2 file&3.
This message is the totals for file information listing when the option
VIEWOPT(*BRIEF) is used with TYPE(*VIEW). Total: Uncompressed size=&1, and
Number of files in listing=&2.
AQZ0807-00
Explanation:
File Comment: "&1".
Displays the file comment text when the option VIEWOPT(*COMMENT or *DETAIL)
is used with TYPE(*VIEW).
AQZ0808-00
Explanation:
Length, Method, Size, Ratio, Date, Time, CRC-32, Name.
This message displays the first heading in the file information listing when any of the
parameters *DETAIL, *COMMENT, or *NORMAL is used with the VIEWOPT() option.
AQZ0809-00
Explanation:
-------- ------ ------- ----- ---- ---- ------ ----
This message displays the second heading in the file information listing when any of
the parameters *DETAIL, *COMMENT, or *NORMAL is used with the VIEWOPT()
option.
AQZ0810-00
Explanation:
&1 &2 &3 &4 &5 &6 &7 &8.
This message displays the file attributes in the file information listing when any of the
parameters *DETAIL, *COMMENT, or *NORMAL is used with the VIEWOPT( )
option. Uncompressed file length=&1, compression method used=&2, compressed
size=&3, compression ratio=&4, file date/ Time=&5, CRC-32=&6, for the file name &7.
AQZ0811-00
Explanation:
-------- ------- ---- -----
--
This message displays the totals separator in the file information listing when any of
the parameters *DETAIL, *COMMENT, or *NORMAL is used with the VIEWOPT( )
option.
AQZ0812-00
Explanation:
&1 &2 &3 &4 file&5.
This message displays the totals in the file information listing when any of the
parameters *DETAIL, *COMMENT, or *NORMAL is used with the VIEWOPT( )
289

option. Total uncompressed size=&1, total compressed size=&2, for &3 number files
in listing.
AQZ0813-00
Explanation:
archive: &1 &2 bytes &3 file&4.
Archive statistics for archive File &1, is &2 bytes is length with &3 files in archive.
Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0814-00
Explanation:
Created by: &1 &2.
Displays the PKZIP operating system and the PKZIP algorithm version which the file
was added to the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0816-00
Explanation:
Minimum file system compatibility required: &1 &2.
Information with TYPE(*VIEW) and VIEWOPT(*DETAIL) and only with debug option
on. Shows detail operating system (&1) with version (&2).
AQZ0817-00
Explanation:
Zip Spec to Extract: &1.
Displays the minimum version of the PKZIP specification required to extract the file
from the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0818-00
Explanation:
Compression method: &1 &2.
Displays the compression method used to compress the file. Information with
TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0821-00
Explanation:
Extended local header: &1.
Shows the setting of the general-purpose bit to indicate an extended local header
exists. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0822-00
Explanation:
Date and Time &1.
Displays the modification date mm-dd-yyyy and time hh:mm of files attributes
Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
290

AQZ0823-00
Explanation:
32-bit CRC value (hex): &1.
Displays the value of the cyclical redundancy check (CRC) of a file in the archive.
Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0824-00
Explanation:
Compressed size: &1 bytes.
Displays the compressed size of a file in the archive. Information with TYPE(*VIEW)
and VIEWOPT(*DETAIL).
AQZ0825-00
Explanation:
Uncompressed size: &1 bytes.
Displays the Uncompressed size of a file in the archive. Information with
TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0826-00
Explanation:
Length of filename: &1 bytes.
Displays the length of the file name of a file in the archive. Information with
TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0827-00
Explanation:
Length of extra field: &1 bytes.
Displays the length of the extended data field in the archive. Information with
TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0828-00
Explanation:
Length of file comment: &1 characters.
Displays the Length of a file comment if it exists in the archive. Information with
TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0829-00
Explanation:
Size of sliding dictionary (implosion): &1K.
Displays the size of the sliding dictionary that was used to compress a file in the
archive with the implode compression method. Information with TYPE(*VIEW) and
VIEWOPT(*DETAIL).
291

AQZ0830-00
Explanation:
Number of Shannon-Fano trees (implosion): &1.
Displays the number of Shannon-Fano trees that were used to compress a file in the
archive with an implode compression method. Information with TYPE(*VIEW) and
VIEWOPT(*DETAIL).
AQZ0831-00
Explanation:
Detected File type: &1 &2.
Based on internal attributes; displays the file type that was detected for a file in the
archive. The Types are: binary, text, text in EBCDIC, SAVF, UNKNOWN.
Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0834-10
Explanation:
Caution: Archive File comment truncated.
The archive file comment exceeded the buffer size and will be truncated. This is only
a warning that affects the display of the comment. Information with TYPE(*VIEW)
and VIEWOPT(*DETAIL).
AQZ0835-00
Explanation:
Unknown Extended Attribute TAG &1 with length of &2.
An unknown extended attribute key was found; PKUNZIP does not handle this, and it
will be bypassed. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0836-00
Explanation:
Extended attributes: &1, [Length = &2].
If extended attributes are stored in the archive for this file, then [Yes] is displayed,
otherwise, [No] is displayed. The size of these extended attributes are &2 bytes.
Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0837-00
Explanation:
A sub field with ID &1 with a length of &2 bytes.
This is only used in DEBUG mode only. Information with TYPE(*VIEW) and
VIEWOPT(*DETAIL).
AQZ0838-00
Explanation:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Displays a View file separator for reading purposes. Information with TYPE(*VIEW)
and VIEWOPT(*DETAIL).
292

AQZ0839-00
Explanation:
Found &1 file&2, &3 bytes uncompressed, &4 bytes compressed:
&5.
Displays the total number of files found in the archive (&1). Displays the total bytes
uncompressed(&3) and the total bytes compressed(&4) for the archive. Information
with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0840-00
Explanation:
IFS: Code Page &1.
Displays the code page of an IFS file in the archive. Information with TYPE(*VIEW)
and VIEWOPT(*DETAIL).
AQZ0841-00
Explanation:
IFS: Creation Time &1.
Displays the creation date and time of an IFS file in the archive. Information with
TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0842-00
Explanation:
IFS: Access Time &1.
Displays the last access date and time of an IFS file in the archive. Information with
TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0843-00
Explanation:
IFS: Modification Time &1.
Displays the last modification date and time of an IFS file in the archive. Information
with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0844-00
Explanation:
Lib Text Desc: &1.
Displays the text associated with a library that contains the file that has been stored
within the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0845-00
Explanation:
File Text Desc: &1.
Displays the text associated with a file that has been stored within the archive.
Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
293

AQZ0846-00
Explanation:
Mbr Text Desc: &1.
Displays the text associated with the member of the file that has been stored in the
archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0847-00
Explanation:
Record Length: &1.
Displays the record length of the file in the archive. Information with TYPE(*VIEW)
and VIEWOPT(*DETAIL).
AQZ0848-00
Explanation:
Source or Data: &1.
Displays whether the file stored in the archive is a PF-DTA file or is a PF-SRC file
type. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0849-00
Explanation:
Source Type: &1.
Displays the source type, for example, CLP, RPG, CMD, etc., for a PF-SRC member.
Displays Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0850-00
Explanation:
Unknown Database type: &1.
The extended data field specifying the file is a database or is not invalid. Database
options ignored. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0851-00
Explanation:
Database File Attributes-.
This indicates that a file contains database file attributes in the archive. Information
with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0852-00
Explanation:
AUT(&1) MAXMBRS(&2) DLTPCT(&3) SIZE(&4 &5 &6) ALLOCATE(&7)
CONTIG(&8) LVLCHK(&9) REUSEDLT(&10) Access path type: &11.
Displays Database File Attributes:- File Authority:
&1 Maximum no. members in file:
&2 Max % deleted records in file:
&3 Initial size of member:
&4 Size of increment:
&5 Max no. increments:
&6. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
294

AQZ0853-00
Explanation:
Format Name(&1) No. Flds(&2) No. Key Flds(&3).
Displays Database File Field Format Attributes: - File Format Name: &1 Number of
fields in format:
&2 No. key fields in format:
&3 Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0854-00
Explanation:
-Field descriptions:-
Displays that a heading of Field descriptions will follow. Information with
TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0855-00
Explanation:
Num, Name, Width Gen. U D N V K CCSID.
DB Field Format Attributes:
Num Field Number
Name Internal Field name
Width Field width (Number of digits/characters)
Gen. Decimal Pos./Allocated Length/Time or Date format
U Usage (B = Both, I = Input, O = Output, N = Neither
D Field Data type
N Null field capable indicator
V Variable length field indicator
K Key Field indicator
CCSID CCSID of field (N/A numeric fields).
Information with TYPE(*VIEW)/VIEWOPT
AQZ0856-00
Explanation:
----- ---------- ----- ----- - - - - - -----
Displays heading separator for the field description details. Information with
TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0857-00
Explanation:
&1 &2 &3 &4 &5 &6 &7 &8 &9 &10.
This field has the following attributes:
&1 Num: Field Number
&2 Name: Internal Field name
&3 Width: Field width
&4 General:
&5 U: Usage
&6 D: Field Data type
&7 N: Null capable
&8 V: Variable length field
&9 K: Key Field
&10 CCSID: CCSID of field
Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
295

AQZ0858-00
Explanation:
Text: &1.
Displays the text description for this field: &1. Information with TYPE(*VIEW) and
VIEWOPT(*DETAIL).
AQZ0859-00
Explanation:
Alias: &1.
Displays the alternative field name (alias) for this field: &1. Information with
TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0860-00
Explanation:
Default: &1.
Displays the default value for the field is: &1. Information with TYPE(*VIEW) and
VIEWOPT(*DETAIL).
AQZ0861-00
Explanation:
Col Heading 1: &1.
Displays the First column heading for the field is: &1. Information with TYPE(*VIEW)
and VIEWOPT(*DETAIL).
AQZ0862-00
Explanation:
Col Heading 2: &1.
Displays the second column heading for the field is: &1. Information with
TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0863-00
Explanation:
Col Heading 3: &1.
Displays the third column heading for the field is: &1. Information with TYPE(*VIEW)
and VIEWOPT(*DETAIL).
AQZ0864-00
Explanation:
MAINT(&1) RECOVER(&2) FRCACCPTH(&3) ACCPTHSIZ(&4) Order: &5
Displays the keyed access path attributes: - Order = Duplicate key sorting order.
Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
296

AQZ0865-00
Explanation:
File text: &1.
Displays the text associated with the file that has been stored in the archive.
Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0866-00
Explanation:
Archive identified as a GZIP archive.
Archive identified as a GZIP archive. Information with TYPE(*VIEW) and
VIEWOPT(*DETAIL).
AQZ0867-00
Explanation:
VMS file attributes (&1 octal): 2.
If present for a file in the archive, displays VMS file attributes. Information with
TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0868-00
Explanation:
Amiga file attributes (&1 octal): &2.
If present for a file in the archive, displays Amiga file attributes. Information with
TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0869-00
Explanation:
Unix file attributes (&1 octal): &2.
If present for a file in the archive, displays UNIX file attributes. Information with
TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0870-00
Explanation:
Non-MSDOS external file attributes: &1 hex.
If present for a file in the archive, displays non-MSDOS external file attributes.
Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0871-00
Explanation:
MS-DOS file attributes (&1 hex): &2.
If present for a file in the archive, displays MS-DOS file attributes. Information with
TYPE(*VIEW) and VIEWOPT(*DETAIL).
297

AQZ0872-00
Explanation:
Advanced Encryption &1. &2.
Displays the advanced encryption method the file was archived. Information with
TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0873-00
Explanation:
Algorithm Key &1, Security type &2.
Displays the Advanced encryption algorithm key text description and the security type
(password, certificate signature, or combination password with signature) that was
used to encrypt the file. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).
AQZ0874-00
Explanation:
Spool File Type: &1, Target File:&2, (CdPg=&3), Nbr Of
pages(&4).
Displays the spool file type, the target format file type, and the number of pages in the
spool file. If the target is Text or PDF then (CdPg=&3) will be displayed to show the
code page that was used to translate the EBCDIC to ASCII.
AQZ0875-00
Explanation:
SPLF Desc: &1.
Displays the spool file name attributes with / separation with format: “Job-
Name/User-Name/#Job-Number/Spool-File-Name/Fspool-File-Number.Suffix”.
AQZ0876-00
Explanation:
OS390 File Type &1
Z390 MVS or VSE extended attributes.
AQZ0877-00
Explanation:
OS390 Record Format
Z390 MVS or VSE extended attributes.
AQZ0878-00
OS390 Block Size &1
Explanation: Z390 MVS or VSE extended attributes.
298

AQZ0879-00
Explanation:
OS390 VSAM Record Size &1
Z390 MVS or VSE extended attributes.
AQZ0880-00
Explanation:
OS390 VSAM Max Record Size &1
Z390 MVS or VSE extended attributes.
AQZ0881-00
Explanation:
OS390 VSAM Cluster Name &1
Z390 MVS or VSE extended attributes.
AQZ0882-00
Explanation:
OS390 VSAM Data Name &1
Z390 MVS or VSE extended attributes.
AQZ0883-00
Explanation:
OS390 VSAM Index Name &1
Z390 MVS or VSE extended attributes.
AQZ0884-00
Explanation:
ZIP64 Extended Information: Uncompressed size=&1; Compressed
Size=&2
Extended data to support large files. Original uncompressed size=&1; Compressed
size=&2; Offset=&3.
AQZ0885-00
Explanation:
ZIP 64 Large File Support Found
PKZIP was able to support large format files for this archive
AQZ0886-00
Archive has been Digitally Signed.
Explanation: The archive contains a digital signature for security purpose.
299

AQZ0887-00
Explanation:
Spool File OUTQ(&1) and User(&2)
Displays the OUTQ that the spool file was compressed from and the user ID of the
spool file.
AQZ0888-00
Explanation:
Number Certifcate Recipients &1.
VIEWOPT(*ALL) option: Displays the number recipients found for the file in archive.
AQZ0889-00
Explanation:
Recipient List:
VIEWOPT(*ALL) option: Header for recipient list in the messages aqz0890 following.
AQZ0890-00
Explanation:
CN=&1, EM=&2.
VIEWOPT(*ALL) option: The common name and email address for each recipient
found for the file in archive.
AQZ0891-00
Explanation:
Archive is FnE (File Name Encrypted).
View information that the archive is a filename-encrypted archive.
AQZ0892-00
Explanation:
Archive is created as FNE &1.
Informational only. Shows that the archive created is filename-encrypted and shows
the compression and encryption used.
AQZ0893-00
Explanation:
File Signature: CN=&1; EM=&2; S/N=&3.
Informational only. Shows informational data of the signature that is used to signed
the file or archive. CN- Common name, EM-Email, and S/N- Serial Number.
AQZ0900-00
Explanation:
Archive is Non FNE Archive. Nothing to View.
VIEWOPT(*FNE) or VIEWOPT(*FNEALL) requested, but the archive is not filenameencrypted.
300

AQZ0901-00
Explanation:
FNE: Encryption Type (&1) with Algo (&2).
VIEWOPT(*FNE) or VIEWOPT(*FNEALL) requested for a filename-encrypted
archive. This message shows the encryption type and algorithm used for the archive.
Example “FNE: Encryption Type (Password and Recipients) with Algo (AES 256 Key)
“.
AQZ0902-00
Explanation:
FNE: Compression &1 percent.
VIEWOPT(*FNE) or VIEWOPT(*FNEALL) requested for FnE archive. This message
shows the compression (if any exist) used for the archive. Example “FNE:
Compression 0 percent “.
AQZ0903-00
Explanation:
FNE: Hashing Algo &1 with hash length &2.
VIEWOPT(*FNE) or VIEWOPT(*FNEALL) requested for a filename-encrypted
archive. This message shows the hash method used for the archive. Example “FNE:
Hashing Algo CRC32 with hash length 4 “.
AQZ0904-00
Explanation:
FNE Contains &1 Recipients.
VIEWOPT(*FNE) or VIEWOPT(*FNEALL) requested for a filename-encrypted
archive. This message shows the number of recipients used for the FnE.
AQZ0905-00
Explanation:
FNE Recp #&1:&2.
VIEWOPT(*FNEALL) requested for a filename-encrypted archive. This message
shows the each FnE’s recipient Common Name and Email. Example “FNE Recp
#2:CN=PKWARE Test3; EM=PKTESTDB3@nowhere.com;”.
AQZ0906-00
Explanation:
FNE : &1.
VIEWOPT(*FNEALL) and VERBOSE(*ALL) requested for a filename-encrypted
archive. This message shows the valid certificate dates for each recipient of a
filename-encrypted archive. Example “FNE Recp #2:CN=PKWARE Test3;
EM=PKTESTDB3@nowhere.com;”.
301

AQZ8xxx Configuration Messages
AQZ8003-00
Explanation:
SecureZIP Config Updated Successfully.
PKCFGSEC had no errors while updating the enterprise configuration file. The
“PKZCFG” file was updated.
AQZ8004-00
Explanation:
SecureZIP Config Updated Failed.
PKCFGSEC encountered errors while updating the enterprise configuration file. The
“PKZCFG” file has not been updated
AQZ8005-40
Explanation:
Could not create Config file - aborting.
While running PKCFGSEC, the configuration file “PKZCFG” was not found. Therefore
PKCFGSEC tried to create the file but the creation failed. Review the job log for
messages on why the create failed.
AQZ8006-40
Explanation:
Could not Write Config file - aborting.
While running PKCFGSEC, the configuration file “PKZCFG” is trying to be updated
but failed. Review job log for messages on why update failed.
AQZ8007-40
Explanation:
Could not Copy Config file - aborting.
Review the job log for messages on why the copy failed.
AQZ8008-40
Could open Confiuration File.
Explanation: The opening of configuration file “PKZCFG” has failed. Review the job log for
messages on why update failed.
AQZ8009-40
Explanation:
Parameter &1 Path/File does not exist. .
The File or Path for parameter &1 does not exist. Correct file/path or create the
path/file and re-run. No updates will take place.
302

AQZ8010-40
Explanation:
The Library &1 in the parameters CERTDB does not exist.
The Library for parameter CERTDB does not exist. Correct Parameter for the library
where the Certificate Locator Database is located and re-run. No updates will take
place.
AQZ8200-00
Explanation:
SecureZIP Security Administration.
PKCFGSEC informational. Main heading.
AQZ8201-00
Explanation:
ZIP Secure Settings:
PKCFGSEC informational. Subsection heading for ZIP secure settings.
AQZ8202-00
Explanation:
SecureZIP Active . . . . . .&1.
PKCFGSEC informational. Security configuration setting for ZIP secure settings.
See PKCFGSEC for explanation.
AQZ8203-00
Explanation:
Password . . . . . . . . .&1.
PKCFGSEC informational. Security configuration setting for ZIP secure password
setting. See PKCFGSEC for explanation.
AQZ8204-00
Explanation:
Recipient Secure . . . . .&1.
PKCFGSEC informational. Security configuration setting for ZIP secure recipient
secure setting. See PKCFGSEC for explanation.
AQZ8205-00
Explanation:
File Signing . . . . . . .&1.
PKCFGSEC informational. Security configuration setting for ZIP secure file signing
setting. See PKCFGSEC for explanation.
303

AQZ8206-00
Explanation:
Archive Signing
. . . . .&1.
PKCFGSEC informational. Security configuration setting for ZIP secure archive
signing setting. See PKCFGSEC for explanation.
AQZ8207-00
Explanation:
File Authentication
. . .&1.
PKCFGSEC informational. Security configuration setting for zip secure file
authentication setting. See PKCFGSEC for explanation..
AQZ8208-00
Explanation:
Archive Authentication . .&1.
PKCFGSEC informational. Security configuration setting for ZIP secure archive
authentication setting. See PKCFGSEC for explanation.
AQZ8209-00
Explanation:
Advance Encryption:
PKCFGSEC informational. Security configuration setting for advance encryption.
See PKCFGSEC for explanation.
AQZ8210-00
Explanation:
Frozen Method &.
PKCFGSEC informational. Security configuration setting for advance encryption.
See PKCFGSEC for explanation.
AQZ8211-00
Explanation:
Frozen Mode
&1.
PKCFGSEC informational. Security configuration setting for ADVANCE
ENCRYPTION. See PKCFGSEC for explanation.
AQZ8212-00
Explanation:
Archive Password Specs:
PKCFGSEC informational. Security configuration setting for archive password
specifications. See PKCFGSEC for explanation.
304

AQZ8213-00
Explanation:
Min Length . . . . . . . .&1.
PKCFGSEC informational. Security configuration setting for archive password
specifications. See PKCFGSEC for explanation.
AQZ8214-00
Explanation:
Max Length . . . . . . . .&1
PKCFGSEC informational. Security configuration setting for archive password
specifications. See PKCFGSEC for explanation.
AQZ8215-00
Explanation:
Hardening Options . . . . .&1.
PKCFGSEC informational. Security configuration setting for archive password
specifications. See PKCFGSEC for explanation.
AQZ8216-00
Explanation:
Certificate PUBLIC Store:
PKCFGSEC informational. Security configuration setting for certificate public store.
See PKCFGSEC for explanation.
AQZ8217-00
Explanation:
Certificate PRIVATE Store:
PKCFGSEC informational. Security configuration setting for certificate private store.
See PKCFGSEC for explanation.
AQZ8218-00
Explanation:
Certificate CA Store:
PKCFGSEC informational. Security configuration setting for certificate authority (CA)
store. See PKCFGSEC for explanation.
AQZ8219-00
Explanation:
Certificate ROOT Store:
PKCFGSEC informational. Security configuration setting for certificate ROOT store.
See PKCFGSEC for explanation.
305

AQZ8220-00
Explanation:
Store&1 Location=&2.
PKCFGSEC informational. Security configuration setting for store of group. See
PKCFGSEC for explanation.
AQZ8221-00
Explanation:
Enterprise Encrypt Recipient:
PKCFGSEC informational. Security configuration setting for enterprise encrypt
recipient. See PKCFGSEC for explanation.
AQZ8222-00
Explanation:
Store Type(&1) Select="&2".
PKCFGSEC informational. Security configuration setting for enterprise encrypt
recipient. See PKCFGSEC for explanation.
AQZ8223-00
Explanation:
(&1)- Recipient &2.
PKCFGSEC informational. Security configuration setting for enterprise encrypt
Recipient. See PKCFGSEC for explanation.
AQZ8224-00
Explanation:
Enterprise Certificate Database.
PKCFGSEC informational. Security configuration setting for enterprise certificate
database. See PKCFGSEC for explanation.
AQZ8225-00
Explanation:
Active . . . . . . . . . .&.
PKCFGSEC informational. Security configuration setting for enterprise certificate
database. See PKCFGSEC for explanation.
AQZ8226-00
Explanation:
Search Mode . . . . . . . &1.
PKCFGSEC informational. Security configuration setting for enterprise certificate
database. See PKCFGSEC for explanation.
306

AQZ8227-00
Explanation:
File Name Encryption
. .&1.
PKCFGSEC informational. Security configuration setting for ZIP secure settings. See
PKCFGSEC for explanation.
AQZ8228-00
Explanation:
Signing
PKCFGSEC informational. Heading for Digital Signing settings.
AQZ8229-00
Explanation:
Hash . . . . . . . . .&1.
PKCFGSEC informational. The hashing method used when performing digital signing.
Either SHA1 or MD5.
AQZ8230-00
Explanation:
Configuration File &1.
PKCFGSEC informational. Shows the actual configuration file used in PKCFGSEC.
AQZ8231-00
Explanation:
Updated date/time =&1.
PKCFGSEC informational. Displays the date and time the configuration file was last
updated.
AQZ8232-00
Explanation:
Authentication.
PKCFGSEC informational. Heading for Authentication settings.
AQZ8233-00
Explanation:
Check . . . . . . . . .&1.
PKCFGSEC informational. Defines the level of authentication or CRL. If None, no
authentication will take place even if the files or archive have been signed. Warning
will issue warning messages on any failures and Authenticate will stop processing on
failures.
307

AQZ8234-00
Explanation:
Filters . . . . . . . .&1.
PKCFGSEC informational. Describes the filters used for authentication.
AQZ8235-00
Explanation:
Encryption:.
PKCFGSEC informational. Heading for Encryption certificate settings.
AQZ8236-00
Explanation:
Decryption:.
PKCFGSEC informational. Heading for Decryption:certificate settings.
AQZ8237-00
Explanation:
Certificate CRL Store:
PKCFGSEC informational. Security configuration setting for certificate CRL
(certificate Revocation List) store. See PKCFGSEC for explanation.
AQZ8238-00
Explanation:
Revocation:.
PKCFGSEC informational. Heading for Revocation processing settings.
AQZ8239-00
Explanation:
CRL Type. . . . . . . .&1.
Define if CRL exist and the type of CRL store processing. At this time only Static CRL
stores are supported.
AQZ8297-00
Explanation:
Certificate Validation Level:
PKCFGSEC informational. Security configuration setting for certificate validation level.
See PKCFGSEC for explanation.
AQZ8298-00
Explanation:
Best Fit: . . . . . . . . .&1.
PKCFGSEC informational. Security configuration setting for certificate validation level.
See PKCFGSEC for explanation.
308

AQZ8299-00
Explanation:
Type Select . . . . . . . .&1.
PKCFGSEC informational. Security configuration setting for certificate validation level.
See PKCFGSEC for explanation.
AQZ8300-00
Explanation:
LDAP Definitions:
PKCFGSEC informational. Security configuration setting for LDAP definitions. See
PKCFGSEC for explanation.
AQZ8301-00
Explanation:
Nbr Of Active . . . . . .&1.
PKCFGSEC informational. Security configuration setting for the number of active
LDAPs. See PKCFGSEC for explanation.
AQZ8302-00
Explanation:
LDAP nbr &1:
PKCFGSEC informational. Security configuration setting for LDAP definitions. See
PKCFGSEC for explanation.
AQZ8303-00
Explanation:
Network Name . . . . . . .&1.
PKCFGSEC informational. Security configuration setting for LDAP definitions. See
PKCFGSEC for explanation.
AQZ8304-00
Explanation:
Network Name . . . . . . .&1.
PKCFGSEC informational. Security configuration setting for LDAP definitions. See
PKCFGSEC for explanation.
AQZ8305-00
Explanation:
Port . . . . . . . . . . .&1.
PKCFGSEC informational. Security configuration setting for LDAP definitions. See
PKCFGSEC for explanation.
309

AQZ8306-00
Explanation:
Access User . . . . . . . .&1.
PKCFGSEC informational. Security configuration setting for LDAP definitions. See
PKCFGSEC for explanation.
AQZ8307-00
Explanation:
Access Password . . . . . .&1.
PKCFGSEC informational. Security configuration setting for LDAP definitions. See
PKCFGSEC for explanation.
AQZ8308-00
Explanation:
Search Mode . . . . . . . .&1.
PKCFGSEC informational. Security configuration setting for LDAP definitions. See
PKCFGSEC for explanation.
AQZ8309-00
Explanation:
Start Node . . . . . . . .&1.
PKCFGSEC informational. Security configuration setting for LDAP definitions. See
PKCFGSEC for explanation.
AQZ8310-00
Explanation:
3DES Compatability . . . .&1.
PKCFGSEC informational. Security configuration setting for SecureZIP for 3DES
compatibility setting. See PKCFGSEC for explanation.
AQZ8311-00
Explanation:
Time Out.
. . . . . . . .&1.
PKCFGSEC informational. Security configuration setting for LDAP definitions. See
PKCFGSEC for explanation.
AQZ8312-00
Explanation:
Sequence. . . . . . . . . .&1.
PKCFGSEC informational. Security configuration setting for LDAP definitions. See
PKCFGSEC for explanation.
310

AQZ9xxx LICENSE Messages
AQZ9000-00
Explanation:
SecureZIP for iSeries (TM) Compression Utility Version &1, &2.
Displays the Version &1 of SecureZIP for iSeries with version release date of &2.
AQZ9001-00
Explanation:
SecureZIP for iSeries (tm) running under Beta release &1.
Displays if PKZIP is running under an Alpha or a Beta Release.
AQZ9002-00
Explanation:
PKZIP is being terminated due license validation failure.
PKZIP could not validate the license. Obtain proper licensing keys from PKWARE,
Inc., and run INSTPKLIC.
AQZ9003-00
Explanation:
Machine ID = &1, Processor Group = &2.
Displays the machine CPU serial number and the processor group information.
AQZ9004-00
Explanation:
EVALUATION Running.
PKZIP is running under demo and in evaluation mode. a license key needs to be
obtained.
AQZ9005-00
Explanation:
Enterprise Registered.
SecureZIP for iSeries is licensed with enterprise registered.
AQZ9006-00
Registered.
Explanation: SecureZIP for iSeries has been registered with a valid license key.
311

AQZ9007-00
Explanation:
Copyright. 2004 PKWARE, Inc. All Rights Reserved.
SecureZIP for iSeries banner lines. Displays when PKZIP or PKUNZIP starts.
AQZ9008-00
Explanation:
THIS LICENSE HAS EXPIRED. To renew your license.
During PKZIP start up processing, it was determined that your license has expired.
See following messages on how to update your licenses.
AQZ9009-00
Explanation:
Contact your dealer with the following information.
Informing that the next message provides information required to obtain a license
update.
AQZ9010-00
Explanation:
Make sure you have run the Install License program INSTPKLIC.
A problem has occurred when trying to open and process the licensing. This is
probably due to not running the install license program.
AQZ9011-50
Explanation:
Could not open License file for -aborting &2.
PKZIP or PKUNZIP could not open the license file. Job will terminate. This is
probably due to not running the install program.
AQZ9012-50
Explanation:
Could not read License file base for , Length returned =&2.
An error occurred while reading the PKZIP licensing file. Review the job log for more
details. Job will be terminated.
AQZ9013-50
Explanation:
Could not read License file Feature for , Length returned
=&2.
An error occurred while reading the PKZIP licensing file. Review the job log for more
details. Job is being terminated.
312

AQZ9014-00
Explanation:
&1, Warning - This license will expire in &2 days on &3.
A warning that your license will expire soon. Contact your supplier to obtain a new
license.
AQZ9015-00
UNREGISTERED Copy Running,
Explanation: SecureZIP for iSeries is running without a valid license. It will run temporarily for 30
days. Contact your supplier to obtain a new license with your serial number and
processor group.
AQZ9016-00
Explanation:
Unregistered Hardware Found Exception. &1 Grace days allowed.
Serial number and/or processor group was not found for SecureZIP for iSeries. A
temporary license will be granted for &1 days. Contact your supplier to obtain a new
license with your serial number and processor group.
AQZ9017-00
Explanation:
PKZIP (R) is a registered trademark of PKWARE (R), Inc.
Trademark notes.
AQZ9018-40
Explanation:
Beta Release Has Expired Contact PKWARE, Inc. for Final Beta
Release.
You are running a Beta Version of SecureZIP for iSeries that has expired. Contact
PKWARE, Inc., for a newer version of SecureZIP for iSeries.
AQZ9021-00
Explanation:
SecureZip(tm) is a trademark of PKWARE (R), Inc.
Trademark.
AQZ9050-50
Explanation:
Could not create License file - aborting.
While running INSTPKLIC, the licensing did not exist, so one needed to be created.
An error occurred and INSTPKLIC could not be created. See the job log for more
detailed information. Job will be terminated.
313

AQZ9051-50
Explanation:
Could not open License file for update-aborting.
SecureZIP for iSeries could not open the license file for updating. Job will terminate.
See the job log for details.
AQZ9052-50
Explanation:
Could write License file for update-aborting.
SecureZIP for iSeries could not write to the license file with updates. Job will
terminate. See the job log for details.
AQZ9054-50
Input File cannot be open for input.
Explanation: The PKZIP License Install program could not open the "Library/File(member)" - &1
input file that contains the licensing update keys. Job is terminated. See the job log
for details.
AQZ9055-50
Error Reading Input Control file .
Explanation: The PKZIP License Install program could not read the "Library/File(member)" - &1
input file that contains the licensing update keys. Job is terminated. See the job log
for details.
AQZ9056-00
Explanation:
&1 Evaluation set to expire in &2 days on &3.
Feature Code &1 has been set for evaluation and will expire in &2 days on the date of
&3.
AQZ9057-00
Explanation:
Nbr of Feature Control Records Type-&1 was &2.
The total of inputted feature control records with type &1 was processed. This is only
with debug turned on.
AQZ9058-00
Rec - &1 &2.
Explanation: Displays detail input control records being processed by INSTPKLIC (includes *
comments).
314

AQZ9059-00
Explanation:
License File &1 Updated successfully.
The PKZIP license file &1 was updated successfully with supplied control records.
AQZ9060-50
Explanation:
License file NOT Updated.
Due to errors wile running the license install program, the license file was not
updated. Review the job log for previous message, which indicates why the file was
not updated.
AQZ9061-40
Explanation:
Error found in processing input parameters.
Errors were found while processing the input control records in the license install
program. License file was not updated. Review the job log for previous message,
which indicates why the file was not updated.
AQZ9062-40
Explanation:
More than 1 control code 55 record, Run terminated.
Only one customer control record beginning with 55 is allowed in the license control
Program. Job will be terminated. Review Input Control file for control records.
AQZ9063-40
Explanation:
Control Record 55 must be 1st non-comment record.
The first control record (non-comment) in the license control input file must the
customer control record beginning with 55. Job will be terminated.
AQZ9064-40
Explanation:
Invalid Feature Code in Position 1 & 2.
In positions 1 and 2 of the license control record is the feature code. The license
install program found the invalid feature code of &1. The license file will not be
updated. (See “Licensed Product Features” in Chapter 4).
AQZ9065-40
Explanation:
Invalid Date on record &2.
An invalid feature date on control record number &2 was found. Date must be
YYYYMMDD format with valid month and day. The license file will not be updated.
315

AQZ9066-40
Explanation:
An error has occurred in validating the Customer Number &1 -
Contact your Dealer.
The customer number &1 was found to be invalid. Contact your salesperson or
reseller for correct codes. The license file will not be updated.
AQZ9067-40
Explanation:
An error has occurred in validating the License - Contact Your
Dealer.
The validation of the license was found to be Invalid. Contact your salesperson or
reseller for correct codes. The license file will not be updated.
AQZ9068-40
Explanation:
An error has occurred in validating the License. Contact Your
Dealer.
The validation of the license was found to be Invalid. Contact your salesperson or
reseller for correct codes. The license file will not be updated.
AQZ9069-40
Explanation:
Customer name cannot be blank for Control 55.
In the customer control record (starts with 55), the customer name should contain the
Customers name in positions 23 thru 72 and must not be blank.
AQZ9070-40
Explanation:
Duplicate hardware found for Feature %2.
Only one unique hardware (serial number and processor group) is allowed per feature
code. The license file will not be updated.
AQZ9071-40
Explanation:
Embedded blanks in hardware for feature &2.
The hardware codes (serial number and processor group) must all be non-blank
characters. The license file will not be updated.
AQZ9072-40
Explanation:
Max hardware exceeded &2 for Feature &2.
All hardware available entries are in use. There is no room to add another hardware
entry for the product. Contact your salesperson or reseller.
316

AQZ9073-40
Explanation:
&1 Request to setup DEMO rejected. DEMO is already running.
A request in the License install program to setup a demo license was issued, but a
demo is currently active. A demo request cannot be run until current demo expires.
The license file is not updated.
AQZ9074-40
Explanation:
Cannot do VIEW option until file has been Installed.
A request in the license Install program to view the current license setting was issued,
but the VIEW option cannot be used until one valid install is processed.
AQZ9075-40
Explanation:
Invalid or Missing Member Name.
Special characters or a blank member name was submitted in the command
INSTPKLIC for parameter INMBR.
AQZ9076-40
Explanation:
Feature Code &1 is invalid for Customer Number &2.
The customer number &2 on the input control record is invalid for the specified feature
code &1. Contact your salesperson or reseller for correct codes. The license file will
not be updated.
AQZ9077-40
Explanation:
License Keys have invalid version setting.
The version of the keys entered is a mismatch to SecureZIP for iSeries version.
Review input file for keys.
AQZ9078-40
Explanation:
SecureZip Control Record 57 must be 1st non-comment record.
The first control record (non-comment) in the license control input file must the
customer control record beginning with 57. Job will be terminated.
AQZ9079-00
*********************************************
Explanation: Displays a print separator for INSTPKLIC viewing.
317

AQZ9080-00
Explanation:
A License Report requested on &1 from CPU Serial# &2.
The licensing Install program was run with TYPE(*VIEW), and the report of the
current status of the license will be following for this CPU.
AQZ9081-00
Explanation:
&1 Product Licensed to Customer # &2 -&3.
Displays the version, customer number and customer name currently on license file.
Information of INSTPKLIC with TYPE(*VIEW).
AQZ9082-00
Explanation:
&1-DEMO with &2 Days remaining (&3).
Displays the hardware &1 is running as a demo and has &2 days remaining.
Information of INSTPKLIC with TYPE(*VIEW).
AQZ9083-00
Explanation:
Enterprise Licensed. All Products Features are available on
all CPUs. Expiration Date is &1.
Display that all CPUs are being run with the enterprise license; also displays the
expiration date. Information of INSTPKLIC with TYPE(*VIEW).
AQZ9084-00
Explanation:
&1 Licensed --Expires &2 for processors:.
Displays the feature codes (&1) and their expiration date(&2) that is associated with
the current license file. Information of INSTPKLIC with TYPE(*VIEW).
AQZ9085-00
Explanation:
Serial# &1 Processor Type &2.
Displays the list of hardware that is active under the feature code (AQZ90084).
Information of INSTPKLIC with TYPE(*VIEW).
AQZ9086-00
Explanation:
Serial# &1 is Not Licensed. Use Of The Product will CEASE in
&2 days (&3).
Displays the hardware that is not currently licensed for the above feature code
(AQZ9084) and display when it will expire. Information of INSTPKLIC with
TYPE(*VIEW).
318

AQZ9087-00
Explanation:
Contact PKWARE, Inc. for Licensing.
Informational message to contact your support technician for licensing update.
Please contact the Product Services Division at 1-937-847-2687 for assistance.
AQZ9100-40
Explanation:
!!!PZ Base Module is not licensed for this Serial Number. Run
will not be processed.
The !!!PZ base module could not be validated. Obtain proper licensing keys from
your salesperson or reseller and run INSTPKLIC. See Message AQZ9087 for more
contact information.
AQZ9101-40
Explanation:
Compression Feature is not licensed for this Serial Number.
Run will not be processed.
PKZIP could not validate the compression license feature. Obtain proper licensing
keys from your salesperson or reseller and run INSTPKLIC. See Message AQZ9087
for more contact information.
AQZ9102-40
Explanation:
Decompression Feature is not licensed for this Serial Number.
Run will not be processed.
PKZIP could not validate the decompression license feature. Obtain proper licensing
keys from your salesperson or reseller and run INSTPKLIC. See Message AQZ9087
for contact information.
AQZ9103-40
Explanation:
GZIP Feature is not licensed for this Serial Number. Run will
not be processed.
PKZIP could not validate the GZIP license feature. Obtain proper licensing keys from
your salesperson or reseller and run INSTPKLIC. See Message AQZ9087 for more
contact information.
AQZ9104-40
Explanation:
Directory Integration Feature is not licensed for this Serial
Number. Run will not be processed.
PKZIP could not validate the directory integration (LDAP) license feature. Obtain
proper licensing keys from your salesperson or reseller and run INSTPKLIC. See
Message AQZ9087 for more contact information.
319

AQZ9105-40
Explanation:
Advance Encryption Feature is not licensed for this Serial
Number. Run will not be processed.
PKZIP could not validate the advance encryption license feature. Obtain proper
licensing keys from your salesperson or reseller and run INSTPKLIC. See Message
AQZ9087 for more contact information.
AQZ9106-40
Explanation:
Spool File Feature is not licensed for this Serial Number. Run
will not be processed.
PKZIP could not validate the spool file license feature. Obtain proper licensing keys
from your salesperson or reseller and run INSTPKLIC. See Message AQZ9087 for
more contact information.
AQZ9107-40
Explanation:
Beta Release Has Expired Contact PKWARE, Inc. for Final Beta
Release.
You are running a beta version of SecureZIP for iSeries that has expired. Contact
PKWARE, Inc., for a newer version of SecureZIP for iSeries.
AQZ9109-00
Explanation:
Self Extraction Support Feature is not licensed for this Serial
Number. Run will not be processed.
PKZIP could not validate the self extraction support feature. Obtain proper licensing
keys from your salesperson or reseller and run INSTPKLIC. See Message AQZ9087
for more contact information.
AQZ9110-40
Explanation:
Advance Encryption Feature is not licensed for this Serial
Number. Authentication will not take place.
The AUTHPOL was set to authenticate either the archive or file, But Advance
Encryption Feature is not licensed. The AUTHPOL will now be set to *NONE.
320

ZPCA801x – ZPCA899x Messages
These messages relate to certificate store administration.
ZPCA801E
Explanation:
Response:
Invalid parameter value for Preferred Certificate Store. Value
= %s..
The PKCAADMN utility expects one of the following value for the Preferred Certificate
Store parameter:
CA - Certificate Authority Store
RT - Root Store
CR - Certificate Revocation List Store
BG - Best Guess or DETECT (PKCAADMN attempts to select the storebased on the
input certificate constraints.)
%s Shows the value that the PKCAADMN utility received for the Preferred Certificate
Store parameter.
The PKCAADMN utility will be unable to proceed without a properly specified
Preferred Certificate Store parameter. Program execution will terminate.
Determine the origin of the incorrect value and change to one of the correct input
values listed above.
ZPCA802E
ZPCA802E Invalid parameter value for Action. Value = %s.
Explanation: The PKCAADMN utility expects one of the following value for the Action parameter: -
Add certificate to a store D - Delete a certificate from a store V - Verify the integrity of
a store S - Short list of a store's contents L - Long list of a store's contents I - Initialize
a certificate store B - Browse a certificate file's contents
%s Shows the value that the PKCAADMN utility received for the Action parameter.
Response:
The PKCAADMN utility will be unable to proceed without a properly specified Action
parameter. Program execution will terminate. Determine the origin of the incorrect
value and change to one of the correct input values listed above.
ZPCA803E
Explanation:
Invalid parameter value for Certificate File Type. Value = %s.
The PKCAADMN utility expects one of the following value for the Certificate File Type
parameter:
CER - .cer Certificate File (also called a PEM file) P7B - PKCS #7 Certificate File CRL
- .crl Certificate Revocation List File
%s Shows the value that the PKCAADMN utility received for the Certificate File Type
parameter.
Response:
The PKCAADMN utility will be unable to proceed without a properly specified
Certificate File Type parameter. Program execution will terminate. Determine the
321

origin of the incorrect value and change to one of the correct input values listed
above.
ZPCA804E
Explanation:
Response:
Cert Wrap initialization failed.
The PKCAADMN relies on the Cert Wrap modules to process certificate files and
stores. Without the proper execution of these modules, the PKCAADMN cannot
function. If initialization of Cert Wrap cannot be completed, the PKCAADMN program
cannot continue.
The PKCAADMN utility will be unable to proceed without Cert Wrap initialization.
Program execution will terminate. Contact PKWARE Technical Support to determine
the origin of the Cert Wrap failure.
ZPCA805E
Explanation:
Open certificate store failed. Store '%s1' type incompatible
with certificate '%s2' type.
When performing an add to store operation, the PKCAADMN utility requires that the
type of the certificate match the type of the store that the certificate is being added to.
In the case of the CA store, this means the certificate must have the certificate
authority constraint.* For the root store, the certificate must be self signed.
%s1 Shows the value that the PKCAADMN utility received for the certificate store.
%s2 Shows the value that the PKCAADMN utility received the certificate file.
Response:
The PKCAADMN utility will be unable to proceed with the add command without the
certificate store type and the certificate file type matching. Program execution will
terminate. Determine the origin of the type mismatch and change the certificate store
and/or certificate file values so that the certificate and store types match and
reattempt the add command.
ZPCA806E
Explanation:
Response:
The certificate store '%s' was not opened.
While attempting to open the certificate store file, the PKCAADMN program was
unable to open the file. %s Shows the value that the PKCAADMN utility received for
the certificate store.
The PKCAADMN utility will be unable to proceed with the command without a valid
certificate store being specified. Program execution will terminate. Verify that the
correct file name was passed to PKCAADMN for the certificate store name and
reattempt the command.
322

ZPCA807E
Explanation:
Response:
Memory allocation error.
The PKCAADMN program was unable to allocate storage space.
The PKCAADMN utility will be unable to proceed without the ability to allocate
memory for storage. Program execution will terminate. Contact PKWARE Technical
Support to determine the origin of the memory allocation error.
ZPCA808E
Explanation:
Response:
Failed to read from certificate store '%s'.
The PKCAADMN program was unable to read from the specified certificate store file.
%s Shows the value that the PKCAADMN utility received for the certificate store.
The PKCAADMN utility was able to open the specified certificate store file. However,
the program was unable read from the file. Program execution will terminate. Verify
that the file is indeed a valid certificate store file and attempt the command again.
ZPCA809E
Explanation:
Response:
Failed to read the entire file '%s'. Expected %d1, read %d2.
The PKCAADMN program was unable to read all of the data from the specified
certificate store file. %s Shows the value that the PKCAADMN utility received for the
certificate store. %d1 Shows the expected data size to be read from the certificate
store file. %d2 Shows the actual data size read from the certificate store file.
The PKCAADMN utility was able to open the specified certificate store file and read
from it successfully. However, the program was unable to read all the expected data
from the file. Program execution will terminate. Verify that the file is indeed a valid
certificate store file and attempt the command again.
ZPCA810E
Explanation:
Response:
Failed to build certificate store '%s'.
The PKCAADMN program was unable take the data from the file and form a
certificate store in memory. %s Shows the value that the PKCAADMN utility
received for the certificate store.
The PKCAADMN utility was able to open the specified certificate store file and read
all the data from it successfully. However, the program was unable to use the data
from the file to form a valid certificate data structure in memory. Program execution
will terminate. Verify that the file is indeed a valid certificate store file and attempt the
command again.
ZPCA811E
Explanation:
Cert Wrap failed to open '%s'. CW Error = 0X%X.
The PKCAADMN program was unable take the data from the certificate file and form
a certificate data object in memory. %s Shows the value that the PKCAADMN utility
323

eceived for the certificate file. %X Shows the hexadecimal value the Cert Wrap
module returned upon failure to process the certificate file.
Response:
The PKCAADMN utility was able to open the specified certificate file and read all the
data from it successfully. However, the program was unable to use the data from the
file to form a valid certificate data structure in memory. Program execution will
terminate. Verify that the file is indeed a valid certificate file and attempt the command
again.
ZPCA812E
Explanation:
Response:
Cert Wrap failed to add '%s'. CW Error = 0X%X.
The PKCAADMN program was unable to add the specified certificate file to the
certificate store. %s Shows the value that the PKCAADMN utility received for the
certificate file. %X Shows the hexadecimal value the Cert Wrap module returned
upon failure to add the certificate file to the certificate store.
The PKCAADMN utility was able to open the specified certificate file and process the
data. However, the utility failed to add to certificate to the store. Program execution
will terminate. Verify that the file is indeed a valid certificate file and attempt the
command again.
ZPCA813E
Explanation:
Response:
Cert Wrap failed to free certificate context. CW Error = 0X%X.
The PKCAADMN program was unable to release the system resources allocated by
the Cert Wrap modules during program execution. %X Shows the hexadecimal
value the Cert Wrap module returned upon failure to free the certificate context.
The PKCAADMN utility was unable to release the system resources allocated by the
Cert Wrap modules during program execution. This is indicative of an internal
program error. Program execution will terminate. Contact PKWARE Technical
Support to determine the resolution of the program error.
ZPCA814E
Explanation:
Response:
Cannot continue. Unable to close root store.
The PKCAADMN program was unable to close the root store. The program allocates
system resources associated with the root store and was unable to free those
resources after use.
The PKCAADMN utility was unable return the root store resources back to the
operating system after use. The program cannot recover from this state and the
program execution will terminate. It is possible that the certificate store is corrupt in
some way. Verify that the root store is valid. If the root store proves valid, contact
PKWARE Technical Support to determine the source of the failure.
324

ZPCA815E
Explanation:
Response:
Cannot continue. Unable to close CA store.
The PKCAADMN program was unable to close the CA store. The program allocates
system resources associated with the CA store and was unable to free those
resources after use.
The PKCAADMN utility was unable return the CA store resources back to the
operating system after use. The program cannot recover from this state and the
program execution will terminate. It is possible that the certificate store is corrupt in
some way. Verify that the CA store is valid. If the CA store proves valid, contact
PKWARE Technical Support to determine the source of the failure.
ZPCA816E
Explanation:
Response:
Cannot continue. Unable to save certificate store.
The PKCAADMN program was unable to save the certificate store. The program
write the certificate store back to disk to complete the operation and was unable to do
so.
The PKCAADMN utility was unable write the certificate store back to disk. The
program cannot recover from this state and the program execution will terminate. It is
possible that the certificate store is corrupt in some way. Verify that the certificate
store is valid. If the store proves valid, verify that the utility has write access to the
disk in question and reattempt the operation.*
ZPCA817E
Explanation:
Response:
Failed to write to certificate store '%s'.
The PKCAADMN program was unable to write to the specified certificate store file.
%s Shows the value that the PKCAADMN utility received for the certificate store.
The PKCAADMN utility was able to open the specified certificate store file. However,
the program was unable write to the file. Program execution will terminate. Verify that
the file is indeed a valid certificate store file and attempt the command again.
ZPCA818E
Explanation:
Response:
Failed to write the entire file '%s'. Expected %d1, wrote %d2.
The PKCAADMN program was unable to write all of the data to the specified
certificate store file. %s Shows the value that the PKCAADMN utility received for the
certificate store. %d1 Shows the expected data size to be written to the certificate
store file. %d2 Shows the actual data size written to the certificate store file.
The PKCAADMN utility was able to open the specified certificate store file and wrote
to it successfully. However, the program was unable to write all the expected data to
the file. Program execution will terminate. Verify that the file is indeed a valid
certificate store file and attempt the command again.
325

ZPCA819E
Explanation:
Response:
Cannot continue. Nothing found to save to the certificate
store.
The PKCAADMN program found nothing to write to the specified certificate store file.
The PKCAADMN utility was able to open the specified certificate store file but found
nothing to write. This is an unrecoverable program state and the program execution
will terminate. Verify that the file is indeed a valid certificate store file and attempt the
command again.
ZPCA820E
Explanation:
Response:
Cannot continue. Unable to close the certificate store.
The PKCAADMN program was unable to close the certificate store. The program
allocates system resources associated with the certificate store and was unable to
free those resources after use.
The PKCAADMN utility was unable return the root store resources back to the
operating system after use. The program cannot recover from this state and the
program execution will terminate. It is possible that the certificate store is corrupt in
some way. Verify that the root store is valid. If the root store proves valid, contact
PKWARE Technical Support to determine the source of the failure.
ZPCA821E
Explanation:
Response:
Cannot continue. Unable to close certificate revocation list
store.
The PKCAADMN program was unable to close the certificate revocation list store.
The program allocates system resources associated with the certificate revocation list
store and was unable to free those resources after use.
The PKCAADMN utility was unable return the certificate revocation list store
resources back to the operating system after use. The program cannot recover from
this state and the program execution will terminate. It is possible that the certificate
store is corrupt in some way. Verify that the certificate revocation list store is valid. If
the certificate revocation list store proves valid, contact PKWARE Technical Support
to determine the source of the failure.
ZPCA822E
Explanation:
Response:
Cannot continue. Unhandled certificate file type.
The PKCAADMN utility received a certificate file type that the program does not know
how to process.
The PKCAADMN utility will be unable to proceed without a properly specified
certificate file type parameter. Program execution will terminate. This is an error
internal to the program. Contact PKWARE Technical Support to resolve this issue.
326

ZPCA823E
Explanation:
Response:
Cannot continue. Unable to retrieve certificate name from the
store.
The PKCAADMN utility must match the certificate name specified for deletion with the
certificate name found in the certificate store. The program was unable to read the
certificate name from the certificate store.
The PKCAADMN utility will be unable to proceed without properly reading the
certificate name from the store. Program execution will terminate. The certificate store
in question may be invalid. Verify the integrity of the certificate store and try the
command again.
ZPCA824E
Explanation:
Response:
Cannot continue. Delete certificate failed.
The PKCAADMN utility was unable to delete the certificate from the certificate store.
The PKCAADMN utility will be unable to proceed past this point in the deletion
process and program execution will terminate. This is an error internal to the program.
The program was able to identify the certificate to be deleted in the certificate store
but the deletion failed. Contact PKWARE Technical Support to resolve this issue.
ZPCA825E
Explanation:
Response:
Delete certificate failed. Match was not found in the
specified store.
The PKCAADMN utility must match the certificate specified in the input parameters
with a certificate in the specified certificate store in order to perform the deletion
process. This match failed.
The PKCAADMN utility will be unable to proceed without properly matching the
certificate specified for deletion with an entry in the certificate store. Program
execution will terminate. The certificate store in question may not contain the
specified certificate. Verify the certificate store contents and try the command again.
ZPCA826E
Explanation:
Response:
Serial number must be in hexadecimal notation.
The PKCAADMN utility must match the certificate serial number to an entry in the
certificate store. The provided serial number was not in proper hexadecimal notation.
The PKCAADMN utility will be unable to proceed without properly matching the
certificate specified for deletion with an entry in the certificate store. Program
execution will terminate. The serial number may have been improperly entered in the
PKCAADMN utility. Verify the serial number parameter and try the command again.
ZPCA827E
Explanation:
Certificate store verification failed.
The PKCAADMN utility was unable to verify the specified certificate store.
327

Response:
The PKCAADMN utility failed to verify the store for a specific reason. Look to the
previous errors associated with this error in the listing to determine the exact cause of
the verify command failure. Investigate the previous errors in the listing to determine
the root cause of the verify failure.
ZPCA828E
Explanation:
Response:
Must specify root, CA or CRL store to initialize.
The PKCAADMN utility was to continue with the certificate store initialization due to
an invalid store type.
The PKCAADMN utility will be unable to proceed past this point in the initialization
process and program execution will terminate. This is an error internal to the program.
Contact PKWARE Technical Support to resolve this issue.
ZPCA829E
Explanation:
Response:
Certificate store initialization failed.
The PKCAADMN utility was unable to initialize the specified certificate store.
The PKCAADMN utility failed to initialize the store for a specific reason. Look to the
previous errors associated with this error in the listing to determine the exact cause of
the initialization command failure. Investigate the previous errors in the listing to
determine the root cause of the initialization failure.
ZPCA830E
The end entity file '%s' was not opened.
Explanation: The PKCAADMN program was unable to open the specified end entity output file. %s
Shows the value that the PKCAADMN utility received for the output file.
Response:
The PKCAADMN utility was unable to open the specified end entity output file. The
program cannot recover from this situation and the program execution will terminate.
Verify that the file name is indeed a valid and attempt the command again.
ZPCA831E
Explanation:
Response:
Could not retrieve certificate property from store.
The PKCAADMN utility must retrieve certificate properties from the certificate store
and could not.
The PKCAADMN utility will be unable to proceed past this point in the end entity
output process and program execution will terminate. This is an error internal to the
program. Contact PKWARE Technical Support to resolve this issue.
328

ZPCA832E
Explanation:
Response:
Cannot continue. Unable to make CRL from file '%s'.
The PKCAADMN utility must create a certificate revocation list data structure from the
input file but was unable to. %s Shows the value that the PKCAADMN utility
received for the certificate revocation list.
The PKCAADMN utility will be unable to proceed past this point in the certificate
revocation list add process and program execution will terminate. It is possible that
the input file is not a valid certificate revocation list file. Verify the input file attempt
the command again.
ZPCA833W
Explanation:
Response:
Cannot verify CRL issuer '%s' with CA Store. Trying Root
Store.
The PKCAADMN utility must verify the certificate revocation list data issuer to be sure
the revocation list is valid. The program was unable to find the CRL issuer in the CA
store. %s The issuer name for the certificate revocation list in question.
The PKCAADMN utility will also look in the root store for the issuer before abandoning
the CRL add process. The utility will also check the root store for the CRL issuer.
This is only a warning message and will not hinder the CRL add process unless the
CRL issuer is not found in the root store either.
ZPCA834W
Explanation:
Response:
Cannot verify CRL issuer with root store.
The PKCAADMN utility must verify the certificate revocation list data issuer to be sure
the revocation list is valid. The program was unable to find the CRL issuer in the root
store.
The PKCAADMN utility will also look in the CA store for the issuer before abandoning
the CRL add process. The utility will also check the CA store for the CRL issuer. This
is only a warning message and will not hinder the CRL add process unless the CRL
issuer is not found in the CA store either.
ZPCA835E
Explanation:
Response:
Cannot continue. Unable to verify CRL issuer.
The PKCAADMN utility must verify the certificate revocation list data issuer to be sure
the revocation list is valid. The program was unable to find the CRL issuer in the root
store or the CA store.
The PKCAADMN utility has checked both the root and the CA stores for the CRL
issuer and was unsuccessful. The program cannot continue with the CRL add
without verifying the issuer and the program execution will terminate. Verify the
contents of the root and/or CA stores to be sure that the issuer for the CRL in
question is present in one of the stores and attempt the command again.
329

ZPCA836E
Explanation:
Response:
Cannot continue. Unable to add CRL to store.
The PKCAADMN utility was unable to add the CRL file to the certificate revocation list
store.
The PKCAADMN utility cannot continue the add process past this point and the
program execution will terminate. Verify the certificate revocation list store is valid and
attempt the command again.
ZPCA837E
Explanation:
Response:
Cert Wrap failed to free CRL context. CW Error = 0X%X.
The PKCAADMN program was unable to release the system resources allocated by
the Cert Wrap modules during program execution. %X Shows the hexadecimal
value the Cert Wrap module returned upon failure to free the CRL context.
The PKCAADMN utility was unable to release the system resources allocated by the
Cert Wrap modules during program execution. This is indicative of an internal
program error. Program execution will terminate. Contact PKWARE Technical
Support to determine the resolution of the program error.
ZPCA838E
Explanation:
Response:
Cannot continue. Unable to get information from CRL.
The PKCAADMN program was unable to retrieve information from the certificate
revocation list data structure.
The PKCAADMN utility was unable to retrieve information from the certificate
revocation list data structure. This is indicative of an internal program error. Program
execution will terminate. Contact PKWARE Technical Support to determine the
resolution of the program error.
ZPCA839E
Explanation:
Response:
Cannot continue. Unable to get name from CRL.
The PKCAADMN program was unable to retrieve the CRL name from the certificate
revocation list data structure.
The PKCAADMN utility was unable to retrieve the CRL name from the certificate
revocation list data structure. This is indicative of an internal program error. Program
execution will terminate. Contact PKWARE Technical Support to determine the
resolution of the program error.
ZPCA840E
Explanation:
Delete CRL failed. Match was not found in the CA or Root
store.
The PKCAADMN program was unable to find the CRL issuer in the CA or root stores.
The CRL delete is unable to proceed in this situation.
330

Response:
The PKCAADMN utility was unable to retrieve the CRL issuer from the root or CA
stores. The program cannot recover from this situation and the program execution
will terminate. Verify the contents of the CA and/or root stores and attempt the
command again.
ZPCA841E
Explanation:
Response:
Delete CRL failed. Unable to find the CRL in the store.
The PKCAADMN program was unable to find the specified CRL in the certificate
revocation list store. The CRL delete command is unable to proceed in this situation.
The PKCAADMN utility was unable to find the CRL in the certificate revocation list
store. The program cannot recover from this situation and the program execution will
terminate. Verify the contents of the certificate revocation list store and attempt the
command again.
ZPCA842E
Explanation:
Response:
Delete CRL failed. Unable to remove the CRL from the store.
The PKCAADMN program was unable to delete the specified CRL entry from the
certificate revocation list store.
This error is indicative of an internal program error. The program execution will
terminate. Contact PKWARE Technical Support to determine the resolution of the
program error.
ZPCA843E
Explanation:
Response:
The store file '%s' was empty. Please try a valid certificate
store.
The PKCAADMN program was passed the name of an empty file in place of a
certificate store. %s Shows the value that the PKCAADMN utility received for the
certificate store.
The PKCAADMN utility is unable to proceed without properly specified certificate
stores. The program cannot recover from this situation and the program execution
will terminate. Verify the certificate store file names and attempt the command again.
ZPCA844E
Explanation:
Response:
Certificate type could not be determined.
The PKCAADMN program was unable to determine the type of the certificate to be
add.
The PKCAADMN utility is unable to proceed without properly the type of the certificate
being added as this type determines which store the certificate should be placed in.
The program cannot recover from this situation and the program execution will
terminate. Verify the origin of the input file and be sure it is a valid certificate file and
try the command again.
331

ZPCA845E
Invalid type specified for '%s' for Browse. Only CER and P7B
types are valid.
Explanation: The PKCAADMN program was unable to browse a file of the specified file type. %s
Shows the value that the PKCAADMN utility received for the certificate file.
Response:
The PKCAADMN utility was able to browse the specified certificate file type. Program
execution will terminate. Verify the type of the certificate file in question and attempt
the command again.
ZPCA846W
Explanation:
Response:
Simulation Requested. Nothing will be saved to the store.
The PKCAADMN utility has been given a simulate add command via the flag settings.
Due to the simulation, nothing was saved to the certificate store.
The PKCAADMN utility successfully ran the add command to completion, however
nothing was saved to the certificate store. This is expected behavior for the simulated
add command and this message is presented only as a reminder. If a simulate add
was requested, no user action is required. However, if a simulation was not desired,
change the flags so that a simulation will not occur and attempt the command again.
ZPCA847W
Explanation:
Response:
Simulation Requested. The end entity was not saved.
The PKCAADMN utility has been given a simulate add command via the flag settings.
Due to the simulation, the end entity was not saved to the output file.
The PKCAADMN utility successfully ran the add command to completion, however
nothing was saved to the output file. This is expected behavior for the simulated add
command and this message is presented only as a reminder. If a simulate add was
requested, no user action is required. However, if a simulation was not desired,
change the flags so that a simulation will not occur and attempt the command again.
ZPCA848W
Explanation:
Response:
End entity not saved as file was not specified.
The PKCAADMN utility could not save the end entity to disk as no output file was
specified in the input parameters to the PKCAADMN program.
The PKCAADMN utility successfully ran the add command to completion, however
nothing was saved as the output file was not specified. If this was the desired
command, no user action is required. However, if the end entity output was needed,
change the input parameters so that a valid output file is specified and attempt the
command again.
332

ZPCA849E
Explanation:
Response:
Cannot continue. Unable to determine certificate store count.
The PKCAADMN utility was not able to determine the number of certificates in the
certificate store.
The PKCAADMN utility successfully opened the certificate store but was unable to get
a count of the number of certificates in that store. The program can not continue if
this situation occurs. This error could be indicative of an invalid store. Run a validate
command against the store in question to determine that it is not corrupt. If the
validate command is successful, this could be indicative of an internal program error.
In this case, contact PKWARE Technical Support to resolve this problem.
ZPCA850E
Explanation:
Response:
Cannot continue. Unable to determine certificate file count.
The PKCAADMN utility was not able to determine the number of certificates in the
specified input file.
The PKCAADMN utility successfully opened the input file but was unable to get a
count of the number of certificates in that file. The program can not continue if this
situation occurs. This error could be indicative of an invalid input file. Verify the source
of the input file in question to determine that it is not corrupt. If necessary, export
and/or transfer the input file to the system again ensure file integrity. If this fails to
resolve the problem with the file, contact PKWARE Technical Support to resolve this
problem.
ZPCA851E
Explanation:
Response:
Cannot continue. Unable to determine CRL store count.
The PKCAADMN utility was not able to determine the number of certificate revocation
list entries in the CRL store.
The PKCAADMN utility successfully opened the CRL store but unable to get a count
of the number of certificate revocation list entries in that store. The program can not
continue if this situation occurs. This error could be indicative of an invalid store. Run
a validate command against the store in question to determine that it is not corrupt. If
the validate command is successful, this could be indicative of an internal program
error. In this case, contact PKWARE Technical Support to resolve this problem.
ZPCA852E
Explanation:
Response:
Cannot continue. Unable to determine CRL file count.
The PKCAADMN utility was not able to determine the number of certificate revocation
list entries were contained in the specified input file.
The PKCAADMN utility successfully opened the input file but was unable to get a
count of the number of certificate revocation list entries in that file. The program can
not continue if this situation occurs. This error could be indicative of an invalid input
file. Verify the source of the input file in question to determine that it is not corrupt. If
necessary, export and/or transfer the input file to the system again ensure file
integrity. If this fails to resolve the problem with the file, contact PKWARE Technical
Support to resolve this problem.
333

ZPCA853E
Explanation:
Response:
Add operation was not completed due to newer CRL entry in the
CRL store.
The PKCAADMN utility was unable to complete the Add command due to the fact that
there was a newer copy of the input certificate revocation list already in the CRL
store.
The PKCAADMN utility will not permit an older certificate revocation list to overwrite a
newer one already present in the CRL store. The program will terminate in this case.
This error could be indicative of an invalid input file. Verify the source of the input file
in question to determine that it is not corrupt. If necessary, export and/or transfer the
input file to the system again ensure the newest available certificate revocation list is
being added to the CRL store.
ZPCA854E
Explanation:
Response:
Add operation was not completed due to newer certificate entry
in the store.
The PKCAADMN utility was unable to complete the Add command due to the fact that
there was a newer copy of the input certificate already in the certificate store.
The PKCAADMN utility will not permit an older certificate to overwrite a newer one
already present in the certificate store. The program will terminate in this case. This
error could be indicative of an invalid input file. Verify the source of the input file in
question to determine that it is not corrupt. If necessary, export and/or transfer the
input file to the system again ensure the newest available certificate is being added to
the certificate store.
334

A
Performance Considerations
This appendix lists a few performance considerations when running SecureZIP for
iSeries. Most performance related issues can be controlled by the PKZIP/PKUNZIP
parameters. However, it should be noted that PKZIP data compression is CPU
intensive by its very nature, and that PKZIP/PKUNZIP parameters can only help to a
limited degree. Therefore, it should be expected that a reasonable amount of CPU
resources will be needed for such operations.
Interactive Performance
When compressing large size files, PKZIP will sometimes use as much CPU resources
as the system will allow. With this in mind, processing very large files may perform
best as a submitted job. However, some iSeries environments have constraints on
running interactive jobs. If those interactive jobs run for a long time and use a high
amount of CPU resources, the system will slow down and may issue the message
CPI1479 "Interactive activity approaching capacity of installed feature." In this case,
review the details of this message. This usually means that the interactive systems
are using more resources than the iSeries was configured to use.
Compression Type Performance
Selecting a compression method is one way to get the smallest compressed file with
the relationship to the CPU usage and run times. Sometimes, to get the best results,
you may have to run several tests with the data to balance the compression ratio to
the length of the run time. Running with *MAX will usually get the best compression
ratio but will also run the longest. In most of our test cases, *MAX would run 30%-
40% longer than *NORMAL and might only gain less than 1% better ratio. This is
why we recommend using SUPERFAST (the default) unless your testing implies
otherwise.
To minimize the overhead needed to ZIP, the best thing (and the easiest) is to select
a compression method other than *MAX. PKZIP’s default compression method is
SUPERFAST.
When using the compression method of Maximum, you are only compressing the
data by another 1-8% over a job that might use the SUPERFAST compression
method. The archive file size change is minimal. However, the time difference
335

etween a maximum and a SUPERFAST job can be measured in hours if the file is big
enough!
You may read more about the compression levels by prompting the Compression
Level parameter (F1).
Compression Level . . . . . . . *SUPERFAST *FAST, *NORMAL, *MAX...
Data Type Selection
Getting the best performance from your iSeries machine with regards to a PKZIP job
can truly depend on the parameters you have selected for the job. In many cases,
the compressed size of a file depends on the type of data (Binary vs. Text), and the
compression type selected. Text will usually compress more since it has a higher
probability of repeated characters.
Knowing the target platform of the data will help you resolve how PKZIP is to treat
the data during the compression process. However, PKZIP treatment of data defaults
to *DETECT. *DETECT means that PKZIP will scan the data (up to 97% of the input
file) to determine whether the data that it is going to compress should be treated as
TEXT or BINARY. This can be an especially painful process if you are selecting large
files for compression. However, to get around the scanning overhead, if you know
you are sending the archive or ZIP file to a PC or to a UNIX machine, you know that
the data will need to be converted to TEXT (or ASCII). Therefore, you should select
file Types(*TEXT). If the data is targeted for another iSeries machine, then you
should select *BINARY. *DETECT should only be used when you do not know the
nature of the data.
You may read more about the data types by prompting the file Types parameter
(F1).
File Types . . . . . . . . . . . *DETECT *DETECT *TEXT *BINARY ....
Archive Placement (IFS or in a Library)
For best performance try to store the archives in the IFS. By placing the archive in
the IFS instead of in a library/file reduces the overall CPU usage and in some cases
can reduce the run times as much as 30%-40%.
It is recommended when using the ZIP process for large files that the ZIP archive be
stored in the IFS. This method provides the best performance and makes the most
efficient use of storage space for both ZIP archives and ZIP temporary files.
ZIP64 Processing Considerations
When processing very large files or high volumes of files, the processing
characteristics of PKZIP may vary depending on the phase of processing involved.
Some common processing phases and their run-time characteristics are:
• ZIP file selection: When selecting a very large number of files through many
directories and/or libraries, the initial selection requires IO time and memory
per file to analyze and manage each of the file’s properties. The more files to
336

select, the more memory and initial startup overhead. Each site will have to
discover their practical limits based on their environments and resources.
• Archive directory read processing: When updating an existing archive that
contains a very large number of files, time and memory again are used to
manage the archives and its directory. Or when using PKUNZIP to view the
files, the more files in the archive, the more memory that is required and the
more time that is involved when sorting the files in archive properties before
displaying or printing the contents.
• Archive updating: When updating a large archive with large file sizes, there
will be overhead to copy the files from the previous archive, before adding or
updating new files to the archive. For example, if you have a 10 GB archive
with 5 files that are each compressed, down to 2 GB, overhead will be
required to copy the compressed files from the old archive to the new archive.
This is another reason for storing the archive in the IFS, which can help
reduce resources rather than storing the archive in a file in a library.
• When compressing large size files, PKZIP will sometimes use as much CPU as
the system will allow. With this in mind, processing very large files may
perform best as a submitted job. Some iSeries systems have constraints on
running interactively, and if interactive jobs run a long time and use high
amounts of CPU resources, their system will start slowing down and may
issue the message CPI1479 "Interactive activity approaching capacity of
installed feature." In this case they should review the details of this message,
which usually means that their interactive systems are using more resources
than the iSeries was configured to use.
Encryption Performance
When using advanced encryption versus no encryption, there will be a slight increase
in the overall size of the archive that contains the AES overhead (approximately 300
bytes per file in archive). The increase in size will be same whether you use AES 128,
AES 192, or AES 256.
AES 256 being the most secure encryption algorithm, will also consume the most
CPU usage. AES 128 on average could use around 9% more CPU than running with
no encryption. AES 256 averages about 3.4% more usage when compared with AES
128 (or around 12.5% versus no encryption).
Extended Attributes Selections
The extended attributes naturally contribute some overhead to the archive but it is
minimal, unless you are compressing a database file in the QSYS library file system
with the parameter DBSERVICE(*YES). This size then depends on the definitions of
the database (fields, headings, etc), but also is very important in rebuilding a DB2
database where it does not exist.
These extended attributes can be stored in two places, called the local header and
central header directories. SecureZIP for iSeries 8.1 and other current PKWARE
products now only use the extended attributes from the central directory. PKZIP for
OS/400 5.5 required some of the attributes in the local header.
337

To help reduce the archive overhead the parameter EXTRAFLD in PKZIP has been
expanded to select where you want to store the attributes. By using
EXTRAFLD(*Central), you reduce the size of each file in the archive by the size of the
extended attributes. Caution: If the attributes are required on another iSeries
not running on 8.0 or above, use the option EXTRAFLD(*BOTH) or
EXTRAFLD(*YES).
338

B
Examples
Example 1 - PKUNZIP Files to a New or Different Library
To extract the files in the archive to a new library. An example of the files in the
archives are:
PKUNZIP ARCHIVE('atest/qz/tstchg')
Archive: ATEST/QZ(TSTCHG) 88572 bytes 6 files
Length Method Size Ratio Date Time CRC-32 Name
-------- ------ ------- ----- ---- ---- ------ ----
259 Defl:F 178 01-16-01 08:24 b5dbf80c TESTLIB1/BEN/BEESON
449664 Defl:F 48720 01-16-01 14:46 94c7506c
TESTLIB1/MYSPLFTM.P/AQZIP123.4X
205693 Defl:F 29687 01-16-01 14:46 e2473ea4
TESTLIB1/MYSPLFTM.P/LISTDBOB.X
27488 Defl:F 6771 01-16-01 14:46 c264817a TESTLIB1/MYSPLFTM.P/QPRINT1X
3352 Defl:F 800 01-16-01 14:46 3e485445
TESTLIB1/MYSPLFTM.P/T4RSTLIB.XY
256 Stored 256 01-16-01 15:22 29058c73 TESTLIB1/TEST1/HEX
-------- ------- --- -------
686712 86412 6 files
To extract to a new library, use the keyword EXDIR and DROPPATH
PKUNZIP ARCHIVE('atest/qz/tstchg') TYPE(*EXTRACT) EXDIR(mynewlib) DROPPATH(*LIB)
PKUNZIP Archive: ATEST/QZ(TSTCHG)
Searching Archive ATEST/QZ(TSTCHG) for files to extract
Extracting file TESTLIB1/BEN/BEESON
NOTE path
Library MYNEWLIB created.
NOTE Library
created
File BEN created in library MYNEWLIB.
Member BEESON added to file BEN in MYNEWLIB.
Member BEESON file BEN in MYNEWLIB changed.
Inflating: MYNEWLIB/BEN(BEESON) Text NOTE new path
Extracting file TESTLIB1/MYSPLFTM.P/AQZIP123.4X
File MYSPLFTMP created in library MYNEWLIB.
Member AQZIP1234X added to file MYSPLFTMP in MYNEWLIB.
Member AQZIP1234X file MYSPLFTMP in MYNEWLIB changed.
Inflating: MYNEWLIB/MYSPLFTMP(AQZIP1234X) Text
Since the library mynewlib did not exist, it was created.
339

Example 2 - CLP with Override for Stdout and Stderr to an OUTQ
The following is an example of overriding the PKZIP and PKUNZIP program output,
and then redirecting the output to an OUTQ. This also provides an example of using
mixed file systems, such as having the archive file in the IFS and selecting files from
the QSYS library file system.
ZIPEXPL01: PGM PARM(&OUTQ)
/* Program: ZIPEXPL01 Example */
/*****************************************************************/
/* Abstract: This is a example CL program has on parameter for */
/* the OUTQ for the processing of SecureZIP for iSeries. If it is */
/* *none or *NONE no overriding to QPRINT will take place. */
/* 1. Will add the SecureZIP for iSeries Library to Library List */
/* If it is already part of LIBL then note so as to not */
/* remove at the end. */
/* 2. Set the Current Library (only required if parameters of */
/* PKZIP leaves out the Library and a default is needed) */
/* 3. An example of setting the current directory is IFS */
/* 4. Check input OUTQ. If none keep processing */
/* 5. Override the Stdout and Stderr to input outq */
/* This is where PKZIP will send messages when the */
/* MSGTYPE is (*PRINT) or (*BOTH). */
/* 6. Run Test01 of PKZIP */
/* 7. Run Test02 of PKZIP with archive in IFS */
/* 8. Run Test03 of PKZIP with IFS system */
/* 9. Run Test04 of PKUNZIP to view archive */
/* 10. If the PKZIP Library was not present at the beginning */
/* remove it from *LIBL. */
/* */
/*****************************************************************/
OUTQ: DCL VAR(&OUTQ) TYPE(*CHAR) LEN(10)
PKZIPLIB: DCL VAR(&PKZIPLIB) TYPE(*CHAR) LEN(10) +
VALUE(PKW81051S)
/* if PKZIP library is in Libl do not remove it at the end */
LIBLCHG: DCL VAR(&LIBLCHG) TYPE(*CHAR) LEN(1) VALUE('Y')
CURLIB: DCL VAR(&CURLIB) TYPE(*CHAR) LEN(10) VALUE(MYLIB)
ZIPDIR: DCL VAR(&ZIPDIR) TYPE(*CHAR) LEN(10) +
VALUE('/mydir')
/* Add the SecureZIP for iSeries library to library List */
ADDLIBLE LIB(&PKZIPLIB)
MONMSG MSGID(CPF2103) EXEC(CHGVAR VAR(&LIBLCHG) +
VALUE('N'))
/* Set Current Directory to MYLIB */
/*(not Required for this test Just an example)*/
CHGCURLIB CURLIB(&CURLIB)
/* Set Current Directory to zip */
/*(not Required for this test Just an example)*/
CD
DIR(&zipdir)
/* Check input outq to see overides required */
CHKOUTQ: IF COND((&OUTQ *EQ '*none') *OR (&OUTQ *EQ +
'*NONE')) THEN(GOTO CMDLBL(NOOUTQ))
/* change Stdout and Stderr to my outq */
OVRPRTF FILE(STDOUT) TOFILE(*LIBL/QSYSPRT) OUTQ(&OUTQ)
OVRPRTF FILE(STDERR) TOFILE(*LIBL/QSYSPRT) OUTQ(&OUTQ)
NOOUTQ:
/* Test basic PKZIP */
TEST01: PKZIP ARCHIVE('ATEST/PKZ2(MYSL04)') +
FILES('TESTLIB/MYSPLF(*ALL)') +
EXCLUDE('TESTLIB/MYSPLF(Q*)')
/* Test basic PKZIP with archive in IFS and print only messages */
340

TEST02: PKZIP ARCHIVE('/mydir /tmpsave/itest01') +
FILES('TESTLIB/TEST') FILETYPE(*BINARY) +
TYPARCHFL(*IFS) MSGTYPE(*PRINT)
/* Test PKZIP with all files in IFS */
TEST03: PKZIP ARCHIVE('/mydir/tmpsave/itest02.zip') +
FILES('/mydir/test1/basetest') +
TYPARCHFL(*IFS) TYPFL2ZP(*IFS)
/* Test PKUNZIP view of archive from test02 */
TEST04: PKUNZIP ARCHIVE('/mydir/tmpsave/itest01') +
TYPARCHFL(*IFS) MSGTYPE(*PRINT)
/* If PKZIP Library was added to LIBL then remove it */
ENDPGM: IF COND(&LIBLCHG *EQ 'Y') THEN(RMVLIBLE +
LIB(&PKZIPLIB))
ENDPGM
Example 3 - Creating an Archive in Personal Folders (QDLS)
The following is an example of creating and processing the archive in the Document
library Services file system (QDLS). First, assume a folder in QDLS with a name of
MYFOLDER where the archives will be stored. To view the folders, issue the
command WRKLNK '/QDLS/*' (you could use WRKDOC and WRKFLR, but WRKLNK is
better to use since PKZIP will be using /QDLS).
Work with Object Links
Directory . . . . :
/qdls
Type options, press Enter.
3=Copy 4=Remove 5=Next level 7=Rename 8=Display attribu
11=Change current directory ...
Opt Object link Type Attribute Text
. FLR
.. FLR
MYFOLDER
FLR
QBKBOOKS
FLR
Run the PKZIP command:
PKZIP ARCHIVE('/QDLS/MYFOLDER/MYARCH1.ZIP') FILES('testlib/ben')
TYPARCHFL(*IFS)
The suffix .ZIP was added to help identify the file as an archive file.
SecureZIP for iSeries (tm) Compression Utility Version 8.1, 2003/08/21
Copyright. 2004. PKWARE, Inc. All Rights Reserved.
PKZIP is a registered trademark of PKWARE, Inc.
EVALUATION Running
EVALUATION, Warning - This license will expire in 29 days on 2003/09/20
Contact your dealer with the following information
Machine ID = , Processor Group = P05
Scanning files for match ...
Found 1 matching files
Compressing TESTLIB/BEN(BEESON) in TEXT mode
Add TESTLIB/BEN/BEESON -- Deflating (32%)
PKZIP Compressed 1 files in Archive /QDLS/MYFOLDER/MYARCH1.ZIP
PKZIP Completed Successfully
Press ENTER to end terminal session.
341

To see the file in the folders, run WRKLNK '/QDLS/MYFOLDER/*'
Work with Object Links
Directory . . . . :
/QDLS/MYFOLDER
Type options, press Enter.
3=Copy 4=Remove 5=Next level 7=Rename 8=Display attributes
11=Change current directory ...
Opt Object link Type Attribute Text
. FLR
.. FLR
MYARCH1.ZIP
DOC
Next, to view the contents, run:
PKUNZIP ARCHIVE('/QDLS/MYFOLDER/MYARCH1.ZIP') TYPARCHFL(*IFS)
SecureZIP for iSeries (tm) Compression Utility Version 8.16
2003/08/21
Copyright. 2004. PKWARE, Inc. All Rights Reserved.
PKZIP is a registered trademark of PKWARE, Inc.
Archive: /QDLS/MYFOLDER/MYARCH1.ZIP 551 bytes 1 file
Length Method Size Ratio Date Time CRC-32 Name
-------- ------ ------- ----- ---- ---- ------ ----
259 Defl:F 177 32% 11-27-00 15:32 b5dbf80c TESTLIB/BEN/BEESON
-------- ------- ---- -------
259 177 32% 1 file
PKUNZIP extracted 0 files
PKUNZIP Completed Successfully
Press ENTER to end terminal session.
Example 4 - Processing Archive on a CD (QOPT)
The following is an example of processing an archive that exists on a CD and using
PKUNZIP to view or extract. Because the archive file is on a CD, and the file system
QOPT controls the CD, this archive basically exists in the IFS.
First, check and ensure the archive is on the CD by doing a WRKLNK (you can use
WRKOPTDIR, but using WRKLNK will show the actual paths required). Remember,
the volume of the CD is also a directory in QOPT file system. If the file names are
longer than eight characters, the file name will be changed, much like you see in
DOS systems. It will contain a tilda (~) followed by a number for files found with
excessive name lengths.
WRKLNK ‘/QOPT/*’
Work with Object Links
Directory . . . . :
/QOPT
Type options, press Enter.
3=Copy 4=Remove 5=Next level 7=Rename 8=Display attributes
11=Change current directory ...
Opt Object link Type Attribute Text
MYTESTLABEL
DDIR
342

The above screen shows that the volume label of the CD is “MYTESTLABEL”. Using
the “5” for the next level option, you can navigate through the directories. You will
then see the files and directories on the root of the CD. For example:
Work with Object Links
Directory . . . . :
/QOPT/MYTESTLABEL
Type options, press Enter.
3=Copy 4=Remove 5=Next level 7=Rename 8=Display attributes
11=Change current directory ...
Opt Object link Type Attribute Text
ARCHIVE.ZIP
DSTMF
GZIPPW.GAR
DSTMF
OS_400~3.DOC
DSTMF
PKZCVT~2.DOC
DSTMF
PKW80~1.SAV
DSTMF
PKW80~1.ZIP
DSTMF
To view the archive PKW80~1.ZIP (which is really the long name PKW81051S.ZIP)
contents, use PKUNZIP with *VIEW.
Use the command:
PKUNZIP ARCHIVE('/QOPT/MYTESTLABEL/PKW80~1.ZIP') TYPARCHFL(*IFS)
TYPE(*VIEW)
SecureZIP for iSeries (tm) Compression Utility Version 8.1, 2003/08/22
Copyright. 2004. PKWARE, Inc. All Rights Reserved.
PKZIP (R) is a registered trademark of PKWARE (R), Inc.
Archive: /QOPT/MYTESTLABEL/PKW80~1.ZIP 1373026 bytes 1 file
Length Method Size Ratio Date Time CRC-32 Name
-------- ------ ------- ----- ---- ---- ------ ----
6044544 Defl:N 1372902 77% 08-16-01 21:17 d73f09cf PKW81051S.sav
-------- ------- ---- -------
6044544 1372902 77% 1 file
PKUNZIP extracted 0 files
PKUNZIP Completed Successfully
Example 5 - Compressing files from a CD (QOPT)
Using the document (.DOC) files on the CD shown in Example 4, we can compress
the files and store them in the archive in my archive library ATEST under the file
V509 archives with an archive file member named CDTEST01.
PKZIP ARCHIVE('atest/v509/cdtest01') FILES('/QOPT/MYTESTLABEL/OS_400~3.DOC'
'/QOPT/MYTESTLABEL/PKZCVT~2.DOC') TYPFL2ZP(*IFS)
SecureZIP for iSeries (tm) Compression Utility Version 8.1, 2003/08/22
Copyright. 2004. PKWARE, Inc. All Rights Reserved.
PKZIP (R) is a registered trademark of PKWARE (R), Inc.
Scanning
files for match ...
Found 2 matching files
Compressing /QOPT/MYTESTLABEL/OS_400~3.DOC in BINARY mode
Add /QOPT/MYTESTLABEL/OS_400~3.DOC -- Deflating (77%)
Compressing /QOPT/MYTESTLABEL/PKZCVT~2.DOC in BINARY mode
Add /QOPT/MYTESTLABEL/PKZCVT~2.DOC -- Deflating (79%)
PKZIP Compressed 2 files in Archive ATEST/V509(CDTEST01)
343

PKZIP Completed Successfully
Because you would not be able to extract them to the CD, you may want to use the
parameter STOREPATH(*NO) so that only file names OS_400~3.DOC and
PKZCVT~2.DOC are stored in the archive.
Example 6 - Compressing CL with MSG Checking
The following brief example demonstrates using PKZIP in a CL passing the archive’s
library, file, and member as variables and then monitoring for errors from the PKZIP
run.
ZIPEXPL03: PGM
PARM(&ZIPLIB &ZIPFILE &ZIPMBR)
/* Program: ZIPEXPL03 Example */
/*****************************************************************/
/* Abstract: This is a example CL program that has 3 paramters */
/* that specifies the archive's Library, File and Member. */
/* 1. Will add the SecureZIP for iSeries Library to Library List */
/* If it is already part of LIBL then note so as to not */
/* remove at the end. */
/* 2. Build the archive file namefor PKZIP by concatenating */
/* the inputted library, file and member names. */
/* 3. Compress all files in TESTLIB with PKZIP Command */
/* 4. Monitor for error messages from PKZIP. */
/* If errors send message. */
/* 5. If the PKZIP Library was not present at the beginning */
/* remove it from *LIBL. */
/* */
/*****************************************************************/
/* &PKZIPLIB contains the current PKZIP library */
DCL VAR(&PKZIPLIB) TYPE(*CHAR) LEN(10) +
VALUE(PKW81051S)
/* if PKZIP library is in Libl do not remove it at the end */
DCL VAR(&LIBLCHG) TYPE(*CHAR) LEN(1) VALUE('Y')
/* &ZIPLIB is Library where archive will be stored */
DCL VAR(&ZIPLIB) TYPE(*CHAR) LEN(10)
/* &ZIPFILE is File for the archive */
DCL VAR(&ZIPFILE) TYPE(*CHAR) LEN(10)
/* &ZIPMBR is Member of the archive file */
DCL VAR(&ZIPMBR) TYPE(*CHAR) LEN(10)
/* Archive file for PKZIP built with concatenation */
DCL VAR(&ZARCHF) TYPE(*CHAR) LEN(36)
/* Add the SecureZIP for iSeries library to library List */
ADDLIBLE LIB(&PKZIPLIB)
MONMSG MSGID(CPF2103) EXEC(CHGVAR VAR(&LIBLCHG) +
VALUE('N'))
/*Concatenate the libraries, files and members for PKZIP of the archive*/
CHGVAR VAR(&ZARCHF) VALUE(&ZIPLIB *TCAT '/' *TCAT +
&ZIPFILE *TCAT '/' *TCAT &ZIPMBR)
/* Compress all files in the library TESTLIB and */
/* store them in the archive specified in the */
/* calling of the CLP program */
/* If messages AQZ0022 "PKZIP Completed with Errors." */
/* or AQZ0012 "PKZIP ending with Nothing to do" */
/* are returned */
/* from PKZIP, send message indicating an error */
/* Occured. */
PKZIP ARCHIVE(&ZARCHF) FILES('TESTLIB/*all(*all)') +
COMPRESS(*NORMAL) ARCHTEXT('This the text +
of the archive for example 3')
MONMSG MSGID(AQZ0022) EXEC(SNDPGMMSG MSG('PKZIP +
Ended with MONMSG for AQZ0022'))
344

MONMSG MSGID(AQZ0012) EXEC(SNDPGMMSG MSG('PKZIP +
Ended with MONMSG for AQZ0012'))
/* If PKZIP Library was added to LIBL then remove it */
ENDPGM: IF COND(&LIBLCHG *EQ 'Y') THEN(RMVLIBLE +
LIB(&PKZIPLIB))
EOJ: ENDPGM
Example 7 – Compressing Spool Files Samples
The following are several samples demonstrating the selection of spool file for
compression.
Sample 1: Select a specific spool file (MYSPLFFILE) for the specific job (jobname-
WSSSPL, User-WSS and job number 11) in all output queues (the default of
SFQUEUE) and convert the spool file to a PDF format SFTARGET(*PDFLETTER) to fit
a letter format. store the archive in the IFS with TYPARCHFL(*IFS) .
PKZSPOOL ARCHIVE('/pkzshare/bills/splftest01.zip') TYPARCHFL(*IFS)
SPLFILE(MYSPLFILE) SFUSER(*ALL) SFJOBNAM(11/WSS/WSSSPL)
SFTARGET(*PDFLETTER) SFTGFILE(*GEN1P)
Sample 2: Select all spool files belonging to users WSS and TAIT (SPLUSERID) that
resides in the OUTQ QPRINTS (SFQUEUE) and compress them as spool files with
SFTARGET(*SPLF). This might be done to save the spool files for later review since
this OUTQ is purged on a regular basis.
PKZSPOOL ARCHIVE('/pkzshare/bills/splftest02.zip') TYPARCHFL(*IFS)
SFUSER(WSS TAIT) SFQUEUE(QPRINTS) SFTARGET(*SPLF) SFTGFILE(*GEN1)
Sample 3: Using the archive from Sample 2, we want to restore or extract the spool
files in order to print them again. Except in this case we want them to belong to the
user MAS with SPLUSERID and place the spool files in the OUTQ MASQ (SFQUEUE)
located in the library DEVPLIB.
PKUNZIP ARCHIVE('/pkzshare/bills/splftest02.zip') TYPARCHFL(*IFS)
TYPE(*EXTRACT) SPLUSRID(MAS) SFQUEUE(DEVPLIB/MASQ)
Sample 4: Select the spool file QPRINTS (SPLFILE), spool file number 17 (SPLNBR),
user MAS (SFUSER) and convert the file to a TEXT file with SFTARGET(*TEXTFC). In
this case, the file is needed to read into a PC program and the user wants the ANSI
control characters in position 1 of each line.
PKZSPOOL ARCHIVE('/pkzshare/bills/splftest04.zip') TYPARCHFL(*IFS)
SPLFILE(QPRINTS) SFUSER(MAS) SPLNBR(17)
SFTARGET(*TEXTFC) SFTGFILE(*GEN1P)
Sample 5: Now we want to extract the text file created in Sample 4 to one of our
shared drives areas ('/PKZSHARE/PCFILES') that our PCs can access. In this case the
normal extraction would identify the file as a text file and would convert it to
EBCDIC. Since the file will be used by a PC program that is expecting the data to be
in ASCII, we will have to extract the file as binary since the internal file is already in
345

ASCII. By specifying FILETYPE(*BINARY), this ensures that no translation of the data
takes place.
PKUNZIP ARCHIVE('/pkzshare/bills/splftest04.zip') TYPARCHFL(*IFS) TYPFL2ZP(*IFS)
TYPE(*EXTRACT) FILETYPE(*BINARY)
EXDIR('/PKZSHARE/PCFILES') DROPPATH(*ALL)
Example 8 – PKZSPOOL The Last Spool File of Current Job
The following brief CLP example demonstrates using PKZSPOOL to compress to a
PDF, only the last spool file that was written out by the current job.
ZIPEXPL07: PGM
/* Program: ZIPEXPL07 Example */
/*****************************************************************/
/* Abstract: This is an example CL program that perform several */
/* task that prints reports. Then compresses only the LAST */
/* spool file created to a PDF file in a archive */
/* */
/*****************************************************************/
/* display the properties of the files start with "i" in QIBM folder */
DSPLNK OBJ('/QIBM/i*') OUTPUT(*PRINT) +
DETAIL(*EXTENDED) DSPOPT(*ALL)
/* display all libraries that start with Q and print */
DSPOBJD OBJ(*LIBL/Q*) OBJTYPE(*LIB) DETAIL(*BASIC) +
OUTPUT(*PRINT)
/* Compress the ONLY the last spool file created to a PDF file */
PKZSPOOL ARCHIVE('/pkzshare/bills/PKZdata1.zip') +
SFJOBNAM(*) SPLNBR(*LAST) +
SFTARGET(*PDFLETTER) SFTGFILE(*GEN1P) +
TYPARCHFL(*IFS)
ENDOFJOB: ENDPGM
Example 9 - CL to Compress All Spool Files for a Job to a PDF
The following brief example demonstrates using PKZIP in a CL to pass the archive’s
library, file, and member as variables and then monitor for errors from the PKZIP
run.
ZIPEXPL08: PGM
/* Program: ZIPEXPL08 Example */
/*****************************************************************/
/* Abstract: This is an example CL program that perform several */
/* task that prints reports. Then submits a job at the end of */
/* the job that will compress all spool files to PDF files. The */
/* reason the job was submitted was to also compress the job log */
/* to a PDF */
/* */
/*****************************************************************/
/* Current Job Name */
DCL VAR(&MYJOBNM) TYPE(*CHAR) LEN(10) VALUE(' ')
/* Current Job User */
346

DCL VAR(&MYJUSER) TYPE(*CHAR) LEN(10) VALUE(' ')
/* Current Job Number */
DCL VAR(&MYJNBR) TYPE(*CHAR) LEN(10) +
VALUE('000000')
/* retrieve the job name, user, and job number for later use */
RTVJOBA JOB(&MYJOBNM) USER(&MYJUSER) NBR(&MYJNBR)
/* this job to get a full job log */
CHGJOB LOG(4 00 *SECLVL) LOGCLPGM(*YES)
/* display the properties of the files start with c in my folder */
DSPLNK OBJ('/pkzshare/bills/c*') OUTPUT(*PRINT) +
DETAIL(*EXTENDED) DSPOPT(*ALL)
DSPAUT OBJ('/pkzshare/BILLS') OUTPUT(*PRINT)
/* create an archive with one file */
PKZIP ARCHIVE('/pkzshare/bills/PKZtest1.zip') +
FILES('/pkzshare/bills/chartest2.zip') +
TYPARCHFL(*IFS) TYPFL2ZP(*IFS) STOREPATH(*NO)
/* display detail attributes for the new archive created */
DSPLNK OBJ('/pkzshare/bills/PKZtest1*') OUTPUT(*PRINT) +
DETAIL(*EXTENDED) DSPOPT(*ALL)
/* submit a job to create all spool Files including the job log into a */
/* PDF file and place them in archive PKZdata1 */
SBMJOB CMD(PKZSPOOL +
ARCHIVE('/pkzshare/bills/PKZdata1.zip') +
SFJOBNAM(&MYJNBR/&MYJUSER/&MYJOBNM) +
SFTARGET(*PDFLETTER) SFTGFILE(*GEN1P) +
TYPARCHFL(*IFS)) JOB(&MYJOBNM) +
INLLIBL(*CURRENT)
ENDOFJOB: ENDPGM
347

C
Memory Errors
In some rare cases, SecureZIP for iSeries may experience a memory error
condition. While running SecureZIP for iSeries the program allocates memory for
sorts, buffers, and other storage requirements. There are diagnostic checks in the
system to validate memory requests. If a request fails, the job will terminate and
send a message to the message queue indicating a memory allocation failure. Some
systems limit the memory allocation for certain user/jobs which may cause this
problem. In some cases, programs can have what are called “memory leaks” where
memory is never freed. Signing off or ending the job will free the allocated memory.
If a message indicates that a memory allocation error occurred, retrieve the failed
job log and contact the Product Services Division at 1-937-847-2687 for assistance.
348

D
External Name Conversion Program
CVTNAME
SecureZIP for iSeries provides an exit that calls a compiled CLP program named
CVTNAME. PKZIP can change the names of iSeries file names to a ZIPPED file name
to be used in the archive. PKUNZIP can change a ZIPPED file name in an archive to
an iSeries file name. This is activated by using the parameter CVTFLAG and not
setting the parameter to *NONE. SecureZIP for iSeries will call the first CVTNAME
program found in the library list.
SecureZIP for iSeries will call the program and pass three fields to CVTNAME and
will expect a return field. The first field passed is a 256-byte field that contains the
input name (in PKZIP, it is the iSeries name, and in PKUNZIP, it is the ZIPPED name
in the archive) that can be changed. The second field passed is a 5-byte field that
can be used to help code specific logic to control the name change process. The third
field is up to 256 bytes of extended data from the command to provide more
flexibility in controlling the conversion of file names.
The program will return up to 256 bytes of a file name that will be used as the
output name in the archive.
The exit can be divided into different conversion routines by assigning each routine a
five-character name, which is passed in as the CVTFLAG parameter value. This
routine works for both the PKZIP and PKUNZIP programs, but normally you will need
a different conversion routine or CVTFLAG for archiving or extraction. When the
CVTNAME returns, the returned name should either hold the new name, or remain
blank to indicate that the default conversion rules should be used.
Note: The PKZIP and PKUNZIP programs perform no validity checking on the name
that is passed back and assumes that the name is valid and unique. If the name is
not valid or unique, open errors or missing files may occur.
For PKZIP, the name exit receives the OS/400 file name and the returned name is
the name that will be used for the file name in the archive. Ensure that names
returned are unique; otherwise, only the first of the duplicated files will be
compressed.
For PKUNZIP, the CVTNAME exit receives the name of the file that is in the archive
and expects to return the name of a file on the OS/400 as ‘library/file(member)’. If
this is invalid, then file open errors will occur. If they are valid but did not exist
before, PKUNZIP will create the library, file, and member.
In the supplied library, there is a sample CVTNAME CLP that contains logic for the
following flags:
349

• If the flag is *400, there is no conversion taking place, and the input name is
passed back as a new name.
• If the flag is O4MS, the program will convert an iSeries file name
“library/file(member)” to a MS-DOS name with ‘/’ (such as
“library/file/member”).
• If the flag is MSO4, the program will take a MS-DOS file name
“/dir1/dir2/dir3/name.xxx” and make it an iSeries name (such as
“dir2/dir3{namexxx)”) where dir2 will be the library, dir3 will be a file name,
and namexxx will be up to a 10-byte character member name.
• If the flag is *MSD, the program will convert an iSeries file name
"library/file(member)" to a MS-DOS name with suffix .TXT to the file
"library/file.TXT".
• If the flag is *MSM, the program will convert an iSeries file name
"library/file(member)" to an MS-DOS name with a suffix .TXT added to the
member name, such as "library/file/member.TXT".
• If the flag is *IFS, the program will format a file name "library/file(member)"
for the iSeries QSYS.LIB integrated file system. For example
"/QSYS.LIB/LIBRARY.LIB/FILE.FILE/MEMBER.MBR".
• If the flag is SPLF1, the program will take a spool file name
"jobname/useriud/jobnumber/splfname/splfnbr.suffix" and build each in it
own DCL field. Then taking the first 10 bytes of the CVTDATA passed from the
command will build a new name that looks like “CVTDATA.splfnbr.suffix”.
• Of course the correct flag should be used with the appropriate file system.
Changes can be made to CVTNAME to fit the customer’s site requirements. The use
of (and changes to) the CVTNAME program is the customer’s responsibility.
The following is an example of the CVTNAME CLP source code included in the
SecureZIP for iSeries library:
Sample CVTNAME
/* Program: CVTNAME Sample VERSION 8.1.0 */
/*****************************************************************/
/* Abstract: This is a sample CL program that can be used by */
/* SecureZIP for iSeries product as an exit program to change the */
/* names from iSeries to an archive name and visa versus. */
/* There are 4 parameters: */
/* 1. The input name that is supplied by PKZIP or PKUNZIP */
/* to this program to analyze (up 255 bytes). */
/* 2. The Name that this program can change and passes back */
/* to the calling programs to use (up to 255 bytes). */
/* If this is passed back with the 1st position blank, */
/* PKZIP/PKUNZIP will revert back to settings of the */
/* CVTTYPE parameter. */
/* 3. A 5 byte field that represents a control field or */
/* or flags, that controls how CVTNAME should process the */
/* name. */
/* 4. A 255 byte field that is user defined in the command to*/
/* provide more information to assist controlling the */
/* logic in processing the name. For Example it may */
/* time stamp prefix of the file names */
/* */
/* This sample CVTNAME CLP has three flags accepted: */
350

* */
/* 1. If the flag is *400 there are no conversion taking */
/* place and the input name is passed back as new name. */
/* 2. If the flag is O4MS, the program will convert an */
/* iSeries name "library/file(member)" to a MS-DOS */
/* name with '/' such as "library/file/member". */
/* 3. If the flag is MSO4, the program will take a MS-DOS */
/* file name "/dir1/dir2/dir3/name.xxx" and make it an */
/* iSeries name such as "dir2/dir3{namexxx)" where dir2 */
/* will be the library, dir3 will be a file name and */
/* namexxx will be up to a 10 byte character */
/* member name. */
/* 4. If the flag is *MSD, the program will convert an */
/* iSeries file name "library/file(member)" to a MS-DOS */
/* name with suffix .TXT to the file "library/file.TXT". */
/* 5. If the flag is *MSM, the program will convert an */
/* iSeries file name "library/file(member)" to a MS-DOS */
/* name with suffix .TXT to the member name */
/* such as "library/file/member.TXT". */
/* 6. If the flag is *MST, the program will convert an */
/* iSeries file name "library/file(member)" to a MS-DOS */
/* name with suffix .TXT to the member name only */
/* such as "member.TXT". */
/* 7. If the flag is *IFS, the program will format a */
/* file name "library/file(member)" formatted for the */
/* iSeries QSYS.LIB Integrated File System. for example */
/* "/QSYS.LIB/LIBRARY.LIB/FILE.FILE/MEMBER.MBR" */
/* */
/* 8. If the flag is SPLF1, the program will format a */
/* spool file name formated as: */
/* "jobname/useriud/jobnumber/splfname/splfnbr.suffix" */
/* and rebuild a new name with data from the CVTDATA */
/* parameter. */
/* */
/* */
/*NOTE: PKZIP and PKUNZIP performs no validity checking on the */
/* name that is passed back and assumes that the name is valid */
/* and unique. If the name is not valid or unique, open errors */
/* or missing files may occur. */
/* */
/* */
/*****************************************************************/
CVTNAME: PGM PARM(&INNAME &OUTNAME &CVTFLAGS &CVTDATA)
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/* Parameter Program Variables */
/* Input Name that is used examine for change */
INNAME: DCL VAR(&INNAME) TYPE(*CHAR) LEN(256)
/* Changed name that is passed back to SecureZIP for iSeries */
OUTNAME: DCL VAR(&OUTNAME) TYPE(*CHAR) LEN(256)
/* Flags from SecureZIP for iSeries for controlling logic flow */
CVTFLAGS: DCL VAR(&CVTFLAGS) TYPE(*CHAR) LEN(5)
/* data from PKZIP command for controlling logic flow */
CVTDATA: DCL VAR(&CVTDATA) TYPE(*CHAR) LEN(256)
/* */
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/* Program Variables */
/* iSeries QSYS file name represented like "libnm/filenm(mbrnm)" */
LIBNM: DCL VAR(&LIBNM) TYPE(*CHAR) LEN(10) /* Library +
Name */
FILENM: DCL VAR(&FILENM) TYPE(*CHAR) LEN(10) /* File +
name */
MBRNM: DCL VAR(&MBRNM) TYPE(*CHAR) LEN(10) /* Member +
name */
DCL VAR(&IDX) TYPE(*DEC) LEN(3)
DCL VAR(&IDXPRV) TYPE(*DEC) LEN(3)
DCL VAR(&LEN) TYPE(*DEC) LEN(3)
/* DCL VAR(&MSGVAR) TYPE(*CHAR) LEN(300) */
/* DCL VAR(&MUVAR) TYPE(*CHAR) LEN(6) VALUE('..OUT=') */
/* Spool file name represented like */
/* "JOBNAM/USERID/JOBNBR/SPLFNAM/SPLFNBR.SPLSUFIX" */
351

JOBNAM: DCL VAR(&JOBNAM) TYPE(*CHAR) LEN(10) /* Job +
Name */
USERID: DCL VAR(&USERID) TYPE(*CHAR) LEN(10) /* User +
Id */
JOBNBR: DCL VAR(&JOBNBR) TYPE(*CHAR) LEN(7) /* Job +
Number */
SPLFNAM: DCL VAR(&SPLFNAM) TYPE(*CHAR) LEN(10) /* Spool +
File name */
SPLFNBR: DCL VAR(&SPLFNBR) TYPE(*CHAR) LEN(5) /* Spool +
File Number */
SPLSUFIX: DCL VAR(&SPLSUFIX) TYPE(*CHAR) LEN(4) /* +
Suffix */
/* blank out name uncase no hit */
CHGVAR VAR(&OUTNAME) VALUE(' ')
/* */
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/* Flag set to *400 */
IF
COND(&CVTFLAGS *EQ '*400') THEN(DO)
CHGVAR
VAR(&OUTNAME) VALUE(&INNAME)
GOTO CMDLBL(ENDCHG)
ENDDO
/* */
/* * * * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * */
/* Flag set to O4MS */
/* Change iSeries Library/File(Member) to */
/* MSDOS library/File/Member */
O4MS: IF COND((&CVTFLAGS *EQ 'O4MS') *OR (&CVTFLAGS +
*EQ '*MSD') *OR (&CVTFLAGS *EQ '*MSM') +
*OR (&CVTFLAGS *EQ '*MST') +
*OR (&CVTFLAGS *EQ '*IFS')) +
THEN(DO)
CHGVAR VAR(&IDX) VALUE(0)
CHGVAR VAR(&IDXPRV) VALUE(1)
/* Find a Library Note:max length must be 11 */
DOLIB1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)
IF COND(%SST(&INNAME &IDX 1) *NE '/') +
THEN(GOTO CMDLBL(DOLIB1))
CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV)
IF COND(&LEN > 10) +
THEN(CHGVAR VAR(&LEN) VALUE(10))
CHGVAR VAR(&LIBNM) VALUE(%SST(&INNAME &IDXPRV &LEN))
/* Find a File Note:max length must be 11 */
CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1)
DOFILE1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)
IF COND(%SST(&INNAME &IDX 1) *NE '(') +
THEN(GOTO CMDLBL(DOFILE1))
CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV)
IF COND(&LEN > 10) +
THEN(CHGVAR VAR(&LEN) VALUE(10))
CHGVAR VAR(&FILENM) VALUE(%SST(&INNAME &IDXPRV &LEN))
/* Find a Member Note:max length must be 11 */
CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1)
DOMBR1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)
IF COND(%SST(&INNAME &IDX 1) *NE ')') +
THEN(GOTO CMDLBL(DOMBR1))
CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV)
IF COND(&LEN > 10) +
THEN(CHGVAR VAR(&LEN) VALUE(10))
CHGVAR VAR(&MBRNM) VALUE(%SST(&INNAME &IDXPRV &LEN))
CHGVAR VAR(&OUTNAME) VALUE(&INNAME)
/* Save the new name lib/file/mbr */
DOOUT1:
AMSD: IF (&CVTFLAGS *EQ '*MSD') +
DO
CHGVAR VAR(&OUTNAME) VALUE(&LIBNM *TCAT '/' +
*TCAT &FILENM *TCAT '.TXT ')
GOTO CMDLBL(ENDCHG)
ENDDO
352

AMSM: IF (&CVTFLAGS *EQ '*MSM') +
DO
CHGVAR VAR(&OUTNAME) VALUE(&LIBNM *TCAT '/' +
*TCAT &FILENM *TCAT '/' *TCAT &MBRNM +
*TCAT '.TXT ')
GOTO CMDLBL(ENDCHG)
ENDDO
AMST: IF (&CVTFLAGS *EQ '*MST') +
DO
CHGVAR VAR(&OUTNAME) VALUE(&MBRNM +
*TCAT '.TXT ')
GOTO CMDLBL(ENDCHG)
ENDDO
AIFS: IF (&CVTFLAGS *EQ '*IFS') +
DO
CHGVAR VAR(&OUTNAME) VALUE('/QSYS.LIB/' *TCAT +
&LIBNM *TCAT '.LIB/' *TCAT &FILENM *TCAT +
'.FILE/' *TCAT &MBRNM *TCAT '.MBR')
GOTO CMDLBL(ENDCHG)
ENDDO
CHGVAR VAR(&OUTNAME) VALUE(&LIBNM *TCAT '/' +
*TCAT &FILENM *TCAT '/' +
*TCAT &MBRNM *TCAT ' ')
ENDO4MS: GOTO CMDLBL(ENDCHG)
ENDDO /* end of O4MS do flag */
/* */
/* * * * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * */
/* Flag set to MSO4 */
/* Change a MSDOS file /dir1/dir2/../dirn/file.xxx to */
/* dir2/dirn(filexxx) iSeries file */
MSO4: IF COND(&CVTFLAGS *EQ 'MSO4') THEN(DO)
CHGVAR VAR(&IDX) VALUE(0)
CHGVAR VAR(&IDXPRV) VALUE(1)
CHGVAR VAR(&LIBNM) VALUE(' ')
CHGVAR VAR(&FILENM) VALUE(' ')
CHGVAR VAR(&MBRNM) VALUE(' ')
/* first find 1st blank and work backwards */
FINDLST2: CHGVAR VAR(&IDX) VALUE(&IDX + 1)
if
COND(&IDX *GT 250) THEN(GOTO CMDLBL(ENDCHG))
IF COND(%SST(&INNAME &IDX 1) *NE ' ') +
THEN(GOTO CMDLBL(FINDLST2))
/* Find a Member Note:max length must be 11 */
CHGVAR VAR(&IDXPRV) VALUE(&IDX - 1)
DOMBR2: CHGVAR VAR(&IDX) VALUE(&IDX - 1)
IF
COND(&IDX *LT 1) THEN(GOTO CMDLBL(ENDCHG))
IF COND(%SST(&INNAME &IDX 1) *NE '/') +
THEN(GOTO CMDLBL(DOMBR2))
CHGVAR VAR(&LEN) VALUE(&IDXPRV - &IDX)
IF COND(&LEN > 11) +
THEN(CHGVAR VAR(&LEN) VALUE(11))
CHGVAR VAR(&IDXPRV) VALUE(&IDX - 1)
CHGVAR VAR(&MBRNM) VALUE(%SST(&INNAME &IDXPRV &LEN))
/* REMOVE . IF ANY AND FORCE LENGTH TO 10 */
/* Find a File Note:max length must be 10 */
DOFILE2: CHGVAR VAR(&IDX) VALUE(&IDX - 1)
IF
COND(&IDX *LT 1) THEN(GOTO CMDLBL(SETNAME2))
IF COND(%SST(&INNAME &IDX 1) *NE '/') +
THEN(GOTO CMDLBL(DOFILE2))
CHGVAR VAR(&LEN) VALUE(&IDXPRV - &IDX)
IF COND(&LEN > 11) +
THEN(CHGVAR VAR(&LEN) VALUE(11))
CHGVAR VAR(&IDXPRV) VALUE(&IDX - 1)
CHGVAR VAR(&FILENM) VALUE(%SST(&INNAME &IDXPRV &LEN))
/* Find a Library Note:max length must be 10 */
DOLIB2: CHGVAR VAR(&IDX) VALUE(&IDX - 1)
IF
COND(&IDX *LT 1) THEN(GOTO CMDLBL(ENDCHG))
353

IF COND(%SST(&INNAME &IDX 1) *NE '/') +
THEN(GOTO CMDLBL(DOLIB2))
CHGVAR VAR(&LEN) VALUE(&IDXPRV - &IDX)
IF COND(&LEN > 11) +
THEN(CHGVAR VAR(&LEN) VALUE(11))
CHGVAR VAR(&IDXPRV) VALUE(&IDX - 1)
CHGVAR VAR(&LIBNM) VALUE(%SST(&INNAME &IDXPRV &LEN))
/* Save the new name lib/file/mbr */
SETNAME2:
IF COND(&LIBNM *NE ' ') THEN(DO)
CHGVAR VAR(&LIBNM) VALUE(&LIBNM *TCAT '/')
ENDDO
IF COND(&FILENM *NE ' ') THEN(DO)
CHGVAR VAR(&FILENM) VALUE(&FILENM *TCAT '/')
ENDDO
CHGVAR VAR(&OUTNAME) VALUE(&LIBNM *TCAT &FILENM +
*TCAT &MBRNM *TCAT ' ')
ENDMSO4: GOTO CMDLBL(ENDCHG)
ENDDO /* end of O4MS do flag */
/* */
/* * * * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * */
/* Flag set to SPLF1 Sample */
/* Change "jobname/useriud/jobnumber/splfname/splfnbr.suffix" */
/* and build new name with 10 bytes of the CVTDATA field */
/* with a '.' separator followed by splfnbr.suffix */
/* for CVTDATA.splfnbr.suffix */
/* all fields from the Spool File passed file name are built */
/* care should be taken not to build duplicate file names in */
/* Archive */
/* * * * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * */
SPLF1: IF COND((&CVTFLAGS *EQ 'SPLF1')) +
THEN(DO)
CHGVAR VAR(&IDX) VALUE(0)
CHGVAR VAR(&IDXPRV) VALUE(1)
/* Find a Jobname Note:max length must be 10 */
JOBNAM1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)
IF COND(%SST(&INNAME &IDX 1) *NE '/') THEN(GOTO +
CMDLBL(JOBNAM1))
CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV)
IF COND(&LEN > 10) +
THEN(CHGVAR VAR(&LEN) VALUE(10))
CHGVAR VAR(&JOBNAM) VALUE(%SST(&INNAME &IDXPRV &LEN))
/* Find a User ID Note:max length must be 10 */
CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1)
USERID1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)
IF COND(%SST(&INNAME &IDX 1) *NE '/') +
THEN(GOTO CMDLBL(USERID1))
CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV)
IF COND(&LEN > 10) +
THEN(CHGVAR VAR(&LEN) VALUE(10))
CHGVAR VAR(&USERID) VALUE(%SST(&INNAME &IDXPRV &LEN))
/* Find a Job Number Note:max length must be 6 */
CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1)
JOBNBR1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)
IF COND(%SST(&INNAME &IDX 1) *NE '/') +
THEN(GOTO CMDLBL(JOBNBR1))
CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV)
IF COND(&LEN > 7) +
THEN(CHGVAR VAR(&LEN) VALUE(7))
CHGVAR VAR(&JOBNBR) VALUE(%SST(&INNAME &IDXPRV &LEN))
/* Find a SPLF Name Note:max length must be 10 */
CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1)
SPLFNAM1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)
IF COND(%SST(&INNAME &IDX 1) *NE '/') +
354

THEN(GOTO CMDLBL(SPLFNAM1))
CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV)
IF COND(&LEN > 10) +
THEN(CHGVAR VAR(&LEN) VALUE(10))
CHGVAR VAR(&SPLFNAM) VALUE(%SST(&INNAME &IDXPRV &LEN))
/* Find a SPLF nbr Note:max length must be 5 */
CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1)
SPLFNBR1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)
IF COND(%SST(&INNAME &IDX 1) *NE '.') +
THEN(GOTO CMDLBL(SPLFNBR1))
CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV)
IF COND(&LEN > 5) +
THEN(CHGVAR VAR(&LEN) VALUE(5))
CHGVAR VAR(&SPLFNBR) VALUE(%SST(&INNAME &IDXPRV &LEN))
/* Find a Suffix Note:max length must be 4 */
CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1)
SPLSUFIX1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)
IF COND(%SST(&INNAME &IDX 1) *NE ' ') +
THEN(GOTO CMDLBL(SPLSUFIX1))
CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV)
IF COND(&LEN > 4) +
THEN(CHGVAR VAR(&LEN) VALUE(4))
CHGVAR VAR(&SPLSUFIX) VALUE(%SST(&INNAME &IDXPRV &LEN))
/* Set CVTDATA Note:max length must be 4 */
CHGVAR VAR(&IDX) VALUE(0)
CVTDATA1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)
IF COND(%SST(&CVTDATA &IDX 1) *NE ' ') +
THEN(GOTO CMDLBL(CVTDATA1))
CHGVAR VAR(&LEN) VALUE(&IDX)
IF COND(&LEN > 10) +
THEN(CHGVAR VAR(&LEN) VALUE(10))
CHGVAR VAR(&LIBNM) VALUE(%SST(&CVTDATA 1 &LEN))
IF COND(&LEN > 1) +
THEN(CHGVAR VAR(%SST(&CVTDATA &LEN 1)) +
VALUE('.'))
/* Save the new name lib/file/mbr */
CHGVAR VAR(&OUTNAME) VALUE(&LIBNM *TCAT &SPLFNBR +
*TCAT '.' *TCAT &SPLSUFIX *TCAT ' ')
ENDSPLF1: GOTO CMDLBL(ENDCHG)
ENDDO /* end of SPLF1 do flag */
/* */
ENDERR: CHGVAR VAR(&OUTNAME) VALUE(' ')
/* */
/* * * * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * */
/* End of CVTNAME for return */
ENDCHG:
/* CHGVAR VAR(&MSGVAR) VALUE(&INNAME *BCAT &MUVAR + */
/* *BCAT &OUTNAME) */
/* SNDPGMMSG MSGID(AQZ0000) MSGF(*LIBL/PKZIPMSG) */
/* MSGDTA(&MSGVAR) TOPGMQ(*PRV) */
/* DMPCLPGM CL dump of variable to help debug */
ENDEXIT:
ENDPGM
355

E
List Files
The list file capabilities provided in the PKZIP and PKUNZIP commands can be a
powerful tool for maintaining detailed selection criteria and to exclude files. PKZIP
and PKUNZIP commands also allow creating a list of files that are located in a
particular archive.
Creating List Files
Both PKZIP and PKUNZIP can create a text format file of file names that meet criteria
entered within the FILES and EXCLUDE parameters. In PKZIP, the output files
contain the names of all files in the OS/400 format, depending on if the files are from
the QSYS file system or IFS. The PKUNZIP program will produce a list of names in
the format of the archive. To create an output list file, place the output file name in
the parameter CRTLIST(). The default value is CRTLIST(*NONE).
Depending on the value of the TYPLISTFL parameter, the output file can be put in
either the QSYS file system or IFS.
TYPLISTFL(*DB): When the file system is QSYS, the output file will create
a physical file (PF-DTA) with a record length of 132. For the file format in
CRTLIST, you can use any of the following formats: library/file,
library/file(member), file, or file(member). When a member is not entered,
the member name will be the same as the file name. You should use the
utility that your organization uses to edit data files.
TYPLISTFL(*IFS): When using the IFS, the output file will create a stream
file (*STMF object type). Most organization uses EDTF. For the file format in
CRTLIST, you can use any of the following formats: file, file.suffix, dir1/file,
dir1/dir2/../dirn/file, /dir1., etc. When the path does not start with ‘/’, then
the path starts in your current directory (relative path).
When creating a file manually, follow the creation attributes described above.
Using List Files as Input
Both PKZIP and PKUNZIP programs can use list file parameters for both selections of
files (INCLFILE(‘file name’)) and/or the excluding of file (EXCLFILE(‘file name’). They
can also use an inlist file for the encryption recipient ENTPREC. The file name of
356

parameters depends on the setting of TYPLISTFL (*DB or *IFS) and should follow the
guidelines in “Creating List Files,” above.
When using PKZIP, the format of files in the list file should be in the format of the
iSeries files that will be processed. See the parameters FILES and EXCLUDE for
specifications.
When using PKUNZIP, the format of the files in the list file should be in the format of
the archive. See the parameters FILES and EXCLUDE for specifications.
PKUNZIP also has an option to create a list file in expanded mode, which will create
the date and time along with the file names. This is accomplished by having a ‘>’
character being the in the first position of the CRTLIST parameter. See the two
examples below.
Create normal list file: PKUNZIP ARCHIVE('atest/V800/listf')
CRTLIST('atest/listfile(demo)')
Edit File: ATEST/LISTFILE(DEMO)
Record : 1 of 4 by 8 Column : 1 132 by 74
CMD ....+....1....+....2....+....3....+....4....+....5....+....6....+....7....+
************Beginning of data**************
TESTLIB/MYFILE/MYMBR
TESTLIB/MYFILEGE.R/MYMBR
TESTLIB/MYFILETE.XT/MYMBR
TESTLIB/MYFILE27.3/MYMBR
************End of Data********************
Create an expanded list file: PKUNZIP ARCHIVE('atest/V800/listf')
CRTLIST('>atest/listfile(demo)')
Edit File: ATEST/LISTFILE(DEMO)
Record : 1 of 4 by 8 Column : 1 132 by 74
CMD ....+....1....+....2....+....3....+....4....+....5....+....6....+....7....+
************Beginning of data**************
DT(05-20-03 16:16) TESTLIB/MYFILE/MYMBR
DT(02-14-03 16:44) TESTLIB/MYFILEGE.R/MYMBR
DT(02-14-03 16:44) TESTLIB/MYFILETE.XT/MYMBR
DT(02-14-03 16:44) TESTLIB/MYFILE27.3/MYMBR
************End of Data********************
357

F
Translation Tables
Text files (such as program source code) are usually held within an archive using the
ASCII character set for compatibility with other versions of PKZIP. For these to be
usable on OS/400, they must be converted to the IBM EBCDIC character set.
SecureZIP for iSeries uses one of two possible internal translation tables, which
should be suitable for most customers. These translation table members are used by
parameters FTRAN and TRAN in both the PKZIP and PKUNZIP programs. Included (as
part of the distribution) are a series of override translation tables. Some users may
wish to define their own table.
The override translation tables included are stored as source members in file
PKZTABLES SecureZIP for iSeries resources tables. By referencing the members in
parameters TRAN and FTRAN, SecureZIP for iSeries will access the selected
member in the PKZTABLES file and parse them to an internal hexadecimal table for
use in translation.
The following translation tables are included:
Table
Name
Translation
from
Translation
to
Explanation
ASCIIISO EBCDIC ASCII - iso Translate Table
LATIN1 EBCDIC ASCII Latin Translate Table
NOOP NO-OP Translation Table Straight Hex
UKASCII EBCDIC UK ASCII Translate Table
UKASCIIE EBCDIC UK ASCII Translate Table-Euro
USASCII EBCDIC USA ASCII Translate Table
(Internal Default)
USASCIIE EBCDIC USA ASCII Translate Table-Euro
Standard Code Page Support with Tables
Three data translation tables are available to assist with one or more of the latest
standard EBCDIC text translation to ASCII. These tables were built to relate directly
to IBM code pages numbers.
358

Code page tables available are:
Table
Name
ASCII
Code Page
EBCDIC
Code Page
Explanation
PKZ819037 819 037 ASCII-819 EBCDIC-037
Translation
PKZ819273 819 273 ASCII-819 EBCDIC-273
Translation German
PKZ819277 819 277 ASCII-819 EBCDIC-277
Translation Den/Nor
PKZ819278 819 278 ASCII-819 EBCDIC-278
Translation Fin/Swe
PKZ819280 819 280 ASCII-819 EBCDIC-0280
Translation Italy
PKZ819284 819 284 ASCII-819 EBCDIC-284
Translation Spanish
PKZ819297 819 297 ASCII-819 EBCDIC-297
Translation French
PKZ819500 819 500 ASCII-819 EBCDIC-500
Translation ISO8859-1
PKZ819871 819 871 ASCII-819 EBCDIC-871
Translation Icelandic
PKZ850037 850 037 ASCII-850 EBCDIC-037
Translation
PKZ850284 850 284 ASCII-850 EBCDIC-284
Translation Spanish
International Code Page Support
Some data-interchange environments require specialized multi-language character
translation support. SecureZIP for iSeries provides tables for character based data
translation through translation tables that are also included in the PKZTABLES.
The tables for the following international code pages are provided in the SecureZIP
for iSeries PKZTABLES as members TRTxxyy (where xx = “from” and yy = “to”).
Language EBCDIC ASCII EURO/ASCII FROM TO EURO
German 273 850* 858 EB AA AI
Spanish 284 850 858 EJ AA AI
Portuguese 282 850 858 EI AA AI
Italian 280 850 858 EG AA AI
Danish 277 850 858 EE AA AI
Norwegian 277 850 858 EE AA AI
Swedish 278 850 858 EF AA AI
Finnish 278 850 858 EF AA AI
359

French 297 850 858 EM AA AI
* IBM-850 = IBM-4946
These members are provided "as is.” It is the responsibility of the user to ensure
that data translation mapping is in accordance with their business needs.
Translation Table Layout
There are two translation tables in PKZTABLES. The first table is a translation from
ASCII to EBCDIC. The second is EBCDIC to ASCII.
In each table there are 256 entries representing hex values from x’00’ thru x’FF’.
Each entry is represented as a 4-character field such as 0x00 and 0xFF.
On each line there must be 8 entries with each entry separated by a space. With 8
entries per line, there must be 32 lines of table entries for each table set,
representing the 256 translation values.
The tables have embedded comments to help in their documentation.
In the table example below, to translate an ASCII character A (hexadecimal x’41’ or
decimal value of ‘65’), go to entry 65 in the table (Line 8, entry 2) and find a
hexadecimal x’C1’ which is the EBCDIC A.
See “Example of PKZTABLES (USASCII) Translation Table.”
Note: Do not alter any other members found in the PKZTABLES file or SecureZIP
for iSeries may not function correctly.
Creating New Translation Table Members
Take the following steps to define your own translation table:
1. Copy one of the distributed members in PKZTABLES to a member name of
your choice.
2. Edit the new table using the OS/400 Source Entry Utility (SEU).
3. Change the values with respect to the layout describe above, making sure not
to alter the overall table layout. If the overall layout is altered, SecureZIP
for iSeries may not work correctly.
4. Save the member and test your changes.
Example of PKZTABLES (USASCII) Translation Table
/* PKZIP/400 Translate Table USASCII to EBCDIC */
/*00-07*/ 0x00 0x01 0x02 0x03 0x37 0x2D 0x2E 0x2F /*00-07*/
/*08-0f*/ 0x16 0x05 0x25 0x0B 0x0C 0x0D 0x0E 0x9F /*08-0f*/
/*10-17*/ 0x10 0x11 0x12 0x13 0xB6 0xB5 0x32 0x26 /*10-17*/
/*18-1f*/ 0x18 0x19 0x3F 0x27 0x1C 0x1D 0x1E 0x1F /*18-1f*/
/*20-27*/ 0x40 0x5A 0x7F 0x7B 0x5B 0x6C 0x50 0x7D /*20-27*/
/*28-2f*/ 0x4D 0x5D 0x5C 0x4E 0x6B 0x60 0x4B 0x61 /*28-2f*/
/*30-37*/ 0xF0 0xF1 0xF2 0xF3 0xF4 0xF5 0xF6 0xF7 /*30-37*/
/*38-3f*/ 0xF8 0xF9 0x7A 0x5E 0x4C 0x7E 0x6E 0x6F /*38-3f*/
/*40-47*/ 0x7C 0xC1 0xC2 0xC3 0xC4 0xC5 0xC6 0xC7 /*40-47*/
/*48-4f*/ 0xC8 0xC9 0xD1 0xD2 0xD3 0xD4 0xD5 0xD6 /*48-4f*/
/*50-57*/ 0xD7 0xD8 0xD9 0xE2 0xE3 0xE4 0xE5 0xE6 /*50-57*/
360

*58-5f*/ 0xE7 0xE8 0xE9 0xBA 0xE0 0xBB 0xB0 0x6D /*58-5f*/
/*60-67*/ 0x79 0x81 0x82 0x83 0x84 0x85 0x86 0x87 /*60-67*/
/*68-6f*/ 0x88 0x89 0x91 0x92 0x93 0x94 0x95 0x96 /*68-6f*/
/*70-77*/ 0x97 0x98 0x99 0xA2 0xA3 0xA4 0xA5 0xA6 /*70-77*/
/*78-7f*/ 0xA7 0xA8 0xA9 0xC0 0x6A 0xD0 0xA1 0x07 /*78-7f*/
/*80-87*/ 0x68 0xDC 0x51 0x42 0x43 0x44 0x47 0x48 /*80-87*/
/*88-8f*/ 0x52 0x53 0x54 0x57 0x56 0x58 0x63 0x67 /*88-8f*/
/*90-97*/ 0x71 0x9C 0x9E 0xCB 0xCC 0xCD 0xDB 0xDD /*90-97*/
/*98-9f*/ 0xDF 0xEC 0xFC 0x4A 0xB1 0xB2 0x3E 0xB4 /*98-9f*/
/*a0-a7*/ 0x45 0x55 0xCE 0xDE 0x49 0x69 0x9A 0x9B /*a0-a7*/
/*a8-af*/ 0xAB 0x0F 0x5F 0xB8 0xB7 0xAA 0x8A 0x8B /*a8-af*/
/*b0-b7*/ 0x3C 0x3D 0x62 0x4F 0x64 0x65 0x66 0x20 /*b0-b7*/
/*b8-bf*/ 0x21 0x22 0x70 0x23 0x72 0x73 0x74 0xBE /*b8-bf*/
/*c0-c7*/ 0x76 0x77 0x78 0x80 0x24 0x15 0x8C 0x8D /*c0-c7*/
/*c8-cf*/ 0x8E 0x41 0x06 0x17 0x28 0x29 0x9D 0x2A /*c8-cf*/
/*d0-d7*/ 0x2B 0x2C 0x09 0x0A 0xAC 0xAD 0xAE 0xAF /*d0-d7*/
/*d8-df*/ 0x1B 0x30 0x31 0xFA 0x1A 0x33 0x34 0x35 /*d8-df*/
/*e0-e7*/ 0x36 0x59 0x08 0x38 0xBC 0x39 0xA0 0xBF /*e0-e7*/
/*e8-ef*/ 0xCA 0x3A 0xFE 0x3B 0x04 0xCF 0xDA 0x14 /*e8-ef*/
/*f0-f7*/ 0xE1 0x8F 0x46 0x75 0xFD 0xEB 0xEE 0xED /*f0-f7*/
/*f8-ff*/ 0x90 0xEF 0xB3 0xFB 0xB9 0xEA 0xBD 0xFF /*f8-ff*/
/* PKZIP/400 Translate Table EBCDIC to USASCII */
/*00-07*/ 0x00 0x01 0x02 0x03 0xEC 0x09 0xCA 0x7F /*00-07*/
/*08-0f*/ 0xE2 0xD2 0xD3 0x0B 0x0C 0x0D 0x0E 0xA9 /*08-0f*/
/*10-17*/ 0x10 0x11 0x12 0x13 0xEF 0xC5 0x08 0xCB /*10-17*/
/*18-1f*/ 0x18 0x19 0xDC 0xD8 0x1C 0x1D 0x1E 0x1F /*18-1f*/
/*20-27*/ 0xB7 0xB8 0xB9 0xBB 0xC4 0x0A 0x17 0x1B /*20-27*/
/*28-2f*/ 0xCC 0xCD 0xCF 0xD0 0xD1 0x05 0x06 0x07 /*28-2f*/
/*30-37*/ 0xD9 0xDA 0x16 0xDD 0xDE 0xDF 0xE0 0x04 /*30-37*/
/*38-3f*/ 0xE3 0xE5 0xE9 0xEB 0xB0 0xB1 0x9E 0x1A /*38-3f*/
/*40-47*/ 0x20 0xC9 0x83 0x84 0x85 0xA0 0xF2 0x86 /*40-47*/
/*48-4f*/ 0x87 0xA4 0x9B 0x2E 0x3C 0x28 0x2B 0xB3 /*48-4f*/
/*50-57*/ 0x26 0x82 0x88 0x89 0x8A 0xA1 0x8C 0x8B /*50-57*/
/*58-5f*/ 0x8D 0xE1 0x21 0x24 0x2A 0x29 0x3B 0xAA /*58-5f*/
/*60-67*/ 0x2D 0x2F 0xB2 0x8E 0xB4 0xB5 0xB6 0x8F /*60-67*/
/*68-6f*/ 0x80 0xA5 0x7C 0x2C 0x25 0x5F 0x3E 0x3F /*68-6f*/
/*70-77*/ 0xBA 0x90 0xBC 0xBD 0xBE 0xF3 0xC0 0xC1 /*70-77*/
/*78-7f*/ 0xC2 0x60 0x3A 0x23 0x40 0x27 0x3D 0x22 /*78-7f*/
/*80-87*/ 0xC3 0x61 0x62 0x63 0x64 0x65 0x66 0x67 /*80-87*/
/*88-8f*/ 0x68 0x69 0xAE 0xAF 0xC6 0xC7 0xC8 0xF1 /*88-8f*/
/*90-97*/ 0xF8 0x6A 0x6B 0x6C 0x6D 0x6E 0x6F 0x70 /*90-97*/
/*98-9f*/ 0x71 0x72 0xA6 0xA7 0x91 0xCE 0x92 0x0F /*98-9f*/
/*a0-a7*/ 0xE6 0x7E 0x73 0x74 0x75 0x76 0x77 0x78 /*a0-a7*/
/*a8-af*/ 0x79 0x7A 0xAD 0xA8 0xD4 0xD5 0xD6 0xD7 /*a8-af*/
/*b0-b7*/ 0x5E 0x9C 0x9D 0xFA 0x9F 0x15 0x14 0xAC /*b0-b7*/
/*b8-bf*/ 0xAB 0xFC 0x5B 0x5D 0xE4 0xFE 0xBF 0xE7 /*b8-bf*/
/*c0-c7*/ 0x7B 0x41 0x42 0x43 0x44 0x45 0x46 0x47 /*c0-c7*/
/*c8-cf*/ 0x48 0x49 0xE8 0x93 0x94 0x95 0xA2 0xED /*c8-cf*/
/*d0-d7*/ 0x7D 0x4A 0x4B 0x4C 0x4D 0x4E 0x4F 0x50 /*d0-d7*/
/*d8-df*/ 0x51 0x52 0xEE 0x96 0x81 0x97 0xA3 0x98 /*d8-df*/
/*e0-e7*/ 0x5C 0xF0 0x53 0x54 0x55 0x56 0x57 0x58 /*e0-e7*/
/*e8-ef*/ 0x59 0x5A 0xFD 0xF5 0x99 0xF7 0xF6 0xF9 /*e8-ef*/
/*f0-f7*/ 0x30 0x31 0x32 0x33 0x34 0x35 0x36 0x37 /*f0-f7*/
/*f8-ff*/ 0x38 0x39 0xDB 0xFB 0x9A 0xF4 0xEA 0xFF /*f8-ff*/
/* PKZIP/400 Translate Tables end */
361

G Implementation Considerations
SecureZIP for iSeries components have been structured and written for the iSeries
platforms and iSeries servers. The code base includes support for the OS/400
operating system.
As with any product placed into production, familiarity with (and verification of)
features is always highly recommended. Below is a list of key features that users of
PKZIP should thoroughly understand.
Key Features
• The commands PKZIP and PKUNZIP contain all parameters and options
required to use SecureZIP for iSeries. The parameters and options are in a
format that provide a migration path toward the open systems environment.
All parameters in the two commands are supported with the OS/400 help
panels. The parameters and options should be reviewed to understand the
features supported.
• With the IFS, long file names are supported for files, archive files, and list
files.
• List files for inputting file selections and outputting selections is supported for
both the QSYS library file system and the IFS.
• Archive files are supported in both the QSYS library file system and the IFS.
By using the archive files within the IFS, performance is enhanced. CPU
operation is more efficient and archive files are smaller. As a result, elapsed
run time is reduced.
• Provides a quick and easy method for installing on the iSeries without running
under the QSECOFR user or security authority.
• Using the parameter MSGTYPE, messages can be directed to a printer file, the
message queue, or both.
• When archive files are created in the QSYS library file system, the record
length can be defined to fit the customer environment.
• When a file is extracted to the QSYS library file system, and neither the file
nor the extended attribute for the record length exists, the default file’s
created record length can be defined externally.
362

• When compressing a file in text mode, you can define the record as a fixedlength
record with trailing blanks that are based on the file’s record length
description in the QSYS library file system.
• When selecting files for compression in the IFS, you can specify whether to
search recursively through the directories for file selection, or to only search
the currently specified directory.
• When extracting files with the PKUNZIP command, you can drop the path of
files in the archive and use only the file name. This allows you to build the
extracted file in new directories, libraries, and/or files. This applies to IFS and
QSYS library file systems.
• When using files with the product, the attributes are stored in the archive to
indicate how the file was stored (binary, text, text in EBCDIC, SAVF, or
Database Services) and can be used when extracting files with
FILETYPE(*DETECT).
• The PKUNZIP command allows for defining default paths and libraries for both
IFS and QSYS library file systems.
• File selection has been written to provide additional file filtering controls.
Individual file selection can be made using the FILE parameter and/or the
“List File” (INCLFILE) which allows a list of files to be selected.
• File exclusion has been written to provide additional file filtering controls.
Individual file exclusion can be made using the EXCLUDE parameter and/or
the “List File” (EXCLFILE), which allows a list of files to be excluded.
• SecureZIP for iSeries is a licensed product, and without proper licensing, it
can only be used to view archives. Licensing allows flexibility with the product
features and hardware platforms. The license dataset must be defined and
customized prior to use of the product.
• Extended attributes are stored within the archive directory.
• Note: These attributes are not published as part of a program control
interface and may change between releases. Using the parameter
TYPE(*VIEW) with VIEWOPT(*ALL) will report extended file information in the
same report format order, regardless of the order that extended attributes
are stored in the archive.
• SecureZIP for iSeries library can be renamed from the standard distribution
name of PKW81051S to fit the operational environment.
• PKZIP and PKUNZIP commands can be executed without the product’s library
being part of the library list.
363

H
SPOOL Files Considerations
This appendix contains information on how SecureZIP for iSeries handles spool
files in different scenarios that might be helpful to consider in planning for
compressing spool files.
Spool File Selections
Care should be taken when selecting spool files not to set all of the spool file
selection parameters to *ALL, as this will select all spool files on your iSeries. This is
why the default for the user ID is SFUSER(*CURRENT) to at least limit it to the
current user in case a selection is not filled in correctly.
If a spool file is deleted after the selection but before the actual compression takes
place, the PKZIP job will fail.
SPLF Attributes
When a spool file is selected and the parameter EXTRAFL is coded *YES (the
default), then the extended attributes listed below are stored in archive and can be
viewed with PKUNZIP TYPE(*VIEW) VIEWOPT(*ALL). Also when the spool files are
stored in the archive, the date and time for the file is the spool files creation date
and time and can be viewed with PKUNZIP.
Extended Attributes:
• Description: The spool file description is built as follows:
"Job-Name/User-Name/#Job-Number/Spool-File-Name/Fspool-File-
Number.Suffix" For Example: "MYJOB/BILLS#152681/INVOICE/F0021.SPLF"
• Spool file type: *SCS: SNA Character Stream, *IPDS: An intelligent printer
data stream, *AFPDS: Advanced Function Print Data Stream, *USERASCII:
An ASCII data stream user defined, *LINE: Line data that is very printer
specific, and *AFPDSLINE: Mixed data (line data and AFPDS data).
• Target file created: Describes the target type file created during
compression. SPLF: Spool Files, TXT: ASCII Text Conversion, and PDF:
Portable Document Format.
• Number of pages contained in the spool file.
364

An example of the attributes view seen with –VIEWOPT(*ALL) for a spool file
converted to a PDF might appear as follows:
Filename: CRTCM60.PDF
Detected File type: Binary
Created by: SecureZIP for iSeries 8.1 PKZIP 2.x compatible
Minimum to Extract: PKZIP 2.0 Or Greater
Compression method: Deflated [Fast]
Date and Time 2003 Oct 17 07:22:00
Compressed size: 2316 bytes
Uncompressed size: 8146 bytes
32-bit CRC value (hex): 40950039
Extended attributes: yes, [Length = 112]
Spool File Type:*SCS, Target File:PDF, Nbr Of pages(3).
SPLF Desc:EVWSS/EVWSS/#007892/CRTCM/F0060.PDF.
File Comment:"none"
The preceding view comes from the following spool file:
5722SS1 V5R1M0 Work With Output Queue QPRINT2 in QGPL 11/19/02 14:08:53 Page 1
File User User Data Status Pages Cpy Form Tp Pty File Number Job Number Date
Time
CRTCM EVWSS RDY 3 1 *STD 5 60 EVWSS 007892 10/17/02
07:22:00
PDF Creation Attributes
When creating a PDF, the attributes are also stored in the PDF document to help
trace back what spool file they originated from.
• The date and time of the spool file creation will be the PDF date and time of
creation.
• The author will be the user ID that created the spool file.
• The subject will be made up of the spool file name, number, and the job
(number/user ID/job name).
365

An example of a PDF summary is:
366

I
History of Changes
RELEASE 5.6 September 2003
• Support for ZIP64 archive formats to support large file system feature.
• Control over extra data to reduce total archive size. (New options in PKZIP
parameter EXTRAFLD.)
• Warning when updating digitally signed archives.
• Ability to ignore case sensitivity when selecting files in the IFS. (New Option
*IFS2 with parameter TYPFL2ZP).
• Ability to use CVTNAME when selecting spool files to change name in archive.
• New warning message AQZ0024 to monitoring when no files are selected.
• Ability to create and maintain self extracting archives. (New PKZIP parameter
SELFXTRACT.)
• Ability to insert a path to the file names in archive. (New PKZIP parameter
ISRTPATH.)
• New translating tables for code pages included in file PKZTABLES.
• Ability to handle extremely large spool file conversions to PDF or TEXT.
• Ability to convert a spool file to an ASCII Text document with ANSI control
characters. The first character of every record contains an American National
Standards Institute (ANSI) forms control character. (New option *TEXTFC in
parameter SFTARGET.)
• More information with detail view of spool file in an archive.
• The ARCHIVE and FILE paths and file names has been expanded to 256
characters.
• The ARCHIVE will now accept imbedded spaces in the path and file name for
archives in the IFS..
• A new PKZIP global setting to disallow wildcard selection is provided
• PKZIP will now post a standard description to archive document file
descriptions for archives created in the /QDLS.
367

RELEASE 5.5 January 2003
• New parameter ADVCRYPT to specify encryption level.
• New parameter VPASSWORD which is required for advanced encryption and is
used to verify with PASSWORD to ensure accuracy.
• Password now accepts up to 200 characters.
• Spool files can be archived or converted to a TEXT or PDF format.
• PKUNZIP now supports using a member *FIRST or *LAST for a member when
using the QSYS file system.
• PKZIP now recognizes the older physical files with attributes of PF38
(System/38) physical files.
• Parameter CVTDATA is added to PKZIP and PKUNZIP commands and
CVTNAME program changed to accept 4 variables (old file name, new file
name, CVTFLAG, and CVTDATA).
• PKZIP and PKUNZIP will issues *STATUS message for completion messages
so they can be monitored. The following message can now be monitored:
AQZ0012 - PKZIP ending with nothing to do for .
AQZ0020 - PKZIP completed successfully.
AQZ0022 - PKZIP completed with errors.
AQZ0037 - PKUNZIP completed successfully.
AQZ0038 - PKUNZIP completed with errors.
• Fix security authorization when creating a new directory or folder in the IFS
so that authority is inherited from directory above.
• When only the file name is used in FILES parameter for selection, PKZIP was
defaulting to *CURLIB. This has been revised per documentation to use *LIBL
as the default.
• When creating a file in the integrated file system, the file will be created with
attributes of directory that is created in plus owner of the PKUNZIP run.
• PKZIP revised to include files with attribute DDMF and file type DDM while
searching for files in the selection parameters.
• Added translation code tables 850 ASCII and 037 EBCDIC to PKZIPTABLES file
(PKZ850037).
• PKZCHGOWN CLP program "source" is provided in the source file QCLSRC file
to assist customer who may want to change the owner of the object
distributed.
• When creating files, PKUNZIP uses SIZE(*NOMAX) with CRTPF to avoid
constant message replies.
• Added the informational program WHATOSV to distribution. WHATOSV shows
OS Version, serial number, and process group required for licensing. To use
CALL WHATOSV.
• EXDIR was expanded from 30 character to 224 characters to allow for more
flexibility with the IFS.
368

• When getting the message AQZ0148 "Archive file empty", PKZIP will also
issue the message AQZ0022 "PKZIP Completed with Errors" at the end of the
run. The AQZ0022 is a message that can be monitored. The message
AQZ0022 is now being issued as a diagnostic type message instead of a
completion message.
• PKUNZIP revised to not use IFS Stat when checking the archives in the QSYS
file system. This was preventing authority adoption for PKUNZIP archive files.
PKUNZIP is now performing object and file checking.
• PKZIP revised random number for creation of the temporary archive name
was improved to avoid duplication. The random routines now use the job
number for initial seed.
• When extracting with PKUNZIP TYPE(*NEWER) and the files do not exist,
extract the files as if they are the same as newer when files do exist.
• Improved performance extracting to a file that has a large number of
members. Improved performance selecting files for compression when files
have a large number of members.
• Expanded the field sizes of the ARCHIVE and FILES parameters to 140
characters in PKZIP and PKUNZIP commands to allow more folders in the path
of IFS files.
• Added keyword ?MBR to parameter EXDIR in command PKUNZIP. If EXDIR is
coded with keyword ?MBR and the file system is the QSYS library system
PKUNZIP will use the member name for the file name. For example:
EXDIR('newlib/?MBR') and DROPPATH(*ALL) parameters are coded and the
file name in archive is "mylib/myfile/mymbr", the file will be extract to the file
"newlib/mymbr(mymbr)". This is valid only for TYPFL2ZP(*DB) files.
• Support of spool files along with text document conversion.
• New parameter DELIM was added to PKZIP to provide the ability to define the
end-of-record characters at the end of a text record (such as CRLF, etc.).
• New install process from CD using LODRUN command.
RELEASE 5.5.1 – March 2003
• Resolved under rare conditions when extracting a text file from an archive
created in a UNIX environment, there may be 1- 2 invalid extra last text
records..
• Added new error check for spool files: AQZ0301 Parameter SFTARGET(*SPLF)
requires EXTRAFLD(*YES). Correct and rerun. AQZ0302 FILETYPE parameter
must be (*DETECT) when compressing spool files.
• Improved page fitting during spool file conversion when using *PDFLETTER
and PDFLEGAL as the option in the parameter SFTARGET.
369

RELEASE 5.5.2 – May 2003
• Under certain conditions when converting a spool file to a text or PDF file,
there are extraneous characters in some lines due to buffers not being
cleared properly.
• Added message AQZ0304 to indicate the job in parameter SFJOBNAM cannot
be found or is invalid when selecting a spool file.
• Added ability to have a GZIP archive file greater than 2 GB.
370

J
Creating Commands with new
defaults
There are times when some clients would like to change the defaults of the
commands for their environment. This is why the source for the commands PKZIP,
PKZSPOOL, and PKUNZIP are included in the distribution library in the QCMDSRC file.
It is important that the sequences, values, and properties of the parameters do not
change. To protect you ability to recover, it is suggested that you rename the
previous command and command source and copy them before make any changes.
If you want to restrict where the commands can be performed then change the
parameter ALLOW(*ALL) to the value you require. See IBM CL manuals or prompt
CRTCM.
Below are sample statements to create the commands. In this example, the PKZIP
library is PKW81051S.
Create PKZIP Command:
CRTCMD CMD(PKW81051S/PKZIP) PGM(PKW81051S/PKZIP)
SRCFILE(PKW81051S/QCMDSRC)
HLPPNLGRP(PKW81051S/ ZIPHLP) HLPID(*CMD)
Create PKZSPOOL Command
CRTCMD CMD(PKW81051S/PKZSPOOL) PGM(PKW81051S/PKZIP)
SRCFILE(PKW81051S/QCMDSRC)
HLPPNLGRP(PKW81051S/ ZIPHLP) HLPID(*CMD)
Create PKUNZIP Command:
CRTCMD CMD(PKW81051S/PKUNZIP) PGM(PKW81051S/PKUNZIP)
SRCFILE(PKW81051S/QCMDSRC)
HLPPNLGRP(PKW81051S/ UZIPHLP) HLPID(*CMD)
Appendix K 371

K
Extended Attributes
This chapter reviews the extended attributes that SecureZIP for iSeries builds
when using the parameters EXTRAFLD(*YES) or DBSERVICE(*YES). These extended
attributes can be viewed for a file by using PKUNZIP with parameters TYPE(*VIEW)
and VIEWOPT(*DETAIL) for the archive.
Within the ZIP archive are two directories that provide information about the files
that are held within it. A local directory (included at the beginning of each file)
contains information such as the file size and the date the file was zipped. The
central directory (located at the end of the ZIP archive) lists the complete contents
of the ZIP archive and is the primary source of information for UNZIP processing. In
each directory there can exist extended data or attributes for the compressed files.
When EXTRAFLD(*YES) is specified, a set of basic attributes are created for each file
in the archive. The type of attribute created depends on the type of file system
(QSYS library file system or IFS) in which the file being compressed exists. The
standard attributes for both systems are described below.
If the parameter DBSERVICE(*YES) is specified for the PKZIP command, and if the
file being compressed is a physical file (PF-DTA or PF_SRC), then the basic extended
attributes are created followed by the detailed database attributes. With the detailed
database attributes, PKUNZIP can build and compile the DDS source file to recreate
the database file (see DATABASE attributes). The database file will be compressed in
the binary mode.
Standard QSYS Library File System Attributes
When the files being compressed are from the QSYS library file system, the standard
attributes created are described in the following tables.
For additional information, see the DSPFD command in the IBM manuals.
Physical Files (both Source and Data)
Attribute
Description
1 Maximum Record Length Specifies the length (in bytes) of the records
stored in the physical file.
2 Library Text The text description of the library that the file
does exist.
372

SAVF
3 File Text The text description of the File.
4 Member Text The text description of the member.
5 File Type Specifies whether each member of the
physical file being created contains data
records or contains source records
(statements. PF_SRC or PF_DTA.).
6 Source Type Code Specifies the source type of the member,
such as, CLP, PF, LF, RPGLE, etc.
Attribute
Description
1 Library Text The text description of the library that the
SAVF exists.
2 File Text The text description of the SAVF.
Standard IFS Attributes
When the files being compressed are from the integrated file system, the standard
attributes for stream files are as described in the following table.
Attribute
Description
1 Code Page
2 File creations date/time The date and time when the file was created.
3 File last access date/time The date and time when the file was last
accessed.
4 File last modification
date/time
The data and time when the file was last
modified.
Advanced Encryption Attributes
When the files being compressed with advanced encryption, encryption attributes are
added to the archive.
Attribute
Description
1 Encryption Method/ Algorithm Indicates the Encryption Method.
2 Encryption Key Type The key type used with the encryption
algorithm.
3 Security Method Indicates whether a password, certificate, or
both password and certificate are in use.
DATABASE Attributes
With the parameter DBSERVICE(*YES) in PKZIP, a special set of attributes are
created for files that are physical files (both source and data types) in the QSYS
library file system. These attributes can be used by PKUNZIP to create a database by
building the DDS source and issuing the CRTPF command for the source.
373

These database attributes are described in the following tables.
File Physical Attributes
For more information, see the CRTPF and CHGPF commands or IBM publications.
Attribute
Description
1 File Record Format The name of the file’s record format.
2 File Record Text The Text description for the file’s format.
3 Maximum Number of
Members
Specifies the maximum number of members
that the physical file being created can have
at any time.
4 Number Fields The number of fields in the database.
5 Number of keys The number of key fields in the database.
6 SIZE - nbr Records SIZE parameter option - The number of
records that can be inserted before an
automatic extension occurs.
7 SIZE - increment value SIZE parameter option - Value for the number
of additional records.
8 SIZE - number of increments SIZE parameter option - Maximum number of
parts to be added automatically to the
member.
9 Public Authority AUT - Specifies the authority given to users
who do not have specific authority to the
physical file.
Note: If an authorization list was specified for
the file then AUT is set to *CHANGED. See
“Database Attributes Considerations.”
10 Record Description CCSID The coded character set identifier for the
record description.
11 Delete Percent DLTPCT - Specifies the percentage of deleted
records a file can contain before you want the
system to send a message to the system
history log.
12 Reuse deleted records REUSEDLT - Specifies whether deleted
record space should be reused on
subsequent write operations.
13 Access path size ACCPTHSIZ - Specifies the maximum size of
auxiliary storage that can be occupied by
access paths that are associated with keyed
source physical files.
14 Access path maintenance MAINT - Specifies the type of access path
maintenance used for all members of the
physical file.
15 Access path recovery RECOVER - For files having immediate or
delayed maintenance on their access paths,
specifies when recovery processing of the file
is done if a system failure occurs while the
access path is being changed.
16 Allocate storage ALLOCATE - Specifies storage space is
allocated for the initial number of records
(SIZE parameter) for each physical file
member when it is added.
374

Attribute
Description
17 Force keyed access path FRCACCPTH - For files with keyed access
paths only, specifies access path changes are
forced to auxiliary storage along with the
associated records in the file whenever the
access path is changed.
18 Record format level check LVLCHK - Specifies the record format level
identifiers in the program are checked against
those in the logical file when the file is
opened.
19 Program describe File Defines whether file is external file type.
20 Triggers Available File had triggers defined. See “Database
Attributes Considerations.”
21 File SQL Table File is an SQL Table.
22 Constraints Available File had Constraints defined. See “Database
Attributes Considerations.”
23 File has Null Fields File contains fields which allow NULL
contents. See “Database Attributes
Considerations.”
File Field Attributes
See “iSeries e DDS Reference Publication No. RBAF-P000-00” for a description of the
keywords.
Attribute
Description
1 Field Name Field name.
2 Field Data Type Specifies the data type associated with the
field (such as, A-character, P-Packed,
Decimal, etc.).
3 Field Length Specifies the field length for named field.
4 Number of Decimals Specifies the decimal placement within a
zoned decimal field and the data type of the
field as it appears in your program.
5 Field Usage Specifies that a named field is an output-only
or program-to-system field.
6 Field CCSID (CCSID) - Specifies a coded character set
identifier for character fields.
7 Field Text (TEXT) - A text description (or comment) for
the record format or field that is used for
program documentation.
8 Column Headings (COLHDG) - Specifies column headings used
as a label for this field by various iSeries file
tools.
9 Keyboard Shift Character (REFSHIFT) - Specifies a keyboard shift for a
field when the field is referred to in a display
file or DFU operation.
10 Allow NULLS (ALWNULL) - To define this field to allow the
null value.
11 Variable Length (VARLEN) - To define this field as a variable
length field.
12 Alias (ALIAS) - Specifies an alternative name for
the field.
13 Default Values (DFT) - Specifies a default value for a field.
375

Attribute
Description
14 Edit Formatting values (EDTCDE, EDTWRD, DATFMT, DATSEP,
TIMFMT, TIMSEP) - Specifies editing for the
field you are defining when the field is
referenced later during display or printer file
creation.
15 Validity Checking (CHECK, COMP, RANGE, etc.) - Specifies
validity checking in display files.
16 Indicator for Double Precision An indicator for float type fields specifying
single or double precision.
17 Allocated Length The allocated length in bytes for data types
that use variable lengths.
Key Field Attributes
See the IBM manual for the DDS description of keywords for KEYS.
Attribute
Description
1 Key Field Name The field name of the key.
2 Type of Sequence Defines the type of key and the sequence of
the key.
Database Attribute Considerations
Special database functionality and information such as triggers, file constraints,
authorization lists, and alternate collating sequences are not stored in an archive.
1. If a file has fields that have the option ALWNULL, warning message AQZ0521
will be issued.
2. If the file contains triggers, warning message AQZ0518 will be issued. Any
information about the triggers and associated programs are not stored in the
archive.
3. If a file has file constraints, warning message AQZ0519 will be issued.
4. If an authorization list was specified for the file, then the AUT parameter is
set to “*CHANGED.” The authorization list is not stored in the archive. It is
up to the user to set the authorization list when extracted.
5. If a file has an alternate collating sequence, warning message AQZ0520 will
be issued. The information about the alternate collating sequence is not
stored the archive.
If the database’s triggers, file constraints, alternate collating sequence, and logical
files are to be preserved, then save the database file, trigger programs (if they
exist), and logical files to a SAVF. Then compress the SAVF.
Note: Using DBSERVICE(*YES) can increase the size of the archive because some
databases may have hundreds of fields and attributes. If this archive will be used on
a platform other than iSeries with SecureZIP for iSeries , these attributes are
ignored and therefore should not be used.
376

Source File Considerations
When compressing source files, the use of the archive file should be considered. By
using the DBSERVICE(*NO), only the data is extracted in text mode. Other attributes
such as the sequences numbers and change dates are not included. This would be
the desired method if the source members are being transferred to another platform,
or if the sequence number and changes dates are not important. This method would
also give the best results for the total size of the archive.
If the sequence numbers and change dates are to be preserved, then you would use
DBSERVICE(*YES) to store this source file as a database file. This would not work
very well on non-EBCDIC platforms because the data is stored in binary mode with
no EBCDIC to ASCII translation. The problem is that each member will have all
available database attributes. This is still minimal because there are only three fields
for a source database.
Spool File Attributes
When the files being compressed are from a spool file, the standard attributes are:
Attribute
Description
1 Spool File Type Device type SCS, AFP, etc.
2 Target Output Type The type of file that was archived or converted
(spool file, text, or PDF).
3 Internal Job and spool ID Internal Job and Spool codes controlling the
spool file.
4 Spool File description The description of the file using the file name,
file number, job, user and job number.
5 Pages Number of pages in the spool file.
6 Code Page The code page the was used to convert the
spool file to TEXT or PDF.
7 OUTQ The OUTQ and the OUTQ library the spool
file resided.
8 User ID The user who created the spool file
377

L
FIPS-197 Certification of PKZIP for
AES
Advanced Encryption Standard FIPS Validation
PKZIP for OS/400 Version 5.5 and higher (which includes SecureZIP for
iSeries) use AES, which is the official US Government standard for encryption. The
AES algorithm was approved as the Federal Information Processing Standard by the
Commerce Department on May 26 th , 2002.
The National Institute of Standards and Technology (NIST) has announced approval
of the Federal Information Processing Standard (FIPS) for the AES algorithm (see
NIST AES FIPS Information at http://csrc.nist.gov/CryptoToolkit/aes/).
The PKZIP for OS/400 Version 5.5 implementation was validated in accordance
with FIPS-197 for the Advanced encryption Standard. Information regarding the
validation specification and certifications of PKWARE products can be found at
http://www.csrc.nist.gov/cryptval/aes/aesval.html (certificate #63).
The AES Algorithm
The Rijndael algorithm chosen uses a combination of advanced security,
performance, efficiency, ease of implementation, and flexibility to make it the
appropriate standard of advanced encryption for the AES.
Rijndael performs consistently in both hardware and software and in cross platform
environments regardless of its use in feedback or non-feedback modes. Rijndael’s
key setup time is very good, and its key agility is excellent. Memory requirements
are very low, making it the first choice for restricted-space environments, in which it
also demonstrates high performance. Power and timing attacks are easily defended
against due to Rijndael's operations.
Note that the AES was intentionally developed to replace DES.
AES Key Sizes
Currently, AES has three key sizes. They are: 128, 192, and 256 bits. Key sizes are
depicted in the following decimal terms:
• 3.4 x 10 38 possible 128-bit keys
378

• 6.2 x 10 57 possible 192-bit keys
• 1.1 x 10 77 possible 256-bit keys
In comparison, DES keys are only 56 bits, which means there are approximately 7.2
x 10 16 possible DES keys. Therefore, there they are on the order of 10 21 times more
AES 128-bit keys than DES 56-bit keys.
379

M Contact Information
PKWARE, Inc.
Web Site: www.pkware.com
For Licensing, please contact the Sales Division at 937-847-2374 or email
PKSALES@PKWARE.COM.
For Technical Support assistance, please contact the Product Services Division at
937-847-2687 or visit the support web site.
PROBLEM REPORTING
Providing appropriate documentation on the initial call for a problem expedites the
analysis and resolution process. The following sections describe the type of
information that should be supplied for each category of problem.
PROBLEM REPORTING (General)
When reporting a problem regarding PKZIP for iSeries, please be prepared to provide
the following information:
• The displayed output from CALL ziplib/WHATOSV or the details that
WHATOSV provides
• Release level of the operating system
• Release level of PKZIP for iSeries being run
• A description of the process being run and any differentiating circumstances
from job(s) that do run
• A display of the command problem with parameters
• A copy of the output and JobLog from the failing execution
• If run from a CL and practical, please include source listing of the CL
• If PKUNZIP is failing, provide the Output from the following:
PKUNZIP TYPE(*VIEW) VIEWOPT(*ALL)
380

• If requested by Technical Support, the display with various tracing options
turned on
• If practical, please include the archive/input file involved in the failing
execution
PROBLEM REPORTING (Licensing)
When reporting a problem regarding licensing, please be prepared to provide the
following information:
• The displayed output from CALL ziplib/WHATOSV
• A copy of the INSTPKLIC command and its parameters
• A copy of the output from the INSTPKLIC job
If the problem occurs in a PKZIP/PKUNZIP job then follow the steps outlined above
for PKZIP for iSeries.
381

Glossary
This glossary provides definitions for items that may have been referenced in the
PKZIP ® documentation. It is not meant to be exhaustive. One Web site that provides
excellent source documentation for computing terms is the IBM Terminology site:
http://www-306.ibm.com/ibm/terminology
Absolute Path Name
A string of characters that is used to refer to an object, starting at the highest
level (or root) of the directory hierarchy. The absolute path name must begin
with a slash (/), which indicates that the path begins at the root. This is in
contrast to a Relative Path Name. See also Path Name.
AES
The Advanced Encryption Standard is the official US Government encryption
stand for customer data.
American Standard Code for Information Interchange
The ASCII code (American Standard Code for Information Interchange) was
developed by the American National Standards Institute for information
exchange among data processing systems, data communications systems,
and associated equipment and is the standard character set used on MS-DOS
and UNIX-based operating systems. In a ZIP archive, ASCII is used as the
normal character set for compressed text files. The ASCII character set
consists of 7-bit control characters and symbolic characters, plus a single
parity bit. Since ASCII is used by most microcomputers and printers, textonly
files can be transferred easily between different kinds of computers and
operating systems. While ASCII code does include characters to indicate
backspace, carriage return, etc., it does not include accents and special
letters that are not used in English. To accommodate those special
characters, extended ASCII has additional characters (128-255). Only the
first 128 characters in the ASCII character set are standard on all systems.
Others may be different for a given language set. It may be necessary to
create a different translation tables (see Translation Table) to create standard
translation between ASCII and other character sets.
American National Standards Institute (ANSI)
An organization sponsored by the Computer and Business Equipment
Manufacturers Association for establishing voluntary industry standards.
382

ANSI
See American National Standards Institute.
API
See Application Programming Interface, below.
Application Programming Interface
An interface between the operating system (or systems-related program) that
allows an application program written in a high-level language to use specific
data or services of the operating system or the program. The API also allows
the user to develop an application program written in a high level language to
access PKZIP data and/or functions of the PKZIP system.
Application System/400 (iSeries)
One of a family of general purpose systems with a single operating system
(Operating System/400) that provides application portability across all
models.
Archive
The act of transferring files from the computer into a long-term storage
medium. Archived files are often compressed to save space.
An individual file or group of files which must be extracted and decompressed
in order to be used.
A file stored on a computer network, which can be retrieved by a file transfer
program (FTP) or other means.
The PKZIP file that holds the compressed/zipped data file.
ASCII
See American Standard Code for Information Interchange.
iSeries
See Application System/400, above.
iSeries Object
An object that exists in a library on the iSeries system and is represented by
an object on the PC. For example, a user profile is an iSeries object
represented on the PC by the user profile object.
Authorized Program Analysis Report (APAR)
A request for correction of a defect in a current release of an IBM supplied
program.
383

Bandwidth
The capacity of a communications line, normally expressed in bits per second
(bps). A lack of bandwidth is one of the prime motivations for using
compression software.
Batch Job
A predefined group of processing actions submitted to the system to be
performed with little or no interaction between the user and the system. This
is in contrast to an Interactive Job.
Binary File
A file that contains codes that are not part of the ASCII character set. Binary
files can utilize all 256 possible values for each byte in the file.
Bit
A contraction of binary digit. Either of the binary digits, 0 or 1. Compare with
Byte.
Block
A group of records that are recorded or processed as a unit.
A set of adjacent records stored as a unit on a disk, diskette, or magnetic
tape.
Byte
The smallest unit of storage that can be addressed directly.
A group of 8 adjacent bits. In the EBCDIC/ASCII coding system, 1 byte can
represent a character. In the double-byte coding system, 2 bytes represent a
character.
Code Page
A specification of code points for each graphic character set or for a collection
of graphic character sets. Within a given code page, a code point can have
only one specific meaning. A code page is also sometimes known as a code
set.
Command Line
The blank line on a display console where commands, option numbers, or
selections can be entered.
Control Language (CL) Program
A program that is created from source statements consisting entirely of
control language commands.
384

CRC
See Cyclic Redundancy Check.
Cryptography
A method of protecting data. Cryptographic services include data encryption
and message authentication.
In cryptographic software, the transformation of data to conceal its meaning;
secret code.
The transformation of data to conceal its information content, to prevent its
undetected modification, or to prevent its unauthorized use.
Current Library
The library that is specified to be the first user library searched for objects
requested by a user. The name for the current library can be specified on the
sign-on display or in a user profile. When you specify an object name (such
as the name of a file or program) on a command, but do not specify a library
name, the system searches the libraries in the system part of the library list,
then searches the current library before searching the user part of the library
list. The current library is also the library that the system uses when you
create a new object, if you do not specify a library name.
Cyclic Redundancy Check (CRC)
A Cyclic Redundancy Check is a number derived from a block of data, and
stored or transmitted with the data in order to detect any errors in
transmission. This can also be used to check the contents of a ZIP archive.
It's similar in nature to a checksum. A CRC may be calculated by adding
words or bytes of the data. Once the data arrives at the receiving computer,
a calculation and comparison is made to the value originally transmitted. If
the calculated values are different, a transmission error is indicated. The CRC
information is called redundant because it adds no significant information to
the transmission or archive itself. It’s only used to check that the contents of
a ZIP archive are correct. When a file is compressed, the CRC is calculated
and a value is calculated based upon the contents and using a standard
algorithm. The resulting value (32 bits in length) is the CRC that is stored
with that compressed file. When the file is decompressed, the CRC is
recalculated (again, based upon the extracted contents), and compared to the
original CRC. Error results will be generated showing any file corruption that
may have occurred.
Data Compression
The reduction in size (or space taken) of data volume on the media when
performing a save or store operations.
Data Integrity
The condition that exists as long as accidental or intentional destruction,
alteration, or loss of data does not occur.
385

Within the scope of a unit of work, either all changes to the database
management systems are completed or none of them are. The set of change
operations are considered an integral set.
DBCS
See Double-byte Character Set.
Double-byte Character Set (DBCS)
A set of characters in which each character is represented by 2 bytes.
Languages such as Japanese, Chinese, and Korean, which contain more
symbols than can be represented by 256 code points, require double-byte
character sets. Because each character requires 2 bytes, the typing,
displaying, and printing of DBCS characters requires hardware and programs
that support DBCS. Four double-byte character sets are supported by the
system: Japanese, Korean, Simplified Chinese, and Traditional Chinese. See
also the Single-Byte Character Set (SBCS).
EBCDIC
See the Extended Binary Coded Decimal Interchange Code, below.
Encryption
The transformation of data into an unintelligible form so that the original data
either cannot be obtained or can be obtained only by decryption.
Extended Attribute
Information attached to an object that provides a detailed description about
the object to an application system or user.
Extended Binary Coded Decimal Interchange Code (EBCDIC)
The Extended Binary Coded Decimal Interchange Code is an 8-bit binary code
for larger IBM mainframes in which each byte represents one alphanumeric
character or two decimal digits. The single-byte structure has a range of
X’00’ to X’FF’. Control commands are subset with a range of X’00’ to X’3F’
while graphic characters have a range from X’41’ to X’FE’. The space
character is represented by a X’40’. EBCDIC is similar in nature to ASCII
code, which is used on many other computers. When ZIP programs compress
a text file, they translate data from EBCDIC to ASCII characters within a ZIP
archive using a translation table.
File Transfer Protocol (FTP)
In TCP/IP, an application protocol used for transferring files to and from host
computers. FTP requires a user ID and possibly a password to allow access to
files on a remote host system. FTP assumes that the transmission control
protocol (TCP) is the underlying protocol.
386

FTP
See File Transfer Protocol above.
GZIP
GZIP (also known as GNU zip) is a compression utility designed to utilize a
different standard for handling compressed file data in an archive. Its main
advantages over other compression utilities are much better compression and
freedom from patented algorithms. It has been adopted by the GNU project
and is now relatively popular on the Internet. Additional information can be
found at http://www.gzip.org.
Host
The controlling or highest-level system in a data communications
configuration. For example, an iSeries system is the host system for the work
stations connected to it.
Integrated File System
A function of the operating system that provides storage support similar to
personal computer operating systems (such as DOS and OS/2) and UNIX
systems.
Interactive Job
A job started for a person who signs on to a work station and communicates
(or “converses”) with another computing entity such as a mainframe or
iSeries system. This is in contrast to a Batch Job.
Keyed Sequence
An order in which records are retrieved based on the contents of key fields in
records. For example, a bank name and address file might be in order and
keyed by the account number.
Keyword
A mnemonic (abbreviation) that identifies a parameter in a command.
A user-defined word used as one of the search values to identify a document
during a search operation.
In COBOL, a reserved word that is required by the syntax of a COBOL
statement or entry.
In DDS, a name that identifies a function.
In REXX, a symbol reserved for use by the language processor in a certain
context. Keywords include the names of the instructions and ELSE, END,
OTHERWISE, THEN, and WHEN.
In query management, one of the predefined words associated with a query
command.
A name that identifies a parameter used in an SQL statement.
387

LAC
See License Authorization Code, below.
Lempel-Ziv (LZ)
A technique for compressing data. This technique replaces some character
strings, which occur repeatedly within the data, with codes. The encoded
character strings are then kept in a common dictionary, which is created as
the data is being sent.
Library List
A list that indicates which libraries are to be searched and the order in which
they are to be searched. The system-recognized identifier is *LIBL.
License Authorization Code (LAC)
The inserted code that is needed to unlock an iSeries licensed program.
Logical Partition
A subset of a single iSeries system that contains resources (such as
processors, memory, and input/output devices). A logical partition operates
as an independent system. If hardware requirements are sufficient, multiple
logical partitions can exist within a system.
LZ
See the entry for Lempel-Ziv (LZ), above.
New ZIP Archive
A new ZIP archive is the archive created by a compression program when
either an old ZIP archive is updated or when files are compressed and no ZIP
archive currently exists. It may be thought of as the “receiving” archive.
Also see Old ZIP archive.
Null Value
A parameter position within a record for which no value is specified.
n-way Processor Architecture
A processor architecture that provides expandability for future system growth
by allowing for additional processors. To the user, the additional processors
are transparent because they separately manage the work load by sharing
the work evenly among the n-way processors.
Old ZIP Archive
An old ZIP archive is an existing archive which is opened by a compression
program to be updated or for its contents to be extracted. It may be thought
of as the “sending” archive. Also see New ZIP archive.
388

Operating System/400 (OS/400)
An IBM-licensed program that is as the primary operating system for an
iSeries system.
OS/400
See Operating System/400, above.
Output Queue
An AS/400 object that contains entries for spooled output files to be written
to an output device.
Packed Decimal Format
A decimal value in which each byte within a field represents two numeric
digits except the far right byte, which contains one digit in bits 0 through 3
and the sign in bits 4 through 7. For all other bytes, bits 0 through 3
represent one digit; bits 4 through 7 represent one digit. For example, the
decimal value +123 is represented as 0001 0010 0011 1111 (or 123F in
hexadecimal).
Path Name
A string of characters used to refer to an object. The string can consist of one
or more elements, each separated by a slash (/), and may begin with a slash.
Each element is typically a directory or equivalent, except for the last
element, which can be a directory or another object (such as a file).
A sequence of directory names followed by a file name, each separated by a
slash.
In a hierarchical file system (HFS), the name used to refer to a file or
directory. The path name must start with a slash (/) and consist of elements
separated by a slash. The first element must be the name of a registered file
system. All remaining elements must be the name of a directory, except the
last element, which can be the name of a directory or file. See also Absolute
Path Name and Relative Path Name.
The name of an object in the integrated file system. Protected objects have
one or more path names.
Physical File
Describes how data is to be presented to (or received from) a program and
how data is stored in the database. A physical file contains a single record
format and at least one member.
Physical File Member
A named subset of the data records in a physical file. See also member.
389

Production Library
A library which contains objects needed for normal processing. This contrasts
with a Test Library.
Program Temporary Fix (PTF)
A temporary solution to (or a bypass of) a problem that is necessary to
provide a complete solution to correct a defect in a current unaltered release
of a program. May also be used to provide an enhancement to a product
before a new release of the product is available. Generally, PTFs are
incorporated in a future release of the product.
PTF
See Program Temporary Fix, above.
QSYS
The library shipped with the iSeries system that contains objects, such as
authorization lists and device descriptions created by a user, and the system
commands and other system objects required to run the system. The system
identifier is QSYS.
Qualified Name
The full name of the library that contains the object and the name of the
object.
Record
A group of related data, words, or fields treated as a single unit, such as a
name, address, and social security number.
Reduced Instruction Set Computer (RISC)
A RISC computer uses a small, highly efficient subset of the instructions
available on a standard computer. This allows for rapid processing.
Relative Path Name
A string of characters that is used to refer to an object, starting at some point
in the directory hierarchy other than the root. A relative path name does not
begin with a slash (/). The starting point is frequently a user's current
directory. This is in contrast to an Absolute Path Name. See also Path Name.
Return Code
A value generated by operating system software to a program to indicate the
results of an operation by that program. The value may also be generated by
the program and passed back to the operator.
390

RISC
See Reduced Instruction Set Computer, above.
SBCS
See Single-Byte Character Set.
Service Pack
The iSeries product has available a collection of code fixes that contain PC
code. These fixes are contained in a single program temporary fix (PTF)
which makes installation easier.
Single-Byte Character Set (SBCS)
A coded character set in which each character is represented by a one-byte
code point. A one-byte code point allows representation of up to 256
characters. Languages that are based on an alphabet, such as the Latin
alphabet (as contrasted with languages that are based on ideographic
characters) are usually represented by a single-byte coded character set. For
example, the Spanish language can be represented by a single-byte coded
character set. See also the Double-Byte Character Set (DBCS).
Source File
A file of programming code that has not yet been compiled into machine
language. A source file can be created by the specification of
FILETYPE(*SRC) on the create command. A source file can contain source
statements for such items as high-level language programs and data
description specifications. Source files maintained on a PC typically use a
.TXT as the extension. On a mainframe, source files are typically found in a
partitioned data set or are maintained within a library management tool.
Spool File
Files that exist in an "output queue" which contain reports to printed on the
AS/400 system. Theses files along with attributes can then be directed and
transformed to a printer attached to your system.
Stream File
A data file that contains continuous streams of bits such as PC files,
documents, and other data stored in iSeries folders. Stream files are well
suited for storing strings of data such as the text of a document, images,
audio, and video. The content and format of stream files are managed by the
application rather than by the system.
System Library
The library shipped with the operating system that contains objects such as
authorization lists and device descriptions created by a user. Also included
are system commands and other system objects required to run the system.
The system identifier is QSYS.
391

System Processor
The operating system logic that contains the processor function to translate
and process OS/400 control language commands and programming language
statements.
Time Stamp
A software mechanism for recording the current date and/or current time of
day.
Translation Table
Translation tables are used by the PKZIP and PKUNZIP programs for
translating characters in compressed text files between the ASCII character
sets used within a ZIP archive and the EBCDIC character set used on IBMbased
systems. These tables may be created and modified by the user as
documented in the User's Guide.
Trigger
A set of predefined actions that run automatically whenever a specified action
or change occurs, for example, a change to a specified table or file. Triggers
are often used to automate environments, such as running a backup when a
certain number of transactions are processed.
Truncate
To cut off or delete the data that will not fit within a specified line width or
display. This may also be attributed to data that does not fit within the
specified length of a field definition.
User Interface
The actions or items that allow a user to interact with (and/or perform
operations on) a computer.
Variable-Length
A characteristic of a file in which the individual records (and/or the file itself)
can be of varying length. See also Fixed-Length.
ZIP64
ZIP64 is reference to the archive format that supports more than 65,534 files
per archive, uncompressed files greater than 4 Gig and archives greater than
4 Gig.
ZIP Archive
A ZIP archive is used to refer to a single file that contains a number of files
compressed into a much smaller physical space by the ZIP software.
392

3270 Display Emulation
A personal computer-based program that allows a PC to perform like a 3270
display station or printer. The program will allow use of the various iSeries
system functions.
5250 Emulation
A personal computer-based program that allows a PC to perform like a 5250
display station or printer. The program will allow use of the various iSeries
system functions.
393

Index
/ file system, 63
3
3270 Display Emulation, 393
3DES, 16, 17
5250 Emulation, 393
/
5
A
About this Manual, 1
Absolute Path Name, 382
ADVCRYPT, 116, 181
AES, 17, 382
AES Algorithm, 378
AES FIPS Validation, 378
AES Key Sizes, 378
Alternate Install from SAVF with Non-Standard
Library Name, 46
American National Standards Institute, 382
American Standard Code for Information Interchange,
382
ANSI, 383
API, 383
Application Programming Interface, 383
Application System/400 (AS/400), 383
AQZ0001 - AQZ0799 Messages, 234
AQZ0012 - PKZIP ending with Nothing to do for,
232, 235
AQZ0020 - PKZIP Completed Successfully, 232, 236
AQZ0022 - PKZIP Completed with Errors, 232, 236
AQZ0024 - PKZIP Completing with a Warning. No
Files Selected, 232, 236
AQZ0037, 232, 238
AQZ0038 - PKUNZIP Completed with Errors., 232,
238
AQZ0043, 239
AQZ0044 - PKUNZIP Completed with Errors., 239
AQZ0045, 239
AQZ0046 - PKUNZIP Completed with Errors., 239
AQZ0047, 240
AQZ0048 - PKUNZIP Completed with Errors., 240
AQZ0049, 240
AQZ0050 - PKUNZIP Completed with Errors., 240
AQZ0143-00, 246
AQZ0262, 261
AQZ0800 - AQZ0899 *VIEW Display Messages, 288
AQZ8xxx configuration messages, 302
AQZ9xxx LICENSE Messages, 311
Archive, 383
ARCHIVE, 117, 156
Archive Placement (IFS or in a Library), 336
archives, 6
updating, 103
viewing, 28, 94, 103
ARCHTEXT, 118
AS/400, 383
AS/400 Object, 383
ASCII, 57, 383
AUTHCHK, 118, 157
authenticating, 97
authentication, 13, 14
authority settings, 58
Authorized Program Analysis Report (APAR), 383
AUTHPOL, 122, 160, 185
Bandwidth, 384
Batch Job, 384
Binary File, 384
binary records, 52
Bit, 384
Block, 384
Byte, 384
CERTDB, 191
certificate
stores, 25
certificate authority, 15, 20, 80
certificate locator database, 81, 85, 92
certificate revocation list store, 81
certificate revocation lists, 81, 100
certificate stores, 79, 80, 81, 85, 215
testing, 88
certificates, 14, 15, 76, 215
end entity, 16
locating, 79
root, 16
CERTSELT, 189
Code Page, 384
Command Line, 384
B
C
394

Commands, 152
Comment Control Card, 41
COMPAT, 123
COMPRESS, 124
Compressing, 230
Compressing a file, 231
Compressing a SAVF file, 67
Compressing SPOOL Files, 68
Compression, 5, 40
Compression Type Performance, 335
Conditional Use, 44
configuration profiles, 77
Control Language (CL) Program, 384
Conventions Used in this Manual, 2
CRC, 6, 13, 385
Creating Commands with new defaults, 371
Creating List Files, 356
Creating new Translation Table Members, 360
CRL. See certificate revocation lists
CRL format, 217
cross-platform compatibility, 8, 229
CRTLIST, 124, 162
Cryptography, 385
CSCA, 193
CSCRL, 194
CSPRVT, 193
CSPUB, 192
CSROOT, 194
Current Library, 385
Customer Control Card, 41
CVTDATA, 125, 162
CVTFLAG, 125, 162
CVTNAME name conversion program, 349
CVTTYPE, 125, 163
CWRKPATH, 195
Cyclic Redundancy Check (CRC), 385
D
Data Compression, 385
data format, text vs. binary, 52
Data Integrity, 385
data security, 12, 22, 75
Data Type Selection, 336
Database Attribute Considerations, 376
DATABASE Attributes, 373
DATEAB, 126
DATETYPE, 126
DBCS, 386
DBSERVICE, 126
Decompression, 40
decrypting, 94
DELIM, 127
DES, 16
DFTARCHREC, 126
DFTDBRECLN, 163
directories, 62
DIRNAMES, 127
DIRRECRS, 127
Document Library Services file system, 63
Document Library Services file system (QDLS), 64
Double-byte Character Set (DBCS), 386
DROPPATH, 163
E
EBCDIC, 57, 386
ENCRYPOL, 131, 187
encryption, 12, 22, 24, 386
algorithms, 16
filename, 26, 102
methods, 23
passwords, 19, 24
recipient-based, 19, 24, 93
Windows compatibility, 23
Encryption Performance, 337
ENTPREC, 128, 164, 195
Escape Messages, 232, 236, 238, 239, 240
Example 1 - PKUNZIP Files to a New or Different
Library, 339
Example 2 - CLP with Override for Stdout and Stderr
to an OUTQ, 340
Example 3 - Creating an Archive in Personal Folders
(QDLS), 341
Example 4 - Processing Archive on a CD (QOPT),
342
Example 5 - Compressing files from a CD (QOPT),
343
Example 6 - Compressing CL with MSG Checking,
344
Example 7 - Compressing Spool Files Samples, 345
Example 8 - PKZSPOOL the last spool file of current
Job, 346
Example 9 - CL to submit a job to compress all spool
files for a job to a PDF, 346
Example of PKZTABLES (USASCII) Translation
Table, 360
Examples, 339
EXCLFILE, 132, 167
EXCLUDE, 133, 167
EXDIR, 168
EXRROPT, 132
Extended Attributes, 372, 386
Extended Attributes Selections, 337
Extended Binary Coded Decimal Interchange Code
(EBCDIC), 386
extended features, 30
Extracting, 230
extracting files, 55
IFS, 57
Extracting Records into a SAVF file, 67
extracting spool files, 58
extracting Windows text files, 54
EXTRAFLD, 133
F
Feature Control Card, 41
file attributes, 53
File Considerations, 7
file exclusion inputs, 50
File Field Attributes, 375
file names, 32
File Physical Attributes, 374
file processing support, 61
395

file selection and name processing, 48
file selection inputs, 48
File Transfer Protocol (FTP), 386
filename encryption, 102
GZIP, 229
FILES, 134, 168
FILESTEXT, 134
FILETYPE, 135, 169
FIPS, 16
FND, 136
FTP, 35, 387
FTRAN, 136, 169
G
GIGA ZIP, 40
Global settings, 45
Glossary, 382
GNU zip, 227
GZIP, 137, 387
GZIP archives, 228
GZIP Compressing, 230
GZIP Extracting, 230
GZIP processing, 227, 229
GZIP restrictions, 229
History of Changes, 367
Host, 387
I
IBM publications, 3
IFS File Handler, 40
IFS file system, 62, 63
IFS Summary, 67
IFSCDEPAGE, 137, 170
Implementation Considerations, 362
INCLFILE, 138, 170
Information on the Internet, 4
Input ZIP Archive files, 51
Install Basic, 42
Install Demo, 41
Install Single, 42
installation, 33
Installation Procedures, 35
Integrated File System, 387
Interactive Job, 387
interactive performance, 335
intermediate store, 81
International Code Page Support, 359
H
K
Key Features, 362, 364, 365
Key Field Attributes, 376
Keyed Sequence, 387
keys, 14, 18, 20
accessing, 76
Keyword, 387
L
LAC, 388
Large File Considerations, 7
Large File Support File Capacities, 7
Large File Support Summary, 7
LDAP, 79
LDAP certificate store, 81
LDAP directories, 80, 86
LDAP1, 196
LDAPACTV, 196
Library file system, 63
Library List, 388
License Authorization Code (LAC), 388
Licensed Product Features, 38
Licensing Requirements, 36
List Files, 61, 67, 124, 132, 138, 151, 162, 167, 170,
173, 356
List Files and their Usage, 356
local certificate store, 80, 84
Logical Partition, 388
LZ, 388
M
MD5, 13
memory errors, 348
Messages, 232
MONMSG, 232, 235, 236, 238, 239, 240
MSGTYPE, 138, 171
N
name conversion program CVTNAME, 349
name processing, 48
Network File System, 64
New Features, 10
New ZIP Archive, 388
NFS, 64
Non-Standard Library Name, 46
Notices, 1
Null Value, 388
n-way Processor Architecture, 388
O
OAEP processing, 24
Old ZIP Archive, 388
Open Systems file system, 64
operating environment, 44
Optical file system, 63
Optical File System (QOPT), 65
OS/400, 389
Other IFS Objects, 63
Output Queue, 389
OVERWRITE, 171
Overwriting Current SAVF File, 68
Packed Decimal Format, 389
PASSWORD, 138, 151, 171, 182
passwords, 19, 29
path name, 62, 389
P
396

absolute, 62
relative, 63
paths, 57
to certificate stores, 84
PDF Creation Attributes, 365
PEM format, 84, 217
performance considerations, 335
Physical File, 389
Physical File Member, 389
Physical Files (both Source and Data), 372
PING option, 87
PKBLDCDB command details, 204
PKBLDCDB command summary, 203
PKBLDCDB utility, 85
PKCFGSEC command, 77, 86
PKCFGSEC command details, 180
PKCFGSEC command summary, 176
PKCS#12 format, 84
PKCS#7 format, 81, 84, 217
PKI, 13, 14
PKLDAPTST command details, 200
PKLDAPTST command summary, 199
PKQRYCDB command details, 210
PKQRYCDB command summary, 210
PKSTORADM command details, 216
PKSTORADM command summary, 215
PKUNZIP Command, 152
PKUNZIP command details, 156
PKUNZIP command summary, 152
PKZCF1F file, 81
PKZCF1LCN file, 81
PKZCF1LEM file, 81
PKZCF1LPH file, 81
PKZDTA5 Data Area, 45
PKZIP command, 110
PKZIP command details, 116
PKZIP for DOS, 32
PKZIP library
renaming, 45
PKZSPOOL command, 110
PKZTABLES, 360
platform-specific differences, 31
Preface, 1
private key, 14, 15, 76, 86
private-key, 23
Processing with GZIP, 227
Production Library, 390
Program Temporary Fix (PTF), 390
PTF, 390
public key, 14, 15, 16, 76, 85
QDLS, 63
QDLS file system, 64
QFileSvr.400, 64
QNetWare, 64
QNTC, 64
QOpenSys, 64
QOPT, 63, 65
QSYS, 390
QSYS file system, 61
Q
QSYS library file system, 55
QSYS.LIB, 63
Qualified Name, 390
R
RC4, 18
recipients, 19, 23, 26, 79, 95
searching for, 79
Record, 390
Record Layouts, 40
Reduced Instruction Set Computer (RISC), 390
Related Publications, 3
Relative Path Name, 390
Release Licensing, 36
Release Summary, 10
Reporting, 42
Reporting Environment, 36
restoring the library, 35
Restrictions, 10
Return Code, 390
REVKEPOL, 189
RISC, 391
root, 63
root store, 81, 84
Running Without the Library in the Library List, 46
Sample CVTNAME, 350
Sample GZIP Processing, 231
SAVF, 67, 373
SAVF method, 32
SBCS, 391
SECTYPE, 180
SecureZIP
invoking, 31
Self Extracting, 40, 139, 245, 320
self-extracting archives, 71
SELFXTRACT, 139
Service Pack, 391
SFFORM, 140
SFJOBNAM, 141
SFQUEUE, 140, 172
SFSTATUS, 141
SFTARGET, 141
SFTGFILE, 142
SFUSER, 139
SFUSRDTA, 140
SHA-1, 13
signatures, 13
SIGNERS, 144
signing, 14, 15, 96, 99
SIGNPOL, 147, 183
Source File, 391
Source File Considerations, 377
SPLF Attributes, 364
SPLFILE, 143
SPLNBR, 143
SPLUSRID, 172
Spool File, 391
Spool File Attributes, 377
SPOOL File Selecting, 51
S
397

Spool File Selections, 364
spool files, 68
SPOOL Files Considerations, 364
Standard “IFS” Attributes, 373
Standard Code Page Support, 358
Standard QSYS Library File System Attributes, 372
Status Messages, 232, 235, 236, 238, 239, 240
STOREPATH, 149
Stream File, 391
stream files, 63
System Library, 391
System Processor, 392
T
temporary archive files, 71
test certificates, 87
text records, 52
Time Stamp, 392
TMPPATH, 149
TRAN, 150, 172
Translation Tables, 358, 360, 392
Trial Period, 36
Trigger, 392
Triple DES, 16
Truncate, 392
trust chain, 15
TSTCERTS program, 88
TYPARCHFL, 150, 173
TYPE, 116, 156, 180
TYPFL2ZP, 150, 173
TYPLISTFL, 151, 173
UDFS, 64
U
unloading from a CD ROM, 34
unloading from tape, 33
Updating License Files, 37
USASCII, 360
User Interface, 392
User-Defined File System, 64
Using QSYS.LIB Through the Integrated File System
Interface, 66
V
Variable-Length, 392
VERBOSE, 151, 173
View Demo, 42
View Single, 43
View Single with Exception, 43
VIEWOPT, 174
VIEWSORT, 174
W
Windows NT Server file system, 64
X.509, 15
ZIP archives, 70, 71, 392
ZIP file format specification, 9
ZIP files, 52
ZIP Processing File Selection, 48
ZIP64, 7, 250, 299, 336, 367, 392
ZIP64 Processing Considerations, 336
ZPCA801x – ZPCA899x Messages, 321
X
Z
398