SecureZIP™ for iSeries User's Guide - PKWare
SecureZIP™ for iSeries User's Guide - PKWare
SecureZIP™ for iSeries User's Guide - PKWare
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
SecureZIP <strong>for</strong> <strong>iSeries</strong><br />
User’s <strong>Guide</strong><br />
SZIU-V8R0000<br />
PKWARE Inc.
PKWARE Inc.<br />
9009 Springboro Pike<br />
Miamisburg, Ohio 45342<br />
Sales: 937-847-2374<br />
Support: 937-847-2687<br />
Fax: 937-847-2375<br />
Web Site: http://www.pkware.com<br />
Sales - Email: pksales@pkware.com<br />
Support - http://www.pkware.com/support<br />
8.1 Edition (2005)<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> , PKZIP <strong>for</strong> <strong>iSeries</strong>, PKZIP <strong>for</strong> MVS, PKZIP <strong>for</strong> zSeries, PKZIP <strong>for</strong><br />
OS/400, PKZIP <strong>for</strong> VSE, PKZIP <strong>for</strong> UNIX, and PKZIP <strong>for</strong> Windows are just a few of the<br />
many members in the PKZIP ® family. PKWARE, Inc. would like to thank all the individuals and<br />
companies -- including our customers, resellers, distributors, and technology partners -- who<br />
have helped make PKZIP ® the industry standard <strong>for</strong> Trusted ZIP solutions. PKZIP ® enables our<br />
customers to efficiently and securely transmit and store in<strong>for</strong>mation across systems of all<br />
sizes, ranging from desktops to mainframes.<br />
This edition applies to the following PKWARE, Inc. licensed program:<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (Version 8, Release 1, 2005)<br />
PKZIP is a registered trademark of PKWARE Inc. SecureZIP is a trademark of PKWARE Inc.<br />
Other product names mentioned in this manual may be a trademark or registered trademarks<br />
of their respective companies and are hereby acknowledged.<br />
Any reference to licensed programs or other material, belonging to any company, is not<br />
intended to state or imply that such programs or material are available or may be used. The<br />
copyright in this work is owned by PKWARE, Inc., and the document is issued in confidence <strong>for</strong><br />
the purpose only <strong>for</strong> which it is supplied. It must not be reproduced in whole or in part or used<br />
<strong>for</strong> tendering purposes except under an agreement or with the consent in writing of PKWARE,<br />
Inc., and then only on condition that this notice is included in any such reproduction. No<br />
in<strong>for</strong>mation as to the contents or subject matter of this document or any part thereof either<br />
directly or indirectly arising there from shall be given or communicated in any manner<br />
whatsoever to a third party being an individual firm or company or any employee thereof<br />
without the prior consent in writing of PKWARE, Inc.<br />
Copyright © 1989 - 2005 PKWARE, Inc. All rights reserved.
Contents<br />
PREFACE............................................................................................................. 1<br />
Notices ........................................................................................................................ 1<br />
About this Manual...................................................................................................... 1<br />
Conventions Used in this Manual ............................................................................ 2<br />
Related Publications.................................................................................................. 3<br />
Related IBM Publications .......................................................................................... 3<br />
Related In<strong>for</strong>mation on the Internet ......................................................................... 4<br />
User Help and Contact In<strong>for</strong>mation.......................................................................... 4<br />
1 SECUREZIP FOR ISERIES............................................................................ 5<br />
Data Compression ..................................................................................................... 5<br />
ZIP Archives ............................................................................................................... 6<br />
Cyclic Redundancy Check ........................................................................................ 6<br />
Encryption .................................................................................................................. 7<br />
Large Files Considerations....................................................................................... 7<br />
Large File Support Summary ................................................................................... 7<br />
Large File Support File Capacities ........................................................................... 7<br />
Cross Plat<strong>for</strong>m Compatibility ................................................................................... 8<br />
ZIP File Format Specification.................................................................................... 9<br />
Release Summary .................................................................................................... 10<br />
New Features in SecureZIP <strong>for</strong> <strong>iSeries</strong> Release 8.1.............................................. 10<br />
New Features in SecureZIP <strong>for</strong> <strong>iSeries</strong> Release 8.0.............................................. 10<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> Restrictions ......................................................................... 10<br />
2 DATA SECURITY ......................................................................................... 12<br />
Encryption ................................................................................................................ 12<br />
Authentication .......................................................................................................... 13<br />
Data Integrity .......................................................................................................... 13<br />
Digital Signature Validation .................................................................................... 13<br />
Digital Signature Source Validation........................................................................ 14<br />
iii
Public-Key Infrastructure and Digital Certificates................................................ 14<br />
Public-Key Infrastructure (PKI)............................................................................... 14<br />
X.509 ...................................................................................................................... 15<br />
Digital Certificates................................................................................................... 15<br />
Certificate Authority (CA)........................................................................................ 15<br />
Private Key ............................................................................................................. 15<br />
Public Key............................................................................................................... 16<br />
Certificate Authority and Root Certificates ............................................................. 16<br />
Types of Encryption Algorithms ............................................................................ 16<br />
FIPS 46-3, Data Encryption Standard (DES) ......................................................... 16<br />
Triple DES Algorithm (3DES) ................................................................................. 16<br />
Advanced Encryption Standard (AES) ................................................................... 17<br />
Comparison of the 3DES and AES Algorithms ...................................................... 17<br />
RC4 ........................................................................................................................ 18<br />
Key Management...................................................................................................... 18<br />
Passwords and PINS ............................................................................................... 19<br />
Recipient Based Encryption ................................................................................... 19<br />
Random Number Generation .................................................................................. 19<br />
Integrity of Public and Private Keys....................................................................... 20<br />
Meeting Current Challenges ................................................................................... 20<br />
Industry-Specific Mandates .................................................................................... 20<br />
Data Encryption........................................................................................................ 22<br />
Cross Product Matrix.............................................................................................. 23<br />
Operating System Levels ....................................................................................... 23<br />
Windows Compatibility ........................................................................................... 23<br />
General Questions to help you get started with SecureZip <strong>for</strong> <strong>iSeries</strong> .................. 24<br />
User Encryption Examples ..................................................................................... 26<br />
Zip Compress File(s) and Write to an Archive File................................................. 27<br />
Display the contents of an Archive File .................................................................. 28<br />
Incorrect Password Use ......................................................................................... 29<br />
3 GETTING STARTED WITH SECUREZIP FOR ISERIES............................. 30<br />
Basic Features of SecureZIP <strong>for</strong> <strong>iSeries</strong>................................................................ 30<br />
Extended Features of SecureZIP <strong>for</strong> <strong>iSeries</strong> ......................................................... 30<br />
Invoking SecureZIP <strong>for</strong> <strong>iSeries</strong> Services ............................................................... 31<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> Differences with other Plat<strong>for</strong>ms ...................................... 31<br />
Use of SAVF Method................................................................................................ 32<br />
4 SECUREZIP FOR ISERIES INSTALLATION............................................... 33<br />
Unloading SecureZIP <strong>for</strong> <strong>iSeries</strong> from Tape.......................................................... 33<br />
Unloading SecureZIP <strong>for</strong> <strong>iSeries</strong> from a CD-ROM ................................................ 34<br />
METHOD A. LODRUN Command.......................................................................... 34<br />
METHOD B. RSTLIB Command ............................................................................ 34<br />
Using FTP to <strong>iSeries</strong> to Transfer a PKZIP Save File............................................. 35<br />
Restoring SecureZIP <strong>for</strong> <strong>iSeries</strong> Product Library from a Save File .................... 35<br />
iv
Installation Procedures ........................................................................................... 35<br />
Licensing Requirements ......................................................................................... 36<br />
Trial Period ............................................................................................................. 36<br />
Release Licensing .................................................................................................. 36<br />
Reporting Environment........................................................................................... 36<br />
Updating License Files ........................................................................................... 37<br />
Licensed Product Features .................................................................................... 38<br />
Record Layouts ...................................................................................................... 40<br />
Reporting ................................................................................................................ 42<br />
Conditional Use ...................................................................................................... 44<br />
Operating Environment ........................................................................................... 44<br />
PKZDTA5 Data Area .............................................................................................. 45<br />
How to Change the Standard PKZIP Library Name............................................... 45<br />
Alternate Install from SAVF with Non-Standard Library Name .............................. 46<br />
Running Without the PKZIP Library in the Library List........................................... 46<br />
5 FILE SELECTION AND NAME PROCESSING............................................ 48<br />
ZIP Processing File Selection................................................................................. 48<br />
Primary File Selection Inputs.................................................................................. 48<br />
File Exclusion Inputs ............................................................................................... 50<br />
Input ZIP Archive Files ............................................................................................ 51<br />
SPOOL File Selecting .............................................................................................. 51<br />
6 ZIP FILES ..................................................................................................... 52<br />
Data Format - Text Records vs. Binary Records .................................................. 52<br />
File Attributes ........................................................................................................... 53<br />
PC Shared Drives Format........................................................................................ 54<br />
7 FILE EXTRACTING PROCESS ................................................................... 55<br />
Extracting Files to the QSYS Library File System ................................................ 55<br />
Authority Settings ................................................................................................... 56<br />
Extracting Files to the IFS....................................................................................... 57<br />
Path Considerations ............................................................................................... 57<br />
Changing the path(s).............................................................................................. 57<br />
File Type Considerations........................................................................................ 57<br />
Extracting Spool Files ............................................................................................. 58<br />
8 ISERIES FILE PROCESSING SUPPORT.................................................... 61<br />
QSYS (Library File System) .................................................................................... 61<br />
QSYS Summary ..................................................................................................... 61<br />
IFS (Integrated File System).................................................................................... 62<br />
Directories and Current Directory........................................................................... 62<br />
Path and Path Names ............................................................................................ 62<br />
Stream Files ........................................................................................................... 63<br />
Other IFS Objects................................................................................................... 63<br />
v
File Systems in the IFS .......................................................................................... 63<br />
Document Library Services File System (QDLS) ................................................... 64<br />
Optical File System (QOPT)................................................................................... 65<br />
Using QSYS.LIB via the Integrated File System Interface..................................... 66<br />
IFS Summary.......................................................................................................... 67<br />
SAVF.......................................................................................................................... 67<br />
Compressing a SAVF file ....................................................................................... 67<br />
Extracting Records into a SAVF file ....................................................................... 67<br />
Overwriting Current SAVF File ............................................................................... 68<br />
Compressing Spool Files........................................................................................ 68<br />
9 ZIP ARCHIVES ............................................................................................. 70<br />
“Old” ZIP Archive..................................................................................................... 71<br />
“Temporary” Archive File ....................................................................................... 71<br />
“New” ZIP Archive ................................................................................................... 71<br />
Self-Extracting Archive............................................................................................ 71<br />
10 ABOUT SECURITY, CERTIFICATES, AND ENCRYPTION........................ 75<br />
Keywords, Phrases, and Acronyms Used in This Chapter.................................. 75<br />
Accessing Public and Private Key Certificates .................................................... 76<br />
Public Key Certificate ............................................................................................. 76<br />
Private Key Certificates .......................................................................................... 76<br />
Enterprise Security Configuration ......................................................................... 77<br />
Contents of the Configuration Profile ..................................................................... 77<br />
File and Data Base (DB) (Local Certificate Store) ................................................. 79<br />
LDAP Profile (Networked Certificate Store) ........................................................... 80<br />
Certificate Store Administration and Configuration............................................. 80<br />
Access x.509 Public and Private Key Certificates.................................................. 80<br />
Local Certificate Store ............................................................................................ 80<br />
Certificate Authority and Root Certificates Stores.................................................. 80<br />
Certificate Revocation List Stores .......................................................................... 81<br />
Local Certificate Locator Database ........................................................................ 81<br />
LDAP Certificate Store ........................................................................................... 81<br />
Certificate Authority, Root Certificates and CRL Store Administration............. 82<br />
Local Certificate Store Administration .................................................................. 84<br />
Build Private and Public Store Paths...................................................................... 84<br />
Initialize and Build Certificate Locator Database:................................................... 85<br />
Directory Certificate Store Configuration - LDAP................................................. 86<br />
Testing the LDAP Connection ................................................................................ 86<br />
Getting Started with PKWARE Test Digital Certificates....................................... 87<br />
Step 1: Define IFS Certificate Stores .................................................................... 88<br />
Step 2: Extract Test Certificates, Inlist, Inputs, and Stores................................... 89<br />
Step 3: Setup Security Configuration File with PKCFGSEC Command ............... 90<br />
Step 4: Add Trusted Roots and Intermediate Certificates to the Certificate Stores.91<br />
Step 5: Build the Certificate Locator Database with PKBLDCDB ......................... 92<br />
Step 6: Compress File with Public Digital Certificates .......................................... 93<br />
Step 7: View Details of Archive ............................................................................. 94<br />
vi
Step 8: Decrypting File with Private Key Certificates............................................ 94<br />
Step 9: Using Input List File <strong>for</strong> ENTPREC Certificate List................................... 95<br />
Step 10: Sign Files and Archive with Private Keys ............................................... 96<br />
Step 11: Authenticate Signed Files and Archive................................................... 97<br />
Step 12: Sign Files and Archive with PK Test 9 Certificate .................................. 99<br />
Step 13: Add CA to Make the Trust Valid and Then Sign Archive........................ 99<br />
Step 14: Revoke PK Test 9 Certificate and Confirm Revocation........................ 100<br />
Filename Encryption.............................................................................................. 102<br />
How SecureZIP Encrypts File Names.................................................................. 102<br />
When SecureZIP Encrypts File Names................................................................ 102<br />
Encrypting File Names When You Update an Archive......................................... 103<br />
Opening and Viewing an Archive that Has Encrypted File Names ...................... 103<br />
Security Examples ................................................................................................. 104<br />
SecureZIP using Recipients or Combo ................................................................ 104<br />
SecureZIP Encryption Using a Recipients List..................................................... 105<br />
SecureZIP Encryption using LDAP search <strong>for</strong> Recipients ................................... 106<br />
UNZIP Compressed File(s) from an Archive File Using Recipients.................. 106<br />
Unzip Output using Recipients ............................................................................. 107<br />
View the Contents of an Archive File................................................................... 107<br />
View Detail Display............................................................................................... 108<br />
11 PKZIP COMMAND ..................................................................................... 110<br />
PKZIP Command Summary with Parameter Keyword Format.......................... 110<br />
PKZIP Command Keyword Details....................................................................... 116<br />
12 PKUNZIP COMMAND ................................................................................ 152<br />
PKUNZIP Command Summary with Parameter Keyword Format..................... 152<br />
PKUNZIP Command Keyword Details.................................................................. 156<br />
13 PKCFGSEC “CONFIGURE SECURITY PARAMETERS” COMMAND..... 176<br />
PKCFGSEC Command Summary with Parameter Keyword Format ................ 176<br />
Usage Notes......................................................................................................... 176<br />
PKCFGSEC Command Keyword Details ............................................................. 180<br />
Windows Compatibility ......................................................................................... 198<br />
14 PKLDAPTST “LDAP TEST” COMMAND.................................................. 199<br />
PKLDAPTST Command Summary with Parameter Keyword Format............... 199<br />
PKLDAPTST Command Keyword Details............................................................ 200<br />
15 PKBLDCDB “BUILD CERTIFICATE DATABASE” COMMAND............... 203<br />
PKBLDCDB Command Summary with Parameter Keyword Format ................ 203<br />
PKBLDCDB Command Keyword Details ............................................................. 204<br />
vii
16 PKQRYCDB “QUERY CERT DATABASE” COMMAND .......................... 210<br />
PKQRYCDB Command Summary with Parameter Keyword Format............... 210<br />
PKQRYCDB Command Keyword Details............................................................. 210<br />
17 PKSTORADM “CERTIFICATE STORE ADMINISTRATION” COMMAND215<br />
PKSTORADM Command Summary with Parameter Keyword Format ............. 215<br />
PKSTORADM Command Keyword Details .......................................................... 216<br />
18 PROCESSING WITH GZIP......................................................................... 227<br />
Introduction to GZIP (GNU zip)............................................................................. 227<br />
GZIP Archive Files Used By SecureZIP <strong>for</strong> <strong>iSeries</strong> ............................................ 228<br />
Cross Plat<strong>for</strong>m Compatibility ............................................................................... 229<br />
GZIP Restrictions ................................................................................................. 229<br />
Special Note on GZIP Passwords........................................................................ 229<br />
Processing GZIP Archives .................................................................................... 229<br />
GZIP Compressing............................................................................................... 230<br />
GZIP Extracting .................................................................................................... 230<br />
Sample GZIP Processing ...................................................................................... 231<br />
Compressing a file................................................................................................ 231<br />
19 MESSAGES................................................................................................ 232<br />
AQZ0001 - AQZ0799 Messages ............................................................................ 234<br />
AQZ0800 - AQZ0899 *VIEW Display Messages................................................... 288<br />
AQZ8xxx Configuration Messages....................................................................... 302<br />
AQZ9xxx LICENSE Messages............................................................................... 311<br />
ZPCA801x – ZPCA899x Messages ....................................................................... 321<br />
A PERFORMANCE CONSIDERATIONS ...................................................... 335<br />
Interactive Per<strong>for</strong>mance ........................................................................................ 335<br />
Compression Type Per<strong>for</strong>mance.......................................................................... 335<br />
Data Type Selection............................................................................................... 336<br />
Archive Placement (IFS or in a Library)............................................................... 336<br />
ZIP64 Processing Considerations........................................................................ 336<br />
Encryption Per<strong>for</strong>mance ....................................................................................... 337<br />
Extended Attributes Selections............................................................................ 337<br />
B EXAMPLES ................................................................................................ 339<br />
Example 1 - PKUNZIP Files to a New or Different Library ................................. 339<br />
Example 2 - CLP with Override <strong>for</strong> Stdout and Stderr to an OUTQ .................. 340<br />
Example 3 - Creating an Archive in Personal Folders (QDLS).......................... 341<br />
viii
Example 4 - Processing Archive on a CD (QOPT) .............................................. 342<br />
Example 5 - Compressing files from a CD (QOPT)............................................. 343<br />
Example 6 - Compressing CL with MSG Checking ............................................ 344<br />
Example 7 – Compressing Spool Files Samples ................................................ 345<br />
Example 8 – PKZSPOOL The Last Spool File of Current Job ........................... 346<br />
Example 9 - CL to Compress All Spool Files <strong>for</strong> a Job to a PDF ..................... 346<br />
C MEMORY ERRORS.................................................................................... 348<br />
D EXTERNAL NAME CONVERSION PROGRAM CVTNAME...................... 349<br />
Sample CVTNAME.................................................................................................. 350<br />
E LIST FILES ................................................................................................. 356<br />
Creating List Files .................................................................................................. 356<br />
Using List Files as Input........................................................................................ 356<br />
F TRANSLATION TABLES ........................................................................... 358<br />
Standard Code Page Support with Tables .......................................................... 358<br />
International Code Page Support ......................................................................... 359<br />
Translation Table Layout...................................................................................... 360<br />
Creating New Translation Table Members........................................................... 360<br />
Example of PKZTABLES (USASCII) Translation Table....................................... 360<br />
G IMPLEMENTATION CONSIDERATIONS .................................................. 362<br />
Key Features........................................................................................................... 362<br />
H SPOOL FILES CONSIDERATIONS........................................................... 364<br />
Spool File Selections............................................................................................. 364<br />
SPLF Attributes .................................................................................................... 364<br />
PDF Creation Attributes ....................................................................................... 365<br />
I HISTORY OF CHANGES ........................................................................... 367<br />
RELEASE 5.6 September 2003 ............................................................................ 367<br />
RELEASE 5.5 January 2003 ................................................................................. 368<br />
RELEASE 5.5.1 – March 2003 ............................................................................... 369<br />
RELEASE 5.5.2 – May 2003 ................................................................................... 370<br />
J CREATING COMMANDS WITH NEW DEFAULTS ................................... 371<br />
K EXTENDED ATTRIBUTES......................................................................... 372<br />
Standard QSYS Library File System Attributes .................................................. 372<br />
ix
Physical Files (both Source and Data)................................................................. 372<br />
SAVF .................................................................................................................... 373<br />
Standard IFS Attributes......................................................................................... 373<br />
Advanced Encryption Attributes .......................................................................... 373<br />
DATABASE Attributes ........................................................................................... 373<br />
File Physical Attributes ......................................................................................... 374<br />
File Field Attributes............................................................................................... 375<br />
Key Field Attributes .............................................................................................. 376<br />
Database Attribute Considerations....................................................................... 376<br />
Source File Considerations .................................................................................. 377<br />
Spool File Attributes.............................................................................................. 377<br />
L FIPS-197 CERTIFICATION OF PKZIP FOR AES...................................... 378<br />
Advanced Encryption Standard FIPS Validation ................................................ 378<br />
The AES Algorithm ................................................................................................ 378<br />
AES Key Sizes ........................................................................................................ 378<br />
M CONTACT INFORMATION ........................................................................ 380<br />
PKWARE, Inc. ......................................................................................................... 380<br />
PROBLEM REPORTING ..................................................................................... 380<br />
PROBLEM REPORTING (General) ..................................................................... 380<br />
PROBLEM REPORTING (Licensing)................................................................... 381<br />
GLOSSARY...................................................................................................... 382<br />
INDEX ............................................................................................................... 394<br />
x
Preface<br />
The PKZIP ® family of products consists of high per<strong>for</strong>mance data compression<br />
software. The archives resulting from compression by SecureZIP <strong>for</strong> <strong>iSeries</strong> can be<br />
transported or transmitted to other operating system plat<strong>for</strong>ms where they will<br />
undergo decompression by PKUNZIP or an acceptable substitute.<br />
Notices<br />
Licensing requirements have changed <strong>for</strong> this release. See “Licensing Requirements”<br />
in Chapter 4 <strong>for</strong> more details.<br />
About this Manual<br />
This manual provides the in<strong>for</strong>mation needed to utilize SecureZIP <strong>for</strong> <strong>iSeries</strong> in an<br />
operational environment. It is assumed that people using this manual have a good<br />
understanding of (Control Language) CL and dataset processing. Note that the<br />
contents of this manual apply to the following operating systems:<br />
• OS/400<br />
• <strong>iSeries</strong><br />
• Chapter 1. Provides a general description of the SecureZIP product, which is<br />
applicable to all supported plat<strong>for</strong>ms. It goes on to describe the OS/400<br />
specific features of the SecureZIP <strong>for</strong> <strong>iSeries</strong> product and provides a simple<br />
description of how the SecureZIP <strong>for</strong> <strong>iSeries</strong> product is used to provide the<br />
compression and decompression of datasets.<br />
• Chapter 2. Provides a general discussion of data security along with specific<br />
implementations of encryption<br />
• Chapter 3. Provides all of the general getting started in<strong>for</strong>mation <strong>for</strong> invoking<br />
PKZIP and PKUNZIP. This chapter explains the details associated with<br />
compression, decompression, restrictions, migration, and a complete view of<br />
the general SecureZIP <strong>for</strong> <strong>iSeries</strong> features.<br />
• Chapter 4. Provides detailed in<strong>for</strong>mation and guidance on installation from<br />
tape, CD-ROM, using FTP, general installation procedures, and licensing<br />
procedures<br />
• Chapter 5. Provides all of the general file selection and naming processing to<br />
include: primary file selection, exclusions, and ZIP archive files<br />
• Chapter 6. Provides a summary of the ZIP file data <strong>for</strong>mats, such as text<br />
versus binary, and file attributes<br />
1
• Chapter 7. Provides all of the general rules <strong>for</strong> extracting files to the QSYS<br />
library file system, integrated file system (IFS), and spool files<br />
• Chapter 8. Provides in<strong>for</strong>mation regarding the OS/400 file processing support<br />
<strong>for</strong> library, integrated file system, SAVF (save files), and spool files<br />
• Chapter 9. Provides detailed in<strong>for</strong>mation regarding old ZIP files, temporary<br />
archives, and new ZIP archives<br />
• Chapter 10. Provides s quick reference to how to start using certificates and<br />
file name encryption and discusses how to utilize SecureZIP <strong>for</strong> <strong>iSeries</strong> to<br />
secure your data<br />
• Chapter 11. Provides a summary and detail of the PKZIP command’s<br />
parameters with keyword <strong>for</strong>mats and details<br />
• Chapter 12. Provides a summary and detail of the PKUNZIP command’s<br />
parameters with keyword <strong>for</strong>mats and details<br />
• Chapter 13. Provides a summary and detail of the PKCFGSEC command’s<br />
parameters with keyword <strong>for</strong>mats and details<br />
• Chapter 14. Provides a summary and detail of the PKLDAPTST command’s<br />
parameters with keyword <strong>for</strong>mats and details<br />
• Chapter 15. Provides a summary and detail of the PKBLDCDB command’s<br />
parameters with keyword <strong>for</strong>mats and details<br />
• Chapter 16. Provides a summary and detail of the PKQRYCDB command, used<br />
to query the certificate locator database files or a certificate file in the IFS<br />
• Chapter 17. Describes the PKSTORADM (Certificate Store Administration)<br />
command<br />
• Chapter 18. Describes the GZIP archive <strong>for</strong>mat and the GZIP processing<br />
supported by SecureZIP <strong>for</strong> <strong>iSeries</strong><br />
• Chapter 19. Lists and explains SecureZIP-generated messages<br />
• Glossary. Contains a glossary of OS/400 specific terms<br />
• Index. Contains a detailed list of terms and their locations within this<br />
document<br />
This manual is intended <strong>for</strong> persons responsible <strong>for</strong> implementing and using<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong>. The manual assumes that the reader has a good<br />
understanding of CL and dataset processing.<br />
Conventions Used in this Manual<br />
Throughout this manual, the following conventions are used:<br />
The use of the Courier font indicates text that may be found in control language<br />
(CL), parameter controls, or printed output.<br />
The use of italics indicates a value that must be substituted by the user, <strong>for</strong> example,<br />
a dataset name. It may also be used to indicate the title of an associated manual or<br />
the title of a chapter within this manual.<br />
Bullets (•) indicate items (or instructions) in a list.<br />
2
The use of in a command definition indicates a mandatory<br />
parameter.<br />
The use of [square brackets] in a command definition indicates an optional<br />
parameter.<br />
A vertical bar (|) in a command definition is used to separate mutually exclusive<br />
parameter options or modifiers.<br />
Related Publications<br />
The PKZIP family of products includes the following manuals:<br />
• SecureZIP <strong>for</strong> <strong>iSeries</strong> <strong>User's</strong> <strong>Guide</strong><br />
• PKZIP <strong>for</strong> <strong>iSeries</strong> <strong>User's</strong> <strong>Guide</strong><br />
• SecureZIP <strong>for</strong> zSeries <strong>User's</strong> <strong>Guide</strong><br />
• PKZIP <strong>for</strong> zSeries <strong>User's</strong> <strong>Guide</strong><br />
• PKZIP <strong>for</strong> zSeries & PKZIP <strong>for</strong> VSE Messages and Codes<br />
• PKZIP <strong>for</strong> VSE <strong>User's</strong> <strong>Guide</strong><br />
• PKZIP <strong>for</strong> Command Line - UNIX <strong>User's</strong> <strong>Guide</strong><br />
• PKZIP <strong>for</strong> Command Line - Windows <strong>User's</strong> <strong>Guide</strong><br />
Related IBM Publications<br />
IBM manuals relating to the SecureZIP <strong>for</strong> <strong>iSeries</strong> product include:<br />
• System Messages: This manual documents messages issued by the <strong>iSeries</strong><br />
operating system. The descriptions explain why the component issued the<br />
message, provide the actions of the operating system, and suggest responses<br />
by the applications programmer, system programmer, and/or operator.<br />
• OS/400 CL Programming (SC41-5721): This manual provides a widerange<br />
discussion of <strong>iSeries</strong> e Advanced Series programming topics, including:<br />
Control language programming, <strong>iSeries</strong> e Advanced Series programming<br />
concepts, objects and libraries, and message handling.<br />
• OS/400 CL Reference (SC41-5722 thru SC41-5726): This manual may<br />
be used in the <strong>iSeries</strong> In<strong>for</strong>mation Center to find in<strong>for</strong>mation on the following<br />
CL reference topics: OS/400 commands, OS/400 objects, command<br />
description <strong>for</strong>mat, command parts, command syntax, about syntax<br />
diagrams, CL character sets and values, object naming rules, expressions in<br />
CL commands, and command definition statements.<br />
• Integrated File System Introduction (SC41-5711): This book provides<br />
an overview of the integrated file system includes these topics:<br />
• What is the integrated file system?<br />
• Why might you want to use it<br />
• Integrated file system concepts and terminology<br />
• Interfaces you can use to interact with the integrated file system<br />
3
• APIs and techniques you can use to create programs that interact with the<br />
integrated file system<br />
• Characteristics of individual file systems<br />
• File Management (SC41-5710): This manual describes the data<br />
management portion of the Operating System/400 licensed program. Data<br />
management provides applications with access to input and output file data<br />
that is external to the application. There are several types of these input and<br />
output files, and each file type has its own characteristics. In addition, all of<br />
the file types share a common set of characteristics.<br />
• DDS Reference (RBAF-P000-00): This manual contains detailed<br />
instructions <strong>for</strong> coding the data description specifications (DDS) <strong>for</strong> files that<br />
can be described externally. These files are the physical, logical, display,<br />
printer, and intersystem communications functions, hereafter referred to as<br />
ICF files.<br />
Related In<strong>for</strong>mation on the Internet<br />
PKWARE, Inc.<br />
www.pkware.com<br />
FTP site<br />
Product Downloads<br />
Product Manuals<br />
National Institutes of Standards Computer Security Resource Center<br />
http://csrc.ncsl.nist.gov<br />
In<strong>for</strong>mation on AES development<br />
http://csrc.nist.gov/encryption/aes/<br />
In<strong>for</strong>mation on key Management<br />
http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html/<br />
RSA BSAFE ® Content library<br />
http://www.rsasecurity.com<br />
User Help and Contact In<strong>for</strong>mation<br />
For Licensing, please contact the Sales Division at 937-847-2374 or email<br />
PKSALES@PKWARE.COM.<br />
For Technical Support assistance, please contact the Product Services Division at<br />
937-847-2687 or email technical support or visit the support web site<br />
Appendix M lists the types of in<strong>for</strong>mation needed to resolve issues with the product.<br />
4
1 SecureZIP <strong>for</strong> <strong>iSeries</strong><br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> uses two main commands—PKZIP and PKUNZIP—to control<br />
its high-per<strong>for</strong>mance data compression functionality. The PKZIP command launches a<br />
utility that compresses files and places them in a ZIP <strong>for</strong>mat archive. PKUNZIP<br />
reverses this process: it decompresses data in a ZIP archive created by SecureZIP or<br />
another file compression program and restores the files to their original <strong>for</strong>m. Both<br />
commands are controlled by options that allow a variety of functions to be<br />
per<strong>for</strong>med.<br />
Multiple levels of processing control are available through the use of customized<br />
option modules, shared command lists, and individual job inputs. In addition to file<br />
selection, features such as compression levels and per<strong>for</strong>mance selections can be<br />
specified. Also, a 32-bit cyclic redundancy check (CRC) is a standard feature used to<br />
guarantee data integrity.<br />
A ZIP archive is plat<strong>for</strong>m-independent; there<strong>for</strong>e, data compressed (ZIPPED) on one<br />
plat<strong>for</strong>m, <strong>for</strong> example, UNIX, can be decompressed (UNZIPPED) on another plat<strong>for</strong>m,<br />
<strong>for</strong> example, OS/400 and MVS/ESA, by using a compatible version of PKUNZIP.<br />
Data Compression<br />
Because data compression techniques reduce file size, a compressed data file will use<br />
less storage space and can be transferred in a faster, more efficient manner. A file<br />
can be compressed (a ZIP candidate) to a compact size (ZIPPED file), and then to<br />
use the file again, it must be uncompressed or extracted to its original size<br />
(UNZIPPED file).<br />
One easy data compression method eliminates repeating or redundant data by<br />
replacing it with representative in<strong>for</strong>mation that will be used when restoring the<br />
data. An example of this data compression technique is the Run-Length Encoding<br />
method, which applies to redundant data where a repeating character (the run) is<br />
represented as a count or value (the length). The compressed <strong>for</strong>m is the repeated<br />
character with its count.<br />
Example: B 2 2 2 2 E H H H H H H H H H<br />
Compressed: B *4 2 E *9 H<br />
Note: The efficiency of this method is dependent upon the amount of redundancy in<br />
the data.<br />
5
To per<strong>for</strong>m a thorough compression operation, more advanced algorithms and<br />
enhanced techniques are required. SecureZIP <strong>for</strong> <strong>iSeries</strong> uses just such methods<br />
to achieve maximum results.<br />
ZIP Archives<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> is capable of storing compressed data in ZIP archives. There<br />
is no limit to the number of archives you may create.<br />
ZIP archive capability:<br />
• ZIP archive refers to any valid ZIP-<strong>for</strong>mat file created by a PKZIP ® 4.xcompatible<br />
product.<br />
• ZIP64 refers to ZIP archives that include the ZIP64 <strong>for</strong>mat that can handle<br />
more than 65,534 files and files that exceed 4 GB. (See “Large Files<br />
Considerations”).<br />
• Each standard archive can store up to 65,534 files.<br />
• Files that are over 4 GB have to be archived with GIZP or by using the Large<br />
File Support.<br />
• Each standard archive may contain up to 4 GB of data. ZIP64 is required <strong>for</strong><br />
larger archives.<br />
For each file in the archive, the following in<strong>for</strong>mation is stored with the compressed<br />
data:<br />
• Filename.<br />
• File directory date and time.<br />
• File’s initial CRC value (see Cyclic Redundancy Check).<br />
• Method of compression used.<br />
• SecureZIP <strong>for</strong> <strong>iSeries</strong> version required <strong>for</strong> file extraction.<br />
• File size, uncompressed.<br />
• File size, compressed.<br />
Some files may contain the following additional in<strong>for</strong>mation:<br />
• The version of SecureZIP <strong>for</strong> <strong>iSeries</strong> that created the file.<br />
• File attributes.<br />
• Any comment about the file.<br />
• Any comment about the archive.<br />
• Plat<strong>for</strong>m specific attributes (see Cross Plat<strong>for</strong>m Compatibility).<br />
• If encrypted and what method of encryption.<br />
Cyclic Redundancy Check<br />
Cyclic redundancy check (CRC) is a method used to verify the integrity of a data file<br />
after it is restored from a ZIP archive.<br />
6
Be<strong>for</strong>e a file is compressed, a SecureZIP <strong>for</strong> <strong>iSeries</strong> algorithm computes a 32 bit<br />
hexadecimal value <strong>for</strong> its data. The CRC value is stored in a file that is within the ZIP<br />
archive. When the data in the file is extracted, SecureZIP <strong>for</strong> <strong>iSeries</strong> processes it<br />
again using the same algorithm to produce a second CRC value. Once the file is<br />
processed, the original CRC value is compared to the new CRC value to ensure that<br />
they match.<br />
Note: If the data is the same as its previous state, the same CRC value will be<br />
produced. When the two CRC values are compared, and should the extracted value<br />
not match the stored, initial value, the integrity of the file is in question and<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> reports the results. In this case, it is possible the data was<br />
corrupted within the ZIP Archive.<br />
Encryption<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> can encrypt data <strong>for</strong> security control and provide a password<br />
lockout <strong>for</strong> extracting data. Various security levels are available, with multiple<br />
encryption algorithms. See Chapter 2 <strong>for</strong> a description of security features in<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong>.<br />
Large Files Considerations<br />
Large File Support Summary<br />
The large file support feature known as ZIP64 throughout this manual was added to<br />
PKZIP <strong>for</strong> <strong>iSeries</strong> in release 5.6. This separately licensed feature of SecureZIP <strong>for</strong><br />
<strong>iSeries</strong> provides several enhancements relating to capacity, size, and per<strong>for</strong>mance.<br />
Some of the key features include:<br />
Processing support (ZIP and UNZIP) <strong>for</strong> Archives enabled with the standard ZIP64<br />
<strong>for</strong>mats from other plat<strong>for</strong>ms.<br />
An increased ZIP archive file capacity is raised from 65,534 to the theoretical limit of<br />
4,294,967,295 files.<br />
An increased user file size handler, raised from 4 Gigabytes minus 1 byte (32 bit<br />
binary counter) to a theoretical limit of 9 Exabytes (64 bit binary counter).<br />
An increased support <strong>for</strong> ZIP archive sizes exceeding 4 Gigabytes (same as user file<br />
size limit).<br />
The preceding values are given only as theoretical limits. In practice, there are<br />
reasonable limitations due to the availability of resources along with processing<br />
tolerances.<br />
Note: 4 GB or Gigabyte is equal to 4,294,967,295 bytes. 9 EB or Exabyte is equal to<br />
9,223,372,036,854,775,807 bytes.<br />
Large File Support File Capacities<br />
The original .ZIP file <strong>for</strong>mat has faithfully met the needs of computer users since it<br />
was introduced by PKWARE in 1989. As computer technology has advanced over<br />
time, storage capacities have increased dramatically. These increases make the<br />
7
numbers and sizes of files that seemed unimaginable ten years ago a reality today.<br />
To extend the utility of the .ZIP file <strong>for</strong>mat to meet these changing system needs,<br />
PKWARE extended the .ZIP file <strong>for</strong>mat to support more than 65,535 files per archive<br />
and archive sizes greater than 4 Gigabytes (GB). This is known as the ZIP64 <strong>for</strong>mat.<br />
The specification <strong>for</strong> the .ZIP file <strong>for</strong>mat has been publicly available and distributed<br />
by PKWARE in a file called APPNOTE.TXT. This file documents the internal data<br />
structures and layout that define a .ZIP archive. The extensions introduced by<br />
PKWARE fully supports all the features of your existing archives and newer versions<br />
of PKZIP that supports these new extensions will continue to read all of your current<br />
archives. Prior to the PKZIP <strong>for</strong> <strong>iSeries</strong> 5.6 release, versions of PKZIP on the<br />
OS/400 were limited to storing no more than 65,534 files in a .ZIP archive.<br />
Another limitation that existed prior to the 5.6 version of the PKZIP <strong>for</strong> <strong>iSeries</strong> was<br />
that a single .ZIP archive or files in archive could not be larger than 4 GB<br />
(4,294,967,295 bytes). The extended ZIP64 file <strong>for</strong>mat specification available with<br />
PKZIP 5.6 supports creating .ZIP archives containing over 4 billion files and with<br />
sizes larger than 9 quintillion bytes. These are only theoretical limits and most<br />
<strong>iSeries</strong> systems and other computer systems in common use today do not have<br />
enough storage capacity, CPU or available memory to create and store ZIP64<br />
archives approaching these limits.<br />
The practical limits imposed by a typical <strong>iSeries</strong> system in use today and configured<br />
with various memory sizes will support compressing up to approximately 265,000<br />
files. Compressing this number of files can take a long time, not only <strong>for</strong> the<br />
compression process, but to manage the directories and properties of each of these<br />
files.<br />
Your available system resources (processor speed, DADS, Memory, and other<br />
processing) limits the per<strong>for</strong>mance you can expect from SecureZIP when processing<br />
large numbers of files or large archives. If you are compressing large numbers of<br />
files on an <strong>iSeries</strong> with insufficient memory or other resources you can expect slow<br />
processing.<br />
When compressing large files, it is a good idea to have your archives set up to be<br />
stored in the IFS rather than in a library/file. The overhead is much less when storing<br />
the archive in the IFS. It is even more important when updating or adding to an<br />
archive where the temporary archive will also be processed in the IFS<br />
Versions of PKZIP <strong>for</strong> <strong>iSeries</strong> prior to 5.6 will not recognize these new features and<br />
will be unable to view or extract any files in your archives that are dependent on<br />
these ZIP64 features. Also, any ZIP compatible programs you may be using from<br />
other companies will not be able to access all of the contents of your large archives.<br />
They may report that an archive is too large, or they may incorrectly report that the<br />
archive has errors. To ensure access to data in your large archives, always use<br />
genuine PKZIP/SecureZIP from PKWARE.<br />
Cross Plat<strong>for</strong>m Compatibility<br />
Cross plat<strong>for</strong>m compatibility provides SecureZIP <strong>for</strong> <strong>iSeries</strong> its ability to allow data<br />
to move between different computer operating environments. SecureZIP was<br />
intentionally designed <strong>for</strong> cross plat<strong>for</strong>m use. Regardless of plat<strong>for</strong>m, SecureZIP <strong>for</strong><br />
<strong>iSeries</strong> archives are compatible with PKZIP <strong>for</strong> zSeries, PKZIP <strong>for</strong> MVS, PKZIP<br />
<strong>for</strong> OS/400, PKZIP <strong>for</strong> VSE, PKZIP <strong>for</strong> UNIX, PKZIP <strong>for</strong> LINUX, PKZIP <strong>for</strong><br />
DOS, and PKZIP <strong>for</strong> Windows to name a few. Because SecureZIP <strong>for</strong> <strong>iSeries</strong><br />
8
automatically converts the data between EBCDIC and ASCII, files prepared on the<br />
host are readable on any PC or UNIX system. The internal <strong>for</strong>mat of a ZIP archive is<br />
identical regardless of which plat<strong>for</strong>m compressed the files that the archive contains.<br />
If you want to transfer data across plat<strong>for</strong>ms using any other ZIP utility, you should<br />
always run a test to verify the cross plat<strong>for</strong>m compatibility.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> uses the same ZIP file <strong>for</strong>mat used by other ZIP compatible<br />
products, independent of the plat<strong>for</strong>m on which it is running. SecureZIP <strong>for</strong> <strong>iSeries</strong><br />
archives are not plat<strong>for</strong>m dependent allowing greater flexibility in file usage. Data<br />
can be zipped on one plat<strong>for</strong>m, <strong>for</strong> example UNIX, and unzipped onto another<br />
plat<strong>for</strong>m, such as OS/400. To do this, SecureZIP <strong>for</strong> <strong>iSeries</strong> converts the data<br />
structure into the ZIP <strong>for</strong>mat and saves the appropriate file in<strong>for</strong>mation in the ZIP<br />
archival directory entries.<br />
ZIP File Format Specification<br />
The following table lists features of the ZIP file <strong>for</strong>mat specification supported on the<br />
zSeries and <strong>iSeries</strong> plat<strong>for</strong>ms.<br />
ZIP Feature Version MVS/zSeries OS400/<strong>iSeries</strong><br />
Default 1.0<br />
File represents a volume label 1.1 Not supported Not supported<br />
File represents a folder 2.0 Not supported Not supported<br />
Deflate compression 2.0 2.x 2.x<br />
Traditional encryption 2.0 2.x 2.x<br />
Deflate64 compression 2.1 Not supported Not supported<br />
DCL Implode compression 2.5 Not supported Not supported<br />
File is a patched data set 2.7 Not supported Not supported<br />
File uses Zip64 size extensions 4.5 5.6 5.6<br />
BZip2 compression 4.6 Not supported Not supported<br />
DES encryption 5.0 8.0 8.0<br />
3DES encryption 5.0 8.0 8.0<br />
RC2 encryption 5.0 Not supported Not supported<br />
RC4 encryption 5.0 8.0 8.0<br />
AES encryption 5.1 5.5 5.5<br />
Certificate encryption using non-OAEP key wrapping 6.1 8.0 8.0<br />
Central Directory Encryption (File Name Encryption) 6.2 8.0 8.0<br />
If you want to transfer data across plat<strong>for</strong>ms using any other ”ZIP compatible”<br />
product, you should check with the supplier first to confirm which versions of PKZIP<br />
it is compatible with.<br />
For more in<strong>for</strong>mation regarding data <strong>for</strong>mats, see “Data Format - Text Records vs.<br />
Binary Records” in Chapter 6 <strong>for</strong> a discussion regarding special considerations when<br />
transferring files between different plat<strong>for</strong>m types.<br />
9
Release Summary<br />
New Features in SecureZIP <strong>for</strong> <strong>iSeries</strong> Release 8.1<br />
• File and archive signing<br />
• File and archive authentication<br />
• Digital signing and authentication<br />
• Support <strong>for</strong> a static certificate revocation list<br />
• Master recipient/contingency key <strong>for</strong> use with strong encryption<br />
• New command PKSTORADM – Certificate Store Administration<br />
• New command PKQRYCDB – Query Certificate Locator Database<br />
New Features in SecureZIP <strong>for</strong> <strong>iSeries</strong> Release 8.0<br />
• Product separation: PKZIP <strong>for</strong> <strong>iSeries</strong> and SecureZIP <strong>for</strong> <strong>iSeries</strong><br />
• BSAFE ® encryption<br />
• More encryption algorithms <strong>for</strong> strong security<br />
• Per<strong>for</strong>mance improvement with AES encryption<br />
• ZIP and UNZIP supports encrypting and decrypting using digital certificates.<br />
• Support <strong>for</strong> storing and managing digital certificates<br />
• Support <strong>for</strong> utilizing directory integration (LDAP) <strong>for</strong> public certificate access<br />
• File name encryption<br />
• More translations tables included <strong>for</strong> ASCII-EDCDIC translations<br />
• Provided the ability to have embedded spaces in the EXCLUDE file names<br />
• Added the new option *LIBS to Spool File selection parameter SFQUEUE. By<br />
specifying *LIBS (Library Scan) <strong>for</strong> the OUTQ and a valid OUTQ library name,<br />
PKZIP will only select spool files from all OUTQs in the specified library.<br />
• Expanded the CRTLIST file name parameter to handle up to 255 characters<br />
<strong>for</strong> longer paths in the IFS<br />
• Added *SIMULATE to the CRTLIST parameter in the PKZIP command.<br />
*SIMULATE will list all files selected instead of writing the selected list to a<br />
file.<br />
• Default Changes: For SecureZIP ADVCRYPT is now AES256<br />
• New Commands: PKCFGSEC –Update Security Configuration, PKLDAPTST -<br />
LDAP Testing, and PKBLDCDB –Build Certificate Locator Database<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> Restrictions<br />
Due to various <strong>iSeries</strong> processing characteristics, the following restrictions should be<br />
carefully reviewed to determine the best way to proceed when using SecureZIP <strong>for</strong><br />
<strong>iSeries</strong>:<br />
10
SecureZIP <strong>for</strong> <strong>iSeries</strong> in the QSYS file system will only work with objects that have<br />
an object type of *FILE and an attribute of PF-DTA, PF-SRC, and SAVF. To process<br />
other objects such as *PGM, *CMD, etc., use the SAVF method (see “Use of SAVF<br />
Method” in Chapter 3).<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> in the integrated file system (IFS) will only work with stream<br />
files (*STRM) and directories (*DIR).<br />
Special database functionality, such as triggers, file constraints, alternate collating<br />
sequence, and logical files are not stored in an archive. To maintain this<br />
functionality, use the SAVF method (see “Use of SAVF Method”).<br />
Special database fields <strong>for</strong> large objects (LOB) are not supported. These fields<br />
include: character large objects (CLOBs), double-byte character large objects<br />
(DBCLOBs), and binary large objects (BLOBs). In cases where the database contains<br />
one of these types of fields, use the SAVF Method.<br />
11
2 Data Security<br />
This chapter details how SecureZIP <strong>for</strong> <strong>iSeries</strong> can strongly encrypt data <strong>for</strong><br />
security control and protection. Much of the reference in<strong>for</strong>mation in this chapter<br />
derives from the National Institutes of Standards and Technology. The NIST<br />
Computer Security Resource Center web site, http://csrc.ncsl.nist.gov/, contains<br />
FAQ’s and documentation relating to computer security along with the Federal<br />
In<strong>for</strong>mation Processing Standard (FIPS) documents. In addition, the PKWARE web<br />
site, WWW.PKWARE.COM, contains in<strong>for</strong>mation relating to security and links to the<br />
RSA Security, Inc web site that describes in detail the BSAFE implementation used in<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong>.<br />
The following sections describe encryption, authentication, types of algorithms in<br />
use, in<strong>for</strong>mation about specific mandates requiring the use of secure data and how<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> will secure that data. Examples of how SecureZIP <strong>for</strong><br />
<strong>iSeries</strong> can be used are provided in Chapter 10. Documentation <strong>for</strong> each command<br />
can be found in the subsequent chapters.<br />
Encryption<br />
Encryption provides confidentiality <strong>for</strong> data. The data to be protected is called<br />
plaintext. Encryption trans<strong>for</strong>ms the plaintext data into an unreadable <strong>for</strong>m, called<br />
ciphertext, using an encryption key. Decryption trans<strong>for</strong>ms the ciphertext back into<br />
plaintext using a decryption key. Several algorithms have been approved in FIPS <strong>for</strong><br />
the encryption of general purpose data. Each of these algorithms is a symmetric key<br />
algorithm, where the encryption key is the same as the decryption key. In order to<br />
maintain the confidentiality of the data encrypted by a key, the key must be known<br />
only by the entities that are authorized to access the data. These symmetric key<br />
algorithms are commonly known as block cipher algorithms, because the encryption<br />
and decryption processes each operate on blocks (chunks) of data of a fixed size.<br />
FIPS 46-3 and FIPS 197 have been approved <strong>for</strong> the encryption of general-purpose<br />
data. The protection of keys is discussed below under Key Management.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> uses symmetric key algorithms when encrypting user data.<br />
12
Authentication<br />
Authentication is the process of validating digital signatures that may be attached to<br />
files in an archive or to an archive’s central directory.<br />
Authentication is a separate operation from data encryption. Whereas encryption is<br />
concerned with preventing parties from accessing sensitive data (such as private<br />
medical or financial in<strong>for</strong>mation), authentication confirms that in<strong>for</strong>mation actually<br />
comes unchanged from the purported source.<br />
Authenticating digitally signed data both verifies the signature and validates the<br />
signed data.<br />
Data Integrity<br />
SecureZIP uses a cyclic redundancy check (CRC) to ensure that data is successfully<br />
transferred into and out of a ZIP archive. The CRC process creates a unique hash<br />
value “thumbprint” from the original data stream. The thumbprint is regenerated at<br />
the receiving end and compared with the hash of the source <strong>for</strong> equality. The<br />
thumbprint value is stored independently of the data stream and is used during<br />
UNZIP processing to complete validation of the data.<br />
SecureZIP extends the concept of the CRC in two ways <strong>for</strong> the purpose of providing<br />
a tamper-resistant container within the ZIP archive. First, more rigorous HASH<br />
algorithms (MD5 and SHA-1) are used (as specified by the SIGN_HASHALG<br />
command) in place of the 32-bit CRC to accurately reflect the uniqueness of the data<br />
stream. Second, the hash value is encrypted within a digital signature using a<br />
private-key certificate to protect it from tampering.<br />
For more in<strong>for</strong>mation regarding SHA-1 (Secure Hash Algorithm), see FIPS PUB 180-<br />
1, describing the Secure Hash Standard, at http://www.itl.nist.gov/fipspubs/fip180-<br />
1.htm.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> provides two commands, SIGN_ARCHIVE and SIGN_FILES,<br />
to intiate the creation of digital signatures within the ZIP archive. The AUTHCHK<br />
command is used to per<strong>for</strong>m a tamper check operation using the digital signature<br />
and hash.<br />
Digital Signature Validation<br />
SecureZIP makes use of certificate-based encryption within the public key<br />
infrastructure (PKI) to generate and validate digital signatures. PKI provides an<br />
authentication chain <strong>for</strong> certificates to guarantee that the signature was created by<br />
the purported source. SecureZIP supports the certificate chain authentication<br />
process by including necessary identification in<strong>for</strong>mation within the ZIP archive.<br />
Subsequently, the certificate(s) used <strong>for</strong> signing can be authenticated through a<br />
complete chain of trust.<br />
To complete the chain of trust, a root (or self-signed) certificate representing the<br />
certificate’s issuing organization is installed on the authenticating system. This<br />
provides the receiving organization with the authority to declare how the final trust<br />
sequence should be treated. Signatures based on certificates from certificate<br />
authorities (CA) that are not authorized or trusted are declared as being untrusted<br />
by SecureZIP.<br />
13
Additional facets of validating a certificate’s viability <strong>for</strong> use include a defined range<br />
of dates within which a certificate may be used and whether the certificate has been<br />
declared to have been revoked. Configurable SecureZIP policies (EXPIRED and<br />
REVOKED attributes) provide support to ensure that the certificates involved in<br />
authentication also adhere to these restrictions.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> provides a means to install and access the certificates<br />
necessary <strong>for</strong> signing and authentication. The AUTHCHK command, along with<br />
configured policy settings governs the type (archive directory or data files) and level<br />
of authentication that is to be per<strong>for</strong>med.<br />
Digital Signature Source Validation<br />
A final step in completing the authentication process is to ensure that the archive<br />
and/or file data was sent from a particular source. Up to this point, using the<br />
previous two aspects of authentication, we are certain that the archive directory<br />
and/or files were signed with a private-key certificate that came from a trusted<br />
source (CA) and that the data stream has not been tampered with since it was<br />
placed into the ZIP archive. However, these steps alone do not guarantee that a<br />
different party under the same root/CA chain did not per<strong>for</strong>m the signing operation.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> provides an optional parameter in the AUTHCHK command<br />
to declare the specific party from whom the data is expected.<br />
Public-Key Infrastructure and Digital Certificates<br />
Public-Key Infrastructure (PKI)<br />
Use of digital certificates <strong>for</strong> encryption and digital signing relies on a combination of<br />
supporting elements known as a public-key infrastructure (PKI). These elements<br />
include software applications such as SecureZIP that work with certificates and keys<br />
as well as underlying technologies and services.<br />
The heart of PKI is a mechanism by which two cryptographic keys associated with a<br />
piece of data called a certificate are used <strong>for</strong> encryption/decryption and <strong>for</strong> digital<br />
signing and authentication. The keys look like long character strings but represent<br />
very large numbers. One of the keys is private and must be kept secure so that only<br />
its owner can use it. The other is a public key that may be freely distributed <strong>for</strong><br />
anyone to use to encrypt data intended <strong>for</strong> the owner of the certificate or to<br />
authenticate signatures.<br />
How the Keys Are Used<br />
With encryption/decryption, a copy of the public key is used to encrypt data such<br />
that only the possessor of the private key can decrypt it. Thus anyone with the public<br />
key can encrypt <strong>for</strong> a recipient, and only the targeted recipient has the key with<br />
which to decrypt.<br />
With digital signing and authentication, the owner of the certificate uses the private<br />
key to sign data, and anyone with access to a copy of the certificate containing the<br />
public key can authenticate the signature and be assured that the signed data really<br />
proceeds unchanged from the signer.<br />
14
Authentication has one additional step. As an assurance that the signer is who he<br />
says he is—that the certificate with Bob’s name on it is not fraudulent—the signer’s<br />
certificate itself is signed by an issuing certificate authority (CA). The CA in effect<br />
vouches that Bob is who he says he is. The CA signature is authenticated using the<br />
public key of the CA certificate used. This CA certificate too may be signed, but at<br />
some point the trust chain stops with a self-signed root CA certificate that is simply<br />
trusted. The PKI provides <strong>for</strong> these several layers of end-user public key certificates,<br />
intermediate CA certificates, and root certificates, as well as <strong>for</strong> users’ private keys.<br />
X.509<br />
X.509 is an International Telecommunication Union (ITU-T) standard <strong>for</strong> PKI. X.509<br />
specifies, among other things, standard <strong>for</strong>mats <strong>for</strong> public-key certificates. A publickey<br />
certificate consists of the public portion of an asymmetric cryptographic key (the<br />
public key), together with identity in<strong>for</strong>mation, such as a person’s name, all signed<br />
by a certificate authority. The CA essentially guarantees that the public key belongs<br />
to the named entity.<br />
Digital Certificates<br />
A digital certificate is a special message that contains a public key and identify<br />
in<strong>for</strong>mation, such as the owner’s name and perhaps email address, about the owner.<br />
An ordinary, end-user digital certificate is digitally signed by the CA that issued it to<br />
warrant that the CA issued the certificate and has received satisfactory<br />
documentation that the owner of the certificate is who he says he is. This warrant,<br />
from a trusted CA, enables the certificate to be used to support digital signing and<br />
authentication, and encryption of data uniquely <strong>for</strong> the owner of a certificate.<br />
For example, Web servers frequently use digital certificates to authenticate the<br />
server to a user and create an encrypted communications session to protect<br />
transmitted secret in<strong>for</strong>mation such as Personal Identification Numbers (PINs) and<br />
passwords.<br />
Similarly, an email message may be digitally signed, enabling the recipient of the<br />
message to authenticate its authorship and that it was not altered during<br />
transmission.<br />
To use PKI technology in SecureZIP <strong>for</strong> <strong>iSeries</strong> <strong>for</strong> encryption and to attach digital<br />
signatures, you must have a digital certificate. To learn how to get a digital<br />
certificate and to use certificates <strong>for</strong> encryption, see Chapter 10.<br />
Certificate Authority (CA)<br />
A certificate authority (CA) is a company (usually) that, <strong>for</strong> a fee, will issue a publickey<br />
certificate. The CA signs the certificate to warrant that the CA issued the<br />
certificate and has received satisfactory documentation that the owner of the new<br />
certificate is who he says he is.<br />
Private Key<br />
A digital certificate contains both private and public portions of an asymmetric<br />
cryptographic key together with identity in<strong>for</strong>mation, such as a person's name and<br />
(possibly) email address. The private portion of the key is called the private key and<br />
15
is used to decrypt data encrypted with the associated public key and to attach digital<br />
signatures.<br />
A private key must be accessible solely by the owner of the certificate because it<br />
represents that person and provides access to encrypted data intended only <strong>for</strong> the<br />
owner.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> uses a private key maintained in x.509 PKCS#12 <strong>for</strong>mat.<br />
This means that the private key cannot be accessed unless a password is entered <strong>for</strong><br />
each SecureZIP request.<br />
Public Key<br />
A public key consists of the public portion of an asymmetric cryptographic key in a<br />
certificate that also contains identity in<strong>for</strong>mation, such as the certificate owner’s<br />
name.<br />
The public key is used to authenticate digital signatures created with the private key<br />
and to encrypt files <strong>for</strong> the owner of the key’s certificate.<br />
For in<strong>for</strong>mation on the digital enveloping process SecureZIP <strong>for</strong> <strong>iSeries</strong> uses <strong>for</strong><br />
certificate-based encryption, see the Secure .ZIP Envelopes whitepaper at the<br />
PKWARE Web site.<br />
Certificate Authority and Root Certificates<br />
End entity certificates and their related keys are used <strong>for</strong> signing and authentication.<br />
They are created at the end of the trust hierarchy of certificate authorities. Each<br />
certificate is signed by its CA issuer and is identified in the “Issued By” field in the<br />
end certificate. In turn, a CA certificate can also be issued by a higher level CA. Such<br />
certificates are known as intermediate CA certificates. At the top of the issuing chain<br />
is a self-signed certificate known as the root.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> uses public-key certificates in PKCS#7 <strong>for</strong>mat. The<br />
intermediate CA certificates are maintained independently from the ROOT<br />
certificates.<br />
Types of Encryption Algorithms<br />
FIPS 46-3, Data Encryption Standard (DES)<br />
The FIPS (Federal In<strong>for</strong>mation Processing Standards) specification 46-3 <strong>for</strong>merly<br />
specified the DES algorithm <strong>for</strong> use in Federal government applications. In 2004, the<br />
specification was changed such that DES is no longer approved <strong>for</strong> Federal<br />
government applications.<br />
Triple DES Algorithm (3DES)<br />
Triple DES is a more recent algorithm related to DES. Triple DES is a method <strong>for</strong><br />
encrypting data in 64-bit blocks using three 56-bit keys by combining three<br />
successive invocations of the DES algorithm.<br />
16
ANSI X9.52 specifies seven modes of operation <strong>for</strong> 3DES and three keying options:<br />
1) the three keys may be identical (one key 3DES), 2) the first and third key may be<br />
the same but different from the second key (two key 3DES), or 3) all three keys may<br />
be different (three key 3DES). One key 3DES is equivalent to DES under the same<br />
key; there<strong>for</strong>e, one key 3DES, like DES, will not be approved after 2004. Two key<br />
3DES provides more security than one key 3DES (or DES), and three key 3DES<br />
achieves the highest level of security <strong>for</strong> 3DES. NIST recommends the use of three<br />
different 56-bit keys in Triple DES <strong>for</strong> Federal Government sensitive/unclassified<br />
applications.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> uses three-key 3DES when Triple DES is selected as the data<br />
encryption algorithm.<br />
Advanced Encryption Standard (AES)<br />
The Advanced Encryption Standard (AES) encryption algorithm specified in FIPS 197<br />
is the result of a multiyear, worldwide competition to develop a replacement<br />
algorithm <strong>for</strong> DES. The winning algorithm (originally known as Rijndael) was<br />
announced in 2000 and adopted in FIPS 197 in 2001.<br />
The AES algorithm encrypts and decrypts data in 128-bit blocks, with three possible<br />
key sizes: 128, 192, or 256 bits. The nomenclature <strong>for</strong> the AES algorithm <strong>for</strong> the<br />
different key sizes is AES-x, where x is the size of the AES key. NIST considers all<br />
three AES key sizes adequate <strong>for</strong> Federal Government sensitive/unclassified<br />
applications.<br />
Please see http://www.nist.gov/public_affairs/releases/g00-176.htm a press release<br />
recapping NIST’s position<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> uses AES as the default encryption algorithm.<br />
Comparison of the 3DES and AES Algorithms<br />
Both the 3DES and AES algorithms are considered to be secure <strong>for</strong> the <strong>for</strong>eseeable<br />
future. Below are some points of comparison:<br />
• 3DES builds on DES implementations and is readily available in many<br />
cryptographic products and protocols. The AES algorithm is new; although<br />
many implementers are quickly adding the algorithm to their products, and<br />
protocols are being modified to incorporate the algorithm, it may be several<br />
years be<strong>for</strong>e the AES algorithm is as pervasive as 3DES.<br />
• The AES algorithm was designed to provide better per<strong>for</strong>mance (e.g., faster<br />
speed) than 3DES.<br />
• Although the security of block cipher algorithms is difficult to quantify, the<br />
AES algorithm, at any of the key sizes, appears to provide greater security<br />
than 3DES. In particular, the best attack known against AES-128 is to try<br />
every possible 128-bit key (i.e., per<strong>for</strong>m an exhaustive key search, also<br />
known as a brute <strong>for</strong>ce attack)). By contrast, although three key 3DES has a<br />
168-bit key, there is a “shortcut” attack on 3DES that is comparable, in the<br />
number of required operations, to per<strong>for</strong>ming an exhaustive key search on<br />
112-bit keys. However, unlike exhaustive key search, this shortcut attack<br />
requires a lot of memory. Assuming that such shortcut attacks are not<br />
discovered <strong>for</strong> the AES algorithm, the uses of the AES algorithm may be more<br />
appropriate <strong>for</strong> the protection of high-risk or long-term data.<br />
17
• The smallest AES key size is 128 bits; the recommended key size <strong>for</strong> 3DES is<br />
168 bits. The smaller key size means that fewer resources are needed <strong>for</strong> the<br />
generation, exchange, and storage of key bits.<br />
• The AES block size is 128 bits; the 3DES block size is 64 bits. For some<br />
constrained environments, the smaller block size may be preferred; however,<br />
the larger AES block size is more suitable <strong>for</strong> cryptographic applications,<br />
especially those requiring data authentication on large amounts of data.<br />
See http://www.nist.gov/public_affairs/releases/g00-176.htm <strong>for</strong> a press release<br />
describing NIST’s position on the two algorithms.<br />
With a block cipher algorithm, the same plaintext block will always encrypt to the<br />
same ciphertext block whenever the same key is used. If the multiple blocks in a<br />
typical message were to be encrypted separately, an adversary could easily<br />
substitute individual blocks, possibly without detection. Furthermore, data patterns<br />
in the plaintext would be apparent in the ciphertext. Cryptographic modes of<br />
operation have been defined to alleviate these problems by combining the basic<br />
cryptographic algorithm with a feedback of the in<strong>for</strong>mation derived from the<br />
cryptographic operation.<br />
FIPS 81, DES Modes of Operation, defines four confidentiality (encryption) modes <strong>for</strong><br />
the DES algorithm specified in FIPS 46-3: the Electronic Codebook (ECB) mode, the<br />
Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the<br />
Output Feedback (OFB) mode.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> uses Cipher Block Chaining <strong>for</strong> data encryption.<br />
RC4<br />
The RC4 algorithm is a stream cipher designed by Rivest <strong>for</strong> RSA Security. It is a<br />
variable key-size stream cipher with byte-oriented operations. The algorithm is<br />
based on the use of a random permutation. Analysis shows that the period of the<br />
cipher is overwhelmingly likely to be greater than 10 100 . Eight to sixteen machine<br />
operations are required per output byte, and the cipher can be expected to run very<br />
quickly in software. Independent analysts have scrutinized the algorithm and it is<br />
considered secure.<br />
RC4 is used <strong>for</strong> secure communications, as in the encryption of traffic to and from<br />
secure web sites using the SSL protocol.<br />
Key Management<br />
The proper management of cryptographic keys is essential to the effective use of<br />
cryptography <strong>for</strong> security. Keys are analogous to the combination of a safe. If the<br />
combination becomes known to an adversary, the strongest safe provides no security<br />
against penetration. Similarly, poor key management may easily compromise strong<br />
algorithms. Ultimately, the security of in<strong>for</strong>mation protected by cryptography directly<br />
depends on the strength of the keys, the effectiveness of mechanisms and protocols<br />
associated with keys, and the protection af<strong>for</strong>ded the keys.<br />
Cryptography can be rendered ineffective by the use of weak products, inappropriate<br />
algorithm pairing, poor physical security, and the use of weak protocols. All keys<br />
need to be protected against modification, and secret and private keys need to be<br />
protected against unauthorized disclosure. Key management provides the foundation<br />
18
<strong>for</strong> the secure generation, storage, distribution, and destruction of keys. Another role<br />
of key management is key maintenance, specifically, the update/replacement of<br />
keys.<br />
Further in<strong>for</strong>mation is available on key management at the NIST Computer Security<br />
Resource Center web site, http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html<br />
Passwords and PINS<br />
FIPS 112, Password Usage, provides guidance on the generation and management of<br />
passwords that are used to authenticate the identity of a system user and, in some<br />
instances, to grant or deny access to private or shared data. This standard<br />
recognizes that passwords are widely used in computer systems and networks <strong>for</strong><br />
these purposes, although passwords are not the only method of personal<br />
authentication, and the standard does not endorse the use of passwords as the best<br />
method.<br />
The password used to encrypt a file with SecureZIP may be from 1 to 200 characters<br />
in length. Different passwords may be used <strong>for</strong> various files within a ZIP archive,<br />
although only one password may be specified per run.<br />
The password is not stored in the ZIP archive and, as a result, care must be taken to<br />
keep passwords secure and accessible by some other source.<br />
Recipient Based Encryption<br />
Password-based encryption depends on both the sender and receiver knowing, and<br />
providing intellectual input (the password) in clear text. The password is used to<br />
derive a binary master session key <strong>for</strong> each decryption run. No key in<strong>for</strong>mation is<br />
kept within the ZIP Archive, there<strong>for</strong>e both parties must retain the password in an<br />
external location.<br />
Recipient-based encryption provides a means by which the master session key (MSK)<br />
in<strong>for</strong>mation can be hidden, protected, and carried within the ZIP Archive. This is<br />
done by using technique known as Digital Enveloping with public key Encryption. The<br />
technique requires that the creating process have a copy of the recipient's public key<br />
Digital Certificate, which is used to protect and store the MSK. In addition, the<br />
receiving side must have a copy of the recipient’s private key digital certificate. With<br />
these two pieces of in<strong>for</strong>mation in place, there is no need <strong>for</strong> users to retain or recall<br />
a password <strong>for</strong> decryption.<br />
Random Number Generation<br />
Random numbers are used within many cryptographic applications, such as the<br />
generation of keys and other cryptographic values, the generation of digital<br />
signatures, and challenge response protocols. Some approved algorithms to produce<br />
random numbers have been specified in FIPS 186-2, Digital Signature Standard. An<br />
ef<strong>for</strong>t is in progress by the Financial Services Committee of ANSI to develop a<br />
random number generation standard.<br />
19
Integrity of Public and Private Keys<br />
Public and private keys must be managed properly to ensure their integrity. The key<br />
owner is responsible <strong>for</strong> protecting private keys. The private signature key must be<br />
kept under the sole control of the owner to prevent its misuse. The integrity of the<br />
public key, on the other hand, is established through a digital certificate issued by a<br />
certificate authority that cryptographically binds the individual’s identity to his or her<br />
public key. Binding the individual’s identity to the public key corresponds to the<br />
protection af<strong>for</strong>ded to an individual’s private signature key.<br />
A PKI includes the ability to recover from situations where an individual’s private<br />
signature key is lost, stolen, compromised, or destroyed; this is done by revoking<br />
the digital certificate that contains the private signature key’s corresponding public<br />
key. The user then creates or is issued a new public/private signature key pair, and<br />
receives a new digital certificate <strong>for</strong> the new public key.<br />
The certificate authority (CA) plays a critical role in ensuring the integrity of public<br />
keys in the PKI. Upon being presented with proper evidence of identity (usually<br />
through a separate entity called a Registration authority), the CA issues a digital<br />
certificate which contains the applicant’s public key, identity, and other in<strong>for</strong>mation<br />
(such as duration of the certificate), all signed by the CA’s private signature key. The<br />
certificate may then be distributed or placed in publicly available databases, called<br />
repositories. The CA operates under a Certificate Policy (CP) and Certification<br />
Practices Statement (CPS) that collectively describe the CA’s responsibilities and<br />
duties to its customers and trading partners. These policies include how the CA is<br />
conducting its affairs in compliance with its contracts and, where applicable, federal<br />
or state laws. The uses <strong>for</strong> which a certificate may be employed depend upon the<br />
requirements surrounding its issuance; <strong>for</strong> example, the method of identity proofing<br />
by the RA be<strong>for</strong>e certificate issuance and how well the private signature key is<br />
protected.<br />
Meeting Current Challenges<br />
The need to secure sensitive data during transport and storage is increasingly<br />
evident. Combining proven data compression technology with sophisticated data<br />
security capabilities provides a logical mechanism <strong>for</strong> securely and efficiently storing<br />
and transferring sensitive in<strong>for</strong>mation. Millions of users around the world already rely<br />
on and trust the ZIP <strong>for</strong>mat to store and exchange data. By offering support <strong>for</strong><br />
multiple levels of encryption, SecureZIP <strong>for</strong> <strong>iSeries</strong> is now advancing the usability<br />
and accessibility of file security, enabling ZIP users to achieve more secure and<br />
efficient modes of data communication than were previously possible.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> enables support <strong>for</strong> encryption and meets government<br />
established requirements by applying strong encryption (DES, RC4, 3DES and AES).<br />
See Appendix L <strong>for</strong> FIPS-197 AES Certification of PKZIP.<br />
Industry-Specific Mandates<br />
Financial Services Modernization Act - Gramm-Leach-Bliley Act (GLBA), also known<br />
as the Financial Services Modernization Act, permits the cross ownership of banks,<br />
brokerage firms and insurance companies, which was banned during the Great<br />
Depression. Prompted by the merger of Citicorp and Travelers Insurance, which also<br />
owned brokerage house Salomon Smith Barney, to <strong>for</strong>m what is now known as<br />
20
Citigroup, the GLB Act was enacted in 1999 to enable financial services firms to<br />
provide a wide range of services to their customers. To protect sensitive customer<br />
in<strong>for</strong>mation, the GLB Act requires institutions to ensure the privacy and security of<br />
customer data. Compliance with these security standards requirements is essential<br />
and organizations must have their infrastructures audited to ensure they are meeting<br />
federal guidelines.<br />
The Electronic Signature Act - A digital signature is now just as valid as a<br />
handwritten one. The Electronic Signature Act went into effect in 2000 and states<br />
that a digital signature is legally binding. However, there has been no simple<br />
software tool that a business can give to an employee, or a customer <strong>for</strong> that matter,<br />
that allows individuals to easily invoke a digital signature on a file. By accepting<br />
digital signatures, companies can more expeditiously eliminate paper documents<br />
from processes that once required handwritten ones-such as filing an application <strong>for</strong><br />
a loan or opening a new brokerage account online. This streamlines business' ability<br />
to process transactions by eliminating the need and cost of human intervention, and<br />
it promises to improve customer satisfaction.<br />
The Health Insurance Portability and Accountability Act (HIPAA)- HIPAA allows <strong>for</strong><br />
the secure exchange of patient records between insurance companies and agencies,<br />
including clearing houses and the Medicare and Medicaid programs, with the aim of<br />
simplifying administration. HIPAA stipulates that industry participants should be able<br />
to exchange documentation electronically and that electronic signatures are binding.<br />
Those transmitting the data over networks are responsible <strong>for</strong> encrypting patient<br />
data to assure patient privacy is not compromised. Meeting critical HIPAA electronic<br />
security requirements using SecureZIP extends the trusted de-facto standard ZIP<br />
archive in an evolutionary way to provide persistent secure archive <strong>for</strong> sensitive<br />
medical records <strong>for</strong> online transmission or transport. The United States Department<br />
of Health and Human Services has established rolling deadlines <strong>for</strong> supporting<br />
HIPAA, with some already in effect while others are yet to be determined. HHS<br />
recommends, however, that affected healthcare providers implement standards prior<br />
to any established deadlines. Meeting HIPAA security and electronic signature<br />
requirements now helps protect against fraud and abuse of patient in<strong>for</strong>mation. Once<br />
the rules take effect, those entities that do not protect sensitive patient in<strong>for</strong>mation<br />
as mandated by HIPAA could face criminal penalties and fines of $25,000 per<br />
individual per year.<br />
The Basel II Capital Accord - Basel II is an amended regulatory framework that<br />
has been developed by the Bank of International Settlements that requires all<br />
internationally active banks, at every tier within the banking group, to adopt similar<br />
or consistent risk-management practices <strong>for</strong> tracking and publicly reporting exposure<br />
to operational, credit and market risks. It requires the identification of risks that a<br />
company is exposed to, a report detailing the processes in place <strong>for</strong> identifying and<br />
measuring future risk, and confirmation that sufficient cash reserves are available to<br />
cover all risk exposure – capital held must be closely matched to risks undertaken.<br />
UK Data Protection Act - The Data Protection Act 1998 came into <strong>for</strong>ce on March<br />
1, 2000 and implements the EC Directive. It applies to computerized personal data<br />
as well as data held in structured manual files. There are eight principles put in place<br />
by the DPA to make sure that sensitive personal in<strong>for</strong>mation is handled properly.<br />
They say that data must be:<br />
21
• Fairly and lawfully processed<br />
• Processed <strong>for</strong> limited purposes<br />
• Adequate, relevant and not excessive<br />
• Accurate<br />
• Not kept <strong>for</strong> longer than is necessary<br />
• Processed in line with the individual’s rights<br />
• Secure<br />
• Not transferred to countries without adequate protection<br />
Data Encryption<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> security functions include strong encryption tools using RSA<br />
BSAFE and the PKWARE implementation of the Advanced Encryption Standard.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> provides the option <strong>for</strong> password encryption using DES, RC4,<br />
3DES and AES.<br />
RSA High-Quality Security - RSA Security submits its Crypto-C products <strong>for</strong> FIPS<br />
140 testing and validation. FIPS 140-1 and FIPS 140-2 are U.S. Government<br />
standards which specify the security requirements to be satisfied by a cryptographic<br />
module. RSA Security supports this testing and certification with over 20 years of<br />
experience in the security industry.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> uses a multi-layer key generation process, based on a userspecified<br />
password of up to 200 characters, and/or a user’s digital certificate, that<br />
creates a unique internal key <strong>for</strong> each file being processed. In addition, the same<br />
password will result in a different system generated key <strong>for</strong> each file.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> also implements the use of Cipher Block Chaining (CBC) to<br />
further enhance industry standard encryption algorithms. This feature ensures that<br />
each block of data is uniquely modified, further protecting the data from fraudulent<br />
access.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> encryption is activated through the use of the -PASSWORD<br />
and -RECIPIENT commands. If a value is present <strong>for</strong> either setting, whether through<br />
commands or default settings, then encryption will be attempted in accordance with<br />
other settings (<strong>for</strong> example, -ADVCRYPT); however, if ADVCRYPT=NONE is specified,<br />
then encryption will be bypassed.<br />
The following matrix illustrates cross-product compatibility of encrypted data and<br />
general encryption options available on the operating systems supported by PKZIP.<br />
22
Cross Product Matrix<br />
The following table shows encryption methods and features available with various<br />
PKWARE products.<br />
ENCRYPTION<br />
TYPES/<br />
PRODUCTS<br />
Generic ZIP<br />
Utilities<br />
PKZIP <strong>for</strong><br />
Windows<br />
PKZIP <strong>for</strong><br />
UNIX<br />
PKZIP <strong>for</strong><br />
OS/400<br />
PKZIP <strong>for</strong><br />
zSeries<br />
SecureZIP <strong>for</strong><br />
zSeries<br />
PKZIP <strong>for</strong> VSE<br />
PKZIP <strong>for</strong><br />
MVS 5.5<br />
PKZIP <strong>for</strong><br />
<strong>iSeries</strong><br />
SecureZIP <strong>for</strong><br />
<strong>iSeries</strong><br />
96 bit<br />
Password<br />
X<br />
PKWARE<br />
Certificate*<br />
128, 192, &<br />
256-bit AES<br />
Password<br />
BSAFE®<br />
AES 128,<br />
192, & 256-<br />
bit<br />
CIPHER-<br />
BLOCK<br />
CHAINING<br />
X X X X X X<br />
X X X X X X<br />
X X X<br />
X X X X X<br />
X X X X X X<br />
X<br />
X X X<br />
X X X X X<br />
X X X X X X<br />
BSAFE®<br />
DES, 3DES,<br />
& RC4<br />
*Archives created under PKZIP <strong>for</strong> Windows and PKZIP <strong>for</strong> UNIX using the setting<br />
Strong: Recipient List or Password can be decrypted with the password on <strong>iSeries</strong><br />
systems running release 8.0 or later.<br />
Operating System Levels<br />
V5R1M0 or above is required to run certificate-based operations.<br />
Windows Compatibility<br />
When using BSAFE AES encryption with recipients, there is a cross-system<br />
compatibility issue to be addressed by the user community. Windows operating<br />
systems running pre-Windows XP may experience a decryption problem depending<br />
on the state of the private-key certificate on the workstation. During the Windows<br />
certificate import process, a dialog check-box "Mark the private key as exportable"<br />
may be selected. If this option was not selected, then Windows will not allow an AES<br />
encrypted file to be decrypted unless the master session key was wrapped with<br />
3DES.<br />
The setting of the parameter is enterprise wide and is set using the PKCFGSEC<br />
command. When turned on, the MSK3DES flag is set in the NDH/DIB; indicating that<br />
23
the master session key in<strong>for</strong>mation is protected with 3DES when recipients are<br />
specified.<br />
PKZIP <strong>for</strong> Windows has a variance in processing <strong>for</strong> 6.0 and 7.x due to OAEP<br />
processing. PKZIP <strong>for</strong> Windows 5.0 through 6.0 used OAEP processing. However,<br />
that was found to be incompatible with SmartCards, so 6.1 and above began setting<br />
the NO_OAEP flag in the NDH/DIB flags and stopped creating OAEP encryption-mode<br />
files.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> will always set NO_OAEP, there<strong>for</strong>e PKZIP <strong>for</strong> Windows 5.0 -<br />
6.0 will not be able to read recipient-based files from the large plat<strong>for</strong>ms.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> should be able to detect whether the NO_OAEP flag is set<br />
and successfully extract either. No change in logic is required within the SecureZIP<br />
high-level code, but the low-level EVTCERTD code should handle the switch based on<br />
the flag.<br />
General Questions to help you get started with SecureZip <strong>for</strong><br />
<strong>iSeries</strong><br />
How do I activate encryption in SecureZIP <strong>for</strong> <strong>iSeries</strong>?<br />
Encryption is activated through the use of the PASSWORD (and/or ENTPREC <strong>for</strong><br />
SecureZIP) parameters. If a value is present <strong>for</strong> either setting then encryption will be<br />
attempted in accordance with other settings (such as ADVCRYPT). However, if<br />
ENTPREC (*NONE) is specified, then encryption will be bypassed.<br />
Note that certificate-based encryption with ENTPREC <strong>for</strong> recipients is only supported<br />
by SecureZIP. In addition, this mode of encryption requires that one of the Strong<br />
ENCRYPTION Methods (minimum 128-bit) be selected.<br />
How does Master Recipient / Contingency Key affect activation?<br />
When SecureZIP is used to encrypt data, either with ENTPREC or PASSWORD, then a<br />
recipient specified in the enterprise security configuration file is automatically<br />
included. However, simply setting a master recipient in the enterprise security<br />
configuration file does not cause encryption to take place.<br />
How does recipient-based encryption differ from password?<br />
Password-based encryption depends on both the sender and receiver knowing, and<br />
providing input (the password) in clear text. The password is used to derive a binary<br />
master session key <strong>for</strong> each decryption run. No key in<strong>for</strong>mation is kept within the<br />
ZIP Archive, there<strong>for</strong>e both parties must retain the password in an external location.<br />
Recipient-based encryption provides a means by which the master session key (MSK)<br />
in<strong>for</strong>mation can be hidden, protected, and carried within the ZIP archive. This is done<br />
by using technique known as digital enveloping with public key encryption. The<br />
technique requires that the creating process have a copy of the recipient's public key<br />
digital certificate, which is used to protect and store the MSK. In addition, the<br />
receiving side must have a copy of the recipient's private key digital certificate. With<br />
these two pieces of in<strong>for</strong>mation in place, there is no need <strong>for</strong> users to retain or recall<br />
a password <strong>for</strong> decryption.<br />
24
What is a digital certificate store?<br />
Recipient-based encryption requires that public and private key certificates be used<br />
by SecureZip <strong>for</strong> <strong>iSeries</strong>. These are kept in file streams encoded according to the<br />
X.509 standard. A certificate store is the location of where various types of<br />
certificates are kept and accessed.<br />
The primary stores used by SecureZip <strong>for</strong> <strong>iSeries</strong> include:<br />
CSPUB: Certificate store <strong>for</strong> individual public-key X.509 certificates on the local<br />
system.<br />
CSPRVT: Certificate store <strong>for</strong> individual private-key X.509 certificates on the local<br />
system.<br />
CSCA: Certificate store For Certificate authority public-key X.509 certificates on the<br />
local system.<br />
CSROOT: Certificate store <strong>for</strong> the trusted root public-key X.509 certificates on the<br />
local system.<br />
CSCRL: Certificate revocation list store static CRL processing on the local system.<br />
LDAP: Certificate store <strong>for</strong> individual public-key X.509 certificates accessible via a<br />
TCPIP network.<br />
Can both recipient-based and password encryption be used together?<br />
Yes, when both ENTPREC <strong>for</strong> recipient and PASSWORD settings are used, to encrypt<br />
a file, the master session key is derived from the password and also protected by<br />
using public key encryption. This means that a ZIP file may be decrypted either by a<br />
user who knows the password, or who has their private key certificate available.<br />
How does ENCRYPTION METHOD pertain to recipient or password<br />
encryption?<br />
Public/private key encryption using BSAFE is used to digitally envelope the master<br />
session key in<strong>for</strong>mation. Once the master session key is determined, an independent<br />
file session key is derived (which is unique <strong>for</strong> each file) to encrypt the file data with<br />
a symmetric algorithm specified by ADVCRYPT. Several algorithms are supplied with<br />
SecureZip <strong>for</strong> <strong>iSeries</strong>. Any algorithm may be specified <strong>for</strong> use with PASSWORD.<br />
However, only those prefixed with "BSAFE" are valid <strong>for</strong> use with ENTPREC <strong>for</strong><br />
recipients.<br />
Which encryption settings should I choose?<br />
Various external factors such as legislative requirements or corporate policy may<br />
influence your decision to select an algorithm or mode of encryption. However, when<br />
operating within those requirements, the following SecureZip <strong>for</strong> <strong>iSeries</strong><br />
in<strong>for</strong>mation may be of value.<br />
NIST has instructional in<strong>for</strong>mation regarding password versus certificate-based (PKI)<br />
encryption. In general, certificate-based encryption is accepted to be more secure<br />
than password-based encryption.<br />
With the exception of supporting the older 96-bit "Standard" SecureZip <strong>for</strong> <strong>iSeries</strong><br />
ADVCRYPT, newer algorithms are provided at a minimum of 128 bits.<br />
PKWARE provides interoperability between OS/390, zOS, OS400, <strong>iSeries</strong>, UNIX and<br />
Windows <strong>for</strong> all algorithms provided with ADVCRYPT with its product set at release<br />
25
8.0 and above. This includes more advanced algorithms with minimum key lengths of<br />
128 bits.<br />
Older releases of PKWARE products, including PKZIP <strong>for</strong> VSE and PKZIP <strong>for</strong> VM<br />
support "Standard" 96-bit encryption <strong>for</strong> wider cross-plat<strong>for</strong>m compatibility when<br />
required.<br />
When RECIPIENT PKI exchanges are required, then ADVCRYPT must specify<br />
algorithms that begin with BSAFE.<br />
Password-based AES encryption is supported by PKWARE products at release 5.5 or<br />
higher.<br />
BSAFE_AES and AES password-based encryption are 100% compatible. Archives<br />
created with PKZIP <strong>for</strong> <strong>iSeries</strong> Release 5.5 can be bi-directionally exchanged with<br />
SecureZip or PKZIP products using the BSAFE AES algorithms.<br />
The BSAFE algorithms provided <strong>for</strong> the OS/400 and <strong>iSeries</strong> products are highper<strong>for</strong>mance<br />
algorithms. The 128-bit BSAFE algorithms out-per<strong>for</strong>m the older 96-bit<br />
PKZIP "Standard" algorithm.<br />
How many recipients can be specified?<br />
The ZIP file <strong>for</strong>mat specification allows <strong>for</strong> a maximum recipient list size of 3,275.<br />
This can be restricted further by other file attributes associated with the data, and by<br />
run-time capacity limitations (such as virtual storage). (Note: Approximately 20<br />
bytes are required <strong>for</strong> each recipient within the ZIP Archive central directory record<br />
<strong>for</strong> each file. This area is limited to 64K in size). At this time the command allows 30<br />
recipients so to reach the max would require using the Inlist approach.<br />
What is Filename Encryption?<br />
Someone who cannot decrypt the contents of an archive may still be able to infer<br />
sensitive in<strong>for</strong>mation just from the unencrypted names of files. To prevent this, you<br />
can encrypt the names of files in addition to their contents. Encrypted file names can<br />
be viewed in the clear—that is, unencrypted—only when the archive is opened by an<br />
intended recipient, if the archive was encrypted using a recipient list, or by someone<br />
who has the password, if the archive was encrypted using a password.<br />
SecureZip <strong>for</strong> <strong>iSeries</strong> encrypts file names using your current settings <strong>for</strong> (strong)<br />
encryption method and algorithm. File names can be encrypted using either strong<br />
password encryption or a recipient list (or both). You must use one of the strong<br />
encryption methods: you cannot encrypt file names using traditional,<br />
ADVCRYPT(ZIPSTD), which uses a 96-bit key.<br />
Encrypting names of files and folders in an archive encrypts and hides a good deal of<br />
other internal in<strong>for</strong>mation about the archive as well. To encrypt file names,<br />
SecureZip <strong>for</strong> <strong>iSeries</strong> encrypts the archive's central directory, where virtually all<br />
such metadata about the archive is stored. Be aware, however, that archive<br />
comments are not encrypted even when you encrypt file names. Do not put sensitive<br />
in<strong>for</strong>mation in an archive comment.<br />
User Encryption Examples<br />
Below are examples of how to invoke encryption processing using PKZIP commands.<br />
26
Zip Compress File(s) and Write to an Archive File<br />
This is the main PKZIP compression screen. Here you specify the method and mode<br />
of encryption.<br />
File Compression<br />
8.0 (PKZIP)<br />
Type choices, press Enter.<br />
Archive Zip File name . . . . .<br />
List Include file or pattern . .<br />
+ <strong>for</strong> more values<br />
'/pkzshare/encryption/as400.des3.zip'<br />
'/pkzshare/encryption/*.txt'<br />
Type of processing . . . . . . . *ADD *ADD, *UPDATE, *FRESHEN ..<br />
Compression Level . . . . . . . *SUPERFAST *FAST, *NORMAL, *MAX...<br />
File Types . . . . . . . . . . . *DETECT *DETECT *TEXT *BINARY ........<br />
Advance Encryption :<br />
Method . . . . . > 3des<br />
ZIPSTD, AES128, AES192...<br />
Mode . . . . . . > BSAFE<br />
PKWARE, BSAFE<br />
More...<br />
F3=Exit F4=Prompt F5=Refresh F10=Additional parameters F12=Cancel<br />
F13=How to use this display F24=More keys<br />
Parameter ARCHIVE required.<br />
Placing the cursor on the “Method” and hitting F4 presents the next screen that<br />
allows you to select one of the encryption methods to use.<br />
Specify Value <strong>for</strong> Parameter ADVCRYPT<br />
Type choice, press Enter.<br />
Method . . . . . . > 3DES<br />
ZIPSTD<br />
AES128<br />
AES192<br />
AES256<br />
3DES<br />
DES<br />
RC4_128<br />
When the next screen appears if you do not enter a password no encryption<br />
processing is completed on the file(s) to be archived. If you desire encryption, you<br />
must enter the password twice; once in the Archive Password and again in the Verify<br />
Password.<br />
File Compression<br />
8.0 (PKZIP)<br />
Type choices, press Enter.<br />
Archive Password . . . . . . . .<br />
Verify Password . . . . . . . .<br />
Archive File Type . . . . . . . *ifs *DB, *IFS<br />
Files to Zip Type . . . . . . . *ifs *DB, *IFS, *IFS2, *DBA, *SPL<br />
Be<strong>for</strong>e/After Selection . . . . . *NO *NO, *BEFORE, *AFTER<br />
Date <strong>for</strong> Selection . . . . . . . 0 Date mmddyyyy<br />
File Name actions . . . . . . . *SUFFIX *NONE, *DROP, *SUFFIX<br />
External Conversion Flags . . . *NONE Character value, *NONE<br />
Create Self Extract Archive . . *MAINTAIN *MAINTAIN, WINDOWS, AIX...<br />
Bottom<br />
27
F3=Exit F4=Prompt F5=Refresh F10=Additional parameters F12=Cancel<br />
F13=How to use this display F24=More keys<br />
Following is the output of the PKZIP run.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (tm) Compression Utility Version 8.0.0, 2004/02/13<br />
Copyright. 2004 PKWARE, Inc. All Rights Reserved.<br />
PKZIP (R) is a registered trademark of PKWARE (R), Inc.<br />
Scanning files in *IFS <strong>for</strong> match ...<br />
Found 2 matching files<br />
Compressing /pkzshare/encryption/appnote.txt in BINARY mode<br />
Add /pkzshare/encryption/appnote.txt -- Deflating (69%) encrypt(BSAFE 3DES)<br />
Compressing /pkzshare/encryption/readme.txt in BINARY mode<br />
Add /pkzshare/encryption/readme.txt -- Deflating (58%) encrypt(BSAFE 3DES)<br />
PKZIP Compressed 2 files in Archive /pkzshare/encryption/as400.des3.zip<br />
PKZIP Completed Successfully<br />
Commands generated from the PKZIP screen using the retrieve key after the PKZIP<br />
run.<br />
Previous commands and messages:<br />
Command Entry<br />
COSMOS<br />
Request level: 4<br />
(No previous commands or messages)<br />
Bottom<br />
Type command, press Enter.<br />
===> PKZIP ARCHIVE('/pkzshare/encryption/as400.des3.zip')<br />
FILES('/pkzshare/encryption/*.txt') ADVCRYPT(3DES BSAFE) PASSWORD() VPASSWORD()<br />
TYPARCHFL(*IFS) TYPF<br />
Display the contents of an Archive File<br />
When the files within an archive have strong encryption the “!” (bang) character is<br />
placed in front of the file name to in<strong>for</strong>m you that you must have the correct<br />
password to view or extract the file.<br />
File Extraction<br />
8.0 (PKUNZIP)<br />
Type choices, press Enter.<br />
Archive Zip File name . . . . .<br />
List Include file or pattern . .<br />
+ <strong>for</strong> more values<br />
'/pkzshare/encryption/as400.des3.zip'<br />
*ALL<br />
Type of processing . . . . . . . *VIEW *VIEW, *EXTRACT, *NEWER...<br />
File Types . . . . . . . . . . . *DETECT *DETECT *TEXT *BINARY ...<br />
Press ENTER to end terminal session.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (tm) Compression Utility Version 8.0.0, 2004/02/13<br />
Copyright. 2004 PKWARE, Inc. All Rights Reserved.<br />
PKZIP (R) is a registered trademark of PKWARE (R), Inc.<br />
PKZIP <strong>for</strong> <strong>iSeries</strong>(tm) is running under Beta release B1<br />
Archive: /pkzshare/encryption/as400.des3.zip 33451 bytes 2 files<br />
Length Method Size Ratio Date Time CRC-32 Name<br />
-------- ------ ------- ----- ---- ---- ------ ----<br />
97182 Defl:F 30230 69% 01-30-04 13:16 223c2ea4 !/pkzshare/encryption/<br />
appnote.txt<br />
28
5747 Defl:F 2710 53% 10-06-03 15:14 d193af9b !/pkzshare/encryption/<br />
readme.txt<br />
-------- ------- ---- -------<br />
102929 32940 68% 2 files<br />
PKUNZIP extracted 0 files<br />
PKUNZIP Completed Successfully<br />
Incorrect Password Use<br />
The following illustration is an example of what to expect if you enter an incorrect<br />
password. The error message indicates that the file(s) were skipped because of an<br />
incorrect password and that PKUNZIP completed with errors.<br />
PKZIP <strong>for</strong> <strong>iSeries</strong>(tm) Compression Utility Version 8.0.0, 2004/02/17<br />
Copyright. 2004 PKWARE, Inc. All Rights Reserved.<br />
PKZIP (R) is a registered trademark of PKWARE (R), Inc.<br />
PKZIP <strong>for</strong> <strong>iSeries</strong>(tm) is running under Beta release B1<br />
PKUNZIP Archive: /pkzshare/encryption/as400.des.zip<br />
Archive Comment:"PKZIP <strong>for</strong> <strong>iSeries</strong> by PKWARE"<br />
Searching Archive /pkzshare/encryption/as400.des.zip <strong>for</strong> files to extract<br />
skipping: /pkzshare/encryption/appnote.txt incorrect password<br />
skipping: /pkzshare/encryption/readme.txt incorrect password<br />
Caution: zero files tested in /pkzshare/encryption/as400.des.zip.<br />
2 file(s) skipped because of incorrect password<br />
PKUNZIP Completed with Errors<br />
Press ENTER to end terminal session.<br />
29
3 Getting Started with SecureZIP <strong>for</strong><br />
<strong>iSeries</strong><br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> is a broad, flexible product on the <strong>iSeries</strong>, and AS/400<br />
plat<strong>for</strong>ms, allowing <strong>for</strong> compression and decompression of files. It is fully compliant<br />
with other PKZIP-compatible compression products running on other operating<br />
systems.<br />
Because the PKZIP standard <strong>for</strong> text data storage is ASCII, SecureZIP <strong>for</strong> <strong>iSeries</strong><br />
facilitates conversion between the ASCII and EBCDIC character sets. There<strong>for</strong>e,<br />
compressed text files can be transferred between IBM mainframe environments and<br />
systems using the ASCII character sets, including UNIX, DOS, SecureZIP <strong>for</strong><br />
<strong>iSeries</strong>, PKZIP <strong>for</strong> zSeries, and PKZIP <strong>for</strong> VSE.<br />
In addition to PKZIP-<strong>for</strong>mat archive support, SecureZIP <strong>for</strong> <strong>iSeries</strong> can also<br />
produce and manipulate (GNU) GZIP-<strong>for</strong>mat archives. See Chapter 18.<br />
Basic Features of SecureZIP <strong>for</strong> <strong>iSeries</strong><br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> is generally compatible with PKZIP 2.x, and as such, has<br />
the following features:<br />
Compliance with compression programs on other plat<strong>for</strong>ms, including Windows,<br />
LINUX, UNIX, DOS, SecureZIP <strong>for</strong> <strong>iSeries</strong> , PKZIP <strong>for</strong> zSeries, and PKZIP <strong>for</strong><br />
VSE.<br />
• User-selected compression ratios.<br />
• Storage capability of 65,535 files within one ZIP Archive.<br />
• Compression of files of up to 4 gigabytes.<br />
• A maximum ZIP archive size of 4 gigabytes.<br />
• Data integrity assurance using 32-bit CRC error detection.<br />
• Translation of data to a system-independent <strong>for</strong>mat, thus providing easy file<br />
transfers within a mixed or varied file environment.<br />
Extended Features of SecureZIP <strong>for</strong> <strong>iSeries</strong><br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> also offers a series of extended features such as creation of<br />
GZIP archive, spool files support, large file support (files greater than 4 GB and files<br />
30
in archive exceeding 65,535), advanced encryption and self-extracting archives. All<br />
licensable features can be found in “Licensed Product Features” in Chapter 4.<br />
Invoking SecureZIP <strong>for</strong> <strong>iSeries</strong> Services<br />
Three main commands control SecureZIP <strong>for</strong> <strong>iSeries</strong> functionality in the OS/400<br />
operating environments. The commands are:<br />
• PKZIP - Launches compression utility<br />
• PKUNZIP - Launches archive extraction utility<br />
• PKZSPOOL - Launches compression utility <strong>for</strong> spool files<br />
Each of the commands can be invoked interactively, submitted <strong>for</strong> a batch run, or<br />
used anywhere that an <strong>iSeries</strong> command can be issued.<br />
Help panels <strong>for</strong> each command can be activated by using the F1 (help) key.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> Differences with other Plat<strong>for</strong>ms<br />
This section covers the differences between SecureZIP <strong>for</strong> <strong>iSeries</strong> and other<br />
versions, including versions that run on other operating systems or plat<strong>for</strong>ms. Most<br />
of the differences are due to the QSYS library file type system and the <strong>iSeries</strong> objectoriented<br />
base.<br />
Attributes<br />
(non-extended)<br />
ANSI comments<br />
Archive file date<br />
controls PKZIP<br />
Archive Comments<br />
PKZIP<br />
File naming<br />
differences<br />
Various MS/DOS options support the selection of files by file<br />
attributes such as hidden, read-only, and system. These<br />
attributes are not meaningful on the OS/400 file system.<br />
Because OS/400 does not support ANSI control codes,<br />
related options are not supported. When unzipping from an<br />
archive, the archive comment will be displayed, but ANSI<br />
control codes in this comment will not be masked out. This<br />
could cause attribute changes on the <strong>iSeries</strong> display.<br />
DOS options control whether the ZIP file date is updated or<br />
retained when altering the archive. Because the last used<br />
date on OS/400 is not under program control or alterable by<br />
a command, these options are not supported.<br />
DOS options allow editing of comments <strong>for</strong> individual files in<br />
an archive. This version supports editing of a file’s text<br />
description, but is not recommended <strong>for</strong> batch running, or <strong>for</strong><br />
a large number of files due to the interactive message<br />
responses required.<br />
The files used in the QSYS library file system have their own<br />
naming style. Each file associated with a library file and<br />
members would be depicted as library/file(member). Usually,<br />
all file names are stored as open system file names with<br />
directories, ending with a file name. For a detailed<br />
description and techniques see Chapter 8.<br />
31
HELP<br />
Mixed Case<br />
Filenames<br />
PKZIP <strong>for</strong> DOS has options to display a list of commands.<br />
Because SecureZIP <strong>for</strong> <strong>iSeries</strong> uses <strong>iSeries</strong> commands, the<br />
help system is built <strong>for</strong> each command and is activated by<br />
PF1 on each parameter.<br />
When using the IFS (integrated file system), the file names<br />
are case sensitive and act like other file systems (UNIX,<br />
DOS, Windows, etc.). When using the QSYS library file<br />
system, the file names are always in UPPER CASE.<br />
Occasionally, when trying to update and archive (or select<br />
from an archive), you may encounter a case sensitive<br />
search. Use PKUNZIP view to get the exact name stored.<br />
This would be appropriate when doing a PKZIP TYPE(<br />
*DELETE) where the selection file would need to match.<br />
Use of SAVF Method<br />
At this time, only physical files with attributes of PF-DTA, PF-SRC, and SAVF in the<br />
QSYS file system, stream files and directories in the IFS, and spool files can be<br />
processed by SecureZIP <strong>for</strong> <strong>iSeries</strong>. Also, some special database functionality such<br />
as triggers, file constraints, alternate collating sequence, and large object fields, are<br />
not stored in the archives.<br />
To overcome some of the restrictions listed above, SecureZIP <strong>for</strong> <strong>iSeries</strong> can<br />
compress and decompress SAVF. The objects to be compressed are saved to a SAVF<br />
using SAVOBJ or SAVLIB. The SAVF is then compressed to an archive using PKZIP.<br />
To restore the data, first use PKUNZIP to re-create the SAVF, and then use RSTOBJ<br />
or RSTLIB to restore objects from within the decompressed SAVF. SAVF are binary<br />
and only pertain to OS/400.<br />
32
4 SecureZIP <strong>for</strong> <strong>iSeries</strong> Installation<br />
This chapter describes the process of receiving SecureZIP <strong>for</strong> <strong>iSeries</strong>, either by<br />
tape, CD-ROM or by FTP, the process of setting the environment (optional) and the<br />
process of installing the license. These processes consists of building the SecureZIP<br />
<strong>for</strong> <strong>iSeries</strong> version library, adding the library to your library list, optionally setting<br />
environmental pointers and running the install license command with an authorized<br />
license.<br />
Even though the default library <strong>for</strong> SecureZIP <strong>for</strong> <strong>iSeries</strong> Version 8.0 patch level 0<br />
is PKW81051S and is referenced in this manual, the library name <strong>for</strong> the product can<br />
be named otherwise to suit your environmental needs. The SecureZIP <strong>for</strong> <strong>iSeries</strong><br />
product is distributed with a predefined library of PKW810vrT (where vr is the<br />
minimum OS/400 operation system release supported, T is the product type,<br />
P=PKZIP and S=SecureZIP). V5R1M0 would be 51. If you would like to use another<br />
library name or would like to run SecureZIP <strong>for</strong> <strong>iSeries</strong> without it being in the<br />
library list, review the operating environment discussion later in this chapter.<br />
It is recommended that you use a generic name <strong>for</strong> the library that will be used <strong>for</strong><br />
production (such as PKZIP or PKZIPPROD). This will allow new updates to be<br />
implemented without changing a lot of CL programs or processes. To use another<br />
library name, review the procedures described later in this chapter (section<br />
“Operating Environment”) on how to use the CALL PKZSETLIB program to change the<br />
standard library name or run without the library in your library list.<br />
Unloading SecureZIP <strong>for</strong> <strong>iSeries</strong> from Tape<br />
The SecureZIP <strong>for</strong> <strong>iSeries</strong> installation tape contains a SAVF file with the product<br />
library <strong>for</strong> the OS/400. The file PKW810vrT library contains SecureZIP <strong>for</strong> <strong>iSeries</strong><br />
Version 8.0 patch level 0 with the OS/400 version specified as vr (OS/400 version,<br />
target release, and modification <strong>for</strong> the product build, <strong>for</strong> example, 51 <strong>for</strong> V5R1M0)<br />
and T is the product type.<br />
To unload the required library <strong>for</strong> SecureZIP <strong>for</strong> <strong>iSeries</strong>, load the tape and issue<br />
the following command:<br />
RSTLIB SAVLIB( PKW810vrT) DEV(tapnn)<br />
Where vr is the version, release, and modification level, T is product type, and<br />
tapnn is the appropriate tape device name.<br />
33
At this point the PKZIP library exists on your system and you can proceed to the<br />
section, “Restoring SecureZIP <strong>for</strong> <strong>iSeries</strong> Product Library from a Save File.”<br />
Unloading SecureZIP <strong>for</strong> <strong>iSeries</strong> from a CD-ROM<br />
The SecureZIP <strong>for</strong> <strong>iSeries</strong> installation from a CD-ROM can be per<strong>for</strong>med using<br />
either of the following two methods. One method is to use the LODRUN command<br />
and the second method would be to restore the library manually. First load the<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> CD into the optical unit and note the device name (usually<br />
OPT01).<br />
METHOD A. LODRUN Command<br />
At a command line type LODRUN DEV(*OPT) or LODRUN DEV(optical device).<br />
LODRUN will first display the following screen showing the default library with the<br />
version of SecureZIP <strong>for</strong> <strong>iSeries</strong> that will be installed from the CD. The display will<br />
wait <strong>for</strong> a valid library and the pressing of the Enter key to install SecureZIP <strong>for</strong><br />
<strong>iSeries</strong>. If the F3 or F12 key is pressed the install will end without installing the<br />
product.<br />
LODRUN screen example:<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (tm)<br />
Version V8.0.0<br />
Install SecureZIP <strong>for</strong> <strong>iSeries</strong> (tm) to Library PKW81051S<br />
(Note: Library Must Not Exist)<br />
Press Enter to Continue<br />
F3-Exit<br />
F12-Cancel<br />
Error message Area------------------------------------------------------<br />
Next the install process will restore the SecureZIP <strong>for</strong> <strong>iSeries</strong> product to the library<br />
requested and add the new library to the library list. Then using the program PKZIP<br />
program PKZSETLIB, all settings <strong>for</strong> commands, data area and help files will be<br />
resolved to the new library.<br />
At this point, SecureZIP <strong>for</strong> <strong>iSeries</strong> is in your library list and is ready to load keys<br />
(DEMO or registered) using the INSTPKLIC command as describe later in this<br />
chapter.<br />
METHOD B. RSTLIB Command<br />
The SecureZIP <strong>for</strong> <strong>iSeries</strong> installation CD-ROM contains a Save file with the<br />
product library <strong>for</strong> the OS/400. The PKW810vrT library contains SecureZIP <strong>for</strong><br />
<strong>iSeries</strong> Version 8.0 patch level 0 with the OS/400 version specified as vr (OS/400<br />
version, Target Release, and Modification <strong>for</strong> the product build, <strong>for</strong> example, 510 <strong>for</strong><br />
V5R1M0) and T is product type.<br />
To unload the required library <strong>for</strong> SecureZIP <strong>for</strong> <strong>iSeries</strong>, load the CD-ROM and<br />
issue the following command:<br />
RSTLIB SAVLIB( PKW810vrT) DEV(optnn) OPTFILE(pkzip)<br />
34
Where vr is the version, release, T is product type and optnn is the correct optical<br />
device name to use.<br />
Using FTP to <strong>iSeries</strong> to Transfer a PKZIP Save File<br />
1. After downloading the product self-extracting file to your PC, extract it. The<br />
save file is named PKW81051S.SAV. Be sure to note the path to this file, as it<br />
will be required in your FTP session (defaults to<br />
C:\PKZIP\PKAS4R\PKW81051S.SAV).<br />
2. Start an <strong>iSeries</strong> workstation type session, and then sign on with sufficient<br />
authority to per<strong>for</strong>m the commands used below.<br />
3. Create a save file on the <strong>iSeries</strong> - CRTSAVF YourLIB/PKZIP810. The TCP/IP<br />
network server must be running (or start the TCP/IP network server with<br />
STRTCP).<br />
4. Start a PC-based FTP session with your normal FTP procedures and send the<br />
PC file in binary mode to the <strong>iSeries</strong> SAVF you created, or run the following:<br />
5. Type "FTP" at the command prompt.<br />
6. Open the <strong>iSeries</strong> IP address and sign on (ftp> open 208.222.150.11 as an<br />
example).<br />
7. Next, type "BIN" at the command line (this will transfer the file as a binary<br />
object which is required).<br />
8. Now type "PUT" and then the local file name (in other words, "PUT<br />
C:\PKZIP\PKAS4R\PKW81051S.SAV")<br />
9. Finally, you type your remote file name (the destination):<br />
(YourLIB/PKZIP810) and the FTP transfer of the file should start.<br />
Restoring SecureZIP <strong>for</strong> <strong>iSeries</strong> Product Library from a Save File<br />
At this time you should have the save file built on your system. Now you can restore<br />
the library from the save file.<br />
RSTLIB SAVLIB(PKW81051S) DEV(*SAVF) SAVF(YourLIB/PKZIP810)<br />
RSTLIB(your_pkzip_lib)<br />
where "your_pkzip_lib" - is the name you want to call the restored PKZIP library.<br />
At this point the SecureZIP <strong>for</strong> <strong>iSeries</strong> product library should exist on <strong>iSeries</strong> and<br />
you can proceed to the Installation procedures below.<br />
If you want, you can now delete the save file created earlier with:<br />
DLTF YourLIB/PKZIP810<br />
Installation Procedures<br />
The SecureZIP <strong>for</strong> <strong>iSeries</strong> product library should now exist on the <strong>iSeries</strong>. All<br />
objects including the library are owned by QPGMR. The objects’ owner can be change<br />
35
to any valid owner with the CHGOBJOWN command. The SecureZIP <strong>for</strong> <strong>iSeries</strong><br />
library should now be added to the library list (ADDLIBLE your_pkzip_lib).<br />
If you keep the PKZIP library name at PKW81051S, then you do not need to take this<br />
additional step. If you change the name from PKW81051S to something else, then<br />
you will need to run a program to setup your PKZIP Environment. In this case you<br />
will type on a command line, "CALL PKZSETLIB your_pkzip_lib", where<br />
"your_pkzip_lib" is the name of the PKZIP library you restored. This will link the<br />
objects to your PKZIP library name. For more in<strong>for</strong>mation see “How to Change the<br />
Standard PKZIP Library Name” later in this chapter.<br />
Licensing Requirements<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> is a licensed product. Without proper licensing, the product<br />
can only be used to view archives. Product features and license types can be licensed<br />
separately as the user’s needs dictate. The license key will contain all of the<br />
elements necessary to validate a customer’s use of SecureZIP <strong>for</strong> <strong>iSeries</strong>.<br />
The licensing process is comprised of several key elements that are described in the<br />
following sections.<br />
Trial Period<br />
You will need to contact your reseller or PKWARE, Inc. Sales at 937.847.2374, or<br />
email Sales at pksales@pkware.com to initialize your version of SecureZIP <strong>for</strong><br />
<strong>iSeries</strong> <strong>for</strong> the 15-day DEMO. If you do not work in the USA, please refer to the<br />
GLOBAL CONTACTS.TXT file to contact a dealer in your region.<br />
Release Licensing<br />
Each release of SecureZIP <strong>for</strong> <strong>iSeries</strong> requires that a new license key be obtained<br />
from Customer Service and that a new license record be generated. The new release<br />
will fail with AQZ9077 "License Keys have invalid version setting" if the license file is<br />
used from a previous release.<br />
Reporting Environment<br />
To report on the status of a license at your location, you can run the environment<br />
“WHATOSV” program by doing a program call:CALL WHATOSV. It will provide a<br />
report similar to:<br />
PKWARE WHATOSV Current Operating Environment Thu May 15 12:05:49 2003<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (tm) Version 8.0.0 with build date 2003/05/14<br />
Current PKZIP Library is PKW81051S<br />
IBM <strong>iSeries</strong> Model 9406, Type 270-23E7<br />
Serial Number , PRC Group < P10>, OS is at V5R2M0.<br />
Press ENTER to end terminal session.<br />
The output of this report is what you will need to send to your reseller or PKWARE<br />
sales representative to obtain a DEMO code.<br />
36
Note: The PKZIP Library must be added to the library list prior to<br />
running this program.<br />
Please have the output of this report handy when speaking with your reseller or<br />
account rep. You will be expected to supply the following additional in<strong>for</strong>mation:<br />
• Company name<br />
• Company contact<br />
• Phone number<br />
• Contact email<br />
Updating License Files<br />
Installing the PKZIP license activation keys is done by adding the licensing<br />
in<strong>for</strong>mation into a source file member (one is provided with distribution library call<br />
PKZLICIN) and then running the install license program to activate.<br />
Trial activation is accomplished by first editing the member PKWARELIC and adding<br />
the company customer record and keys supplied by PKWARE, Inc. One way of editing<br />
the member would to use the following command with the correct library:<br />
EDTF FILE(PKW81051S/PKZLICIN) MBR(PKWARELIC)<br />
or<br />
STRSEU SRCFILE(PKW81051S/PKZLICIN) SRCMBR(PKWARELIC)<br />
Remember since this a source file member and you use the EDTF command that the<br />
data will start in column 13, because the source sequence number and date stamp is<br />
in the true columns 1 thru 12.<br />
For example:<br />
EDTF FILE(PKW81051S /PKZLICIN) MBR(PKWARELIC)<br />
Edit File: PKW81051S /PKZLICIN(PKWARELIC)<br />
Record : 1 of 3 by 8 Column : 13 92 by 74<br />
Control :<br />
CMD ..+....2....+....3....+....4....+....5....+....6....+....7....+....8....+.<br />
************Beginning of data**************<br />
*LICENSED BY PKWARE, Inc 06/03/03 Tait Hamiel<br />
55 A4CMD1NR 000014581 PKWARE Internal Demo Customer<br />
99 CMDOAXB1 20030703 0107X8WTP10<br />
************End of Data********************<br />
F2=Save F3=Save/Exit F12=Exit F15=Services F16=Repeat find<br />
Notice in this case the columns on the ruler shows column 13 <strong>for</strong> the first column of<br />
the license data.<br />
For Example:<br />
STRSEU SRCFILE(PKW81051S/PKZLICIN) SRCMBR(PKWARELIC) :<br />
Columns . . . : 1 71 Edit PKW81051S/PKZLICIN<br />
SEU==><br />
PKWARELIC<br />
37
FMT ** ...+... 1 ...+... 2 ...+... 3 ...+... 4 ...+... 5 ...+... 6 ...+... 7<br />
*************** Beginning of data *************************************<br />
0001.00 *LICENSED BY PKWARE, Inc 06/03/03 Tait Hamiel<br />
0002.00 55 A4CMD1NR 000014581 PKWARE Internal Demo Customer<br />
0003.00 99 CMDOAXB1 20030703 0107X8WTP10<br />
****************** End of data ****************************************<br />
F3=Exit F4=Prompt F5=Refresh F9=Retrieve F10=Cursor F11=Toggle<br />
F16=Repeat find F17=Repeat change F24=More keys<br />
Once you have typed or copied the license in<strong>for</strong>mation provided by PKWARE, you will<br />
need to save these changes by pressing F3 and exit the edited member by pressing<br />
F3 again. Next, run the install program using the following command:<br />
INSTPKLIC INFILE(*LIBL/PKZLICIN) INMBR(PKWARELIC) or prompt F4<br />
Type choices, press Enter.<br />
Install SecureZIP <strong>for</strong> <strong>iSeries</strong> License (INSTPKLIC)<br />
Type . . . . . . . . . . . . . *INSTALL *INSTALL, *VIEW<br />
Input Control File . . . . . . . PKZLICIN Name, PKZLICIN<br />
Library name . . . . . . . . . *LIBL Name, *LIBL<br />
Control Member . . . . . . . . . pkwarelic Name, *FIRST<br />
Bottom<br />
F3=Exit F4=Prompt F5=Refresh F12=Cancel F13=How to use this display<br />
F24=More keys<br />
By executing the INSTPKLIC command, the LICENSE dataset will be updated and a<br />
report will be produced that will reflect the state of SecureZIP <strong>for</strong> <strong>iSeries</strong> at your<br />
location.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (tm) Compression Utility Version 8.0.0, 2003/06/09<br />
Copyright. 2004 PKWARE, Inc. All Rights Reserved.<br />
PKZIP (R) is a registered trademark of PKWARE (R), Inc.<br />
Machine ID = 0107X8WT, Processor Group = P10<br />
Rec - 1 *LICENSED BY PKWARE, Inc 06/03/03 Tait Hamiel<br />
Rec - 2 55 A4CMD1NR 000014581 PKWARE Internal Demo Customer<br />
Rec - 3 99 CMDOAXB1 20030703 0107X8WTP10<br />
Compression - Evaluation set to expire in 23 days on 20030703<br />
Decompression - Evaluation set to expire in 23 days on 20030703<br />
Database File Handlers- Evaluation set to expire in 23 days on 20030703<br />
IFS File Handlers - Evaluation set to expire in 23 days on 20030703<br />
GZIP - Evaluation set to expire in 23 days on 20030703<br />
Spool Files - Evaluation set to expire in 23 days on 20030703<br />
Self Extracting - Evaluation set to expire in 23 days on 20030703<br />
License File PKW81051S/PKZLIC(PKZLIC) Updated successfully<br />
Press ENTER to end terminal session.<br />
Licensed Product Features<br />
The license key will be comprised of codes to reflect the product features selected by<br />
the customer.<br />
38
Licensing Product Type Cross Reference with Features Codes.<br />
Type<br />
Feature<br />
Code<br />
PKZIP SecureZIP Standard<br />
77<br />
Enterprise<br />
BASE Module 01 X X X X X<br />
Compression 02 X X X X X<br />
Decompression 03 X X X X X<br />
GZIP 04 Opt X X X<br />
66<br />
x Demo<br />
Days<br />
Directory Integration 05 N/A Opt Opt Opt X<br />
(SecureZIP<br />
Only)<br />
ADVANCED<br />
Encryption<br />
06 N/A Opt N/A X<br />
(SecureZIP<br />
Only)<br />
99<br />
X<br />
(SecureZIP<br />
Only)<br />
Decryption 07 Included Included X X X<br />
(SecureZIP<br />
Only)<br />
Spool File Support 08 Opt X N/A X X<br />
Self Extraction<br />
Creator<br />
10 Opt X N/A X X<br />
39
Licensing Features Code Descriptions<br />
The following table shows the product features available:<br />
Feature<br />
Code<br />
Type<br />
Description<br />
01 Base Module The base module is either PKZIP or SecureZIP (depending on the<br />
product has been selected and which licensed code was issued).<br />
02 Compression This licensable module allows <strong>for</strong> the compression of data into a ZIP<br />
file. This license is required to read the input data and write out the<br />
archive or ZIP file.<br />
03 Decompression This licensable module allows <strong>for</strong> the decompression of data from a<br />
ZIP file or an archive. This license is required to read the ZIP archive<br />
and to write the OS/400 datasets during the extraction routine.<br />
04 GZIP Support This licensable module allows a user to read and write GZIP<br />
compatible files. GZIP files created using PKZIP <strong>for</strong> <strong>iSeries</strong> can be<br />
extracted with any compatible GZIP utility on any other plat<strong>for</strong>m.<br />
05 Directory Integration This module allows the use of LDAP <strong>for</strong> certificate accessing.<br />
06 Advanced Encryption<br />
Module<br />
This licensable module allows a user to compress files with advanced<br />
encryption methods, encrypt files with certificates, sign files/archives,<br />
and authenticate files/archives.<br />
07 Decryption This licensable module allows a user to extract files with advanced<br />
encryption methods.<br />
08 Spool File Handler This licensable module allows a user to compress and extract spool<br />
files. The module also allows the spool file to be converted another<br />
<strong>for</strong>mat, such as a PDF or text <strong>for</strong>mat.<br />
10 Self Extract Support This licensable feature allows the creation and maintenance of self<br />
extracting archives.<br />
Splash Screens:<br />
SecureZIP:<br />
SecureZIP(tm) <strong>for</strong> <strong>iSeries</strong> Compression Utility Version 8.0.0B, 2004/07/21<br />
Copyright. 2004 PKWARE, Inc. All Rights Reserved.<br />
SecureZIP(tm) is a trademark of PKWARE (R), Inc.<br />
PKZIP:<br />
PKZIP <strong>for</strong> <strong>iSeries</strong>(tm) Compression Utility Version 8.0.0B, 2004/07/21<br />
Copyright. 2004 PKWARE, Inc. All Rights Reserved.<br />
PKZIP(R) is a registered trademark of PKWARE (R), Inc.<br />
Record Layouts<br />
The record layouts <strong>for</strong> control file records (portions of which your reseller of<br />
PKWARE, Inc. will provide) are described below <strong>for</strong> each type. Remember, the<br />
columns are relative to column 1 in a source file and if you use EDTF then column 1<br />
is now column 13.<br />
40
Comment Control Card<br />
Comment cards are free <strong>for</strong>mat and begin with an * in column 1.<br />
Customer Control Card<br />
Customer records always begin with a “55” or ‘57”.<br />
Control<br />
Code<br />
Check<br />
Characters<br />
Customer<br />
Number<br />
Customer<br />
Name<br />
Format 55 cccccccc nnnnnnnnn xxx . . . xxx<br />
Columns 1-2 4-11 13-21 23-74<br />
Length 2 8 9 50<br />
55 Feature Control Code (always a 55 or 57)<br />
cccccccc<br />
nnnnnnnnn<br />
xxx . . . xxx<br />
Feature Control Card<br />
Check Character (supplied by PKWARE, Inc.)<br />
Customer Number (supplied by PKWARE, Inc.)<br />
Customer Name (supplied by customer - must be<br />
alphanumeric (AA-99)<br />
Feature<br />
Code<br />
Check<br />
Characters<br />
Expiration<br />
Date<br />
Hardware<br />
In<strong>for</strong>mation<br />
Format ff cccc yyyymmdd ssssssstttt<br />
Columns 1-2 4-11 13-20 22-33<br />
Length 2 8 8 12<br />
ff<br />
cccccccc<br />
yyyy year (2001)<br />
mm month (01-12)<br />
Feature Control Code (provided by PKWARE, Inc.)<br />
Check Character (provided by PKWARE, Inc.)<br />
dd day (01-31)<br />
sssssss<br />
CPU serial # (12345ABC)<br />
tttt<br />
CPU Processing Group (P10)<br />
By executing this command, the LICENSE dataset will be updated and a report will<br />
be produced that will reflect the state of SecureZIP <strong>for</strong> <strong>iSeries</strong> at your location.<br />
Install Demo<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (tm) Compression Utility Version 8.0.0, 2003/06/09<br />
Copyright. 2004 PKWARE, Inc. All Rights Reserved.<br />
PKZIP (R) is a registered trademark of PKWARE (R), Inc.<br />
Machine ID = 0107X8WT, Processor Group = P10<br />
Rec - 1 *LICENSED BY PKWARE, Inc 06/03/03 Tait Hamiel<br />
Rec - 2 55 A4CMD1NR 000014581 PKWARE Internal Demo Customer<br />
Rec - 3 99 CMDOAXB1 20030703 0107X8WTP10<br />
Compression - Evaluation set to expire in 23 days on 20030703<br />
Decompression - Evaluation set to expire in 23 days on 20030703<br />
Database File Handlers- Evaluation set to expire in 23 days on 20030703<br />
IFS File Handlers - Evaluation set to expire in 23 days on 20030703<br />
41
GZIP - Evaluation set to expire in 23 days on 20030703<br />
Advanced Encryption - Evaluation set to expire in 23 days on 20030703<br />
Spool Files - Evaluation set to expire in 23 days on 20030703<br />
Self Extracting - Evaluation set to expire in 23 days on 20030703<br />
License File PKW81051S/PKZLIC(PKZLIC) Updated successfully<br />
Press ENTER to end terminal session.<br />
Install Basic<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (tm) Compression Utility Version 8.0, 2003/07/12<br />
Copyright. 2004 PKWARE, Inc. All Rights Reserved.<br />
PKZIP (R) is a registered trademark of PKWARE (R), Inc.<br />
Machine ID = 0107X8WT, Processor Group = P10<br />
Rec - 1 *LICENSED BY PKWARE 07/13/01 WSS<br />
Rec - 2 55 B7LJJ3A0 110531837<br />
My Company Name, Dayton OH<br />
Rec - 3 *<br />
yyyymmdd ssssssssttt<br />
Rec - 4 77 lLTJ1233 20020801 0107X8WTP10<br />
License File PKW81051S/PKZLIC(PKZLIC) Updated successfully<br />
Install Single<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (tm) Compression Utility Version 8.0, 2003/07/12<br />
Copyright. 2004 PKWARE, Inc. All Rights Reserved.<br />
PKZIP (R) is a registered trademark of PKWARE (R), Inc.<br />
Machine ID = 0107X8WT, Processor Group = P10<br />
Rec - 1 *LICENSED BY PKWARE 07/13/01 WSS<br />
Rec - 2 55 X1LT83K1 110531837<br />
My Company Name, Dayton OH<br />
Rec - 3 *<br />
yyyymmdd ssssssttttii<br />
Rec - 4 *<br />
ssssssssttt<br />
Rec - 5 01 LLTB7233 20030801 0107X8WTP10<br />
Rec - 6 02 ELTH823F 20030801 0107X8WTP10<br />
Rec - 7 03 RLTB723U 20030801 0107X8WTP10<br />
Rec - 8 04 MLTH823B 20030801 0107X8WTP10<br />
License File PKW81051S/PKZLIC(PKZLIC) Updated successfully<br />
Reporting<br />
To report on the status of a license at your location, you can run the license program<br />
with the following command: INSTPKLIC TYPE(*VIEW).<br />
Examples from above:<br />
View Demo<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (tm) Compression Utility Version 8.0.0, 2003/06/09<br />
Copyright. 2004 PKWARE, Inc. All Rights Reserved.<br />
PKZIP (R) is a registered trademark of PKWARE (R), Inc.<br />
Machine ID = 0107X8WT, Processor Group = P10<br />
*********************************************<br />
A License Report requested on 0107X8WT from CPU Serial#<br />
8.0 Product Licensed to Customer # 000014581 -PKWARE Internal Demo Customer<br />
*********************************************<br />
Compression -DEMO with 23 Days remaining (07/03/2003)<br />
Contact PKWARE, Inc. <strong>for</strong> Licensing<br />
*********************************************<br />
Decompression -DEMO with 23 Days remaining (07/03/2003)<br />
Contact PKWARE, Inc. <strong>for</strong> Licensing<br />
*********************************************<br />
GZIP -DEMO with 23 Days remaining (07/03/2003)<br />
Contact PKWARE, Inc. <strong>for</strong> Licensing<br />
*********************************************<br />
42
IFS File Handlers -DEMO with 23 Days remaining (07/03/2003)<br />
Contact PKWARE, Inc. <strong>for</strong> Licensing<br />
*********************************************<br />
Database File Handlers-DEMO with 23 Days remaining (07/03/2003)<br />
Contact PKWARE, Inc. <strong>for</strong> Licensing<br />
*********************************************<br />
Advanced Encryption -DEMO with 23 Days remaining (07/03/2003)<br />
Contact PKWARE, Inc. <strong>for</strong> Licensing<br />
*********************************************<br />
Spool Files -DEMO with 23 Days remaining (07/03/2003)<br />
Contact PKWARE, Inc. <strong>for</strong> Licensing<br />
*********************************************<br />
Self Extracting -DEMO with 23 Days remaining (07/03/2003)<br />
Contact PKWARE, Inc. <strong>for</strong> Licensing<br />
*********************************************<br />
Press ENTER to end terminal session.<br />
View Single<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (tm) Compression Utility Version 8.0.0, 2003/06/09<br />
Copyright. 2004 PKWARE, Inc. All Rights Reserved.<br />
PKZIP (R) is a registered trademark of PKWARE (R), Inc.<br />
Machine ID = 0107X8WT, Processor Group = P10<br />
*********************************************<br />
A License Report requested on 0107X8WT from CPU Serial#<br />
8.0 Product Licensed to Customer # 000003079 -Key Testers Inc.<br />
*********************************************<br />
Compression<br />
:Licensed -Expires 02/28/2400 <strong>for</strong> processors:<br />
Serial# 0107X8WT Processor Type P10<br />
*********************************************<br />
Decompression<br />
:Licensed -Expires 02/28/2400 <strong>for</strong> processors:<br />
Serial# 0107X8WT Processor Type P10<br />
*********************************************<br />
GZIP<br />
:Licensed -Expires 02/28/2400 <strong>for</strong> processors:<br />
Serial# 0107X8WT Processor Type P10<br />
*********************************************<br />
IFS File Handlers :Licensed -Expires 02/28/2400 <strong>for</strong> processors:<br />
Serial# 0107X8WT Processor Type P10<br />
*********************************************<br />
Database File Handlers:Licensed -Expires 02/28/2400 <strong>for</strong> processors:<br />
Serial# 0107X8WT Processor Type P10<br />
*********************************************<br />
Advanced Encryption :Licensed -Expires 02/28/2400 <strong>for</strong> processors:<br />
Serial# 0107X8WT Processor Type P10<br />
*********************************************<br />
Spool Files<br />
:Licensed -Expires 02/28/2400 <strong>for</strong> processors:<br />
Serial# 0107X8WT Processor Type P10<br />
*********************************************<br />
Self Extracting :Licensed -Expires 00/00/0000 <strong>for</strong> processors:<br />
*********************************************<br />
Press ENTER to end terminal session.<br />
View Single with Exception<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (tm) Compression Utility Version 8.0.0, 2003/06/09<br />
Copyright. 2004 PKWARE, Inc. All Rights Reserved.<br />
PKZIP (R) is a registered trademark of PKWARE (R), Inc.<br />
Machine ID = 0107X8WT, Processor Group = P10<br />
*********************************************<br />
A License Report requested on 0107X8WT from CPU Serial#<br />
8.0 Product Licensed to Customer # 000003079 -Key Testers Inc.<br />
*********************************************<br />
Compression<br />
:Licensed -Expires 02/28/2400 <strong>for</strong> processors:<br />
Serial# 0107X8WT Processor Type P10<br />
*********************************************<br />
Decompression<br />
:Licensed -Expires 02/28/2400 <strong>for</strong> processors:<br />
43
Serial# 0107X8WT Processor Type P10<br />
*********************************************<br />
GZIP<br />
:Licensed -Expires 02/28/2400 <strong>for</strong> processors:<br />
Serial# 0107X8WT Processor Type P10<br />
*********************************************<br />
IFS File Handlers :Licensed -Expires 02/28/2400 <strong>for</strong> processors:<br />
Serial# 0107X8WT Processor Type P10<br />
*********************************************<br />
Database File Handlers:Licensed -Expires 02/28/2400 <strong>for</strong> processors:<br />
Serial# 0107X8WT Processor Type P10<br />
*********************************************<br />
Advanced Encryption :Licensed -Expires 02/28/2400 <strong>for</strong> processors:<br />
Serial# 0107X8WT Processor Type P10<br />
*********************************************<br />
Spool Files<br />
:Licensed -Expires 02/28/2400 <strong>for</strong> processors:<br />
Serial# 0107X8WT Processor Type P10<br />
*********************************************<br />
Self Extracting :Licensed -Expires 00/00/0000 <strong>for</strong> processors:<br />
Serial# 0107X8WT is Not Licensed. Use Of The Product will CEASE in 7 days<br />
(6/17/2003)<br />
*********************************************<br />
Press ENTER to end terminal session<br />
Conditional Use<br />
PKWARE, Inc. recognizes that there may be periods where the licensing environment<br />
established by the customer is no longer valid. Circumstances such as disaster<br />
recovery processing or the installation or upgrade of new processors will affect the<br />
environment. To accommodate the customer, SecureZIP <strong>for</strong> <strong>iSeries</strong> has a process<br />
that will allow a customer to continue using the product <strong>for</strong> a period of five days.<br />
During this time, error messages will be displayed on the console (as well as the<br />
printout) <strong>for</strong> each execution of SecureZIP <strong>for</strong> <strong>iSeries</strong>. At the end of the grace<br />
period, if the license keys are not updated, the product will no longer function in any<br />
environment other than to view an archive. This five-day grace period is designed in<br />
such a way that it will not cease to function on a weekend or the Monday following<br />
the five-day grace period.<br />
During this process you must contact your reseller or PKWARE, Inc. at 1-937-847-<br />
2687 to obtain licensing to allow use beyond the conditional period.<br />
Operating Environment<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> is distributed in a standard library, such as PKW81051S<br />
where the 800 is the version release of SecureZIP <strong>for</strong> <strong>iSeries</strong> and 510 is the<br />
minimum OS/400 operation system release that it supports (such as V5R1M0). The<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> library contains programs, commands, help panels, message<br />
file, license files, translation source file, command source file, CL source file<br />
(CVTNAME CL program and examples), and the SecureZIP <strong>for</strong> <strong>iSeries</strong> control data<br />
area necessary to run the product. As released, the distributed library PKW81051S<br />
must be in the library list and the library name must be the same as distributed.<br />
The library name used by SecureZIP <strong>for</strong> <strong>iSeries</strong> is determined by the data area<br />
PKZDTA5.<br />
44
PKZDTA5 Data Area<br />
The “PKZDTA5” data area is required to be in the library list in order run the<br />
programs and commands of SecureZIP <strong>for</strong> <strong>iSeries</strong>. The data area is 50 bytes in<br />
length with the following layout:<br />
Bytes 1 thru 10 - Library name <strong>for</strong> the product (required to run the product).<br />
Bytes 11 thru 20 - Release Levels <strong>for</strong> SecureZIP <strong>for</strong> <strong>iSeries</strong>.<br />
Bytes 21 thru 40 - Distribution and Generation In<strong>for</strong>mation only.<br />
Bytes 41 thru 50 - Global settings.<br />
Byte 41 - Disallow wildcard selection<br />
N = Wildcard selection is permitted (default).<br />
Y = Wildcard selection with PKZIP is not permitted.<br />
An example of the “DSPDTAARA PKZDTA5” output might look like:<br />
Display Data Area<br />
Data area . . . . . . . : PKZDTA5<br />
Library . . . . . . . : PKW81051S<br />
Type . . . . . . . . . : *CHAR<br />
Length . . . . . . . . : 50<br />
Text . . . . . . . . . : SecureZIP <strong>for</strong> <strong>iSeries</strong> Library-V8.0<br />
Value<br />
Offset *...+....1....+....2....+....3....+....4....+....5<br />
0 'PKW81051S V8.0 NNOV5R1M0 N '<br />
The running of SecureZIP <strong>for</strong> <strong>iSeries</strong> requires the data area to determine the<br />
library name to use <strong>for</strong> running the commands, help panels, and message file.<br />
How to Change the Standard PKZIP Library Name<br />
To assist the customer in changing the environment <strong>for</strong> running the SecureZIP <strong>for</strong><br />
<strong>iSeries</strong> product, the program “PKZSETLIB” has been included in the distribution<br />
library. PKZSETLIB will set the PKZDAT5 data area’s library name and will change the<br />
commands and help panels to recognize the library links.<br />
An example of how use PKZSETLIB to change the standard library name to a user<br />
environment library name is shown in the steps below:<br />
1. Rename the SecureZIP <strong>for</strong> <strong>iSeries</strong> standard library to the new library name:<br />
RNMOBJ OBJ('PKW81051S) OBJTYPE(*LIB) NEWOBJ(newlib)<br />
2. Verify that newlib is in library list with ADDLIBLE or EDTLIBL:<br />
ADDLIBLE newlib<br />
3. Execute PKZSETLIB program to change the data area and change links:<br />
CALL PKZSETLIB ('newlib')<br />
4. Display the PKZDTA5 data area and verify that the Library has been changed.<br />
DSPDTAARA PKZDTA5 (Positions 1 thru 10 should contain newlib)<br />
5. Test the commands PKZIP or PKUNZIP to make sure they execute correctly.<br />
45
At this point the “newlib” is the new SecureZIP <strong>for</strong> <strong>iSeries</strong> library <strong>for</strong> this<br />
environment and will need to be placed in the library list to run.<br />
Alternate Install from SAVF with Non-Standard Library Name<br />
After the SAVF is ready to restore the library, a slight modification to the commands<br />
as shown in above will be required. In the RSTLIB command you will specify “newlib”<br />
in the parameter RSTLIB to restore the library with the new library name.<br />
For example:<br />
RSTLIB SAVLIB('PKW81051S) DEV(*SAVF) SAVF(mylib/ PKW810)<br />
RSTLIB(newlib)<br />
To complete the installation, do the following:<br />
1. Add the “newlib” to your library list with ADDLIBLE:<br />
ADDLIBLE newlib<br />
2. Execute the PKZSETLIB program to change data area and change links:<br />
CALL PKZSETLIB ('newlib')<br />
3. Display the PKZDTA5 data area and verify that the Library has been changed.<br />
DSPDTAARA PKZDTA5 (Positions 1 thru 10 should contain newlib)<br />
4. Test the commands PKZIP or PKUNZIP to make sure they execute correctly.<br />
At this point the “newlib” is the new SecureZIP <strong>for</strong> <strong>iSeries</strong> library <strong>for</strong> this<br />
environment and will need to be placed in the library list to run.<br />
Running Without the PKZIP Library in the Library List<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> can run without the library in the library list as long as a<br />
data area as described above is in a library that is in the library list. One method is<br />
qualifying the command with the library name, such as:<br />
mylibrary/PKZIP ARCHIVE(‘myarchive/V5(test1)’ FILES(“testlib/*all’)<br />
The other method copies the commands to a library that exist in their library List.<br />
Note: The running of SecureZIP <strong>for</strong> <strong>iSeries</strong> requires the data area to determine<br />
the library name to use <strong>for</strong> running the commands, help panels, and message files.<br />
The following are five steps to run SecureZIP <strong>for</strong> <strong>iSeries</strong> without its distribution<br />
library in the library list.<br />
Assume 'PKW81051S’ is the SecureZIP <strong>for</strong> <strong>iSeries</strong> library and the customer’s<br />
library MYlibrary is in the customer’s standard library list. We will now add three new<br />
objects to the library MYlibrary.<br />
1. Create a new data area in the chosen library MYlibrary:<br />
CRTDTAARA DTAARA(MYlibrary/PKZDTA5) TYPE(*CHAR) LEN(50)<br />
TEXT('PKZIP control data area')<br />
2. Next set the data area value to the same values found in supplied data area<br />
in the PKZIP Library.<br />
“DSPDTAARA 'PKW81051S/PKZDTA5” output might look like:<br />
46
Display Data Area<br />
Data area . . . . . . . : PKZDTA5<br />
Library . . . . . . . : PKW81051S<br />
Type . . . . . . . . . : *CHAR<br />
Length . . . . . . . . : 50<br />
Text . . . . . . . . . : SecureZIP <strong>for</strong> <strong>iSeries</strong> Library-V8.0<br />
Value<br />
Offset *...+....1....+....2....+....3....+....4....+....5<br />
0 'PKW81051S V8.0 NNOV5R1M0 N '<br />
3. Now change the data area:<br />
CHGDTAARA DTAARA(MYlibrary/PKZDTA5)<br />
VALUE(''PKW81051S V8.0xxxV5R1M0')<br />
4. Next we need to copy the two commands to the MYlibrary Library.<br />
CRTDUPOBJ OBJ(PKZIP) FROMLIB(PKW81051S) OBJTYPE(*CMD)<br />
TOLIB(MYlibrary)<br />
RTDUPOBJ OBJ(PKUNZIP) FROMLIB(PKW81051S) OBJTYPE(*CMD)<br />
TOLIB(MYlibrary)<br />
At this point, PKZIP will work <strong>for</strong> all users that have the library MYlibrary in<br />
their library list.<br />
Note: When installing another SecureZIP <strong>for</strong> <strong>iSeries</strong> version the same process<br />
should be followed in order to pick up the latest settings of the data area and<br />
commands.<br />
Next ensure the SecureZIP <strong>for</strong> <strong>iSeries</strong> library is NOT in your library list and run a<br />
few sample tests <strong>for</strong> PKZIP and PKUNZIP to make sure the product works.<br />
47
5 File Selection and Name Processing<br />
ZIP Processing File Selection<br />
This section discusses how file selection is per<strong>for</strong>med <strong>for</strong> ZIP processing with<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong>. The primary commands used <strong>for</strong> ZIP processing are<br />
discussed here, along with some overview notes and known restrictions.<br />
This section also discusses how files are selected within an <strong>iSeries</strong> environment.<br />
Remember, ZIP directory entries within a ZIP archive will be defined in a systemindependent<br />
<strong>for</strong>mat, which is not <strong>iSeries</strong> compatible.<br />
Note: Directory entries within a ZIP archive are actually in a <strong>for</strong>mat compatible with<br />
UNIX systems and have been translated into the ASCII character set. In addition, the<br />
dataset level separators are typically set as the <strong>for</strong>ward slash (“/”), not the period<br />
(“.”) as in <strong>iSeries</strong>, although this can be controlled through command actions in<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong>.<br />
See Chapter 8 <strong>for</strong> further in<strong>for</strong>mation on how SecureZIP <strong>for</strong> <strong>iSeries</strong> handles file<br />
name interchanges between <strong>iSeries</strong> and common ZIP <strong>for</strong>mat.<br />
Primary File Selection Inputs<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> will only process:<br />
• <strong>iSeries</strong> objects of type FILE (only with attributes PF-SRC, PF-DTA, and SAVF).<br />
• IFS stream files (*STMR) and IFS directories(*DIR).<br />
• Spool files.<br />
Other objects must first be unloaded into an <strong>iSeries</strong> save file (SAVF) be<strong>for</strong>e they can<br />
be processed by SecureZIP <strong>for</strong> <strong>iSeries</strong> (see: Use of SAVF Method).<br />
The FILES parameter in both PKZIP and PKUNZIP specifies which files are to be<br />
processed <strong>for</strong> all files except spool files (SPLF have their own selection parameters).<br />
One or more names can be specified, and each name is in either OS/400 QSYS<br />
<strong>for</strong>mat, or IFS <strong>for</strong>mat, depending on F2ZTYPE settings. An asterisk may be used at<br />
the end of the library name, file name, or member name to select names beginning<br />
with the prefix used. To select all members of a file, *ALL may be used. To select all<br />
files in a library *ALL may be used (as long as it is qualified by at least a library<br />
48
name), <strong>for</strong> example, FILES('mylib/*ALL' ). If *ALL is specified without at least a<br />
qualifying library name, the specification is ignored and no files will be selected.<br />
The SecureZIP <strong>for</strong> <strong>iSeries</strong> QSYS file system expands a partial file specification in<br />
several ways to make file specification more convenient. Each file specification may<br />
consist of a filename; a library name; a file name and member name; a library name<br />
and file name; or a library name, file name, and member name. <strong>iSeries</strong> SAVF may<br />
also be selected, but because a *SAVF file does not contain members, a SAVF will<br />
not be selected if a member name was included in the file specification.<br />
In the Integrated file system, each file specification may consist of a directory, a<br />
path of directories, a directory and file, or a path of directories and file.<br />
The various combinations that may be used are shown below:<br />
File<br />
Type<br />
File specification Expanded As Notes<br />
QSYS library*/ library*/*all(*all) Finds all files in libraries<br />
beginning with library.<br />
fileinlib *LIBL/fileinlib(*ALL) Searches library list <strong>for</strong><br />
all files called fileinlib. If<br />
a matching file is found,<br />
all of its members will<br />
be selected. If a SAVF<br />
is found, it will be<br />
selected.<br />
fileinlib*(mem*) *LIBL/fileinlib*(mem*) Searches library list <strong>for</strong><br />
all files beginning with<br />
fileinlib. If a matching<br />
file is found, members<br />
beginning with mem*<br />
will be selected. If a<br />
SAVF is found, it will<br />
NOT be selected<br />
because the file<br />
specification includes a<br />
member name.<br />
library*/file* library*/file*(*ALL) Searches libraries that<br />
begin with library prefix<br />
and <strong>for</strong> files that begin<br />
with file prefix. If a<br />
matching file is found,<br />
all of its members will<br />
be selected. If a SAVF<br />
is found, it will be<br />
selected.<br />
49
File<br />
Type<br />
File specification Expanded As Notes<br />
library*/file*(memo*) library*/file*(mem*) Searches libraries that<br />
begin with library prefix<br />
and files that begin with<br />
file prefix. If a matching<br />
file is found, members<br />
beginning with mem<br />
prefix will be selected.<br />
If a SAVF is found, it will<br />
not be selected<br />
because the file<br />
specification includes a<br />
member name.<br />
IFS Dir/* Dir/*all Searches all files in<br />
path DIR.<br />
Spool<br />
Files<br />
N/A<br />
Uses parameters:<br />
SPLFILE, SFUSER,<br />
SFQUEUE, SFFORM,<br />
SFUSRDTA,<br />
SFSTATUS,<br />
SFJOBNAM, and/or<br />
SPLNBR.<br />
Note: If parameter TYPE(*DELETE) is used, then the file name <strong>for</strong>mat <strong>for</strong> these<br />
names must be in MS/DOS <strong>for</strong>mat (that is, if CVTFLAG has not been used). See the<br />
FILES keyword. Files may also be excluded. See the EXCLUDE keyword.<br />
The valid parameter values <strong>for</strong> the FILES keyword are as follows:<br />
'file specification 1' 'file specification 2'...'file_specification nn'<br />
This is the list of one or more file specifications, separated by spaces.<br />
For example:<br />
mylib/myfile(prf*)<br />
mylib/*all(*all)<br />
By default, SecureZIP <strong>for</strong> <strong>iSeries</strong> does a match on files in the QSYS library system<br />
with no case sensitivity and in the IFS with case sensitivity. Some IFS file systems<br />
contain case sensitive file names. To <strong>for</strong>ce SecureZIP <strong>for</strong> <strong>iSeries</strong> to per<strong>for</strong>m noncase<br />
sensitive file name matching use TYPFL2ZP(*IFS2).<br />
File Exclusion Inputs<br />
Using similar file specification techniques as described above in the Primary file<br />
Selection Inputs section, SecureZIP <strong>for</strong> <strong>iSeries</strong> can specify from one to many file<br />
patterns that will be used to exclude files that were selected with the FILE<br />
parameter. The files can be inputted into the command parameter EXCLUDE or into a<br />
text file that can be processed by parameter EXCLFILE.<br />
Care should be taken when using wildcards excluding inputs to ensure that FILES<br />
and EXCLUDE parameters select the desired files.<br />
50
Input ZIP Archive Files<br />
During a FRESHEN or UPDATE request, files contained within the existing ZIP archive<br />
are added to a candidate list. Names stored previously are used to search the system<br />
files <strong>for</strong> viability (any file names not found in the system remain in the ZIP archive).<br />
SPOOL File Selecting<br />
The FILES parameter is not used to select spool files <strong>for</strong> compression, but instead<br />
uses its own selection parameters.<br />
There are eight positional parameters that can be specified to select the spool files:<br />
the SPOOL FILE NAME (SPLFILE), the SPOOL FILE NUMBER (SPLNBR), the user that<br />
created the files (SFUSER), the OUTQ that the file is residing (SFQUEUE), the <strong>for</strong>m<br />
type specified (SFFORM), the user data tag associated with the spool file<br />
(SFUSRDTA), the status of the spool file (SFSTATUS), or the specific job name/user<br />
name/job number (SFJOBNAM). Only files that meet all of the selection values will be<br />
selected.<br />
If the parameter SFJOBNAM is coded, the job must exist and the parameter SFUSER<br />
will be ignored, since it is already part of the SFJOBNAM parameter.<br />
51
6 ZIP Files<br />
Data Format - Text Records vs. Binary Records<br />
Binary data is stored in a ZIPPED archive in its original <strong>for</strong>mat. Binary data may be<br />
graphics or numbers that are already in “computer <strong>for</strong>mat.” There<strong>for</strong>e, no translation<br />
is done, and EBCDIC will remain EBCDIC. The length of binary records in UNZIP<br />
processing is determined by the archive’s fixed-length records. SecureZIP <strong>for</strong><br />
<strong>iSeries</strong> will fill the available block automatically according to allocation<br />
specifications.<br />
In the context of ZIPPED archives, a “text file” is one that is stored in the ASCII<br />
<strong>for</strong>mat. A text file contains records of data, each separated by a delimiter to signify<br />
the end of the record.<br />
Note: An EBCDIC file containing text in<strong>for</strong>mation (such as source code) can be<br />
stored in its original <strong>for</strong>mat by using BINARY, but it is not considered to be a “text”<br />
file within the ZIP architecture.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> uses the default line delimiter CR-LF (X’0D0A’) at the end of<br />
each text record. Text file members in the QSYS library file system use new line<br />
characters (NL=X’15’) internally. SecureZIP <strong>for</strong> <strong>iSeries</strong> will handle the CR-LF and<br />
NL in both extraction and compressions automatically.<br />
At the time of PKUNZIP file extraction, SecureZIP <strong>for</strong> <strong>iSeries</strong> will convert text data<br />
from ASCII to EBCDIC by using a translation table. During installation, several<br />
translation tables are available, and the customization process will select one of the<br />
translation tables as a default. Additional translation tables may be created through<br />
the customizing procedure.<br />
Situations may arise in unique plat<strong>for</strong>m interchanges, or when working with text files<br />
from other countries where the default text translation table is not adequate. Users<br />
may select any available translation table by using TRAN and FTRAN parameters.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> extracts text records stored in the ZIP archive by examining<br />
data <strong>for</strong> record delimiter and file terminator indicators. Using these indicators,<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> aligns records in accordance with target file attributes.<br />
Text files (such as program source code) are held within an archive using the ASCII<br />
character set <strong>for</strong> compatibility with other versions of PKZIP ® . For these to be usable<br />
on OS/400, they must be converted to the IBM EBCDIC character set. Additionally,<br />
the carriage return and line feed characters must be removed be<strong>for</strong>e writing lines to<br />
52
a file because OS/400 files are record-based and do not use control characters to<br />
separate records or lines. Text files usually have spaces at the end of a line. When<br />
using the text file handlers, SecureZIP <strong>for</strong> <strong>iSeries</strong> has less data to read because<br />
the input/output routines remove trailing spaces and replace them with a new line<br />
character. This improves SecureZIP <strong>for</strong> <strong>iSeries</strong> per<strong>for</strong>mance.<br />
When extracting files from an archive, SecureZIP <strong>for</strong> <strong>iSeries</strong> must know whether<br />
to per<strong>for</strong>m text conversions. SecureZIP <strong>for</strong> <strong>iSeries</strong> stores an indicator in the<br />
archive file’s local header defining if a file is binary or text-based. Because this<br />
indicator may be wrong in some circumstances, use the FILETYPE keyword to specify<br />
whether text conversions are required. When adding files to an archive, SecureZIP<br />
<strong>for</strong> <strong>iSeries</strong> will flag the file according to the FILETYPE used.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> uses translation tables that should be suitable <strong>for</strong> most<br />
customers, but some users may wish to alter the tables. The procedure <strong>for</strong> changing<br />
the translation tables is discussed. If text files are only used on <strong>iSeries</strong>, then the<br />
FILETYPE(*EBCDIC) may be used. This uses <strong>iSeries</strong> files “as is” <strong>for</strong> the file (which are<br />
faster <strong>for</strong> text files), but does not translate the data to ASCII. This will provide a<br />
small improvement in per<strong>for</strong>mance.<br />
Additionally, SecureZIP <strong>for</strong> <strong>iSeries</strong> will translate each character in a text file from<br />
EBCDIC character <strong>for</strong>mat to ASCII character <strong>for</strong>mat by default. This is done using<br />
one of the two internal translation tables, which are named UKASCII and USASCII. It<br />
is recognized that these translation tables may not suffice <strong>for</strong> all countries or all<br />
situations, especially on those sites where text files are received from several<br />
different countries <strong>for</strong> processing into a single <strong>for</strong>mat. The source of the translation<br />
tables used by the PKZIP and PKUNZIP programs has been supplied, together with<br />
instructions <strong>for</strong> modifying the tables to create additional files (see Appendix F <strong>for</strong><br />
details). This enables sites to modify the translation table as required.<br />
In a case where FILETYPE is neither *TEXT nor *BINARY, *DETECT is the default<br />
mode. PKZIP will read up to 64K of data from the input file and scan it <strong>for</strong> nontranslatable<br />
text characters using the active text translation table. If any characters<br />
will not translate successfully using this method, the entire file will be treated as if<br />
*BINARY has been used.<br />
Note: One exception to this is X’00’ or the NULL terminator character, which is<br />
commonly used in C language. The NULL character will be allowed within the files. If<br />
file type is of a file in the archive is unknown whether it is text or binary, the user<br />
may use the TYPE(*VIEW) and VIEWOPT(*DETAIL) parameters to examine the file<br />
attributes.<br />
File Attributes<br />
Within each ZIP archive there are two different directories providing in<strong>for</strong>mation<br />
about the files held in that archive. A local directory is included at the front of each<br />
file, with in<strong>for</strong>mation pertaining to each file (<strong>for</strong> example: file size and date ZIPPED),<br />
and a central directory is located at the end of the ZIP archive. The central directory<br />
lists the complete contents of the ZIP archive and is the primary source of<br />
in<strong>for</strong>mation <strong>for</strong> UNZIP processing.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> will store extended attributes about the file that can be<br />
useful in recreating the file during UNZIP processing. See Appendix K.<br />
53
PC Shared Drives Format<br />
One common mistake made when extracting a text file to a shared drive folder in the<br />
IFS where the file will be used by a Windows application is to extract the file in text<br />
mode. Extracting a file as a TEXT file on the <strong>iSeries</strong> will cause PKUNZIP to translate<br />
the file to the EBCDIC <strong>for</strong>mat since this is the native <strong>iSeries</strong> <strong>for</strong>mat. The Windows<br />
application expects the file to be in ASCII, so there<strong>for</strong>e this file should be extracted<br />
using binary, since the files are stored in ASCII in the archive.<br />
54
7 File Extracting Process<br />
Extracting Files to the QSYS Library File System<br />
When extracting files to the QSYS library file system using TYPFL2ZP(*DB), some<br />
items to consider are 1) does the file exist or will a new file be create?, 2) did the file<br />
come from SecureZIP <strong>for</strong> <strong>iSeries</strong> or did it come from another plat<strong>for</strong>m?, 3) are the<br />
files text type files from another plat<strong>for</strong>m where I need to know the record length,<br />
etc. These are just a few questions that might impact how you want to extract the<br />
files.<br />
If the file does not exist and if the file did not come from SecureZIP <strong>for</strong> <strong>iSeries</strong>,<br />
you should provide a record length <strong>for</strong> the file with the parameter DFTDBRECLN. If<br />
the file is coming from SecureZIP <strong>for</strong> <strong>iSeries</strong> or PKZIP <strong>for</strong> zSeries the record<br />
length will be in the extra data. If the file is from SecureZIP <strong>for</strong> <strong>iSeries</strong> and the<br />
parameter was DBSERVICE(*YES), the complete database definition from the<br />
extract data <strong>for</strong> database will be used to create the file.<br />
If the file is to be created as text and the record length is too short then you will<br />
receive messages indicating the records are being truncated.<br />
Two common parameters that are used to alter or guide the extraction process are<br />
the EXDIR and DROPPATH parameters. EXDIR provides the path library or library/file<br />
that the file will be extracted to when no library or path exist <strong>for</strong> the files in the<br />
archive. Of course, this is where the DROPPATH comes in to drop the first path or<br />
library with *LIB or to remove all paths in a name with *ALL.<br />
For example, files in an archive might look like this:<br />
Archive/#1:<br />
My Document/myfiles/test/myheader.txt<br />
My Document/myfiles/test/mydata.txt<br />
My Document/myfiles/test/mytrailer.txt<br />
Archive/#2:<br />
QGPL/QCLSRC/MYCL01<br />
QGPL/QCLSRC/MYCL02<br />
QGPL/QCLSRC/MYCL03<br />
QGPL/QCLSRC/MYCL04<br />
In archive #1 lets assume that all three text files are of different records lengths. If<br />
we want to extract each with their own length, we would have to make three runs to<br />
55
create the files with different parameters. Or we could use CRTPF and create each of<br />
the files so the files would exist with the proper record length.<br />
PKUNZIP ARCHIVE('Archive/#1') FILES('My<br />
Document/myfiles/test/myheader.txt') TYPE(*EXTRACT)<br />
EXDIR('MYLIB/MYHEADER') DROPPATH(*ALL) DFTDBRECLN(50)<br />
CVTTYPE(*DROP)<br />
PKUNZIP ARCHIVE('Archive/#1') FILES('My Document/myfiles/test/mydata.txt')<br />
TYPE(*EXTRACT) EXDIR('MYLIB/MYDATA') DROPPATH(*ALL) DFTDBRECLN(150)<br />
CVTTYPE(*DROP)<br />
PKUNZIP ARCHIVE('Archive/#1') FILES('My<br />
Document/myfiles/test/myheader.txt') TYPE(*EXTRACT)<br />
EXDIR('MYLIB/MYTRAILER') DROPPATH(*ALL) DFTDBRECLN(20)<br />
CVTTYPE(*DROP)<br />
The commands above would create three files in library MYLIB, with all files having<br />
different record lengths.<br />
Now suppose the files already exist with the names and record lengths. In this case,<br />
we could do all three files at once with:<br />
PKUNZIP ARCHIVE('Archive/#1') TYPE(*EXTRACT) EXDIR('MYLIB/?MBR')<br />
DROPPATH(*ALL) CVTTYPE(*DROP) OVERWRITE(*YES)<br />
The MBR will <strong>for</strong>ce each member name to also become the file name.<br />
In archive #2, let’s assume that we want to extract the CL source member and place<br />
them in a different library call MYNEWLIB. If the QCLSRC file does not exist and the<br />
archive was not built with DBSERVICE(*YES), then you would need to do a<br />
CRTSRCPF FILE(MYNEWLIB/QCLSRC)<br />
to have the file setup correctly <strong>for</strong> source files. If the QCLSRC file already exist in<br />
MYNEWLIB or the archive was built with DBSERVICE(*YES), then no special handling<br />
is required.<br />
Authority Settings<br />
When extracting files into the QSYS library file system, whether the files came from<br />
the AS/400 or another plat<strong>for</strong>m, the authorities are not taken from the archive, but<br />
from the user’s current environment settings. The file’s authority is not stored in the<br />
archive.<br />
If a library is required to be created, PKUNZIP would create the library as if the<br />
current user was issuing a CRTLIB command. For standard settings, it might create<br />
the library with the following authority settings:<br />
Data --Object Authorities--<br />
User Authority Exist Mgt Alter Ref<br />
*PUBLIC *RWX<br />
USER *RWX X X X X.<br />
If the file does not exist, PKUNZIP will be required to create the file. If the file does<br />
exist no authorities are changed. If the file is created, the authority will be the same<br />
as if the user was issuing a CRTPF command in their environment. For most standard<br />
settings, it would create the file with the following authority settings:<br />
56
Data --Object Authorities--<br />
User Authority Exist Mgt Alter Ref<br />
*PUBLIC *RWX<br />
MYOWNER *RWX X X X X<br />
Extracting Files to the IFS<br />
When extracting files to the integrated file system with TYPFL2ZP(*IFS), record<br />
lengths are not a concern as they were in the QSYS library file system. The main<br />
considerations when extracting to the IFS is “what paths do you want <strong>for</strong> the file, or<br />
should the file be stored in EBCDIC or ASCII”.<br />
Path Considerations<br />
If the name of files in the archive, starts with ‘/’, then with no other changes this will<br />
be extracted to the root of the system with the first name in the path. This <strong>for</strong>m of<br />
pathname is called a fully qualified path.<br />
If the name does not start with a ‘/’, the item will be extracted to the paths based on<br />
the current directory (DSPCURDIR). This <strong>for</strong>m of pathname is called a relative path.<br />
In both cases if the path(s) does not exist, the path(s) will be created with the<br />
attributes of the parent folder.<br />
Changing the path(s)<br />
In cases where the path that is stored with a name of the file in archive is not<br />
desired, then using the EXDIR and DROPPATH parameters should help guide the file<br />
to where it should be placed.<br />
Using EXDIR, you can define the path of the file(s) that will be extracted. If you need<br />
to remove the path of the file in the archive, you can use DROPPATH(*ALL) to<br />
remove all the paths be<strong>for</strong>e extracting or you can use DROPPATH(*LIB) to remove<br />
only the first path name.<br />
Again the coding of EXDIR follows the same rule with regards to fully qualified path<br />
or relative path.<br />
File Type Considerations<br />
When extracting a file, the decision to whether the contents of file should be stored<br />
in ASCII or EBCDIC needs to be made.<br />
If the file is not a text file, it does not matter and should be stored as binary. If the<br />
file is text, and will be used by a PC program, chances are the data is expected to be<br />
in ASCII. Since the files are stored in the archive as ASCII, these files should be<br />
extricated as TYPEFILE(*BINARY). If the file is to be used by an AS/400 application<br />
or will be translated later, then chances are the file should be stored in EBCDIC. In<br />
this case use TYPEFILE(*TEXT) to extract the file in EBCDIC.<br />
57
Authority Settings<br />
If directories are required to be created during the extraction, the authority settings<br />
will be created according to the create directory definitions of the DTAAUT(*INDIR)<br />
and OBJAUT(*INDIR) parameters.<br />
The authority <strong>for</strong> the directory being created is determined by the directory it is<br />
being created in. The directory immediately preceding the new directory determines<br />
the authority. A directory created in the root is assigned the public authority given to<br />
objects in the root directory. A directory created in QDLS <strong>for</strong> a folder defaults to<br />
*EXCLUDE <strong>for</strong> a first level folder. If created in the second level or greater, the<br />
authority of the previous level is used. The QOpenSys and root file systems use the<br />
parent directory's DTAAUT value.<br />
The object authority is based on the authority <strong>for</strong> the directory where this directory is<br />
being created.<br />
For IFS files, the access permissions flags of the file are captured. For Example:<br />
• S_IRUSR - Read permission <strong>for</strong> the file owner<br />
• S_IWUSR - Write permission <strong>for</strong> the file owner<br />
• S_IXUSR - Search permission (<strong>for</strong> a directory) or execute permission (<strong>for</strong> a<br />
file) <strong>for</strong> the file owner<br />
• S_IRGRP - Read permission <strong>for</strong> the file's group<br />
• S_IWGRP - Write permission <strong>for</strong> the file's group<br />
• S_IXGRP - Search permission (<strong>for</strong> a directory) or execute permission (<strong>for</strong> a<br />
file) <strong>for</strong> the file's group<br />
• S_IROTH - General read permission<br />
• S_IWOTH - General write permission<br />
• S_IXOTH - General search permission (<strong>for</strong> a directory) or general execute<br />
permission (<strong>for</strong> a file)<br />
These access permission flags will be set <strong>for</strong> the owner that is running the PKUNZIP<br />
job and not the original owner.<br />
Other user permissions from the parent folder will also be set <strong>for</strong> the file.<br />
For example, the folder being extracted into has *PUBLIC as *EXCLUDE, the<br />
extracted file will also have *PUBLIC as *EXCLUDE.<br />
Extracting Spool Files<br />
When extracting spool files with PKUNZIP, the attributes at the time of compression,<br />
will be preserved except <strong>for</strong> new spool file numbers. That will be generated.<br />
Parameter SPLUSRID is <strong>for</strong> the user ID on the new extracted spool file. If it is *DFT<br />
the original user ID will stay with the new spool file. Parameter SFQUEUE is <strong>for</strong> the<br />
OUTYQ and OUTQ library that the new extracted spool file will be placed. If *DFT is<br />
specified then the original OUTQ will be used to place the spool file.<br />
58
Note on extracting Spool Files: To create or extract spool file with<br />
PKUNZIP, the user must have *USE authority to the API QSPCRTSP.<br />
The normal setting <strong>for</strong> the API QSPCRTSP is Authority<br />
PUBLIC(*EXCLUDE). The API authority is set this way so that system<br />
administrators can control the use of this API. This API has security<br />
implications because you can create spooled file from the data of<br />
another spooled file. To allow user to extract spool files change the<br />
API authority on a need basis.<br />
When extracting a spool file with PKUNZIP, the new spooled file will be created with<br />
attributes based on values taken from the spooled file attributes when PKZIP<br />
archived the spool file. The spool file’s file number, job, job user, job number, date,<br />
and time are controlled by IBM OS/400 operating system during the creation of a<br />
spool file.<br />
The new spool file that is created by the PKUNZIP is spooled under one of two jobs<br />
and is dictated by IBM’s create spool file API. The job is determined by the username<br />
field from the attributes. If the user name is the current user, it is a part of the<br />
user's job and is owned by the user profile that the job was started with. First the<br />
user profile <strong>for</strong> the user name must already exist. When using the user id override<br />
(parameter SPLUSRID), the spool file will be now belong to the override user.<br />
If the ownership of the new spooled file is assigned to a different user by a different<br />
user profile name in the user-name field from the attributes, then the current user<br />
must have *SPLCTL authority to assign the spooled file to another user. When this is<br />
done, the new spooled file is by the user specified in the user name field or override<br />
parameter. The new spooled file is then part of a special system job (QPRTJOB) that<br />
is created <strong>for</strong> each user.<br />
The new spooled file is placed on the output queue specified in the output queue<br />
name field from the original spool file attributes. If the parameter SFQUEUE is used it<br />
will override the attribute <strong>for</strong> the output queue.<br />
In both cases, the spooled file name is the one contained in the spooled file<br />
attributes parameter. The spooled file number will be the next sequential one<br />
available <strong>for</strong> the job that the spooled file becomes a part of.<br />
OS/400 authority requirements when extracting spool files:<br />
• Special Authority - *SPLCTL. This authority is needed if you are creating a<br />
spooled file <strong>for</strong> another user.<br />
• Output Queue Authority -*USE<br />
• Output Queue Library Authority - *EXECUTE<br />
• Object QSPCRTSP API Authority -*USE<br />
The following are several examples of results of extracting spool files:<br />
Start with archiving the following spool files that were created with job MYJOB1 and<br />
user EVWSS:<br />
File File Nbr Job User Number Date Time<br />
QSYSPRT 397 MYJOB1 EVWSS 010893 12/11/02 13:35:29<br />
QSYSPRT 398 MYJOB1 EVWSS 010893 12/11/02 13:36:09<br />
QSYSPRT 399 MYJOB1 EVWSS 010893 12/11/02 13:36:09<br />
59
Now extract with job MYJOB1 and user EVWSS but now on a different day and job<br />
number:<br />
File File Nbr Job User Number Date Time<br />
QSYSPRT 2 MYJOB1 EVWSS 010927 12/12/02 09:57:42<br />
QSYSPRT 3 MYJOB1 EVWSS 010927 12/12/02 09:57:42<br />
QSYSPRT 4 MYJOB1 EVWSS 010927 12/12/02 09:57:42<br />
Next extract with job MYJOB2 and user EVWSS but now on a different day and job<br />
number:<br />
File File Nbr Job User Number Date Time<br />
QSYSPRT 2 MYJOB2 EVWSS 010928 12/12/02 09:59:06<br />
QSYSPRT 3 MYJOB2 EVWSS 010928 12/12/02 09:59:06<br />
QSYSPRT 4 MYJOB2 EVWSS 010928 12/12/02 09:59:06<br />
Next, using the user, override with the SPLUSRID(WSS) and submit MYJOB1 with<br />
user EVWSS.<br />
File File Nbr Job User Number Date Time<br />
QSYSPRT 26 QPRTJOB WSS 010118 12/12/02 10:02:50<br />
QSYSPRT 27 QPRTJOB WSS 010118 12/12/02 10:02:50<br />
QSYSPRT 28 QPRTJOB WSS 010118 12/12/02 10:02:50<br />
Notice that the job was changed to QPRTJOB since the user being extracted was<br />
different than the user running the Job.<br />
Next being signed on as user WSS, submit a job MYJOB11 with the job parameter<br />
USER profile specified <strong>for</strong> user EVWSS.<br />
SBMJOB CMD(PKUNZIP ARCHIVE('atest/splftst/tst02')<br />
TYPE(*EXTRACT)) JOB(MYJOB11) USER(EVWSS)<br />
File File Nbr Job User Number Date Time<br />
QSYSPRT 2 MYJOB11 EVWSS 010936 12/12/02 10:25:25<br />
QSYSPRT 3 MYJOB11 EVWSS 010936 12/12/02 10:25:25<br />
QSYSPRT 4 MYJOB11 EVWSS 010936 12/12/02 10:25:25<br />
60
8 <strong>iSeries</strong> File Processing Support<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> can support files maintained in both the traditional QSYS<br />
library file system and in IFS (integrated file system) along with supporting spool<br />
files.<br />
QSYS (Library File System)<br />
The QSYS file system supports the <strong>iSeries</strong> library structure. This file system provides<br />
access to database files and all other <strong>iSeries</strong> object types that the library manages.<br />
On the IBM <strong>iSeries</strong> system, each QSYS type file (also called a file object) has a<br />
description that details the file characteristics and how the data associated with the<br />
file is organized into records, and, in many cases, the fields associated <strong>for</strong> each<br />
record. Whenever a file is processed, the <strong>iSeries</strong> uses this description.<br />
Of the objects in the library system, SecureZIP <strong>for</strong> <strong>iSeries</strong> will only process<br />
physical files that have an attribute type of PF-DTA (physical data files), PF-SRC<br />
(physical source file), or SAVF (save files).<br />
QSYS files always exist in a library, and the PF-DTA and PF-SRC files (if data exist)<br />
will always have one to many members in the file. There<strong>for</strong>e, PF-DTA and PF-SRC<br />
files have a name <strong>for</strong>mat of “library/file(member).” A SAVF (a special type of <strong>iSeries</strong><br />
file <strong>for</strong> saving and restoring <strong>iSeries</strong> objects) does not have any members giving a file<br />
<strong>for</strong>mat of “library/file.” Because SAVF types are handled in a special way, they are<br />
given additional consideration (see SAVF and use of SAVF method).<br />
QSYS Summary<br />
If the archive file is to be in the QSYS library system, set parameter<br />
TYPARCHFL(*DB).<br />
If the file being compressed or extracted is in the QSYS library system, set<br />
parameter TYPFL2ZP(*DB).<br />
If the list files (see Appendix E) are to be in the QSYS library system, set parameter<br />
TYPLISTFL(*DB).<br />
61
Format Summary:<br />
PF-DTA<br />
PF-SRC<br />
SAVF<br />
LIBRARY/FILE(MEMBER)<br />
LIBRARY/FILE(MEMBER)<br />
LIBRARY/FILE<br />
IFS (Integrated File System)<br />
The integrated file system is a part of <strong>iSeries</strong> which supports stream input/output<br />
and storage management similar to personal computer and UNIX operating systems,<br />
while providing an integrating structure over all in<strong>for</strong>mation stored in the <strong>iSeries</strong>.<br />
The key features of the integrated file system are:<br />
• Support <strong>for</strong> storing in<strong>for</strong>mation in stream files that can contain long<br />
continuous strings of data. These strings of data might be, <strong>for</strong> example, the<br />
text of a document or the picture elements in a picture. The stream file<br />
support is designed <strong>for</strong> efficient use in client/server applications.<br />
• A hierarchical directory structure that allows objects to be organized by<br />
specifying the path through the directories to an object <strong>for</strong> access to an<br />
object.<br />
• A common view of stream files stored locally on <strong>iSeries</strong>, Integrated Netfinity<br />
Server <strong>for</strong> <strong>iSeries</strong>, or a remote Windows NT server. Stream files can also be<br />
stored remotely on a local Area Network (LAN) server.<br />
Directories and Current Directory<br />
A directory is a special object that is used to locate objects by names specified by<br />
users. Each directory contains a list of objects that are attached to it, and that list<br />
may include other directories.<br />
The current directory is the first directory in which the operating system locates files,<br />
and where it also stores temporary files and output files. When you request an<br />
operation <strong>for</strong> an object, such as a file, the system searches <strong>for</strong> the object in the<br />
current directory, unless a different directory path is specified. The current directory<br />
is similar in nature to the current library. If the file selection does not start with ‘/’<br />
(Root Directory), the files should be in the path of the current directory.<br />
Path and Path Names<br />
A path name (also called a pathname on some systems) in<strong>for</strong>ms the system how to<br />
locate an object. The path name is expressed as a sequence of directory names<br />
followed by the name of the object. Individual directories and the object name are<br />
separated by a slash (/) character. An example might be: directory1/directory2/file.<br />
For convenience, the back slash (\) can be used instead of the slash in integrated file<br />
system commands.<br />
There are two ways of indicating a path name:<br />
An absolute path name begins at the highest level, or root directory (which is<br />
identified by the / character). For example, consider the following path from the /<br />
directory to the file named testit: /mydept/myfiles/testit.<br />
62
If the path name does not begin with the / character, the system assumes that the<br />
path begins at your current directory. This type of path name is called a relative path<br />
name. For example, if your current directory is mydept and it has a sub-directory<br />
named myfiles containing the file testit, the relative path name to the file is:<br />
myfiles/testit. Notice that the path name does not include the name of the current<br />
directory. The first item in the name is the directory or object at the next level below<br />
the current directory.<br />
Stream Files<br />
A stream file is a randomly accessible sequence of bytes with no further structure<br />
imposed by the system. The integrated file system provides support <strong>for</strong> storing and<br />
operating on in<strong>for</strong>mation in the <strong>for</strong>m of stream files. Documents that are stored in<br />
<strong>iSeries</strong> folders are stream files. Other examples of stream files are PC files and the<br />
files in UNIX systems. An integrated file system stream file is a system object that<br />
has an object type of *STMF.<br />
Other IFS Objects<br />
There are other object types (such as link objects, etc.) in the IFS which at this time<br />
are not supported by SecureZIP <strong>for</strong> <strong>iSeries</strong>.<br />
File Systems in the IFS<br />
There are currently ten (10) file systems that are part of the integrated file system.<br />
Each file system is a major sub-tree in the IFS directory structure. A file system<br />
provides the support to access specific segments of storage that are organized as<br />
logical units. These logical units on the <strong>iSeries</strong> are files, directories, libraries, and<br />
objects.<br />
Each of these file systems has a set of logical structures and rules <strong>for</strong> interacting<br />
with in<strong>for</strong>mation in storage. These structures and rules may be (and often are)<br />
different from one file system to another. The IFS treats the library support and<br />
folders support as separate file systems.<br />
The ten file systems are:<br />
• “root” - / file system. This file system takes full advantage of stream file<br />
support and hierarchical directory structure of the integrated file system. The<br />
root file system has the characteristics of the Disk Operating System (DOS)<br />
and OS/2 file systems. Most of references throughout this guide refer to the<br />
“root” system.<br />
• QDLS - Document Library Services file system. This file system provides<br />
access to documents and folders. See IBM’s Office Services Concepts and<br />
Programmer’s <strong>Guide</strong> (SH21-0703) <strong>for</strong> additional in<strong>for</strong>mation.<br />
• QOPT - Optical file system. This file system provides access to stream<br />
data that is stored on optical media (such as CDs). See IBM’s Optical Support<br />
(SC41-5310) <strong>for</strong> additional in<strong>for</strong>mation.<br />
• QSYS.LIB - Library file system. This file system supports the <strong>iSeries</strong><br />
library structure and provides access to database files and all of the other<br />
<strong>iSeries</strong> object types that the library support manages.<br />
63
• NFS - Network File System. This file system provides the user with access<br />
to data and objects that are stored on a remote NFS server. An NFS server<br />
can export a network file system that NFS clients will then mount<br />
dynamically. See IBM’s OS/400 Network File System Support (SC41-5714) <strong>for</strong><br />
additional in<strong>for</strong>mation.<br />
• QFileSvr.400. This file system provides access to other file systems that<br />
reside on remote <strong>iSeries</strong> systems. See IBM’s Integrated File System<br />
Introduction (SC41-5711) <strong>for</strong> additional in<strong>for</strong>mation.<br />
• QNetWare - QNetWare file system. This file system provides access to<br />
local or remote data and objects that are stored on a server that runs Novell<br />
NetWare 4.10 or 4.11 or to standalone PC servers running Novell Netware<br />
3.12, 4.10, 4.11, or 5.0. A user can mount NetWare file systems over existing<br />
local file systems dynamically. See File Management (SC41-5710) <strong>for</strong><br />
additional in<strong>for</strong>mation.<br />
• QNTC Windows NT Server file system. This file system provides access to<br />
data and objects that are stored on a server running Windows NT 4.0 or<br />
higher. It allows <strong>iSeries</strong> applications to use the same data as Windows NT<br />
clients. This includes access to the data on a Windows NT Server that is<br />
running on an integrated PC Server. See IBM’s OS/400-<strong>iSeries</strong> Integration<br />
with Windows NT Server (SC41-5439) <strong>for</strong> details.<br />
• QOpenSys - Open Systems file system. This file system is compatible<br />
with UNIX-based open system standards, such as POSIX and XPG. Like the<br />
root file system, this file system takes advantage of the stream file and<br />
directory support that is provided by the integrated file system. In addition, it<br />
supports case-sensitive object names. See IBM’s Integrated File System<br />
Introduction (SC41-5711) <strong>for</strong> additional in<strong>for</strong>mation.<br />
• UDFS - User-Defined File System. This file system resides on the Auxiliary<br />
storage pool (ASP) of the user’s choice. The user creates and manages this<br />
file system. See IBM’s Integrated File System Introduction (SC41-5711) <strong>for</strong><br />
additional in<strong>for</strong>mation.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> works with all file systems, but the rules of each file system<br />
must be adhered to or a file I/O error will most likely occur. In most cases, the files<br />
can be compressed and extracted in one run when all the file names and paths meet<br />
the file system’s rules. When creating an archive file in one file system, one<br />
restriction is that when using the TMPPATH option, the temp path must also be in the<br />
same file system as the archive files.<br />
On the following pages are rules <strong>for</strong> some of the most used file systems.<br />
Document Library Services File System (QDLS)<br />
The QDLS file system supports the folders structure. It provides access to documents<br />
and folders. Additionally, it supports <strong>iSeries</strong> folders and document library objects<br />
(DLOs) and supports data stored in stream files.<br />
Considerations and Limitations:<br />
• You must be enrolled in the system distribution directory when working with<br />
objects in QDLS.<br />
• QDLS converts the lowercase English alphabetic characters a through z to<br />
uppercase when used in object names. There<strong>for</strong>e, a search <strong>for</strong> object names<br />
64
using only those characters is not case sensitive. All other characters are case<br />
sensitive in QDLS.<br />
• Each component of the path name can consist of just a name, such as:<br />
/QDLS/MYFLR1/MYDOC1 - or - a name plus an extension (similar to a DOS<br />
file extension), such as: /QDLS/MYFLR1/MYDOC1.TXT.<br />
• The name in each component can be up to 8 characters long, and the<br />
extension (if any) can be up to 3 characters long. The maximum length of the<br />
path name is 82 characters, assuming an absolute path name that begins<br />
with /QDLS.<br />
• The directory hierarchy within QDLS can be 32 levels deep.<br />
• Must have proper authority within the path.<br />
• The folders in the path must already exist.<br />
• PKZIP will not create folders at this time.<br />
• For more details, see the “Rules <strong>for</strong> Specifying Folder and Document Names”<br />
discussion in the publication CL Reference.<br />
Optical File System (QOPT)<br />
The QOPT file system provides access to stream data that is stored on optical media<br />
(such as CDs). Additionally, it provides a hierarchical directory structure (similar to<br />
PC operating systems such as DOS and OS/2), is optimized <strong>for</strong> stream file<br />
input/output, and supports data stored in stream files (known as DSTMF or<br />
Distributed Stream Files).<br />
Considerations and Limitations:<br />
• QOPT converts the lowercase English alphabetic characters a to z to<br />
uppercase when used in object names. There<strong>for</strong>e, a search <strong>for</strong> object names<br />
using only those characters is not case-sensitive. For more details, see the<br />
publication Optical Support.<br />
• The path name must begin with a slash (/) and contain no more than 294<br />
characters. The path is made up of the file system name, the volume name,<br />
the directory and sub-directory names, and the file name. For example:<br />
/QOPT/VOLUMENAME/DIRECTORYNAME/SUBDIRECTORYNAME/FILENAME<br />
• The file system name (/QOPT) is required.<br />
• The volume name is required and can be up to 32 characters long.<br />
• You can include one or more directories or sub-directories in the path name,<br />
but QOPT requires none. The total number of characters in all directory<br />
names and sub-directory names (including the leading slash) cannot exceed<br />
256 characters. Directory and file names allow any character except X'00'<br />
through X'3F', X'FF', lowercase alphabetic characters, and the following<br />
characters:<br />
• Asterisk (*)<br />
• Hyphen (-)<br />
• Question mark (?)<br />
• Quotation mark (")<br />
65
• Greater than (>)<br />
• Less than (
For in<strong>for</strong>mation about code pages, see the publication National Language Support.<br />
IFS Summary<br />
Only directories and stream files are supported by SecureZIP <strong>for</strong> <strong>iSeries</strong>.<br />
If the archive file is to be in IFS, set parameter TYPARCHFL(*IFS).<br />
If the file being compressed or extracted is in IFS, set parameter TYPFL2ZP(*IFS)<br />
If the files to be selected <strong>for</strong> compression are to be non-case sensitive set parameter<br />
TYPARCHFL(*IFS2).<br />
If the list files are to be in IFS (see Appendix E), set parameter TYPLISTFL(*IFS).<br />
Format Summary:<br />
Directory Directory1/directory2 will be current<br />
directory<br />
Stream File filename or directory/filename will be current<br />
directory<br />
Full Path<br />
/Directory1/Directory2/filename<br />
For more in<strong>for</strong>mation, see the IBM publication Integrated File System Introduction<br />
(SC41-5711) or visit the IBM web site.<br />
SAVF<br />
SAVF, denoted by the OS/400 system TYPE(*FILE) and ATTR(SAVF), is a special<br />
<strong>for</strong>m of file designed specifically to handle save/restore data in the <strong>iSeries</strong> system.<br />
Some SAVF special characteristics are:<br />
• The SAVF is always processed as binary with all records being 528 characters<br />
in length.<br />
• Only a save and restore <strong>iSeries</strong> function can update or change data.<br />
• A SAVF will not be selected if a member name is included in the file<br />
specification.<br />
• A SAVF is a means to compress other <strong>iSeries</strong> object types (programs,<br />
modules, commands, logical files, triggers, etc.) that are in the <strong>iSeries</strong> system<br />
by first doing a SAVLIB or SAVOBJ <strong>for</strong> those objects to a SAVF. Then you can<br />
compress and extract the SAVF.<br />
Compressing a SAVF file<br />
The only difference when compressing a SAVF is not to specify a member (only<br />
library/file). If a member is specified, then no SAVF types will be compressed.<br />
Extracting Records into a SAVF file<br />
It is helpful be<strong>for</strong>e extracting records from a ZIP archive to be aware of what file<br />
names and file attributes are being stored <strong>for</strong> the compressed file. VIEWOPT(<br />
67
*DETAIL) may be used on the archive to verify the in<strong>for</strong>mation. An attribute is stored<br />
in the archive header that identifies if the file is a SAVF. The PKUNZIP program will<br />
also retain the original attribute from the extended attributes, such as SAVF<br />
description and library description.<br />
A common problem in some <strong>iSeries</strong> environments is that some users may not have<br />
the authority to the SAVF commands which can result in failures.<br />
Overwriting Current SAVF File<br />
When extracting a compressed file, it may be desirable to overwrite the existing file.<br />
By using the OVERWRITE(*YES) parameter, PKUNZIP will first issue a CLRSAVF<br />
command to clear the save file. This demonstrates why care should be taken when<br />
extracting a SAVF.<br />
Compressing Spool Files<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> has the ability to select, compress and extract spool files.<br />
Not only can a spool file be compressed, they can be converted to other document<br />
<strong>for</strong>mats that will allow the document file to be distributed and read by other media<br />
and software.<br />
All spool files are eligible <strong>for</strong> compression but only spool file types *SCS, *IPDS are<br />
supported <strong>for</strong> text document conversion.<br />
By using the PKZIP command and setting parameter TYPFL2ZP(*SPL), other<br />
parameters will be shown to help select the spool files. To assist, a new command<br />
PKZSPOOL is provided to sequenced the selections and to eliminate parameters that<br />
are not valid <strong>for</strong> the selection of spool files.<br />
Spool file parameters specifies the group of spool files that are to be selected. Eight<br />
positional values can be specified to select the spool files: the spool file name<br />
(SPLFILE), the spool file number (SPLNBR), the user that created the files (SFUSER),<br />
the OUTQ that the file is residing (SFQUEUE), the <strong>for</strong>m type specified (SFFORM), the<br />
user data tag associated with the spool file (SFUSRDTA), the status of the spool file<br />
(SFSTATUS), or the specific job name/user name/job number (SFJOBNAM). Only files<br />
that meet all of the selection values will be selected. A sample of the default<br />
selection parameters is shown in the window below:<br />
Selection sample using the PKZSPOOL command.<br />
Type choices, press Enter.<br />
SPLF File Compression 8.0 (PKZSPOOL)<br />
Archive Zip File name . . . . . > myar<br />
Spool File . . . . . . . . . . . *ALL Spool File Name, *All<br />
Spool File User . . . . . . . . *CURRENT User ID, *CURRENT, *ALL<br />
+ <strong>for</strong> more values<br />
Output Queue Name . . . . . . . *ALL OutQ name, *ALL<br />
Library . . . . . . . . . . .<br />
Library, *LIBL, *CURLIB<br />
Print Form Type . . . . . . . . *ALL Form Type, *STD, *ALL<br />
Print File User Specified Data *ALL User Data, *all<br />
Spool Files Status . . . . . . . *ALL *ALL, *READY, *HELD...<br />
+ <strong>for</strong> more values<br />
68
Spool File Job Name . . . . . .<br />
Job name, blank <strong>for</strong> all<br />
User . . . . . . . . . . . . .<br />
User Id<br />
Job Number . . . . . . . . . .<br />
Job Number<br />
Spooled file number . . . . . . *ALL 1-9999, *ALL, *LAST<br />
Target File Format . . . . . . . *SPLF *SPLF, *TEXT, *PDF, *TEXT1...<br />
Target File Name . . . . . . . . *GEN1<br />
Type of processing . . . . . . . *ADD *ADD, *UPDATE, *FRESHEN ..<br />
Compression Level . . . . . . . *SUPERFAST *NO, *FAST, *NORMAL, *MAX...<br />
File Types . . . . . . . . . . . *DETECT *DETECT *TEXT *BINARY ........<br />
Zip Spool Files . . . . . . . . *SPL *SPL<br />
Archive Password . . . . . . . .<br />
After defining what spool files are to be selected <strong>for</strong> compression, you will need to<br />
define the file <strong>for</strong>mat the spool file should be stored in the archive. At this time,<br />
there three <strong>for</strong>mats: *SPLF (spool file native mode), *TEXT (ASCII text document<br />
with three variations of how a new page is handled) and *PDF (Adobe portable<br />
document <strong>for</strong>mat).<br />
For use with *TEXT and *PDF there are three variations of storing the file name in<br />
the archive with the parameter SFTGFILE. SFTGFILE (*GEN1) will generate a very<br />
specific name using most of the spool file name attributes to <strong>for</strong>m the file name so<br />
that it will not be a duplicated. The name will be built as follows:<br />
"Job-Name/User-Name/#Job-Number/Spool-File-Name/Fspool- File-<br />
Number.Suffix"<br />
For example: "MYJOB/BILLS/#152681/INVOICE/F0021.SPLF"<br />
The suffix is dependent on the SFTARGET setting. *SPLF can only be stored<br />
as SFTGFILE (*GEN1).<br />
SFTGFILE (*GEN1P) will generate the same specific name generated by *GEN1<br />
except the ‘/’ <strong>for</strong> folders will all be replaced by ‘.’ to make the file name one lone<br />
name. For example:<br />
MYJOB.BILLS.#152681.INVOICE.F0021.SPLF<br />
SFTGFILE (*GEN2) uses the spool file name and appends the spool file number<br />
followed by the suffix that is depended on the SFTARGET setting. Caution should be<br />
taken in that a duplicate file name in the archive could be created. An example of<br />
GEN2 is a spool file INVOICE with spool file number of 21 that will be converted to a<br />
text file will generate a file name of INVOICE21.TXT.<br />
In cases where a very specific name is desired <strong>for</strong> the file in archive name,<br />
SFTGFILE() can be coded with the name. This is designed <strong>for</strong> selecting only one file<br />
at a time otherwise file names will be duplicated. Alternatively, you could add coding<br />
to the CVTNAME routine and use the CVTFLAG to generate the desired file name.<br />
69
9 ZIP Archives<br />
A ZIP archive is the storage facility <strong>for</strong> files that are compressed (or simply stored)<br />
using the PKZIP product. The basic archive can hold up to 65,535 files, which may<br />
have been compressed by up to 99% of their original size. Data integrity is validated<br />
by a cyclic redundancy check (CRC) to maintain integrity of the data from the<br />
compression through the extraction process. If the archive contains the ZIP64<br />
archive <strong>for</strong>mat, the archive can support more than the 65,535 files and can be larger<br />
than 4 Gig (See “Large Files Considerations”). In addition to the data, file attributes<br />
are retained, allowing extraction of the same file characteristics without the need of<br />
control card specifications. An archive can exist in three possible states during<br />
processing, described as “old archive,” “temporary archive,” and “new archive.” An<br />
explanation of the functions of each of these is described in the sections below.<br />
A ZIP archive is transferable between plat<strong>for</strong>ms. That is, files that are compressed by<br />
PKZIP on one plat<strong>for</strong>m may be extracted by PKZIP on a different plat<strong>for</strong>m,<br />
maintaining identical data.<br />
This chapter describes the types of files used by SecureZIP <strong>for</strong> <strong>iSeries</strong> and<br />
provides a description of the way in which they are accessed by SecureZIP <strong>for</strong><br />
<strong>iSeries</strong> ZIP archives.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (by default) creates a new archives in the *DB file system as<br />
members of PF-DTA files with 132-byte records. The archive file is given a text field<br />
of “file created by SecureZIP <strong>for</strong> <strong>iSeries</strong>.” The archive member is given a text field<br />
of “Member created by SecureZIP <strong>for</strong> <strong>iSeries</strong>.” If you wish to create your own<br />
archive (perhaps to have a larger record size, <strong>for</strong> per<strong>for</strong>mance) then you can do so,<br />
but try to adhere to the following:<br />
• When you create the file, do not create any members in it.<br />
• After having created the file, change the MAXMBRS parameter <strong>for</strong> the file<br />
from 1 to *NOMAX.<br />
A ZIP archive holds files internally in one of several <strong>for</strong>mats, which are compatible<br />
with other plat<strong>for</strong>ms supported by PKZIP. These <strong>for</strong>mats are described here, and<br />
several commands are available <strong>for</strong> trans<strong>for</strong>ming files into one of these <strong>for</strong>mats as<br />
they are compressed. You may specify in which <strong>for</strong>mat a file is stored using the<br />
FILETYPE(*BINARY) or FILETYPE(*TEXT) command parameters. OS/400 SAVF are<br />
always stored as *BINARY type. If you do not specify FILETYPE(*BINARY) or<br />
(*TEXT), then the PKZIP and PKUNZIP programs both will default to<br />
FILETYPE(*DETECT). For more in<strong>for</strong>mation, see FILETYPE(*DETECT).<br />
70
“Old” ZIP Archive<br />
When the PKZIP or PKUNZIP command is run, the ZIP archive (which is specified by<br />
use of the ARCHIVE parameter is known as the old ZIP archive, except when the<br />
TYPE(*ADD) parameter is being used to create a new ZIP archive. The old ZIP<br />
archive may have been created by SecureZIP <strong>for</strong> <strong>iSeries</strong> during an earlier<br />
operation or may have been created by PKZIP on another plat<strong>for</strong>m and transferred<br />
from there. When a ZIP archive is being updated (or when PKUNZIP is extracting<br />
files from a ZIP archive), the necessary details are taken from the old ZIP archive. It<br />
should be noted that when SecureZIP <strong>for</strong> <strong>iSeries</strong> is updating a ZIP archive, it takes<br />
the necessary data from the old ZIP archive, merges it with any new data, and<br />
transfers it to a new ZIP archive (in a temporary member in the same <strong>iSeries</strong> file as<br />
the old archive). When all updating is completed, SecureZIP <strong>for</strong> <strong>iSeries</strong> deletes the<br />
old ZIP archive and then renames the new ZIP archive to the same name as the old<br />
ZIP archive. For this reason a file containing a ZIP archive should allow <strong>for</strong> at least<br />
one temporary member to be allocated. When SecureZIP <strong>for</strong> <strong>iSeries</strong> creates an<br />
archive file, it uses MAXMBRS(*NOMAX).<br />
“Temporary” Archive File<br />
A temporary archive file refers to an archive work in progress. SecureZIP <strong>for</strong><br />
<strong>iSeries</strong> will always use a temporary archive file and its definition depends on the file<br />
system. If the file system type is IFS, then the temporary archive file will be in the<br />
same directory of the specified new archive. If the file system type is QSYS, the<br />
temporary archive file will become a member of the specified archive file. The<br />
temporary file or member will have a unique name PKnnnnnnnn (where nn<br />
represents an internal random number). When the file has been completed<br />
successfully, the temporary name will be renamed to the specified name in the<br />
ARCHIVE parameter. If this is a process in which an old archive is being updated,<br />
then (if successful) the old archive will be deleted be<strong>for</strong>e the rename. If a problem<br />
occurs, the temporary archive may stay with the temporary name. View the job log if<br />
this happens to determine the status of the archive.<br />
“New” ZIP Archive<br />
When the processing of the temporary dataset is finalized, SecureZIP <strong>for</strong> <strong>iSeries</strong><br />
creates a new ZIPPED archive that is the modified “after” version of the old archive.<br />
The modified name of the old archive and specified allocation in<strong>for</strong>mation is<br />
transferred automatically to the new archive after updating, and the old Archive is<br />
deleted. A new ZIP archive is created when an old ZIP archive is updated, or when a<br />
TYPE(*ADD) parameter (see Chapter 11) is used with SecureZIP <strong>for</strong> <strong>iSeries</strong> where<br />
there is no old ZIP archive.<br />
Self-Extracting Archive<br />
The self extracting programs are held as binary entities in the file PKZIPSFX of the<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> library. The appropriate member is loaded and the<br />
executable data copied to the beginning of the Archive as a preamble when<br />
requested.<br />
71
The resulting archive can still be processed by SecureZIP <strong>for</strong> <strong>iSeries</strong> as a normal<br />
ZIP Archive.<br />
When an input archive containing a self-extraction preamble is passed to SecureZIP<br />
<strong>for</strong> <strong>iSeries</strong> <strong>for</strong> PKZIP processing and no value is supplied by SELFXTRACT, the<br />
default of *MAINTAIN will keep any preamble if one exist. If the parameter<br />
SELFXTRACT(*REMOVE) is supplied then the PREAMBLE is removed when writing the<br />
new archive.<br />
A self-extracting archive can be created from an existing archive by using<br />
SELFXTRACT with a valid self-extractor. If the original archive contained a preamble,<br />
it will be removed and the newly specified preamble will be inserted.<br />
When transferring a self-extracting archive to a target system, be sure to transfer<br />
the archive in binary <strong>for</strong>mat and adhere to requirements <strong>for</strong> executables in that<br />
environment. (For example, a Windows program should be saved with an application<br />
extension of EXE, and a UNIX file attribute should have executable authorization set<br />
via the UNIX chmod command).<br />
The self-extraction programs provided are at the 2.5 level of PKZIP. As such, the<br />
following restrictions apply to the operation of the self-extraction program(s). Care<br />
should be taken to control the creation of the self-extracting archive within these<br />
restrictions, although the resulting archive may still be processed with PKZIP<br />
programs at higher levels that support these features.<br />
• The number of files in the archive should be limited to 65,535 or less.<br />
• Strong encryption is not supported.<br />
• The size of the archive should not exceed 4 gigabytes.<br />
• The uncompressed size of individual files should be less than 4 gigabytes.<br />
• Some target file systems (such as Windows FAT and UNIX kernals earlier than<br />
release 2.4) do not support files greater than 2 gigabytes.<br />
To assist in the usage of the self-extraction programs on the target systems, some of<br />
the command parameters are listed below. Note that some parameters may not be<br />
valid on all systems. By executing the transferred self-extracting archive on the<br />
target system with “-help”, the commands syntax appropriate to that system will be<br />
displayed.<br />
Usage: sfx.exe [options] [.ZIP archive] [files...]<br />
Where sfx.exe = the name of the self-extracting executable file<br />
Options:<br />
after<br />
be<strong>for</strong>e<br />
console<br />
extract files that are newer than or equal to a specified date<br />
suboptions:<br />
"date specification" [<strong>for</strong>mat: mmddyy or mmddyyyy]<br />
e.g.: sfx.exe -aft=12311999 file.zip<br />
extract files that are older than a specified date<br />
suboptions:<br />
"date specification" [<strong>for</strong>mat: mmddyy or mmddyyyy]<br />
e.g.: sfx.exe -bef=12311999 file.zip<br />
display the contents of specified archived files on your screen<br />
e.g.: sfx.exe -con= file.zip readme.txt<br />
directories recreate directory path while extracting including any<br />
sub-directories<br />
e.g.: sfx.exe -dir file.zip<br />
72
exclude<br />
extract<br />
help<br />
Id<br />
include<br />
larger<br />
license<br />
locale<br />
lowercase<br />
mask<br />
more<br />
newer<br />
noextended<br />
older<br />
overwrite<br />
exclude specified files from being extracted<br />
e.g.: sfx.exe -exc=*.txt file.zip<br />
extract files from the .ZIP archive<br />
suboptions:<br />
all [extract everything in archive]<br />
freshen [extract if newer than destination copy]<br />
update [extract if newer or not in destination directory]<br />
e.g.: sfx.exe -ext=all file.zip<br />
display help screen<br />
e.g.: sfx.exe -help<br />
preserve original file uid/gid. Must be root/file owner (UNIX only)<br />
include specified files <strong>for</strong> extraction<br />
e.g.: sfx.exe -inc=*.txt file.zip<br />
extract files that are the specified size (in bytes) and larger<br />
suboptions:<br />
a numerical value (in bytes) that indicates a minimum desired<br />
file size<br />
e.g.:sfx.exe -larger=400<br />
displays license in<strong>for</strong>mation<br />
e.g.: sfx.exe -lic<br />
reads and/or adjusts the locale variable <strong>for</strong> date and time <strong>for</strong>mat<br />
input<br />
suboptions:<br />
environment [read system variable and apply accordingly]<br />
"valid country name" [<strong>for</strong> example locale=germany]<br />
e.g.: sfx.exe -loc=us -aft=12311999 file.zip<br />
change filenames to lower case on extraction<br />
e.g.: sfx.exe -lowercase<br />
remove specified file attributes upon extraction<br />
suboptions:<br />
archive [mask archive attribute from file(s)/folder(s)]<br />
hidden [mask hidden attribute from file(s)/folder(s)]<br />
system [mask system attribute from file(s)/folder(s)]<br />
readonly [mask read-only attribute from file(s)/folder(s)]<br />
none [do not mask attributes from file(s)/folder(s)]<br />
all [mask all attributes from file(s)/folder(s)]<br />
e.g.: sfx.exe -mask=archive,readonly file.zip<br />
display output one screen at a time<br />
e.g.: sfx.exe -more file.zip<br />
process only those files that are newer than a specified<br />
(calendar) day in the past<br />
suboptions:<br />
a numerical value (in calendar days) that indicates some<br />
date in the past relative to the current date<br />
e.g.: sfx.exe -newer=2<br />
suppress the extraction of extended attributes<br />
e.g.: sfx.exe -noex file.zip<br />
process only those files that are older than a specified<br />
(calendar) day in the past<br />
suboptions:<br />
a numerical value (in calendar days) that indicates some<br />
date in the past relative to the current date<br />
e.g.: sfx.exe -older=2<br />
overwrite existing files<br />
prompt [prompt be<strong>for</strong>e overwriting]<br />
all [always overwrite]<br />
73
never [never overwrite]<br />
e.g.: sfx.exe -o=all file.zip<br />
password<br />
print<br />
silent<br />
smaller<br />
sort<br />
test<br />
times<br />
translate<br />
version<br />
volume<br />
warning<br />
specify a decryption password<br />
e.g.: sfx.exe -pass=grendel file.zip<br />
print the specified archived file<br />
suboptions:<br />
"print device name" [<strong>for</strong> example print=lpt1]<br />
e.g.: sfx.exe -print=lpt2 file.zip readme.txt<br />
suppress warning messages when extracting<br />
e.g.: sfx.exe -silent file.zip<br />
extract files that are the specified size (in bytes) and<br />
smaller<br />
suboptions:<br />
a numerical value (in bytes) that indicates a maximum desire<br />
file size<br />
e.g.:sfx.exe -smaller=400<br />
sort files when extracting<br />
suboptions:<br />
crc [sort by crc value]<br />
date [sort by date of the file]<br />
extension [sort by file extension]<br />
name [sort by file name]<br />
natural [sort in the order that the file was archived]<br />
ratio [sort by compression ratio]<br />
size [sort by file size]<br />
none [do not sort]<br />
e.g.: sfx.exe -sort=size file.zip<br />
test the integrity of archived files<br />
suboptions:<br />
all [test everything in archive]<br />
freshen [test if newer than destination copy]<br />
update [test if newer or not in destination directory]<br />
e.g.: sfx.exe -test=all file.zip<br />
preserve specified file date/time stamp<br />
suboptions:<br />
access [preserve accessed date/time stamp on extraction]<br />
modify [preserve modified date/time stamp on extraction]<br />
create [preserve created date/time stamp on extraction]<br />
all [preserve all date/time stamps on extraction]<br />
none [do not preserve date/time stamps on extraction]<br />
e.g.: sfx.exe -time=access,modify file.zip<br />
translate the end of line sequence <strong>for</strong> give operating system<br />
suboptions:<br />
DOS [convert to DOS style line endings]<br />
MAC [convert to MAC style line endings]<br />
unix [convert to unix style line endings]<br />
e.g.:sfx.exe -translate=unix<br />
display SFX version and return appropriate value to the shell<br />
suboptions:<br />
major [return major version number]<br />
minor [return minor version number]<br />
step [return step or patch version number]<br />
e.g.: sfx.exe -ver=step<br />
restore the volume label when extracting<br />
e.g.: sfx.exe -vol file.zip<br />
prompt to continue after warning message<br />
e.g.: sfx.exe -warn file.zip<br />
74
10 About Security, Certificates, and<br />
Encryption<br />
This section discusses how to use SecureZIP <strong>for</strong> <strong>iSeries</strong> to secure your data.<br />
Elements that are required to make a SecureZIP <strong>for</strong> <strong>iSeries</strong> archive are discussed<br />
in detail. These elements, when selectively used, combine to create a SecureZIP <strong>for</strong><br />
<strong>iSeries</strong> archive or allow the extraction of a file or files from a SecureZIP <strong>for</strong><br />
<strong>iSeries</strong> created archive.<br />
A series of commands and CLPs are provided to assist you in building and<br />
maintaining the SecureZIP certificate store. They come standard with SecureZIP <strong>for</strong><br />
<strong>iSeries</strong>. The SecureZIP commands that are used to accomplish these tasks are<br />
shown in this chapter, along with notes and comments.<br />
Keywords, Phrases, and Acronyms Used in This Chapter<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> introduces new terminology to users that are familiar with<br />
PKZIP. These expressions directly relate to the security features inherent in<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong>.<br />
• Public key certificate(s)<br />
• Private key certificate(s)<br />
• Data base profile (local certificate store)<br />
• LDAP profile (networked certificate store)<br />
• Password<br />
• Recipient<br />
• Master recipient (contingency recipient)<br />
• Configuration profile<br />
• Certificate store<br />
• Certificate authority intermediate store<br />
• Trusted root store<br />
• Certificate revocation list (CRL) store<br />
• Enterprise security configuration<br />
• Common name<br />
75
• Path<br />
• Certificate configuration<br />
• PING<br />
• TCP/IP<br />
• User certificate<br />
• Certificate authority<br />
• Recipient database<br />
• Recipient searches<br />
• Filename encryption<br />
Accessing Public and Private Key Certificates<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> provides access to both public and private key certificates<br />
through a set of IFS files and a DB2 locator database when the parameter<br />
ENTPREC(*DB:...) or ENTPREC(*FILE:...) is requested.<br />
In addition, ENTPREC(*LDAP:...) requests are resolved through configured network<br />
definitions.<br />
Public Key Certificate<br />
Certificate-based encryption allows the exchange of encrypted data without the<br />
security risks of exchanging or retaining a password. This <strong>for</strong>m of encryption uses a<br />
public-key digital certificate when creating an archive and it then uses a<br />
corresponding private-key certificate by the recipient to decrypt the archive. Digital<br />
certificates may be identified and selected by naming in<strong>for</strong>mation, such as "common<br />
name" or an email address.<br />
To do this SecureZIP <strong>for</strong> <strong>iSeries</strong> per<strong>for</strong>ms a process called digital enveloping using<br />
digital certificates when encrypting data <strong>for</strong> specified public key recipients. Access<br />
the Secure .ZIP Envelopes whitepaper at the PKWARE web site.<br />
The public key certificate consists of the public portion of an asymmetric<br />
cryptographic key (the "public key"), together with identity in<strong>for</strong>mation, such as a<br />
person's name, all of which is signed by a certificate authority (CA). The CA<br />
essentially guarantees that the public key belongs to the named entity.<br />
Private Key Certificates<br />
To UNZIP a file that has been encrypted with a public-key certificate, the receiver<br />
must supply a matching private-key certificate. This is done by including ENTPREC<br />
parameter that specifies the location of the private-key certificate along with its<br />
associated access password. Note that this password is not used to encrypt a file but<br />
rather to access the private-key certificate.<br />
ENTPREC parameters can be coded directly (up to 30 entries) or can point to the<br />
Inlist input stream file. One method is <strong>for</strong> each user to create an Inlist <strong>for</strong> their<br />
private key in<strong>for</strong>mation and define the security such that only their user ID can read<br />
76
this profile Inlist. A private-certificate Inlist designates a saved repository of the<br />
private key certificates.<br />
Enterprise Security Configuration<br />
SecureZIP utilizes an enterprise security configuration file to define the enterprise<br />
policies. With the command PKCFGSEC, you can view the policies or make revisions<br />
to these policies. PKCFGSEC updates and views the SecureZIP security configuration<br />
file. This configuration file is where the enterprise security options and defaults<br />
reside. It is recommended that you define your standard enterprise options in a CL<br />
using the PKCFGSEC command. Then as changes occur or new versions are<br />
upgraded the CL can be run to reset the parameters. This will also help if you need<br />
to temporarily change one or more settings, as the CL provides a quick means to<br />
reset the configuration back to the enterprise setting.<br />
It is suggested that a specific user ID (such as ZIPADMN), user or group be assigned<br />
to administrate the enterprise configuration. This can be accomplished by changing<br />
the security <strong>for</strong> the configuration file PKZCFG in the SecureZIP library with the<br />
EDTOBJAUT command. First *Public should be changed to use only the file PKZCFG;<br />
then set the administrator as the owner with security <strong>for</strong> changes. For example:<br />
Edit Object Authority<br />
Object . . . . . . . : PKZCFG Owner . . . . . . . : ZIPADMN<br />
Library . . . . . : PKW810XXS Primary group . . . : *NONE<br />
Object type . . . . : *FILE ASP device . . . . . : *SYSBAS<br />
Type changes to current authorities, press Enter.<br />
Object secured by authorization list . . . . . . . . . . . .<br />
*NONE<br />
Object ----------Object-----------<br />
User Group Authority Opr Mgt Exist Alter Ref<br />
*PUBLIC *USE X<br />
ZIPADMN *ALL X X X X X<br />
Contents of the Configuration Profile<br />
Below is a sample of the PKCFGSEC command. For more in<strong>for</strong>mation about the<br />
command, see Chapter 13. Be<strong>for</strong>e running SecureZIP <strong>for</strong> <strong>iSeries</strong>, it is<br />
recommended that all parameters be reviewed and defined <strong>for</strong> your enterprise.<br />
SecureZIP Secure Config 8.1 (PKCFGSEC)<br />
Type Processing . . . . . . . . *UPDATE *UPDATE, *VIEW<br />
ZIP Secure Settings:<br />
SecureZIP Active . . . . . *YES *NO, *YES, *SAME<br />
AES 3DES Keys . . . . . . . *YES *NO, *YES, *SAME<br />
Password . . . . . . . . . *NO *NO, *RQD, *SAME<br />
Recipient Secure . . . . . *NO *NO, *RQD, *SAME<br />
File Signing . . . . . . . *NO *NO, *SAME<br />
Archive Signing . . . . . *NO *NO, *SAME<br />
File Authentication . . . *NO *NO, *SAME<br />
Archive Authentication . . *NO *NO, *SAME<br />
File Name Encryption . . . *NO *NO, *RQD, *OPT, *SAME<br />
Strong Encryption:<br />
Lockdown Method . . . . . > AES<br />
*SAME, *NONE, AES, AES128...<br />
77
Mode . . . . . . . . . . > BSAFE<br />
PKWARE, BSAFE, *SAME<br />
Hash . . . . . . . . . . > *SHA1<br />
*SAME, *SHA1<br />
Archive Password Specs:<br />
Min Length . . . . . . . . > 1<br />
1-200, *SAME<br />
Max Length . . . . . . . . > 200<br />
1-200, *SAME<br />
Hardening Options . . . . . > 0 *SAME, 0, 1, 2<br />
Signing Settings:<br />
Signing Hash . . . . . . . . > *SHA1<br />
*SAME, *SHA1, *MD5<br />
Validate Level . . . . . > *VALIDATE<br />
Lockdown Filters . . . . > *NO<br />
*NO, *YES, *SAME<br />
Filters . . . . . . . . . > *ALL<br />
*SAME, *ALL, *NONE...<br />
+ <strong>for</strong> more values<br />
Authenticate Filters:<br />
Validate Level . . . . . > *VALIDATE<br />
Lockdown Filters . . . . > *NO<br />
*NO, *YES, *SAME<br />
Filters . . . . . . . . . > *ALL<br />
*SAME, *ALL, *NONE...<br />
+ <strong>for</strong> more values<br />
Encryption Filters:<br />
Validate Level . . . . . > *VALIDATE<br />
Lockdown Filters . . . . > *NO<br />
*NO, *YES, *SAME<br />
Filters . . . . . . . . . > *ALL<br />
*SAME, *ALL, *NONE...<br />
+ <strong>for</strong> more values<br />
Decryption Filters:<br />
Validate Level . . . . . > *NONE *VALIDATE, *WARN, *NONE...<br />
Revocation Settings:<br />
CRL Type . . . . . > *NONE *STATICCRL, *NONE, *SAME<br />
Revoke Level . . . . . . *SAME *NONE, *SAME<br />
Certificate Validation Level:<br />
Cert. Best Fit . . . . . . . > *NONE<br />
*NONE, *LATESTVALID...<br />
Cert. Secure Type . . . . . > *NONE<br />
*NONE, *ENCRYPTION...<br />
Certificate DataBase Locator:<br />
Active? . . . . . . . . . . > *YES<br />
*NO, *YES, *SAME<br />
Store Type . . . . . . . . > *LIB<br />
*LIB, *SAME<br />
Sequence . . . . . . . . . > 0 0-9<br />
Library . . . . . . . . . . > PKW81051S DB Library<br />
Search Mode . . . . . . . . > *EMAIL *EMAIL, *CN, *SAME<br />
Certificate PUBLIC Store:<br />
Store Type . . . . . . . . > *PATH<br />
*PATH, *SAME<br />
Sequence . . . . . . . . . > 1 0-9<br />
Store Location . . . . . . > '/pkzshare/CStores/Public'<br />
Certificate PRIVATE Store:<br />
Store Type . . . . . . . . > *PATH<br />
*PATH, *SAME<br />
Sequence . . . . . . . . . > 0 0-9<br />
Store Location . . . . . . > '/pkzshare/CStores/Private'<br />
Certificate CA Store:<br />
Store Type . . . . . . . . > *FILE<br />
*FILE, *SAME<br />
Sequence . . . . . . . . . > 0 0-9<br />
Store Location . . . . . . > '/pkzshare/CStores/CA/pkwareCA.store'<br />
Certificate ROOT Store:<br />
Store Type . . . . . . . . > *FILE<br />
*FILE, *SAME<br />
Sequence . . . . . . . . . > 0 0-9<br />
Store Location . . . . . . > '/pkzshare/CStores/Root/pkwareRT.store'<br />
Certificate CRL Store:<br />
Store Type . . . . . . . . > *FILE<br />
*FILE, *SAME<br />
Sequence . . . . . . . . . > 0 0-9<br />
Store Location . . . . . . > '/pkzshare/CStores/CRL/pkwareCRL.store'<br />
Certificate Work Path:<br />
Path Location . . . . . . . > '/pkzshare/CStores/CTemp'<br />
Enterprise Encrypt Recipient:<br />
LookUp Type . . . . . . . . > *MBRSET *NONE, *DB, *LDAP, *FILE...<br />
Recipient . . . . . . . . . > 'pkwareCertAdmin04.cer'<br />
Required . . . . . . . . . . > *RQD<br />
*RQD, *OPT, *SAME<br />
LDAP Definitions:<br />
Nbr Active LDAPs . . . . . > 3<br />
1-99, *NONE, *SAME<br />
Primary LDAP:<br />
78
1 Network Name . . . . . . > '192.168.132.25'<br />
1 Port . . . . . . . . . . > 389 1-9999<br />
1 Sequence . . . . . . . . > 1 0-9<br />
1 TimeOut . . . . . . . . . > 0 0-9999<br />
1 Access User . . . . . . . > 'PKWAREADDEV\test'<br />
1 Access Password . . . . . > 'xxxxxx'<br />
1 Search Mode . . . . . . . > *EMAIL *EMAIL, *CN<br />
1 Start Node . . . . . . . > 'cn=users,dc=pkwareaddev,dc=com'<br />
1 Test . . . . . . . . . . > N N, Y<br />
Secondary LDAP:<br />
2 Network Name . . . . . . > '192.168.115.15'<br />
2 Port . . . . . . . . . . > 389 1-9999<br />
2 Sequence . . . . . . . . > 2 0-9<br />
2 TimeOut . . . . . . . . . > 0 0-9999<br />
2 Access User . . . . . . . > 'cn=Jon Smith,ou=browndeer,o=pkware,c=US,cn=<br />
user,dc=cosmos,dc=pkware,dc=com'<br />
2 Access Password . . . . . > 'xxxxxxx'<br />
2 Search Mode . . . . . . . > *EMAIL *EMAIL, *CN<br />
2 Start Node . . . . . . . ><br />
'o=pkware,c=US,cn=user,dc=cosmos,dc=pkware,d=com'<br />
2 Test . . . . . . . . . . > N N, Y<br />
Tertiary LDAP:<br />
3 Network Name . . . . . . > '192.168.115.32'<br />
3 Port . . . . . . . . . . > 4389 1-9999<br />
3 Sequence . . . . . . . . > 3 0-9<br />
3 TimeOut . . . . . . . . . > 0 0-9999<br />
3 Access User . . . . . . . > ''<br />
3 Access Password . . . . . > 'xxxxxx'<br />
3 Search Mode . . . . . . . > *EMAIL *EMAIL, *CN<br />
3 Start Node . . . . . . . > 'o=PKWARE'<br />
3 Test . . . . . . . . . . > Y N, Y<br />
File and Data Base (DB) (Local Certificate Store)<br />
During SecureZIP <strong>for</strong> <strong>iSeries</strong> processing that requires encryption intended <strong>for</strong> an<br />
ENTPREC, the associated public-key certificate(s) must be located. One way of<br />
designating which public-key recipients to include is through an IFS file or by using<br />
the DB to locate the recipients with the ENTPREC parameter. By using DB or LDAP,<br />
this allows <strong>for</strong> recipient selection based on name or email address through a<br />
configured database of certificates on the system that is executing SecureZIP <strong>for</strong><br />
<strong>iSeries</strong>. The lookup type would be the type of recipient search that will be used <strong>for</strong><br />
the recipient string.<br />
1. *DB - The recipient string is defined to search using the certificate locator<br />
database to access the digital certificate.<br />
2. *LDAP - The recipient string is defined to search using the LDAP server to access<br />
the digital certificate.<br />
3. *FILE - The recipient string is defined to read a specific file in a specific path in the<br />
IFS in order to access the digital certificate.<br />
79
4. *MBRSET - The recipient string is defined to read this specific file from the<br />
enterprise public certificate store to access the digital certificate.<br />
5. *INLIST - The recipient string defines a specific file that will contain one to many<br />
recipients.<br />
Your technical support staff is responsible <strong>for</strong> configuring the local certificate store<br />
and should provide you with in<strong>for</strong>mation on which method they prefer.<br />
LDAP Profile (Networked Certificate Store)<br />
During SecureZIP <strong>for</strong> <strong>iSeries</strong> processing that requires encryption intended <strong>for</strong> a<br />
recipient, the associated public-key certificate(s) must be located.<br />
One way of designating which public-key recipients to include is through the LDAP<br />
interface to a directory server in the ENTPREC parameters. This allows <strong>for</strong> recipient<br />
selection based on name, email address or other installation-configured LDAP fields.<br />
One or more LDAP compliant servers may be configured <strong>for</strong> searching.<br />
Your technical support staff is responsible <strong>for</strong> configuring the LDAP-compliant<br />
directory that stores certificates and will provide you with in<strong>for</strong>mation on the<br />
enterprise approach <strong>for</strong> your facility.<br />
Certificate Store Administration and Configuration<br />
Access X.509 Public and Private Key Certificates<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> introduces new modules that utilize RSA’s BSAFE Cert-C<br />
Toolkit to access X.509 public and private key certificates. The access to the various<br />
certificate stores by this task is governed by various <strong>for</strong>ms of the ENTPREC<br />
parameter, as well as by a suite of new configuration commands.<br />
All local certificates are stored in a path of the IFS and the store paths are defined<br />
using the PKCFGSEC command. The other method of certificate access is through the<br />
LDAP. The first step of the startup is to define the public and private stores and their<br />
security. The next part is to define a procedure to maintain the certificates.<br />
Local Certificate Store<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> provides access to both public and private key certificates<br />
through a set of local IFS paths which contain the certificate files. These paths are<br />
defined using the PKCFGSEC command.<br />
Certificate Authority and Root Certificates Stores<br />
End entity certificates and their related keys are used <strong>for</strong> signing and authentication.<br />
They are created at the end of the trust hierarchy of certificate authorities. Each<br />
certificate is signed by its CA issuer and is identified in the “Issued By” field in the<br />
end certificate. In turn, a CA certificate can also be issued by a higher level CA. Such<br />
certificates are known as intermediate CA certificates. At the top of the issuing chain<br />
is a self-signed certificate known as the root.<br />
80
SecureZIP <strong>for</strong> <strong>iSeries</strong> uses public-key certificates in PKCS#7 <strong>for</strong>mat as a store<br />
<strong>for</strong>mat. The intermediate CA certificates are maintained independently from the root<br />
certificates. These files are defined to SecureZIP in the PKCFGSEC with the CSCA and<br />
CSROOT parameters.<br />
Certificate Revocation List Stores<br />
If a certificate revocation list (CRL) is to be used, the certificate revocation list store<br />
will contain all CRLs <strong>for</strong> revocation processing. The CRL store is separate from the CA<br />
store <strong>for</strong> more efficient certificate processing. The store is defined in PKCFGSEC with<br />
parameters CSCRL. To use the CRL, SecureZIP needs to know that a static CRL is<br />
used. This is defined with the REVKEP parameter in PKCFGSEC.<br />
Local Certificate Locator Database<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> comes with one new physical file PKZCF1F and three logical<br />
files: PKZCF1LCN, PKZCF1LEM and PKZCF1LPH. These files are part of the certificate<br />
locator database used <strong>for</strong> certificate processing. These files are activated by<br />
changing the security settings using the PKCFGSEC command. To use these files, see<br />
Chapter 15.<br />
This locator database allows access to the public and private certificates using the<br />
common name, email address or public hash key.<br />
Here again, <strong>for</strong> security reasons, it is suggested that a specific user ID (such as<br />
ZIPADMN), user, or group be assigned to administrate the database. This can be<br />
accomplished by changing the security <strong>for</strong> the configuration file PKZCF1F and the<br />
logical files in the SecureZIP library with the EDTOBJAUT command. First change<br />
*Public to only *Use <strong>for</strong> the files, and then set the administrator as the owner with<br />
security <strong>for</strong> changes. For example:<br />
Edit Object Authority<br />
Object . . . . . . . : PKZCF1F Owner . . . . . . . : ZIPADMN<br />
Library . . . . . : PKW810XXS Primary group . . . : *NONE<br />
Object type . . . . : *FILE ASP device . . . . . : *SYSBAS<br />
Type changes to current authorities, press Enter.<br />
Object secured by authorization list . . . . . . . . . . . .<br />
*NONE<br />
Object ----------Object-----------<br />
User Group Authority Opr Mgt Exist Alter Ref<br />
*PUBLIC *USE X<br />
ZIPADMN *ALL X X X X X<br />
LDAP Certificate Store<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> also provides access to public key certificates located in an<br />
external LDAP (Lightweight Directory Access Protocol) server via a TCP/IP network<br />
connection.<br />
Each LDAP server to be used should be defined with the PKCFGSEC command.<br />
Each certificate store is described in detail in the following sections.<br />
81
Usage Notes:<br />
It is recommended that, as you define your enterprise configuration, you build it in a<br />
CL source. This will provide the ability to reset the configuration quickly if it gets<br />
changed or destroyed. One way is to copy the DFTCFGSEC member of QCLSRC in<br />
your zip library to a secure source file <strong>for</strong> your custom changes. Then update this<br />
custom configuration CL as you build your system.<br />
Certificate Authority, Root Certificates and CRL Store<br />
Administration<br />
This section assists with allocating the components necessary to support the local DB<br />
and with administering the certificates in it.<br />
The following stores are maintained by the utility PKSTORADM:<br />
Intermediate<br />
Certificate<br />
Authority<br />
Trusted Root<br />
Certificate<br />
Authority<br />
Certificate<br />
Revocation List<br />
A store of issuing certificates files associated with the end-entity<br />
certificates. These certificates are used to authenticate the<br />
validity of an end-entity digital signature on a receiving system.<br />
They are also included in a SecureZIP archive when a signing<br />
operation is per<strong>for</strong>med.<br />
Other system types may refer to this store as “CA”.<br />
A store of issuing certificates that are classified as “self signed,”<br />
meaning that each one is at the top of a hierarchy of issuing<br />
CAs. These certificates are used to authenticate the validity of<br />
an end-entity digital signature on a receiving system. They are<br />
considered “trusted” by virtue of their installation on an<br />
authenticating system. They are included in a SecureZIP<br />
archive when a signing operation is per<strong>for</strong>med.<br />
Other system types may refer to this store as “ROOT”.<br />
A store of certificate revocation lists published by each CA.<br />
Other system types may refer to this store as “CRL”.<br />
First define the path and file name with PKCFGSEC parameters: CSCA (intermediate<br />
certificate authority), CSROOT (trusted root certificate authority), and CSCRL<br />
(certificate revocation list).<br />
Packaged in the TSTCERTS archive are three empty initialized stores<br />
(pkwareCA.store, pkwareRT.store, and pkwareCRL.store) that can be<br />
restored to your directories. After restoring the store files, you can name the files<br />
anything that you want to match your definition in PKCFGSEC.<br />
For example:<br />
1. Create the store paths:<br />
MD DIR('/myroot/pkware/CStore/CA') Certificate Authority Store<br />
MD DIR('/myroot/pkware/CStore/Root') Trusted Authority Root Store<br />
MD DIR('/myroot/pkware/CStore/CRL) Certificate Revocation List<br />
82
2. Extract the initialized stores:<br />
Extract initialized empty CA intermediate certificate store:<br />
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareCA.store')<br />
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/CA’)<br />
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)<br />
Extract initialized empty trusted root store:<br />
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareRT.store')<br />
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/Root’)<br />
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)<br />
Extract initialized empty revocation list store:<br />
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareCRL.store')<br />
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/CRL')<br />
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)<br />
3. Change the security of the files and paths.<br />
It is suggested that a specific user ID (such as ZIPADMN), user, or group be<br />
assigned to administrate the stores. This can be accomplished by changing the<br />
security <strong>for</strong> the paths and files created above with the CHGAUT and CHGOWN<br />
commands. First change *Public to only *Use <strong>for</strong> the files, and then set the<br />
administrator as the owner with security <strong>for</strong> changes.<br />
For example changes <strong>for</strong> the Root Store path and file might be:<br />
Change ownership to ZIPADMN:<br />
CHGOWN OBJ('/myroot/pkware/CStores/Root/') NEWOWN(ZIPADMN)<br />
CHGOWN OBJ('/myroot/pkware/CStores/Root/pkwareRT.store')<br />
NEWOWN(ZIPADMN)<br />
Change *PUBLIC <strong>for</strong> use of root path and file:<br />
CHGAUT OBJ('/myroot/pkware/CStores/Root') USER(*PUBLIC) DTAAUT(*R)<br />
OBJAUT(*NONE)<br />
CHGAUT OBJ('/myroot/pkware/CStores/Root/pkwareRT.store') USER(*PUBLIC)<br />
DTAAUT(*R) OBJAUT(*NONE)<br />
Change ZIPADMN <strong>for</strong> all security:<br />
CHGAUT OBJ('/myroot/pkware/CStores/Root/pkwareRT.store') USER(ZIPADMN)<br />
DTAAUT(*RWX) OBJAUT(*ALL)<br />
CHGAUT OBJ('/myroot/pkware/CStores/Root/pkwareRT.store') USER(ZIPADMN)<br />
DTAAUT(*RWX) OBJAUT(*ALL)<br />
If any other users or groups are defined <strong>for</strong> the path or file remove them by using<br />
the WRKLNK command and displaying authority.<br />
83
Display Authority<br />
Object . . . . . . . . . . . . :<br />
Owner . . . . . . . . . . . . :<br />
Primary group . . . . . . . . :<br />
Authorization list . . . . . . :<br />
/myroot/pkware/CStores/Root/pkwareRT.store<br />
ZIPADMN<br />
*NONE<br />
*NONE<br />
Data --Object Authorities--<br />
User Authority Exist Mgt Alter Ref<br />
*PUBLIC *R<br />
ZIPADMN *RWX X X X X<br />
At this point you can use the PKSTORADM command to import the trusted roots and<br />
the intermediate certificates.<br />
It is very important that you control the addition of trusted roots to your root store<br />
since they will define the certificate chains to be trusted.<br />
Local Certificate Store Administration<br />
This section assists with allocating the components necessary to support the local DB<br />
to administer the certificates within it.<br />
Build Private and Public Store Paths<br />
This section describes the process to build the public and private certificate paths in<br />
the IFS.<br />
The public store is a path in the IFS that contains files with X.509 public certificate<br />
files known as PEM files.<br />
The private store is a path in the IFS that contains a file with X.509 public certificate<br />
and private key packaged as a file.<br />
SecureZIP can work with certificates and keys in the following file <strong>for</strong>mats:<br />
Format<br />
PEM<br />
PKCS#12<br />
PKCS#7<br />
Not<br />
Supported<br />
<strong>for</strong> public<br />
and private<br />
keys<br />
Description<br />
Contains a single end-entity public-key certificate. It may be in<br />
Base-64 encoded (ASCII text with ASCII headers) or DERencoded<br />
binary <strong>for</strong>mat.<br />
Common file extensions: .pem, .cer, .key, .crt<br />
Contains a single end-entity private-key certificate (and its public<br />
key). By definition, it is in binary <strong>for</strong>mat.<br />
Common file extensions: .pfx, .p12<br />
Contains one or more CA (and or Root) certificates<br />
Common file extension: .p7b<br />
For example:<br />
84
1. Define the public and private stores paths with the PKCFGSEC command using<br />
the CSPUB and CSPRVT parameters.<br />
2. Create the public and private store paths:<br />
MD DIR('/myroot/pkware/CStore/Public') Public store path<br />
MD DIR('/myroot/pkware/CStore/Private') Private store path<br />
Initialize and Build Certificate Locator Database:<br />
This section describes the process to build the certificate locator databases. The<br />
databases are distributed with product as empty files, but the DSS source is also<br />
distributed in case they ever need to be rebuilt. An easier way to rebuild the<br />
database is to clear the physical file member (CLRPFM).<br />
1. Clear the file:<br />
CLRPFM FILE(PKW81051S/PKZCF1F) MBR(*FIRST)<br />
OR<br />
Build the databases with the CRTCERTDB CL program. CRTCERTDB will create<br />
the “<strong>iSeries</strong> Certificate Locator” physical file PKZCF1F and its associated<br />
logical files:<br />
• PKZCF1LCN “Certificate locator by CN (Common Name)”<br />
• PKZCF1LEM “Certificate locator by EM (Email Address)”<br />
• PKZCF1LFN “Certificate locator by FN (Friendly Name)”<br />
• PKZCF1LPH “Certificate locator by Public Hash”.<br />
The program will create the files in the target library parameter of the<br />
program such as Call CRTCERTDB ‘PKW81051S’.<br />
2. Define the paths and places <strong>for</strong> the certificates in the proper directories.<br />
3. By using the PKCFGSEC command, update the certificate store settings <strong>for</strong><br />
the certificates and set the CERTDB settings <strong>for</strong> the certificate database<br />
locator.<br />
4. Run the PKBLDCDB as many times as necessary to process your certificates in<br />
the IFS stores.<br />
5. Run the PKQRYCDB to view the certificates in the locator database.<br />
The following stores are maintained by the utility PKBLDCDB:<br />
Store<br />
Public<br />
Description<br />
A store <strong>for</strong> end-entity certificates used to identify encryption<br />
recipients or <strong>for</strong> authentication of digital signatures. Certificate<br />
files in this store contain only public keys; they do not contain<br />
private keys. SecureZIP <strong>for</strong> <strong>iSeries</strong> represents these<br />
certificates held in the local certificate store through the ISPF<br />
interface as “CER” entries. Other system types may refer to this<br />
store as “Other People” or “Address Book”<br />
85
Store<br />
Private<br />
Description<br />
A store <strong>for</strong> end-entity certificate files with their respective private<br />
keys. Private keys are used to decrypt files or per<strong>for</strong>m digital<br />
signing. SecureZIP <strong>for</strong> <strong>iSeries</strong> represents these certificates<br />
held in the local certificate store through the ISPF interface as<br />
“PFX” entries.<br />
(Private keys in this store are encrypted using PKCS#8 <strong>for</strong>mat<br />
and PKCS#5 version 2.)<br />
Other system types may refer to this store as “Personal” or “MY<br />
Store”<br />
Directory Certificate Store Configuration - LDAP<br />
This section assists with defining the network connectivity to access certificate stores<br />
in an LDAP-compliant directory. Certificate stores are often located on an LDAP<br />
server. Please note that prior to using LDAP services to locate public key digital<br />
certificates <strong>for</strong> recipient processing, network connections must be defined.<br />
Command settings will be kept in a LDAP SecureZIP <strong>for</strong> <strong>iSeries</strong> enterprise security<br />
configuration file.<br />
To assist in entering the correct settings that are defined in the configuration file<br />
using the PKCFGSEC command, there is a LDAP test command (PKLDAPTST). This<br />
command verifies that the settings are correct and shows the type of response to<br />
expect. With PKLDAPTST, the LDAP connection parameters can be coded manually.<br />
However, the PKCFGSEC command has the ability to run the LDAP test to assist in<br />
properly <strong>for</strong>matting the LDAP parameters and to test connectivity to the desired<br />
LDAP server.<br />
Testing the LDAP Connection<br />
For more in<strong>for</strong>mation, see the PKLDAPTST command in Chapter 14.<br />
The presence of a server can be established by using the PING and PKLDAPTST<br />
command:<br />
SecureZIP LDAP Test<br />
8.1 (PKLDAPTST)<br />
Type choices, press Enter.<br />
Action Type . . . . . . . . . . *SUMMARY *SUMMARY, *DETAIL<br />
Server Name or IP . . . . . . . > '192.168.132.25'<br />
Port Number . . . . . . . . . . 389 Character value<br />
Access User . . . . . . . . . . > 'PKWAREADDEV\test'<br />
Access Password . . . . . . . .<br />
Start Node . . . . . . . . . . . > 'cn=users,dc=pkwareaddev,dc=com'<br />
Search Filter . . . . . . . . . '(cn=*)(userCertificate=*)'<br />
Max Item . . . . . . . . . . . . > 100<br />
Character value<br />
Or<br />
PKLDAPTST SNAME('192.168.132.25') USER('PKWAREADDEV\test')<br />
PASSWORD(‘xxxx’)<br />
STRNODE('cn=users,dc=pkwareaddev,dc=com') MAXI(100)<br />
Sample results:<br />
86
PKLDAPTEST LDAP Test Starting 2004/07/22 06:23:34<br />
PKLDAPTESTT Parameters:Action<br />
- Server Port<br />
- User Password<br />
- Start Node<br />
- Search Filter<br />
- Max Items to Search ,100<br />
LDAP_intialTest - --LDAP init ..... elasp time 0.000000 seconds<br />
LDAP_intialTest - --SizeLimit=100 TimeLimit=0<br />
LDAP_intialTest - --LDAP bind ..... elasp time 0.000000 seconds<br />
LDAP_intialTest - --LDAP Search ..... elasp time 0.000000 seconds<br />
LDAP_intialTest - --LDAP Search ...... 21 entries found<br />
LDAP_intialTest - --LDAP Attributes ..... elasp time 0.000000 seconds<br />
LDAP_intialTest - Total Entries=21<br />
PKLDAPTESTT LDAP Testing Ending RC=0<br />
When creating a configuration <strong>for</strong> an LDAP server at a new network address, it is<br />
recommended that a PING test be per<strong>for</strong>med first using the PING command.<br />
OPTION - PING<br />
The PING option will per<strong>for</strong>m a "TSO PING" command to verify that the network<br />
address can be resolved and the associated IP address reached. Once completed, a<br />
BROWSE of the output will be automatically presented. Be aware that some network<br />
administrators may turn off PING response capabilities, so it is possible that the<br />
PING may time out even if the network name (e.g. www.pkware.com) can be<br />
resolved to an IP address.<br />
PING '192.168.132.25'<br />
Verifying connection to host system 192.168.132.25.<br />
PING reply 1 from 192.168.132.25 took 91 ms. 256 bytes. TTL 125.<br />
PING reply 2 from 192.168.132.25 took 22 ms. 256 bytes. TTL 125.<br />
PING reply 3 from 192.168.132.25 took 91 ms. 256 bytes. TTL 125.<br />
PING reply 4 from 192.168.132.25 took 20 ms. 256 bytes. TTL 125.<br />
PING reply 5 from 192.168.132.25 took 20 ms. 256 bytes. TTL 125.<br />
Round-trip (in milliseconds) min/avg/max = 20/48/91.<br />
Connection verification statistics: 5 of 5 successful (100 %).<br />
Possible errors:<br />
• The network address cannot be resolved by the domain name server (DNS).<br />
TCP3202 Unknown host www.unknown-name.com<br />
• Network services may be down along the routes to reach the IP address.<br />
HOST unreachable<br />
• The specified host may not be up, or is not accepting PING requests.<br />
Timed out<br />
Getting Started with PKWARE Test Digital Certificates<br />
Included with the SecureZIP library is an archive containing two public certificates,<br />
two corresponding PKCS#12 private keys files, a test public certificate with private<br />
key <strong>for</strong> CRL testing, one CRL file to apply, three initialized stores, and several<br />
samples Inlist files. See the $readme.txt to see content description.<br />
87
These certificates are provided to assist in initial certificate testing and are not<br />
needed to run SecureZIP.<br />
Note that the test certificates are not trusted certificates and were<br />
not issued by a trusted certificate authority. They should never be<br />
used <strong>for</strong> production or <strong>for</strong> securing any of your organization’s<br />
sensitive data. They are provided <strong>for</strong> testing only.<br />
The archives in the distribution library (assuming PKW81051S) would be the file<br />
named TSTCERTS with the member called TSTCERTS.<br />
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts')<br />
SecureZIP(TM) <strong>for</strong> <strong>iSeries</strong> Compression Utility Version 8.1.0, 2005/03/08<br />
Copyright. 1989-2005 PKWARE, Inc. All Rights Reserved.<br />
SecureZip(tm) is a trademark of PKWARE (R), Inc.<br />
SecureZIP(TM) <strong>for</strong> <strong>iSeries</strong> is running under Beta release B2<br />
Archive: PKW810XXS/TSTCERTS(TSTCERTS) 17424 bytes 22 files<br />
Length Method Size Ratio Date Time CRC-32 Name<br />
-------- ------ ------- ----- ---- ---- ------ ----<br />
785 Defl:F 324 59% 03-08-05 07:29 6ca9e42e $readme.txt<br />
654 Defl:F 489 25% 02-09-05 13:18 2d32433a crl1.crl<br />
786 Defl:F 658 16% 12-27-04 13:18 4458cfef pktestdb3.crt<br />
2106 Defl:F 2058 2% 12-27-04 13:18 1773a716 pktestdb3.p12<br />
786 Defl:F 660 16% 12-27-04 13:17 6bc95df5 pktestdb4.crt<br />
2106 Defl:F 2052 3% 12-27-04 13:18 ba20cadd pktestdb4.p12<br />
2106 Defl:F 2055 2% 03-07-05 12:41 b7f957bb pktestdb9.pfx<br />
3573 Defl:F 1882 47% 02-09-05 13:17 0c6cc373 pktica_ca.cer<br />
3565 Defl:F 1878 47% 02-09-05 13:15 60f503e4 pkwareCA.crt<br />
37 Defl:F 30 19% 02-17-05 11:48 274e6484 pkwareca.p7b<br />
37 Defl:F 30 19% 02-17-05 11:48 274e6484 pkwarecrl.p7b<br />
1192 Defl:F 691 42% 02-09-05 13:15 40f1ec95 pkwareroot.cer<br />
37 Defl:F 30 19% 02-17-05 11:48 274e6484 pkwarert.p7b<br />
49 Stored 49 0% 02-25-05 10:50 b5002c1b tstauth_db3.inlist<br />
51 Stored 51 0% 01-10-05 12:14 3a6ddda4 tstauth_mb3.inlist<br />
47 Stored 47 0% 02-25-05 10:50 18df8708 tstauth_mb4.inlist<br />
52 Stored 52 0% 02-25-05 10:50 7c830a06 tstpriv_db4.inlist<br />
45 Stored 45 0% 02-25-05 10:50 cddd548c tstpriv_mb3.inlist<br />
78 Defl:F 52 33% 02-25-05 10:50 e6816f7e tstpubl_1.inlist<br />
83 Defl:F 72 13% 02-25-05 10:51 f3e66e5b tstpubl_2.inlist<br />
55 Stored 55 0% 02-25-05 10:51 d110fa75 tstsign_db3.inlist<br />
51 Stored 51 0% 02-25-05 10:51 441dad6d tstsign_mb4.inlist<br />
-------- ------- ---- -------<br />
18281 13311 27% 22 files<br />
SecureUNZIP extracted 0 files .<br />
The following steps can be automated <strong>for</strong> testing using the included CL program<br />
TSTCERTS. The source is located in the QCLSRC file of the distribution library. Be<strong>for</strong>e<br />
using the TSTCERTS CL program, make any modification required <strong>for</strong> your<br />
environment and then compile the CL program. The TSTCERTS program requires two<br />
external parameters. The first parameter is the SecureZIP library. The second<br />
parameter is the base path where the certificate store will reside (<strong>for</strong> example:<br />
‘/myroot/pkware’). This base path must exist be<strong>for</strong>e running TSTCERTS.<br />
Step 1: Define IFS Certificate Stores<br />
First you will need to decide where the certificate stores will be located in the IFS<br />
and then create the following folders in that path. After creating the paths, take time<br />
to set all the proper authorities <strong>for</strong> each path. If an administrator will be assigned,<br />
you can set the group ID as the owner. It is recommend that *PUBLIC should only<br />
88
have read authority to the files once you enter production. Assuming that you will be<br />
creating the stores in the directory called ‘/myroot/pkware’, create the following<br />
directories in that base path:<br />
MD DIR('/myroot/pkware/CStore')<br />
Be sure to define the folder<br />
security<br />
MD DIR('/myroot/pkware/CStore/Public')<br />
Public Store<br />
MD DIR('/myroot/pkware/CStore/Private')<br />
Private Store<br />
MD DIR('/myroot/pkware/CStore/CA')<br />
Certificate Authority Store<br />
MD DIR('/myroot/pkware/CStore/Root')<br />
Trusted Authority Root<br />
Store<br />
MD DIR('/myroot/pkware/CStore/CRL')<br />
Certificate Revocation List<br />
MD DIR('/myroot/pkware/CStore/CTemp')<br />
Admin Temp Work Area<br />
MD DIR('/myroot/pkware/CStore/Testzips')<br />
MD DIR('/myroot/pkware/CStore/InList')<br />
For initial archives <strong>for</strong><br />
testing and inputs to admin<br />
Used <strong>for</strong> testing Inlist<br />
samples<br />
The contents can be deleted after the test is competed, but the enterprise<br />
configuration should be reviewed <strong>for</strong> production.<br />
Note: if you need to start over and want to clear the certificate locator database <strong>for</strong><br />
testing, you can clear the database with:<br />
CLRPFM FILE(PKW81051S/PKZCF1F) MBR(*FIRST).<br />
Caution should be taken to make sure you are clearing a test-only database.<br />
Step 2: Extract Test Certificates, Inlist, Inputs, and Stores<br />
Extract public test certificates:<br />
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts')<br />
FILES('pktestdb3.crt' 'pktestdb4.crt’)<br />
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/Public')<br />
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)<br />
Extract private test certificates:<br />
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts')<br />
FILES('pktestdb3.p12' 'pktestdb4.p12' 'pktestdb9.pfx' )<br />
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/Private')<br />
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)<br />
Extract initialized empty CA certificate intermediate store:<br />
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareCA.store')<br />
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/CA')<br />
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)<br />
Extract initialized empty trusted root store:<br />
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareRT.store')<br />
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/Root')<br />
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)<br />
Extract initialized empty revocation list store:<br />
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareCRL.store')<br />
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/CRL')<br />
89
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)<br />
Extract sample test Inlist files:<br />
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts')<br />
FILES('*inlist')<br />
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/InList’)<br />
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)<br />
Restore test inputted certs and CRL to Testzips area<br />
PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts')<br />
FILES('pkwareCA.cer' 'pkwareRoot.cer'<br />
'pktica_ca.crt' 'crl1.crl' )<br />
TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/Testzips')<br />
DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)<br />
Step 3: Setup Security Configuration File with PKCFGSEC<br />
Command<br />
First, verify what the current settings in the security configuration with:<br />
PKCFGSEC TYPE(*VIEW)<br />
Next, update the certificate stores and activate the certificate locator database.<br />
1. Activate signing and authentication with filename encryption optional.<br />
PKCFGSEC TYPE(*Update)<br />
SECTYPE(*YES *YES *SAME *SAME *YES *YES *YES *YES *OPT)<br />
2. Define all of the store paths and files with CSPUB, CSPRVT, CSCA, CSROOT,<br />
CSCRL.<br />
3. Define the certificate database settings with CERTDB. Make certain that the<br />
correct library is specified or errors will occur later.<br />
4. Define certificate policies <strong>for</strong> signing (SIGNPOL), encryption (ENCRYPOL), and<br />
authentication (AUTHPOL).<br />
5. Define the static CRL settings with REVKEPOL.<br />
6. We could define a contingency key or master recipient at this time with<br />
ENTPREC<br />
PKCFGSEC TYPE(*Update)<br />
SECTYPE(*YES *YES *SAME *SAME *YES *YES *YES *YES *OPT)<br />
CERTDB(*YES *LIB 0 PKW81051S *EMAIL)<br />
CSPUB(*PATH 0 '/myroot/pkware/CStore/Public')<br />
CSPRVT(*PATH 0 '/myroot/pkware/CStore/Private')<br />
CSCA(*FILE 0 '/myroot/pkware/CStore/CA/pkwareCA.store')<br />
CSROOT(*FILE 0 '/myroot/pkware/CStore/ROOT/pkwareRT.store')<br />
CSCRL(*FILE 0 '/myroot/pkware/CStore/CRL/pkwareCRL.store')<br />
CWRKPATH('/myroot/pkware/CStore/CTemp')<br />
REVKEPOL(*STATICCRL *NONE)<br />
SIGNPOL(*SHA1 *VALIDATE *NO (*ALL))<br />
AUTHPOL(*VALIDATE *NO (*ALL))<br />
ENCRYPOL(*VALIDATE *NO (*ALL))<br />
ENTPREC(*NONE) LDAPACTV(*NONE)<br />
90
Step 4: Add Trusted Roots and Intermediate Certificates to the<br />
Certificate Stores.<br />
Using the PKSTORADM store administrator maintenance command, we should import<br />
all the trusted roots first, followed by all CA certificates.<br />
But first we need to think about the security of our stores. Most installations will<br />
want to have a specific user, user ID, or group per<strong>for</strong>m store maintenance and let<br />
the users of SecureZIP have only read access to the stores. It is suggested that<br />
*PUBLIC be only allowed to read the stores. For example, if we have a user ID of<br />
ZIPADMIN that is the only user that has the authority to do maintenance, then the<br />
paths and stores might have a sample authority setting as follows:<br />
Object . . . . . . . . . . . . : /myroot/pkware/CStore/Root/pkwareRT.store<br />
Data --Object Authorities--<br />
Opt User Authority Exist Mgt Alter Ref<br />
*PUBLIC *RX X<br />
ZIPADMIN *RWX X X X X<br />
First you might want to verify all the stores to make sure they are OK and empty.<br />
PKSTORADM RUNTYPE(*VERIFY) STYPE(*ALL)<br />
PKSTORADM SecureZIP CA Store Administration starting------2005/03/10 12:10:19<br />
ZPCA000I SUCCESS: CA Store '/myroot/pkware/CStore/CA/pkwareCA.store' verified<br />
successfully. 0 certificates found.<br />
ZPCA000I SUCCESS: Root Store '/myroot/pkware/CStore/ROOT/pkwareRT.store'verified<br />
successfully. 0 certificates found.<br />
ZPCA000I SUCCESS: CRL store '/myroot/pkware/CStore/CRL/pkwareCRL.store'<br />
successfully verified. 0 revocation lists found.<br />
PKSTORADM Store Admin ending------0<br />
PKSTORADM Completed Successfully<br />
Now add the PKWARE test trusted root certificate to the root store:<br />
PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CER) STYPE(*ROOT)<br />
FNAME('/myroot/pkware/CStore/Testzips/pkwareRoot.cer')<br />
PKSTORADM SecureZIP CA Store Administration starting------2005/03/10 12:10:19<br />
ZPCA000I SUCCESS: Added certificate to store '/myroot/pkware/CStore/Root/<br />
pkwareRT.store'. DSN=/myroot/pkware/CStore/Testzips/pkwareRoot.cer;CER=1;F<br />
N=PKTESTDB Root;TP=A91CD312EFFEF51C8ABFEFD92C23FF67FBDBEBE3;SN=00;E=PKTESTDBR<br />
oot@nowhere.com;ROOT<br />
ZPCA000I SUCCESS: Saved certificate store '/myroot/pkware/CStore/Root/pkw<br />
areRT.store' to disk.<br />
ZPCA000I Added 1 of a possible 1 certificates to the ROOT store.<br />
ZPCA000I 0 certificates in the ROOT store be<strong>for</strong>e the Add command.<br />
ZPCA000I 1 certificates in the ROOT store after the Add command.<br />
PKSTORADM Store Admin ending------0<br />
Now add the PKWARE test intermediate certificate authority certificate to the CA<br />
store:<br />
91
PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CER) STYPE(*CA)<br />
FNAME(‘/myroot/pkware/CStore/Testzips/pkwareCA.cer’)<br />
PKSTORADM SecureZIP CA Store Administration starting------2005/03/10 12:12:36<br />
ZPCA000I SUCCESS: Added certificate to store '/myroot/pkware/CStore/CA/pk<br />
wareCA.store'. DSN=/myroot/pkware/CStore/Testzips/pkwareCA.cer;CER=1;FN=PK<br />
WARE Test Intermediate Cert;TP=2B3C27C30067690EFB77A8A84DAB1D39A1368906;SN=01<br />
;E=PKTESTDBIC@nowhere.com;CA<br />
ZPCA000I SUCCESS: Saved certificate store '/myroot/pkware/CStore/CA/pkwar<br />
eCA.store' to disk.<br />
ZPCA000I Added 1 of a possible 1 certificates to the CA store.<br />
ZPCA000I 0 certificates in the CA store be<strong>for</strong>e the Add command.<br />
ZPCA000I 1 certificates in the CA store after the Add command.<br />
PKSTORADM Store Admin ending------0<br />
Step 5: Build the Certificate Locator Database with PKBLDCDB<br />
First build the public keys. In this case, we can use the *DIRECTORY option since all<br />
the public certificates are in one folder. You can use your user ID <strong>for</strong> the new owner<br />
or the ZipAdmin. If you do not have proper authority, then you will receive an API<br />
error when the CHGAUT command is issued. The database is ok, but the authority of<br />
the file may not be what you intended.<br />
PKBLDCDB MAINT(*UPDATE) MTYPE(*DIRECTORY) CTYPE(*PUBLIC)<br />
FNAME('/myroot/pkware/CStore/Public') DUPOPT(*REPLACE)<br />
LOGLVL(*LOG) OWNER(*NONE) PUBAUTH(*R (*OBJREF *OBJEXIST))<br />
PKBLDCDB Update SecureZIP Cert DataBase starting------2004/07/23 10:47:15<br />
Sample Authorty:<br />
PKBLDCDB Running Update Mode--Replace Duplicates---<br />
PKBLDCDB Adding <br />
PKBLDCDB Adding <br />
PKBLDCDB Run Totals:<br />
Total Records Added =2<br />
Total Records Updated =0<br />
Total Duplicateds Found =0<br />
Total Records In Error =0<br />
Total Records Processed =2<br />
PKBLDCDB Scan ending------<br />
Usually when updating private certificates you will use the *FILE option since each<br />
private key will have a different password. The best practice is to have the individual<br />
to whom the certificate was issued run the PKBLDCDB command since, <strong>for</strong> security<br />
reasons, he or she should be the only one with access to the password used to<br />
export the certificate file.<br />
PKBLDCDB MAINT(*UPDATE) MTYPE(*FILE) CTYPE(*PRIVATE)<br />
FNAME('/myroot/pkware/CStore/Private/pktestdb4.p12')<br />
DUPOPT(*REPLACE) PASSWORD('PKWARE')<br />
LOGLVL(*LOG) OWNER(*NONE) PUBAUTH(*R (*OBJREF *OBJEXIST))<br />
PKBLDCDB Update SecureZIP Cert DataBase starting------2004/07/23 10:53:17<br />
Sample Authorty:<br />
PKBLDCDB Running Update Mode--Replace Duplicates---<br />
92
PKSCANCRT Private Cert will be processed (6)<br />
PKBLDCDB Adding <br />
PKBLDCDB Run Totals:<br />
Total Records Added =1<br />
Total Records Updated =0<br />
Total Duplicateds Found =0<br />
Total Records In Error =0<br />
Total Records Processed =1<br />
PKBLDCDB Scan ending------<br />
PKBLDCDB MAINT(*UPDATE) MTYPE(*FILE) CTYPE(*PRIVATE)<br />
FNAME('/myroot/pkware/CStore/Private/pktestdb3.p12')<br />
DUPOPT(*REPLACE) PASSWORD('PKWARE')<br />
LOGLVL(*LOG) OWNER(*NONE) PUBAUTH(*R (*OBJREF *OBJEXIST))<br />
PKBLDCDB MAINT(*UPDATE) MTYPE(*FILE) CTYPE(*PRIVATE)<br />
FNAME('/myroot/pkware/CStore/Private/pktestdb9.pfx')<br />
DUPOPT(*REPLACE) PASSWORD('PKWARE')<br />
LOGLVL(*LOG) OWNER(*NONE) PUBAUTH(*R (*OBJREF *OBJEXIST))<br />
Step 6: Compress File with Public Digital Certificates<br />
The first ZIP test will use both of the public certificates and 256-bit AES algorithm to<br />
encrypt and compress one file to an archive in the folder that was created earlier.<br />
This test will use the *MBRSET and *FILE types <strong>for</strong> the selection of the certificates.<br />
PKZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC01.zip')<br />
FILES('PKW81051s/$CONTACT') ADVCRYPT(AES256)<br />
TYPARCHFL(*IFS) TYPFL2ZP(*DB)<br />
ENTPREC((*MBRSET pktestdb3.crt)<br />
(*FILE '/myroot/pkware/CStore/Public/pktestdb4.crt'))<br />
Scanning files in *DB <strong>for</strong> match ...<br />
Total Recipients processed 2<br />
Archive Recipient List:<br />
CN=PKWARE Test4 EMail=PKTESTDB4@nowhere.com<br />
CN=PKWARE Test3 EMail=PKTESTDB3@nowhere.com<br />
Found 1 matching files<br />
Compressing PKW81051S/$CONTACT($CONTACT) in TEXT mode<br />
Add PKW81051.S/$CONTACT/$CONTACT -- Deflating (80%) encrypt(BSAFE AES 256<br />
Key)<br />
SecureZIP Compressed 1 files in Archive /myroot/pkware/CStore/Testzips/TestC0<br />
1.zip<br />
SecureZIP Completed Successfully<br />
The second ZIP test will use both of the public certificates and AES256 algorithm to<br />
encrypt and compress one file to an archive in the folder. This test will use the *DB<br />
with email and common name <strong>for</strong> the selection of the certificates.<br />
PKZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC02.zip')<br />
FILES('PKW81051s/$CONTACT') ADVCRYPT(AES256)<br />
TYPARCHFL(*IFS) TYPFL2ZP(*DB)<br />
ENTPREC((*DB 'EM=PKTESTDB3@nowhere.com')<br />
(*DB 'CN=PKWARE Test4'))<br />
Scanning files in *DB <strong>for</strong> match ...<br />
Total Recipients processed 2<br />
Archive Recipient List:<br />
CN=PKWARE Test4 EMail=PKTESTDB4@nowhere.com<br />
CN=PKWARE Test3 EMail=PKTESTDB3@nowhere.com<br />
93
Found 1 matching files<br />
Compressing PKW81051S/$CONTACT($CONTACT) in TEXT mode<br />
Updating:PKW81051.S/$CONTACT/$CONTACT Deflating (80%) encrypt(BSAFE AES 2<br />
56Key)<br />
SecureZIP Compressed 1 files in Archive /myroot/pkware/CStore/Testzips/TestC0<br />
2.zip<br />
SecureZIP Completed Successfully<br />
Step 7: View Details of Archive<br />
By per<strong>for</strong>ming a PKUNZIP with TYPE(*VIEW) VIEWOPT(*ALL), you will see the<br />
recipients, and the number of recipients, that can be found in the certificate<br />
database. It will also list each recipient and show each common name and email<br />
address.<br />
Archive: /myroot/pkware/CStore/Testzips/TestC01.zip 2259 bytes 1 file<br />
Archive Comment:"PKZIP <strong>for</strong> <strong>iSeries</strong> by PKWARE"<br />
Filename: PKW81051.S/$CONTACT/$CONTACT<br />
Detected File type: Text Encrypt=Strong Encrypted<br />
Created by: PKZIP <strong>for</strong> <strong>iSeries</strong>(tm) 8.1<br />
Minimum to Extract: PKZIP 5.1 Or Greater<br />
Compression method: Deflated [Fast]<br />
Date and Time 2004 Jul 23 10:10:56<br />
Compressed size: 1702 bytes<br />
Uncompressed size: 5451 bytes<br />
32-bit CRC value (hex): f091572d<br />
Extended attributes: yes, [Length = 218]<br />
Strong Encryption AES 256 Key (BSAFE).<br />
Algorithm Key 256, Security type Certificate Key<br />
Number Certifcate Recipients 2<br />
Recipient List:<br />
CN=PKWARE Test4, EM=PKTESTDB4@nowhere.com<br />
CN=PKWARE Test3, EM=PKTESTDB3@nowhere.com<br />
Record Length: 80<br />
Lib Text Desc: SecureZIP <strong>for</strong> <strong>iSeries</strong>(tm) Lib-V8.1.0B<br />
File Text Desc: SecureZIP <strong>for</strong> <strong>iSeries</strong>(tm) Contact In<strong>for</strong>mation<br />
Mbr Text Desc: SecureZIP <strong>for</strong> <strong>iSeries</strong>(tm) Contact In<strong>for</strong>mation<br />
Source or Data: PF-DTA<br />
File Comment:"none"<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Found 1 file, 5451 bytes uncompressed, 1702 bytes compressed: 69%<br />
SecureUnZip extracted 0 files<br />
SecureUnZip Completed Successfully 1<br />
Step 8: Decrypting File with Private Key Certificates<br />
In order to decrypt the file you will need to provide at least one valid private<br />
certificate with the password that matches a recipient on the archive.<br />
PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC01.zip')<br />
TYPE(*TEST)<br />
TYPARCHFL(*IFS)<br />
ENTPREC((*DB 'CN=PKWARE Test4' ('PKWARE')))<br />
OR<br />
ENTPREC((*MBRSET 'pktestdb3.crt' ('PKWARE')))<br />
ENTPREC((*FILE '/myroot/pkware/CStore/Public/pktestdb4.crt'<br />
('PKWARE')))<br />
ENTPREC((*DB 'EM=PKTESTDB4@nowhere.com' ('PKWARE')))<br />
ENTPREC((*INLIST<br />
94
'/myroot/pkware/CStore/InList/tstpriv_mb3.inlist'))<br />
Step 9: Using Input List File <strong>for</strong> ENTPREC Certificate List<br />
The encryption recipients parameter can read a file with a recipient list. This is<br />
activated by using the *INLIST followed by the file to use <strong>for</strong> the recipients list.<br />
path/filename<br />
Enter the file path and name of the file to read. The<br />
layout depends on which file system you want to read<br />
the file from.<br />
Library File System:<br />
The <strong>for</strong>mat is "library/file(member)".<br />
Integrated File System (IFS):<br />
The <strong>for</strong>mat is "path1/path2/../pathn/filename".<br />
Usage Notes:<br />
• For an Inlist that contains a password to open a private certificate, make sure<br />
that the security is sufficient to only allow the owner of the certificate to have<br />
read access. Otherwise this would leave a security hole where others could<br />
browse the password.<br />
• The path/filename depends on the settings of the TYPLISTFL (*DB or *IFS)<br />
parameter.<br />
• For more in<strong>for</strong>mation on using list files see “Using List Files as Input” in<br />
Appendix E.<br />
Each entry on a list file should begin with “{RECEPIENT=” and end with the character<br />
“}”. Each entry is separated by the “;” (semi-colon). The in<strong>for</strong>mation <strong>for</strong> each<br />
recipient is the same as described in the ENTPREC parameter, except *INLIST is<br />
invalid <strong>for</strong> lookup type. If an entry is not required such as password just enter the<br />
separator.<br />
Format: {RECEPIENT=Lookup Type;Recipient;Password;Required}<br />
*...+....1....+....2....+....3....+....4....+....5....+....6..<br />
{RECEPIENT=db;EM=robb.roy@pkware.com;;RQD}<br />
{RECEPIENT=file;/pkzshare/CStores/Public/suesmith04.cer;;OPT}<br />
{RECEPIENT=LDAP;EM=kevin.Goodguy@pkware.com;;OPT}<br />
{RECEPIENT=LDAP;EM=troy.theman@pkware.com;;OPT}<br />
****** END OF DATA ******<br />
The ENTPREC parameter would look like the following to process the ENTPREC Inlist:<br />
ENTPREC( (*INLIST 'ATEST/INLIST(techsup1)' *N))<br />
Test Inlist tstpriv_mb3.inlist:<br />
....+....1....+....2....+....3....+....4....+....5..<br />
************Beginning of data**************<br />
{AUTHCHK=ARCHIVE;MBRSET;pktestdb3.pfx;PKWARE;RQD}<br />
************End of Data********************<br />
95
Test inlist tstpriv_db4.inlist:<br />
....+....1....+....2....+....3....+....4....+....5.<br />
************Beginning of data**************<br />
{RECIPIENT=DB;EM=PKTESTDB4@nowhere.com;PKWARE;RQD}<br />
************End of Data********************<br />
An example to decrypt a file that was encrypted with pktestdb3 public certificate.<br />
PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC02.zip')<br />
TYPE(*TEST) TYPARCHFL(*IFS) TYPLISTFL(*IFS)<br />
ENTPREC((*inlist '/myroot/pkware/CStore/InList/tstpriv_mb3.inlist'))<br />
Digital Certificate Request List:Encryption Recipients<br />
Rqrd *MbrSet - pktestdb3.p12<br />
Encryption Recipients List-----------1 processed:<br />
UNZIP Archive: /myroot/pkware/CStore/Testzips/TestC01.zip<br />
Searching Archive /myroot/pkware/CStore/Testzips/TestC01.zip <strong>for</strong> files to extract<br />
Testing: WSS810S/$CONTACT/$CONTACT<br />
WSS810S/$CONTACT/$CONTACT tested OK<br />
No errors detected in compressed data of<br />
/myroot/pkware/CStore/Testzips/TestC01.zip.<br />
SecureUNZIP Completed Successfully<br />
Step 10: Sign Files and Archive with Private Keys<br />
Create an archive and sign the files in the archive by two signers and then sign the<br />
archive directory. Note that signing requires the private key.<br />
PKZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC03.zip')<br />
FILES('PKW81051s/$CONTACT') ADVCRYPT(AES256)<br />
TYPARCHFL(*IFS) TYPFL2ZP(*DB)<br />
ENTPREC((*DB 'EM=PKTESTDB3@nowhere.com')<br />
(*DB 'CN=PKWARE Test4'))<br />
SIGNERS((*FILE *MBRSET 'pktestdb3.p12' (PKWARE) )<br />
(*ALL *MBRSET 'pktestdb4.p12' (PKWARE)) )<br />
Scanning files in *DB <strong>for</strong> match ...<br />
2 Encryption Recipients processed<br />
Encryption Recipients List:<br />
--CN=PKWARE Test3 EMail=PKTESTDB3@nowhere.com<br />
--CN=PKWARE Test4 EMail=PKTESTDB4@nowhere.com<br />
2 File Signers processed<br />
File Signers List:<br />
--CN=PKWARE Test4 EMail=PKTESTDB4@nowhere.com<br />
--CN=PKWARE Test3 EMail=PKTESTDB3@nowhere.com<br />
1 Archive Signer processed<br />
Archive Signer List:<br />
--CN=PKWARE Test4 EMail=PKTESTDB4@nowhere.com<br />
Found 1 matching files<br />
Compressing PKW810XXS/$CONTACT($CONTACT) in TEXT mode<br />
Add PKW810XX.S/$CONTACT/$CONTACT -- Deflating (80%) encrypt(BSAFE AES 256Key)<br />
SecureZIP Compressed 1 files in Archive<br />
/myroot/pkware/CStore/Testzips/TestC03.zip<br />
SecureZIP Completed Successfully<br />
96
Step 11: Authenticate Signed Files and Archive<br />
When doing a basic view of the newly signed archive, notice that only the archive<br />
directory signatures are validated. To validate the signature of the files would require<br />
a TYPE(*TEST).<br />
PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC03.zip')<br />
TYPE(*VIEW) TYPARCHFL(*IFS) TYPFL2ZP(*DB)<br />
AUTHCHK((*ARCHIVE *MBRSET 'pktestdb4.crt')) AUTHPOL(*WARN (*ALL))<br />
1 Archive Signer processed<br />
Archive: /myroot/pkware/CStore/Testzips/TestC03.zip 7053 bytes 1 file<br />
Length Method Size Ratio Date Time CRC-32 Name<br />
-------- ------ ------- ----- ---- ---- ------ ----<br />
5451 Defl:F 1702 69% 01-11-05 13:34 f091572d<br />
!PKW810XX.S/$CONTACT/$CONTACT<br />
-------- ------- ---- -------<br />
5451 1702 69% 1 file<br />
Archive has been Digitally Signed.<br />
Archive was signed by "PKWARE Test4" and verified<br />
SecureUNZIP extracted 0 files<br />
SecureUNZIP Completed Successfully<br />
PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC03.zip')<br />
TYPE(*VIEW) TYPARCHFL(*IFS) TYPFL2ZP(*DB) VIEWOPT(*ALL)<br />
AUTHPOL(*WARN *ARCHIVE (*SYSTEM))<br />
Archive: /myroot/pkware/CStore/Testzips/TestC03.zip 6993 bytes 1 file<br />
Filename: PKW810XX.S/$CONTACT/$CONTACT<br />
Detected File type: Text Encrypt=Strong Encrypted<br />
Created by: PKZIP <strong>for</strong> <strong>iSeries</strong>(tm) 8.1<br />
Zip Spec to Extract: 6.1 Or Greater<br />
Compression method: Deflated [Fast]<br />
Date and Time 2005 Jan 11 16:05:36<br />
Compressed size: 1702 bytes<br />
Uncompressed size: 5451 bytes<br />
32-bit CRC value (hex): f091572d<br />
Extended attributes: yes, [Length = 4598]<br />
Strong Encryption AES 256 Key (BSAFE).<br />
Algorithm Key 256, Security type Certificate Key<br />
Number Certifcate Recipients 2<br />
Recipient List:<br />
CN=PKWARE Test3, EM=PKTESTDB3@nowhere.com<br />
CN=PKWARE Test4, EM=PKTESTDB4@nowhere.com<br />
Record Length: 80<br />
Lib Text Desc: SecureZip <strong>for</strong> <strong>iSeries</strong>(tm) Lib-V8.1.0B<br />
File Text Desc: SecureZip <strong>for</strong> <strong>iSeries</strong>(tm) Contact In<strong>for</strong>mation<br />
Mbr Text Desc: SecureZip <strong>for</strong> <strong>iSeries</strong>(tm) Contact In<strong>for</strong>mation<br />
Source or Data: PF-DTA<br />
A subfield with ID 0x0014 (Certificate Store) and 3369 data bytes<br />
A subfield with ID 0x0016 (Archive Signature) and 245 data bytes<br />
File Signature: CN=PKWARE Test4; EM=PKTESTDB4@nowhere.com; S/N=04<br />
File Signature: CN=PKWARE Test3; EM=PKTESTDB3@nowhere.com; S/N=03<br />
File Comment:"none"<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Found 1 file, 5451 bytes uncompressed, 1702 bytes compressed: 69%<br />
Archive has been Digitally Signed.<br />
Archive was signed by "PKWARE Test4" and verified<br />
SecureUNZIP extracted 0 files<br />
SecureUNZIP Completed Successfully<br />
97
Do a VIEWOPT(*SECURE) and you will notice that the internal archive store is<br />
displayed (see certificate listing). This store contains all public certificates of the<br />
signatories including the full chain of each signatory.<br />
PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC03.zip')<br />
TYPE(*VIEW) TYPARCHFL(*IFS) TYPFL2ZP(*DB) VIEWOPT(*SECURE)<br />
AUTHPOL(*WARN (*ALL))<br />
Archive: /myroot/pkware/CStore/Testzips/TestC03.zip 6993 bytes 1 file<br />
Length Method Size Ratio Date Time CRC-32 Name<br />
-------- ------ ------- ----- ---- ---- ------ ----<br />
5451 Defl:F 1702 69% 01-11-05 16:05 AES256<br />
!PKW810XX.S/$CONTACT/$CONTACT<br />
-------- ------- ---- -------<br />
5451 1702 69% 1 file<br />
Archive: /myroot/pkware/CStore/Testzips/TestC03.zip 6993 bytes 1 file<br />
Certificate Listing:<br />
#1:CN=PKWARE Test3; EM=PKTESTDB3@nowhere.com;<br />
#2:CN=PKWARE Test4; EM=PKTESTDB4@nowhere.com;<br />
#3:CN=PKTESTDB Root; EM=PKTESTDBRoot@nowhere.com;<br />
#4:CN=PKWARE Test Intermediate Cert; EM=PKTESTDBIC@nowhere.com;<br />
Archive has been Digitally Signed.<br />
Archive was signed by "PKWARE Test4" and verified<br />
SecureUNZIP extracted 0 files<br />
SecureUNZIP Completed Successfully<br />
When the files in the archive are tested or extracted, the archive signature is<br />
validated first and then, after each file has been tested, the file’s signatures are<br />
tested. If no AUTHCHK parameter is entered, all signatures are validated.<br />
PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC03.zip')<br />
TYPE(*TEST) TYPARCHFL(*IFS) TYPFL2ZP(*DB)<br />
ENTPREC((*DB 'CN=PKWARE Test3' 'PKWARE'))<br />
1 Encryption Recipients processed<br />
UNZIP Archive: /myroot/pkware/CStore/Testzips/TestC03.zip<br />
Searching Archive /myroot/pkware/CStore/Testzips/TestC03.zip <strong>for</strong> files to<br />
extract<br />
Archive was signed by "PKWARE Test4" and verified<br />
Testing: PKW810XX.S/$CONTACT/$CONTACT<br />
File was signed by "PKWARE Test4" and verified<br />
File was signed by "PKWARE Test3" and verified<br />
PKW810XX.S/$CONTACT/$CONTACT tested OK<br />
No errors detected in compressed data of<br />
/myroot/pkware/CStore/Testzips/TestC03.zip.<br />
SecureUNZIP Completed Successfully<br />
98
Step 12: Sign Files and Archive with PK Test 9 Certificate<br />
Try signing an archive with the PKWARE test 9 certificate, which does not have an<br />
intermediate certificate in the CA store. The attempt will fail because of the trust<br />
settings.<br />
PKZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC04.zip')<br />
FILES('PKW81051s/$CONTACT')<br />
TYPARCHFL(*IFS) TYPFL2ZP(*DB)<br />
SIGNERS((*archive *MBRSET 'pktestdb9.pfx' (PKWARE) ) )<br />
Scanning files in *DB <strong>for</strong> match ...<br />
Required Signer or Authenticator failed selection process<br />
Digital Certificate Request List:Archive Signer<br />
Rqrd *MbrSet Not Usable - pktestdb9.pfx<br />
Required Recipient Failed<br />
Archive Signer List-----------0 processed:<br />
CN=PKWARE Test9 EMail=PKTESTDB9@nowhere.com<br />
--Certificate Invalid:Certificate is Not Trusted;<br />
SecureZIP Compressed 0 files in Archive<br />
/myroot/pkware/CStore/Testzips/TestC04.zip<br />
SecureZIP Completed with Errors<br />
Press ENTER to end terminal session.<br />
Step 13: Add CA to Make the Trust Valid and Then Sign Archive.<br />
If we now add the intermediate certificate that “PKWARE test 9” certificate uses, the<br />
PKZIP command will sign the archive.<br />
Add new CA certificate to the CA store:<br />
PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CER) STYPE(*CA)<br />
FNAME('/myroot/pkware/CStore/Testzips/pktica_ca.crt')<br />
ZPCA000I SUCCESS: Added certificate to store '/myroot/pkware/CStore/CA/pk<br />
wareCA.store'. DSN=/myroot/pkware/CStore/Testzips/pktica_ca.crt;CER=1;FN=P<br />
KWARE Test Intermediate Cert A;TP=C405A5BC36942149D5C212CB6C213C4F1FE893E6;SN<br />
=02;E=PKTESTDBICA@nowhere.com;CA<br />
ZPCA000I SUCCESS: Saved certificate store '/myroot/pkware/CStore/CA/pkwar<br />
eCA.store' to disk.<br />
ZPCA000I Added 1 of a possible 1 certificates to the CA store.<br />
ZPCA000I 1 certificates in the CA store be<strong>for</strong>e the Add command.<br />
ZPCA000I 2 certificates in the CA store after the Add command.<br />
PKSTORADM Store Admin ending------0<br />
Press ENTER to end terminal session.<br />
99
Run PKZIP to sign the archive with PK test certificate 9.<br />
PKZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC04.zip')<br />
FILES('PKW81051s/$CONTACT')<br />
TYPARCHFL(*IFS) TYPFL2ZP(*DB)<br />
SIGNERS((*archive *MBRSET 'pktestdb9.pfx' (PKWARE) ) )<br />
Scanning files in *DB <strong>for</strong> match ...<br />
Digital Certificate Request List:Archive Signer<br />
Rqrd *MbrSet - pktestdb9.pfx<br />
Archive Signer List-----------1 processed:<br />
CN=PKWARE Test9 EMail=PKTESTDB9@nowhere.com<br />
Found 1 matching files<br />
Compressing PKW810XXS/$CONTACT($CONTACT) in TEXT mode<br />
Add PKW810XX.S/$CONTACT/$CONTACT -- Deflating (80%)<br />
SecureZIP Compressed 1 files in Archive /myroot/pkware/CStore/Testzips/Te<br />
stC04.zip<br />
SecureZIP Completed Successfully<br />
Press ENTER to end terminal session.<br />
Run PKUNZIP to test the authentication <strong>for</strong> a specific authenticator.<br />
PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC04.zip')<br />
TYPARCHFL(*IFS) TYPFL2ZP(*DB)<br />
AUTHCHK((*ALL *MBRSET 'pktestdb9.pfx' (PKWARE) ))<br />
Digital Certificate Request List:File Signers<br />
Rqrd *MbrSet - pktestdb9.pfx<br />
File Signers List-----------1 processed:<br />
Digital Certificate Request List:Archive Signer<br />
Rqrd *MbrSet - pktestdb9.pfx<br />
Archive Signer List-----------1 processed:<br />
Archive: /myroot/pkware/CStore/Testzips/TestC04.zip 4769 bytes 1 file<br />
Length Method Size Ratio Date Time CRC-32 Name<br />
-------- ------ ------- ----- ---- ---- ------ ----<br />
5451 Defl:F 1069 80% 03-08-05 07:38 f091572d PKW810XX.S/$CONTACT/$C<br />
ONTACT<br />
-------- ------- ---- -------<br />
5451 1069 80% 1 file<br />
Archive has been Digitally Signed.<br />
Archive was signed by "PKWARE Test9;" and verified<br />
SecureUNZIP extracted 0 files<br />
SecureUNZIP Completed Successfully<br />
Step 14: Revoke PK Test 9 Certificate and Confirm Revocation<br />
Now apply the certificate revocation list to revoke the PKWARE test 9 certificate.<br />
PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CRL) STYPE(*CRL)<br />
FNAME('/myroot/pkware/CStore/Testzips/crl1.crl')<br />
100
PKSTORADM SecureZIP CA Store Administration starting------2005/03/08 15:20:38<br />
ZPCA000I SUCCESS: Added certificate '/myroot/pkware/CStore/Testzips/crl1.<br />
crl' to store '/myroot/pkware/CStore/CRL/pkwareCRL.store'.<br />
ZPCA000I SUCCESS: Saved certificate store '/myroot/pkware/CStore/CRL/pkwa<br />
reCRL.store' to disk.<br />
ZPCA000I Added 1 out of 1 certificates to the CRL store.<br />
ZPCA000I 0 entries in the CRL store be<strong>for</strong>e the Add command.<br />
ZPCA000I 1 entries in the CRL store after the Add command.<br />
PKSTORADM Store Admin ending------0<br />
Press ENTER to end terminal session.<br />
Run PKZIP to test the authentication and signing. The attempt will fail since the<br />
signing certificate was revoked.<br />
PKZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC04.zip')<br />
FILES('PKW81051s/$CONTACT')<br />
TYPARCHFL(*IFS) TYPFL2ZP(*DB)<br />
SIGNERS((*archive *MBRSET 'pktestdb9.pfx' (PKWARE) ) )<br />
Scanning files in *DB <strong>for</strong> match ...<br />
Required Signer or Authenticator failed selection process<br />
Digital Certificate Request List:Archive Signer<br />
Rqrd *MbrSet Not Usable - pktestdb9.pfx<br />
Required Recipient Failed<br />
Archive Signer List-----------0 processed:<br />
CN=PKWARE Test9 EMail=PKTESTDB9@nowhere.com<br />
--Certificate Invalid:Certificate has been Revoked;<br />
Input Archive was found to be Digitally Signed.<br />
Archive Authentication check unsuccessful<br />
Archive was Signed by "PKWARE Test9;" but NOT verified.<br />
--Contents have not been altered<br />
--Certificate Invalid:Certificate has been Revoked;<br />
Run being terminated <strong>for</strong> Authentication failure<br />
SecureZIP Compressed 0 files in Archive /myroot/pkware/CStore/Testzips/Te<br />
stC04.zip<br />
SecureZIP Completed with Errorsy<br />
Run PKUNZIP to test the authentication. The test will fail since the signing certificate<br />
was revoked. If we did not have the AUTHPOL (*SYSTEM *ALL), you would only see<br />
that archive was signed. The AUTHPOL is what activates the authentication<br />
PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC04.zip')<br />
TYPARCHFL(*IFS) TYPFL2ZP(*DB)<br />
AUTHCHK((*ALL *MBRSET 'pktestdb9.pfx' (PKWARE) ))<br />
AUTHPOL(*SYSTEM *ALL (*NOTREVOKED))<br />
Digital Certificate Request List:File Signers<br />
Rqrd *MbrSet - pktestdb9.pfx<br />
File Signers List-----------1 processed:<br />
Digital Certificate Request List:Archive Signer<br />
Rqrd *MbrSet - pktestdb9.pfx<br />
Archive Signer List-----------1 processed:<br />
Archive: /myroot/pkware/CStore/Testzips/TestC04.zip 4769 bytes 1 file<br />
Length Method Size Ratio Date Time CRC-32 Name<br />
-------- ------ ------- ----- ---- ---- ------ ----<br />
5451 Defl:F 1069 80% 03-08-05 07:38 f091572d PKW810XX.S/$CONTACT/$C<br />
ONTACT<br />
101
-------- ------- ---- -------<br />
5451 1069 80% 1 file<br />
Archive has been Digitally Signed.<br />
Archive Authentication check unsuccessful<br />
Archive was Signed by "PKWARE Test9;" but NOT verified.<br />
--Contents have not been altered<br />
--Certificate Invalid:Certificate has been Revoked;<br />
SecureUNZIP extracted 0 files<br />
SecureUNZIP Completed with Errors<br />
Run PKUNZIP to test the authentication with a revoked signer but using AUTHPOL to<br />
ignore the revoked status of the signer.<br />
PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC04.zip')<br />
TYPARCHFL(*IFS) TYPFL2ZP(*DB)<br />
AUTHPOL(*SYSTEM *ALL (*NOTREVOKED))<br />
Archive: /myroot/pkware/CStore/Testzips/TestC04.zip 4769 bytes 1 file<br />
Length Method Size Ratio Date Time CRC-32 Name<br />
-------- ------ ------- ----- ---- ---- ------ ----<br />
5451 Defl:F 1069 80% 03-08-05 07:38 f091572d PKW810XX.S/$CONTACT/$C<br />
ONTACT<br />
-------- ------- ---- -------<br />
5451 1069 80% 1 file<br />
Archive has been Digitally Signed.<br />
Archive was signed by "PKWARE Test9;" and verified<br />
SecureUNZIP extracted 0 files<br />
SecureUNZIP Completed Successfully<br />
Filename Encryption<br />
How SecureZIP Encrypts File Names<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> encrypts file names using your current settings <strong>for</strong> (strong)<br />
encryption method and algorithm. File names can be encrypted using either strong<br />
password encryption, a recipient list, or both. You must use one of the strong<br />
encryption methods. You cannot encrypt file names using traditional<br />
ADVCRYPT(ZIPSTD), which uses a 96-bit key.<br />
Note: Encrypting names of files and folders in an archive encrypts and hides a good<br />
deal of other internal in<strong>for</strong>mation about the archive as well. To encrypt file names,<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> encrypts the archive's central directory, where virtually all<br />
such metadata about the archive is stored.<br />
Be aware, however, that archive comments are not encrypted even when you<br />
encrypt file names. Do not put sensitive in<strong>for</strong>mation in an archive comment.<br />
When SecureZIP Encrypts File Names<br />
With archives that do not already contain encrypted file names:<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> encrypts file names whenever you update an archive<br />
requesting FNE(*YES): including Add, Freshen, Update, Delete and Copy.<br />
102
SecureZIP <strong>for</strong> <strong>iSeries</strong> encrypts file names only when you provide encryption<br />
parameters such as PASSWORD and/or ENTPREC <strong>for</strong> recipients and set parameter<br />
FNE(*YES).<br />
Encrypting File Names When You Update an Archive<br />
If you turn on the setting to encrypt file names and then update an archive that<br />
already contains no encrypted files with unencrypted file names, SecureZIP <strong>for</strong><br />
<strong>iSeries</strong> encrypts all the filenames in the archive.<br />
If the archive contains any files whose contents are already encrypted, SecureZIP<br />
<strong>for</strong> <strong>iSeries</strong> will bypass an attempt to add filename encryption.<br />
If you update an archive that already contains files with encrypted file names,<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> uses the current ADVCRYPT setting to determine whether<br />
filenames should be encrypted in the output archive.<br />
If FNE(*YES) is enabled when updating an archive already containing filename<br />
encryption, SecureZIP <strong>for</strong> <strong>iSeries</strong> encrypts the new archive directory using the<br />
same password or recipient list originally used to encrypt file names in the archive.<br />
Newly supplied values <strong>for</strong> PASSWORD or RECIPIENT are discarded. However, if a<br />
PASSWORD is used to access the input archive <strong>for</strong> the update process to begin, it<br />
must match the original password used to create the encrypted archive directory.<br />
Note:<br />
Once file names in an archive are encrypted, you cannot change the password or<br />
recipient list used.<br />
You cannot change the encryption method on files that are already in an archive that<br />
contains encrypted file names.<br />
Filename encryption is not compatible with GZIP and will not be used if requested.<br />
Opening and Viewing an Archive that Has Encrypted File Names<br />
An archive that contains encrypted file names requires SecureZIP <strong>for</strong> <strong>iSeries</strong> 8.0 or<br />
later to open it. To view the filename encrypted archive encryption detail and not the<br />
archive's content, use TYPE(*VIEW) VIEWOPT(*FNEALL).<br />
The version number is not a version of the SecureZIP <strong>for</strong> <strong>iSeries</strong> program but<br />
rather a version of the ZIP file <strong>for</strong>mat. Version 8.0 of the program uses features of<br />
the 6.20 ZIP file <strong>for</strong>mat specification (ZipSpec) that are not available in earlier<br />
versions. All preceding versions of the program used earlier versions of the ZipSpec.<br />
When opening an archive, SecureZIP <strong>for</strong> <strong>iSeries</strong> automatically decrypts file names<br />
<strong>for</strong> anyone on a recipient list <strong>for</strong> the encrypted file names, (or the correct password if<br />
PASSWORD was specified when the archive was updated with ADVCRYPT).<br />
If file names are encrypted using a password (with or without a recipient list),<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> requires the correct password when anyone who is not on<br />
the recipient list tries to open the archive. If the correct password is not entered,<br />
PKZIP does not open the archive.<br />
103
Security Examples<br />
Below are examples of how to invoke SecureZIP <strong>for</strong> <strong>iSeries</strong> processing using PKZIP<br />
and PKUNZIP commands with sample output listings.<br />
SecureZIP using Recipients or Combo<br />
When protection modes of "Recipient" or "Combo" are selected, recipients can be<br />
designated such that a password is not required to extract the data.<br />
If a password is entered, the lines will be concatenated to create a single password<br />
string of up to 200 characters and each line must begin and end with a non-blank.<br />
Each recipient is represented by a public-key x.509 digital certificate. The public-key<br />
certificates can be stored and accessed in one or more of the following locations:<br />
• Individual data sets in an IFS path<br />
• The local certificate store database as described by DB profile<br />
• One or more network LDAP servers as described by LDAP Profile<br />
Recipient designations:<br />
1. ENTPREC( (*LDAP;CN=Joe Smith))<br />
2. ENTPREC( (*file;'/PKZIP/CERTSTOR/PRIVATE/MAS2004';’abcdef’; RQD))<br />
3. ENTPREC( (*db;EM=somebody@somewhere.com))<br />
4. A. ENTPREC( (*MBRSET;MAS2004;’abcdef’;RQD))<br />
B. ENTPREC( (*MBRSET;MAS2004;;RQD))<br />
It is important to note the following:<br />
• CN=Joe Smith may return more than one recipient digital certificate. The<br />
LDAP entry <strong>for</strong> Joe Smith may contain multiple certificates, such as one <strong>for</strong><br />
each year of employment with the company, since certificates are frequently<br />
valid <strong>for</strong> only one year.<br />
• A local IFS path has a certificate loaded into file MAS2004, which may<br />
represent a specific person's 2004 certificate. In this case, the RQD indicates<br />
that the certificate is required <strong>for</strong> processing to be per<strong>for</strong>med. In addition,<br />
this certificate is a private key certificate, so the export password is necessary<br />
<strong>for</strong> the public key portion to be extracted from it.<br />
• *db;EM= (or CN= <strong>for</strong> common name) may be used to locate a public key<br />
certificate from within the local certificate store database. Private key<br />
certificates may also be stored in the database, in which case the correct<br />
private key passwords are required to access them.<br />
• *MBRSET demonstrates how to enter only the file name. The path will come<br />
from the store defined in the enterprise security configuration file. Since the<br />
4A item has a password entered, the private store will be used. The 4B item<br />
contains no password there<strong>for</strong>e the public store will be used.<br />
104
SecureZIP Encryption Using a Recipients List<br />
A. PKZIP ARCHIVE('/pkzshare/aV80Test/test010.zip')<br />
FILES('/pkzshare/aV80Test/recp/Test cases.txt')<br />
TYPARCHFL(*IFS) TYPFL2ZP(*IFS) STOREPATH(*NO)<br />
ADVCRYPT(AES256) PASSWORD(pkware12) VPASSWORD(pkware12)<br />
ENTPREC((*DB 'EM=Bill.Somebody@pkware.com' *N *RQD)<br />
(*FILE '/pkzshare/CStores/pkware_testcerts/pktestdb3.crt')<br />
(*MBRSET 'pktestdb3.crt'))<br />
Notice there were three inputted recipient requests, and there were four recipients<br />
used <strong>for</strong> the archive.<br />
First, the CN=PKWCADMIN was added because the enterprise security settings<br />
defined a master recipient that will be added when doing strong encryption.<br />
Second, the EM=Bill.Somebody, found two certificates in the database locator.<br />
Third, since the pktestdb3.crt file was found two times using two different access<br />
methods, we only used it once <strong>for</strong> the process.<br />
Displayed output from example A.<br />
Scanning files in *IFS <strong>for</strong> match ...<br />
Total Recipients processed 4<br />
Archive Recipient List:<br />
CN=PKWARE Test3 EMail=PKTESTDB3@nowhere.com<br />
CN=PKWCADMIN EMail=none<br />
CN=BILL SOMEBODY EMAIL=BILL.SOMEBODY@PKWARE.COM<br />
CN=William Somebody EMail=bill.Somebody@pkware.com<br />
Found 1 matching files<br />
Compressing /pkzshare/aV80Test/recp/Test cases.txt in BINARY mode<br />
Add Test cases.txt -- Deflating (81%) encrypt(BSAFE AES 256Key)<br />
SecureZIP Compressed 1 files in Archive /pkzshare/aV80Test/test010.zip<br />
Store<br />
B. PKZIP ARCHIVE('/pkzshare/aV80Test/test011.zip')<br />
FILES('/pkzshare/aV80Test/recp/Test cases.txt')<br />
TYPARCHFL(*IFS) TYPFL2ZP(*IFS) STOREPATH(*NO)<br />
ADVCRYPT(AES256) PASSWORD(pkware12) VPASSWORD(pkware12)<br />
ENTPREC((*DB 'CN=Bill Somebody' *N *RQD)<br />
(*FILE '/pkzshare/CStores/pkware_testcerts/pktestdb3.crt')<br />
(*MBRSET 'pktestdb4.crt') )<br />
In this example, notice the request is <strong>for</strong> CN= and not EM=. This resulted in only one<br />
certificate to process from this database request.<br />
Displayed output from example B.<br />
Scanning files in *IFS <strong>for</strong> match ...<br />
Total Recipients processed 4<br />
Archive Recipient List:<br />
CN=PKWARE Test2 EMail=PKTESTDB3@nowhere.com<br />
CN=PKWARE Test1 EMail=PKTESTDB1@nowhere.com<br />
CN=PKWCADMIN EMail=none<br />
CN=Bill Somebody EMail=bill.somebody@pkware.com<br />
Found 1 matching files<br />
Compressing /pkzshare/aV80Test/recp/Test cases.txt in BINARY mode<br />
Add Test cases.txt -- Deflating (81%) encrypt(BSAFE AES 256Key)<br />
SecureZIP Compressed 1 files in Archive /pkzshare/aV80Test/test011.zip<br />
SecureZIP Completed Successfully<br />
105
Store<br />
C. PKZIP ARCHIVE('/pkzshare/aV80Test/test012.zip')<br />
FILES('/pkzshare/aV80Test/recp/Test cases.txt')<br />
TYPARCHFL(*IFS) TYPFL2ZP(*IFS) TYPLISTFL(*IFS)<br />
STOREPATH(*NO) ADVCRYPT(AES256) PASSWORD(pkware12)<br />
VPASSWORD(pkware12)<br />
ENTPREC((*DB 'CN=Bill Somebody' *N *RQD)<br />
(*INLIST '/inlist/tstpubl2.inlist'))<br />
This example used the Inlist option to read in a list of recipients:<br />
INLIST file '/inlist/tstpubl2.inlist':<br />
************Beginning of data**************<br />
{RECIPIENT=DB;EM=PKTESTDB3@nowhere.com;;RQD}<br />
{RECIPIENT=DB;CN=PKWARE Test4;;OPT}<br />
************End of Data********************<br />
Displayed output from example C.<br />
Scanning files in *IFS <strong>for</strong> match ...<br />
Total Recipients processed 4<br />
Archive Recipient List:<br />
CN=PKWCADMIN EMail=none<br />
CN=Bill Somebody EMail=bill.Somebody@pkware.com<br />
CN=PKWARE Test3 EMail=PKTESTDB3@nowhere.com<br />
CN=PKWARE Test4 EMail=PKTESTDB4@nowhere.com<br />
Found 1 matching files<br />
Compressing /pkzshare/aV80Test/recp/Test cases.txt in BINARY mode<br />
Add Test cases.txt -- Deflating (81%) encrypt(BSAFE AES 256Key)<br />
SecureZIP Compressed 1 files in Archive /pkzshare/aV80Test/test012.zip<br />
SecureZIP Completed Successfully<br />
SecureZIP Encryption using LDAP search <strong>for</strong> Recipients<br />
D. PKZIP ARCHIVE('/pkzshare/aV80Test/test013.zip')<br />
FILES('/pkzshare/aV80Test/recp/Test cases.txt')<br />
TYPARCHFL(*IFS) TYPFL2ZP(*IFS) TYPLISTFL(*IFS)<br />
STOREPATH(*NO) ADVCRYPT(AES256)<br />
ENTPREC((*LDAP ‘EM=bill.Somebody@pkware.com' *N *RQD))<br />
Displayed output from example D.<br />
Scanning files in *IFS <strong>for</strong> match ...<br />
Total Recipients processed 2<br />
Archive Recipient List:<br />
CN=PKWCADMIN EMail=none<br />
CN=William Somebody EMail=bill.Somebody@pkware.com<br />
Found 1 matching files<br />
Compressing /pkzshare/aV80Test/recp/Test cases.txt in BINARY mode<br />
Add Test cases.txt -- Deflating (81%) encrypt(BSAFE AES 256Key)<br />
SecureZIP Compressed 1 files in Archive /pkzshare/aV80Test/test013.zip<br />
SecureZIP Completed Successfully<br />
UNZIP Compressed File(s) from an Archive File Using Recipients<br />
Since we will be extracting/testing files that were encrypted with our public keys, we<br />
will need the private key to decrypt the file. Below are several examples with one<br />
106
eing correct and the others showing possible errors with bad certificates or wrong<br />
password <strong>for</strong> the private key.<br />
Unzip Output using Recipients<br />
To decrypt a file with recipients, a valid password <strong>for</strong> the certificate is required.<br />
Below is a valid test of example A.<br />
A PKUNZIP ARCHIVE('/pkzshare/aV80Test/test010.zip')<br />
TYPARCHFL(*IFS) TYPE(*TEST)<br />
ENTPREC((*MBRSET 'pktestdb3.p12' 'PKWARE') )<br />
Displayed output from test of example A.<br />
Total Recipients processed 1<br />
UNZIP Archive: /pkzshare/aV80Test/test010.zip<br />
Searching Archive /pkzshare/aV80Test/test010.zip <strong>for</strong> files to extract<br />
Testing: Test cases.txt<br />
Test cases.txt tested OK<br />
No errors detected in compressed data of /pkzshare/aV80Test/test010.zip.<br />
SecureUNZIP Completed Successfully<br />
B PKUNZIP ARCHIVE('/pkzshare/aV80Test/test010.zip')<br />
TYPARCHFL(*IFS) TYPE(*TEST)<br />
ENTPREC((*MBRSET 'pktestdb3.cer'))<br />
Displayed output from test of example B.<br />
Required Recipient failed selection process<br />
Recipient Requires Password <strong>for</strong> Private Key<br />
Required Recipient Failed<br />
C PKUNZIP ARCHIVE('/pkzshare/aV80Test/test010.zip')<br />
TYPARCHFL(*IFS) TYPE(*TEST)<br />
ENTPREC((*MBRSET 'pktestdb1.p12' 'PKWAREXX'))<br />
Displayed output from test example C with a bad password <strong>for</strong> the private key.<br />
Required Recipient failed selection process<br />
Inputted Recipient Listing<br />
Rqrd *MbrSet Cert Open Failure pktestdb3.p12<br />
Required Recipient Failed<br />
View the Contents of an Archive File<br />
When a file has been encrypted, one of the following indicators describing the<br />
strength of encryption is displayed be<strong>for</strong>e the file name.<br />
A PKUNZIP ARCHIVE('/pkzshare/aV80Test/test013.zip')<br />
TYPARCHFL(*IFS) TYPE(*view)<br />
Displayed output from example A.<br />
Archive: /pkzshare/aV80Test/test010.zip 2024 bytes 1 file<br />
Length Method Size Ratio Date Time CRC-32 Name<br />
-------- ------ ------- ----- ---- ---- ------ ----<br />
107
4234 Defl:F 1722 59% 03-23-04 14:04 11cc5542 !Test cases.txt<br />
-------- ------- ---- -------<br />
4234 1722 59% 1 file<br />
Notice the “!” in front of the file in archive name. This indicates that this file is<br />
encrypted with strong encryption. A “+” would indicate that only 96-bit encryption<br />
was used.<br />
View Detail Display<br />
The view detail option not only shows the encryption algorithm used to encrypt but<br />
will also display any certificate in<strong>for</strong>mation that is available.<br />
B PKUNZIP ARCHIVE('/pkzshare/aV80Test/test010.zip')<br />
TYPARCHFL(*IFS) TYPE(*view) VIEWOPT(*ALL)<br />
Displayed output from example B.<br />
Archive: /pkzshare/aV80Test/test010.zip 2024 bytes 1 file<br />
Filename: Test cases.txt<br />
Detected File type: Binary Encrypt=Strong Encrypted<br />
Created by: PKZIP <strong>for</strong> <strong>iSeries</strong>(tm) 8.1<br />
Zip Spec to Extract: 6.1 Or Greater<br />
Compression method: Deflated [Fast]<br />
Date and Time 2004 Mar 23 14:04:06<br />
Compressed size: 1722 bytes<br />
Uncompressed size: 4234 bytes<br />
32-bit CRC value (hex): 11cc5542<br />
Unix file attributes (100777 octal):<br />
-rwxrwxrwx<br />
MS-DOS file attributes (00 hex):<br />
none<br />
Extended attributes: yes, [Length = 138]<br />
Strong Encryption AES 256 Key (BSAFE).<br />
Algorithm Key 256, Security type Password and Certificate Key<br />
Number Certifcate Recipients 4<br />
Recipient List:<br />
CN=PKWARE Test3, EM=PKTESTDB3@nowhere.com<br />
CN=PKWCADMIN, EM=(none)<br />
CN=Bill Somebody, EM=bill.Somebody@pkware.com<br />
CN=William Somebody, EM=bill.Somebody@pkware.com<br />
IFS: Creation Time Wed Mar 24 17:23:44 2004<br />
IFS: Access Time Thu Sep 16 19:41:11 2004<br />
IFS: Modification Time Tue Mar 23 19:04:06 2004<br />
IFS: Code Page 1252<br />
File Comment:"none"<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Found 1 file, 4234 bytes uncompressed, 1722 bytes compressed: 59%<br />
C PKUNZIP ARCHIVE('/pkzshare/aV80Test/test013.zip')<br />
TYPARCHFL(*IFS) TYPE(*view) VIEWOPT(*ALL)<br />
Displayed output from example C.<br />
Archive: /pkzshare/aV80Test/test013.zip 1660 bytes 1 file<br />
Filename: Test cases.txt<br />
Detected File type: Binary Encrypt=Strong Encrypted<br />
Created by: PKZIP <strong>for</strong> <strong>iSeries</strong>(tm) 8.1<br />
Zip Spec to Extract: 6.1 Or Greater<br />
Compression method: Deflated [Fast]<br />
Date and Time 2004 Mar 23 14:04:06<br />
Compressed size: 1398 bytes<br />
Uncompressed size: 4234 bytes<br />
32-bit CRC value (hex): 11cc5542<br />
Unix file attributes (100777 octal):<br />
-rwxrwxrwx<br />
MS-DOS file attributes (00 hex):<br />
none<br />
108
Extended attributes: yes, [Length = 98]<br />
Strong Encryption AES 256 Key (BSAFE).<br />
Algorithm Key 256, Security type Certificate Key<br />
Number Certifcate Recipients 2<br />
Recipient List:<br />
CN=PKWCADMIN, EM=(none)<br />
CN=William Somebody, EM=bill.Somebody@pkware.com<br />
IFS: Creation Time Wed Mar 24 17:23:44 2004<br />
IFS: Access Time Thu Sep 16 20:10:44 2004<br />
IFS: Modification Time Tue Mar 23 19:04:06 2004<br />
IFS: Code Page 1252<br />
File Comment:"none"<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Found 1 file, 4234 bytes uncompressed, 1398 bytes compressed: 67%<br />
SecureUNZIP extracted 0 files<br />
109
11 PKZIP Command<br />
PKZIP Command Summary with Parameter Keyword Format<br />
If the OS/400 command prompt screen is to be used, the command <strong>for</strong>mat is simply:<br />
PKZIP. There also is a command PKZSPOOL which is the same command as PKZIP,<br />
but has the parameter TYPFL2ZP set to *SPL <strong>for</strong> spool files. The parameters are also<br />
re-sequenced to give preference to parameters dealing specifically with spool files.<br />
The command prompt screen is displayed when Enter or PF4 is pressed. The<br />
parameter keywords are displayed on this screen, together with the available<br />
keyword options. The required options can be selected be<strong>for</strong>e PF4 is pressed to<br />
accept the selections. If the command and parameter keywords are entered together<br />
on the command line the required <strong>for</strong>mat is:<br />
PKZIP keyword1(option) keyword2(option) . . . keywordn(option)<br />
Keywords are demarcated by spaces. The keyword “ARCHIVE” is the only positional<br />
keyword where the keyword is not required. Whenever the word “path” is used, its<br />
meaning depends on the file system that is being used. If IFS is used, path refers to<br />
the open system true path type. If the library systems or *DB is used, path means<br />
library/file and then the file name refers to the member name.<br />
TYPE( *ADD )<br />
{*UPDATE}<br />
{*FRESHEN}<br />
{*MOVEA}<br />
{*MOVEF}<br />
{*MOVEU}<br />
{*DELETE}<br />
ADVCRYPT( {ZIPSTD} )<br />
{AES128}<br />
{AES192}<br />
{AES256}<br />
{3DES}<br />
{DES}<br />
{RC4_128}<br />
ARCHIVE( Archive Zip File name with path )<br />
ARCHTEXT( {*NONE} )<br />
Archive File Text description<br />
110
AUTHCHK( Authenticators )<br />
Authenticate Type<br />
{*FILE}<br />
{*ARCHIVE}<br />
{*ALL}<br />
Lookup Type {*DB }<br />
{*LDAP}<br />
{*FILE}<br />
{*MBRSET}<br />
{*INLIST}<br />
Recipient<br />
Password (if Private)<br />
Required {*RQD }<br />
{*OPT}<br />
{Recipient String}<br />
{Certificate password}<br />
AUTHPOL ( Authenticate Filters: )<br />
Validate Level { *SYSTEM }<br />
{*WARN }<br />
{*VALIDATE}<br />
Validate Level { *NONE }<br />
{*ARCHIVE }<br />
Filters {*SYSTEM }<br />
{*ALL}<br />
{*NONE}<br />
{*TAMPER}<br />
{*TRUSTED}<br />
{*EXPIRED}<br />
{*REVOKED}<br />
{*NOTAMPER}<br />
{*NOTTRUSTED}<br />
{*NOTEXPIRED}<br />
{*NOTREVOKED}<br />
COMPAT( {*NONE} )<br />
{*PK400}<br />
COMPRESS( {*FAST} )<br />
{*MAX}<br />
{*STORE}<br />
{*TERSE)<br />
CRTLIST( {*NONE} )<br />
path/filename<br />
{*SIMULATE}<br />
CVTDATA(<br />
External Pgm Conversion Extended Data)<br />
CVTFLAG( {*NONE} )<br />
External Pgm Conversion Flags<br />
CVTTYPE( {*NONE} )<br />
{*DROP}<br />
{*SUFFIX}<br />
DATEAB( mmddyyyy )<br />
DATETYPE( {*NO} )<br />
{*BEFORE}<br />
{*AFTER}<br />
DBSERVICE( ({*NO} )<br />
{*YES)<br />
DELIM ( ({CRLF} )<br />
{CR }<br />
{LF }<br />
{LFCR }<br />
111
DFTARCHREC( {132} )<br />
{decimal number}<br />
DIRNAMES( {*YES} )<br />
{*NO}<br />
DIRRECRS( {*NONE} )<br />
{*FULL}<br />
{*NAMEONLY}<br />
ENTPREC( Lookup Type; Recipient; Password; Required )<br />
Lookup Type {*DB }<br />
{*LDAP}<br />
{*FILE}<br />
{*MBRSET}<br />
{*INLIST}<br />
Recipient<br />
{Recipient String}<br />
Password (if Private) {Certificate password}<br />
Required {*RQD }<br />
{*OPT}<br />
ENCRYPOL ( Encryption Filters: )<br />
Validate Level {*SYSTEM }<br />
{*WARN }<br />
{*VALIDATE}<br />
Filters {*SYSTEM }<br />
{*ALL}<br />
{*NONE}<br />
{*TRUSTED}<br />
{*EXPIRED}<br />
{*REVOKED}<br />
{*NOTTRUSTED}<br />
{*NOTEXPIRED}<br />
{*NOTREVOKED}<br />
EXCLFILE( {*NONE} )<br />
path/filename<br />
EXCLUDE( file_specification 1, )<br />
file_specification 2,<br />
file_specification n<br />
EXTRAFLD( {*YES} )<br />
{*NO}<br />
{*CENTRAL}<br />
{*LOCAL}<br />
{*BOTH same as *YES}<br />
ERROPT( {*END} )<br />
{*SKIP}<br />
FILES( file_specification 1, )<br />
file_specification 2,<br />
file_specification n<br />
FILESTEXT( {*NO} )<br />
{*ALL}<br />
{*NEW}<br />
{*UPDATE}<br />
FILETYPE( {*TEXT} )<br />
{*BINARY}<br />
{*EBCDIC}<br />
{*FIXTEXT}<br />
{*DETECT}<br />
112
FNE( {*YES | *NO} )<br />
{*YES | *NO}<br />
FTRAN( {*INTERNAL} )<br />
Member Name<br />
GZIP( {*YES} )<br />
{*NO}<br />
IFSCDEPAGE( {*NO} )<br />
Code-page<br />
INCLFILE( {*NONE} )<br />
path/filename<br />
MSGTYPE( {*PRINT} )<br />
{*SEND<br />
{*BOTH}<br />
PASSWORD( Archive Password )<br />
SELFXTRACT ( {*MAINTAIN} )<br />
{*REMOVE}<br />
(WINDOWS}<br />
{AIX}<br />
{HP_UNIX}<br />
{SUN_UNIX}<br />
{LINUXINTEL}<br />
SFUSER ( {*CURRENT} )<br />
{user id 1}<br />
{user id 2}<br />
{user id 5)<br />
SFQUEUE ( {*ALL} )<br />
{Library/OUTQ }<br />
SFFORM ( {*ALL} )<br />
{*STD}<br />
{Spool File Form Type }<br />
SFUSRDTA ( {*ALL} )<br />
{Spool File User data}<br />
SFSTATUS ( {*ALL} )<br />
{*READY}<br />
(*HELD }<br />
{*CLOSED}<br />
{*SAVED }<br />
{*PENDING}<br />
{*DEFERRED}<br />
SFJOBNAM ( {blanks } )<br />
{*}<br />
{Job-name//Userr-Name/Job Number}<br />
SFTARGET ( {*SPLF} )<br />
{*TEXT}<br />
{*TEXT1}<br />
{*TEXT2}<br />
{*TEXTFC}<br />
{*PDF}<br />
{*PDFLETTER}<br />
{*PDFLEGAL}<br />
113
SFTGFILE ( {*GEN1} )<br />
{*GEN2}<br />
{*GEN1P}<br />
{path/filename }<br />
SIGNERS( Signer )<br />
Signing Type<br />
{*FILE}<br />
{*ARCHIVE}<br />
{*ALL}<br />
Lookup Type {*DB }<br />
{*LDAP}<br />
{*FILE}<br />
{*MBRSET}<br />
{*INLIST}<br />
Recipient<br />
Password (if Private)<br />
Required {*RQD }<br />
{*OPT}<br />
SIGNPOL ( Signing Filters: )<br />
Validate Level {*SYSTEM }<br />
{*WARN }<br />
{*VALIDATE}<br />
Filters {*SYSTEM }<br />
{*ALL}<br />
{*NONE}<br />
{*TRUSTED}<br />
{*EXPIRED}<br />
{*REVOKED}<br />
{*NOTTRUSTED}<br />
{*NOTEXPIRED}<br />
{*NOTREVOKED}<br />
{Recipient String}<br />
{Certificate password}<br />
STOREPATH( {*NO} )<br />
{*YES}<br />
SPLFILE ( {*ALL} )<br />
{Spool File Name }<br />
SPLNBR ( {*ALL} )<br />
{*LAST}<br />
{Spool File Number 1-9999}<br />
STOREPATH( {*NO} )<br />
{*YES}<br />
TMPPATH( {*CURRENT} )<br />
Temporary Path<br />
TRAN( {*INTERNAL} )<br />
Member Name<br />
TYPARCHFL( {*DB} )<br />
{*IFS}<br />
TYPFL2ZP( {*DB} )<br />
{*IFS}<br />
{*IFS2}<br />
{*DBA}<br />
{*SPL}<br />
TYPLISTFL( {*DB} )<br />
{*IFS}<br />
VERBOSE( {*NORMAL} )<br />
{*NONE}<br />
114
{*ALL}<br />
{*MAX}<br />
VPASSWORD( Archive Verify Password )<br />
115
PKZIP Command Keyword Details<br />
TYPE<br />
TYPE(ADD|DELETE|EXTRACT|FRESHEN|MOVEA|MOVEF|MOVEU|UPDATE |VIEW)<br />
The TYPE keyword specifies the type of action PKZIP should per<strong>for</strong>m on the ZIP<br />
archive.<br />
The possible actions are:<br />
*ADD<br />
*UPDATE<br />
*FRESHEN<br />
*MOVEA<br />
*MOVEF<br />
*MOVEU<br />
*DELETE<br />
The *ADD option is the default and adds a selection of<br />
files to the archive file. If an archive is already present,<br />
it will be written over by the new archive file.<br />
The *UPDATE option updates files which are already in<br />
the archive file with a newer version and will also add<br />
newly selected files that are not present in the archive<br />
file.<br />
The *FRESHEN option updates ONLY the files which<br />
already exist in an archive file. If the date/time of the<br />
file is newer than the date/time of the file in the archive,<br />
the file will be compressed and replace the one in the<br />
archive.<br />
The *MOVEA (Move and Add option) option per<strong>for</strong>ms the<br />
*ADD option, and upon completion of a successful PKZIP<br />
command, the actual file will be deleted.<br />
The *MOVEF (Move and Freshen option) option per<strong>for</strong>ms<br />
the *FRESHEN option, and upon completion of a<br />
successful PKZIP command, the actual file will be<br />
deleted.<br />
The *MOVEU (Move and Update option) option per<strong>for</strong>ms<br />
the *UPDATE option, and upon completion of a<br />
successful PKZIP command, the actual file will be<br />
deleted.<br />
The *DELETE option removes entries from the archive<br />
file based upon the selection of FILES and EXCLUDE<br />
parameters. The <strong>for</strong>mat of the FILES and EXCLUDE<br />
parameters should be in the <strong>for</strong>mat of the files as seen<br />
in the archive.<br />
ADVCRYPT<br />
ADVCRYPT(ZIPSTD|ASE128|AES192|AES256|DES|3DES|RC4_128 PKWARE|BSAFE)<br />
When a ZIP action is requested to save a file in an archive, and a password is<br />
provided, SecureZIP <strong>for</strong> <strong>iSeries</strong> will use an encryption method to protect the data.<br />
116
This command value specifies which algorithm to employ. There are two modes of<br />
encryption: RSA BSAFE and PKWARE. See Chapter 2.<br />
Possible encryptions are:<br />
ZIPSTD<br />
*NONE<br />
AES128<br />
AES192<br />
AES256<br />
DES<br />
3DES<br />
RC4_128<br />
This algorithm is the original algorithm used in PKZIP<br />
2.x products and is compatible with other PKZIP 2.04g<br />
products that support standard encryption. Unless the<br />
installation defaults module has been tailored differently,<br />
this is the default value <strong>for</strong> PKZIP <strong>for</strong> <strong>iSeries</strong> if you<br />
choose to encrypt a file.<br />
No Encryption<br />
Advanced Encryption Standard 128-bit key algorithm,<br />
also known as Rijndael.<br />
Advanced Encryption Standard 192-bit key algorithm,<br />
also known as Rijndael.<br />
Advanced Encryption Standard 256-bit key algorithm,<br />
also known as Rijndael. This is the default value <strong>for</strong><br />
SecureZIP <strong>for</strong> <strong>iSeries</strong>.<br />
Data Encryption Standard.<br />
Triple Data Encryption Standard.<br />
RC4 is a stream cipher created by RSA.<br />
Usage Notes:<br />
PKUNZIP will detect automatically which encryption method was specified during the<br />
ZIP process and operate accordingly.<br />
During a PKZIP (ZIP) run, only one encryption method may be specified, and that<br />
method will be used <strong>for</strong> each file that is operated on.<br />
By executing PKZIP at different times, various files within the archive may be saved<br />
with differing levels (and types) of encryption. That is, some files may not be<br />
protected at all, while others may have different methods and/or passwords.<br />
A “+” character is shown in a view to indicate standard encryption protection is used<br />
<strong>for</strong> a file.<br />
A “!” character is shown in a View to indicate advanced encryption (AES) protection<br />
is used <strong>for</strong> a file.<br />
ARCHIVE<br />
ARCHIVE(archive ZIP file name with path)<br />
Specifies the path/file name or the library/file name of the SecureZIP <strong>for</strong> <strong>iSeries</strong><br />
archive to be processed. If the file exists, PKZIP will overwrite the file, otherwise<br />
PKZIP will create the file <strong>for</strong> you. Depending on which file system you choose, the<br />
path or library must exist. This is a required parameter.<br />
The <strong>for</strong>mat depends on whether you will be using the archive file in the library file<br />
system, or the IFS (Integrated File System).<br />
117
See parameter TYPARCHFL <strong>for</strong> file system type in<strong>for</strong>mation.<br />
Library File System<br />
Format is library/file(member). If member is omitted, it<br />
will be created with the file name. If the file is not<br />
found, it will be created with a default length specified in<br />
parameter DFTARCHREC (which has a default of 132).<br />
If you want to create a file manually to use a larger<br />
record length, create it with no members and with the<br />
parameter MAXMBRS with *NOMAX, or with a high<br />
excepted limit. If the Library is not specified, the file<br />
name will be searched using *LIBL. If the file name is<br />
not found, the file will be created in the users *CURLIB.<br />
If a library is specified and does not exist, PKZIP will<br />
create the library.<br />
Integrated File System (IFS)<br />
Open system path followed by the archive file name.<br />
The path and file name can up to 256 characters and<br />
may contain embedded spaces.<br />
ARCHTEXT<br />
ARCHTEXT(*NONE| Archive File Text description)<br />
Specifies text that will be stored in the archive as the archive's file comment.<br />
*NONE<br />
*DEFAULT<br />
*CLEAR<br />
No new archive comment will be stored.<br />
The default PKWARE comment will be stored.<br />
Clear any comment that may be stored in an archive.<br />
Archive File Text description<br />
Up to 255 characters that are stored as the archive's file<br />
comments.<br />
AUTHCHK<br />
Authenticator Certificates:<br />
File/Archive . . . . . . . *FILE *FILE, *ARCHIVE, *ALL<br />
LookUp Type . . . . . . . . *DB *DB, *LDAP, *FILE, *MBRSET...<br />
Authenticator . . . . . . . ______________________________<br />
Password (If Private) . . . ______________________________<br />
Required . . . . . . . . . . *RQD *RQD, *OPT<br />
+ <strong>for</strong> more values _<br />
Or<br />
AUTHCHK((*FILE *MBRSET 'pkwareCertAdmin04.pfx' (password) *RQD))<br />
AUTHCHK((*ALL *FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))<br />
AUTHCHK((*ARCHIVE *FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))<br />
AUTHCHK((*FILE *DB ‘EM=bill.somebody@pkware.com' () *OPT))<br />
AUTHCHK((*FILE *INLIST 'ATEST/INLIST(ENGNEER1)' *N)<br />
118
This parameter specifies that digital signature authentication processing should be<br />
per<strong>for</strong>med <strong>for</strong> specific signers. Separate authentication processing may be specified<br />
<strong>for</strong> either the archive central directory or files by using multiple commands.<br />
Optionally, specific signers may be specified to authenticate against. This parameter<br />
is used in conjunction with the AUTHPOL parameters and its settings.<br />
It is possible that more than one certificate may be returned <strong>for</strong> a single common<br />
name or email search. As a result, each one will be added to the list of validating<br />
sources.<br />
When no specific certificates are requested, any signatories found in the archive are<br />
validated in accordance with the systems or current AUTHPOL Filters policy settings.<br />
There are five options <strong>for</strong> AUTHCHK.<br />
Authenticator Type File/Archive<br />
(*FILE |*ARCHIVE |*ALL)<br />
This designates the type of authentication that is to be per<strong>for</strong>med. Either ARCHIVE,<br />
FILE or ALL may be specified on each item, but by using ALL or archive with the<br />
*RQD option will result in error since the archive can only have one signatory. If the<br />
lookup type is *INLIST, then this option will be ignored and will pickup from the<br />
records in the inlist file.<br />
• *FILE – The signed files will be authenticated with this authenticator.<br />
• *ARCHIVE - The archive directory will be authenticated with this<br />
authenticator.<br />
• *ALL – Both the signed files and the archive directory will be authenticated<br />
with this authenticator.<br />
Lookup Type<br />
(*DB |*FILE |*LDAP |*MBRSET |*INLIST)<br />
The lookup type would be the type of authenticator search to be used <strong>for</strong> the<br />
authenticator string to look up the public key.<br />
• *DB - The authenticator string is defined to search using the certificate<br />
locator database to access the digital certificate.<br />
• *FILE - The authenticator string is defined to read a specific file in a specific<br />
path in the IFS in order to access the digital certificate.<br />
• *LDAP - The recipient string is defined to search using the LDAP server to<br />
access the digital certificate.<br />
• *MBRSET - The authenticator string is defined to read this specific file from<br />
the enterprise public certificate store to access the digital certificate.<br />
• *INLIST- The authenticator string defines a specific file that will contain one<br />
to many AUTHCHK. The TYPLISTFL parameter must specify the file type <strong>for</strong><br />
the inlist.<br />
Authenticator<br />
(The authenticator string name)<br />
The authenticator string <strong>for</strong>mat depends on what was specified <strong>for</strong> the lookup type.<br />
• If lookup type is *DB, the authenticator string will either be an email address<br />
or the common name of the certificate. This depends on the configuration<br />
setting in PKCFGSEC parameter CERTDB. To override the default selection<br />
119
mode, you can prefix the string with EM= <strong>for</strong> email, or CN= <strong>for</strong> the common<br />
name.<br />
For example:<br />
AUTHCHK((*FILE *DB ‘bill.somebody@pkware.com' () *RQD)<br />
(*ARCHIVE *DB ‘CN=bill somebody' () *RQD)<br />
(FILE *DB ‘EM=bill.somebody@pkware.com' (password) *OPT))<br />
• If lookup type is *FILE, the authenticator string is defined to read a specific<br />
file in a specific path of the IFS. This file should be a public key X.509 file or<br />
public key X.509 certificate with a private key file.<br />
For example:<br />
AUTHCHK((*ARCHIVE *FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' ()<br />
*RQD))<br />
The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path<br />
'/pkzshare/CStores/public’.<br />
• If type is *LDAP, the authenticator string will either be an email address or<br />
the common name of the certificate depending on the search mode<br />
configuration setting in PKCFGSEC parameter LDAP. To override the default<br />
selection mode, you can prefix the string with EM= <strong>for</strong> email address, or CN=<br />
<strong>for</strong> the common name.<br />
For example:<br />
AUTHCHK ((*ARCHIVE *LDAP ‘bill.somebody@pkware.com' () *RQD)<br />
(*FILE *LDAP ‘CN=bill somebody' () *OPT)<br />
(*FILE *LDAP ‘EM=bill.somebody@pkware.com' () *RQD))<br />
• If lookup type is *MBRSET, the authenticator string is defined to read a<br />
specific file from the public certificate store and/or the private certificate store<br />
of the IFS. This file should be a public key X.509 file or public key X.509<br />
certificate with a private key file.<br />
For example:<br />
AUTHCHK((*ALL *MBRSET 'pkwareCertAdmin04.cer' () *RQD))<br />
The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path of<br />
the public certificate store defined in the enterprise security configuration<br />
public store (parameter CSPUB). If a password is included, the file is searched<br />
<strong>for</strong> in the enterprise security configuration private store (parameter CSPRIV).<br />
• If lookup type is *INLIST, the authenticator string defines a full file name of<br />
an input list file that contains records of AUTHCHK shortcut parameters. The<br />
type of file will exist in the QSYS library file system if TYPLISTFL(*DB) is set<br />
and will be a path file name in the IFS if TYPLISTFL(*IFS) is set. The <strong>for</strong>mat<br />
of the AUTHCHK shortcut parameters are defined below in the *INLIST usage<br />
section.<br />
Password<br />
This designates the password that is required <strong>for</strong> a private key certificate with a<br />
private key (PKCS#12 file). When a value is specified, the target must be an X.509<br />
PKCS#12 public key certificate with the private key.<br />
120
The PASSWORD value may contain blanks and is delimited by the closing right<br />
parenthesis ")" of the signing command.<br />
Required<br />
(*RQD|*OPT|*SAME)<br />
If *RQD, then this authenticator must be found during the selection, and the<br />
certificate must be a valid certificate with a private key, or the ZIP/UNZIP run will<br />
fail.<br />
Usage Notes:<br />
Passwords are masked out in all output displays.<br />
A local certificate store configuration is required to complete the TRUST processing of<br />
this command.<br />
Processing is terminated if none of the requested certificates can be accessed,<br />
regardless of the “R” required flag. If multiple requests are made and at least one<br />
signature is found, processing continues normally.<br />
For inlist that contains a password to open a private certificate, make sure that the<br />
security is sufficient to only allow the owner of the certificate to have read access.<br />
Otherwise this would leave a security hole where other users could browse the<br />
password.<br />
*INLIST Usage:<br />
If *INLIST is defined on the AUTHCHK parameter, then the authenticator filed will be<br />
a file that SecureZIP will read to include the authenticator. The <strong>for</strong>mat is very similar<br />
to the AUTHCHK parameter described above except that each line authenticator<br />
starts with “{AUTHCHK=” and is terminated by the “}” character, with the semicolon<br />
“;” as a separator <strong>for</strong> each entry.<br />
{AUTHCHK=Authenticator Type, Lookup Type; Authenticator; Password; Required}<br />
Authenticator Type<br />
Lookup Type<br />
Authenticator<br />
Password<br />
Required<br />
Examples:<br />
See Authenticator Type in AUTHCHK<br />
See Lookup Type in AUTHCHK excluding the INLIST<br />
See Authenticator in AUTHCHK.<br />
See Password in AUTHCHK.<br />
See Required in AUTHCHK, but use RDQ <strong>for</strong> *RQD and OPT <strong>for</strong><br />
*OPT.<br />
Sample 1: tstauth_db1.inlist.<br />
{AUTHCHK=FILE;DB;EM=PKTESTDB4@nowhere.com;;RQD}<br />
Sample 2: tstauth_mb2.inlist.<br />
{AUTHCHK=ARCHIVE;MBRSET;pktestdb3.pfx;PKWARE;RQD}<br />
121
Sample 3: tstauth_mb3.inlist.<br />
{AUTHCHK=ALL;MBRSET;pktestdb3.pfx;PKWARE;RQD}<br />
AUTHPOL<br />
Authenticate Filters:<br />
Validate Level . . . . . *SYSTEM *VALIDATE, *WARN, *NONE...<br />
Validate Type . . . . . *ARCHIVE *ARCHIVE, *NONE<br />
Filters . . . . . . . . . *SYSTEM *SYSTEM, *ALL, *NONE...<br />
+ <strong>for</strong> more values<br />
Or<br />
AUTHPOL(*WARN *ARCHIVE (*SYSTEM) )<br />
AUTHPOL(*WARN *FILE (*NOTTRUSTED) )<br />
AUTHPOL(*SYSTEM *ALL (*ALL *NOTEXPIRED) )<br />
This parameter defines the processing options and filters that should apply if a<br />
signed file or signed archive is encountered.<br />
Validate Level (*VALIDATE |*WARN |*SYSTEM)<br />
The validate level specifies the type of authentication processing that should take<br />
place if a file or archive is encountered. The default is *SYSTEM and, unless it is<br />
modified, SecureZIP will use the enterprise setting from PKCFSEC.<br />
• *VALIDATE – Indicates that when authentication takes place and a failure<br />
occurs based on the filters, the run will be considered a failure and the<br />
message issued at the end will indicate one or more errors during the run.<br />
• *WARN - Indicates that when authentication place and a failure occurs, the<br />
failure is only considered a warning. The messages at the end of the run will<br />
not consider any failed authentications as errors.<br />
• *SYSTEM – Indicates the authentication processing that is set in the<br />
environmental setting will be used.<br />
Validate Type (*ARCHIVE |*NONE)<br />
The validate type specifies that archive authentication should take place if an archive<br />
has been signed. The default is *NONE and anything other than *NONE requires the<br />
Enhanced Encryption Feature..<br />
• *ARCHIVE - Indicates that only a signed archive will be authenticated.<br />
• *NONE - Indicates no authentication will take place even though a file or<br />
archive has been signed.<br />
Filters (*SYSTEM |*ALL |*NONE |*TAMPER |*TRUSTED |*EXPIRED |*REVOKED<br />
|*NOTAMPER |*NOTTRUSTED |*NOTEXPIRED |*NOTREVOKED )<br />
The authentication filter policies settings are defined in the enterprise security file<br />
supplied by the SecureZIP administrator (See PKCFGSEC). These global policy<br />
122
settings can be revised with sub-parameter values. The variables are cumulative<br />
from the global setting.<br />
• *SYSTEM – All filter policies are from the global settings.<br />
• *ALL - This sub-parameter activates all levels of authentication. If followed<br />
by negating sub-levels, then all but those negating levels are activated. For<br />
example: *ALL NOTEXPIRED means that expired certificates will not cause an<br />
authentication error, but TRUST and TAMPERCHECK must both be satisfied.<br />
• *NONE – Will negate all the policies.<br />
• *TAMPER – This sub-parameter signifies that a verification of the data<br />
stream should be done against the digital signature.<br />
• *TRUSTED – This sub-parameter signifies that the entire certificate authority<br />
chain must be validated. This includes locating the root (self-signed)<br />
certificate on the local system.<br />
• *EXPIRED – This sub-parameter signifies that certificate date range<br />
validation should be per<strong>for</strong>med on the certificates (including the certificate<br />
authority chain). Although the term “expired” is used, a certificate that has<br />
not yet reached its valid data range specification will fail.<br />
• *REVOKED - A certificate owner may request that the issuing certificate<br />
authority declare a certificate to be revoked and thereby no longer consider<br />
that certificate to be valid. The authentication operation will fail if any of the<br />
certificates in the trust chain are found to have been revoked, or if the<br />
revocation status could not be determined<br />
• *NOTAMPER – Negates the *TAMPER filter.<br />
• *NOTTRUSTED – Negates the *TRUSTED filter.<br />
• *NOTEXPIRED - Negates the *EXPIRED filter.<br />
• *NOTREVOKED – Negates the *REVOKED filter.<br />
COMPAT<br />
COMPAT(*NONE|*PK400)<br />
Specifies that PKZIP will create and store extended data field in<strong>for</strong>mation in another<br />
supported <strong>for</strong>mat or previous version. At this time, only “PKZIP Version 4.0 <strong>for</strong><br />
OS/400” is supported.<br />
The allowable values are:<br />
*NONE<br />
*PK400<br />
The extended data fields will be in SecureZIP <strong>for</strong><br />
<strong>iSeries</strong> Versions 5.0 and above <strong>for</strong>mats.<br />
The extended data fields will output to the archive in the<br />
<strong>for</strong>mat used by “PKZIP Version 4.0 <strong>for</strong> OS/400” product.<br />
This option should be used if the archive file will be<br />
extracted by “PKZIP Version 4.0 <strong>for</strong> OS/400” and the<br />
attributes are required to create the files. The files can<br />
be extracted without this option, but the files may have<br />
123
to be manually created in order to have the proper<br />
attributes (such as record length and text descriptions).<br />
COMPRESS<br />
COMPRESS(*FAST|*SUPERFAST|*MAX|*STORE|*TERSE)<br />
Specifies the compression method or level to be used during a run of PKZIP. This is<br />
used to specify the amount and speed of compression that is required <strong>for</strong> any<br />
updated files.<br />
The allowable values are:<br />
*FAST<br />
*SUPERFAST<br />
*MAX<br />
*NORMAL<br />
*STORE<br />
*TERSE<br />
This selection provides ample compression at a fast rate.<br />
This is the default selection. This will compress in the<br />
fastest time, but will compress the files by the least<br />
amount.<br />
This level provides the maximum compression possible,<br />
but will also take the longest in time to process.<br />
The normal compression level provides good<br />
compression amount at a reasonable speed.<br />
No compression. Store will also be used if the other<br />
methods tried result in a file larger than the original.<br />
This selection provides a terse compression algorithm<br />
provided with the <strong>iSeries</strong> by IBM as an API. This is<br />
much faster but is less efficient than FASTEST, and can<br />
only be decompressed on the <strong>iSeries</strong>. Do not use this<br />
option if you wish to unzip the archive on another<br />
plat<strong>for</strong>m.<br />
CRTLIST<br />
CRTLIST(*NONE| path/filename | *SIMULATE)<br />
Specifies that PKZIP will create an output file with a list of entries that would have<br />
been compressed based upon the selection criteria in the FILES and EXCLUDE<br />
parameters.<br />
See parameter TYPLISTFL <strong>for</strong> file system type.<br />
*NONE<br />
Default. No list file will be created.<br />
path/filename<br />
Enter the file path and name of the file to create. The<br />
layout depends on which file system you want to create<br />
the file in.<br />
Library File System: The <strong>for</strong>mat is "library/file(member)".<br />
Integrated File System (IFS):<br />
The <strong>for</strong>mat is "path1/path2/../pathn/filename".<br />
124
*SIMULATE<br />
Will simulate the file selection and show the selection as<br />
a printed or message list instead of writing to a list file.<br />
CVTDATA<br />
CVTDATA(External Program Conversion Extended Data)<br />
Specifies the extended data that is passed to the external program CVTNAME. When<br />
CVTFLAG is not *NONE, the contents of the parameter are passed to provide<br />
extended flexibility in controlling how the <strong>iSeries</strong> names are stored in the archive.<br />
See Appendix D <strong>for</strong> more details on the external program.<br />
External Program Conversion Extended Data<br />
Specify up to 255 bytes of unedited data which is passed<br />
to the exit program CVTNAME to assist in controlling the<br />
program logic.<br />
CVTFLAG<br />
CVTFLAG(*NONE| Conversion Flags)<br />
Specifies the flags passed to the external program CVTNAME. These are used to<br />
control how the <strong>iSeries</strong> names are stored in the archive. See Appendix D <strong>for</strong> more<br />
details on the external program.<br />
*NONE<br />
Conversion Flags<br />
Conversion exit is not active.<br />
Specify a five-byte flag that is passed to the exit<br />
program CVTNAME to control the program logic. If the<br />
name passed back is blank, then conversion is referred<br />
back to the setting of the CVTTYPE parameter.<br />
CVTTYPE<br />
CVTTYPE(*NONE|*DROP|*SUFFIX)<br />
Specifies how the <strong>iSeries</strong> library and file names are stored in the archive. Since the<br />
length of the library name, file name, and member name can each be up to 10<br />
characters, and MS/DOS <strong>for</strong>mat requires a maximum of 8 characters with an optional<br />
extension, this option allows name compatibility.<br />
The allowable values are:<br />
*SUFFIX This <strong>for</strong>ces any <strong>iSeries</strong> name with more than 8<br />
characters to create a name of 8 characters and a<br />
period(.), followed by characters 9 and 10 to be<br />
considered an extension to suffix.<br />
*NONE<br />
This leaves the <strong>iSeries</strong> name as the archive name.<br />
*DROP This <strong>for</strong>ces any <strong>iSeries</strong> name with more than 8<br />
characters, to drop characters 9 thru 19.<br />
125
DATEAB<br />
DATEAB(mmddyyyy)<br />
Used with DATETYPE parameter, DATEAB specifies the date to be used to compare<br />
with the files latest modification date <strong>for</strong> file selection. The <strong>for</strong>mat is mmddyyyy,<br />
where “mm” is a valid month (01-12), “dd” is valid day of the month, and “yyyy” is<br />
the four digits of the year (2001).<br />
DATETYPE<br />
DATETYPE(*NO|*BEFORE|*AFTER)<br />
Specifies if PKZIP should select files based upon a file modification date.<br />
The allowable values are:<br />
*NO<br />
*BEFORE<br />
*AFTER<br />
No date selection will take place.<br />
Files with a modification date be<strong>for</strong>e the date in<br />
DATETYPE will be selected.<br />
Files with a modification date on or after the date in<br />
DATETYPE will be selected.<br />
DBSERVICE<br />
DBSERVICE (*NO|*YES)<br />
Specifies if the <strong>iSeries</strong> special database extended file attributes describing the<br />
database file, fields and keys are to be store in the archives. This will <strong>for</strong>ce the<br />
option EXTRAFLD(*YES). The database will also be stored in binary mode. This mode<br />
can produce larger archive files.<br />
The allowable values are:<br />
*NO<br />
*YES<br />
Does not store database extended services attributes.<br />
Stores the database extended service attributes in the<br />
archive file and treat non-SAVF as a database.<br />
DFTARCHREC<br />
DFTARCHREC(132|Record Length)<br />
Specifies the record length to use when creating an archive file in the QSYS library<br />
system. If the TYPARCHFL parameter is *DB, and the archive file does not exist, the<br />
archive file will be created with the record length specified in this parameter.<br />
Note: A large record length will leave a high residual number if only one byte is use<br />
in the last record.<br />
The allowable values are:<br />
126
132 Default is record length of 132 to match previous<br />
versions.<br />
Record Length A decimal number from 50 to 32000.<br />
DELIM<br />
DELIM(CRLF |CR |LF |LFCR)<br />
When compressing a text file (not binary), the DELIM parameter specifies what<br />
characters are to be appended at the end of records to serve as delimiters. The<br />
delimiter is removed from the record when it is decompressed.<br />
The allowable values are:<br />
CRLF<br />
CR<br />
LF<br />
LFCR<br />
This is the default selection. Specifies <strong>for</strong> SecureZIP<br />
<strong>for</strong> <strong>iSeries</strong> to use the default delimiter CR-LF (x’0D0A’)<br />
at the end of each text record.<br />
Appends an ASCII carriage return (hex 0D).<br />
Appends an ASCII line feed character (hex 0A).<br />
Appends an ASCII line feed character (hex 0A0D).<br />
Note that transfers of MS-DOS records uses a CRLF <strong>for</strong> a delimiter,<br />
while UNIX records use a LF.<br />
DIRNAMES<br />
DIRNAMES(*YES|*NO)<br />
Specifies to store directories as an entry. This is valid only <strong>for</strong> files in IFS.<br />
*YES<br />
*NO<br />
Store the directories as entries in the archive.<br />
Do not store directories as an archive entry.<br />
DIRRECRS<br />
DIRRECRS(*NONE|*FULL|*NAMEONLY)<br />
IFS only. Specifies whether to search recursively through directories <strong>for</strong> file selection,<br />
or only search the current, specified directory.<br />
The allowable values are:<br />
*NONE<br />
*FULL<br />
Search only the current, specified directory.<br />
Search through all directories by starting with the<br />
current, specified directory <strong>for</strong> selected files. If *FULL is<br />
used, and * is <strong>for</strong> file selections, all files found in all<br />
directories below the current directory will be selected.<br />
127
*NAMEONLY<br />
To be considered a hit, the full path and file name must<br />
match the selection statements exactly.<br />
ENTPREC<br />
Encryption Recipients :<br />
LookUp Type . . . . . . . . *DB *DB, *LDAP, *FILE...<br />
Recipient . . . . . . . . . ______________________________________<br />
Password (If Private) . . . ______________________________________<br />
Required . . . . . . . . . . *RQD *RQD, *OPT<br />
+ <strong>for</strong> more values _<br />
Or<br />
ENTPREC((*MBRSET 'pkwareCertAdmin04.cer' () *RQD))<br />
ENTPREC((*FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))<br />
ENTPREC((*FILE '/pkzshare/CStores/public/pkwareCertAdmin04.pfx'<br />
(‘mypassword’) *RQD))<br />
ENTPREC((*DB ‘EM=bill.Somebody@pkware.com' () *RQD))<br />
ENTPREC((*LDAP ‘EM=bill.Somebody@pkware.com' () *RQD))<br />
ENTPREC((*INLIST 'ATEST/INLIST(ENGNEER1)' *N)<br />
The encryption/decryption recipient parameter defines one to many Recipients which<br />
is to be included <strong>for</strong> the ZIP and UNZIP process. This parameter allows 1-4 types of<br />
certificate searches to take place along with providing the ability <strong>for</strong> an include file<br />
that may contain the recipients.<br />
The specification of this recipient ENTPREC parameter, triggers encryption to take<br />
place during ZIP processing utilizing the found recipients along with any password<br />
that may be entered.<br />
There are four entries <strong>for</strong> the ENTPREC parameter (lookup type, recipient, password,<br />
and required).<br />
Lookup Type (*NONE |*DB |*LDAP |*FILE |*MBRSET |*SAME)<br />
The Lookup type would be the type of recipient search that will be used <strong>for</strong> the<br />
recipient string.<br />
• *DB - The recipient string is defined to search using the Certificate Locator<br />
Database to access the digital certificate.<br />
• *LDAP - The recipient string is defined to search using the LDAP server to<br />
access the digital certificate.<br />
• *FILE - The recipient string is defined to read a specific file in a specific path<br />
in the IFS in order to access the digital certificate.<br />
• *MBRSET - The recipient string is defined to read this specific file from the<br />
enterprise public certificate store to access the digital certificate.<br />
• *INLIST - The recipient string defines a specific file that will contain 1 to<br />
many recipients.<br />
Recipient (The recipient string name)<br />
The recipient string <strong>for</strong>mat depends on what was specified <strong>for</strong> the Lookup type.<br />
128
• If type is *DB: The recipient string will either be an email address or the<br />
common name of the certificate. This depends on the configuration setting in<br />
PKCFGSEC parameter CERTDB. To override the default selection mode, you<br />
can prefix the string with EM= <strong>for</strong> email address or CN= <strong>for</strong> the common<br />
name.<br />
For example:<br />
ENTPREC((*DB ‘bill.Somebody@pkware.com' () *RQD)<br />
(*DB ‘CN=bill Somebody' () *RQD)<br />
(*DB ‘EM=bill.Somebody@pkware.com' () *RQD))<br />
• If type is *LDAP: The recipient string will either be an email address or the<br />
common name of the certificate depending on the search mode configuration<br />
setting in PKCFGSEC parameter LDAP. To override the default selection mode,<br />
you can prefix the string with EM= <strong>for</strong> email address or CN= <strong>for</strong> the common<br />
name.<br />
For example:<br />
ENTPREC((*LDAP ‘bill.Somebody@pkware.com' () *RQD)<br />
(*LDAP ‘CN=bill Somebody' () *OPT)<br />
(*LDAP ‘EM=bill.Somebody@pkware.com' () *RQD))<br />
• If type is *FILE: The recipient string is defined to read a specific file in a<br />
specific path of the IFS. This file should be public-key X.509 file or privatekey<br />
X.509 certificate file.<br />
For example:<br />
ENTPREC((*FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))<br />
The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path<br />
‘/pkzshare/CStores/public’.<br />
• If type is *MBRSET: The recipient string is defined to read a specific file from<br />
public certificate store / private certificate store of the IFS. This file should be<br />
public-key X.509 file or private-key X.509 certificate file.<br />
For example:<br />
ENTPREC((*MBRSET 'pkwareCertAdmin04.cer' () *RQD))<br />
The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path of the<br />
public certificate store defined in the Enterprise Security Configuration public<br />
store(parameter CSPUB). If a password was included, the file would be searched <strong>for</strong><br />
in the Enterprise Security Configuration private store (parameter CSPRIV).<br />
• If the type is *INLIST: The recipient string defines a full file name of an input<br />
list file that contains records of ENTPREC shortcut parameters. The type of file<br />
will in the QSYS library file system if TYPLISTFL(*DB) is set and will be a path<br />
file name in the IFS if TYPLISTFL(*IFS) is set. The <strong>for</strong>mat of the ENTPREC<br />
shortcut parameters are define below in the *INLIST usage section.<br />
Password<br />
(Private Cert Password)<br />
The password is required only if the certificate that is being selected is a private<br />
certificate. This option should be omitted if a public certificate will be utilized.<br />
129
Required<br />
(*RQD|*OPT|*SAME)<br />
If *RQD, then this recipient must be found during the selection, and the certificate<br />
must be valid, or the ZIP/UNZIP run will fail.<br />
Usage Notes:<br />
The ZIP process only requires a X.509 public-key <strong>for</strong>mat certificate to encrypt files.<br />
The UNZIP process requires X.509 private-key <strong>for</strong>mat certificate file to decrypt files<br />
and this will the input of a password.<br />
For inlist that contains a password to open a private certificate, make sure that the<br />
security is sufficient to only allow the owner of the certificate to have read access.<br />
Otherwise this would leave a security hole where other users could browse the<br />
password.<br />
*INLIST Usage:<br />
If *INLIST is defined on the ENTPREC parameter, then the recipient field will be a file<br />
that SecureZIP will read to include recipients. The <strong>for</strong>mat is very similar to the<br />
ENTPREC parameter describe above except each line recipient starts with<br />
“{RECIPIENT=” and is terminated by the “}” character with the semi-colon “;” as a<br />
separator <strong>for</strong> each entry.<br />
{RECIPIENT=Lookup Type; Recipient; Password; Required}<br />
Lookup Type See Lookup Type in ENTREC excluding the INLIST<br />
Recipient<br />
Password<br />
Required<br />
*OPT.<br />
Examples:<br />
See Recipient in ENTREC.<br />
See Password in ENTREC.<br />
{RECIPIENT=MBRSETEM; mypassword;RQD}<br />
See Required in ENTREC, but use RDQ <strong>for</strong> *RQD and OPT <strong>for</strong><br />
Sample 1: tstpriv_db4.inlist.<br />
{RECIPIENT=DB;EM=PKTESTDB4@nowhere.com;PKWARE;RQD}<br />
Sample 2: tstpriv_mb3.inlist.<br />
{RECIPIENT=MBRSET;pktestdb3.pfx;PKWARE;RQD}<br />
Sample 3: tstpubl1.inlist.<br />
{RECIPIENT=MBRSET;pktestdb3.crt;;RQD}<br />
{RECIPIENT=MBRSET;pktestdb4.crt;;OPT}<br />
130
Sample 4: tstpubl2.inlist.<br />
{RECIPIENT=DB;EM=PKTESTDB3@nowhere.com;;RQD}<br />
{RECIPIENT=DB;CN=PKWARE Test4;;OPT}<br />
ENCRYPOL<br />
Encryption Filters:<br />
Validate Level . . . . . *SYSTEM *VALIDATE, *WARN, *NONE...<br />
Filters . . . . . . . . . *SYSTEM *SYSTEM, *ALL, *NONE...<br />
+ <strong>for</strong> more values<br />
Or<br />
ENCRYPOL(*WARN (*SYSTEM) )<br />
ENCRYPOL(*WARN (*ALL *NOTTRUSTED) )<br />
ENCRYPOL(*SYSTEM (*ALL *NOTEXPIRED) )<br />
This parameter defines the processing options and filters that should apply when the<br />
ENTPREC is used to encrypt files with certificate keys.<br />
Validate Level (*VALIDATE |*WARN |*SYSTEM)<br />
The validate level specifies the type of encryption certificate error processing that is<br />
used if certificates are specified in ENTPREC. If *SYSTEM is specified, the enterprise<br />
setting from PKCFSEC is used. If the enterprise setting is defined as lockdown, then<br />
this parameter cannot be revised and a warning will be issued if a change is<br />
detected.<br />
• *SYSTEM - Indicates the authentication processing that is set in the<br />
environmental setting will be used.<br />
• *VALIDATE – Indicates that when encryption with certificates (ENTPREC<br />
parm) takes place and a failure based on the filters occurs, the run will be<br />
considered a failure and the message issued at the end will indicate one or<br />
more errors during the run.<br />
• *WARN - Indicates that when encryption with certificates (ENTPREC parm)<br />
takes place and a failure based on the filters occurs, the failure is only<br />
considered a warning. The messages at the end of the run will not consider<br />
any failed filters <strong>for</strong> encryption certificates as errors.<br />
Filters (*SYSTEM |*ALL |*NONE |*TRUSTED |*EXPIRED |*REVOKED |*NOTTRUSTED<br />
|*NOTEXPIRED |*NOTREVOKED)<br />
The ENTPREC certificate filter policies settings are defined in the enterprise security<br />
file supplied by the SecureZIP administrator (see PKCFGSEC). These global policy<br />
settings can be revised with sub-parameter values, but if the enterprise setting is<br />
defined as lockdown, this parameter cannot be revised and a warning will be issued if<br />
a change is detected. The variables are cumulative from the global setting.<br />
• *SYSTEM – All filter policies are from the global settings.<br />
131
• *ALL - This sub-parameter activates all levels of authentication. If followed<br />
by negating sub-levels, then all but those negating levels are activated. For<br />
example: *ALL, NOTEXPIRED means that expired certificates will not cause an<br />
authentication error, but TRUST and REVOKE must both be satisfied.<br />
• *NONE – Will negate all the policies.<br />
• *TRUSTED – This sub-parameter signifies that the entire certificate authority<br />
chain must be validated. This includes locating the root (“self-signed”)<br />
certificate on the local system.<br />
• *EXPIRED – This sub-parameter signifies that certificate date range<br />
validation should be per<strong>for</strong>med on the certificates (including the certificate<br />
authority chain). Although the term “expired” is used, a certificate that has<br />
not yet reached its valid data range specification will fail.<br />
• *REVOKED - A certificate owner may request that the issuing certificate<br />
authority declare a certificate to be revoked and thereby no longer consider<br />
that certificate to be valid. The encryption certificate request will fail if any of<br />
the certificates in the trust chain are found to have been revoked or if the<br />
revocation status could not be determined.<br />
• *NOTTRUSTED – Negates the *TRUSTED filter.<br />
• *NOTEXPIRED - Negates the *EXPIRED filter.<br />
• *NOTREVOKED – Negates the *REVOKED filter.<br />
ERROPT<br />
ERROPT(*END|*SKIP)<br />
Specifies what action to take if an error occurs while processing (selecting or<br />
compressing) a spool file.<br />
The allowable values are:<br />
*END<br />
*SKIP<br />
The PKZIP will end without completing the compression<br />
of the file. The archive is not updated.<br />
The program will skip the file with the input error and<br />
continue to process all other files to completion.<br />
Message AQZ0022 will be issued at the end to indicate<br />
that an error occurred.<br />
EXCLFILE<br />
EXCLFILE(*NONE| path/filename)<br />
This parameter specifies the file containing the list of files to be excluded. This can<br />
be used with or without the EXCLUDE parameter. See parameter TYPLISTFL <strong>for</strong> file<br />
system type in<strong>for</strong>mation.<br />
*NONE<br />
No list file will be processed.<br />
132
path/filename<br />
Enter the file path and name of the file to process. The<br />
layout depends on which file system you want the file<br />
created.<br />
Library File System:<br />
The <strong>for</strong>mat is "library/file(member)".<br />
Integrated File System (IFS):<br />
The <strong>for</strong>mat is "path1/path2/../pathn/filename".<br />
EXCLUDE<br />
EXCLUDE(file_specification1, file_specification2,... file_specification n )<br />
Specifies the files and file specification patterns that will be excluded from the PKZIP<br />
run. One or more names can be specified. Each name should be in the OS/400 file<br />
system <strong>for</strong>mat, such as, QSYS is library/file(member) and IFS is directory/file, and<br />
can include wildcards “*” and “?.”<br />
Note: If TYPE(*VIEW) is being used, then the <strong>for</strong>mat <strong>for</strong> these names is the<br />
MS/DOS <strong>for</strong>mat.<br />
The PKZIP program can also exclude file specifications by using the list file<br />
parameter EXCLFILE with a list of names to exclude.<br />
Please refer to Chapter 5 <strong>for</strong> details of file specification <strong>for</strong>matting.<br />
The valid parameter values <strong>for</strong> the FILES keyword are as follows:<br />
'file_specification1'<br />
'file_specification2'<br />
'file_specification n'<br />
EXTRAFLD<br />
EXTRAFLD(*YES|*NO)<br />
Specifies if the basic SecureZIP <strong>for</strong> <strong>iSeries</strong> extended file attributes should be<br />
stored in the archive. Some basic file attributes are record size, library text<br />
description, file text description, etc.<br />
The allowable values are:<br />
*YES<br />
*NO<br />
*CENTRAL<br />
*LOCAL<br />
Store the basic normal <strong>iSeries</strong> file attributes. See<br />
Appendix K <strong>for</strong> more definitions. This is the default and<br />
will be the same as coding *BOTH.<br />
Do not store any extended attributes.<br />
Stores the basic normal <strong>iSeries</strong> file attributes in only the<br />
archive’s central directory. This will reduce the overall<br />
archive size by only storing the attributes in the Central.<br />
Stores the basic normal <strong>iSeries</strong> file attributes in only the<br />
archive’s local directory. Warning: PKUNZIP only<br />
133
*BOTH<br />
utilizes the central directory <strong>for</strong> extended data<br />
attributes.<br />
Stores the basic normal <strong>iSeries</strong> file attributes in both the<br />
archive’s central directory and local directory.<br />
Migration consideration: if the archive will be processed by an earlier<br />
release of PKZIP <strong>for</strong> OS/400 and the attributes are required, then<br />
*BOTH should be coded.<br />
FILES<br />
FILES(file_specification1, file_specification2,... file_specification n)<br />
Specifies the files and file specification patterns that will be selected in the PKZIP<br />
process. One or more names can be specified. Each name should be in the OS/400<br />
file system <strong>for</strong>mat, such as, QSYS is library/file(member) and IFS is directory/file,<br />
and can include wildcard “*” and “?.” For the IFS, the path and file name can up to<br />
256 characters and can contain embedded spaces.<br />
Note: If TYPE(*VIEW) or TYPE(*DELETE) is being used, then the <strong>for</strong>mat <strong>for</strong> these<br />
names is the MS/DOS <strong>for</strong>mat.<br />
The PKZIP program can also have file specifications selections to include by using the<br />
list file parameter INCLFILE with a list of names to select.<br />
Files may also be excluded. See the EXCLUDE parameter.<br />
Please refer to Chapter 5 <strong>for</strong> details of file specification <strong>for</strong>matting.<br />
The valid parameter values <strong>for</strong> the FILES keyword are as follows:<br />
'file_specification1'<br />
'file_specification2'...<br />
'file_specification n'<br />
FILESTEXT<br />
FILESTEXT(*NO|*ALL|*NEW|*UPDATE)<br />
Specifies if PKZIP allows the editing (and the type of editing per<strong>for</strong>med) of a file’s<br />
text comments that are stored in an archive.<br />
The allowable values are:<br />
*NO<br />
*ALL<br />
*NEW<br />
No comment editing (the default).<br />
Add comments or edit comments <strong>for</strong> all files in the<br />
archive.<br />
Add comments only <strong>for</strong> new files that are added to the<br />
archive.<br />
134
*UPDATE<br />
Add or edit the comments of files that are added,<br />
updated, or freshened in the archive. Only file<br />
comments of files that are affected by a change are<br />
eligible <strong>for</strong> editing.<br />
FILETYPE<br />
FILETYPE(*BINARY|*DETECT|*EBCDIC|*FIXTEXT|*TEXT)<br />
Specifies whether the files selected are treated as text or binary data. For text files<br />
added to an archive, trailing spaces in each line are removed, the text is converted<br />
to ASCII (based on the translation tables) by default, and a carriage return and line<br />
feed (CR/LF) are added to each line be<strong>for</strong>e the data is compressed into the archive.<br />
Binary files are not converted.<br />
The default is *DETECT; where PKZIP attempts to make a determination based on<br />
the nature of the data itself. The program will read in a portion of the data, evaluate<br />
it, and determine the appropriate process.<br />
Note: This will lower per<strong>for</strong>mance time. A message will display the type used when<br />
compressing.<br />
Use of text file option is usually faster because PKZIP has to process less data than<br />
with *BINARY, but more processing may also take place to per<strong>for</strong>m the translation.<br />
If the file is a SAVF or a database file (with DBSERVICE(*YES)), then the file will be<br />
processed as binary regardless of what option is specified.<br />
*BINARY<br />
*DETECT<br />
*EBCDIC<br />
*FIXTEXT<br />
*TEXT<br />
Specifies that the files selected are binary files and no<br />
translation should be per<strong>for</strong>med.<br />
The PKZIP program will try to determine the data type<br />
of text or binary.<br />
Specifies that the files selected are text files and leaves<br />
it in EBCDIC without per<strong>for</strong>ming any translation. This is<br />
good only if the files are to be used on an <strong>iSeries</strong> or<br />
IBM-type mainframe. If they will be unzipped to a PC<br />
file, then a translation from EBCDIC to ASCII is required.<br />
Specifies that the files selected are text files with a fixed<br />
record length based on the <strong>iSeries</strong> file’s record length<br />
and translation will be per<strong>for</strong>med using the translate<br />
tables specified in the TRAN option. This means the<br />
compressed file will contain records with trailing spaces<br />
followed by a CR and LF. This is only valid <strong>for</strong> QSYS<br />
library file types as files in the IFS do not contain a<br />
record length.<br />
Specifies that the files selected are text files and<br />
translation will be per<strong>for</strong>med using the translate tables<br />
specified in the TRAN option.<br />
135
FND<br />
FNE(*YES|*NO<br />
*YES|*NO<br />
File Name Encryption :<br />
Create FNE Archive . . . . . *NO *NO, *YES<br />
Overwrite In FNE . . . . . . *NO *NO, *YES<br />
FNE(*NO *NO)<br />
Specifies the activation and use of the file name encryption feature.<br />
The first option controls the creation of an archive with file name encryption.<br />
*NO<br />
*YES<br />
Do not create the new/updated archive as filenameencrypted<br />
archive.<br />
Create the new or updated archive into a filenameencrypted<br />
archive. If the archive exist, then the security<br />
features will be defined by the inputted FnE archive. If<br />
no archive exist, the new filename-encrypted archive will<br />
use the encryption method define with ADVCRYPT<br />
parameter and the PASSWORD and/or ENTPREC<br />
parameters.<br />
The second option controls the overwriting of a filename-encrypted input<br />
archive to remove the filename encryption. This option is used with the first<br />
option of *NO (do not create an filename-encrypted archive), and with an<br />
existing filename-encrypted archive is input <strong>for</strong> update. Coding this option to<br />
*NO indicates that you know that the input archive is filename-encrypted and<br />
you want overwrite it to produce an archive that is not filename-encrypted.<br />
*NO<br />
*YES<br />
Do not allow an existing filename-encrypted archive to<br />
be changed to a non-filename-encrypted archive.<br />
Allow an existing filename-encrypted archive to be<br />
changed to a non-filename-encrypted archive when<br />
archive is updated.<br />
FTRAN<br />
FTRAN(*INTERNAL| Member Name)<br />
Specifies the translation table <strong>for</strong> use in translating "file names, comments, and<br />
password" from the <strong>iSeries</strong> EBCDIC character set to the character set used in the<br />
archive file (normally ASCII character set). A default internal table is predefined. See<br />
Appendix F <strong>for</strong> additional in<strong>for</strong>mation.<br />
*INTERNAL<br />
Use the predefined internal table <strong>for</strong> translation. Using<br />
this is initially faster because PKZIP does not have to<br />
parse the override table.<br />
136
membername<br />
Specify the member name in the file PKZTABLES that<br />
will be parsed and used to translate "file names and<br />
comments" files to the archive character set. The<br />
member should have the exact <strong>for</strong>mat of member<br />
UKASCII in file PKZTABLES. See Appendix F <strong>for</strong><br />
in<strong>for</strong>mation on defining translation tables.<br />
GZIP<br />
GZIP(*YES|*NO)<br />
If this option is set to *YES, PKZIP will create a compressed archive in the GZIP<br />
<strong>for</strong>mat. The GZIP <strong>for</strong>mat only allows <strong>for</strong> one file or member per archive and all text<br />
data is stored in ISO 8859- 1 (LATIN- 1) character set. The GZIP <strong>for</strong>mat is very<br />
different from the SecureZIP <strong>for</strong> <strong>iSeries</strong> archive <strong>for</strong>mat, a program that can<br />
process PKZIP ® archives will not necessarily process a GZIP archive correctly. The<br />
GZIP archive created con<strong>for</strong>ms to the GZIP specifications RFC1951 and RFC1952.<br />
Do not use this option if the archive is to be unzipped on another plat<strong>for</strong>m where<br />
GZIP compatibility is not confirmed.<br />
The allowable values are:<br />
*YES<br />
The PKZIP program will create a compressed archive in<br />
the GZIP <strong>for</strong>mat.<br />
*NO The PKZIP program will create an archive in the PKZIP ®<br />
<strong>for</strong>mat. This is the default.<br />
IFSCDEPAGE<br />
IFSCDEPAGE(*NO| Code-Page)<br />
If this option is set to *NO, PKZIP will read IFS files using the code page that is<br />
registered <strong>for</strong> the file. Otherwise, PKZIP will read IFS files with the specified code<br />
page.<br />
This parameter also controls the spool file ASCII conversion <strong>for</strong> *TEST and *PDF<br />
documents. When *NO is specified <strong>for</strong> spool Files, the conversion will use code page<br />
819.<br />
The allowable values are:<br />
*NO<br />
Code-Page<br />
The PKZIP program will read IFS files with the code page<br />
registered <strong>for</strong> the file. If the file is a spool file, the code<br />
page 819 will be used. This is the default.<br />
The PKZIP program will read IFS files with the specified<br />
code page value. If the file is a spool file, it is the code<br />
page that a spool file will use <strong>for</strong> ASCII translation.<br />
137
INCLFILE<br />
INCLFILE(*NONE| path/filename)<br />
This parameter specifies the file containing the list of files to be selected <strong>for</strong><br />
inclusion. This can be used with or without the FILES parameter. See parameter<br />
TYPLISTFL <strong>for</strong> file system type in<strong>for</strong>mation.<br />
*NONE<br />
path/filename<br />
No Include list file will be processed. This is the default.<br />
Enter the file path and name of the file to process. The<br />
layout depends on which file system you want to create<br />
the file in.<br />
Library File System:<br />
The <strong>for</strong>mat is "library/file(member)".<br />
Integrated File System (IFS):<br />
The <strong>for</strong>mat is "path1/path2/../pathn/filename".<br />
MSGTYPE<br />
MSGTYPE(*PRINT|*SEND|*BOTH)<br />
Specifies where the display of messages and in<strong>for</strong>mation should be shown. The<br />
PKZIP program has the ability to send messages that appear on the log and/or the<br />
ability to print to stdout and stderr. If working interactively, stdout and stderr will<br />
show upon the dynamic screen. If submitted via batch, you can override them to<br />
print in an OUTQ or build a CL and save them to an outfile.<br />
*SEND<br />
*PRINT<br />
*BOTH<br />
Send the in<strong>for</strong>mation to the log with send message<br />
commands.<br />
Send the in<strong>for</strong>mation to stdout and stderr.<br />
Send the in<strong>for</strong>mation to the log with send message<br />
commands and also to stdout and stderr.<br />
PASSWORD<br />
PASSWORD(Archive Password)<br />
Specifies a password <strong>for</strong> files being added to an archive. This password may be up to<br />
64 characters in length and is case sensitive. All files selected <strong>for</strong> archiving will be<br />
encrypted using the specified password.<br />
Note: There is no way to extract the password used from the archive data. If the<br />
password is <strong>for</strong>gotten, the file will become inaccessible. If files in an archive need to<br />
have different passwords, PKZIP must be run <strong>for</strong> each password required.<br />
Since the password is entered in EBCDIC, the translation table referenced in the<br />
FTRAN parameter is used to translate it to ASCII. Care should be take when using<br />
the FTRAN override and when using a password. To use password-protected files, the<br />
same FTRAN override option is required.<br />
138
SELFXTRACT<br />
SELFXTRACT (*MAINTAIN| WINDOWS| UNIX| LINUX| *REMOVE)<br />
This licensed feature specifies the action to take concerning self extracting archives.<br />
The actions are to maintain the current archive as is, create the new archive with a<br />
self extracting preamble, or to remove the self extracting preamble if one exist in the<br />
archive.<br />
The self extracting programs are held as binary entities in the SecureZIP <strong>for</strong><br />
<strong>iSeries</strong> library in the file PKZIPSFX. The appropriate member is loaded and the<br />
executable data copied to the beginning of the archive as a preamble when<br />
requested.<br />
The resulting archive can still be processed by SecureZIP <strong>for</strong> <strong>iSeries</strong> as a normal<br />
ZIP archive.<br />
The allowable values are:<br />
MAINTAIN<br />
WINDOWS<br />
AIX<br />
HP_UNIX<br />
SUN_UNIX<br />
LINUXINTEL<br />
*REMOVE<br />
If the current archive contains a self extracting<br />
preamble, it will be maintained at the beginning of the<br />
updated archive.<br />
The Windows version of the self extracting preamble will<br />
be installed to archive. (Microsoft Windows 95 and later)<br />
The AIX version of the self extracting preamble will be<br />
installed to archive. (IBM AIX Version 4.0 and later)<br />
The HP UNIX version of the self extracting preamble will<br />
be installed to archive. (HP/UX Version 9.0 and later)<br />
The Sun UNIX version of the self extracting preamble<br />
will be installed to archive. (Sun Solaris 2.3 (SunOS 53)<br />
and later)<br />
The Linux version of the self extract preamble (if<br />
available) will be installed to archive. (LINUX Kernel 2.x<br />
<strong>for</strong> Intel Note:libc-5 must be installed on the target<br />
system.)<br />
If the current archive contains a self extracting<br />
preamble, it will be removed.<br />
SFUSER<br />
SFUSER (*CURRENT|*ALL |User Name List)<br />
Specifies the user names that created spool files that will be selected. This value is<br />
ignored if SFJOBNAM is coded.<br />
The allowable values are:<br />
*CURRENT<br />
Only files created by the user running this command are<br />
selected.<br />
139
*ALL<br />
User Name<br />
Files created by all users are selected.<br />
Specify up to 10 user names. Only files created by<br />
those users are selected.<br />
SFQUEUE<br />
SFQUEUE (*ALL |Name|*LIBS)<br />
Specifies the output queue that will be searched <strong>for</strong> the spool file selections. If no<br />
OUTQ library is specified, it will default to *LIBL.<br />
The allowable values are:<br />
*ALL<br />
OUTQ<br />
OUTQ Library<br />
*LIBS<br />
Files on any device-created or user-created output<br />
queue are selected.<br />
The OUTQ that will be searched.<br />
The library where the OUTQ resides. Defaults to *LIBL.<br />
*LIBS will search all OUTQ that exist in the specified<br />
OUTQ Library. If *LIBS is selected then the library<br />
cannot be blank, nor contain *LIBL nor *CURRENT.<br />
SFFORM<br />
SFFORM (*ALL | *STD| Form Type)<br />
Specifies the spool file <strong>for</strong>m type that is on the spool files that will be selected.<br />
The allowable values are:<br />
*ALL<br />
*STD<br />
Form Type<br />
Files <strong>for</strong> all <strong>for</strong>m types are selected.<br />
Only files that specify the standard <strong>for</strong>m type are<br />
selected.<br />
Only spool files with this specific <strong>for</strong>m type will be<br />
selected.<br />
SFUSRDTA<br />
SFUSRDTA (*ALL| User Data)<br />
The user data tag associated with the spool file to select.<br />
The allowable values are:<br />
*ALL<br />
User Data<br />
Files with any user data tag specified are selected.<br />
Only spool files with this specific user data tag will be<br />
selected.<br />
140
SFSTATUS<br />
SFSTATUS (*ALL |*READY|*HELD|*CLOSED|*SAVED|*PENDING|*DEFERRED)<br />
Specifies the statuses of the spool files to be selected. Up to four statuses can be<br />
selected <strong>for</strong> one run.<br />
The allowable values are:<br />
*ALL<br />
*READY<br />
*HELD<br />
*CLOSED<br />
*SAVED<br />
*PENDING<br />
*DEFERRED<br />
All spool file status will be considered <strong>for</strong> selection.<br />
Only spool files with a status of *READY will be selected.<br />
Only spool files with a status of *HELD will be selected.<br />
Only spool files with a status of *CLOSED will be<br />
selected.<br />
Only spool files with a status of *SAVED will be selected.<br />
Only spool files with a status of *PENDING will be<br />
selected.<br />
Only spool files with a status of *DEFERRED will be<br />
selected.<br />
SFJOBNAM<br />
SFJOBNAM(Blank|*|Spool File Jobname/User/Job Number)<br />
Specifies the job name, user name, and job number that will be used to select spool<br />
files. If anything other than blanks is in SFJOBNAM parameter, it will be used as the<br />
primary selection criteria. If any of the three fields (job name, user name, and job<br />
number) are specified, then all three fields must be entered and be valid.<br />
The allowable values are:<br />
Blank<br />
This is the default selection. This will cause all other<br />
selection criteria to be used <strong>for</strong> spool files.<br />
* The * will cause the current job-name/user-name/job<br />
number to be used to select spool files.<br />
Job-name<br />
User-Name<br />
Job-Number<br />
Specify the name of the job to be selected. If no job<br />
qualifier is given, all of the jobs currently in the system<br />
are searched <strong>for</strong> the simple job name.<br />
Specify the name that identifies the user profile under<br />
which the job is run.<br />
Specify the job number assigned by the system.<br />
SFTARGET<br />
SFTARGET (*SPLF|*TEXT|*PDF|*TEXT1|*TEXT2)<br />
Specifies the <strong>for</strong>mat of the file that will be stored in the archive.<br />
141
The allowable values are:<br />
*SPLF<br />
*TEXT<br />
*TEXT1<br />
*TEXT2<br />
*TEXTFC<br />
*PDF<br />
*PDFLETTER<br />
*PDFLEGAL<br />
This is the default selection. This will compress the<br />
spool file in a spool file <strong>for</strong>mat with all of the spool file<br />
attributes. This <strong>for</strong>mat is only valid on an AS/400. If<br />
the archive is extracted, it will take on the latest spool<br />
file settings, such as, job name, user, job number, spool<br />
file number, etc. The suffix <strong>for</strong> this selection is SPLF.<br />
Parameter SFTGFILE is required to be *GEN1 <strong>for</strong><br />
SFTARGET(*SPLF).<br />
The spool file will be saved in the archived as an ASCII<br />
text document. The suffix <strong>for</strong> this selection is .TXT.<br />
each new page will have a <strong>for</strong>m feed control character.<br />
The spool file will be saved in the archived as an ASCII<br />
text document. The suffix <strong>for</strong> this selection is .TXT.<br />
Each new page will have a carriage control and line feed<br />
control characters.<br />
The spool file will be saved in the archived as an ASCII<br />
text document. The suffix <strong>for</strong> this selection is .TXT.<br />
Each page will have a carriage control and line feed<br />
control characters <strong>for</strong> blanks lines to fill out a page with<br />
the number lines required by the spool file attribute.<br />
The spool file will be saved in the archive as an ASCII<br />
Text document. The suffix <strong>for</strong> this selection is .TXT.<br />
Each new page will have a <strong>for</strong>m feed control character.<br />
The spool file will be saved in the archived as a PDF text<br />
document. The suffix <strong>for</strong> this selection is .PDF. The size<br />
will be adjusted based upon the width and length of the<br />
spool file.<br />
The spool file will be saved in the archived as a PDF text<br />
document. The suffix <strong>for</strong> this selection is .PDF. The size<br />
will be adjusted based upon the width and length of the<br />
spool file.<br />
The spool file will be saved in the archived as a PDF text<br />
document. The suffix <strong>for</strong> this selection is .PDF. The size<br />
will be adjusted based upon the width and length of the<br />
spool file.<br />
SFTGFILE<br />
SFTGFILE (|*GEN1|*GEN2|*GEN1P|File Name)<br />
Specifies the how the file name will be stored in the archive.<br />
The allowable values are:<br />
*GEN1<br />
GEN1 is the default selection. This generates a very<br />
specific name using most of the spool file name<br />
attributes to <strong>for</strong>m the file name so that it will not be<br />
142
*GEN1P<br />
*GEN2<br />
File Name<br />
duplicated. *GEN1 is required if SFTRAGET is *SPLF.<br />
The name will be built as follows:<br />
“Job-Name/User-Name/#Job-Number/Spool-File-<br />
Name/Fspool-File-Number.Suffix”<br />
”MYJOB/BILLS#152681/INVOICE/F0021.SPLF”<br />
The suffix is dependent on the SFTARGET setting.<br />
*GEN1P generates the same file name as *GEN1 except<br />
instead of a '/' separator, *GEN1P will use a '.' as name<br />
separator.<br />
*GEN2 uses the spool file name and appends the spool<br />
file number followed by the suffix that is depended on<br />
the SFTARGET setting. Caution should be taken in that<br />
a duplicate file name in the archive could be created. An<br />
example of GEN2 is a spool file INVOICE with spool file<br />
number of 21 that will be converted to a text file will<br />
generate a file name of INVOICE21.TXT.<br />
This parameter should only be used when selecting one<br />
specific spool file where you want a specific file name.<br />
SPLFILE<br />
SPLFILE (*ALL| Spool File Name)<br />
Specifies the spool file name that will be selected. This parameter is used along with<br />
all the other spool file selection parameters to determine the spool files to select.<br />
The allowable values are:<br />
*ALL<br />
Spool File Name<br />
This is the default setting. *ALL indicates that spool file<br />
name is not important.<br />
A specific spool file name that will be searched <strong>for</strong> and<br />
selected.<br />
SPLNBR<br />
SPLFILE (*ALL|*LAST| Spool File Number)<br />
Specifies the number of the spool file from the job whose data records are to be<br />
selected. If *ALL is coded then all file numbers are considered. This parameter is<br />
only valid when the SFJOBNAM parameter or SPLFILE is used. This parameter is used<br />
along with all the other spool file selection parameters to determine the spool files to<br />
select.<br />
The allowable values are:<br />
*ALL<br />
*LAST<br />
This is the default setting. *ALL indicates that spool file<br />
number is not important.<br />
The spooled file with the highest number is used.<br />
143
Spool File Number A number 1-9999 to specify the number of the spooled<br />
file whose data records are to be selected.<br />
SIGNERS<br />
Signing Certificates :<br />
File/Archive . . . . . . . *FILE *FILE, *ARCHIVE, *ALL<br />
LookUp Type . . . . . . . . *DB *DB, *FILE, *MBRSET, *INLIST<br />
Signer . . . . . . . . . . . _____________________________________________<br />
Password (If Private) . . . _________________________________________<br />
Required . . . . . . . . . . *RQD *RQD, *OPT<br />
Or<br />
SIGNERS((*FILE *MBRSET 'pkwareCertAdmin04.pfx' (password) *RQD))<br />
SIGNERS((*FILE *FILE '/pkzshare/CStores/private/pkwareCertAdmin04.pfx' (password)<br />
*RQD))<br />
SIGNERS((*FILE *FILE '/pkzshare/CStores/private/pkwareCertAdmin04.pfx'<br />
(‘mypassword’) *RQD))<br />
SIGNERS((*FILE *DB ‘EM=bill.somebody@pkware.com' (password) *RQD))<br />
SIGNERS((*FILE *INLIST 'ATEST/INLIST(ENGNEER1)' *N)<br />
This parameter identifies the public key certificate with private key that is to be used<br />
to digitally sign files to be added to the archive and/or the archive directory. Multiple<br />
signing certificates may be applied to the files but only one signer is allowed to sign<br />
the archive directory. Signing an archive by signing its central directory enables<br />
people who receive the archive to confirm that the archive as a whole is not<br />
changed. By contrast, signing only individual files in an archive enables people to<br />
confirm that the particular signed files are unchanged but leaves open the possibility<br />
that the archive has had files added or removed.<br />
There are five options <strong>for</strong> SIGNERS.<br />
Signing Type File/Archive<br />
(*FILE |*ARCHIVE |*ALL)<br />
The File/Archive selection determines whether the files, archive or both are to be<br />
signed during the ZIP run. Only one signer can be specified <strong>for</strong> an archive. If the<br />
lookup type is *INLIST, then this option will be ignored and will pickup from the<br />
records in the inlist file.<br />
• *FILE – All new files being compressed in the run will be signed by this<br />
private key and a signature entry will be added to the archive.<br />
• *ARCHIVE – The archive directory will be signed by this private key and a<br />
signature entry will be added to the archive.<br />
• *ALL – Both *FILE and *ARCHIVE <strong>for</strong> the signer will be used.<br />
Lookup Type<br />
(*DB |*FILE |*MBRSET |*INLIST)<br />
The lookup type would be the type of signer search that will be used <strong>for</strong> the signer<br />
string to lookup the private key.<br />
• *DB - The signer string is defined to search using the Certificate Locator<br />
Database to access the digital certificate and private key.<br />
144
• *FILE - The signer string is defined to read a specific file in a specific path in<br />
the IFS in order to access the digital certificate and private key.<br />
• *MBRSET - The signer string is defined to read this specific file from the<br />
enterprise private certificate store to access the digital certificate and private<br />
key.<br />
• *INLIST- The signer string defines a specific file that will contain one to many<br />
signers. The TYPLISTFL parameter must specify the file type <strong>for</strong> the inlist.<br />
Signer<br />
(The signer string name)<br />
The signer string <strong>for</strong>mat depends on what was specified <strong>for</strong> the lookup type.<br />
• If lookup type is *DB, the signer string will either be an email address or the<br />
common name of the certificate. This depends on the configuration setting in<br />
PKCFGSEC parameter CERTDB. To override the default selection mode, you<br />
can prefix the string with EM= <strong>for</strong> email, or CN= <strong>for</strong> the common name.<br />
For example:<br />
SIGNERS((*FILE *DB ‘bill.somebody@pkware.com' (password) *RQD)<br />
(*ARCHIVE *DB ‘CN=bill somebody' (password) *RQD)<br />
(FILE *DB ‘EM=bill.somebody@pkware.com' (password) *OPT))<br />
• If lookup type is *FILE, the signer string is defined to read a specific file in a<br />
specific path of the IFS. This file should be public key X.509 with the private<br />
key X.509 certificate file.<br />
For example:<br />
SIGNERS((*ARCHIVE *FILE '/pkzshare/CStores/private/pkwareCertAdmin04.pfx' (password)<br />
*RQD))<br />
The digital certificate file with the private key ‘pkwareCertAdmin04.pfx’ will be<br />
in the full path '/pkzshare/CStores/private’.<br />
• If lookup type is *MBRSET, the signer string is defined to read a specific file<br />
from the public certificate store and/or the private certificate store of the IFS.<br />
This file should be public key X.509 with the private key X.509 certificate file.<br />
For example:<br />
SIGNERS((*ALL *MBRSET 'pkwareCertAdmin04.pfx' (password) *RQD))<br />
The digital certificate file ‘pkwareCertAdmin04.pfx’ will be in the full path of<br />
the private certificate store defined in the enterprise security configuration<br />
private store (parameter CSPRV). Since the password was included, the file<br />
will be searched <strong>for</strong> in the enterprise security configuration private store<br />
(parameter CSPRIV).<br />
• If lookup type is *INLIST the signer string defines a full file name of an input<br />
list file that contains records of SIGNERS shortcut parameters. The type of file<br />
will exist in the QSYS library file system if TYPLISTFL(*DB) is set and will be a<br />
path file name in the IFS if TYPLISTFL(*IFS) is set. The <strong>for</strong>mat of the<br />
SIGNERS shortcut parameters are defined below in the *INLIST usage<br />
section.<br />
145
Password<br />
This designates the password that is required <strong>for</strong> a private key (PKCS#12 file). When<br />
a value is specified, the target must be an X.509 PKCS#12 private key certificate.<br />
The PASSWORD value may contain blanks and is delimited by the closing right<br />
parenthesis ")" of the signing command.<br />
Required<br />
(*RQD|*OPT|*SAME)<br />
If *RQD then this signer MUST be found during the selection and the certificate<br />
MUST be a valid certificate with a private key or the run will fail.<br />
Usage Notes:<br />
A NULL file (binary file having zero bytes of data) will be signed. However, note that<br />
the digital signature is based on a fixed hash value.<br />
The entire data stream of each file is run through the hash algorithm be<strong>for</strong>e<br />
compression or encryption. However, file text data is translated be<strong>for</strong>e hashing so<br />
that the receiving system is able to hash the identical stream after<br />
decryption/decompression.<br />
The processor requirement <strong>for</strong> a file signature is directly related to the size of the<br />
file(s) being signed and/or authenticated (see SIGN_HASHALG). There<strong>for</strong>e, when<br />
processing costs are a consideration, the decision whether to use SIGNERS to sign<br />
large files should be based on the business case. Sometimes signers <strong>for</strong> the archive<br />
may be more appropriate. (The directory size is proportional to the number of files in<br />
the archive, not the physical size of the file data.)<br />
A separate signing operation is per<strong>for</strong>med <strong>for</strong> each supplied certificate, <strong>for</strong> each file.<br />
Processor and elapsed time will be impacted in proportion to the number of<br />
signatories and files selected.<br />
The number of file signatures that can be held <strong>for</strong> each file is constrained by a<br />
number of factors. These include EXTRAFLD(*YES) and DBSERVICE(*NO), the size of<br />
the signatures generated (based on the size of the certificate in<strong>for</strong>mation), the<br />
number of certificates in the authenticating certificate authority chain, the number of<br />
different certificate authorities used in association with the signing certificates, if<br />
FNE(*YES) is specified, and the number of recipients <strong>for</strong> certificate-based encryption<br />
of files. For planning purposes, typical ZIP operations will support up to 10 file<br />
signatories as a rule, although more or fewer may be achieved in practice.<br />
It is important that the password is entered in the correct case. Any variation in case<br />
or misspelling will result in a public key certificate access attempt (which will fail <strong>for</strong><br />
a private key PKCS#12 certificate). Please note that passwords will be masked out in<br />
all output displays.<br />
A local certificate store configuration is required to complete the processing of this<br />
command. Even when a direct FILE specification is made to locate the private key<br />
certificate, the CS and ROOT certificate store components must be accessible to<br />
complete the certificate signing chain within the archive. This in<strong>for</strong>mation is required<br />
to complete authentication processing on the target system when the local certificate<br />
store on that system does not contain the certificate authority chain required to<br />
validate TRUST (see PKCFGSEC).<br />
146
Processing will be terminated if none of the requested certificates can be accessed,<br />
regardless of the “R” required flag. If multiple requests are made and at least one<br />
signature is found, processing will continue normally.<br />
Signed files are tolerated by prior releases of PKZIP and SecureZIP <strong>for</strong> <strong>iSeries</strong> but<br />
are not processed <strong>for</strong> authentication.<br />
For inlist that contains a password to open a private certificate, make sure that the<br />
security is sufficient to only allow the owner of the certificate to have read access.<br />
Otherwise this would leave a security hole where others could browse the password.<br />
*INLIST Usage:<br />
If *INLIST is defined on the SIGNERS parameter, then the signer filed will be a file<br />
that SecureZIP will read to include the signer. The <strong>for</strong>mat is very similar to the<br />
SIGNERS parameter described above except each line signer starts with<br />
“{SIGNERS=” and is terminated by the “}” character with the semi-colon “;” as a<br />
separator <strong>for</strong> each entry.<br />
{SIGNERS=Signing Type, Lookup Type; Signer; Password; Required}<br />
Signing Type<br />
Lookup Type<br />
Signer<br />
Password<br />
Required<br />
Examples:<br />
See Signing Type in SIGNERS<br />
See Lookup Type in SIGNERS excluding the INLIST<br />
See Signer in SIGNERS.<br />
See Password in SIGNERS.<br />
See Required in SIGNERS, but use RDQ <strong>for</strong> *RQD and OPT <strong>for</strong><br />
*OPT.<br />
Sample 1: tstsign_db1.inlist.<br />
{SIGNERS=File;DB;EM=PKTESTDB4@nowhere.com;PKWARE;RQD}<br />
Sample 2: tstsign_mb2.inlist.<br />
{SIGNERS=ARCHIVE;MBRSET;pktestdb3.pfx;PKWARE;RQD}<br />
SIGNPOL<br />
Signing Filters:<br />
Validate Level . . . . . *SYSTEM *VALIDATE, *WARN, *NONE...<br />
Filters . . . . . . . . . *SYSTEM *SYSTEM, *ALL, *NONE...<br />
+ <strong>for</strong> more values<br />
Or<br />
SIGNPOL(*WARN (*SYSTEM) )<br />
SIGNPOL(*WARN (*ALL *NOTTRUSTED) )<br />
SIGNPOL(*SYSTEM (*ALL *NOTEXPIRED) )<br />
147
This parameter defines the processing options and filters that should take place if the<br />
SIGNERS parameter is used to define the file or archive signing certificates.<br />
Validate Level (*VALIDATE |*WARN |*SYSTEM)<br />
The validate level specifies the type of signing processing that should take place if<br />
the signer requests encounter an error. If *SYSTEM is specified, the enterprise<br />
setting from PKCFSEC is used. If the enterprise setting is defined as Lockdown, then<br />
this parameter cannot be revised and a warning will be issued if a change is<br />
detected.<br />
• *SYSTEM - Indicates the authentication processing that is set in the<br />
environmental setting will be used.<br />
• *VALIDATE - Indicates that when authentication takes place and a failure<br />
occurs based on the filters, the run will be considered a failure, and the<br />
message issued at the end will indicate one or more errors during the run.<br />
• *WARN - Indicates that when authentication takes place and a failure occurs,<br />
the failure is only considered a warning. The messages at the end of the run<br />
will not consider any failed filters <strong>for</strong> signer certificates as errors.<br />
Filters (*SYSTEM |*ALL |*NONE |*TRUSTED |*EXPIRED |*REVOKED |*NOTTRUSTED<br />
|*NOTEXPIRED |*NOTREVOKED)<br />
The signing filter policies settings are defined in the enterprise security file supplied<br />
by the SecureZIP administrator (see PKCFGSEC). These global policy settings can be<br />
revised with sub-parameter values, but if the enterprise setting is defined as<br />
lockdown, this parameter cannot be revised and a warning will be issued if a change<br />
is detected. The variables are cumulative from the global setting. The setting of<br />
these filters defines what certificates are acceptable <strong>for</strong> signing.<br />
• *SYSTEM - All filter policies are from the global settings.<br />
• *ALL - This sub-parameter activates all levels of authentication. If followed<br />
by negating sub-levels, then all but those negating levels are activated. For<br />
example: *ALL, NOTEXPIRED means that expired certificates will not cause an<br />
authentication error, but TRUST and REVOKE must both be satisfied.<br />
• *NONE - Will negate all the policies.<br />
• *TRUSTED - Each end-entity certificate used in the signature must be traced<br />
back to a trusted root certificate. The CACA and CSROOT stores on the local<br />
system per<strong>for</strong>ming the authentication check will be accessed to determine if<br />
the entire certificate chain can be trusted. Although the root (“self-signed”)<br />
certificate may be included within the archive, it MUST also exist in the<br />
CSROOT store to complete the TRUSTED state.<br />
• *EXPIRED - The digital certificates used to originally per<strong>for</strong>m the signing<br />
operation contain internal date ranges of validity. The signer operation will fail<br />
if any of the certificates in the trust chain are not found to be within their<br />
stated data range. Note that an end-entity certificate may have expired at the<br />
time that the archive is being accessed, and NOTEXPIRED may be used to<br />
continue processing.<br />
• *REVOKED - A certificate owner may request that the issuing certificate<br />
authority declare a certificate to be revoked and thereby no longer consider<br />
that certificate to be valid. The signer operation will fail if any of the<br />
148
certificates in the trust chain are found to have been revoked or if the<br />
revocation status could not be determined.<br />
• *NOTTRUSTED - Negates the *TRUSTED filter.<br />
• *NOTEXPIRED - Negates the *EXPIRED filter.<br />
• *NOTREVOKED - Negates the *REVOKED filter.<br />
STOREPATH<br />
STOREPATH(*NO|*YES)<br />
Specifies whether to store the full path and file name in the archive, or to just save<br />
the file name. If the file is an IFS file type, the path is all directories, from the<br />
current directory, to the directory of the file. In the library system, the path is the<br />
library and the file name. The member name is considered to be the archive name.<br />
The allowable values are:<br />
*YES<br />
*NO<br />
Store all paths and the filename in the PKZIP archive.<br />
Store only the filename in the PKZIP archive.<br />
TMPPATH<br />
TMPPATH(*CURRENT| pathname)<br />
Specifies a directory or library/file in which to build the temporary archive file. While<br />
PKZIP is compressing data into an archive, a temporary archive file name is used.<br />
The temporary file name is a 10-character name with a prefix of “PZ” followed by a<br />
time stamp (PZtttttttt). If this option is *CURRENT, the temporary file is built in the<br />
same directory (<strong>for</strong> library file systems it is same library/file with temporary<br />
member) in which the new archive will be stored and is then renamed at the end of<br />
the run to the archive name. If an override path is specified, the temporary archive<br />
file is built into that specified path, and the file is then copied to its final archive path<br />
at the end of the run. The temporary file name and path type will be the same as<br />
specified <strong>for</strong> ARCHIVE. See parameter TYPARCHFL <strong>for</strong> file system type in<strong>for</strong>mation.<br />
Special libraries (such as QTEMP) are used frequently.<br />
*CURRENT<br />
pathname<br />
NOTE 1:<br />
Specifies that the current archive path will be used (see<br />
ARCHIVE) to build the temporary archive file<br />
PZxxxxxxxx.<br />
Specifies a path name (if using IFS such as<br />
/PKZIP/tempdir) or a library/file (if using the library<br />
system).<br />
When using the QSYS library file system and specifying<br />
“qtemp” as the TMPPATH, a dynamic file name and<br />
member name is created in the library qtemp. At the<br />
end of the run, the file and member are removed. If<br />
any other combination of names is used, then a dynamic<br />
member name is created and only the member is<br />
removed.<br />
149
NOTE 2:<br />
When using the QSYS library file system and specifying<br />
a TMPPATH, there may be a slight per<strong>for</strong>mance<br />
degradation because the archive file will have to be<br />
copied from one library/file to another library/file.<br />
Otherwise, if *CURRENT is used, the file member name<br />
will only be renamed.<br />
TRAN<br />
TRAN(*INTERNAL| Member Name)<br />
Specifies the translation table <strong>for</strong> use with translating data from the <strong>iSeries</strong> EBCDIC<br />
character set to the character set used in the archive file (normally the ASCII<br />
character set). A default internal table is predefined (see Appendix F).<br />
*INTERNAL<br />
Member Name<br />
Use the predefined internal table <strong>for</strong> translation. Using<br />
this is initially faster because PKZIP does not have to<br />
parse the override table.<br />
Specifies the member name in the file PKZTABLES that<br />
will be parsed and used to translate data files to the<br />
archive character set. The member should have the<br />
exact <strong>for</strong>mat of member UKASCII in file PKZTABLES (see<br />
Appendix F <strong>for</strong> in<strong>for</strong>mation on defining translation<br />
tables).<br />
TYPARCHFL<br />
TYPARCHFL(*DB|*IFS)<br />
Specifies the type of file system in which the archive file will exist (see parameters<br />
ARCHIVE and TMPPATH <strong>for</strong> additional in<strong>for</strong>mation).<br />
*DB<br />
*IFS<br />
Archive files are to be in the QSYS library file system.<br />
Archive files are to be in the integrated files system<br />
(IFS).<br />
TYPFL2ZP<br />
TYPFL2ZP(*DB|*IFS)<br />
Specifies the type of file system that contains files to be zipped. Reflected <strong>for</strong> files in<br />
parameters FILES and EXCLUDE.<br />
*DB<br />
*IFS<br />
*IFS2<br />
Files to be zipped are in the QSYS library file system.<br />
Files to be zipped are in the IFS (integrated files system)<br />
- Case sensitive selection.<br />
Files to be zipped are in the IFS (integrated files system)<br />
– Non-case-sensitive selection.<br />
150
*DBA<br />
*SPL<br />
Files to be compressed are database files in the QSYS<br />
library file system with database mode<br />
"DBSERVICE(*YES)", and the records are to processed<br />
in arrival sequence. This is only pertinent <strong>for</strong> database<br />
files containing keys and when it is important to retain<br />
the arrival sequence of the data.<br />
Files to be zipped are spool files.<br />
TYPLISTFL<br />
TYPLISTFL(*DB|*IFS)<br />
Specifies the “type of files system” that will be used <strong>for</strong> the input list file and/or the<br />
output list file of selected items.<br />
To use input list files, see parameters INCLFILE (file section list) or EXCLFILE (file<br />
exclude list). To create an output list file of the selected file items, see parameter<br />
CRTLIST.<br />
*DB<br />
*IFS<br />
Files are in the QSYS library file system.<br />
Files are in the IFS(integrated files system).<br />
VERBOSE<br />
VERBOSE(*NORMAL|*NONE| *ALL|*MAX )<br />
Specifies how the detail will be displayed during a PKZIP run.<br />
The allowable values are:<br />
*NORMAL<br />
*NONE<br />
*ALL<br />
*MAX<br />
Displays most in<strong>for</strong>mative message to show PKZIP is<br />
processing.<br />
Displays only major exception in<strong>for</strong>mation.<br />
Displays all messages.<br />
Used only <strong>for</strong> debugging purposes.<br />
VPASSWORD<br />
VPASSWORD(Archive Verify Password)<br />
Specifies a verification password against the entered password since the PASSWORD<br />
is not visible. This parameter is required <strong>for</strong> all encryption methods except ZIPSTD.<br />
VPASSWORD follows all the rules of PASSWORD and must match exactly to the<br />
archive password entered in PASSWORD parameter or the run will be terminated.<br />
151
12 PKUNZIP Command<br />
PKUNZIP Command Summary with Parameter Keyword Format<br />
If the OS/400 command prompt screen is to be used, the command <strong>for</strong>mat is simply:<br />
PKUNZIP.<br />
The command prompt screen is displayed when ENTER or PF4 is pressed. The<br />
parameter keywords are displayed on this screen together with the available<br />
keyword options. The required options can be selected be<strong>for</strong>e PF4 is pressed to<br />
accept the selections. If the command and parameter keywords are entered together<br />
on the command line, the required <strong>for</strong>mat is:<br />
PKUNZIP keyword1(option) keyword2(option) . . . keywordn(option)<br />
Keywords are delimited by spaces. The keyword “ARCHIVE” is the only positional<br />
keyword where the keyword itself is not required. Whenever the word “path” is used,<br />
its meaning depends on the file system that is being used. If IFS is used, path refers<br />
to the openness true path type. If the library systems or *DB is used, path means<br />
library/file, and then the file name refers to the member name.<br />
152
TYPE( *VIEW )<br />
(*EXTRACT}<br />
{*NEWER}<br />
{*TEST}<br />
ARCHIVE( Archive Zip File name with path )<br />
AUTHCHK( Authenticators )<br />
Authenticate Type<br />
{*FILE}<br />
{*ARCHIVE}<br />
{*ALL}<br />
Lookup Type {*DB }<br />
{*LDAP}<br />
{*FILE}<br />
{*MBRSET}<br />
{*INLIST}<br />
Recipient<br />
Password (if Private)<br />
Required {*RQD }<br />
{*OPT}<br />
{Recipient String}<br />
{Certificate password}<br />
AUTHPOL ( Authenticate Filters: )<br />
Validate Level {*SYSTEM }<br />
{*WARN }<br />
{*VALIDATE}<br />
Validate Type {*NONE }<br />
{*ALL }<br />
{*ARCHIVE}<br />
{*FILE}<br />
Filters {*SYSTEM }<br />
{*ALL}<br />
{*NONE}<br />
{*TAMPER}<br />
{*TRUSTED}<br />
{*EXPIRED}<br />
{*REVOKED}<br />
{*NOTAMPER}<br />
{*NOTTRUSTED}<br />
{*NOTEXPIRED}<br />
{*NOTREVOKED}<br />
CRTLIST( {*NONE} )<br />
path/filename<br />
CVTDATA(<br />
External Pgm Conversion Extended Data)<br />
CVTFLAG( {*NONE} )<br />
External Pgm Conversion Flags<br />
CVTTYPE( {*NONE} )<br />
{*DROP}<br />
{*SUFFIX}<br />
DFTDBRECLN( {132} )<br />
{decimal number}<br />
DROPPATH( {*NONE} )<br />
{*ALL}<br />
{*LIB}<br />
ENTPREC( Decryption Recipients )<br />
Lookup Type {*DB }<br />
{*LDAP}<br />
{*FILE}<br />
153
{*MBRSET}<br />
{*INLIST}<br />
Recipient<br />
{Recipient String}<br />
Password (if Private) {Certificate password}<br />
Required {*RQD }<br />
{*OPT}<br />
EXCLFILE( {*NONE} )<br />
path/filename<br />
EXCLUDE( file_specification1, )<br />
file_specification2,<br />
file_specificationn<br />
EXDIR( {*CURRENT} )<br />
path<br />
FILES( file_specification1, )<br />
file_specification2,<br />
file_specificationn<br />
FILETYPE( {*TEXT} )<br />
{*BINARY}<br />
{*EBCDIC}<br />
{*DETECT}<br />
FTRAN( {*INTERNAL} )<br />
Member Name<br />
IFSCDEPAGE( {*NO} )<br />
Code-page<br />
INCLFILE( {*NONE} )<br />
path/filename<br />
MSGTYPE( {*PRINT} )<br />
{*SEND}<br />
{*BOTH}<br />
OVERWRITE( {*NO} )<br />
{*YES}<br />
{*PROMPT}<br />
PASSWORD( Archive Password )<br />
SFQUEUE ( {*DFT} )<br />
{Library/Outq }SPLUSRID (<br />
SPLUSRID {*DFT} )<br />
{User ID }<br />
TRAN( {*INTERNAL} )<br />
Member Name<br />
TYPARCHFL( {*DB} )<br />
{*IFS}<br />
TYPFL2ZP( {*DB} )<br />
{*IFS}<br />
TYPLISTFL( {*DB} )<br />
{*IFS}<br />
VERBOSE( {*NORMAL} )<br />
{*NONE}<br />
154
{*ALL}<br />
{*MAX}<br />
VIEWOPT( {*NORMAL} )<br />
{*DETAIL}<br />
{*BRIEF}<br />
{*COMMENT }<br />
{*FNE}<br />
{*FNEALL}<br />
VIEWSORT( {*ASIS} )<br />
{*DATE}<br />
{*DATER}<br />
{*NAME}<br />
{*NAMER}<br />
{*PERCENT}<br />
{*PERCENTR}<br />
{*SIZE}<br />
{*SIZER}<br />
155
PKUNZIP Command Keyword Details<br />
TYPE<br />
TYPE(*EXTRACT|*NEWER|*TEST |*VIEW)<br />
The TYPE keyword specifies the type of action PKUNZIP should per<strong>for</strong>m on the ZIP<br />
archive.<br />
The possible actions are:<br />
*VIEW<br />
*EXTRACT<br />
*NEWER<br />
*TEST<br />
Display output in<strong>for</strong>mation about all files or selected files<br />
contained in an archive. This option is per<strong>for</strong>med using<br />
PKUNZIP. The sequence (see *VIEWSORT) and type of<br />
list (*VIEWOPT) determines what in<strong>for</strong>mation is<br />
displayed.<br />
Extracts files from the archive (please refer to the<br />
DROPPATH, CVTTYPE, TO, and EXDIR parameters <strong>for</strong><br />
controlling the conversion of file names extracted from<br />
the archive).<br />
Extracts files in the archive that have a more recent<br />
date and time than the corresponding file on disk. If the<br />
files do not exist on disk, they will be extracted as<br />
newer. All other files will be skipped.<br />
Tests the integrity of files in the archive by extracting<br />
files without writing the data. As each file is extracted,<br />
a CRC is calculated. At the end of the file the calculated<br />
CRC is compared against the stored CRC in the archive<br />
file header to confirm that the data has not been<br />
corrupted.<br />
ARCHIVE<br />
ARCHIVE(Archive Zip File name with path)<br />
Specifies the path/file name or the library/file name of the PKUNZIP archive to be<br />
processed.<br />
This is a required parameter.<br />
The <strong>for</strong>mat depends on whether you will be using the archive file in the library file<br />
system or the IFS.<br />
See parameter TYPARCHFL <strong>for</strong> file system type in<strong>for</strong>mation.<br />
Library File System: Format is library/file(member). If member is<br />
omitted, it will use the file name <strong>for</strong> the member.<br />
156
Integrated File System (IFS): Open system path followed by the archive<br />
file name. The path and file name can up to 256<br />
characters and may contain embedded spaces.<br />
AUTHCHK<br />
Authenticator Certificates:<br />
File/Archive . . . . . . . *FILE *FILE, *ARCHIVE, *ALL<br />
LookUp Type . . . . . . . . *DB *DB, *LDAP, *FILE, *MBRSET...<br />
Authenticator . . . . . . . ______________________________<br />
Password (If Private) . . . ______________________________<br />
Required . . . . . . . . . . *RQD *RQD, *OPT<br />
+ <strong>for</strong> more values _<br />
Or<br />
AUTHCHK((*FILE *MBRSET 'pkwareCertAdmin04.pfx' (password) *RQD))<br />
AUTHCHK((*ALL *FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))<br />
AUTHCHK((*ARCHIVE *FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))<br />
AUTHCHK((*FILE *DB ‘EM=bill.somebody@pkware.com' () *OPT))<br />
AUTHCHK((*FILE *INLIST 'ATEST/INLIST(ENGNEER1)' *N)<br />
This parameter specifies that digital signature authentication processing should be<br />
per<strong>for</strong>med <strong>for</strong> specific signers. Separate authentication processing may be specified<br />
<strong>for</strong> either the archive central directory or files by using multiple commands.<br />
Optionally, specific signers may be specified to authenticate against. This parameter<br />
is used in conjunction with the AUTHPOL parameters and its settings.<br />
It is possible that more than one certificate may be returned <strong>for</strong> a single common<br />
name or email search. As a result, each one will be added to the list of validating<br />
sources.<br />
When no specific certificates are requested, any signatories found in the archive are<br />
validated in accordance with the systems or current AUTHPOL Filters policy settings.<br />
There are five options <strong>for</strong> AUTHCHK.<br />
Authenticator Type File/Archive<br />
(*FILE |*ARCHIVE |*ALL)<br />
This designates the type of authentication that is to be per<strong>for</strong>med. Either ARCHIVE,<br />
FILE or ALL may be specified on each item, but by using ALL or archive with the<br />
*RQD option will result in error since the archive can only have one signatory. If the<br />
lookup type is *INLIST, then this option will be ignored and will pickup from the<br />
records in the inlist file.<br />
• *FILE – The signed files will be authenticated with this authenticator.<br />
• *ARCHIVE - The archive directory will be authenticated with this<br />
authenticator.<br />
• *ALL – Both the signed files and the archive directory will be authenticated<br />
with this authenticator.<br />
Lookup Type<br />
(*DB |*FILE |*LDAP |*MBRSET |*INLIST)<br />
The lookup type would be the type of authenticator search to be used <strong>for</strong> the<br />
authenticator string to look up the public key.<br />
157
• *DB - The authenticator string is defined to search using the certificate<br />
locator database to access the digital certificate.<br />
• *FILE - The authenticator string is defined to read a specific file in a specific<br />
path in the IFS in order to access the digital certificate.<br />
• *LDAP - The recipient string is defined to search using the LDAP server to<br />
access the digital certificate.<br />
• *MBRSET - The authenticator string is defined to read this specific file from<br />
the enterprise public certificate store to access the digital certificate.<br />
• *INLIST- The authenticator string defines a specific file that will contain one<br />
to many AUTHCHK. The TYPLISTFL parameter must specify the file type <strong>for</strong><br />
the inlist.<br />
Authenticator<br />
(The authenticator string name)<br />
The authenticator string <strong>for</strong>mat depends on what was specified <strong>for</strong> the lookup type.<br />
• If lookup type is *DB, the authenticator string will either be an email address<br />
or the common name of the certificate. This depends on the configuration<br />
setting in PKCFGSEC parameter CERTDB. To override the default selection<br />
mode, you can prefix the string with EM= <strong>for</strong> email, or CN= <strong>for</strong> the common<br />
name.<br />
For example:<br />
AUTHCHK((*FILE *DB ‘bill.somebody@pkware.com' () *RQD)<br />
(*ARCHIVE *DB ‘CN=bill somebody' () *RQD)<br />
(FILE *DB ‘EM=bill.somebody@pkware.com' (password) *OPT))<br />
• If lookup type is *FILE, the authenticator string is defined to read a specific<br />
file in a specific path of the IFS. This file should be a public key X.509 file or<br />
public key X.509 certificate with a private key file.<br />
For example:<br />
AUTHCHK((*ARCHIVE *FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' ()<br />
*RQD))<br />
The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path<br />
'/pkzshare/CStores/public’.<br />
• If type is *LDAP, the authenticator string will either be an email address or<br />
the common name of the certificate depending on the search mode<br />
configuration setting in PKCFGSEC parameter LDAP. To override the default<br />
selection mode, you can prefix the string with EM= <strong>for</strong> email address, or CN=<br />
<strong>for</strong> the common name.<br />
For example:<br />
AUTHCHK ((*ARCHIVE *LDAP ‘bill.somebody@pkware.com' () *RQD)<br />
(*FILE *LDAP ‘CN=bill somebody' () *OPT)<br />
(*FILE *LDAP ‘EM=bill.somebody@pkware.com' () *RQD))<br />
• If lookup type is *MBRSET, the authenticator string is defined to read a<br />
specific file from the public certificate store and/or the private certificate store<br />
of the IFS. This file should be a public key X.509 file or public key X.509<br />
certificate with a private key file.<br />
158
For example:<br />
AUTHCHK((*ALL *MBRSET 'pkwareCertAdmin04.cer' () *RQD))<br />
The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path of<br />
the public certificate store defined in the enterprise security configuration<br />
public store (parameter CSPUB). If a password is included, the file is searched<br />
<strong>for</strong> in the enterprise security configuration private store (parameter CSPRIV).<br />
• If lookup type is *INLIST, the authenticator string defines a full file name of<br />
an input list file that contains records of AUTHCHK shortcut parameters. The<br />
type of file will exist in the QSYS library file system if TYPLISTFL(*DB) is set<br />
and will be a path file name in the IFS if TYPLISTFL(*IFS) is set. The <strong>for</strong>mat<br />
of the AUTHCHK shortcut parameters are defined below in the *INLIST usage<br />
section.<br />
Password<br />
This designates the password that is required <strong>for</strong> a private key certificate with a<br />
private key (PKCS#12 file). When a value is specified, the target must be an X.509<br />
PKCS#12 public key certificate with the private key.<br />
The PASSWORD value may contain blanks and is delimited by the closing right<br />
parenthesis ")" of the signing command.<br />
Required<br />
(*RQD|*OPT|*SAME)<br />
If *RQD, then this authenticator must be found during the selection, and the<br />
certificate must be a valid certificate with a private key, or the ZIP/UNZIP run will<br />
fail.<br />
Usage Notes:<br />
Passwords are masked out in all output displays.<br />
A local certificate store configuration is required to complete the TRUST processing of<br />
this command.<br />
Processing is terminated if none of the requested certificates can be accessed,<br />
regardless of the “R” required flag. If multiple requests are made and at least one<br />
signature is found, processing continues normally.<br />
For inlist that contains a password to open a private certificate, make sure that the<br />
security is sufficient to only allow the owner of the certificate to have read access.<br />
Otherwise this would leave a security hole where other users could browse the<br />
password.<br />
*INLIST Usage:<br />
If *INLIST is defined on the AUTHCHK parameter, then the authenticator filed will be<br />
a file that SecureZIP will read to include the authenticator. The <strong>for</strong>mat is very similar<br />
to the AUTHCHK parameter described above except that each line authenticator<br />
starts with “{AUTHCHK=” and is terminated by the “}” character, with the semicolon<br />
“;” as a separator <strong>for</strong> each entry.<br />
{AUTHCHK=Authenticator Type, Lookup Type; Authenticator; Password; Required}<br />
159
Authenticator Type<br />
Lookup Type<br />
Authenticator<br />
Password<br />
Required<br />
Examples:<br />
See Authenticator Type in AUTHCHK<br />
See Lookup Type in AUTHCHK excluding the INLIST<br />
See Authenticator in AUTHCHK.<br />
See Password in AUTHCHK.<br />
See Required in AUTHCHK, but use RDQ <strong>for</strong> *RQD and OPT <strong>for</strong><br />
*OPT.<br />
Sample 1: tstauth_db1.inlist.<br />
{AUTHCHK=FILE;DB;EM=PKTESTDB4@nowhere.com;;RQD}<br />
Sample 2: tstauth_mb2.inlist.<br />
{AUTHCHK=ARCHIVE;MBRSET;pktestdb3.pfx;PKWARE;RQD}<br />
Sample 3: tstauth_mb3.inlist.<br />
{AUTHCHK=ALL;MBRSET;pktestdb3.pfx;PKWARE;RQD}<br />
AUTHPOL<br />
Authenticate Filters:<br />
Validate Level . . . . . *SYSTEM *VALIDATE, *WARN, *NONE...<br />
Validate Type . . . . . *ARCHIVE *ARCHIVE, *NONE<br />
Filters . . . . . . . . . *SYSTEM *SYSTEM, *ALL, *NONE...<br />
+ <strong>for</strong> more values<br />
Or<br />
AUTHPOL(*WARN *ARCHIVE (*SYSTEM) )<br />
AUTHPOL(*WARN *FILE (*NOTTRUSTED) )<br />
AUTHPOL(*SYSTEM *ALL (*ALL *NOTEXPIRED) )<br />
This parameter defines the processing options and filters that should apply if a<br />
signed file or signed archive is encountered.<br />
Validate Level (*VALIDATE |*WARN |*SYSTEM)<br />
The validate level specifies the type of authentication processing that should take<br />
place if a file or archive is encountered. The default is *SYSTEM and, unless it is<br />
modified, SecureZIP will use the enterprise setting from PKCFSEC.<br />
• *VALIDATE – Indicates that when authentication takes place and a failure<br />
occurs based on the filters, the run will be considered a failure and the<br />
message issued at the end will indicate one or more errors during the run.<br />
• *WARN - Indicates that when authentication place and a failure occurs, the<br />
failure is only considered a warning. The messages at the end of the run will<br />
not consider any failed authentications as errors.<br />
160
• *SYSTEM – Indicates the authentication processing that is set in the<br />
environmental setting will be used.<br />
Validate Type (*ALL |*ARCHIVE |*FILE |*NONE)<br />
The validate type specifies whether the file, archive, all or no authentication will take<br />
place if a file or archive has been signed. The default is *NONE, and anything other<br />
than *NONE requires the Enhanced Encryption module.<br />
• *ALL - Indicates that authentication will take place <strong>for</strong> both files and/or the<br />
archive has been signed.<br />
• *ARCHIVE - Indicates that only a signed archive will be authenticated.<br />
• *FILE - Indicates that only the signed files will authenticated.<br />
• *NONE - Indicates no authentication will take place even though a file or<br />
archive has been signed.<br />
Filters (*SYSTEM |*ALL |*NONE |*TAMPER |*TRUSTED |*EXPIRED |*REVOKED<br />
|*NOTAMPER |*NOTTRUSTED |*NOTEXPIRED |*NOTREVOKED )<br />
The authentication filter policies settings are defined in the enterprise security file<br />
supplied by the SecureZIP administrator (See PKCFGSEC). These global policy<br />
settings can be revised with sub-parameter values. The variables are cumulative<br />
from the global setting.<br />
• *SYSTEM – All filter policies are from the global settings.<br />
• *ALL - This sub-parameter activates all levels of authentication. If followed<br />
by negating sub-levels, then all but those negating levels are activated. For<br />
example: *ALL NOTEXPIRED means that expired certificates will not cause an<br />
authentication error, but TRUST and TAMPERCHECK must both be satisfied.<br />
• *NONE – Will negate all the policies.<br />
• *TAMPER – This sub-parameter signifies that a verification of the data<br />
stream should be done against the digital signature.<br />
• *TRUSTED – This sub-parameter signifies that the entire certificate authority<br />
chain must be validated. This includes locating the root (self-signed)<br />
certificate on the local system.<br />
• *EXPIRED – This sub-parameter signifies that certificate date range<br />
validation should be per<strong>for</strong>med on the certificates (including the certificate<br />
authority chain). Although the term “expired” is used, a certificate that has<br />
not yet reached its valid data range specification will fail.<br />
• *REVOKED - A certificate owner may request that the issuing certificate<br />
authority declare a certificate to be revoked and thereby no longer consider<br />
that certificate to be valid. The authentication operation will fail if any of the<br />
certificates in the trust chain are found to have been revoked, or if the<br />
revocation status could not be determined<br />
• *NOTAMPER – Negates the *TAMPER filter.<br />
• *NOTTRUSTED – Negates the *TRUSTED filter.<br />
• *NOTEXPIRED - Negates the *EXPIRED filter.<br />
• *NOTREVOKED – Negates the *REVOKED filter.<br />
161
CRTLIST<br />
CRTLIST(*NONE| path/filename )<br />
Specifies that PKUNZIP will create an output file with a list of entries that will be<br />
compressed based upon the selection criteria in the FILES and EXCLUDE parameters.<br />
This parameter only works with the TYPE set to *VIEW.<br />
See parameter TYPLISTFL <strong>for</strong> file system type in<strong>for</strong>mation.<br />
*NONE<br />
path/filename<br />
No list file will be created.<br />
Enter the file path and name of the file to create. The<br />
layout depends on which file system you want to create<br />
the file in.<br />
Library File System:<br />
The <strong>for</strong>mat is "library/file(member)".<br />
Integrated File System (IFS):<br />
The <strong>for</strong>mat is "path1/path2/../pathn/filename".<br />
CVTDATA<br />
CVTDATA(External Program Conversion Extended Data)<br />
Specifies the extended data that is passed to the external program CVTNAME. When<br />
CVTFLAG is not *NONE, the contents of the parameter are passed to provide<br />
extended flexibility in controlling how the <strong>iSeries</strong> names are stored in the archive.<br />
See Appendix D <strong>for</strong> more details on the external program.<br />
External Program Conversion Extended Data<br />
Specify up to 255 bytes of unedited data which is passed<br />
to the exit program CVTNAME to assist in controlling the<br />
program logic.<br />
CVTFLAG<br />
CVTFLAG(*NONE|Conversion Flags)<br />
Specifies the flags passed to the external program CVTNAME. These are used to<br />
control how the <strong>iSeries</strong> names are stored in the archive. See Appendix D <strong>for</strong> more<br />
details on the external program.<br />
The allowable values are:<br />
*NONE<br />
Conversion Flags<br />
Conversion exit is not active.<br />
Specify a 5-byte flag that is passed to the exit program<br />
CVTNAME to control the program logic. If the name<br />
passed back is blank, then conversion is referred back to<br />
the setting of the CVTTYPE parameter.<br />
162
CVTTYPE<br />
CVTTYPE(*NONE|*DROP|*SUFFIX)<br />
Specifies how the files names in the archive will be converted to a file name in the<br />
<strong>iSeries</strong> library, file, and Member <strong>for</strong>mat. In the <strong>iSeries</strong> QSYS library system, the<br />
length of each name in the QSYS <strong>for</strong>mat can only be up to 10 characters. In other<br />
plat<strong>for</strong>ms, the file name <strong>for</strong>mats (including MS/DOS) may have an extension with a<br />
period (.) separator which is not valid in the <strong>iSeries</strong> DB name. The file names in<br />
some cases may even exceed the 10-character limit. This parameter gives control<br />
over the file name conversion process.<br />
Note: The conversion of file names may result in duplicate file names on the <strong>iSeries</strong><br />
system. In this case, the rules <strong>for</strong> overwriting the files are in effect <strong>for</strong> duplicates<br />
(see the OVERWRITE option). If this is the case, using specific file inclusion and<br />
exclusion with multiple runs may be required to extract all of the files.<br />
The allowable values are:<br />
*SUFFIX<br />
*NAMEFILE<br />
*DROP<br />
This <strong>for</strong>ces the removal of the period(.) extension and<br />
stores name truncating characters over 10 characters.<br />
The extensions are considered to be file names or<br />
treated as a slash (/).<br />
Drops all characters after the period(.) extension<br />
separator, and stores the name truncating characters<br />
over 10.<br />
DFTDBRECLN<br />
DFTDBRECLN (132|Record Length)<br />
Specifies the record length to use when creating a file in the QSYS library system. If<br />
TYPFL2ZP parameter is *DB, and the file being extracted does not exist nor does<br />
extended attribute <strong>for</strong> the record length exist, the file will be created with the record<br />
length specified in this parameter.<br />
The allowable values are:<br />
132 Default is record length of 132 to match previous<br />
versions.<br />
Record Length A decimal number from 50 to 32000.<br />
DROPPATH<br />
DROPPATH(*NONE|{*ALL| *LIB)<br />
Used to drop the path(s) or libraries of files that are stored in the archives, there<strong>for</strong>e<br />
only using the file names in the archive. This is used along with the keyword EXDIR<br />
where the default paths are defined when dropping the paths on files in the archive.<br />
For example, if the file in the archive is “path1/path2/filename” (IFS) or<br />
“library/file/member” (QSYS), and if DROPPATH is *ALL, the file being extracted<br />
163
would be “filename” or “member”. If *LIB was used, the file being extracted would<br />
be path1/filename” or “file/member”.<br />
See “Example 1 - PKUNZIP Files to a New or Different Library” in Appendix B <strong>for</strong> an<br />
example of using EXDIR and DROPPATH together.<br />
The allowable values are:<br />
*NONE<br />
*ALL<br />
*LIB<br />
Do not remove paths and/or libraries in the archive.<br />
Remove all paths that are stored in the archive, leaving<br />
only an IFS file name or member name.<br />
Remove only the first path (which in most cases could<br />
be the library).<br />
ENTPREC<br />
Encryption Recipients :<br />
LookUp Type . . . . . . . . *DB *DB, *LDAP, *FILE...<br />
Recipient . . . . . . . . . ______________________________________<br />
Password (If Private) . . . ______________________________________<br />
Required . . . . . . . . . . *RQD *RQD, *OPT<br />
+ <strong>for</strong> more values _<br />
Or<br />
ENTPREC((*MBRSET 'pkwareCertAdmin04.cer' () *RQD))<br />
ENTPREC((*FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))<br />
ENTPREC((*FILE '/pkzshare/CStores/public/pkwareCertAdmin04.pfx'<br />
(‘mypassword’) *RQD))<br />
ENTPREC((*DB ‘EM=bill.Somebody@pkware.com' () *RQD))<br />
ENTPREC((*LDAP ‘EM=bill.Somebody@pkware.com' () *RQD))<br />
ENTPREC((*INLIST 'ATEST/INLIST(ENGNEER1)' *N)<br />
The encryption/decryption recipient parameter defines one to many recipients which<br />
is to be included <strong>for</strong> the ZIP and UNZIP process. This parameter allows 1-4 types of<br />
certificate searches to take place along with providing the ability <strong>for</strong> an include file<br />
that may contain the recipients.<br />
The specification of this recipient ENTPREC parameter, triggers encryption to take<br />
place during ZIP processing utilizing the found recipients along with any password<br />
that may be entered.<br />
There are four options.<br />
Lookup Type<br />
(*NONE |*DB |*LDAP |*FILE |*MBRSET |*SAME)<br />
The Lookup type would be the type of recipient search that will be used <strong>for</strong> the<br />
recipient string.<br />
• *DB - The Recipient string is defined to search using the Certificate Locator<br />
Database to access the digital certificate.<br />
• *LDAP - The recipient string is defined to search using the LDAP server to<br />
access the digital certificate.<br />
164
• *FILE - The recipient string is defined to read a specific file in a specific path<br />
in the IFS in order to access the digital certificate.<br />
• *MBRSET - The recipient string is defined to read this specific file from the<br />
enterprise public certificate store to access the digital certificate.<br />
• *INLIST- The recipient string defines a specific file that will contain one to<br />
many recipients.<br />
Recipient<br />
(The recipient string name)<br />
The recipient string <strong>for</strong>mat depends on what was specified <strong>for</strong> the Lookup type.<br />
• If type is *DB - The recipient string will either be an email address or the<br />
common name of the certificate. This depends on the configuration setting in<br />
PKCFGSEC parameter CERTDB. To override the default selection mode, you<br />
can prefix the string with EM= <strong>for</strong> email or CN= <strong>for</strong> the common name.<br />
For example:<br />
ENTPREC((*DB ‘bill.Somebody@pkware.com' () *RQD)<br />
(*DB ‘CN=bill Somebody' () *RQD)<br />
(*DB ‘EM=bill.Somebody@pkware.com' () *RQD))<br />
• If type is *LDAP - The recipient string will either be an email address or the<br />
common name of the certificate depending on the search mode configuration<br />
setting in PKCFGSEC parameter LDAP. To override the default selection mode,<br />
you can prefix the string with EM= <strong>for</strong> email or CN= <strong>for</strong> the common name.<br />
For example:<br />
ENTPREC((*LDAP ‘bill.Somebody@pkware.com' () *RQD)<br />
(*LDAP ‘CN=bill Somebody' () *OPT)<br />
(*LDAP ‘EM=bill.Somebody@pkware.com' () *RQD))<br />
• If type is *FILE - The recipient string is defined to read a specific file in a<br />
specific path of the IFS. This file should be Public-key X.509 file or private-key<br />
X.509 certificate file.<br />
For example:<br />
ENTPREC((*FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))<br />
The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path<br />
'/pkzshare/CStores/public’.<br />
• If type is *MBRSET - The recipient string is defined to read a specific file from<br />
public certificate store / private certificate store of the IFS. This file should be<br />
public-key X.509 file or private-key X.509 certificate file.<br />
For example:<br />
ENTPREC((*MBRSET 'pkwareCertAdmin04.cer' () *RQD))<br />
The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path of<br />
the public certificate store defined in the enterprise security configuration<br />
public store(parameter CSPUB). If a password was included, the file would be<br />
searched <strong>for</strong> in the enterprise security configuration private store (parameter<br />
CSPRIV).<br />
• If type is *INLIST- The recipient string defines a full file name of an input list<br />
file that contains records of ENTPREC shortcut parameters. The type of file<br />
165
will in the QSYS library file system if TYPLISTFL(*DB) is set and will be a path<br />
file name in the IFS if TYPLISTFL(*IFS) is set. The <strong>for</strong>mat of the ENTPREC<br />
shortcut parameters are define below in the *INLIST Usage section.<br />
Password (Private Cert Password)<br />
The password is only required if the certificate that is being selected is a private<br />
certificate. This option should be omitted if a public certificate will be utilized.<br />
Required<br />
(*RQD|*OPT|*SAME)<br />
If *RQD, then this recipient MUST be found during the selection and the certificate<br />
MUST be valid or the ZIP/UNZIP run will fail.<br />
Usage Notes:<br />
The ZIP process only requires a X.509 public-key <strong>for</strong>mat certificate to encrypt files.<br />
The UNZIP process requires X.509 private-key <strong>for</strong>mat certificate file to decrypt files<br />
and this will the input of a password.<br />
For inlist that contains a password to open a private certificate, make sure that the<br />
security is sufficient to only allow the owner of the certificate to have read access.<br />
Otherwise this would leave a security hole where other users could browse the<br />
password.<br />
*INLIST Usage:<br />
If *INLIST is defined on the ENTPREC parameter, then the recipient filed will be a file<br />
that SecureZIP will read to include recipient. The <strong>for</strong>mat is very similar to the<br />
ENTPREC parameter describe above except each line recipient starts with<br />
“{RECIPIENT=” and is terminated by the “}” character with the semi-colon “;” as a<br />
separator <strong>for</strong> each entry.<br />
Examples:<br />
{RECIPIENT=Lookup Type; Recipient; Password; Required}<br />
Lookup Type<br />
Recipient<br />
Password<br />
Required<br />
{RECIPIENT=MBRSE;EM; mypassword;RQD}<br />
See Lookup Type in ENTREC excluding the INLIST<br />
See Recipient in ENTREC.<br />
See Password in ENTREC.<br />
See Required in ENTREC, but use RDQ <strong>for</strong> *RQD and<br />
OPT <strong>for</strong> *OPT.<br />
Sample 1: tstpriv_db4.inlist.<br />
{RECIPIENT=DB;EM=PKTESTDB4@nowhere.com;PKWARE;RQD}<br />
Sample 2: tstpriv_mb3.inlist.<br />
{RECIPIENT=MBRSET;pktestdb3.pfx;PKWARE;RQD}<br />
166
Sample 3: tstpubl.inlist.<br />
{RECIPIENT=MBRSET;pktestdb3.crt;;RQD}<br />
{RECIPIENT=MBRSET;pktestdb4.crt;;OPT}<br />
Sample 4: tstpubl2.inlist.<br />
{RECIPIENT=DB;EM=PKTESTDB3@nowhere.com;;RQD}<br />
{RECIPIENT=DB;CN=PKWARE Test4;;OPT}<br />
EXCLFILE<br />
EXCLFILE(*NONE| path/filename)<br />
This parameter specifies the file containing the list of files to be excluded. This can<br />
be used with or without the EXCLUDE parameter. See parameter TYPLISTFL <strong>for</strong> file<br />
system type in<strong>for</strong>mation.<br />
*NONE<br />
path/filename<br />
No list file will be processed.<br />
Enter the file path and the name of the file to process.<br />
The layout depends on which file system you want the<br />
file created.<br />
Library File System:<br />
The <strong>for</strong>mat is "library/file(member)".<br />
Integrated File System (IFS):<br />
The <strong>for</strong>mat is "path1/path2/../pathn/filename".<br />
EXCLUDE<br />
EXCLUDE(file_specification1, file_specification2,... file_specification n )<br />
Specifies the files and file specification patterns that will be excluded from the<br />
PKUNZIP run. One or more names can be specified. Each name should be in the<br />
OS/400 file system <strong>for</strong>mat, such as, QSYS is library/file(member) and IFS is<br />
directory/file, and can include wildcards “*” and “?”.<br />
Note: If TYPE(*VIEW) is being used, then the <strong>for</strong>mat <strong>for</strong> these names is the<br />
MS/DOS <strong>for</strong>mat.<br />
The PKUNZIP program can also exclude file specifications by using the list file<br />
parameter EXCLFILE with a list of names to exclude.<br />
Please refer to Chapter 5 <strong>for</strong> details of file specification <strong>for</strong>matting.<br />
The valid parameter values <strong>for</strong> the FILES keyword are as follows:<br />
'file_specification 1'<br />
'file_specification 2'...<br />
'file_specification n'<br />
167
EXDIR<br />
EXDIR(*CURRENT| path)<br />
If there are no paths stored in the archive file name, EXDIR specifies the default path<br />
to store the files being extracted. The path definition depends on the “file system<br />
type” in parameter TYPFL2ZP. This will happen when the files come from a PC or if<br />
the files were compressed with SecureZIP <strong>for</strong> <strong>iSeries</strong> using the STOREPATH(*NO)<br />
parameter.<br />
If the “file system type” is IFS, EXDIR will be the paths defined <strong>for</strong> your <strong>iSeries</strong> open<br />
systems and the default path will be the current directory settings (issue the<br />
command DSPCURDIR to see the current directory settings).<br />
If the “file system type” is the library file system, the path will be either a library or a<br />
library/filename. The default is *CURLIB/UNZIPPED and if the file UNZIPPED does not<br />
exist, then it is created with a record length of 132. It is best to create a default file<br />
with the record length of your choice, because if a text file is extracted with a record<br />
length greater than the file’s record length, the record will be truncated to fit the<br />
record length.<br />
If EXDIR is coded with keyword MBR and the file system is the QSYS library system,<br />
PKUNZIP will use the member name <strong>for</strong> the file name. For example:<br />
EXDIR('newlib/MBR') and DROPPATH(*ALL) parameters are coded and the file name<br />
in archive is "mylib/myfile/mymbr", the file will be extract to the file<br />
"newlib/mymbr(mymbr)". This is only valid <strong>for</strong> TYPFL2ZP(*DB) files.<br />
EXDIR is also used when the archive file is a GZIP archive and there is no file name<br />
stored in the archive. In this case, EXDIR becomes a required field.<br />
*CURRENT<br />
path<br />
Current directory <strong>for</strong> IFS or *CURLIB/UNZIPPED <strong>for</strong> the<br />
QSYS library file system.<br />
Enter the path or path/path/.. in which to extract. The<br />
layout depends on the file system in which the file is to<br />
be created.<br />
Library File System:<br />
The <strong>for</strong>mat is "library/file".<br />
Integrated File System (IFS):<br />
The <strong>for</strong>mat is "path1/path2/../pathn".<br />
FILES<br />
FILES(file_specification1, file_specification2,... file_specification n)<br />
Specifies the files and file specification patterns that will be selected in the PKUNZIP<br />
process. One or more names can be specified. Each name should be in the OS/400<br />
file system <strong>for</strong>mat, such as, QSYS is library/file(member), and IFS is directory/file,<br />
and can include wildcard “*” and “?”.<br />
Note: If TYPE(*VIEW) is being used then the <strong>for</strong>mat <strong>for</strong> these names is the<br />
MS/DOS <strong>for</strong>mat.<br />
The PKUNZIP program can also have file specification selections to include by using<br />
the list file parameter INCLFILE with a list of names to select.<br />
168
Files may also be excluded. See the EXCLUDE parameter.<br />
Please refer to Chapter 5 <strong>for</strong> details of file specification <strong>for</strong>matting.<br />
The valid parameter values <strong>for</strong> the FILES keyword are as follows:<br />
'file_specification 1'<br />
'file_specification 2'<br />
'file_specification n'<br />
FILETYPE<br />
FILETYPE(*TEXT|*BINARY|*EBCDIC|*DETECT)<br />
Specifies whether the files selected are treated as text or binary data. For text files<br />
added to an archive, trailing spaces in each line are removed, the text is converted<br />
to ASCII (based on the translation tables) by default, and a carriage return and line<br />
feed (CR/LF) are added to each line be<strong>for</strong>e the data is compressed into the archive.<br />
Binary files are not converted at all.<br />
There are attributes which indicate how a file was compressed (TEXT, BINARY, or a<br />
SAVF) in the archive headers. The default setting (and recommended) is *DETECT,<br />
which analyzes the header to determine the file type. To view the attribute settings<br />
of a file, use the VIEWOPT( *DETECT).<br />
If the file is a SAVF, then it will be processed as BINARY, regardless of any option<br />
that you select.<br />
*DETECT<br />
*TEXT<br />
*BINARY<br />
*EBCDIC<br />
Uses the attribute setting that is stored in the archive to<br />
determine the file type.<br />
Specifies that the files selected are text files and<br />
translation will be per<strong>for</strong>med using the translate tables<br />
specified in the TRAN option.<br />
Specifies that the files selected are binary files and no<br />
translation should be per<strong>for</strong>med.<br />
Specifies that the files selected are text files and leaves<br />
it in EBCDIC without per<strong>for</strong>ming any translation. This is<br />
good only if the files are to be used on an <strong>iSeries</strong> or<br />
IBM-type mainframe. If they are unzipped to a PC file,<br />
then a translation from EBCDIC to ASCII is required.<br />
FTRAN<br />
FTRAN(*INTERNAL| Member Name )<br />
Specifies the translation table <strong>for</strong> use with translating "file names, comments, and<br />
password" from the <strong>iSeries</strong> EBCDIC character set to the character set used in the<br />
archive file (normally ASCII character set). A default internal table is predefined. See<br />
Appendix F - Translation Tables <strong>for</strong> additional in<strong>for</strong>mation.<br />
169
*INTERNAL<br />
membername<br />
Use the predefined internal table <strong>for</strong> translation. Using<br />
this is initially faster because PKUNZIP does not have to<br />
parse the override table.<br />
Specify the member name in the file PKZTABLES that<br />
will be parsed and used to translate "File names and<br />
comments" files to the archive character set. The<br />
member should have the exact <strong>for</strong>mat of member<br />
UKASCII in file PKZTABLES. See Appendix F <strong>for</strong><br />
in<strong>for</strong>mation on defining translation tables.<br />
IFSCDEPAGE<br />
IFSCDEPAGE(*NO | Code-Page)<br />
If this option is set to *NO, PKUNZIP will write IFS files with the code page that is<br />
registered <strong>for</strong> the file, or will use the default job code page if no code page is set in<br />
the file attributes. Otherwise, PKUNZIP will write IFS files with the specified code<br />
page.<br />
Note: If files are to be extracted to a case sensitive file system, the case sensitive<br />
<strong>for</strong>mat of file names must be used be<strong>for</strong>e they can be selected.<br />
The allowable values are:<br />
*NO<br />
Code-Page<br />
The PKUNZIP program will read IFS files with the code<br />
page registered <strong>for</strong> the file. This is the default.<br />
The PKUNZIP program will write the IFS files with the<br />
specified code page value.<br />
INCLFILE<br />
INCLFILE(*NONE| path/filename)<br />
This parameter specifies the file containing the list of files to be selected <strong>for</strong><br />
including. This can be used with or without the FILES parameter. See parameter<br />
TYPLISTFL <strong>for</strong> file system type in<strong>for</strong>mation.<br />
*NONE<br />
No include list file will be processed. This is the default.<br />
path/filename Enter the file path and name of the file to process. The<br />
layout depends on which file system you want the file<br />
created.<br />
Library File System:<br />
The <strong>for</strong>mat is "library/file(member)".<br />
Integrated File System (IFS):<br />
The <strong>for</strong>mat is "path1/path2/../pathn/filename".<br />
170
MSGTYPE<br />
MSGTYPE(*PRINT|*SEND|*BOTH)<br />
Specifies where the display of messages and in<strong>for</strong>mation should be shown. The<br />
PKUNZIP program can send messages which appear on the log, and also may print<br />
to stdout and stderr. If working interactively, stdout and stderr will display upon the<br />
dynamic screen. If submitted via batch, you can override them to print in an OUTQ,<br />
or you can build a CL and save them to an outfile.<br />
*SEND<br />
*PRINT<br />
*BOTH<br />
Send the in<strong>for</strong>mation to the log with send message<br />
commands.<br />
Send the in<strong>for</strong>mation to stdout and stderr.<br />
Send the in<strong>for</strong>mation to the log with send message<br />
commands and also to stdout and stderr.<br />
OVERWRITE<br />
OVERWRITE(*NO|*YES|*PROMPT}<br />
Controls how PKUNZIP reacts to files that are being extracted and the file already<br />
exists. To help prevent accidental overwriting of files, the default is *PROMPT.<br />
The allowable values are:<br />
*YES<br />
*NO<br />
*PROMPT<br />
Always overwrite files. If the file exists, the file will be<br />
overwritten with no message or prompting.<br />
Never overwrite files. If the file already exists then the<br />
archive file will be skipped and not extracted. This is the<br />
default.<br />
When a file being extracted already exists, PKUNZIP will<br />
issue the warning message AQZ0262 and prompt the<br />
user <strong>for</strong> the required action.<br />
PASSWORD<br />
PASSWORD(Archive Password)<br />
Specifies a password to be used <strong>for</strong> files that were added to the archive with a<br />
password. This password may be up to 64 characters in length and is case-sensitive.<br />
All files selected <strong>for</strong> archiving will be checked <strong>for</strong> encryption using the specified<br />
password. Files in the archive may have different passwords. If so, PKUNZIP must be<br />
run once <strong>for</strong> each password.<br />
Since the password in entered in EBCDIC, the translation table referenced in the<br />
FTRAN parameter is used to translate it to ASCII. Care should be take when using<br />
the FTRAN override when using a password. To use password-protected files, the<br />
same FTRAN override option is required.<br />
171
SFQUEUE<br />
SFQUEUE (*DFT |Name)<br />
Specifies the output queue that will be used as an override when extracting spool<br />
files. If no OUTQ library is specified, it will default to *LIBL.<br />
The allowable values are:<br />
*DFT<br />
OUTQ<br />
OUTQ Library<br />
The output queue that are in the spool file attributes will<br />
be used when extracting files.<br />
The specific OUTQ that will used when the spool file is<br />
extracted. It must be a valid output queue.<br />
The library where the OUTQ resides.<br />
SPLUSRID<br />
SPLUSRID (*DFT| User ID)<br />
The user ID to use when extracting a spool file. If *DFT is used the user ID belonging<br />
to the spool file will be used when building the spool file.<br />
The allowable values are:<br />
*DFT<br />
User ID<br />
Use user ID associated with spool file in the archive.<br />
Specify a valid user ID that the new extracted spool file<br />
will belong to. It must be a valid user ID on the<br />
OS/400.<br />
Note on extracting Spool Files: To create or extract a spool file with PKUNZIP,<br />
the user must have *USE authority to the API QSPCRTSP. The normal setting <strong>for</strong> the<br />
API QSPCRTSP is authority PUBLIC(*EXCLUDE). The API authority is set this way so<br />
that system administrators can control the use of this API. This API has security<br />
implications because you can create a spooled file from the data of another spooled<br />
file. To allow user to extract spool files change the API authority on a need basis.<br />
TRAN<br />
TRAN(*INTERNAL| Member Name)<br />
Specifies the translation table <strong>for</strong> use with translating data from the <strong>iSeries</strong> EBCDIC<br />
character set to the character set used in the archive file (normally the ASCII<br />
character set). A default internal table is predefined (see Appendix F).<br />
*INTERNAL<br />
Member Name<br />
Use the predefined internal table <strong>for</strong> translation. Using<br />
this is initially faster because PKUNZIP does not have to<br />
parse the override table.<br />
Specifies the member name in the file PKZTABLES that<br />
will be parsed and used to translate data files to the<br />
archive character set. The member should have the<br />
172
exact <strong>for</strong>mat of member UKASCII in file PKZTABLES (see<br />
Appendix F <strong>for</strong> in<strong>for</strong>mation on defining translation<br />
tables).<br />
TYPARCHFL<br />
TYPARCHFL(*DB|*IFS)<br />
Specifies the type of file system in which the archive file will exist (see parameters<br />
ARCHIVE and TMPPATH <strong>for</strong> additional in<strong>for</strong>mation).<br />
*DB<br />
*IFS<br />
Archive files are to be in the QSYS library file system.<br />
Archive files are to be in the integrated files system<br />
(IFS).<br />
TYPFL2ZP<br />
TYPFL2ZP(*DB|*IFS)<br />
Specifies the type of file system that contains the files to be unzipped. Reflected <strong>for</strong><br />
files in parameters FILES and EXCLUDE.<br />
*DB<br />
*IFS<br />
Files to be unzipped are in the QSYS library file system.<br />
Files to be unzipped are in the IFS (integrated files<br />
system).<br />
TYPLISTFL<br />
TYPLISTFL(*DB|*IFS)<br />
Specifies the “type of files system” that will be used <strong>for</strong> the input list file and/or the<br />
output list file of selected items.<br />
To use input list files, see parameters INCLFILE (file section list) or EXCLFILE (file<br />
exclude list). To create an output list file of the selected files items, see parameter<br />
CRTLIST.<br />
*DB<br />
*IFS<br />
Files are in the QSYS library file system.<br />
Files are in the IFS(integrated file system).<br />
VERBOSE<br />
VERBOSE(*NORMAL|*NONE| *ALL|*MAX )<br />
Specifies how the detail will be displayed during a PKUNZIP run.<br />
The allowable values are:<br />
*NORMAL<br />
Displays most in<strong>for</strong>mative messages to show PKUNZIP is<br />
processing.<br />
173
*NONE<br />
*ALL<br />
*MAX<br />
Displays only major exception in<strong>for</strong>mation.<br />
Displays all messages.<br />
Used only <strong>for</strong> debugging purposes.<br />
VIEWOPT<br />
VIEWOPT(*NORMAL|*DETAIL|*BRIEF|*COMMENT|*FNE|*FNEALL)<br />
Specifies the level of in<strong>for</strong>mation produced when viewing the archive.<br />
The allowable values are:<br />
*NORMAL<br />
*DETAIL<br />
*BRIEF<br />
*COMMENT<br />
*FNE<br />
*FNEALL<br />
Shows the original file length, compression method,<br />
compressed size, compression ratio, file date and time,<br />
32-bit CRC value, and file name <strong>for</strong> each file in the<br />
archive.<br />
Shows very detailed technical in<strong>for</strong>mation about each<br />
file in the archive. It will also show all extended<br />
attribute (extra data fields) in<strong>for</strong>mation that was stored<br />
in the archive produced by PKZIP (only if the PKZIP<br />
keywords EXTRAFLD(*YES) or DBSERVICE(*YES) were<br />
specified).<br />
Shows the original file length, file date and time, and file<br />
name <strong>for</strong> each file in the archive.<br />
Same as the *NORMAL option, but also shows any file<br />
comments stored on a separate line after its details.<br />
Shows the archive’s file name encryption properties.<br />
Shows the archive’s file name encryption detail<br />
properties including the allowable recipients.<br />
VIEWSORT<br />
VIEWSORT(*ASIS|*DATE|*DATER|*NAME|*NAMER|*PERCENT|*PERCENTR| *SIZE|*SIZER))<br />
Specifies the sequence of the viewing display.<br />
The allowable values are:<br />
*ASIS<br />
*DATE<br />
*DATER<br />
*NAME<br />
List the files in the sequence in which they are stored in<br />
the archive, such as, as is.<br />
List the files in ascending order of the file’s date & time<br />
as stored in the archive.<br />
List the files in descending order of the file’s date & time<br />
as stored in the archive.<br />
List the files in ascending order of the file name as<br />
stored in the archive.<br />
174
*NAMER<br />
*PERCENT<br />
*PERCENTR<br />
*SIZE<br />
*SIZER<br />
List the files in descending order of the file name as<br />
stored in the archive.<br />
List the files in ascending order of the compression<br />
percentage as stored in the archive.<br />
List the files in descending order of the compression<br />
percentage as stored in the archive.<br />
List the files in ascending order of the uncompressed file<br />
size as stored in the archive.<br />
List the files in descending order of the uncompressed<br />
file size as stored in the archive.<br />
175
13 PKCFGSEC “Configure Security<br />
Parameters” Command<br />
PKCFGSEC Command Summary with Parameter Keyword<br />
Format<br />
The PKCFGSEC command updates and views the SecureZIP security configuration<br />
file. This configuration file is where the enterprise security options and defaults<br />
reside.<br />
Keywords are demarcated by spaces. In many case there are multiple entries <strong>for</strong> a<br />
parameter where each entry is again demarcated by spaces. For more in<strong>for</strong>mation<br />
about the command process, reference the IBM home page <strong>for</strong> your version of the<br />
operating system.<br />
Usage Notes<br />
It is recommended that you define your standard enterprise options in a CL using the<br />
PKCFGSEC command. Then as changes occur or new versions are upgraded the CL<br />
can be run to reset the parameters. This will also help if you need to temporarily<br />
change one or more settings, as the CL can provide a quick means to reset the<br />
configuration back to the enterprise setting.<br />
TYPE ( ({*INSTALL} )<br />
{IVIEW }<br />
SECTYPE ( ZIP Secure Settings: )<br />
SecureZIP Active {*SAME|*NO|*YES}<br />
AES 3DES Keys {*SAME|*NO|*YES }<br />
Password {*SAME|*NO|*RQD}<br />
Recipient Secure {*SAME|*NO|*RQD }<br />
File Signing 1 {*SAME|*NO }<br />
Archive Signing1 1 {*SAME|*NO}<br />
File Authentication 1 {*SAME|*NO }<br />
Archive Authentication 1 {*SAME|*NO}<br />
File Name Encrypton {*SAME|*NO|*RQD| *OPT}<br />
ADVCRYPT ( Freeze Method )<br />
{*SAME }<br />
{*NONE }<br />
{AES}<br />
{AES128}<br />
1 Not Active. Future Releases<br />
176
{AES192}<br />
{AES256}<br />
{3DES }<br />
{DES }<br />
{RC4_128}<br />
{ADVANCE}<br />
Mode {*SAME }<br />
{BSAFE }<br />
{PKWARE}<br />
Hash {*SAME }<br />
{*SHA1 }<br />
PASSWORD ( Min Length {1-200} )<br />
Min Length {1-200}<br />
Hardening Options{0} 1<br />
SIGNPOL ( Signing Settings: )<br />
Signing Hash {*SAME }<br />
{*SHA1}<br />
{*MD5}<br />
Validate Level {*SAME }<br />
{*VALIDATE}<br />
{*WARN }<br />
{*VALIDATELOCK}<br />
{*WARNLOCK}<br />
Lockdown {*SAME }<br />
{*NO}<br />
{*YES}<br />
Filters {*SAME }<br />
{*ALL}<br />
{*NONE}<br />
{*TRUSTED}<br />
{*EXPIRED}<br />
{*REVOKED}<br />
{*NOTTRUSTED}<br />
{*NOTEXPIRED}<br />
{*NOTREVOKED}<br />
AUTHPOL ( Authenticate Filters: )<br />
Validate Level {*SAME }<br />
{*NONE }<br />
{*VALIDATE}<br />
{*WARN }<br />
{*VALIDATELOCK}<br />
{*WARNLOCK}<br />
Lockdown {*SAME }<br />
{*NO}<br />
{*YES}<br />
Filters {*SAME }<br />
{*ALL}<br />
{*NONE}<br />
{*TAMPER}<br />
{*TRUSTED}<br />
{*EXPIRED}<br />
{*REVOKED}<br />
{*NOTAMPER}<br />
{*NOTTRUSTED}<br />
{*NOTEXPIRED}<br />
{*NOTREVOKED}<br />
ENCRYPOL ( Encryption Filters: )<br />
Validate Level {*SAME }<br />
{*VALIDATE}<br />
{*WARN }<br />
{*VALIDATELOCK}<br />
{*WARNLOCK}<br />
Lockdown {*SAME }<br />
177
{*NO}<br />
{*YES}<br />
Filters {*SAME }<br />
{*ALL}<br />
{*NONE}<br />
{*TRUSTED}<br />
{*EXPIRED}<br />
{*REVOKED}<br />
{*NOTTRUSTED}<br />
{*NOTEXPIRED}<br />
{*NOTREVOKED}<br />
DECRYPOL ( DecryptionFilters: ) 1<br />
Validate Level {*SAME }<br />
REVKEPOL ( Revocation Settings: )<br />
CRL Type {*SAME }<br />
{*NONE }<br />
{*STATICCRL}<br />
Revoke Level {*SAME } 1<br />
{*NONE}<br />
CERTSELT ( Certificate Validation Level: )<br />
Cert. Best Fit {*SAME }<br />
{*NONE }<br />
{*LATESTVALID}<br />
{*LASTVALID}<br />
{*FIRSTVALID}<br />
{*LATEST}<br />
{*LAST }<br />
{*FIRST }<br />
Cert. Secure Type{*SAME } 1 {*NONE }<br />
{*ENCRYPTION}<br />
{*SIGNING}<br />
CERTDB (Certificate DataBase Locator: )<br />
Active? {*SAME }<br />
{*YES }<br />
{*NO }<br />
Store Type {*SAME }<br />
{*NONE }<br />
{*LIB}<br />
Sequence {*SAME }<br />
{0-9 }<br />
Library {*SAME }<br />
{Library Name string }<br />
Search Mode {*SAME }<br />
{*EMAIL }<br />
{*CN}<br />
CSPUB ( Certificate PUBLIC Store: )<br />
Store Type {*SAME }<br />
{*NONE }<br />
{*PATH}<br />
Sequence {*SAME }<br />
{0-9 }<br />
Store Location {*SAME }<br />
{Path Name string }<br />
CSPRVT ( Certificate PRIVATE Store: )<br />
Store Type {*SAME }<br />
{*NONE }<br />
{*PATH}<br />
Sequence {*SAME }<br />
178
{0-9 }<br />
Store Location {*SAME }<br />
{Path Name string }<br />
CSCA ( Certificate CA Store: )<br />
Store Type { *SAME }<br />
{*NONE }<br />
{*FILE}<br />
Sequence { *SAME }<br />
{0-9 }<br />
Store Location { *SAME }<br />
{Path/File Name string }<br />
CSROOT ( Certificate ROOT Store: )<br />
Store Type { *SAME }<br />
{*NONE }<br />
{*FILE}<br />
Sequence { *SAME }<br />
{0-9 }<br />
Store Location { *SAME }<br />
{Path/File Name string }<br />
CSCRL ( Certificate CRL Store: )<br />
Store Type { *SAME }<br />
{*NONE }<br />
{*FILE}<br />
Sequence { *SAME }<br />
{0-9 }<br />
Store Location { *SAME }<br />
{Path/File Name string }<br />
CWRKPATH ( Certificate Work Path: )<br />
Path Location { *SAME }<br />
{*NONE }<br />
{Path Name string }<br />
ENTPREC ( Enterprise Encrypt Recipient: )<br />
LookUp Type { *SAME }<br />
{*NONE}<br />
{*DB }<br />
{*LDAP }<br />
{*FILE }<br />
{*MBRSET }<br />
{*INLIST }<br />
Recipient {Recipient Name string }<br />
Required { *SAME }<br />
{*RQD }<br />
{*OPT }<br />
LDAPACTV ( LDAP Definitions: )<br />
Nbr Active LDAPs { *SAME }<br />
{Number of Active LDAPs }<br />
179
LDAP1 (Primary LDAP: )<br />
1 Network Name { *SAME }<br />
{Network IP address or server Name }<br />
1 Port {1-9999 }<br />
1 Sequence {0-9 }<br />
1 TimeOut {0-9999 }<br />
1 Access User {LDAP User <strong>for</strong> Access }<br />
1 Access Password {User Password }<br />
1 Search Mode {*EMAIL }<br />
{*CN }<br />
1 Start Node {Start Node Text String }<br />
1 Test {N }<br />
{Y }<br />
PKCFGSEC Command Keyword Details<br />
By using the *SAME as an option no changes will take place to the current security<br />
configuration file.<br />
TYPE<br />
TYPE(*UPDATE|*VIEW)<br />
The type processing parameter indicates whether the security configuration should<br />
update the configuration file or view the current settings.<br />
SECTYPE<br />
ZIP Secure Settings:<br />
SecureZIP Active . . . . . *YES<br />
*NO, *YES, *SAME<br />
AES 3DES Keys . . . . . . . *YES<br />
*NO, *YES, *SAME<br />
Password . . . . . . . . . *NO<br />
*NO, *RQD, *SAME<br />
Recipient Secure . . . . . *NO<br />
*NO, *RQD, *SAME<br />
File Signing . . . . . . . *NO<br />
*NO, *SAME<br />
Archive Signing . . . . . *NO *NO, *SAME<br />
File Authentication . . . *NO *NO, *SAME<br />
Archive Authentication . . *NO<br />
*NO, *SAME<br />
File Name Encryption . . . *OPT<br />
*NO, *RQD, *OPT, *SAME<br />
Or SECTYPE(*YES *YES *NO *NO *NO *NO *NO *OPT)<br />
SECTYPE or PKZIP Secure Settings are the base security settings <strong>for</strong> ZIP and UNZIP<br />
processing and currently consist of six options:<br />
SecureZIP Active (*NO|*YES|*SAME)<br />
By setting this option to *YES activates the security configuration file. This is<br />
required to utilize the security features in SecureZIP. .<br />
AES 3DES Keys (*NO|*YES|*SAME)<br />
The purpose of this switch is to maintain compatibility with Windows (pre-XP)<br />
systems where the private key certificate was not imported with "Mark the private<br />
180
key as exportable". This has importance when sharing AES-encrypted files with<br />
recipients. See the section on Windows compatibility <strong>for</strong> more in<strong>for</strong>mation.<br />
Password (*NO|*RQD|*SAME)<br />
The Password option if coded *YES, will <strong>for</strong>ce the ZIP process to always require a<br />
password when compressing a file.<br />
Recipient Secure (*NO|*RQD|*SAME)<br />
The Recipient Secure option if coded *YES, will <strong>for</strong>ce the ZIP process to always<br />
require at least one valid recipient when compressing a file.<br />
File Signing (*NO |*YES |*SAME)<br />
Allows SecureZIP to digitally sign the files in the archive.<br />
Archive Signing (*NO |*YES |*SAME)<br />
Allows SecureZIP to Digitally sign the archive’s central directory.<br />
File Authentication (*NO |*YES |*SAME)<br />
Allows SecureZIP to authenticate the files in the archive that has been digitally<br />
signed.<br />
Archive Authentication (*NO |*YES |*SAME)<br />
Allows SecureZIP to authenticate the archive’s directory that has been digitally<br />
signed.<br />
File Name Encryption (*NO |*RQD |*OPT |*SAME)<br />
The file name encryption option allows the user to mask the names of files in the<br />
archive <strong>for</strong> added security.<br />
*NO – The ZIP process is not allowed to create filename-encrypted archives<br />
(that is, FNE(*NO) is required).<br />
*RQD – All ZIP runs must specify the FNE(*YES) to create filenameencrypted<br />
archives.<br />
*OPT – Creating filename-encrypted archives is optional <strong>for</strong> ZIP runs (that is,<br />
FNE(*YES) is allowed in the ZIP jobs).<br />
ADVCRYPT<br />
Advance Encryption:<br />
Freeze Method . . . . . . > AES128<br />
Mode . . . . . . . . > BSAFE<br />
*SAME, *NONE, AES, AES128...<br />
PKWARE, BSAFE, *SAME<br />
Or ADVCRYPT(AES128 BSAFE )<br />
181
The Advanced encryption parameter controls the enterprise settings <strong>for</strong> encryption<br />
when zipping or compressing files. There are the following option settings <strong>for</strong><br />
ADVCRYPT:<br />
Method (AES|AES128|AES192|AES256|3DES|DES RC4_128| Advance|*SAME|*NONE)<br />
The Method option if coded other than *NONE, will <strong>for</strong>ce the ZIP process to always<br />
require the encryption algorithm selected. If AES is selected then all AES algorithms<br />
are allowed. If Advance is selected then encryption is required with any algorithm<br />
except ZIPSTD.<br />
Mode (PKWARE|BSAFE |*SAME)<br />
The advanced encryption mode selects which algorithm modes to use. PKWARE use<br />
the SecureZIP/PKZIP exclusive implementation of the AES. BSAFE use the<br />
SecureZIP/PKZIP implementation of the RSA Security, Inc. CERT-C <strong>for</strong> AES, 3DES,<br />
DES and RC4 128 key.<br />
Hash (*SHA1 |*SAME)<br />
A hash calculation is involved as part of the key manipulation <strong>for</strong> the encryption<br />
process. At this time only the SHA1 algorithm is supported.<br />
Usage Notes<br />
If the mode is MODE(PKWARE) and METHOD(*NONE) or ADVANCE, then if on the<br />
ZIP process the 3DES, DES, or RC4 is selected <strong>for</strong> the algorithm, the BSAFE<br />
implementation is used.<br />
PASSWORD<br />
Archive Password Specs:<br />
Min Length . . . . . . . . > 1<br />
1-200, *SAME<br />
Max Length . . . . . . . . > 200<br />
1-200, *SAME<br />
Hardening Options . . . . . > 0 *SAME, 0, 1, 2<br />
Or PASSWORD(1 200 0) or PASSWORD(1 200)<br />
The Password parameter defines the enterprise settings when the ZIP process<br />
provides a password. There are three options.<br />
Min Length (1-200|*SAME)<br />
The minimum length option is the enterprises required minimum length when a<br />
password is provided in the ZIP process. The default is 1. The windows version<br />
requires the minimum password length to be 8 or more.<br />
Max Length (1-200|*SAME)<br />
The maximum length option is the enterprises required maximum length when a<br />
password is provided in the ZIP process. The default is 200.<br />
182
Hardening Options (0,1,2|*SAME)<br />
The password hardening option is reserved <strong>for</strong> future releases of SecureZIP.<br />
SIGNPOL<br />
Signing Settings:<br />
Signing Hash . . . . . . . . *SAME *SAME, *SHA1, *MD5<br />
Validate Level . . . . . *SAME<br />
Lockdown Filters . . . . *SAME *NO, *YES, *SAME<br />
Filters . . . . . . . . . *SAME *SAME, *ALL, *NONE...<br />
+ <strong>for</strong> more values<br />
Or<br />
SIGNPOL (*SHA1 *WARN *NO (*ALL *NOTREVOKED) )<br />
SIGNPOL (*SHA1 *VALIDATELOCK *YES (*ALL *REVOKED) )<br />
When signing a file or archive, SIGNPOL will define the HASH ALGORITHM, the error<br />
validation levels, and the CERTIFICATE filters <strong>for</strong> the signers certificates selected.<br />
Signing Hash (*SHA1 | *MD5 |*SAME)<br />
Specifies the hashing algorithm that is used to generate a digital signature. It applies<br />
to the active Signing files and archives during a ZIP run.<br />
Options:<br />
*SHA1 The default algorithm generates a 20-byte hash value. This algorithm<br />
is supported by all SecureZIP products.<br />
The in<strong>for</strong>mation below is from FIPS 180-1:<br />
This Standard specifies a Secure Hash Algorithm, SHA-1, <strong>for</strong> computing a<br />
condensed representation of a message or a data file. When a message of<br />
any length < 2 64 bits is input, the SHA-1 produces a 160-bit output called a<br />
message digest. The message digest can then be input to the Digital<br />
Signature Algorithm (DSA) which generates or verifies the signature <strong>for</strong> the<br />
message. Signing the message digest rather than the message often<br />
improves the efficiency of the process because the message digest is usually<br />
much smaller in size than the message. The same hash algorithm must be<br />
used by the verifier of a digital signature as was used by the creator of the<br />
digital signature.<br />
The SHA-1 is called secure because it is computationally infeasible to find a<br />
message which corresponds to a given message digest, or to find two<br />
different messages which produce the same message digest. Any change to a<br />
message in transit will, with very high probability, result in a different<br />
message digest, and the signature will fail to verify.<br />
*MD5<br />
This algorithm generates a 16-byte hash value. It is<br />
included <strong>for</strong> compatibility with older releases of PKZIP on<br />
other plat<strong>for</strong>ms, which previously supported this<br />
algorithm.<br />
183
Processing Notes<br />
The entire data stream (archive central directory or file data) is run through the hash<br />
algorithm be<strong>for</strong>e compression or encryption. However, file text data is translated<br />
be<strong>for</strong>e hashing so that the receiving system is able to hash the identical stream after<br />
decryption/decompression.<br />
During authentication operations, SecureZIP <strong>for</strong> <strong>iSeries</strong> will dynamically detect<br />
which algorithms had been used <strong>for</strong> signing and per<strong>for</strong>m the necessary processing to<br />
validate the signature.<br />
Validation Level (*VALIDATE | *WARN | *VALIDATELOCK | *WARNLOCK |*SAME)<br />
The validation level defines the error level <strong>for</strong> failure, if an error occurs with the<br />
selection of a certificate <strong>for</strong> signing fails the filters.<br />
Options:<br />
*VALIDATE<br />
*WARN<br />
*VALIDATELOCK<br />
*WARNLOCK<br />
If an error occurs then the ZIP job will issue that a<br />
failure occurred and will not continue.<br />
If an error occurs then the ZIP will continue and will not<br />
issue that an error occurred at the end of the ZIP<br />
process.<br />
Same as *VALIDATE, but will also not allow a ZIP to run<br />
with an option <strong>for</strong> SIGNPOL other than what is defined<br />
<strong>for</strong> the enterprise system. A warning message will be<br />
issued and the run will continue using the enterprise<br />
settings.<br />
Same as *WARN, but will also not allow a ZIP to run<br />
with an option <strong>for</strong> SIGNPOL other than what is defined<br />
<strong>for</strong> the enterprise system. A warning message will be<br />
issued and the run will continue using the enterprise<br />
settings.<br />
Lockdown Filters (*NO | *YES | *SAME)<br />
Provides the ability to lockdown the filters so they can not be changed at run time.<br />
By specifying *YES, the enterprise settings will be in lockdown mode. If the SIGNPOL<br />
in the PKZIP command is other than *SYSTEM, a warning message will be issued and<br />
the enterprise settings will be used <strong>for</strong> the run.<br />
Filters (*ALL | *NONE | * TRUSTED | *EXPIRED | *REVOKED | *NOTTRUSTED |<br />
*NOTEXPIRED | *NOTREVOKED |*SAME)<br />
The signing filter defines the level of processing that Signing Files and Signing<br />
Archives certificate selection will per<strong>for</strong>m during SECZIP execution.<br />
Options:<br />
*ALL<br />
*NONE<br />
*TRUSTED, *EXPIRED, and *REVOKED are used.<br />
*NOTTRUSTED, *NOTEXPIRED, and *NOTREVOKED are<br />
used<br />
184
*TRUSTED<br />
*EXPIRED<br />
*REVOKED<br />
*NOTTRUSTED<br />
*NOTEXPIRED<br />
*NOTREVOKED<br />
Each end-certificate used in the signature must be<br />
traced back to a trusted root certificate. The CSCA and<br />
CSROOT stores on the local system per<strong>for</strong>ming the<br />
authentication check will be accessed to determine if the<br />
entire certificate chain can be trusted. Although the Root<br />
(“self-signed”) certificate may be included within the<br />
archive, it MUST also exist in the CSROOT store to<br />
complete the TRUSTED state.<br />
The digital certificates used <strong>for</strong> the signing operation<br />
contains internal date ranges of validity. The certificate<br />
selection operation will fail if any of the certificates in<br />
the trust chain are not found to be within their stated<br />
data range. Note that an end-certificate may have<br />
expired at the time that the archive is being accessed,<br />
and NOTEXPIRED may be used to continue processing.<br />
A certificate owner may request that the issuing<br />
certificate authority declare a certificate to be revoked<br />
and thereby no longer consider that certificate to be<br />
valid. The signing certificate selection operation will fail<br />
if any of the certificates in the trust chain are found to<br />
have been revoked or if the revocation status could not<br />
be determined.<br />
*TRUSTED is not validated <strong>for</strong> signing certificates.<br />
*EXPIRED is not validated <strong>for</strong> signing certificates.<br />
*REVOKED is not validated <strong>for</strong> signing certificates.<br />
AUTHPOL<br />
Authenticate Filters:<br />
Validate Level . . . . . *SAME<br />
Lockdown Filters . . . . *SAME *NO, *YES, *SAME<br />
Filters . . . . . . . . . *SAME *SAME, *ALL, *NONE...<br />
+ <strong>for</strong> more values<br />
Or:<br />
AUTHPOL (*SHA1 *WARN *NO (*ALL *NOTREVOKED) )<br />
AUTHPOL (*SHA1 *VALIDATELOCK *YES (*ALL *REVOKED) )<br />
AUTHPOL defines the level of processing that authentication process will per<strong>for</strong>m.<br />
AUTHPOL fully defines the signature authentication elements to be verified in both<br />
PKZIP and PKUNZIP. If not locked down the default settings may be changed by the<br />
SecureZIP run.<br />
Validation Level (*VALIDATE | *WARN | *NONE | *VALIDATELOCK | *WARNLOCK<br />
|*SAME)<br />
The validation level defines the error level <strong>for</strong> failure, if an error occurs with the<br />
selection of a certificate <strong>for</strong> authenticating fails the filters.<br />
185
Options:<br />
*VALIDATE<br />
*WARN<br />
*NONE<br />
*VALIDATELOCK<br />
*WARNLOCK<br />
If an error occurs, then the ZIP job will issue that a<br />
failure occurred and will not continue.<br />
If an error occurs, then the ZIP will continue and will not<br />
issue that an error occurred at the end of the ZIP<br />
process.<br />
If an error occurs then the ZIP will continue and will not<br />
issue that an error occurred at the end of the ZIP<br />
process.<br />
Same as *VALIDATE, but will also not allow a ZIP to run<br />
with an option <strong>for</strong> AUTHPOL other than what is defined<br />
<strong>for</strong> the enterprise system. A warning message will be<br />
issued and the run will continue using the enterprise<br />
settings.<br />
Same as *WARN, but will also not allow a ZIP to run<br />
with an option <strong>for</strong> AUTHPOL other than what is defined<br />
<strong>for</strong> the enterprise system. A warning message will be<br />
issued and the run will continue using the enterprise<br />
settings.<br />
Lockdown Filters (*NO | *YES | *SAME)<br />
Provides the ability to lockdown the filters so they can not be changed at run time.<br />
By specifying *YES, the enterprise settings will be in lockdown mode. If the AUTHPOL<br />
in the PKZIP command is other than *SYSTEM, a warning message will be issued and<br />
the enterprise settings will be used <strong>for</strong> the run.<br />
Filters (*ALL | *NONE | *TAMPER | *TRUSTED | *EXPIRED | *REVOKED | *NOTAMPER |<br />
*NOTTRUSTED | *NOTEXPIRED | *NOTREVOKED |*SAME)<br />
The authentication filter defines the level of processing that authenticating Files and<br />
authenticating Archives certificate selection will per<strong>for</strong>m during SECZIP execution.<br />
Options:<br />
*ALL<br />
*NONE<br />
*TAMPER<br />
*TRUSTED<br />
*TAMPER, *TRUSTED, *EXPIRED, and *REVOKED are<br />
used.<br />
*NOTAMPER, *NOTTRUSTED, *NOTEXPIRED, and<br />
*NOTREVOKED are used.<br />
The signature associated with the archive or file(s)<br />
involved will be used to verify that the content has not<br />
been altered since the archive was built.<br />
Each end-certificate used in the signature must be<br />
traced back to a trusted root certificate. The CSCA and<br />
CSROOT stores on the local system per<strong>for</strong>ming the<br />
authentication check will be accessed to determine if the<br />
entire certificate chain can be trusted. Although the Root<br />
(“self-signed”) certificate may be included within the<br />
186
*EXPIRED<br />
*REVOKED<br />
*NOTAMPER<br />
*NOTTRUSTED<br />
*NOTEXPIRED<br />
*NOTREVOKED<br />
archive, it MUST also exist in the CSROOT store to<br />
complete the TRUSTED state.<br />
The digital certificates used <strong>for</strong> the signing operation<br />
contains internal date ranges of validity. The certificate<br />
selection operation will fail if any of the certificates in<br />
the trust chain are not found to be within their stated<br />
data range. Note that an end-certificate may have<br />
expired at the time that the archive is being accessed,<br />
and NOTEXPIRED may be used to continue processing.<br />
A certificate owner may request that the issuing<br />
certificate authority declare a certificate to be revoked<br />
and thereby no longer consider that certificate to be<br />
valid. The signing certificate selection operation will fail<br />
if any of the certificates in the trust chain are found to<br />
have been revoked or if the revocation status could not<br />
be determined.<br />
The signature associated with the archive or file(s)<br />
involved will NOT verify.<br />
*TRUSTED is not validated <strong>for</strong> signing certificates.<br />
*EXPIRED is not validated <strong>for</strong> signing certificates.<br />
*REVOKED is not validated <strong>for</strong> signing certificates.<br />
ENCRYPOL<br />
Encryption Filters:<br />
Validate Level . . . . . *SAME<br />
Lockdown Filters . . . . *SAME *NO, *YES, *SAME<br />
Filters . . . . . . . . . *SAME *SAME, *ALL, *NONE...<br />
+ <strong>for</strong> more values<br />
Or:<br />
ENCRYPOL (*WARN *NO (*ALL *NOTREVOKED) )<br />
ENCRYPOL (*VALIDATELOCK *YES (*ALL *REVOKED) )<br />
When encrypting a file with digital certificate, the certificates must meet a certain<br />
standard. ENCRYPOL defines the error validation levels and the certificate filters <strong>for</strong><br />
the encrypting certificates selected.<br />
Validation Level (*VALIDATE | *WARN | *VALIDATELOCK | *WARNLOCK |*SAME)<br />
The validation level defines the error level <strong>for</strong> failure, if an error occurs with the<br />
selection of a certificate <strong>for</strong> signing fails the filters.<br />
Options:<br />
*VALIDATE<br />
*WARN<br />
If an error occurs, then the ZIP job will issue that a<br />
failure occurred and will not continue.<br />
If an error occurs, then the ZIP will continue and will not<br />
issue that an error occurred at the end of the ZIP<br />
process.<br />
187
*VALIDATELOCK<br />
*WARNLOCK<br />
Same as *VALIDATE, but will also not allow a ZIP to run<br />
with an option <strong>for</strong> ENCRYPOL other than what is defined<br />
<strong>for</strong> the enterprise system. A warning message will be<br />
issued and the run will continue using the enterprise<br />
settings.<br />
Same as *WARN, but will also not allow a ZIP to run<br />
with an option <strong>for</strong> ENCRYPOL other than what is defined<br />
<strong>for</strong> the enterprise system. A warning message will be<br />
issued and the run will continue using the enterprise<br />
settings.<br />
Lockdown Filters (*NO | *YES | *SAME)<br />
Provides the ability to lockdown the filters so they can not be changed at run time.<br />
By specifying *YES, the enterprise settings will be in lockdown mode. If the<br />
ENCRYPOL in the PKZIP command is other than *SYSTEM, a warning message will be<br />
issued and the enterprise settings will be used <strong>for</strong> the run.<br />
Filters (*ALL | *NONE | * TRUSTED | *EXPIRED | *REVOKED | *NOTTRUSTED |<br />
*NOTEXPIRED | *NOTREVOKED |*SAME)<br />
The encryption filters defines the level of processing that encrypting certificate<br />
selection will per<strong>for</strong>m during SECZIP execution.<br />
Options:<br />
*ALL<br />
*NONE<br />
*TRUSTED<br />
*EXPIRED<br />
*REVOKED<br />
*TRUSTED, *EXPIRED, and *REVOKED are used.<br />
*NOTTRUSTED, *NOTEXPIRED, and *NOTREVOKED are<br />
used<br />
Each end-certificate used in the signature must be<br />
traced back to a trusted root certificate. The CSCA and<br />
CSROOT stores on the local system per<strong>for</strong>ming the<br />
authentication check will be accessed to determine if the<br />
entire certificate chain can be trusted. Although the Root<br />
(“self-signed”) certificate may be included within the<br />
archive, it MUST also exist in the CSROOT store to<br />
complete the TRUSTED state.<br />
The digital certificates used <strong>for</strong> the signing operation<br />
contains internal date ranges of validity. The certificate<br />
selection operation will fail if any of the certificates in<br />
the trust chain are not found to be within their stated<br />
data range. Note that an end-certificate may have<br />
expired at the time that the archive is being accessed,<br />
and NOTEXPIRED may be used to continue processing.<br />
A certificate owner may request that the issuing<br />
certificate authority declare a certificate to be revoked<br />
and thereby no longer consider that certificate to be<br />
valid. The signing certificate selection operation will fail<br />
if any of the certificates in the trust chain are found to<br />
have been revoked or if the revocation status could not<br />
be determined.<br />
188
*NOTTRUSTED<br />
*NOTEXPIRED<br />
*NOTREVOKED<br />
*TRUSTED is not validated <strong>for</strong> encrypting certificates.<br />
*EXPIRED is not validated <strong>for</strong> encrypting certificates.<br />
*REVOKED is not validated <strong>for</strong> encrypting certificates.<br />
REVKEPOL<br />
Revocation Settings:<br />
CRL Type . . . . . *SAME *STATICCRL, *NONE, *SAME<br />
Revoke Level . . . . . . *SAME *SAME, *NONE<br />
Or:<br />
REVKEPOL (*SHA1 *WARN *NO (*ALL *NOTREVOKED) )<br />
REVKEPOL (*SHA1 *VALIDATELOCK *YES (*ALL *REVOKED) )<br />
REVKEPOL defines the type and level of CRL processing, if any, that will take place.<br />
Currently only a static CRL is available.<br />
CRL Type (*STATICCRL | *NONE |*SAME)<br />
Defines type CRL processing that will take place with certificate analysis.<br />
Options:<br />
*STATICCRL<br />
*NONE<br />
Specifies CRL processing only on a static store that is<br />
updated with the PKSTORADM command. The timeliness<br />
of updates depends on the customer’s policies and the<br />
updating of the CRL store. This option requires that the<br />
CRL must be defined.<br />
No CRL processing check will take place. With the option<br />
*NONE , no certificates will ever have the revoke status.<br />
Revoke Level (*NONE | *SAME)<br />
Currently not used. Reserved <strong>for</strong> future use.<br />
*NONE<br />
To be defined.<br />
CERTSELT<br />
Certificate Validation Level:<br />
Cert. Best Fit . . . . . . . > *NONE<br />
Cert. Secure Type . . . . . > *NONE<br />
*NONE, *LATESTVALID...<br />
*NONE, *ENCRYPTION...<br />
Or CERTSELT(*NONE *NONE )<br />
The certificate validation level defines how SecureZIP will select a digital certificate<br />
when there is more than one certificate available from an LDAP or database<br />
selection. There are two options.<br />
189
Cert. Best Fit<br />
(*NONE|*LATESTVALID|*LASTVALID|*FIRSTVALID|*FIRST|*LAST|*LATEST|*SAME)<br />
This command assists in restricting the number or type of certificates being used to<br />
represent a user or organization <strong>for</strong> each encrypted file.<br />
When using LDAP or the database to locate public-key certificates <strong>for</strong> recipients, it is<br />
possible to locate more than one certificate <strong>for</strong> a target recipient. For example, if a<br />
user obtains a new certificate each year, then multiple certificates may represent<br />
that user within the LDAP. It may also be possible <strong>for</strong> a user to have certificates from<br />
multiple certificate authorities (e.g. Verisign, Thawte), or multiple certificates <strong>for</strong><br />
different purposes (encryption vs. signing).<br />
In any of the above conditions, a ZIP process may result in multiple recipient<br />
certificates being processed <strong>for</strong> the same target recipient (person or organization).<br />
Some organizations may desire to restrict the type or quantity of certificates being<br />
used <strong>for</strong> encryption. This can save processing resources and ZIP archive space.<br />
Options:<br />
*NONE<br />
*FIRST<br />
*LAST<br />
*LATEST<br />
*FIRSTVALID<br />
No matching will be per<strong>for</strong>med. Every certificate located<br />
in an LDAP server or database matching the search<br />
criteria will be added as a viable recipient.<br />
For each LDAP or database entry matching the search<br />
criteria, only the first certificate stored in that entry will<br />
be included, regardless of use type designated in the<br />
certificate or its valid date period. This use case<br />
depends on the certificate loading order used in the<br />
LDAP or database.<br />
For each LDAP or database entry matching the search<br />
criteria, only the last certificate stored in that entry will<br />
be included, regardless of use type designated in the<br />
certificate or its valid date period. This use case depends<br />
on the certificate loading order used in the LDAP or<br />
Database.<br />
For each LDAP or database entry matching the search<br />
criteria, the most recent certificate stored in that entry<br />
will be included, regardless of use type designated in the<br />
certificate. Note that if multiple certificates are found<br />
within an LDAP entry, certificates with their validity<br />
period not yet starting will be excluded unless they are<br />
the only certificates within the entry. In that case, the<br />
first certificate found will be selected.<br />
For each LDAP or database entry matching the search<br />
criteria, the first certificate found with a use type set <strong>for</strong><br />
encryption stored in that entry will be included,<br />
regardless of its valid date period. This use case<br />
depends on the certificate loading order used in the<br />
LDAP. If no entries are found with the use type set to<br />
encryption, then the first certificate found in the LDAP or<br />
database entry will be selected.<br />
190
*LASTVALID<br />
*LATESTVALID<br />
For each LDAP or database entry matching the search<br />
criteria, the last certificate found with a use type set <strong>for</strong><br />
encryption stored in that entry will be included,<br />
regardless of its valid date period. This use case<br />
depends on the certificate loading order used in the<br />
LDAP. If no entries are found with the use type set to<br />
encryption, then the first certificate found in the LDAP or<br />
database entry will be selected.<br />
For each LDAP entry matching the search criteria, the<br />
most recent certificate found with a use type set <strong>for</strong><br />
encryption also having the “best” date range <strong>for</strong> its<br />
validity period. This use case depends on the certificate<br />
loading order used in the LDAP. If no entries are found<br />
with the use type set to encryption, then the most<br />
recent certificate found in the LDAP entry will be<br />
selected. Note that if multiple certificates are found<br />
within an LDAP entry, certificates with their validity<br />
period not yet starting will be excluded unless they are<br />
the only certificates within the entry. In that case, the<br />
first certificate found will be selected.<br />
Note: Regardless of the option selected, at least one certificate will be selected from<br />
an LDAP or database entry. Each certificate selected must be in valid X.509 publickey<br />
<strong>for</strong>mat.<br />
Cert. Secure Type (*NONE| *ENCRYPTION| *SIGNING| |*SAME)<br />
The certificate secure type <strong>for</strong>ces the strict en<strong>for</strong>cement of digital certificate based<br />
upon on their purpose. An example would be if a certificate was <strong>for</strong> signing only and<br />
did not allow encryption then by specifying *ENCRYPTION, the certificate would not<br />
be valid.<br />
CERTDB<br />
Certificate DataBase Locator:<br />
Active? . . . . . . . . . . > *YES<br />
*NO, *YES, *SAME<br />
Store Type . . . . . . . . > *LIB<br />
*LIB, *SAME<br />
Sequence . . . . . . . . . > 0 0-9<br />
Library . . . . . . . . . . > PKW81051S DB Library<br />
Search Mode . . . . . . . . > *EMAIL *EMAIL, *CN, *SAME<br />
Or<br />
CERTDB(*YES *LIB 0 PKW81051S *EMAIL)<br />
The certificate locator database parameter activates and defines the location and<br />
defaults of the certificate locator database files. There are five options.<br />
Active? (*YES|*NO|*SAME)<br />
To utilize the certificate locator database you must set this option to *YES. If this is<br />
*NO then all attempts to use the *DB option on recipients parameter in ZIP and<br />
UNZIP will fail.<br />
191
Store Type (*LIB|*SAME)<br />
The store type specifies what type of database store. At this time only *LIB <strong>for</strong><br />
library is allowed.<br />
Sequence (1-9*SAME)<br />
The sequence defines the sequence of the database search when using the *SYSTEM<br />
option. This is reserved <strong>for</strong> future releases<br />
Library (Library name|*SAME)<br />
This defines where the database store exist and is used in combination with the<br />
“Store Type”. At this time only *LIB is allowed, so this option will define the library<br />
where the SecureZIP databases exist.<br />
Search Mode Default<br />
(*EMAIL|*CN|*SAME)<br />
The Search Mode default defines what type of search should be used when<br />
per<strong>for</strong>ming a database search and the search string prefix is not ‘CN=’ nor ‘EM=’.<br />
*EMAIL will use the email address contained in the certificate and *CN will use the<br />
common name of the certificate.<br />
CSPUB<br />
Certificate PUBLIC Store:<br />
Store Type . . . . . . . . > *PATH<br />
*PATH, *SAME<br />
Sequence . . . . . . . . . > 1 0-9<br />
Store Location . . . . . . > '/pkzshare/CStores/public'<br />
Or<br />
CSPUB(*PATH 1 '/pkzshare/CStores/public')<br />
The certificate public store parameter defines the location and defaults <strong>for</strong> the public<br />
certificate store. A store location is required <strong>for</strong> certificate processing. Currently<br />
there are three options.<br />
Store Type (*PATH|*SAME)<br />
The store type specifies the type of store. At this time only *PATH is allowed and<br />
defines the “store Location” as a path in the integrated file system (IFS).<br />
Sequence (1-9|*SAME)<br />
The Sequence option defines the sequence of the public search when using the<br />
*SYSTEM option. This is reserved <strong>for</strong> future releases.<br />
Store Location (location name|*SAME)<br />
This defines the IFS path where the certificate store <strong>for</strong> individual public-key X.509<br />
certificates resides on the local system.<br />
192
CSPRVT<br />
Certificate PRIVATE Store:<br />
Store Type . . . . . . . . > *PATH<br />
*PATH, *SAME<br />
Sequence . . . . . . . . . > 0 0-9<br />
Store Location . . . . . . > '/pkzshare/CStores/private'<br />
Or CSPRVT(*PATH 0 '/pkzshare/CStores/private')<br />
The private certificate store parameter defines the location and defaults <strong>for</strong> the<br />
private certificate store. A store location is required <strong>for</strong> certificate processing.<br />
Currently there are three options.<br />
Store Type (*PATH|*SAME)<br />
The store type specifies the type of store. At this time only *PATH is allowed and<br />
defines the “Store Location” as a path in the IFS.<br />
Sequence (1-9 |*SAME)<br />
The Sequence defines the sequence of the private search when using the *SYSTEM<br />
option. This is reserved <strong>for</strong> future releases.<br />
Store Location (location name|*SAME)<br />
This defines the IFS path where the certificate store <strong>for</strong> individual private-key X.509<br />
certificates resides on the local system.<br />
Usage Notes<br />
Private keys require a password to use or open.<br />
CSCA<br />
Certificate CA Store:<br />
Store Type . . . . . . . . > *FILE<br />
*FILE, *SAME<br />
Sequence . . . . . . . . . > 0 0-9<br />
Store Location . . . . . . > '/pkzshare/CStores/CA/pkwareCA.store'<br />
Or:<br />
CSCA(*FILE 0 '/pkzshare/CStores/CA/ pkwareCA.store')<br />
The certificate authority store parameter defines the location and defaults <strong>for</strong> the<br />
certificate authority store. A certificate authority store location is required to validate<br />
the certificate <strong>for</strong> trust and certificate revocation. Currently there are three options.<br />
Store Type (*FILE|*SAME)<br />
The store type specifies the type of store. At this time only *FILE is allowed to define<br />
the “Store Location” as a path/file in the IFS.<br />
193
Sequence (1-9 |*SAME)<br />
The Sequence defines the sequence of the private search when using the *SYSTEM<br />
option. This is reserved <strong>for</strong> future releases.<br />
Store Location (location name|*SAME)<br />
This defines the IFS full path and file name where the certificate authority store <strong>for</strong><br />
public-key X.509 certificates reside on the local system. This store file is a file with a<br />
PKCS#7 <strong>for</strong>mat.<br />
CSROOT<br />
Certificate ROOT Store:<br />
Store Type . . . . . . . . > *FILE<br />
*FILE, *SAME<br />
Sequence . . . . . . . . . > 0 0-9<br />
Store Location . . . . . . > '/pkzshare/CStores/Root/pkwareRoot.store'<br />
Or<br />
CSROOT(*FILE 0 '/pkzshare/CStores/Root/ pkwareRoot.store')<br />
The certificate root store parameter defines the location and defaults <strong>for</strong> the trusted<br />
root public store. A root store location is required to validate the certificate <strong>for</strong> trust<br />
and certificate revocation. Currently there are three options.<br />
Store Type (*FILE|*SAME)<br />
The store type specifies the type of store. At this time only *FILE is allowed to define<br />
the “Store Location” as a path/file in the IFS.<br />
Sequence (1-9 |*SAME)<br />
The sequence defines the sequence <strong>for</strong> the private search when using the *SYSTEM<br />
option. This is reserved <strong>for</strong> future releases.<br />
Store Location (location name|*SAME)<br />
This defines the IFS full path and file name where the trusted root public store <strong>for</strong><br />
trusted root public-key X.509 certificates resides on the local system. This store file<br />
is a file with a PKCS#7 <strong>for</strong>mat.<br />
CSCRL<br />
Certificate CRL Store:<br />
Store Type . . . . . . . . > *FILE<br />
*FILE, *SAME<br />
Sequence . . . . . . . . . > 0 0-9<br />
Store Location . . . . . . > '/pkzshare/CStores/CRL/pkwareCRL.store'<br />
Or<br />
CSCRL(*FILE 0 '/pkzshare/CStores/ pkwareCRL.store')<br />
The certificate CRL store parameter defines the location and defaults <strong>for</strong> the<br />
Certificate Revocation Store. A CRL store location is required to per<strong>for</strong>m certificate<br />
revocation which is set in REVKEPOL parameter. Currently only a Static CRL is<br />
available and has three options.<br />
194
Store Type (*FILE|*SAME)<br />
The store type specifies the type of store. At this time only *FILE is allowed to define<br />
the “Store Location” as a path/file in the IFS.<br />
Sequence (1-9 |*SAME)<br />
The sequence defines the sequence of the private search when using the *SYSTEM<br />
option. This is reserved <strong>for</strong> future releases.<br />
Store Location (location name|*SAME)<br />
This defines the IFS full path and file name where the CRL (Certificate Revocation<br />
List) store resides on the local system. This store file is a file with a PKCS#7 <strong>for</strong>mat.<br />
CWRKPATH<br />
Certificate Work Path:<br />
Path Location . . . . . . > '/pkzshare/CStores/CTemp'<br />
Or<br />
CWRKPATH ('/pkzshare/CStores/CTemp')<br />
The certificate administration tools and certificate utility tools require the use of a<br />
temporary area in order to write temporary files during a process. CWRKPATH<br />
defines the path where the utilities can create and destroy temporary files. This area<br />
should give *PUBLIC full rights.<br />
Path Location (Path name |*NONE |*SAME)<br />
Specify the full path name <strong>for</strong> the certificate working path. If no changes are<br />
required, use *SAME. If the current path is to be cleared, use *NONE. Note by not<br />
defining a working path certain certificate utilities may operate correctly.<br />
ENTPREC<br />
Enterprise Encrypt Recipient:<br />
LookUp Type . . . . . . . . > *MBRSET *NONE, *DB, *LDAP, *FILE...<br />
Recipient . . . . . . . . . > 'pkwareCertAdmin04.cer'<br />
Required . . . . . . . . . . > *RQD *RQD *OPT, *SAME<br />
Or ENTPREC(*MBRSET 'pkwareCertAdmin04.cer' *RQD)<br />
The enterprise encrypt recipient (contingency key) parameter defines the enterprise<br />
or corporate defined recipient which should be included as a global or administrative<br />
access recipient. This enables the enterprise to decrypt and access the file(s) when<br />
other Recipients are no longer able or eligible.<br />
The specification of this recipient does not trigger encryption to take place during ZIP<br />
processing in the same way as – ENTPREC parameter in the ZIP command. However,<br />
once strong encryption is specified, the value of this parameter is implicitly included<br />
in the run as if a - ENTPREC command had been invoked. This parameter follows the<br />
syntax of the ENTPREC in the PKZIP and PKUNZIP commands.<br />
195
Currently there are three options.<br />
Lookup Type (*NONE |*DB |*LDAP |*FILE |*MBRSET |*SAME)<br />
The lookup type would be the type of recipient search that will be used <strong>for</strong> the<br />
recipient string.<br />
• *NONE - Indicates no enterprise recipient is supplied.<br />
• *DB - The recipient string is defined to search using the certificate locator<br />
database to access the enterprise certificate.<br />
• *LDAP - The recipient string is defined to search using the LDAP server to<br />
access the enterprise certificate.<br />
• *FILE - The recipient string is defined to search using a specific path and file<br />
in the IFS to access the enterprise certificate.<br />
• *MBRSET - The recipient string is defined to search using a file in the<br />
enterprise public certificate store to access the enterprise certificate.<br />
Recipient (The recipient file or name)<br />
The common name (CN=) or email address (EM=) of the recipient(s). Also, the<br />
location on the Inlist file containing the recipient name(s).<br />
Required (*RQD|*OPT|*SAME)<br />
If *RQD, then anytime the ENTPREC is evoked in the PKZIP command, the recipient<br />
defined here is required <strong>for</strong> the ZIP process to complete successfully.<br />
LDAPACTV<br />
LDAP Definitions:<br />
Nbr Active LDAPs . . . . . > 3<br />
1-3, *NONE, *SAME<br />
Or<br />
LDAPACTV(3)<br />
LDAPACTV define how many active LDAPS will be defined <strong>for</strong> SecureZIP. Currently<br />
the maximum is three.<br />
LDAP1<br />
Primary LDAP:<br />
1 Network Name . . . . . . > '192.168.111.28'<br />
1 Port . . . . . . . . . . > 389 1-9999<br />
1 Sequence . . . . . . . . > 1 0-9<br />
1 TimeOut . . . . . . . . . > 0 0-9999<br />
1 Access User . . . . . . . > 'PKWAREADDEV\test'<br />
1 Access Password . . . . . > 'xxxx'<br />
1 Search Mode . . . . . . . > *EMAIL *EMAIL, *CN<br />
1 Start Node . . . . . . . > 'cn=users,dc=pkwareaddev,dc=com'<br />
196
Or<br />
1 Test . . . . . . . . . . > N N, Y<br />
LDAP1('192.168.111.28' 389 1 0 'PKWAREADDEV\test' 'xxxx' *EMAIL<br />
'cn=users,dc=pkwareaddev,dc=com' N)<br />
The LDAP1, LDAP2 and LDAP3 parameters define from 1 to 3 LDAP server<br />
configurations. To access the LDAP, see your directory services administrator <strong>for</strong> the<br />
LDAP servers. Currently there are nine options <strong>for</strong> each LDAP.<br />
Network Name (LDAP Server |*SAME)<br />
The LDAP network name can be either the TCP/IP address of the LDAP server or if<br />
name resolution is supported this can be the server’s name.<br />
Port (1-9999 |389)<br />
Specifies the TCP port number the LDAP server is listening on. The standard LDAP<br />
port is 389, but each installation may vary, especially if it is a secured port.<br />
Sequence (0-9|*SAME)<br />
Specifies the search sequence of databases and LDAP servers. This is reserved <strong>for</strong><br />
future releases.<br />
Timeout (0-9999|*SAME)<br />
Specifies the maximum number of seconds to wait <strong>for</strong> search results. 0 will use the<br />
default defined <strong>for</strong> the LDAP server.<br />
Access User (Name of User|*SAME)<br />
The distinguished name of the entry user that will be used to bind.<br />
Access Password (Password |*SAME)<br />
The credentials with which to authenticate the access user. Arbitrary credentials can<br />
be passed using this parameter. In most cases, this is the password <strong>for</strong> the access<br />
user.<br />
Search Mode (*CN|*EMAIL|*SAME)<br />
Specifies the default LDAP search mode that will be used if neither CN= nor EM= are<br />
prefixed on the recipient selection string.<br />
Start Node (Distinguished name of where to start|*SAME)<br />
Specifies the distinguished name of the entry at which to start the search (at what<br />
potion of the LDAP structure should the search begin)<br />
Test (Y|N)<br />
Specify whether to Test the current LDAP. By coding this option to a Y <strong>for</strong> YES, then<br />
after the command has updated the security configuration file, a verification test will<br />
197
e per<strong>for</strong>med <strong>for</strong> this LDAP. For more in<strong>for</strong>mation on the results see the PKLDAPTST<br />
(Test LDAP) command.<br />
LDAP Usage Notes:<br />
Please be aware that the LDAP may not contain any encryption certificate validation<br />
policies. If the end user specifies only the LDAP, without a local CA and root stores<br />
<strong>for</strong> the environment, then the SecureZIP default validation settings of TRUSTED and<br />
REVOKED will be en<strong>for</strong>ced <strong>for</strong> the run. This will cause the run to fail during<br />
validation of the trusted certificate path because there are no CA and Root<br />
certificates available <strong>for</strong> processing. If you wish to execute the SecureZIP with the<br />
LDAP only, then you will need to set your security environment policies or run policy<br />
<strong>for</strong> the authentication and encryption validation policies in the run <strong>for</strong> to exclude<br />
trust and revoke filters:<br />
AUTHPOL(*WARN *NONE (*ALL *NOTTRUSTED *NOTREVOKED))<br />
ENCRYPOL(*WARN (*ALL *NOTTRUSTED *NOTREVOKED))<br />
Windows Compatibility<br />
When using BSAFE AES encryption with recipients, there is a cross-system<br />
compatibility issue to be addressed by the user community. Windows operating<br />
systems running pre-Win/XP may experience a decryption problem depending on the<br />
state of the private-key certificate on the workstation. During the Windows certificate<br />
import process, a dialog check-box "Mark the private key as exportable" may be<br />
selected. If this option was not selected, then Windows will not allow an AES<br />
encrypted file to be decrypted unless the master session key was wrapped with<br />
3DES.<br />
The security configuration parameter SECTYPE option "AES 3DES Keys" is introduced<br />
with RECIPIENT processing which allows the SecureZIP user to create AES-encrypted<br />
files that are compatible with older Windows workstations. When turned on, the<br />
MSK3DES flag is set in the NDH/DIB; indicating that the master session key<br />
in<strong>for</strong>mation is protected with 3DES when recipients are specified.<br />
PKZIP <strong>for</strong> Windows has a variance in processing between 6.0 and 7.x due to OAEP<br />
processing. PKZip <strong>for</strong> Windows 5.0 through 6.0 used OAEP processing. However, that<br />
was found to be incompatible with smartcards, so 6.1 and above began setting the<br />
NO_OAEP flag in the NDH/DIB flags and stopped creating OAEP encryption-mode<br />
files.<br />
198
14 PKLDAPTST “LDAP Test” Command<br />
PKLDAPTST Command Summary with Parameter Keyword<br />
Format<br />
PKLDAPTST is a utility command to assist in testing the LDAP servers that SecureZIP<br />
will use. This command is included to assist with the LDAP parameters and to verify<br />
LDAP access along with time access.<br />
Keywords are demarcated by spaces. In many cases there are multiple entries <strong>for</strong> a<br />
parameter where each entry is again demarcated by spaces. For more in<strong>for</strong>mation<br />
about command process reference the IBM Home page <strong>for</strong> your version of the<br />
operating system.<br />
ACTION ( ({*SUMMARY} )<br />
{*DETAILS }<br />
SNAME ( Server Name or IP )<br />
{Network IP address or server Name }<br />
PORT ( Port Number )<br />
{389 }<br />
{1-9999 }<br />
USER ( Access User )<br />
{LDAP User <strong>for</strong> Access }<br />
PASSWORD ( Access Password )<br />
{User Password }<br />
STRNODE ( Start Node )<br />
{Start Node Text String }<br />
SEARCHFT ( Search Filter )<br />
{'(cn=*)(userCertificate=*)'}<br />
{ valid LDAP Search String }<br />
199
MAXI ( Max Item )<br />
{0-9999 }<br />
PKLDAPTST Command Keyword Details<br />
ACTION - Action Type<br />
ACTION (*SUMMARY|*DETAILS)<br />
Specifies how much to display.<br />
*SUMMARY will show the times and the count of items returned.<br />
*DETAILS will show the common name of all LDAP items selected.<br />
SNAME - Server Name or IP<br />
SNAME (LDAP Server)<br />
The LDAP Server name can be either the TCP IP address of the LDAP server or if<br />
name resolution is supported this can be the server’s name.<br />
PORT - Port Number<br />
PORT (389 | 1-9999)<br />
Specifies the TCP port number the LDAP server is listening on. The standard LDAP<br />
ports is 389 but each installation may vary, especially if it is a secured port.<br />
USER - Access User<br />
USER (Distinguish name of an authorized user <strong>for</strong> access)<br />
Specifies the distinguished name of the entry user that will be used to bind the LDAP<br />
server.<br />
200
PASSWORD - Access Password<br />
PASSWORD (Password of the Access User if available)<br />
Specifies the credentials with which to authenticate the access user. Arbitrary<br />
credentials can be passed using this parameter. In most cases, this is the password<br />
<strong>for</strong> the access user.<br />
STRNODE - Start Node<br />
STRNODE (Start Node Text String)<br />
Specifies the distinguished name of the entry at which to start the search (at what<br />
potion of the LDAP structure should the search begin).<br />
SEARCHFT - Search Filter<br />
SEARCHFT ('(cn=*)(userCertificate=*)'| valid LDAP Search String)<br />
Specifies the LDAP search string <strong>for</strong> the Test. The text must be a valid LDAP search<br />
string. The default string is '(CN=*)(userCertificate=*)', which will search <strong>for</strong> all<br />
common names that have a user certificate.<br />
MAXI - Max Item<br />
MAXI (100| 0-9999)<br />
Specifies the maximum numbers of LDAP items to return <strong>for</strong> the test run. If this<br />
value exceeds the value defined <strong>for</strong> the LDAP server, it will take president over the<br />
MAXI value.<br />
Sample Test:<br />
SecureZIP LDAP Test<br />
8.1 (PKLDAPTST)<br />
Type choices, press Enter.<br />
Action Type . . . . . . . . . . *SUMMARY *SUMMARY, *DETAIL<br />
Server Name or IP . . . . . . . > '192.168.132.25'<br />
Port Number . . . . . . . . . . 389 Character value<br />
Access User . . . . . . . . . . > 'PKWAREADDEV\test'<br />
Access Password . . . . . . . .<br />
Start Node . . . . . . . . . . . > 'cn=users,dc=pkwareaddev,dc=com'<br />
Search Filter . . . . . . . . . '(cn=*)(userCertificate=*)'<br />
Max Item . . . . . . . . . . . . > 100<br />
Character value<br />
Or:<br />
PKLDAPTST SNAME('192.168.132.25') USER('PKWAREADDEV\test')<br />
PASSWORD() STRNODE('cn=users,dc=pkwareaddev,dc=com') MAXI(100)<br />
201
Results:<br />
PKLDAPTEST LDAP Test Starting 2004/07/22 06:23:34<br />
PKLDAPTESTT Parameters:Action<br />
- Server Port<br />
- User Password<br />
- Start Node<br />
- Search Filter<br />
- Max Items to Search ,100<br />
LDAP_intialTest - --LDAP init ..... elasp time 0.000000 seconds<br />
LDAP_intialTest - --SizeLimit=100 TimeLimit=0<br />
LDAP_intialTest - --LDAP bind ..... elasp time 0.000000 seconds<br />
LDAP_intialTest - --LDAP Search ..... elasp time 0.000000 seconds<br />
LDAP_intialTest - --LDAP Search ...... 21 entries found<br />
LDAP_intialTest - --LDAP Attributes ..... elasp time 0.000000 seconds<br />
LDAP_intialTest - Total Entries=21<br />
PKLDAPTESTT LDAP Testing Ending RC=0<br />
Or:<br />
LDAP1('192.168.111.28' 389 1 0 'PKWAREADDEV\test' 'xxxx'<br />
*EMAIL'cn=users,dc=pkwareaddev,dc=com' N)<br />
202
15 PKBLDCDB “Build Certificate<br />
Database” Command<br />
PKBLDCDB Command Summary with Parameter Keyword<br />
Format<br />
PKBLDCDB is a utility command to build the certificate locator database files and set<br />
the security of the certificate file in the IFS.<br />
NOTE: In order to use PKBLDCDB, the user must have the proper authority <strong>for</strong> the<br />
path/file and <strong>for</strong> the CHGAUT command.<br />
Keywords are demarcated by spaces. In many cases there are multiple entries <strong>for</strong> a<br />
parameter where each entry is again demarcated by spaces. For more in<strong>for</strong>mation<br />
about the command process, reference the IBM home page <strong>for</strong> your version of the<br />
operating system.<br />
MAINT ( Processing Type )<br />
{*UPDATE }<br />
{*TEST }<br />
{*VERIFY }<br />
MTYPE ( Maint. Type )<br />
{*FILE }<br />
{*DIRECTORY }<br />
CTYPE ( Certificate Type )<br />
{*PUBLIC }<br />
{*PRIVATE }<br />
FNAME ( Path/File Name )<br />
{Path and/or file name }<br />
PASSWORD ( Cert Password )<br />
{Certificate Private Key Password }<br />
DUPOPT ( Replace Duplicates )<br />
{*REPLACE}<br />
{*NOREPLACE}<br />
203
LOGLVL ( Logging Level )<br />
{*LOG }<br />
{*NOLOG }<br />
{*MAXLOG }<br />
OWNER ( Cert. Owner )<br />
{QPGMR }<br />
{*NONE }<br />
{Vaild User Id }<br />
PUBAUTH ( PUBLIC Authority Settings: )<br />
New data authorities {*SAME }<br />
{*RWX}<br />
{*RX}<br />
{*RW}<br />
{*WX}<br />
{*R }<br />
{*W }<br />
{*X }<br />
{*EXCLUDE}<br />
New object authorities {*SAME }<br />
{*ALL }<br />
{*OBJEXIST}<br />
{*OBJMGT}<br />
{*OBJALTER}<br />
{*OBJREF}<br />
{*NONE}<br />
UIDAUTH ( New ID Authority Settings: )<br />
New User ID {*CURRENT }<br />
{Valid User Id }<br />
New data authorities {*SAME }<br />
{*RWX}<br />
{*RX}<br />
{*RW}<br />
{*WX}<br />
{*R }<br />
{*W }<br />
{*X }<br />
{*EXCLUDE}<br />
New object authorities {*SAME }<br />
{*ALL }<br />
{*OBJEXIST}<br />
{*OBJMGT}<br />
{*OBJALTER}<br />
{*OBJREF}<br />
{*NONE}<br />
PKBLDCDB Command Keyword Details<br />
MAINT - Processing Type<br />
MAINT (*UPDATE |*TEST |*VERIFY)<br />
The processing type determines the action that PKBLDCDB.<br />
204
*UPDATE will update the certificate locator database.<br />
*VERIFY will scan the certificate locator database and validate that all the files in the<br />
database still exist in their store. If the DUPOPT parameter is *REPLACE and the file<br />
in the database does not exist, that database record will be removed.<br />
*TEST will simulate updating the certificate locator database, but will not per<strong>for</strong>m<br />
any posting. This command is helpful to review <strong>for</strong> errors and/or counts.<br />
MTYPE - Maintenance Type<br />
MTYPE (*FILE|*DIRECTORY)<br />
The maintenance type determines the type of path/file name in the parameter<br />
FNAME. If *FILE, then FNAME should be a specific certificate file (fully qualified path<br />
included). If *DIRECTORY, the FNAME should be the fully qualified path that will be<br />
scanned <strong>for</strong> the certificate file.<br />
CTYPE - Certificate Type<br />
CTYPE (*PUBLIC|*PRIVATE)<br />
CTYPE specifies the type of certificates (private or public) will be processed in this<br />
run.<br />
*PUBLIC specifies that only a public certificate should be processed. No password<br />
should be supplied.<br />
*Private indicates that only private-key certificates should be processed and requires<br />
a password be entered.<br />
FNAME - Path/File Name<br />
FNAME (Path and/or file name )<br />
The contents of FNAME contain the IFS file or directory that will be used to update<br />
the certificate locator database. To use a specific file, code MTYPE(*FILE) and enter<br />
the full path and file name of the specific certificate file. If MTYPE(*DIRECTORY),<br />
then enter the IFS fully qualified directory that PKBLDCDB will scan <strong>for</strong> certificates.<br />
If you have all your public certificates in one store, it is easy to use *DIRECTORY to<br />
update the database in one run. For the most part, the private key processing will<br />
usually use *FILE <strong>for</strong> the run since private key certificates require a unique<br />
password.<br />
If you want to use the path to the system store <strong>for</strong> public or private key certificates,<br />
and you want to enter only the file name, prefix the file name with {SP}. This inserts<br />
the appropriate system path <strong>for</strong> the path of the file name.<br />
For example: FNAME('{SP}myfile.cer'). If CTYPE(*PUBLIC), the path of the<br />
enterprise store will be something like '/myroot/cstore/public/myfile.cer'.<br />
205
PASSWORD - Certificate Password<br />
PASSWORD (Certificate Private Key Password)<br />
To access the contents of a private key certificate, processing requires the password<br />
assigned when the certificate was exported. When entering this password, note that<br />
it is used only to open the certificate to gather the database data and is not stored or<br />
saved. The certificate is not altered in any way.<br />
DUPOPT - Replace Duplicates<br />
DUPOPT (*REPLACE|*NOREPLACE)<br />
The DUPOPT is used with MAINT(*UPDATE) and MAINT(*VERIFY). When using<br />
MAINT(*UPDATE), DUPOPT(*REPLACE) will replace the database entry with new data<br />
when a duplicate entry is encountered. *NOREPLACE will only occur if a duplicate<br />
was not found.<br />
When using MAINT(*VERIFY) and a file in the certificate locator database cannot be<br />
found, PKBLCDB will remove the database entry <strong>for</strong> that file with<br />
DUPOPT(*REPLACE). With *NOREPLACE only an error message will be displayed.<br />
LOGLVL - Logging Level<br />
LOGLVL (*LOG|*NOLOG |*MAXLOG)<br />
Specifies the level of logging (printing/viewing) during a PKBLDCDB run.<br />
LOGLVL(*NOLOG) will only show a minimal amount of in<strong>for</strong>mation.<br />
LOGLVL(*MAXLOG) will show more details, with some of the detail useful only <strong>for</strong><br />
problem determination.<br />
OWNER - Cert. Owner<br />
OWNER (*NONE | New Object Owner ID)<br />
OWNER transfers object ownership <strong>for</strong> the IFS certificate files processed during a<br />
PKBLDCDB run from the current owner to the specified owner. The authority that<br />
other users have to the object does not change. Using *NONE will make no<br />
ownership changes.<br />
Note: In order <strong>for</strong> this change to work, the user running PKBLDCDB must have the<br />
authority to execute the CHGOWN command and must have the authority to change<br />
the files ownership. Otherwise an error will occur. The database will be updated but<br />
the ownership will not be changed.<br />
206
PUBAUTH - PUBLIC Authority Settings<br />
PUBLIC Authority Settings:<br />
New data authorities . . . . . *SAME *SAME, *RWX, *RX, *RW, *WX...<br />
New object authorities . . . . *SAME *SAME, *ALL, *OBJEXIST...<br />
+ <strong>for</strong> more values<br />
New data authorities {*SAME |*RWX |*RX |*RW |*WX |*R |*W |*X |*EXCLUDE}<br />
New object authorities {*SAME | *ALL | *OBJEXIST | *OBJMGT | *OBJALTER | *OBJREF<br />
| *NONE}<br />
The PUBAUTH allows the PKBLDCDB run to change the PUBLIC authorities on the IFS<br />
files that are processed. By specifying “PUBAUTH(*SAME (*SAME))”, PKBLDCDB will<br />
not alter the file authority <strong>for</strong> PUBLIC.<br />
The rules <strong>for</strong> the PUBAUTH parameter are the same as the CHGAUT command. For<br />
more in<strong>for</strong>mation about changing PUBLIC authorities and the explanation of the data<br />
and object authorities, see the CHGAUT command.<br />
Note: In order <strong>for</strong> this change work, the user running PKBLDCDB must have the<br />
authority to execute the CHGAUT command and must have the authority to change<br />
the IFS file authorities. Otherwise an error will occur. The database will be updated<br />
but the authorities will not be changed.<br />
For details of the new data authorities and new object authorities, see the UIDAUTH<br />
parameter where the user would specify *PUBLIC.<br />
UIDAUTH - New ID Authority Settings<br />
New ID Authority Settings:<br />
New User ID . . . . . . . . . *NONE User Id, *CURRENT, *NONE<br />
New data authorities . . . . . *SAME *SAME, *NONE, *RWX, *RX...<br />
New object authorities . . . . *SAME *SAME, *NONE, *ALL...<br />
+ <strong>for</strong> more values<br />
New User ID {*NONE |*CURRENT | Valid User ID}<br />
New data authorities {*SAME |*RWX |*RX |*RW |*WX |*R |*W |*X |*EXCLUDE}<br />
New object authorities {*SAME | *ALL | *OBJEXIST | *OBJMGT | *OBJALTER | *OBJREF<br />
| *NONE}<br />
The UIDAUTH allows the PKBLDCDB run to add/change a user’s authorities on the<br />
IFS files that are processed. Specifying UIDAUTH(*NONE) , no user authorities will<br />
be changed.<br />
The rules <strong>for</strong> UIDAUTH parameter are the same as the CHGAUT command. For more<br />
in<strong>for</strong>mation about changing object authorities and the explanation of the data and<br />
object authorities see the CHGAUT command.<br />
Note: In order <strong>for</strong> this change work, the user running PKBLDCDB must have the<br />
authority to execute the CHGAUT command and must have the authority to change<br />
207
the IFS file authorities. Otherwise an error will occur. The database will be updated<br />
but the authorities will not be changed.<br />
UIDAUTH options are:<br />
New User ID:<br />
Specifies the user ID to whom authorities <strong>for</strong> the named file object are being given.<br />
If user ID is not *NONE, the authorities are given specifically to that user. The user<br />
ID must be a valid <strong>iSeries</strong> user ID. *CURRENT will use the ID of the user that is<br />
running the PKBLDCDB command.<br />
New Data Authorities <strong>for</strong> the file:<br />
Specifies the data authorities being given to the user specified in the new user ID<br />
parameter. If a value other than *SAME is specified, the value replaces any data<br />
authorities (*OBJOPR, *READ, *ADD, *UPD, *DLT, and *EXECUTE) that the user<br />
currently has to the objects.<br />
The possible values are:<br />
*SAME<br />
*NONE<br />
*RWX<br />
*RX<br />
*RW<br />
*WX<br />
The user’s data authorities to the objects do not change.<br />
The user does not have any of the data authorities to<br />
the objects.<br />
The user is given *RWX authority to the objects. The<br />
user is given *RWX authority to per<strong>for</strong>m all operations<br />
on the object except those limited to the owner or<br />
controlled by object existence, object management,<br />
object alter, and object reference authority. The user<br />
can change the object and per<strong>for</strong>m basic functions on<br />
the object. *RWX authority provides object operational<br />
authority and all the data authorities.<br />
The user is given *RX authority to per<strong>for</strong>m basic<br />
operations on the object, such as run a program or<br />
display the contents of a file. The user is prevented<br />
from changing the object. *RX authority provides object<br />
operational authority and read and execute authorities.<br />
The user is given *RW authority to view the contents of<br />
an object and change the contents of an object. *RW<br />
authority provides object operational authority and data<br />
read, add, update, and delete authorities.<br />
The user is given *WX authority to change the contents<br />
of an object and run a program or search a library or<br />
directory. *WX authority provides object operational<br />
authority and data add, update, delete, and execute<br />
authorities.<br />
*R The user is given *R authority to view the contents of an<br />
object. *R authority provides object operational<br />
authority and data read authority.<br />
208
*W The user is given *W authority to change the contents of<br />
an object. *W authority provides object operational<br />
authority and data add, update, and delete authorities.<br />
*X The user is given *X authority to run a program or<br />
search a library or directory. *X authority provides<br />
object operational authority and data execute authority.<br />
*EXCLUDE<br />
Exclude authority prevents the user from accessing the<br />
object.<br />
New Object Authorities <strong>for</strong> the file(s):<br />
Specifies the object authorities being given to the user specified in the user<br />
parameter. If a value other than *SAME is specified, the value replaces any object<br />
authorities (*OBJEXIST, *OBJMGT, *OBJALTER, and *OBJREF) that the user<br />
currently has to the objects.<br />
The possible values are:<br />
*SAME<br />
*NONE<br />
*ALL<br />
*OBJEXIST<br />
*OBJMGT<br />
*OBJALTER<br />
*OBJREF<br />
The user's object authorities to the objects do not<br />
change.<br />
The user does not have any other object authorities<br />
(existence, management, alter, or reference). If<br />
*EXCLUDE or *AUTL is specified <strong>for</strong> the DTAAUT<br />
parameter, this value must be specified.<br />
All of the other object authorities (existence,<br />
management, alter, and reference) are given to the<br />
users. Or specify up to four (4) of the following values:<br />
The user is given object existence authority to the<br />
object.<br />
The user is given object management authority to the<br />
object.<br />
The user is given object alter authority to the object.<br />
The user is given object reference authority to the<br />
object.<br />
209
16 PKQRYCDB “Query Cert Database”<br />
Command<br />
PKQRYCDB Command Summary with Parameter Keyword<br />
Format<br />
PKQRYCDB is a utility command to query the certificate locator database files or a<br />
certificate file in the IFS.<br />
Keywords are demarcated by spaces. In many cases there are multiple entries <strong>for</strong> a<br />
parameter where each entry is again demarcated by spaces. For more in<strong>for</strong>mation<br />
about the command process reference the IBM home page <strong>for</strong> your version of the<br />
operating system.<br />
SecureZIP Query Cert Db 8.1 (PKQRYCDB)<br />
Type choices, press Enter.<br />
Processing Type . . . . . . . . *SUMMARY *SUMMARY, *LEVEL1, *ALL<br />
File Type . . . . . . . . . . . *DB *FILE, *DB, *P7B<br />
Certificate Type . . . . . . . . *ALL *PUBLIC, *PRIVATE, *ALL<br />
Selection Name . . . . . . . . . __________________________________________<br />
_____________________________<br />
Cert Password . . . . . . . . .<br />
Logging Level . . . . . . . . . *LOG *NOLOG, *LOG, *MAXLOG<br />
PKQRYCDB Command Keyword Details<br />
RUNTYPE - Processing Type<br />
RUNTYPE (*SUMMARY|*LEVEL1 |*SELECT|*ALL)<br />
The processing type determines the amount of details that PKQRYCDB will display.<br />
The possible type codes are:<br />
*SUMMARY - Shows only one line per selected item and is based on the<br />
selection type (CN= or EM=)<br />
*LEVEL1 - Displays the common name, email address and the certificate path<br />
and file name<br />
210
*SELECT - Displays a display file of certificates based on the selection type.<br />
The items can be browsed or selected <strong>for</strong> a detail display of the certificates. If<br />
the certificate dates have expired, the dates will be highlighted.<br />
*ALL - Displays a complete set of details <strong>for</strong> each certificate; could be 20-40<br />
lines per file<br />
FTYPE - File Type<br />
FTYPE (*FILE| *DB | *P7B)<br />
The file type determines the type of path/file name in the parameter FNAME.<br />
If *DB is selected, PKQRYCDB will search the database based on the contents<br />
of the FNAME. For example, CN=Bill* will search <strong>for</strong> all certificates with a<br />
common name that starts with Bill regardless of upper case or lower case.<br />
If *FILE is selected, then FNAME should be a very specific certificate file (full<br />
path included).<br />
*P7B will read a specific file that should be in a P7B <strong>for</strong>mat. It will then do a<br />
detailed display <strong>for</strong> the contents of the P7B certificate store.<br />
CTYPE - Certificate Type<br />
CTYPE (*ALL| *PUBLIC | *PRIVATE)<br />
CTYPE specifies the type of certificates, private or public, that will be processed in<br />
this run.<br />
*ALL will process both public and private certificates.<br />
*PUBLIC specifies that only public certificates should be processed. No<br />
password should be supplied.<br />
*PRIVATE indicates that only private-key certificates should be processed and<br />
requires that a password be entered.<br />
FNAME - File Name<br />
FNAME (Path/File name)<br />
If FTYPE is *DB, the FNAME contents will be the selection criteria <strong>for</strong> the certificate<br />
locator database. It should contain the prefix of the field to select, such as CN= <strong>for</strong><br />
common name and EM= <strong>for</strong> email address. Selection is not case-sensitive. If the<br />
selection ends in an asterisk (*), a generic selection is made <strong>for</strong> all certificates<br />
starting with the selection criteria.<br />
If FTYPE is *FILE, the contents of FNAME contains the IFS file that will used to query<br />
the certificate contents. Specify the full path and file name of the specific certificate<br />
file.<br />
211
PASSWORD - Certificate Password<br />
PASSWORD (Certificate Private Key Password)<br />
Processing the private key certificate with RUNTYPE(*ALL) requires the password<br />
used when the certificate was exported to open and gather the contents. The<br />
password is used only to open the certificate to gather the database data; it is not<br />
stored or saved. The certificate is not altered in any way.<br />
LOGLVL - Logging Level<br />
LOGLVL (*LOG|*NOLOG |*MAXLOG)<br />
Specifies the level of logging (printing/viewing) used during a PKQRYCDB run.<br />
LOGLVL(*NOLOG) shows only a minimal amount of in<strong>for</strong>mation. LOGLVL(*MAXLOG)<br />
shows more details, with some of detail useful only <strong>for</strong> problem determination.<br />
Sample Displays<br />
Request RUNTYPE(*SUMMARY) to generate and display a report containing additional<br />
in<strong>for</strong>mation about the certificate.<br />
PKQRYCDB RUNTYPE(*SUMMARY) FNAME('cn=will*')<br />
PKQRYCDB QUERY SecureZIP Cert DataBase starting------2004/11/16 07:37:28<br />
PKQRYCDB Start Search Summary <strong>for</strong> <br />
Public Key CN=William S. Somebody<br />
Public Key CN=William Somebody<br />
Public Key CN=William Somebody<br />
Private Key CN=William Somebody<br />
Public Key CN=William Somebody<br />
PKQRYCDB Run Totals:<br />
Total Records In Error =0<br />
Total Records Processed =5<br />
PKQRYCDB Scan ending------<br />
Request RUNTYPE(*Level1) to generate and display a report containing additional<br />
in<strong>for</strong>mation about the certificate.<br />
PKQRYCDB RUNTYPE(*LEVEL1) FNAME('cn=will*')<br />
212
PKQRYCDB QUERY SecureZIP Cert DataBase starting------2004/11/16 07:39:34<br />
PKQRYCDB Start Search Level 1 <strong>for</strong> <br />
Public Key CN=William S. Somebody<br />
EM=sombody@worldnet.att.net<br />
FN=William S. Somebody<br />
File <br />
Public Key CN=William Somebody<br />
EM=bill.Somebody@pkware.com<br />
FN=William Somebody<br />
File <br />
Public Key CN=William Somebody<br />
EM=bill.Somebody@pkware.com<br />
FN=William Somebody<br />
File <br />
Private Key CN=William Somebody<br />
EM=bill.Somebody@pkware.com<br />
FN=William Somebody<br />
File <br />
Public Key CN=William Somebody<br />
EM=bSomebody@pkware.com<br />
FN=William Somebody<br />
File <br />
PKQRYCDB Run Totals:<br />
Total Records In Error =0<br />
Total Records Processed =5<br />
PKQRYCDB Scan ending------<br />
Request RUNTYPE(*ALL) to generate and display a report containing additional<br />
in<strong>for</strong>mation about the certificate.<br />
PKQRYCDB RUNTYPE(*ALL) FTYPE(*FILE)<br />
FNAME('/pkzshare/CStores/public/billSomebody03.cer')<br />
PKQRYCDB QUERY SecureZIP Cert DataBase starting------2004/11/16 07:43:50<br />
---------------------------------------------------------<br />
Public Key Found File <br />
CN=William Somebody<br />
EM=bill.Somebody@pkware.com<br />
FN=William Somebody<br />
--- Certificate ---<br />
William Somebody<br />
Subject:<br />
O=VeriSign, Inc.<br />
OU=VeriSign Trust Network<br />
OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98<br />
OU=Persona Not Validated<br />
OU=Digital ID Class 1 - Microsoft Full Service<br />
CN=William Somebody<br />
E=bill.Somebody@pkware.com<br />
Issuer:<br />
O=VeriSign, Inc.<br />
OU=VeriSign Trust Network<br />
OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98<br />
CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated<br />
SerialNumber:<br />
3F55 2A91 2B5A 9F9B 46E0 D8A0 96DB DDAB<br />
NotBe<strong>for</strong>e:<br />
Mon Jul 21 19:00:00 2003<br />
NotAfter:<br />
Wed Jul 21 18:59:59 2004<br />
213
SHA-1 Hash of Certificate:<br />
D5 CE FF A5 72 EF B6 53 EA 75 F7 CA 2E 01 85 7B<br />
65 7C B8 E7<br />
Public Key Hash:<br />
6E 16 CF EF FA A0 99 25 2B 79 DE E6 23 C7 D7 42<br />
80 82 F3 E4<br />
End Entity<br />
PKQRYCDB Run Totals:<br />
Total Records In Error =0<br />
Total Records Processed =1<br />
PKQRYCDB Scan ending------<br />
The following table explains the fields of the certificate details in the display.<br />
Heading<br />
Subject<br />
Issuer<br />
SerialNumber<br />
NotBe<strong>for</strong>e/NotAfter<br />
SHA-1 Hash of Certificate<br />
Public Key Hash<br />
Key Usage<br />
Description<br />
In<strong>for</strong>mation about the entity to whom the certificate was<br />
issued<br />
In<strong>for</strong>mation about the entity that issued the certificate<br />
Serial number of the certificate<br />
Date range <strong>for</strong> which the certificate is valid<br />
The SHA-1 algorithm hash, or “thumbprint,” of the<br />
certificate<br />
The hash, or “thumbprint,” of the public key<br />
Key usage flags that determine how the certificate was<br />
intended to be used<br />
The public key hash value is the prime key used in the local certificate store index.<br />
The Issuer fields are composed of several x.509 subfields. The exact set varies. The<br />
following table describes some of the most commonly used.<br />
Code<br />
O<br />
OU<br />
CN<br />
E or EM<br />
C<br />
ST<br />
L<br />
Description<br />
Organization<br />
Organizational Unit<br />
Common Name<br />
Email address<br />
Country<br />
State or Province<br />
Locality or City<br />
The common name (CN) and email (E) fields can be searched to identify recipients.<br />
214
17 PKSTORADM “Certificate Store<br />
Administration” Command<br />
PKSTORADM Command Summary with Parameter Keyword<br />
Format<br />
PKSTORADM is a certificate store administration utility command to maintain the<br />
certificate authority (CA), trusted root, and certificate revocation list (CRL) stores.<br />
Be<strong>for</strong>e using this utility, define the three stores and their location with PKCFGSEC<br />
command.<br />
X.509 certificates may be imported to the local certificate store through the<br />
SecureZIP local certificate store administration tool PKSTORADM. These certificates<br />
are frequently obtained through another plat<strong>for</strong>m and (binary) transferred to the<br />
operational <strong>iSeries</strong> system <strong>for</strong> installation.<br />
Important Note: All X.509 certificates should be transferred to the local <strong>iSeries</strong><br />
environment in binary mode with no translation.<br />
When certificates are imported, you may either define which store a certificate<br />
should be placed in or let the certificate administration tool determine the<br />
appropriate store location based on the certificate type. You must tell the<br />
PKSTORADM what certificate file type and key type to import.<br />
<strong>iSeries</strong> UPDATE authority (or equivalent) must be granted to the system<br />
administrator responsible <strong>for</strong> altering the certificate store.<br />
PKSTORADM can import certificates to be added to your CA and/or to your TRUSTED<br />
ROOT STORES. It can also be used to import a CRL into your static CRL store. When<br />
building your stores, you should first install the trusted roots, followed by the CA<br />
certificates. Be<strong>for</strong>e importing a CRL file, its CA must be in the CA store.<br />
Usage Notes<br />
If a certificate is designated to be an end-entity certificate, it can be ignored, or a<br />
.cer file will be created in the public store path.<br />
It’s important that only known trusted roots be allowed to be added to your trusted<br />
root store. You should install a certificate to your root store only when you have<br />
confirmed its authenticity. To do this, contact the certificate authority listed in the<br />
candidate root certificate file. If you install a certificate to your root without<br />
confirming its authenticity, you may be creating a security risk. Once you install the<br />
215
certificate to your root store, SecureZIP will use it to complete future certificate trust<br />
chain validation processing associated with the certificate authority.<br />
PKSTORADM uses the SecureZIP utility PKCAADMN and most of the message issued<br />
will be from that utility. Messages that start with prefix ZPCA are from the<br />
PKCAADMN utility and be found in the message section. If there are no error<br />
messages, AQZ0049 will be issued and can be monitored. If an error is encountered,<br />
the escape message AQZ0050 will be issued and can be monitored.<br />
Keywords are demarcated by spaces. In many cases there are multiple entries <strong>for</strong> a<br />
parameter, with each entry again demarcated by spaces. For more in<strong>for</strong>mation about<br />
the command process, refer to the IBM home page <strong>for</strong> your version of the operating<br />
system.<br />
Type choices, press Enter.<br />
SecureZIP CA Store Admin 8.1 (PKSTORADM)<br />
Processing Type . . . . . . . . _________ *IMPORT, *LIST, *BROWSE...<br />
Preferred Store . . . . . . . .<br />
*CA, *ROOT, *CRL,*DETECT<br />
File Type . . . . . . . . . . . *CER *CER, *P7B, *CRL<br />
End Entities:<br />
Process End Entities? . . . . *NO *YES, *NO<br />
File Mode . . . . . . . . . . *UNIQUE *UNIQUE, *OVERWRITE<br />
Selection Name . . . . . . . . . ____________________________________________<br />
Cert Password . . . . . . . . . ____________________________________________<br />
Logging Level . . . . . . . . . *LOG *NOLOG, *LOG, *MAXLOG<br />
Temporary Controls . . . . . . . ____________ *SIMULATE<br />
PKSTORADM Command Keyword Details<br />
RUNTYPE - Processing Type<br />
RUNTYPE (*IMPORT |* LIST |*BROWSE |*VERIFY |*DELETE |*INITIALIZE)<br />
Specifies the processing type or action that PKSTORADM will per<strong>for</strong>m:<br />
*IMPORT<br />
*LIST<br />
*BROWSE<br />
*VERIFY<br />
Reads the input file (defined in the FNAME) with the file<br />
type (FTYPE) and add the certificates to the appropriate<br />
store defined with the preferred store STYPE.<br />
Provides a complete, detailed listing of all the certificates<br />
in the store defined in the STYPE parameter. No<br />
updating takes place.<br />
Provides a short display of all the certificates in the store<br />
defined in the STYPE parameter. No updating takes<br />
place.<br />
Tests the store defined with the STYPE parameter and<br />
verifies the condition of your store. No updating takes<br />
place.<br />
216
*DELETE<br />
*INITIALIZE<br />
Delete a certificate from either the CA or root store.<br />
First a browse list similar to the browse list <strong>for</strong> the short<br />
list will be displayed. Enter a ‘4’ <strong>for</strong> the option of the<br />
certificate to be deleted and press the ENTER key to<br />
display a confirmation message window. To complete<br />
the deletion, press F5 to delete or F12 to cancel. If<br />
*DETECT or *ALL is entered both stores will be<br />
displayed. Only one delete option of ‘4’ can be entered.<br />
Clears and initializes the store defined in the STYPE<br />
parameter. For this command to work, you must also<br />
type the word ‘Initialize’ in the FNAME parameter. Note:<br />
Take care when using the option because it clears all of<br />
your store’s current content.<br />
FTYPE - File Type<br />
FTYPE (*CER | *P7B | *CRL)<br />
Defines the <strong>for</strong>mat or package type that the input file contains:<br />
Format<br />
*CER (PEM)<br />
* P7B<br />
(PKCS#7)<br />
*CRL<br />
Description<br />
Contains a single public-key certificate. It may be in Base-64<br />
encoded (ASCII text with ASCII headers) or DER-encoded binary<br />
<strong>for</strong>mat.<br />
Common file extensions: .pem, .cer, .key<br />
Contains one or more CA (and or root) certificates or could also<br />
contain one or more CRL in a PKCS#7 <strong>for</strong>mat.<br />
Common file extension: .p7b<br />
Contains certificate revocation list in a CRL <strong>for</strong>mat issued by a<br />
certificate authority.<br />
Common file extension: .crl<br />
STYPE - Certificate Store<br />
STYPE (*DETECT | *CA |*ROOT |*CRL)<br />
STYPE specifies the type of certificates, private or public, to be processed in this run.<br />
*DETECT<br />
*CA<br />
*ROOT<br />
Detect will try to determine which store the certificate<br />
will be imported into. If *DETECT is used with<br />
RUNTYPE(*LIST) or RUNTYPE(*VERIFY), it is assumed to<br />
per<strong>for</strong>m on all stores.<br />
Certificate authority store defined in the CSCA<br />
parameter of PKCFGSEC.<br />
Trusted root store defined in the CSROOT parameter of<br />
PKCFGSEC.<br />
217
*CRL<br />
Static CRL (Certificate Revocation List) store defined in<br />
the CSCRL parameter of PKCFGSEC.<br />
ENDENTITY - End Entities<br />
End Entities:<br />
Process End Entities? . . . . *NO *YES, *NO<br />
File Mode . . . . . . . . . . *UNIQUE *UNIQUE, *OVERWRITE<br />
Or<br />
ENDENTITY(*YES *OVERWRITE)<br />
ENDENTITY specifies whether to automatically update end entity certificates when<br />
found through the PKBLDCDB process by building X.509 files in a DER-encoded<br />
binary <strong>for</strong>mat and placing the files in the public store path. The file name will be the<br />
name of the inputted file with a _EEx.cer suffixed at the end, where x is a sequence<br />
number. After adding you should run PKBLDCDB to record the latest public<br />
certificates.<br />
Process End Entities? (*YES|*NO)<br />
Specifies whether to build the end entity certificates in the public store path.<br />
*YES<br />
*NO<br />
If a p7b type file is being read that contains end entity<br />
certificates, the end entity certificates will have a file<br />
created <strong>for</strong> each certificate in the public store path, and<br />
a PKBLDCDB will be launched to update the database.<br />
Ignore end entity certificates.<br />
File Mode? (*UNIQUE|*OVERWRITE)<br />
Specifies action to take if a duplicate file is found in the public store path.<br />
* UNIQUE If a file is being generated and a duplicate name is<br />
found in the public store path, then the number will be<br />
incremented until no duplicate is found.<br />
*OVERWRITE<br />
If a duplicate file is found in the public store path, the<br />
file will be written over with the new file. If a duplicate is<br />
written over, then you should run a PKBLDCDB with<br />
*VERIFY to correct the locator database.<br />
FNAME - File Name<br />
FNAME (Path/File name)<br />
FNAME is the inputted IFS path and file name that will be used to import with the<br />
RUNTYPE(*IMPORT). If you specify RUNTYPE(INITIALIZE), then you must enter<br />
‘Initialize’ to initialize a store.<br />
218
PASSWORD - Certificate Password<br />
PASSWORD (Certificate Private Key Password)<br />
Reserved <strong>for</strong> future use. To process password protected P7B files that may contain a<br />
private key.<br />
LOGLVL - Logging Level<br />
LOGLVL (*LOG|*NOLOG |*MAXLOG)<br />
Specifies the level of logging (printing/viewing) used during a PKSTORADM run.<br />
LOGLVL(*NOLOG) shows a minimal amount of in<strong>for</strong>mation. LOGLVL(*MAXLOG)<br />
shows more details, with some of detail useful only <strong>for</strong> problem determination.<br />
CNTRLS - Logging Level<br />
CNTRLS (*NONE |*SIMULATE )<br />
Specifies special process controls <strong>for</strong> the run. At this time only *SIMULATE exits.<br />
*NONE<br />
*SIMULATE<br />
No special controls.<br />
Only valid with the RTYPE(*IMPORT). Simulates the run<br />
process and does not update the stores. Provides a way<br />
to see how and what would be added if an input file is<br />
added to the stores.<br />
Sample Displays<br />
The following example shows a simulation of adding an inputted CER type file to the<br />
root store.<br />
PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CER) STYPE(*ROOT)<br />
FNAME('/myroot/pkware/CStore/Testzips/pkwareRoot.cer')<br />
CNTRLS(*SIMULATE)<br />
PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 13:35:57<br />
ZPCA000I SUCCESS: Added certificate to store<br />
'/myroot/pkware/CStore/Root/pkwareRT.store'.<br />
DSN=/myroot/pkware/CStore/Testzips/pkwareRoot.cer;CER=1;FN=PKTESTDB<br />
Root;TP=A91CD312EFFEF51C8ABFEFD92C23FF67FBDBEBE3;SN=00;E=PKTESTDBRoot@nowhere.com<br />
;ROOT<br />
ZPCA846W WARNING: Simulation Requested. Nothing will be saved to the store.<br />
ZPCA000I SUCCESS: Saved certificate store<br />
'/myroot/pkware/CStore/Root/pkwareRT.store' to disk.<br />
ZPCA000I Added 0 of a possible 1 certificates to the ROOT store.<br />
ZPCA000I 0 certificates in the ROOT store be<strong>for</strong>e the Add command.<br />
ZPCA000I 0 certificates in the ROOT store after the Add command.<br />
ZPCA846W WARNING: Simulation Requested. Nothing will be saved to the store.<br />
PKSTORADM Store Admin ending------0<br />
PKSTORADM Completed Successfully<br />
219
The following example shows adding an inputted CER type file to the root store.<br />
Since a CER type file only has one certificate, one of a possible one certificate(s) was<br />
added. Since the store was initially empty, the number of certificates in the store<br />
be<strong>for</strong>e adding was zero, and the number after the add is one.<br />
PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CER) STYPE(*ROOT)<br />
FNAME('/myroot/pkware/CStore/Testzips/pkwareRoot.cer')<br />
PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 13:47:55<br />
ZPCA000I SUCCESS: Added certificate to store '/myroot/pkware/CStore/Root/<br />
pkwareRT.store'.<br />
DSN=/myroot/pkware/CStore/Testzips/pkwareRoot.cer;CER=1;FN=PKTESTDB<br />
Root;TP=A91CD312EFFEF51C8ABFEFD92C23FF67FBDBEBE3;SN=00;E=PKTESTDBRoot@nowhere.com<br />
;ROOT<br />
ZPCA000I SUCCESS: Saved certificate store<br />
'/myroot/pkware/CStore/Root/pkwareRT.store' to disk.<br />
ZPCA000I Added 1 of a possible 1 certificates to the ROOT store.<br />
ZPCA000I 0 certificates in the ROOT store be<strong>for</strong>e the Add command.<br />
ZPCA000I 1 certificates in the ROOT store after the Add command.<br />
PKSTORADM Store Admin ending------0<br />
PKSTORADM Completed Successfully<br />
This example also adds a certificate, but this time the file is destined <strong>for</strong> the CA<br />
store.<br />
PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CER) STYPE(*CA)<br />
FNAME('/myroot/pkware/CStore/Testzips/pkwareCA.cer')<br />
PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 13:51:22<br />
ZPCA000I SUCCESS: Added certificate to store<br />
'/myroot/pkware/CStore/CA/pkwareCA.store'.<br />
DSN=/myroot/pkware/CStore/Testzips/pkwareCA.cer;CER=1;FN=PKWARE Test Intermediate<br />
Cert;TP=2B3C27C30067690EFB77A8A84DAB1D39A1368906;SN=01;E=PKTESTDBIC@nowhere.com;C<br />
A<br />
ZPCA000I SUCCESS: Saved certificate store<br />
'/myroot/pkware/CStore/CA/pkwareCA.store' to disk.<br />
ZPCA000I Added 1 of a possible 1 certificates to the CA store.<br />
ZPCA000I 0 certificates in the CA store be<strong>for</strong>e the Add command.<br />
ZPCA000I 1 certificates in the CA store after the Add command.<br />
PKSTORADM Store Admin ending------0<br />
This example shows the verification action. Since the store type is STYPE(*DETECT),<br />
it verifies all of the stores.<br />
PKSTORADM RUNTYPE(*VERIFY) FTYPE(*CER) STYPE(*DETECT)<br />
PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 13:53:41<br />
ZPCA000I SUCCESS: CA Store '/myroot/pkware/CStore/CA/pkwareCA.store' verified<br />
successfully. 1 certificates found.<br />
ZPCA000I SUCCESS: Root Store '/myroot/pkware/CStore/Root/pkwareRT.store' verified<br />
successfully. 1 certificates found.<br />
220
ZPCA000I SUCCESS: CRL store '/myroot/pkware/CStore/CRL/pkwareCRL.store'<br />
successfully verified. 0 revocation lists found.<br />
PKSTORADM Store Admin ending------0<br />
The following example does a detail list. Since the store type is STYPE(*DETECT), all<br />
of the stores are listed. The list can get quite lengthy but may be needed to verify<br />
your store contents.<br />
PKSTORADM RUNTYPE(*LIST) FTYPE(*CER) STYPE(*DETECT)<br />
PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 13:57:38<br />
CA Store<br />
--------<br />
--- Certificate 1 ---<br />
PKWARE Test Intermediate Cert<br />
Subject:<br />
C=US<br />
S=Wisconsin<br />
L=Milwaukee<br />
O=PKWARE, Inc.<br />
OU=PKWARE, Inc. -- <strong>for</strong> test and evaluation purposes only<br />
CN=PKWARE Test Intermediate Cert<br />
E=PKTESTDBIC@nowhere.com<br />
Issuer:<br />
C=US<br />
S=Wisconsin<br />
L=Milwaukee<br />
O=PKWARE, Inc.<br />
OU=PKWARE, Inc. -- <strong>for</strong> test and evaluation purposes only<br />
CN=PKTESTDB Root<br />
E=PKTESTDBRoot@nowhere.com<br />
SerialNumber:<br />
01<br />
NotBe<strong>for</strong>e:<br />
Mon Dec 20 08:54:09 2004<br />
NotAfter:<br />
Sat Dec 14 08:54:09 2024<br />
SHA-1 Hash of Certificate(Thumbprint):<br />
2B 3C 27 C3 00 67 69 0E FB 77 A8 A8 4D AB 1D 39 A1 36 89 06<br />
Public Key Hash:<br />
72 C0 6D 05 C9 3E A9 6C 34 9C AD D0 8F 14 C0 8E 04 B0 E5 CF<br />
Certificate Authority<br />
--- Certificate 2 ---<br />
PKWARE Test Intermediate Cert A<br />
Subject:<br />
C=US<br />
S=Wisconsin<br />
L=Milwaukee<br />
O=PKWARE, Inc.<br />
OU=PKWARE, Inc. -- <strong>for</strong> test and evaluation purposes only<br />
CN=PKWARE Test Intermediate Cert A<br />
E=PKTESTDBICA@nowhere.com<br />
Issuer:<br />
C=US<br />
S=Wisconsin<br />
L=Milwaukee<br />
O=PKWARE, Inc.<br />
OU=PKWARE, Inc. -- <strong>for</strong> test and evaluation purposes only<br />
CN=PKTESTDB Root<br />
E=PKTESTDBRoot@nowhere.com<br />
SerialNumber:<br />
221
02<br />
NotBe<strong>for</strong>e:<br />
Tue Feb 8 11:38:17 2005<br />
NotAfter:<br />
Sun Dec 15 11:38:17 2024<br />
SHA-1 Hash of Certificate(Thumbprint):<br />
C4 05 A5 BC 36 94 21 49 D5 C2 12 CB 6C 21 3C 4F 1F E8 93 E6<br />
Public Key Hash:<br />
08 3B E9 79 78 15 E7 BA E9 00 90 00 D5 AC 92 BD 83 7A 8D 57<br />
Certificate Authority<br />
Root Store<br />
----------<br />
--- Certificate 1 ---<br />
PKTESTDB Root<br />
Subject:<br />
C=US<br />
S=Wisconsin<br />
L=Milwaukee<br />
O=PKWARE, Inc.<br />
OU=PKWARE, Inc. -- <strong>for</strong> test and evaluation purposes only<br />
CN=PKTESTDB Root<br />
E=PKTESTDBRoot@nowhere.com<br />
Issuer:<br />
C=US<br />
S=Wisconsin<br />
L=Milwaukee<br />
O=PKWARE, Inc.<br />
OU=PKWARE, Inc. -- <strong>for</strong> test and evaluation purposes only<br />
CN=PKTESTDB Root<br />
E=PKTESTDBRoot@nowhere.com<br />
SerialNumber:<br />
00<br />
NotBe<strong>for</strong>e:<br />
Mon Dec 20 08:21:34 2004<br />
NotAfter:<br />
Thu Dec 19 08:21:34 2024<br />
SHA-1 Hash of Certificate(Thumbprint):<br />
A9 1C D3 12 EF FE F5 1C 8A BF EF D9 2C 23 FF 67 FB DB EB E3<br />
Public Key Hash:<br />
9A C2 BA 79 76 20 64 5E 12 79 D9 74 4C A8 59 66 71 E9 C2 DD<br />
Self Signed<br />
Certificate Authority<br />
CRL Store<br />
---------<br />
PKSTORADM Store Admin ending------0<br />
The following example adds a CRL to the CRL store.<br />
PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CRL) STYPE(*CRL)<br />
FNAME('/myroot/pkware/CStore/Testzips/crl1.crl')<br />
PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 14:16:48<br />
ZPCA000I SUCCESS: Added certificate '/myroot/pkware/CStore/Testzips/crl1. crl' to<br />
store '/myroot/pkware/CStore/CRL/pkwareCRL.store'.<br />
ZPCA000I SUCCESS: Saved certificate store '/myroot/pkware/CStore/CRL/pkwa<br />
reCRL.store' to disk.<br />
222
ZPCA000I Added 1 out of 1 certificates to the CRL store.<br />
ZPCA000I 0 entries in the CRL store be<strong>for</strong>e the Add command.<br />
ZPCA000I 1 entries in the CRL store after the Add command.<br />
PKSTORADM Store Admin ending------0<br />
PKSTORADM Completed Successfully<br />
The following example displays a CRL listing.<br />
PKSTORADM RUNTYPE(*LIST) STYPE(*CRL)<br />
PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 14:20:59<br />
CRL Store<br />
---------<br />
--- CRL 1 ---<br />
PKWARE Test Intermediate Cert A<br />
Issuer:<br />
C=US;S=Wisconsin;L=Milwaukee;O=PKWARE, Inc.;OU=PKWARE, Inc. -- <strong>for</strong> test and<br />
evaluation purposes only;CN=PKWARE Test Intermediate Cert<br />
A;E=PKTESTDBICA@nowhere.com<br />
LastUpdate:<br />
Unknown<br />
NextUpdate:<br />
Unknown<br />
Revoked Serial Numbers (1):<br />
SerialNumber=01;<br />
IDHash=DA9F053EEF6684FC2BDF63962E24775EE81160ED;<br />
PKSTORADM Store Admin ending------0<br />
PKSTORADM Completed Successfully<br />
The following example demonstrates a *BROWSE display browse.<br />
PKSTORADM RUNTYPE(*BROWSE) STYPE(*ALL)<br />
3/23/05 08:17:01 Certificate Store Admin PKQCD01D<br />
Store Review Query<br />
Option Document<br />
CA 1 FN=Class 1 Public Primary Certification Authority<br />
CA 2 FN=Open Financial Exchange CA - Class 3,www.verisign.com/CPS Incor<br />
CA 3 FN=Open Financial Exchange CA - Class 3,www.verisign.com/CPS Incor<br />
CA 4 FN=PKWARE Test Intermediate Cert E<br />
CA 5 FN=VeriSign Class 2 CA - Individual Subscriber<br />
CA 6 FN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated<br />
CA 7 FN=Thawte Server CA<br />
CA 8 FN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated<br />
CA 9 FN=Thawte Premium Server CA<br />
CA 10 FN=PKWARE Test Intermediate Cert<br />
CA 11 FN=PKWARE Test Intermediate Cert A<br />
CA 12 FN=PKWARE Test Intermediate Cert F<br />
CA 13 FN=VeriSign, Inc.,VeriSign International Server CA - Class 3,www.v<br />
Root 1 FN=VeriSign Commercial Software Publishers CA<br />
Root 2 FN=VeriSign Individual Software Publishers CA +<br />
F3-Exit F9-Fold F12-Return<br />
223
F9 to Unfold:<br />
3/23/05 08:17:01 Certificate Store Admin PKQCD01D<br />
Store Review Query<br />
Option Document<br />
CA 1 FN=Class 1 Public Primary Certification Authority<br />
SN=00CDBA7F56F0DFE4BC54FE22ACB372AA55<br />
CA 2 FN=Open Financial Exchange CA - Class 3,www.verisign.com/CPS Incor<br />
. By Ref.,LIAB. LTD. (c) 97 VeriSign<br />
SN=1E47DBE0434AFB7AE84ABEF2EC2C7A6F<br />
CA 3 FN=Open Financial Exchange CA - Class 3,www.verisign.com/CPS Incor<br />
. By Ref.,LIAB. LTD. (c) 97 VeriSign<br />
SN=5C1CD1200795F810DE576AC1FCCBF8C6410E0812<br />
+<br />
F3-Exit F9-Fold F12-Return<br />
The following example demonstrates the importing of certificates from a p7b file that<br />
has the end entity certificate with the full path of CA and root certificates. If the CA<br />
and root already exist, the number of certificates in the stores will not increase. Note<br />
the file created in the public store <strong>for</strong> the end entity certificate. See the message<br />
(End Entity File created) where<br />
the suffix _EEx.cer was attached and the file written in the public store path.<br />
PKBLDCDB should now be run to add the certificate to the locator database. You<br />
should run with CNTRLS(*SIMULATE) first to make sure what you are adding to your<br />
CA and root stores is acceptable and trusted.<br />
PKSTORADM RUNTYPE(*IMPORT) FTYPE(*P7B) STYPE(*DETECT)<br />
ENDENTITY(*YES *UNIQUE)<br />
FNAME('/pkzshare/cstores/Inputs/carolineF2004.p7b')<br />
PKSTORADM SecureZIP CA Store Administration starting------2005/03/23 09:11:14<br />
ZPCA000I SUCCESS: Added certificate to store<br />
'/pkzshare/CStores/Root/pkwareRT.store'.<br />
DSN=/pkzshare/cstores/Inputs/carolineF2004.p7b;CER=2;FN=Class 1 Publi c Primary<br />
Certification Authority;TP=90AEA26985FF14804C434952ECE9608477AF556F<br />
;SN=00CDBA7F56F0DFE4BC54FE22ACB372AA55;ROOT<br />
ZPCA000I SUCCESS: Saved certificate store '/pkzshare/CStores/Root/pkwareRT.store'<br />
to disk.<br />
ZPCA000I SUCCESS: Added certificate to store '/pkzshare/CStores/CA/pkwareCA.store<br />
'. DSN=/pkzshare/cstores/Inputs/carolineF2004.p7b;CER=3;FN=VeriSign Class 1 CA I<br />
ndividual Subscriber-Persona Not Validated;TP=12519AE9CD777A560184F1FBD542152<br />
22E95E71F;SN=0D8B4FEEAAD2185BF4756A9D29E17FFB;CA<br />
ZPCA000I SUCCESS: Saved certificate store '/pkzshare/CStores/CA/pkwareCA.store' t<br />
o disk.<br />
ZPCA000I Added 1 of a possible 3 certificates to the stores.<br />
ZPCA000I Added 0 certificates to the CA store.<br />
ZPCA000I 12 certificates in the CA store be<strong>for</strong>e the Add command.<br />
ZPCA000I 12 certificates in the CA store after the Add command.<br />
ZPCA000I Added 0 certificates to the ROOT store.<br />
224
ZPCA000I 27 certificates in the ROOT store be<strong>for</strong>e the Add command.<br />
ZPCA000I 27 certificates in the ROOT store after the Add command.<br />
ZPCA000I 1 end entities written to the<br />
'/pkzshare/cstores/CWrkPath/SZdbfbecc7.tmp' output file.<br />
End Entity File created.<br />
PKSTORADM Store Admin ending------0<br />
PKSTORADM Completed Successfully<br />
Now add the public certificate to the locator database with the PKBLDCDB command:<br />
PKBLDCDB MAINT(*UPDATE) MTYPE(*FILE) CTYPE(*PUBLIC)<br />
FNAME('/pkzshare/CStores/public/carolineF2004_EE1.cer')<br />
PKBLDCDB Update SecureZIP Cert DataBase starting------2005/03/23 09:32:25<br />
PKBLDCDB Running Update Mode--Replace Duplicates---<br />
PKBLDCDB Adding <br />
PKBLDCDB Run Totals:<br />
Total Records Added =1<br />
Total Records Updated =0<br />
Total Duplicateds Found =0<br />
Total Records In Error =0<br />
Total Records Processed =1<br />
PKBLDCDB Scan ending------<br />
PKBLDCDB Completed Successfully<br />
The following example demonstrates the certificate deletion process:<br />
PKSTORADM RUNTYPE(*DELETE) STYPE(*CA)<br />
3/23/05 08:23:02 Certificate Store Admin PKQCD01D<br />
Store Review Query<br />
Type option - Press Enter. ONLY 1 Delete Selection Valid<br />
4-Delete<br />
Option Document<br />
CA 1 FN=Class 1 Public Primary Certification Authority<br />
CA 2 FN=Open Financial Exchange CA - Class 3,www.verisign.com/CPS Incor<br />
CA 3 FN=Open Financial Exchange CA - Class 3,www.verisign.com/CPS Incor<br />
CA 4 FN=PKWARE Test Intermediate Cert E<br />
CA 5 FN=VeriSign Class 2 CA - Individual Subscriber<br />
CA 6 FN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated<br />
CA 7 FN=Thawte Server CA<br />
CA 8 FN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated<br />
CA 9 FN=Thawte Premium Server CA<br />
CA 10 FN=PKWARE Test Intermediate Cert<br />
CA 11 FN=PKWARE Test Intermediate Cert A<br />
4 CA 12 FN=PKWARE Test Intermediate Cert F<br />
CA 13 FN=VeriSign, Inc.,VeriSign International Server CA - Class 3,www.v<br />
F3-Exit F9-Fold F12-Return<br />
+<br />
Enter 4 on the certificate line to delete, and press the ENTER key. This will cause the<br />
following window to appear <strong>for</strong> confirmation.<br />
3/23/05 08:23:02 Certificate Store Admin PKQCD01D<br />
Store Review Query<br />
Type option - Press Enter. ONLY 1 Delete Selection Valid<br />
225
4-D ......................................................................<br />
Optio : Confirm Certificate to be deleted from CA Store :<br />
CA : Location: 12 :<br />
CA : FN= PKWARE Test Intermediate Cert F : or<br />
CA : SN= 01 : or<br />
CA : :<br />
CA : Note: :<br />
CA : Certificates that are issued by the certification : ed<br />
CA : authorities or any lower level certification authorities :<br />
CA : will no longer be trusted. Press PF5 to Continue with : ed<br />
CA : the deletions or PF12 to exit without deleting the :<br />
CA : certificate. :<br />
CA : Press F5 to Delete Certificate :<br />
4 CA : Press PF12 to exit Without Delete :<br />
CA : F5=Delete F12=Cancel : .v<br />
: :<br />
:....................................................................: +<br />
To delete the certificate, press the PF5 key.<br />
PKSTORADM SecureZIP CA Store Administration starting------2005/03/23 08:30:18<br />
ZPCA000I SUCCESS: Deleted certificate from store.<br />
ZPCA000I SUCCESS: Saved certificate store '/pkzshare/CStores/CA/pkwareCA.store'<br />
to disk.<br />
ZPCA000I Deleted 1 certificates from the CA store.<br />
ZPCA000I 13 certificates in the CA store be<strong>for</strong>e the Delete command.<br />
ZPCA000I 12 certificates in the CA store after the Delete command.<br />
Certificate Deleted From CA Store<br />
PKSTORADM Store Admin ending------0<br />
PKSTORADM Completed Successfully<br />
Message AQZ0528 is issued to the log <strong>for</strong> the deletion.<br />
226
18 Processing with GZIP<br />
Introduction to GZIP (GNU zip)<br />
GZIP (GNU zip) is a compression utility designed to use a different standard <strong>for</strong><br />
handling compressed data in an archive. Its main advantages over other<br />
compression utilities are much better compression and freedom from patented<br />
algorithms. It has been adopted by the GNU project and is now relatively popular on<br />
the Internet. GZIP was written by Jean-Loup Gailly (jloup@gzip.org) and Mark Adler<br />
(the decompression code).<br />
GZIP (GNU zip) utility program (available on a number of plat<strong>for</strong>ms including MVS,<br />
UNIX, and PC) can be used like SecureZIP <strong>for</strong> <strong>iSeries</strong> to compress and extract<br />
data. SecureZIP <strong>for</strong> <strong>iSeries</strong> in producing GZIP archives implements two GZIP<br />
standard specifications:<br />
RFC 1952: GZIP file <strong>for</strong>mat specification Version 4.3, which documents the GZIP<br />
specifications and the <strong>for</strong>mat of a GZIP archive file.<br />
RFC 1951: DEFLATE Compressed Data Format Specification Version 1.3, which<br />
documents the compression algorithm used by GZIP processing.<br />
The RFC is a process to promote specifications and standards throughout the<br />
Internet community and can be found at www.faqs.org/rfcs. Both RFC 1952 and RFC<br />
1951 specifications are plat<strong>for</strong>m-independent; there<strong>for</strong>e, data that was compressed<br />
on one plat<strong>for</strong>m, <strong>for</strong> example, UNIX, may be decompressed on another plat<strong>for</strong>m, <strong>for</strong><br />
example, <strong>iSeries</strong> or MVS.<br />
The one significant advantage of GZIP archive files over ZIP archive files is the ability<br />
to handle larger (greater than 4 GB) file sizes. The standard ZIP archive <strong>for</strong>mat<br />
restricts processing to uncompressed files that are less than 4 GB and cannot create<br />
an archive containing multiple files that would meet or exceed the 4 GB limit. These<br />
restrictions are due to the size of the specified fields (4 byte fields) that contain the<br />
file size in<strong>for</strong>mation within the archive. The GZIP archive <strong>for</strong>mat (see RFC 1952) can<br />
process files of any size. This <strong>for</strong>mat does not maintain a 'directory’ of in<strong>for</strong>mation<br />
<strong>for</strong> individual files and allows sizes to 'wrap' at 4 GB, so it does not suffer a size<br />
restriction.<br />
227
GZIP Archive Files Used By SecureZIP <strong>for</strong> <strong>iSeries</strong><br />
The term GZIP archive file is used to describe the file that holds data that has been<br />
compressed by one of the GZIP programs and meets the specifications of RFC 1952.<br />
At the end of the GZIP archive is a trailer that contains the file’s compressed size,<br />
uncompressed size, and a CRC value <strong>for</strong> the file (which is used to verify that the<br />
decompressed data is identical to the data that was originally compressed).<br />
A GZIP archive file can be transferred from one plat<strong>for</strong>m to another and can be<br />
decompressed by a GZIP-compatible application which is running on that plat<strong>for</strong>m.<br />
The internal <strong>for</strong>mat of a GZIP archive is identical, no matter what plat<strong>for</strong>m<br />
compressed the file.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (by default) creates new archives as members of PF-DTA<br />
files with 132-byte records. The archive file is given a text field of 'file created by<br />
PKZIP <strong>iSeries</strong>.' The archive member is given a text field of 'Member created by<br />
PKZIP <strong>iSeries</strong>.' If you wish to create your own archive (perhaps because a larger<br />
record size would be convenient), then you can do so, but consider the following:<br />
When creating the file, do not create any members in it.<br />
After creating the file, change the MAXMBRS parameter <strong>for</strong> the file from 1 to<br />
*NOMAX.<br />
A GZIP archive holds files internally in either text or binary <strong>for</strong>mat, both of which are<br />
compatible with other plat<strong>for</strong>ms supported by GZIP. Because in<strong>for</strong>mation held in a<br />
GZIP archive is defaulted <strong>for</strong> binary processing, SecureZIP <strong>for</strong> <strong>iSeries</strong> uses the<br />
parameter FILETYPE <strong>for</strong> text or binary processing. When transporting archives<br />
between machines that use different character sets <strong>for</strong> text, <strong>for</strong> example, EBCDIC<br />
and ASCII, the binary <strong>for</strong>mat may not be appropriate. Specifying that the file is to be<br />
compressed as FILETYPE(*TEXT) will allow SecureZIP <strong>for</strong> <strong>iSeries</strong> to per<strong>for</strong>m<br />
EBCDIC-to-ASCII conversion, as required. Specifying FILETYPE(*TEXT) may also be<br />
useful when PKUNZIP is used on the <strong>iSeries</strong> to extract data that has been<br />
compressed on an ASCII system.<br />
A GZIP archive is similar to a ZIP archive but normally only contains one compressed<br />
file or member. GZIP archives, like ZIP archives, use the Lempel-Ziv algorithm<br />
(inflate) to compress and decompress data. Unlike a ZIP archive, GZIP archives do<br />
not hold a lot of in<strong>for</strong>mation in various in<strong>for</strong>mation blocks throughout the archive.<br />
Instead, they contain only one in<strong>for</strong>mation block at the beginning of the archive and<br />
locates size in<strong>for</strong>mation at the end of the archive. Some GZIP text data, <strong>for</strong> example,<br />
file name and comments, use the ISO 8859-1 (LATIN-1) character set and there<strong>for</strong>e<br />
will be converted to and from LATIN-1 as required. When a GZIP archive is created,<br />
an in<strong>for</strong>mation block is placed in the archive be<strong>for</strong>e the compressed version of the<br />
file. This in<strong>for</strong>mation block includes the following in<strong>for</strong>mation about the file:<br />
228
• The compression method used on the file.<br />
• The date and time of the last update to the file.<br />
• A flag to indicate optional extended data exists (these fields are usually<br />
operating system-dependant and may be ignored if identification code is<br />
unrecognized).<br />
• The name of the file that was compressed.<br />
• An archive text comment.<br />
• Compressed data followed by the GZIP trailer at the end of the archive. The<br />
trailer includes a CRC value and the original size of the uncompressed file.<br />
Cross Plat<strong>for</strong>m Compatibility<br />
Since GZIP archive files adhere to RFC 1952, the files are compatible across all GZIPsupported<br />
plat<strong>for</strong>ms. If executable files and other plat<strong>for</strong>m-dependent objects are<br />
compressed on one plat<strong>for</strong>m and then decompressed on another, it is unlikely that<br />
they will work on the new plat<strong>for</strong>m. The same can be said about EBCDIC vs. ASCII.<br />
Because the extra in<strong>for</strong>mation is plat<strong>for</strong>m dependent, most likely it will be ignored by<br />
another plat<strong>for</strong>m.<br />
A major consideration <strong>for</strong> cross plat<strong>for</strong>m processing is when building the archive in<br />
the QSYS library file system you may end up with pad bytes at the end of the archive<br />
due to files have record lengths and the end of the archive will be padded to the<br />
record length. Some GZIP products cannot handle the extra pad bytes at the end of<br />
the archive. In this case, the archive should be stored in the IFS where the archive<br />
will be a true stream file with no pad bytes at the end of the archive.<br />
GZIP Restrictions<br />
Filename encryption can not be used with GZIP.<br />
Special Note on GZIP Passwords<br />
GZIP standard processing (RFC 1952) does not normally allow a password to be<br />
placed on a GZIP archive. SecureZIP <strong>for</strong> <strong>iSeries</strong> does allow this feature, but its use<br />
may cause compatibility issues with other plat<strong>for</strong>ms. PKZIP <strong>for</strong> MVS does use the<br />
same password standard, so GZIP archives with passwords can be exchanged<br />
between SecureZIP <strong>for</strong> <strong>iSeries</strong> , PKZIP <strong>for</strong> VSE, and PKZIP <strong>for</strong> MVS. Because<br />
GZIP archives that are created with a password with SecureZIP <strong>for</strong> <strong>iSeries</strong> or<br />
PKZIP <strong>for</strong> MVS are not part of the GZIP standards, these files will probably<br />
appear to be corrupt on other plat<strong>for</strong>ms.<br />
Processing GZIP Archives<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> can create and extract in<strong>for</strong>mation from GZIP <strong>for</strong>mat<br />
archives similar to how it can be used to create and extract in<strong>for</strong>mation from a ZIP<br />
archive. The creation of a GZIP archive and other parameters is exactly like all other<br />
processes in SecureZIP <strong>for</strong> <strong>iSeries</strong> , including use of extended attributes. To create<br />
a GZIP archive file, code the parameter GZIP(*YES). The difference is that the<br />
229
archive can only have one (1) file, and the archive cannot be updated. The PKUNZIP<br />
program will identify the GZIP archive and process it accordingly.<br />
The following are the specific GZIP Restrictions that pertain to the PKZIP and<br />
PKUNZIP programs:<br />
GZIP Compressing<br />
The code used by SecureZIP <strong>for</strong> <strong>iSeries</strong> follows the standards specified in the two<br />
applicable RFC's. Specifically, these are RFC 1952 (GZIP file <strong>for</strong>mat specification<br />
Version 4.3) and RFC 1951 (DEFLATE Compressed Data Format Specification Version<br />
1.3). SecureZIP <strong>for</strong> <strong>iSeries</strong> should always be able to create a GZIP compatible<br />
compressed file and extract data from a GZIP compressed file where the GZIP utility<br />
matches these two specifications.<br />
• Parameter COMPRESS(*NO) cannot be used because all GZIP archives must<br />
contain compressed data.<br />
• Parameter COMPRESS(*TERSE) cannot be used because terse compression is<br />
a non-standard compression method <strong>for</strong> GZIP.<br />
• Parameter FTRAN is not valid <strong>for</strong> GZIP because filenames have to be held in<br />
the ISO 8859-1(LATIN-1) character set.<br />
• Parameter TYPE (type of processing to be per<strong>for</strong>med) cannot be specified<br />
because *DELETE, *UPDATE, *FRESHEN, *MOVEF, or *MOVEU as a GZIP<br />
archive cannot be updated once created.<br />
Only one file is supported per GZIP archive. When creating an archive, this means<br />
that only one file or member can be identified <strong>for</strong> inclusion in the archive.<br />
If SecureZIP <strong>for</strong> <strong>iSeries</strong> is used to create and encrypt a GZIP archive using a<br />
password, other plat<strong>for</strong>ms may not be able to decrypt the data. The encryption<br />
algorithm used by SecureZIP <strong>for</strong> <strong>iSeries</strong> in a GZIP archive is similar to that used<br />
by PKZIP, but it is not supported as part of the specifications <strong>for</strong> GZIP.<br />
Once an <strong>iSeries</strong> SAVF has been zipped into a GZIP archive, the archive will extract on<br />
another plat<strong>for</strong>m but will not be available as a SAVF. It will just be a binary file and<br />
of no use on another plat<strong>for</strong>m.<br />
The file name stored in an archive created by SecureZIP <strong>for</strong> <strong>iSeries</strong> will typically<br />
contain library, file, and member names (directory components) which relate to the<br />
qualifiers of the original <strong>iSeries</strong> name. According to the GZIP specifications, the file<br />
name stored should be the original name of the file being compressed, with any<br />
directory components removed. Most GZIP utilities support directory components,<br />
and the default SecureZIP <strong>for</strong> <strong>iSeries</strong> processing will include library, file, and<br />
member names in the output file name. Note: It is not possible to create a GZIP<br />
archive using SecureZIP <strong>for</strong> <strong>iSeries</strong> that does not have the file name stored in the<br />
archive.<br />
GZIP Extracting<br />
If a file name is present in the GZIP archive, it will be held in the ISO 8859-1<br />
(LATIN-1) character set.<br />
If there is no file name in the archive, one will use the default paths defined in the<br />
EXDIR parameter.<br />
230
If there is more than one compressed file in the archive, only the first file can be<br />
processed.<br />
When zipping a file into an archive, the archive cannot already exist. It is not<br />
possible to merge or update a GZIP archive.<br />
VIEW processing may not show all of the details from the archive, since some<br />
in<strong>for</strong>mation is not stored (or not stored in convenient locations) in the GZIP archive.<br />
For example, the compressed and uncompressed file sizes will typically be shown as<br />
zero.<br />
To match the GZIP specifications, the time stored in the archive header will be in<br />
universal time <strong>for</strong>mat (seconds since 01/01/1970). Because of manipulation during<br />
processing, this time will have only a two-second accuracy (will always be divisible<br />
by 2) and there<strong>for</strong>e could be one second off from the original file time.<br />
There is no standard <strong>iSeries</strong> method to set the creation date of a file. As a result, the<br />
time in the GZIP archive is ignored when creating the <strong>iSeries</strong> output file. It may be<br />
viewed by specifying the parameter TYPE(*VIEW).<br />
Sample GZIP Processing<br />
Compressing a file<br />
The following example shows how to compress a file into a GZIP archive. The PKZIP<br />
command is used to compress data into an archive. To select the GZIP <strong>for</strong>mat <strong>for</strong> the<br />
resulting archive, you must use the GZIP(*YES) option with the PKZIP command:<br />
PKZIP ARCHIVE(‘MYLIB1/MYARCHFIL(GZ01)’) FILES('TESTLIB1/FILE1TXT') TYPE(*ADD)<br />
GZIP(*YES)<br />
The command above will compress the text file TESTLIB1/FILE1TXT into the archive<br />
MYLIB1/MYARCHFIL(GZ01) in GZIP <strong>for</strong>mat. The archive must not already exist or an<br />
error message will be generated and the operation will fail.<br />
The output from the above command should look like the following:<br />
File MYARCHFIL created in library MYLIB1.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (tm) Data Compression Version 8.1, 2003/05/01<br />
Copyright. 2004 PKWARE, Inc. All rights reserved.<br />
PKZIP (R) is a registered trademark of PKWARE (R), Inc.<br />
EVALUATION Running<br />
EVALUATION, Warning - This license will expire in 29 days on 2003/06/02<br />
Contact your dealer with the following in<strong>for</strong>mation<br />
Machine ID = 0107X8WT, Processor Group = P10<br />
Scanning files <strong>for</strong> match ...<br />
File MYARCHFIL in library MYLIB1 with member GZ01 not found.<br />
Found 1 matching files<br />
Member GZ01 added to file MYARCHFIL in MYLIB1.<br />
Member GZ01 removed from file MYARCHFIL in MYLIB1.<br />
Member PZ3AF2447F added to file MYARCHFIL in MYLIB1.<br />
Compressing TESTLIB1/FILE1TXT(FILE1TXT) in TEXT mode<br />
Add TESTLIB1/FILE1TXT/FILE1TXT -- Deflating (31%)<br />
Member PZ3AF2447F renamed to member GZ01.<br />
Member GZ01 file MYARCHFIL in MYLIB1 changed.<br />
PKZIP Compressed 1 files in GZIP Archive MYLIB1/MYARCHFIL(GZ01)<br />
PKZIP Completed Successfully<br />
231
19 Messages<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> messages are broken down into three types. When using<br />
*VIEW type, all displays of the archive and files in<strong>for</strong>mation use messages AQZ0800<br />
thru AQZ0899. The licensing install and licensing validation use messages that start<br />
with AQZ9nnnn. All other messages start with AQZ0001 through AQZ0799.<br />
There are two messages that are issued as escape messages, and because they are<br />
issued as an escape message, they can be monitored with the MONMSG command in<br />
CL programs. Escape messages indicates a condition causing PKZIP or PKUNZIP to<br />
end abnormally, without completing its work. By monitoring <strong>for</strong> escape messages,<br />
you can take corrective actions or clean up and end your procedure or program. To<br />
see the actual condition that may have caused the problem, you should review all<br />
previous messages from the job log. If PKZIP or PKUNZIP issues one of these escape<br />
messages, and the messages are not being monitored, then the <strong>iSeries</strong> will issue an<br />
inquiry message requiring a reply (normal <strong>iSeries</strong> processing).<br />
The message numbers that are issued as escapes are:<br />
• AQZ0022 - PKZIP completed with errors.<br />
• AQZ0038 - PKUNZIP completed with errors.<br />
There are four messages that are issued as completion message types and are also<br />
issued as a status message type. Because the messages are issued as a status type,<br />
they can be monitored with the MONMSG command in CL programs. The message<br />
numbers that are issued as status message types are:<br />
• AQZ0012 - PKZIP ending with nothing to do <strong>for</strong> .<br />
• AQZ0020 - PKZIP completed successfully.<br />
• AQZ0024 - PKZIP completing with a warning. No files selected.<br />
• AQZ0037 - PKUNZIP completed successfully.<br />
EXAMPLE:<br />
Msg ID<br />
| Severity<br />
| Code<br />
| | Message Text<br />
| | |<br />
AQZ0109-00: Compressing &1 in &2 mode<br />
232
Explanation: In<strong>for</strong>mational. Compressing has started <strong>for</strong> the file with a specified<br />
mode. The modes are: 1) SAVF, 2) DATABASE, 3) BINARY, 4) TEXT, and 5) Text in<br />
EBCDIC.<br />
The message text &1 will be the file name and &2 will be the mode such as:<br />
Compressing TESTLIB/TESTFILE(TESTFILE) in TEXT mode<br />
Messages from Certificate Store Administration<br />
From the PKSTORADM command, messages are displayed from the Certificate Store<br />
Administration program. These message all start with the prefix ZPCA followed by a<br />
three digit number with a suffix of E (Error), W (warning) or I (In<strong>for</strong>mational). For<br />
example: “ZPCA815E Cannot Continue. Unable to close CA Store.”<br />
See standard messages AQZ0049-00 "PKSTORADM Completed Successfully" and<br />
AQZ0050-40 "PKSTORADM Completed with Errors" <strong>for</strong> PKSTROADM-monitored<br />
completion messages.<br />
233
AQZ0001 - AQZ0799 Messages<br />
AQZ0001-00<br />
Explanation:<br />
PKZIP: &1 &2.<br />
This message is used in conjunction with other messages to provide extended<br />
in<strong>for</strong>mation. See the following messages.<br />
AQZ0002-40<br />
Explanation:<br />
Unexpected End of File: &1 &2.<br />
While reading an archive file in PKZIP, an unexpected end of file was encountered.<br />
The file may not have been created properly or copied to completion. Try running the<br />
TYPE(*TEST) to see it can identify more in<strong>for</strong>mation and review all other messages.<br />
AQZ0003-40<br />
Explanation:<br />
Archive file Structure Error: &1 &2.<br />
This message is associated with the previous message <strong>for</strong> exact cause. This<br />
indicates a major archive failure <strong>for</strong> PKZIP to process. Review all messages and run<br />
PKUNZIP with TYPE(*TEST) to see if there are more details. This may indicate that<br />
current archive is incomplete or corrupted.<br />
AQZ0004-40<br />
Explanation:<br />
Out Of Memory: &1 &2.<br />
While trying to allocate memory in PKZIP or PKUNZIP, a failure occurred and no<br />
memory was granted. Check other messages in the job log <strong>for</strong> possible causes and<br />
refer to Appendix C about memory errors. If this continues, please contact the<br />
Product Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0005-40<br />
Explanation:<br />
Logic Error: &1 &2.<br />
This message should never occur. If it does it may be due to a corrupted archive file.<br />
Please contact the Product Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0006-40<br />
Explanation:<br />
Error opening temp archive file:.<br />
While trying to process PKZIP, a failure occurred while opening the temporary archive<br />
file. Review other messages with PKZIP and the <strong>iSeries</strong> <strong>for</strong> more details of why<br />
the failure occurred. Attributes used were=&2'.<br />
234
AQZ0009-40<br />
Explanation:<br />
User interrupt or termination: &1 &2.<br />
PKZIP encountered a request to terminate. If it continues to be unknown, please<br />
contact the Product Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0010-40<br />
Explanation:<br />
Error using temp file: &1 &2.<br />
While trying to process PKZIP, a failure occurred with the temporary archive file.<br />
Review other messages with PKZIP and the <strong>iSeries</strong> <strong>for</strong> more details of why the failure<br />
occurred.<br />
AQZ0011-40<br />
Explanation:<br />
Read or Seek error: &1 &2.<br />
While reading an archive file in PKZIP, an unexpected error was encountered. The<br />
file may not have been created properly, or copied to completion. Try running the<br />
TYPE(*TEST) to see it can identify more in<strong>for</strong>mation and review all other messages.<br />
AQZ0012-40<br />
Explanation:<br />
PKZIP ending with Nothing to do <strong>for</strong> .<br />
PKZIP found no files to process. Review the FILES EXCLUDE keywords <strong>for</strong> the<br />
selections. This message can be monitored using MONMSG.<br />
AQZ0013-40<br />
Explanation:<br />
Missing or empty archive file: &1 &2.<br />
An archive file to process *UPDATE, *FRESHEN, or *DELETE is empty. No TYPE<br />
was processed.<br />
AQZ0014-40<br />
Explanation:<br />
Error writing to a file: &1 &2.<br />
An unexpected error was encountered while writing the archive file. PKZIP is<br />
terminated and the temporary archive file is corrupted. Review other PKZIP message<br />
and <strong>iSeries</strong> messages in order to interpret why this message occurred.<br />
AQZ0015-40<br />
Explanation:<br />
Could not open to write: &1 &2.<br />
PKZIP could not create a list file or ARCHIVE file. PKZIP has terminated. Review<br />
<strong>iSeries</strong> messages <strong>for</strong> cause of error.<br />
235
AQZ0018-40<br />
Explanation:<br />
Could not open a specified file to read: &1 &2.<br />
An archive, list, or extracted file could not be opened <strong>for</strong> reading. Review PKZIP<br />
messages and <strong>iSeries</strong> messages that occurred in run.<br />
AQZ0019-00<br />
Explanation:<br />
PKZIP Compressed &1 files in Archive &2.<br />
&1 is the number of files that were compressed in this run of PKZIP storing them in<br />
the archive file &2.<br />
AQZ0020-00<br />
Explanation:<br />
PKZIP Completed Successfully.<br />
PKZIP completed successfully. This message can be monitored using MONMSG.<br />
AQZ0021-10<br />
Explanation:<br />
There are no files to select from: Zip ending.<br />
Either no files were selected with files parameters <strong>for</strong> all actions or no files qualified<br />
<strong>for</strong> selection with *FRESHEN or *UPDATE TYPE. Review archive and selection<br />
parameters.<br />
AQZ0022-40<br />
Explanation:<br />
PKZIP Completed with Errors.<br />
See job log <strong>for</strong> previous errors messages. An error occurred that caused PKZIP to<br />
complete unsuccessfully. AQZ0022 message will be issued as an Escape message<br />
type. Escape messages indicate a condition causing PKZIP to end abnormally<br />
without completing its work. This message can be monitored using MONMSG.<br />
AQZ0023-10<br />
Explanation:<br />
Invalid date {&1} <strong>for</strong> date select option &2.<br />
DATETYPE with *BEFORE or *AFTER was selected in PKZIP, but has an invalid<br />
date in DATEAB. Format must be mmddyyyy or yyyymmdd. The mm must be 1 thru<br />
12. The dd must be 1 thru 31.<br />
AQZ0024-00<br />
Explanation:<br />
PKZIP Completing with a Warning. No Files Selected <strong>for</strong><br />
compression.<br />
PKZIP selected 0 files <strong>for</strong> compression and there were no other actions (such as<br />
*DELETE, archive comment update) to revise the archive. This message can be<br />
monitored using MONMSG.<br />
236
AQZ0025-40<br />
Explanation:<br />
File name contains special characters.<br />
The file contains characters not valid <strong>for</strong> a file name.<br />
AQZ0026-30<br />
Invalid option(s) used with DELETE; ignored.<br />
Explanation: This message should never occur. Please contact the Product Services Division at 1-<br />
937-847-2687 <strong>for</strong> assistance.<br />
AQZ0027-30<br />
Explanation:<br />
Archive file is empty, cannot make it as old as latest entry.<br />
PKZIP run with archive file in the IFS file type. Cannot set date and time of the<br />
archive to latest time of files because the archive file is empty.<br />
AQZ0028-30<br />
Explanation:<br />
Archive file has only directories, cannot make it as old as<br />
latest entry.<br />
PKZIP run with archive file in the IFS file type. Cannot set date and time of the<br />
archive to latest time of files. The archive file is OK.<br />
AQZ0029-40<br />
Explanation:<br />
Name Not match: &1.<br />
A file in the FILES selection keyword could not be found or matched with a pattern.<br />
PKZIP will not process.<br />
AQZ0030-00<br />
Explanation:<br />
Scanning files <strong>for</strong> match...<br />
In<strong>for</strong>mation only. The search has started <strong>for</strong> file selections.<br />
AQZ0031-00<br />
Explanation:<br />
Found &1 matching files.<br />
In<strong>for</strong>mation only. The number of selection files that was found is considered <strong>for</strong><br />
processing.<br />
237
AQZ0032-00<br />
Explanation:<br />
Copying temp &1 to &2.<br />
Copies a temporary archive file to the requested archive name.<br />
AQZ0034-00<br />
Explanation:<br />
Searching Archive &1 <strong>for</strong> files to extract.<br />
In<strong>for</strong>mational only. PKUNZIP has started searching the archive <strong>for</strong> files that meet the<br />
selection and excluding parameters.<br />
AQZ0035-00<br />
Explanation:<br />
Extracting file &1.<br />
In<strong>for</strong>mational only. PKUNZIP is in the process of extracting file &1.<br />
AQZ0036-00<br />
Explanation:<br />
PKUNZIP extracted &1 files.<br />
In<strong>for</strong>mational only. PKUNZIP reports the number of files that were extracted in this<br />
run.<br />
AQZ0037-00.<br />
Explanation:<br />
PKUNZIP Completed Successfully.<br />
In<strong>for</strong>mational only. PKUNZIP completed with no errors. This message can be<br />
monitored using MONMSG.<br />
AQZ0038-40<br />
Explanation:<br />
PKUNZIP Completed with Errors.<br />
During a run of PKUNZIP, errors were encountered. Some processing may or may<br />
not have completed. Review the preceding messages <strong>for</strong> further details. AQZ0038<br />
message will be issued as an escape message type. Escape messages indicates a<br />
condition causing PKUNZIP to end abnormally without completing its work. This<br />
message can be monitored using MONMSG.<br />
AQZ0039-00<br />
Explanation:<br />
PKUNZIP found &1 file(s) in Error.<br />
The run of PKUNZIP found &1 files with some type of error resulting in these files not<br />
being processed. Consult the job log to discover why these files were in error.<br />
238
AQZ0040-10<br />
Explanation:<br />
PKUNZIP skipped &1 file(s).<br />
PKUNZIP skipped the files due to target files already existing on the system and the<br />
parameter to OVERWRITE was set to *NO, which in<strong>for</strong>ms the system not to overwrite<br />
any file that already exists.<br />
AQZ0041-00<br />
Explanation:<br />
Searching GZIP Archive &1 <strong>for</strong> files to extract.<br />
In<strong>for</strong>mational only. PKZIP is searching <strong>for</strong> the files to process with GZIP option.<br />
AQZ0042-00<br />
Explanation:<br />
Scanning Archive &1 <strong>for</strong> &2 files in archive.<br />
PKZIP is scanning the input archive <strong>for</strong> files. In<strong>for</strong>mational only when VERBOSE is<br />
set. For large archive with tens of thousands of files it may take a while <strong>for</strong> this<br />
process.<br />
AQZ0043-00.<br />
Explanation:<br />
PKCFGSEC Completed Successfully.<br />
In<strong>for</strong>mational only. PKCFGSEC completed with no errors. This message can be<br />
monitored using MONMSG.<br />
AQZ0044-40<br />
Explanation:<br />
PKCFGSEC Completed with Errors.<br />
During a run of PKCFGSEC, errors were encountered. Some processing may or may<br />
not have completed. Review the preceding messages <strong>for</strong> further details. AQZ0044<br />
message will be issued as an escape message type. Escape messages indicates a<br />
condition causing PKCFGSEC to end abnormally without completing its work. This<br />
message can be monitored using MONMSG.<br />
AQZ0045-00.<br />
Explanation:<br />
PKBLDCDB Completed Successfully.<br />
In<strong>for</strong>mational only. PKBLDCDB completed with no errors. This message can be<br />
monitored using MONMSG.<br />
AQZ0046-40<br />
Explanation:<br />
PKBLDCDB Completed with Errors.<br />
During a run of PKBLDCDB, errors were encountered. Some processing may or may<br />
not have completed. Review the preceding messages <strong>for</strong> further details. AQZ0046<br />
message will be issued as an escape message type. Escape messages indicates a<br />
239
condition causing PKBLDCDB to end abnormally without completing its work. This<br />
message can be monitored using MONMSG.<br />
AQZ0047-00.<br />
Explanation:<br />
PKBQRYCDB Completed Successfully.<br />
In<strong>for</strong>mational only. PKBQRYCDB completed with no errors. This message can be<br />
monitored using MONMSG.<br />
AQZ0048-40<br />
Explanation:<br />
PKBQRYCDB Completed with Errors.<br />
During a run of PKBQRYCDB, errors were encountered. Some processing may or<br />
may not have completed. Review the preceding messages <strong>for</strong> further details.<br />
AQZ0048 message will be issued as an escape message type. Escape messages<br />
indicates a condition causing PKBQRYCDB to end abnormally without completing its<br />
work. This message can be monitored using MONMSG.<br />
AQZ0049-00<br />
Explanation:<br />
PKSTORADM Completed Successfully.<br />
In<strong>for</strong>mational only. PKSTORADM completed with no errors. This message can be<br />
monitored using MONMSG.<br />
AQZ0050-40<br />
Explanation:<br />
PKSTORADM Completed with Errors.<br />
During a run of PKSTORADM, errors were encountered. Some processing may or<br />
may not have completed. Review the preceding messages <strong>for</strong> further details.<br />
AQZ0050 message will be issued as an escape message type. Escape messages<br />
indicates a condition causing PKSTORADM to end abnormally without completing its<br />
work. This message can be monitored using MONMSG.<br />
AQZ0051-00<br />
Explanation:<br />
End Entity File created.<br />
End Entity File certificate file was created. PKBLDCDB should be run to add the<br />
certificate data to locator database.<br />
AQZ0097-10<br />
Input Archive was found to be Digitally Signed..<br />
Explanation: The archive was digitally signed. This PKZIP update will destroy the signature.<br />
240
AQZ0101-00<br />
Explanation:<br />
Add &1 -- &2.<br />
In<strong>for</strong>mation providing the file and the type of compression method (deflate, terse, or<br />
store) along with the percent of compression.<br />
AQZ0102-00<br />
Explanation:<br />
Freshening: &1 with &2.<br />
In<strong>for</strong>mational: PKZIP running with TYPE(*FRESHEN) is processing the file with<br />
compression method (deflate, terse, or store) and the percent of compression.<br />
AQZ0103-00<br />
Explanation:<br />
Updating: &1 with &2.<br />
In<strong>for</strong>mational: PKZIP running with TYPE(*UPDATE) is processing file with<br />
compression method (deflate, terse, or store) and the percent of compression.<br />
AQZ0104-00<br />
Explanation:<br />
Deleting: &1.<br />
In<strong>for</strong>mational: Delete file &1 from the archive.<br />
AQZ0105-00<br />
Explanation:<br />
Translating to ASCII.<br />
In<strong>for</strong>mational with VERBOSE(*max) indicating that data will translated to ASCII.<br />
AQZ0106-00<br />
Explanation:<br />
Zip diagnostic: &1 .<br />
File in the archive is up to date with date & time or the file in the archive is now<br />
missing. Only when Verbose(*max).<br />
AQZ0107-40<br />
Explanation:<br />
Attempting to restore &1 to its previous state.<br />
A failure occurred while running PKZIP with an existing archive. An attempt is being<br />
made to set the archive to a previous state prior to the original processing start time.<br />
241
AQZ0108-00<br />
Explanation:<br />
Excluding .<br />
In run PKZIP, a file found in the selection process was excluded due to a match<br />
excluding file parameter.<br />
AQZ0109-00<br />
Explanation:<br />
Compressing &1 in &2 mode.<br />
In<strong>for</strong>mational: Compressing has started <strong>for</strong> the file with a specified mode. The<br />
modes are: 1) SAVF, 2) DATABASE, 3) BINARY, 4) TEXT and 5) Text in EBCDIC.<br />
AQZ0110-00<br />
Explanation:<br />
The Output List file is being created.<br />
In<strong>for</strong>mational: to indicate that file &1 is being created, and will also be used to add list<br />
records selected in the run. See Keyword-CRTLIST <strong>for</strong> more details.<br />
AQZ0111-00<br />
Explanation:<br />
&1 Records written to the Output List file &2.<br />
In<strong>for</strong>mational: indicates that &1 records were outputted to the list file &2. See<br />
keyword-CRTLIST <strong>for</strong> more details.<br />
AQZ0112-00<br />
Explanation:<br />
&1 records read from Include File &2.<br />
INCLFILE parameter was optioned in PKZIP or PKUNZIP. This message displays<br />
how many records were in the file.<br />
AQZ0113-00<br />
Explanation:<br />
Include parameters supplied &1.<br />
In<strong>for</strong>mational: How many include items found in FILES and INCLFILE.<br />
AQZ0114-00<br />
Explanation:<br />
&1 records read from Exclude File &2.<br />
EXCLFILE parameter was optioned in PKZIP or PKUNZIP. This message displays<br />
how many records were in the file.<br />
242
AQZ0115-00<br />
Explanation:<br />
Exclude parameters supplied &1.<br />
In<strong>for</strong>mational: How many include items found in EXCLUDE and EXCLFILE.<br />
AQZ0116-00<br />
Explanation:<br />
Zip diagnostic: &1cluding .<br />
In<strong>for</strong>mational PKZIP: Display of file being included or excluded.<br />
AQZ0117-00<br />
Explanation:<br />
File matches archive file – skipping.<br />
PKZIP running with a file selected, which is the current file, requested as the archive.<br />
This file is skipped from the selection process.<br />
AQZ0118-40<br />
Explanation:<br />
Replace: cannot open &1.<br />
PKZIP is trying to copy the temporary archive file to the archive file. The archive file<br />
cannot be opened. Check the job log <strong>for</strong> messages as to why the open failed. If<br />
specifying parameter TMPPATH in the library file system, verify that both library and<br />
file name are specified (<strong>for</strong> example, MPPATH(‘MYLIB/TEMPARCH’).<br />
AQZ0119-40<br />
Explanation:<br />
Fcopy: Write error.<br />
PKZIP is trying to copy the temporary archive e file to the archive file. The archive<br />
encountered an error while writing the new archive file. Check the job log <strong>for</strong><br />
messages to determine why the write failed.<br />
AQZ0120-40<br />
Explanation:<br />
Fatal: Incorrect compressed size - &1.<br />
A failure occurred while compressing. The size reported by the compression engine<br />
is different from the offset determined in the archive file. This should never happen.<br />
Please contact the Product Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0121-00<br />
Explanation:<br />
Stats: &1 &2.<br />
In<strong>for</strong>mation in PKZIP with verbose on. Shows the size of the file being compressed<br />
and the size of the compressed file.<br />
243
AQZ0122-00<br />
Explanation:<br />
Enter new Zip file Comment <strong>for</strong> file &1.<br />
FILESTEXT was set to edit a new comment <strong>for</strong> files being added to the archive.<br />
Enter the file’s comment and press the Enter key.<br />
AQZ0123-00<br />
Explanation:<br />
Enter Zip file Comment <strong>for</strong> file &1.<br />
An unexpected error was encountered while writing the archive file. PKZIP is<br />
terminated, and the FILESTEXT was set to edit comments <strong>for</strong> files being added or<br />
updated to the archive. Enter the file's comment, and press the Enter key.<br />
AQZ0124-00<br />
Explanation:<br />
Zip Info: &1 &2.<br />
In<strong>for</strong>mational PKZIP files when processing with enhanced DEBUG options.<br />
AQZ0125-00<br />
Explanation:<br />
Zip: reading &1.<br />
In<strong>for</strong>mational PKZIP: reading the file & in the current archive. Only displays with<br />
Verbose(*MAX) during fix option. This option is not available at this time.<br />
AQZ0126-00<br />
Explanation:<br />
Zip Info: &1 <strong>for</strong> &2.<br />
In<strong>for</strong>mational PKZIP: Compression statistic of file &2. Only displays with<br />
Verbose(*MAX) during fix option. This option is not available at this time.<br />
AQZ0127-00<br />
Explanation:<br />
Global settings are “No wildcard selection”, but FILES contains<br />
an *.<br />
The files parameter contains a wildcard selection , but the wildcard global setting<br />
is coded <strong>for</strong> NO wildcards selections. Correct and rerun or see your administrator <strong>for</strong><br />
the PKZIP settings.<br />
AQZ0129-40<br />
Explanation:<br />
Local header not found <strong>for</strong> &1.<br />
The current, loaded archive file is corrupted. The local header cannot be found <strong>for</strong><br />
the compressed file &1. Processing of PKZIP will not continue. Review other<br />
messages. If file was created using PKZIP, please contact the Product Services<br />
Division at 1-937-847-2687 <strong>for</strong> assistance. If the file came from another source,<br />
review the creation of the file to verify if it was transferred properly to <strong>iSeries</strong>.<br />
244
AQZ0130-00<br />
Explanation:<br />
Self Extracting code <strong>for</strong> &1 found in archive file.<br />
In<strong>for</strong>mational PKZIP: Adjusting offsets in the archive file &1 <strong>for</strong> local headers. Only<br />
displays with Verbose(*max).<br />
AQZ0131-00<br />
Explanation:<br />
Zip diagnostic: Deleting file &1.<br />
In<strong>for</strong>mational PKZIP with TYPE(*DELETE): The file &1 was found in the archive and<br />
removed.<br />
AQZ0132-00<br />
Explanation:<br />
Error in Deleting file &1.<br />
PKZIP with TYPE(*DELETE) could not delete the file &1 from the archive. Review job<br />
log and other message that occurred during the PKZIP run to determine the cause.<br />
AQZ0133-40<br />
Explanation:<br />
Deleting directory &1 (if empty).<br />
PKZIP with TYPE(*DELETE) found a match and it was an empty directory. The<br />
directory is being removed from the archive file.<br />
AQZ0134-00<br />
Explanation:<br />
Zip Info: &1 &2.<br />
In<strong>for</strong>mational PKZIP about archive files when processing with enhanced debug turned<br />
on.<br />
AQZ0135-10<br />
Explanation:<br />
Zero-length name <strong>for</strong> entry # &1.<br />
An error occurred reading the archive file <strong>for</strong> entry # &1. The name of the file has a<br />
zero length. If processing continues, unpredictable results may occur. The source of<br />
the archive file and its history of reaching it current state should be reviewed. Other<br />
files in the archive should be valid.<br />
AQZ0136-00<br />
Explanation:<br />
Bad extended local header <strong>for</strong>.<br />
An archive file indicated it contained an extended local header. The header is<br />
corrupted. Processing will be terminated. Run PKUNZIP with TYPE(*View) and<br />
VIEWOPT(*Detail) to see if more in<strong>for</strong>mation is available.<br />
245
AQZ0137-10<br />
Explanation:<br />
Extended local header not found <strong>for</strong> &1.<br />
An archive indicated it contained an extended local header <strong>for</strong> file &1. The extended<br />
header could not be found nor processed. Run PKUNZIP with TYPE(*View) and<br />
VIEWOPT(*Detail) to see if more in<strong>for</strong>mation is available.<br />
AQZ0138-00<br />
Explanation:<br />
Missing end signature -- probably not a archive file (did you<br />
remember to use binary mode when you transferred it?).<br />
The archive file did not have an end signature, which usually indicates it is not an<br />
archive file or it is an incomplete archive file.<br />
AQZ0139-00<br />
Explanation:<br />
Multiple disk in<strong>for</strong>mation ignored.<br />
PKZIP and PKUNZIP do not support multiple disk functionality.<br />
AQZ0140-00<br />
Explanation:<br />
Name lengths in local and central differ <strong>for</strong> &1.<br />
The archive file is corrupted. The name lengths of the file name in the local directory<br />
are different than the name length in the central directory.<br />
AQZ0141-00<br />
Explanation:<br />
Names in local and central differ <strong>for</strong> &1.<br />
The archive file is corrupted. The file name & in the local directory is different than<br />
the file name in the central directory. This is an invalid archive. Contact the Product<br />
Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0143-00<br />
Explanation:<br />
Rename failure: New archive file left as: &1.<br />
PKZIP is trying to rename the temporary name <strong>for</strong> a requested archive and has failed.<br />
Review the job log <strong>for</strong> cause. The archive file &1 is still valid but is saved using the<br />
temporary name. Rename the temporary file manually to the requested archive<br />
name.<br />
AQZ0144-40<br />
Rename failure: Tried to rename to &1.<br />
Explanation: Part 2 of previous message AQZ0143-00.<br />
246
AQZ0145-40<br />
Explanation:<br />
PKZIP could not open file <strong>for</strong> reading: &1.<br />
PKZIP could not open file &1 <strong>for</strong> reading to compress. Review the job log and other<br />
messages <strong>for</strong> cause.<br />
AQZ0146-40<br />
Explanation:<br />
Archive file and directory with the same name: &1.<br />
PKZIP found a file and directory to be selected with the same name. &1 will be<br />
bypassed and the job terminated.<br />
AQZ0147-00<br />
Explanation:<br />
will just copy entry over: &1.<br />
PKZIP will copy the archive over the current archive file &1.<br />
AQZ0148-40<br />
Explanation:<br />
Archive file empty.<br />
PKZIP process ended with no files in the archive file. Review selection process and<br />
preceding messages. The archive is not valid and cannot be used to extract files.<br />
AQZ0149-10<br />
Explanation:<br />
File is being skipped due to previous error.<br />
An error occurred processing file &1 and the parameter ERROPT was set to *SKIP<br />
the file.<br />
AQZ0150-40<br />
Explanation:<br />
Archive File is not found or empty without ADD TYPE.<br />
PKZIP process is running without TYPE(*ADD); cannot find the specified archive file,<br />
or the archive file is empty. For Actions other than *ADD, a valid archive must exist.<br />
AQZ0151-00<br />
Explanation:<br />
include pattern or file could not find a match in search<br />
path.<br />
The Include pattern in the FILES or INCLFILE could not find a match during the<br />
PKZIP run. Review selection parameters, the library list, or the current directory.<br />
247
AQZ0152-20<br />
Explanation:<br />
Cannot have duplicate names in Zip Include.<br />
PKZIP found entries in the FILES or INCLFILE that result in duplicate entries. Correct<br />
and rerun.<br />
AQZ0153-00<br />
Explanation:<br />
Duplicates: 1st=, 2nd=.<br />
Part 2 of message AQZ0152 showing the duplicate files.<br />
AQZ0154-20<br />
Explanation:<br />
Cannot read Archive file <strong>for</strong> *FRESHEN or *UPDATE.<br />
PKZIP is running with TYPE *FRESHEN or *UPDATE and could not read the archive<br />
file. Review the job log <strong>for</strong> other messages to determine cause.<br />
AQZ0155-30<br />
Explanation:<br />
No files found <strong>for</strong> in archive file <strong>for</strong> *DELETE TYPE.<br />
The file pattern specified <strong>for</strong> a PKZIP run with *DELETE found no files that matched in<br />
the archive.<br />
AQZ0156-00<br />
Explanation:<br />
Searching <strong>for</strong> files to include...<br />
PKZIP searching <strong>for</strong> files that match entered file specifications.<br />
AQZ0157-40<br />
Explanation:<br />
Library cannot not be found.<br />
PKZIP, in an attempt to find file selections, could not find a specified Library. Review<br />
selection criteria in FILES and INCLFILE. Run is terminated.<br />
AQZ0158-40<br />
Explanation:<br />
File not found in Library &1.<br />
PKZIP, in an attempt to find file selections, could not find a specified file in a specific<br />
Library. Review selection criteria in FILES and INCLFILE. Run is terminated.<br />
248
AQZ0160-40<br />
Explanation:<br />
SFX File &1 Cannot be opened. Run Terminated.<br />
SELFXTRACT was coded to build an archive with a self extracting preamble. While<br />
trying to open that SFX file &1, an error occurred. See previous detail job log <strong>for</strong><br />
more details on the failure. Contact the Product Services Division at 1-937-847-2687<br />
<strong>for</strong> assistance.<br />
AQZ0161-40<br />
Explanation:<br />
Error occurred while reading SFX file &1.<br />
SELFXTRACT was coded to build an archive with a self extracting preamble. While<br />
trying to read that SFX file &1, an error occurred. See previous detail job log <strong>for</strong> more<br />
details on the failure. Contact the Product Services Division at 1-937-847-2687 <strong>for</strong><br />
assistance.<br />
AQZ0162-40<br />
Explanation:<br />
Error Occurred while copying SFX file &1 to archive file.<br />
SELFXTRACT was coded to build an archive with a self extracting preamble. While<br />
trying to copy SFX file &1 to the archive, an error occurred. See previous detail job<br />
log <strong>for</strong> more details on the failure. Contact the Product Services Division at 1-937-<br />
847-2687 <strong>for</strong> assistance.<br />
AQZ0163-00<br />
Explanation:<br />
Self Extracting code was added to archive with &2 bytes<br />
SELFXTRACT(&1) was coded to build an archive with a self extracting preamble.<br />
This is in<strong>for</strong>mational only on the addition of the preamble &1 to the archive.<br />
AQZ0164-00<br />
Explanation:<br />
Removing &1 bytes preamble code from Archive File &2.<br />
SELFXTRACT(*REMOVE) was coded to remove the self extracting preamble from<br />
the archive. This is in<strong>for</strong>mational only on the removal of the preamble.<br />
AQZ0165-00<br />
Explanation:<br />
File &1 exceeds 4 Gig and PKZIP is not running with GZIP(*YES).<br />
File bypassed.<br />
PKZIP is trying to compress file &1 in a standard archive (parameter GZIP is *NO)<br />
and the sizes exceed 4 gigabytes. Use GZIP(YES) to compress.<br />
249
AQZ0166-40<br />
Explanation:<br />
Self Extraction Creation cannot be per<strong>for</strong>med with Encryption.<br />
SELFXTRACT was coded to create a self extracting archive with advanced<br />
encryption. Advanced encryption is not supported with self extracting archives.<br />
AQZ0167-40<br />
Explanation:<br />
Self Extraction Creation cannot be per<strong>for</strong>med with Large File<br />
Support.<br />
SELFXTRACT was coded to create a self extracting archive and it was determined<br />
that ZIP64 <strong>for</strong>mat will be required <strong>for</strong> large file support. ZIP64 large file support is not<br />
provided <strong>for</strong> self extracting archives.<br />
AQZ0168-40<br />
Explanation:<br />
Self Extraction preamble &1 is not supported.<br />
SELFXTRACT was coded to create a self extracting archive with &1. It is not<br />
available on your current environment. The job will be terminated. Contact the<br />
Product Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0169-00<br />
Explanation:<br />
Inputted Recipient Listing.<br />
In<strong>for</strong>mational heading <strong>for</strong> ZIP and UNZIP. The recipient list that was inputted will<br />
follow.<br />
AQZ0170-00<br />
Explanation:<br />
&1 &2.<br />
In<strong>for</strong>mational. A message <strong>for</strong> each inputted recipient list when Verbose(*all). This will<br />
show the optional/required, lookup type, and lookup string.<br />
Example: Rqrd *LDAP EM=robb.ervin@pkware.com<br />
Opt'l *File /pkzshare/CStores/public/suegantt04.cer<br />
AQZ0171-00<br />
Explanation:<br />
Simulated List:&1.<br />
CRTLIST(*SIMLUATE) was specified to simulate the selection list with the ZIP<br />
process and each file selected is shown with this message.<br />
250
AQZ0172-40<br />
Explanation:<br />
Recipient Processing Fail due to error code &1.<br />
An internal error occurred with certificate processing. This should not occur. The<br />
message detail contains diagnostic in<strong>for</strong>mation of this occurrence. Please contact the<br />
Product Services Division at 1-937-847-2687 <strong>for</strong> assistance. Control data .<br />
AQZ0173-00<br />
Explanation:<br />
No Private Certificate found <strong>for</strong> decryption.<br />
No valid private certificates were found. At least one private key required <strong>for</strong><br />
decryption. Control data .<br />
AQZ0174-40<br />
Explanation:<br />
Recipient Encryption process failed.<br />
An internal error occurred with recipient encryption processing. This should not<br />
occur. The message detail contains diagnostic in<strong>for</strong>mation of this occurrence.<br />
Please contact the Product Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
Control data .<br />
AQZ0175-00<br />
Explanation:<br />
Required Recipient Failed.<br />
An inputted recipient was coded to be required, but either the recipient string could<br />
not be found or the certificate was invalid. Review the inputted recipient shown in the<br />
message<br />
AQZ0176-40<br />
Explanation:<br />
Invalid &1 Store <strong>for</strong> Recipient Processing.<br />
Either the public store, private store or LDAP definitions in the configuration security<br />
file are invalid. Run PKCFGSEC *VIEW and review the store definitions.<br />
AQZ0177-40<br />
Explanation:<br />
No Recipients were selected <strong>for</strong> Encryption process.<br />
Recipient encryption was requested, but no valid recipients were found. Review<br />
inputted recipients and verify their existence.<br />
AQZ0178-40<br />
Explanation:<br />
Required Recipient failed selection process.<br />
Inputted recipient that was coded as “required” failed to be found or contained an<br />
invalid certificate.<br />
251
AQZ0179-00<br />
Explanation:<br />
Total Recipients processed &1.<br />
In<strong>for</strong>mation only. Displays the total number of recipients that were selected <strong>for</strong><br />
processing.<br />
AQZ0180-40<br />
Explanation:<br />
Recipient Requires Password <strong>for</strong> Private Key.<br />
UNZIP recipients require a certificate password <strong>for</strong> each recipient. This is required to<br />
access the private key <strong>for</strong> decryption. Re-run with password <strong>for</strong> each recipients<br />
certificate.<br />
AQZ0181-00<br />
Explanation:<br />
Could Not Process Recipient In File .<br />
While trying to parse an INLIST recipients file, an error was found. Review the<br />
<strong>for</strong>mat, separators, beginning character and ending character.<br />
AQZ0182-00<br />
Explanation:<br />
Invalid Recipient InFile Record Nbr &2.<br />
While trying to parse an INLIST recipients file, an error was found. Review the<br />
<strong>for</strong>mat, separators, beginning character and ending character. This shows the record<br />
number that caused the error in the INLIST file.<br />
AQZ0183-00<br />
Explanation:<br />
Archive Recipient List:<br />
In<strong>for</strong>mational Heading. The recipient list messages AQZ0184 follows.<br />
AQZ0184-00<br />
Explanation:<br />
CN=&1 EMail=&2.<br />
In<strong>for</strong>mational. Each recipient that is included in the process will be listed showing the<br />
common name and email address.<br />
AQZ0185-00<br />
Explanation:<br />
Certificate Database is not Active.<br />
A recipient was authorized to use the certificate locator database (*DB) but the<br />
certificate database is not set to active in the security configuration file. Use<br />
PKCFGSEC *VIEW to view settings. And then use PKCFGSEC to set the database<br />
settings.<br />
252
AQZ0186-40<br />
Explanation:<br />
Security Configuration Turned Off to disallow Certifcate<br />
Processing.<br />
A recipient was coded in the ENTPREC parameter, but the security configuration file<br />
is either missing or is not active (ZIP Secure Settings/ SecureZIP Active=NO). Use<br />
PKCFGSEC *VIEW to view settings. Use PKCFGSEC to set it active.<br />
AQZ0187-40<br />
Explanation:<br />
No Private Key(s) provided to per<strong>for</strong>m Decryption.<br />
Recipients supplied <strong>for</strong> decryption, but there were no recipients with a password (<strong>for</strong><br />
private keys) that was selected. To do decryption, at least one valid private key is<br />
required.<br />
AQZ0188-40<br />
Explanation:<br />
Recipient INLIST file &1 cannot be opened.<br />
The recipient list contains a lookup type of *INLIST <strong>for</strong> Inlist file processing. The file<br />
string supplied could not be found or opened. Verify the file and the file system<br />
where it resides. See TYPLISTFL parameter.<br />
AQZ0189-40<br />
Explanation:<br />
No Signers were selected <strong>for</strong> Digital Signing processing.<br />
Digital signing was requested, but no valid signers were found. Review inputted<br />
signers and verify existence of certificates.<br />
AQZ0190-40<br />
Explanation:<br />
Signing Processing Fail due to error code &1.<br />
An Internal error occurred with certificate processing. This should not occur. The<br />
message detail contains diagnostic in<strong>for</strong>mation of this occurrence. Please contact the<br />
Product Services Division at 1-937-847-2687 <strong>for</strong> assistance. Control data .<br />
AQZ0191-40<br />
Explanation:<br />
More Than one (1) Archive Signer was submitted..<br />
Only one archive signer is permitted. Change the SIGNERS parameter and resubmit<br />
with one archive signer.<br />
AQZ0192-40<br />
Explanation:<br />
Required Signer or Authenticator failed selection process.<br />
Inputted signer or authenticator that was coded as "Required" failed to be found or<br />
contained an invalid certificate.<br />
253
AQZ0193-40<br />
Explanation: T.<br />
Authenticating processing Failed due to error code &1.<br />
AQZ0194-40<br />
Explanation:<br />
Request <strong>for</strong> Specific Authenticator was not found.<br />
Post &1.<br />
AQZ0195-40<br />
Explanation:<br />
File Authentication check unsuccessful.<br />
Based on the authentication filters, one or more archive authentications failed.<br />
Failure codes (&1).<br />
AQZ0196-30<br />
Explanation: x.<br />
Archive Has been Tampered with: Archive Authentication has been<br />
removed.<br />
AQZ0197-40<br />
Explanation:<br />
Archive Authentication check unsuccessful.<br />
Based on the authentication filters, one or more archive authentications failed.<br />
Failure Codes (&1).<br />
AQZ0198-40<br />
Explanation:<br />
Request <strong>for</strong> Optional Authenticators were not found.<br />
Post &1.<br />
AQZ0199-40<br />
Explanation: T.<br />
Run being terminated <strong>for</strong> Authentication failure.<br />
AQZ0200-40<br />
Signers Requires password.<br />
Explanation: Control data .<br />
254
AQZ0201-00<br />
Explanation:<br />
PKUNZIP Archive: &1.<br />
PKUNZIP In<strong>for</strong>mational: Currently processing archive file &1.<br />
AQZ0203-10<br />
Explanation:<br />
Caution: File name not matched: &1.<br />
PKUNZIP could not find the specified file name in the FILES and/or INCLFILE<br />
parameters. File is not extracted.<br />
AQZ0204-10<br />
Explanation:<br />
Caution: Excluded file name not matched: &1.<br />
Based upon entered EXCLUDE and EXCLFILE parameters, PKUNZIP did not find<br />
any names to exclude. This is in<strong>for</strong>mational only.<br />
AQZ0205-00<br />
Explanation:<br />
Please check that you have transferred or created the Archive<br />
File in the appropriate BINARY mode.<br />
PKUNZIP displays this message as a reminder of a common cause of an invalid<br />
archive file. This message appears with invalid archive messages.<br />
AQZ0206-40<br />
Explanation:<br />
Archive name contains invalid characters.<br />
The archive name contains characters that are invalid and will cause the archive to<br />
fail to be created. Correct archive and execute the job again.<br />
AQZ0208-00<br />
Explanation:<br />
Skipping: &1 unsupported compression method &2.<br />
PKUNZIP, while trying to extract file &1, found an unsupported compression method.<br />
The file is unable to be extracted. Run PKUNZIP with TYPE(*VIEW) and<br />
VIEWOPT(*Detail) <strong>for</strong> more in<strong>for</strong>mation about the file and its compression method.<br />
This file is skipped in this extraction run<br />
AQZ0209-40<br />
Explanation:<br />
Signing is not activated.<br />
The signing of files and/or archives are set to No in the enterprise configuration file.<br />
(See PKCFGSEC)..<br />
255
AQZ0210-40<br />
Explanation:<br />
Authentication is not activated.<br />
The authentication of files and/or archives are set to No in the enterprise configuration<br />
file. (See PKCFGSEC)..<br />
AQZ0211-00<br />
Explanation:<br />
&1 appears to use backslashes as path separators.<br />
The selection file &1 appears to have double \\ in the name <strong>for</strong> path separators. Run<br />
will continue processing with normal separators. Review results to verify.<br />
AQZ0212-00<br />
Explanation:<br />
Error: Invalid response [&1].<br />
An Invalid response was received <strong>for</strong> a reply message. Review the reply message<br />
request <strong>for</strong> a valid response, and once located, enter a valid response.<br />
AQZ0213-00<br />
Explanation:<br />
At least one error was detected in &1.<br />
PKUNZIP encountered at least one error while processing. Review job log <strong>for</strong><br />
messages.<br />
AQZ0214-00<br />
Explanation:<br />
Caution: Zero files tested in &1.<br />
PKUNZIP found no files to test while processing with TYPE(*TEST). Review job log<br />
<strong>for</strong> other messages and review selection criteria. Run PKUNZIP with TYPE(*VIEW)<br />
and VIEWOPT(*Detail) to verify archive file.<br />
AQZ0215-00<br />
Explanation:<br />
Skipping: &1 unable to get password.<br />
PKUNZIP is processing file &1 and it is encrypted, but no password was entered <strong>for</strong><br />
this run. Re-run PKUNZIP with a correct password <strong>for</strong> file &1. Processing continues<br />
with other files.<br />
AQZ0216-00<br />
Explanation:<br />
Skipping: &1 incorrect password.<br />
PKUNZIP is trying to process file &1 that is encrypted, but the password entered <strong>for</strong><br />
this run was incorrect <strong>for</strong> this file. Processing continues. Execute the job again with<br />
the correct password.<br />
256
AQZ0217-00<br />
Explanation:<br />
&1 file(s) skipped because of incorrect password.<br />
During this run of PKUNZIP, &1 file(s) were not processed due to incorrect passwords<br />
or missing passwords.<br />
AQZ0218-00<br />
Explanation:<br />
(May instead be incorrect password).<br />
Part 2 of message AQZ0226 to remind that the failure may be due to an incorrect<br />
password. Review to see if file is encrypted by running PKUNZIP with TYPE(*VIEW)<br />
and VIEWOPT(*Detail) <strong>for</strong> the file and verify that encryption is on <strong>for</strong> the file.<br />
AQZ0219-00<br />
Explanation:<br />
No errors detected in compressed data of &1.<br />
PKUNZIP encountered errors with archive file &1 during run. Review job log <strong>for</strong><br />
messages.<br />
AQZ0220-00<br />
Explanation:<br />
No errors detected in &1 <strong>for</strong> &2 file(s) tested.<br />
PKUNZIP was run with TYPE(*TEST). No errors were found in testing the selected<br />
files in the archive file &2.<br />
AQZ0221-00<br />
Explanation:<br />
&1 file(s) skipped because of unsupported compression or<br />
encoding.<br />
PKUNZIP encountered &1 files that were bypassed due to unsupported compression<br />
methods. Review the job log <strong>for</strong> details.<br />
AQZ0224-00<br />
Explanation:<br />
Warning: &1 is probably truncated.<br />
While trying to extract file &1, some type of write error occurred, <strong>for</strong>cing an incomplete<br />
extraction. The file has probably been truncated. Review the job log <strong>for</strong> more<br />
in<strong>for</strong>mation about why this message occurred.<br />
AQZ0225-20<br />
Explanation:<br />
&1: Unknown compression method.<br />
Compression method number &2 was found in the archive <strong>for</strong> file &1. This<br />
compression is unknown and is not supported by this PKUNZIP version. PKUNZIP<br />
will skip this file and then will attempt to extract the next file within the archive.<br />
257
AQZ0226-00<br />
Explanation:<br />
&1: Bad CRC &2.<br />
While extracting file &1, the CRC calculated <strong>for</strong> the file was not the same as the CRC<br />
stored in the archive <strong>for</strong> the file.<br />
AQZ0227-00<br />
Explanation:<br />
&1: Compressed EA data missing (&2 bytes).<br />
In extracting file &1, it was identified to be created as an EF NTSD file. The EA data<br />
is missing and the file will be not be extracted.<br />
AQZ0228-00<br />
Explanation:<br />
Field entry: EF block length (&1 bytes) exceeds remaining EF<br />
data (&2 bytes).<br />
Inconsistent extra field data was found, which will be ignored. The extracted file data<br />
should be valid.<br />
AQZ0231-00<br />
Explanation:<br />
&1: Bad CRC <strong>for</strong> extended attributes.<br />
A bad CRC was found in the extended attributes <strong>for</strong> an archive created by an OS/2<br />
system. Extended Attributes are ignored.<br />
AQZ0232-00<br />
Explanation:<br />
&1: Unknown compression method <strong>for</strong> EAs (&2).<br />
An unknown compression method found <strong>for</strong> an archive created by an OS/2 system.<br />
File is not extracted. Run PKUNZIP with TYPE(*VIEW) and VIEWOPT(*ALL) to see<br />
archive details.<br />
AQZ0234-00<br />
Explanation:<br />
&1 archive&2 successfully processed.<br />
In<strong>for</strong>mational: &1 is the number of files that were processed successfully in the<br />
archives.<br />
AQZ0235-00<br />
Explanation:<br />
&1 archive&2 had warnings but no fatal error.<br />
In<strong>for</strong>mational: &1 is the number of files processed in the archives that issued a<br />
warning. Review job log <strong>for</strong> their warnings.<br />
258
AQZ0236-00<br />
Explanation:<br />
&1 archive&2 had fatal errors.<br />
There were &1 files in the archives that had a fatal error and could not be processed.<br />
Review job log <strong>for</strong> messages of the files that failed.<br />
AQZ0240-00<br />
Explanation:<br />
No Archive files found.<br />
While searching <strong>for</strong> an archive to extract from, no archive file was found. Review to<br />
see that the archive exists.<br />
AQZ0241-00<br />
Explanation:<br />
Cannot find archive file internal end directory in one of &1 or<br />
&2%s.zip, and cannot find %s, period.<br />
The archive file may not be an archive or it may be corrupted.<br />
AQZ0242-40<br />
Explanation:<br />
Cannot find archive file &1, &2.<br />
The archive file could not be found. Review command parameters.<br />
AQZ0246-00<br />
Explanation:<br />
Note: &1 may be a plain executable, not an archive.<br />
The archive file &1 is not an archive. Either it is corrupted, or it could be an<br />
executable object.<br />
AQZ0247-00<br />
Explanation:<br />
Warning [&1]: &2 extra bytes at beginning or within Archive<br />
File (attempting to process anyway).<br />
The archive &1 contains extra bytes within the archive. Will attempt continued<br />
extraction. Verify other messages within the job log and review source of archive file.<br />
If no failing message occurs, the extract file should be valid.<br />
AQZ0250-00<br />
Testing: &1.<br />
Explanation: PKUNZIP In<strong>for</strong>mational: TYPE(*TEST) is in the processing of testing file &1.<br />
259
AQZ0251-00<br />
Explanation:<br />
Extracting: &1 &2.<br />
PKUNZIP In<strong>for</strong>mational: TYPE(*EXTRACT) is in the process of extracting a stored<br />
file &1 with mode of empty, binary, text, text in EBCDIC, SAVF, or database file.<br />
AQZ0252-00<br />
Explanation:<br />
Unshrinking: &1 &2.<br />
PKUNZIP In<strong>for</strong>mational: TYPE(*EXTRACT) is in the process of extracting file &1 that<br />
was compressed with the shrink method, and with either a mode of empty, binary,<br />
text, text in EBCDIC, SAVF, or database file.<br />
AQZ0253-00<br />
Explanation:<br />
Exploding: &1 &2.<br />
PKUNZIP In<strong>for</strong>mational: TYPE(*EXTRACT) is in the process of extracting file &1 that<br />
was compressed with the implode method, with either a mode of empty, binary, text,<br />
text in EBCDIC, SAVF, or database file.<br />
AQZ0254-00<br />
Explanation:<br />
Inflating: &1 &2.<br />
PKUNZIP In<strong>for</strong>mational: TYPE(*EXTRACT) is in the process of extracting file &1 that<br />
was compressed with the Deflate method, with either a mode of empty, binary, text,<br />
text in EBCDIC, SAVF, or database file.<br />
AQZ0255-10<br />
Explanation:<br />
Member truncated to 10 characters.<br />
The member name of a file being extracted exceeds the ten-character limitation <strong>for</strong> an<br />
<strong>iSeries</strong> file member name. The name is truncated to ten characters.<br />
AQZ0256-10<br />
Explanation:<br />
Warning: Cannot set times <strong>for</strong> &1.<br />
After extracting a file to the integrated file system, PKUNZIP failed to reset the date<br />
and time from the archive file to the file extracted to IFS. The file data is correct.<br />
AQZ0257-00<br />
Explanation:<br />
When Creating an out list file, TYPE must be *VIEW with *NORMAL<br />
view.<br />
PKUNZIP has keyword CRTLIST specified and can only be used with TYPE(*VIEW)<br />
and VIEWOPT(*NORMAL). Correct the TYPE value and execute the job again.<br />
260
AQZ0258-10<br />
Explanation:<br />
Overriding Library is invalid.<br />
Parameter EXDIR was specified in PKUNZIP with TYPE(*EXTRACT) and<br />
TYPFL2ZP(*DB). The first path in EXDIR contains an invalid Library due to the name<br />
exceeding 10 characters. Run is aborted. Correct the command and execute the job<br />
again.<br />
AQZ0259-00<br />
Explanation:<br />
Target file exists. Skipping &1.<br />
Warning: PKUNZIP was extracting file &1, but the file already exists. Parameter<br />
OVERWRITE was either set to *NO or it was set to *PROMPT and the response on<br />
the prompt was N.<br />
AQZ0260-00<br />
Explanation:<br />
Target file newer. Skipping &1.<br />
Warning: PKUNZIP was extracting file &1 with TYPE(*NEWER). The current file is<br />
newer than the file in the archive and will be skipped.<br />
AQZ0261-00<br />
Explanation:<br />
File: &1 tested OK.<br />
In<strong>for</strong>mational: PKUNZIP with TYPE(*TEST) tested file &1 and found no problems.<br />
AQZ0262-20<br />
Explanation:<br />
Warning! &1 already exists. Reply Y, N, A, R, y, n, or r.<br />
Y = Overwrite this file with the file extracted from the archive. N = The file will not be<br />
extracted from the archive. A = All files in the archive will be extracted and will<br />
overwrite any existing files of the same name. R = you will be prompted <strong>for</strong> a new file<br />
name. The default is N. If you wish to change this default then use the CHGMSGD<br />
command.<br />
AQZ0263-00<br />
Explanation:<br />
Enter in the new File Name <strong>for</strong> &1.<br />
PKUNZIP issued message AQZ0262 <strong>for</strong> prompt <strong>for</strong> the over writing of file &1. The<br />
response received was "R" to rename the file. Enter in a valid name <strong>for</strong> the new file.<br />
261
AQZ0264-20<br />
Explanation:<br />
Warning: EBCDIC Translation code x’15’ must convert to x’0a’<br />
in &1(&2) override.<br />
Keyword TRAN (Data EBCDIC Translation Mbr) was selected with an override<br />
member. EBCDIC code x’15’ must translate to x’0A’ <strong>for</strong> <strong>iSeries</strong> EOL(end of line)<br />
character. Correct and execute the job again.<br />
AQZ0265-00<br />
Explanation:<br />
Warning: The password has embedded blanks.<br />
A password was entered <strong>for</strong> PKZIP keyword PASSWORD() and was found to have<br />
blanks embedded. Some systems do not accept embedded blanks in the password.<br />
Run continues with the entered password.<br />
AQZ0266-00<br />
Explanation:<br />
Tersing &1 in &2 mode.<br />
PKZIP In<strong>for</strong>mational: File &1 is being compressed with the TERSE compression<br />
method with either a mode of empty, binary, text, text in EBCDIC, SAVF, or database<br />
file.<br />
AQZ0267-00<br />
Explanation:<br />
unTersing &1 &2<br />
PKUNZIP In<strong>for</strong>mational: TYPE(*EXTRACT) is in the process of extracting file &1 that<br />
was compressed by the TERSE method, with either a mode of empty, binary, text,<br />
text in EBCDIC, SAVF, or database file.<br />
AQZ0268-10<br />
Explanation:<br />
Warning! Record length mismatch. Archived file record length<br />
= &1, output file record length = &2.<br />
PKUNZIP has detected that the output file and the file in the archive have different<br />
record lengths. PKUNZIP will still try to extract the data, but the <strong>for</strong>mat and<br />
appearance of the data is not guaranteed. Please consult the manual <strong>for</strong> more<br />
in<strong>for</strong>mation.<br />
AQZ0269-40<br />
Explanation:<br />
Password Failed Enterprise Security Settings.<br />
The security configuration defines the password settings, and the password entered<br />
does not con<strong>for</strong>m to the enterprise settings. Do a PKCFGSEC *VIEW to view the<br />
Password configuration.<br />
262
AQZ0270-40<br />
Explanation:<br />
Password does not match the Verify Password. Re-enter and try<br />
again.<br />
The password entered in the VPASSWORD parameter does not match than the<br />
password entered in the PASSWORD parameter or VPASSWORD is missing when<br />
advanced encryption was selected. The run will be terminated. Re-issue the<br />
command and verify both PASSWORD and VPASSWORD contains the same values.<br />
AQZ0271-40<br />
Explanation:<br />
Compressed Size Invalid <strong>for</strong> Advance Encryption.<br />
File &1 requires advanced encryption but has an invalid compress size of &2. Do a<br />
PKUNZIP TYPE(*VIEW) VIEWOPTION(*DETAIL) <strong>for</strong> more in<strong>for</strong>mation about file.<br />
extract or test will continue.<br />
AQZ0272-40<br />
Explanation:<br />
Advance Encryption is invalid <strong>for</strong> GIZP Archive.<br />
PKZIP is running with GZIP(*YES) and the option ADVCRYPT is specifying advanced<br />
encryption (other than *NONE and ZIPSTD), GZIP only supports ZIP standard <strong>for</strong><br />
<strong>iSeries</strong> and zSeries. Note: Standard GZIP on plat<strong>for</strong>ms other than <strong>iSeries</strong> and<br />
zSeries do not support encryption.<br />
AQZ0273-40<br />
Explanation:<br />
Major Error Occurred with Advanced Encryption with New File<br />
size. Will Try to continue.<br />
PKUNZIP failed while extracting a file with invalid advanced encryption controls. The<br />
extracted size exceeds the uncompressed size &1 by &2 bytes. Contact the Product<br />
Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0274-40<br />
Explanation:<br />
Encryption Method is not Supported.<br />
PKUNZIP cannot extract file due to the encryption method indicated on the archive.<br />
Per<strong>for</strong>m PKZIP TYPE(*VIEW) VIEWOPT(*ALL) to check encryption method on<br />
message AQZ0872. Only valid encryption methods supported are: Zip standard, AES<br />
128, AES 192, and AES 256.<br />
AQZ0275-40<br />
Explanation:<br />
A File in the Archive coded <strong>for</strong> Adavnced Encryption was found<br />
to be Invalid.<br />
PKUNZIP was extracting a file coded as being archived with advanced encryption.<br />
The file is invalid due to invalid encryption data. Per<strong>for</strong>m PKZIP TYPE(*VIEW)<br />
VIEWOPT(*ALL) and check other messages in the job log <strong>for</strong> possible causes. If this<br />
continues, please contact the Product Services Division at 1-937-847-2687 <strong>for</strong><br />
assistance.<br />
263
AQZ0276-40<br />
Explanation:<br />
Security Types Not Supported <strong>for</strong> file Archive.<br />
PKUNZIP could not extract file. archive indicates that it contains security types of<br />
certificate signature or combination password and signature. PKUNZIP only supports<br />
password only. Do a PKUNZIP TYPE(*VIEW) VIEWOPT(*DETAIL) to see security<br />
type.<br />
AQZ0277-40<br />
Explanation:<br />
Security Settings Require a Password on ZIP processes.<br />
The security configuration states that all archives must have a password <strong>for</strong><br />
encryption, but no password was entered in the PASSWORD parameter. See<br />
PKCFGSEC.<br />
AQZ0278-40<br />
Explanation:<br />
Enterprise Security Requires at least one Recipient <strong>for</strong><br />
Certificate processing.<br />
The security configuration states that all archives must have at least one recipient <strong>for</strong><br />
encryption, but no recipients were entered. See “ZIP Secure Settings: Recipient<br />
Secure(*RQD)” in PKCFGSEC *VIEW.<br />
AQZ0280-40<br />
Explanation:<br />
Only TYPE(*ADD) or TYPE(*MOVE) are valid with Spool Files<br />
selection.<br />
When parameter TYPFL2ZP(*SPL) is used <strong>for</strong> spool file selection, only *ADD and<br />
*MOVE are valid settings <strong>for</strong> the TYPE parameter. Correct and execute the job<br />
again.<br />
AQZ0281-40<br />
Explanation:<br />
File Inlcudes and Excludes are invalid <strong>for</strong> Spool File<br />
selection.<br />
When parameter TYPFL2ZP(*SPL) is used <strong>for</strong> spool file selection, the INCLUDE and<br />
EXCLUDE parameters are not allowed. Correct and execute the job again.<br />
AQZ0282-40<br />
Explanation:<br />
Input list file <strong>for</strong> file includes and excludes are invalid with<br />
Spool File Selection.<br />
When parameter TYPFL2ZP(*SPL) is used <strong>for</strong> spool file selection, the INCLFILE and<br />
EXCLFILE parameters <strong>for</strong> list input file includes and excludes are not allowed.<br />
Correct and execute the job again.<br />
264
AQZ0283-40<br />
Explanation:<br />
Date selection (DATETYPE) with Be<strong>for</strong>e or After is Invalid with<br />
Spool File Selection.<br />
When parameter TYPFL2ZP(*SPL) is used <strong>for</strong> spool file selection, the DATETYPE<br />
must be *NONE. Correct and execute the job again.<br />
AQZ0284-40<br />
Explanation:<br />
STOREPATH(*NO) is invalid with Spool Selection.<br />
When parameter TYPFL2ZP(*SPL) is used <strong>for</strong> spool file selection, the STOREPATH<br />
must be *YES. Correct and execute the job again.<br />
AQZ0285-40<br />
Explanation:<br />
The Spooled File and/or Attributes cannot be retrieved. Error<br />
Code=&1 with &2.<br />
While trying to retrieve a Spool File or the spool file attributes, an error (code=&1 with<br />
&2) occurred. Job will be aborted. It may be that the spool file was being modified.<br />
Try to execute the job again. If problem persists, please contact the Product Services<br />
Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0286-40<br />
Explanation:<br />
Job in<strong>for</strong>mation cannot be retrieved. Job ending with Error<br />
Code (&1 - &2).<br />
In<strong>for</strong>mation about current job could not be retrieved. Job will be aborted. Try |rerunning.<br />
If problem continues, please contact the Product Services Division at 1-937-<br />
847-2687 <strong>for</strong> assistance.<br />
AQZ0287-40<br />
Explanation:<br />
Spool File Selection List could not generated. Job ending with<br />
Error Code (&1 - &2).<br />
While trying to select spool files <strong>for</strong> processing, the job has failed while generating a<br />
list of spool files. Try to execute the job again. If problem persists, please contact the<br />
Product Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0288-40<br />
Explanation:<br />
Abnormal Error Occurred while processing Spool Files.<br />
While processing a spool file, an internal error occurred with error codes (&1 - &2).<br />
Try re-running. If problem continues, please contact the Product Services Division at<br />
1-937-847-2687 <strong>for</strong> assistance.<br />
265
AQZ0289-40<br />
Explanation:<br />
Failure occurred during creation of Spool File.<br />
While trying to create a spool during extraction, a failure occurred with error codes<br />
(&1 - &2). Try re-running. If problem continues, please contact the Product Services<br />
Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0291-40<br />
Explanation:<br />
SFJOBNAM in the PKZIP command is incomplete or Invalid.<br />
If the Spool File Job Name is “*”, spool file job user and spool file job number must be<br />
blank. Otherwise all fields must contain valid name, user and number or they must all<br />
be blank. Correct and execute the job again.<br />
AQZ0292-40<br />
Explanation:<br />
Error Occurred while trans<strong>for</strong>ming the spool file. Job is<br />
aborted.<br />
A major error has occurred while trans<strong>for</strong>ming a spool file to an ASCII file. Job is<br />
being aborted with exception code(&1-&2). Try to execute the job again. If this<br />
failure continues, please contact the Product Services Division at 1-937-847-2687 <strong>for</strong><br />
assistance.<br />
AQZ0293-40<br />
Explanation:<br />
Parameter SFTARGET(*SPLF) requires SFTGFILE(*GEN1). Correct<br />
and re_run.<br />
SFTGFILE must be coded as *GEN1 when requesting a target type of Spool File<br />
SFTARGET(*SPLF). Correct and execute the job again.<br />
AQZ0294-40<br />
Explanation:<br />
Spoof File (&1) is &2 type print file and Convert Format is<br />
TEXT. File bypassed.<br />
Only spool file types *SCS, *IPDS and *AFP are valid <strong>for</strong> text conversion. &2 type<br />
cannot convert to TEXT <strong>for</strong>mat.<br />
AQZ0295-10<br />
Explanation:<br />
Spool File &1 is being skipped due to being in OPEN Status.<br />
Spool files that are in an open status are not eligible <strong>for</strong> selection. File will be<br />
skipped.<br />
266
AQZ0296-10<br />
Explanation:<br />
Spool File "&1" Exceeds Maximum allowed size.<br />
The spool file &1 exceeded the maximum allowed of &2. File will be either skipped or<br />
the job will end based on ERROPT settings.<br />
AQZ0297-40<br />
Explanation:<br />
The Output Queue <strong>for</strong> Spool Files selection cannot be found.<br />
The output queue specified in parameter SFQUEUE is invalid or cannot be found in<br />
the libraries specified.<br />
AQZ0298-40<br />
Explanation:<br />
Invalid Code Page <strong>for</strong> Spool File conversion.<br />
While trying to convert a spool file to ASCII text, it was found the code page was<br />
invalid. Review parameter IFSCDEPAGE <strong>for</strong> overrides. Error occurred while using<br />
page code from &1 to &2.<br />
AQZ0299-40<br />
Explanation:<br />
Spool File Target File Cannot be named GEN1 nor GEN2 nor start<br />
with an *.<br />
Spool file parameter SFTGFILE cannot have file names GEN1 and GEN2. This is to<br />
prevent mistakes by leaving off the leading *. SFTGFILE cannot start with an * other<br />
than special names *GEN1, *GEN1P and *GEN2'.<br />
AQZ0300-10<br />
Explanation:<br />
A Specific File name was specified in SFTGFILE, but more than 1<br />
spool file was selected.<br />
When specifying a file name in SFTGFILE, only one spool file can be selected.<br />
Correct selections and re-run.<br />
AQZ0301-40<br />
Explanation:<br />
Parameter SFTARGET(*SPLF) requires EXTRAFLD(*YES). Correct and<br />
re_run.<br />
In order to be able to extract a spool file, extended attributes are required.<br />
AQZ0302-40<br />
Explanation:<br />
FILETYPE parameter must be (*DETECT) when compressing Spool<br />
Files.<br />
When parameter TYPFL2ZP(*SPL) is coded to compress spool files, the FILETYPE<br />
parameter must be (*DETECT).<br />
267
AQZ0303-10<br />
Explanation:<br />
Warning: Only Local Extended Attributes was selected to store<br />
<strong>iSeries</strong> Extended Attributes.<br />
This is a warning that the extra data fields will be stored only in the local directory<br />
because of parameter EXTRADATA(*LOCAL). SecureZIP <strong>for</strong> <strong>iSeries</strong> will not utilize<br />
the extended attributes.<br />
AQZ0304-30<br />
Explanation:<br />
SFJOBNAM(&1) Job cannot not be found or is invalid.<br />
The parameter SFJOBNAM(&1) <strong>for</strong> job selection of a spool file could not be found or<br />
is an invalid job. Correct and execute the job again.<br />
AQZ0305-30<br />
Explanation:<br />
SPLNBR parameter is non-numeric or invalid.<br />
The SPLNBR must be either *ALL, *LAST, or it must be a numeric value from 1 thru<br />
999999. Correct and execute the job again.<br />
AQZ0306-40<br />
Explanation:<br />
SFQUEUE with *SEL has invalid Outq library reference.<br />
The SFQUEUE parameter has the *SEL <strong>for</strong> the OUTQ name, but the library is either<br />
blank, *LIBL, or *CURRENT. PKZIP will be aborted. Correct and execute the job<br />
again.<br />
AQZ0306-40<br />
Explanation:<br />
SFQUEUE with *SEL has invalid Outq library reference.<br />
The SFQUEUE parameter has the *SEL <strong>for</strong> the OUTQ name, but the library is either<br />
blank, *LIBL, or *CURRENT. PKZIP will be aborted. Correct and execute the job<br />
again.<br />
AQZ0307-00<br />
Explanation:<br />
The SIGNPOL validation is locked down at the enterprise level.<br />
Warning. The SIGNPOL validation is locked down at the enterprise setting, there<strong>for</strong>e<br />
parameters request are ignored.<br />
AQZ0308-00<br />
Explanation:<br />
The AUTHPOL validation is locked down at the enterprise level.<br />
Warning. The AUTHPOL validation is locked down at the enterprise setting, there<strong>for</strong>e<br />
parameters request are ignored.<br />
268
AQZ0309-00<br />
Explanation:<br />
The ENCRYPOL validation is locked down at the enterprise level.<br />
Warning. The ENCYRPOL validation is locked down at the enterprise setting,<br />
there<strong>for</strong>e parameters request are ignored.<br />
AQZ0310-00<br />
Explanation:<br />
The SIGNPOL filters ared locked down at the enterprise level.<br />
Warning. The SIGNPOL filters are locked down at the enterprise setting, there<strong>for</strong>e<br />
parameters request are ignored.<br />
AQZ0311-00<br />
Explanation:<br />
The AUTHPOL filters ared locked down at the enterprise level.<br />
Warning. The AUTHPOL filters are locked down at the enterprise setting, there<strong>for</strong>e<br />
parameters request are ignored.<br />
AQZ0312-00<br />
Explanation:<br />
The ENCRYPOL filters ared locked down at the enterprise level.<br />
Warning. The ENCRYPOL filters are locked down at the enterprise setting, there<strong>for</strong>e<br />
parameters request are ignored.<br />
AQZ0320-30<br />
Explanation:<br />
Insufficient authority to open secured Archive. Requires valid<br />
&1.<br />
The archive specified is a filename-encrypted archive that requires validation be<strong>for</strong>e it<br />
can be opened by a password and/or valid private key from a recipient.<br />
AQZ0321-40<br />
Explanation:<br />
Problem Procssing FNE.<br />
An Internal error occurred with filename-encryption processing. This should not<br />
occur. The message detail contains diagnostic in<strong>for</strong>mation of this occurrence.<br />
Please contact the Product Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
Please provide the message details <strong>for</strong> support.<br />
AQZ0322-40<br />
Explanation:<br />
FND Temporary File Failure.<br />
An Internal error occurred with the filename-encryption processing temporary file.<br />
The message detail contains diagnostic in<strong>for</strong>mation of this occurrence. Please<br />
contact the Product Services Division at 1-937-847-2687 <strong>for</strong> assistance. Please<br />
provide the message details <strong>for</strong> support.<br />
269
AQZ0324-00<br />
Explanation:<br />
Warning: FNE Input Archive being converted to Non-FNE.<br />
The archive currently specified is a filename-encrypted archive, and the filename<br />
encryption parameter is coded as “FNE(*NO *YES)”. This will convert the filenameencrypted<br />
archive to be a non-filename-encrypted archive. This is a warning only.<br />
AQZ0325-40<br />
Explanation:<br />
FNE is Invalid with GZIP.<br />
Both GZIP(*YES) and FNE(*YES) was entered. Filename encryption is an invalid<br />
GZIP option.<br />
AQZ0326-40<br />
Explanation:<br />
FNE Requires a Password and/or Recipients.<br />
FNE(*YES) was entered to create a filename-encrypted archive, but no password or<br />
recipients were entered.<br />
AQZ0327-40<br />
Explanation:<br />
FNE Requires Strong Encryption Algorithm.<br />
FNE(*YES) was entered to create a filename-encrypted archive, but the parameter<br />
ADVCRYPT was *NONE or ZIPSTD. Filename encryption requires advanced<br />
encryption.<br />
AQZ0328-30<br />
Explanation:<br />
Input Archive is FNE with FNE(*NO *NO). Requires FNE Overwrite<br />
*YES to convert to non-FNE.<br />
The archive currently specified is a filename-encrypted archive, but the filename<br />
encryption parameter was FNE(*NO *NO). This filename-encryption setting will not<br />
create a new filename-encrypted archive or overwrite an existing filename-encrypted<br />
archive. If the updated archive is to be filename-encrypted, the parameter should be<br />
FNE(*YES). If the updated archive should be a non-FnE, the parameter should be<br />
(*NO *YES).<br />
AQZ0329-00<br />
Explanation:<br />
Warning FNE will <strong>for</strong>ce EXTRAFLD(*CENTRAL).<br />
The filename encryption parameter was *YES to create an FnE archive, but the extra<br />
field was either *LOCAL or *BOTH. SecureZIP will <strong>for</strong>ce EXTRAFLD(*CENTRAL).<br />
270
AQZ0330-00<br />
Explanation:<br />
Warning:FNE archive found. Inputted Password and/or Recipients<br />
will be ignored.<br />
The archive currently specified is a filename-encrypted archive <strong>for</strong> updating. The<br />
archive will be updated with its current password and/or recipients. This is a warning<br />
that any new password or new recipients will be ignored.<br />
AQZ0401-40<br />
Explanation:<br />
Memory allocation failure while processing Parameters &1 &2.<br />
A failure occurred while trying to allocate memory. Check other messages in the job<br />
log <strong>for</strong> possible causes and refer to Appendix C about memory errors. If this<br />
continues, please contact the Product Services Division at 1-937-847-2687 <strong>for</strong><br />
assistance.<br />
AQZ0402-40<br />
Explanation:<br />
I/O Error: &1.<br />
An I/O error occurred. This message will help describe a previous message. Review<br />
all messages in the job log to resolve the problem.<br />
AQZ0403-40<br />
Explanation:<br />
Open error occurred on Translate table .<br />
While opening file &1, an open error occurred. Review FTRAN and TRAN keyword<br />
entries and messages in the job log to determine the cause of problem. Current run<br />
is terminated.<br />
AQZ0404-40<br />
Explanation:<br />
Read Error while reading Translate table .<br />
While reading file &1, an error occurred. Review FTRAN and TRAN keyword entries<br />
and messages in the job log to determine the cause of the problem. Browse file &1<br />
and review the data to ensure it follows the requirements of a translate table. The<br />
current run is terminated.<br />
AQZ0405-40<br />
Explanation:<br />
Translate Table must have 256 entries. File found &2<br />
entries.<br />
A translation table is required to have 256 entries. Browse file &1 and review the data<br />
to ensure it follows the requirements of a translate table. The current run is<br />
terminated.<br />
271
AQZ0406-40<br />
Explanation:<br />
Internal Error. Should not occur "&1".<br />
If this error occurs, review to ensure you have a valid archive. Please contact the<br />
Product Services Division at 1-937-847-2687 <strong>for</strong> assistance. Current run is<br />
terminated.<br />
AQZ0407-40<br />
Explanation:<br />
&1 file size changed while zipping.<br />
PKZIP has determined that the size of file &1 has changed while compressing. Size<br />
In<strong>for</strong>mation (&2). File should be compressed again.<br />
AQZ0408-40<br />
Explanation:<br />
Compression of input file &1 failed. Could not read input<br />
file.<br />
A read error occurred while trying to compress input file &1. Review all job log<br />
messages to determine cause of read error. The job is terminated.<br />
AQZ0409-40<br />
Explanation:<br />
Failure during user space creation &1.<br />
A failure occurred while using an API, which required a user space that failed. See<br />
message &2 in job log <strong>for</strong> which API and why the failure occurred. The job is<br />
terminated.<br />
AQZ0410-40<br />
Explanation:<br />
API list command failure due error &1 &2.<br />
Review error message &1 <strong>for</strong> more in<strong>for</strong>mation why API list command &2 failed. The<br />
job is terminated.<br />
AQZ0411-40<br />
Explanation:<br />
File &1. is not a database.<br />
A list member API was issued <strong>for</strong> file &1. A return message, "CPF3C23," indicates<br />
this file is not a database file, which is allowed to have members. Review file &1 to<br />
ensure it is a valid file to compress. The job is terminated.<br />
AQZ0412-00<br />
Explanation:<br />
API error &1. Get Member descriptions .<br />
While issuing a Get Member descriptions <strong>for</strong> file &2, error &1 occurred. Review<br />
message &1 <strong>for</strong> more in<strong>for</strong>mation.<br />
272
AQZ0413-00<br />
Explanation:<br />
API error &1. Database File descriptions .<br />
While retrieving the file descriptions <strong>for</strong> file &2, error &1 occurred. Review message<br />
&1 <strong>for</strong> more in<strong>for</strong>mation.<br />
AQZ0414-00<br />
Explanation:<br />
API error &1. Get Object descriptions .<br />
While retrieving object descriptions <strong>for</strong> file &2, error &1 occurred. Review message<br />
&1 <strong>for</strong> more in<strong>for</strong>mation.<br />
AQZ0415-00<br />
Explanation:<br />
API error &1. Change Object descriptions .<br />
While issuing a change to the object &2, error &1 occurred. Review message &1 <strong>for</strong><br />
more in<strong>for</strong>mation.<br />
AQZ0416-00<br />
Explanation:<br />
API error &1. Process Command .<br />
While trying to process command &2, error &1 occurred. Review message &1 <strong>for</strong><br />
more in<strong>for</strong>mation. This may occur if the user does not have the proper authority <strong>for</strong><br />
the command.<br />
AQZ0417-40<br />
Explanation:<br />
Error writing List file &1.<br />
Keyword CRTLIST was specified and an error occurred while writing to file &1.<br />
Review all job log messages <strong>for</strong> more details. The job will be terminated.<br />
AQZ0418-40<br />
Explanation:<br />
Error opening or closing list file &1.<br />
Keyword CRTLIST was specified and an error occurred while &2 was opening or<br />
closing file &1. Review all job log messages <strong>for</strong> more details. The job will be<br />
terminated.<br />
AQZ0419-40<br />
Explanation:<br />
Cannot open file <strong>for</strong> Include selection.<br />
File &1 (specified in keyword INCLFILE) cannot be opened. See job log messages<br />
<strong>for</strong> more in<strong>for</strong>mation. Verify that file &1 is a valid file <strong>for</strong> input to include selection.<br />
The job is terminated.<br />
273
AQZ0420-40<br />
Explanation:<br />
Cannot open file <strong>for</strong> Exclude filtering.<br />
File &1 (specified in keyword EXCLFILE), cannot be opened. See job log messages<br />
<strong>for</strong> more in<strong>for</strong>mation. Verify that file &1 is a valid file <strong>for</strong> input to exclude selection.<br />
The job is terminated.<br />
AQZ0421-00<br />
Explanation:<br />
File failed while retrieving the members <strong>for</strong> the file.<br />
Review Job Log <strong>for</strong> previous message <strong>for</strong> details of failure.<br />
When trying to retrieve the members <strong>for</strong> file and record , the API failed.<br />
The job log will show more details in the previous messages. One cause may be the<br />
file was remote and could not be accessed.<br />
AQZ0450-40<br />
Explanation:<br />
Did not find end-of-central-dir signature at end of central<br />
dir.<br />
While scanning an archive <strong>for</strong> proper archive signatures, the end of central directory<br />
signature could not be found. Ensure it is a valid archive or if the archive was sent via<br />
FTP; ensure binary was used.<br />
AQZ0451-40<br />
Explanation:<br />
Expected central file header signature not found (file #&1).<br />
While scanning an archive <strong>for</strong> proper archive signatures, the expected central file<br />
header signature could not be found. The archive may be corrupted, or it was<br />
transferred from another source incorrectly.<br />
AQZ0452-40<br />
Explanation:<br />
Attempt to seek be<strong>for</strong>e beginning of Archive file &1.<br />
While scanning the archive <strong>for</strong> valid in<strong>for</strong>mation, an offset caused PKZIP to attempt<br />
seeking functions prior to the beginning of the archive. The archive may be<br />
corrupted.<br />
AQZ0453-40<br />
Explanation:<br />
&1: Bad file comment length.<br />
The archive indicated that a comment existed <strong>for</strong> file &1. The length was zero, or the<br />
comment length was wrong. Run PKUNZIP with detail view <strong>for</strong> more in<strong>for</strong>mation.<br />
274
AQZ0454-40<br />
Explanation:<br />
Invalid option mixture - should never occur by using PKUNZIP<br />
Command.<br />
Please contact the Product Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0455-40<br />
Explanation:<br />
Both Overwrite *NONE and *ALL specified; ignoring *ALL - This<br />
should never Occur.<br />
By using the PKUNZIP command this error should never occur. Please contact the<br />
Product Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0456-40<br />
Explanation:<br />
&1: bad filename length in &2 directory.<br />
File &1 was found to have a bad file name length in the archive &2 directory.<br />
Processing will continue at the next entry. Try running PKUNZIP with<br />
VIEWOPT(*DETAIL) to gather more in<strong>for</strong>mation. The archive may be corrupt.<br />
AQZ0457-40<br />
Explanation:<br />
&1: Bad Extra data length in &2 directory.<br />
File &1 was found to have a bad extra data length in the archive &2 directory.<br />
Processing will continue at the next entry. Try running PKUNZIP with a detail view to<br />
gather more in<strong>for</strong>mation. The archive may be corrupt.<br />
AQZ0458-40<br />
Explanation:<br />
File # &1: Bad Archive File offset (&2): &3.<br />
PKUNZIP was trying to extract or test files in the archive. File number #1 in archive<br />
contained a bad offset length (&2).<br />
AQZ0459-20<br />
Explanation:<br />
Length warning: &1 bytes [&2].<br />
Length Warning: Based on the local directory, the bytes required are less than the<br />
actual bytes used. Review the extracted file and ensure it is extracted correctly. Run<br />
PKUNZIP with view detail to check files sizes. The file is extracted and the process<br />
continues.<br />
AQZ0460-40<br />
Explanation:<br />
Length Error: &1 bytes [&2].<br />
Length Failure: Based on the local directory, the bytes required are more than the<br />
actual bytes used. Review the extracted file and ensure it is extracted correctly. Run<br />
275
PKUNZIP with view detail to check files sizes. The file is extracted and the process<br />
continues.<br />
AQZ0461-40<br />
Explanation:<br />
Error: Not enough memory to Unshrink &1.<br />
While trying to allocate memory to Un-shrink file &1, an error occurred. All processing<br />
is terminated. Check other messages in the job log <strong>for</strong> possible causes and refer to<br />
Appendix C about memory errors. If this continues, please contact the Product<br />
Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0462-40<br />
Explanation:<br />
File #&1: Bad local header.<br />
File in the archive with sequence number &1 has an invalid local directory header.<br />
File cannot be extracted or tested. The archive may be corrupt.<br />
AQZ0463-40<br />
Explanation:<br />
(Attempting to re - compensate).<br />
An error occurred previously in the archive (see the message log). An attempt will be<br />
made to compensate <strong>for</strong> the error.<br />
AQZ0464-40<br />
Explanation:<br />
Skipping: &1 %2 volume label.<br />
An archive created under another system has a volume label appearing in the<br />
archive. <strong>iSeries</strong> cannot process this request and will skip file &1.<br />
AQZ0468-40<br />
Explanation:<br />
Invalid compressed data to &1 &2.<br />
While attempting to uncompress file &2 using method &1, it was determined that the<br />
compressed data was invalid or corrupt. Review the log <strong>for</strong> other messages to help<br />
diagnose the problem. Do a PKUNZIP with VIEWOPT(*DETAIL). Verify the source<br />
of the archive that is being processed to verify if it was created using a compression<br />
product from PKWARE, Inc. Please contact the Product Services Division at 1-937-<br />
847-2687 <strong>for</strong> assistance.<br />
AQZ0469-40<br />
Explanation:<br />
Error: Not enough memory to &1 &2.<br />
While attempting to uncompress file &2 using method &1, PKUNZIP could not<br />
allocate enough memory to extract file. Check other messages in the job log <strong>for</strong><br />
possible causes and refer to Appendix C about memory errors. If this continues,<br />
please contact the Product Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
276
AQZ0470-40<br />
Explanation:<br />
&1: Out of memory while inflating EAs.<br />
While extracting file &1, an allocation of memory failure occurred while trying to<br />
extract and file with extended attributes. This archive was created by another system<br />
type. Check other messages in the job log <strong>for</strong> possible causes and refer to Appendix<br />
C about memory errors. If this continues, please contact the Product Services<br />
Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0471-40<br />
Explanation:<br />
&1: Unknown error on extended attributes.<br />
While extracting file &1, an unknown error occurred while trying to process the<br />
extended attributes data. This archive was created by another system type.<br />
AQZ0472-40<br />
Explanation:<br />
Unsupported extra-field compression type (&1)—skipping.<br />
The extended data fields <strong>for</strong> file &1 was found, but it’s not recognized or it’s Invalid.<br />
The file will be skipped.<br />
AQZ0473-00<br />
Explanation:<br />
Error: Cannot allocate unzip buffers.<br />
While starting to extract the file, PKUNZIP could not allocate enough memory <strong>for</strong> IO<br />
buffers within the file. Job will be terminated. Check other messages in the job log<br />
<strong>for</strong> possible causes and refer to Appendix C about memory errors. If this continues,<br />
please contact the Product Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0475-40<br />
Explanation:<br />
Warning [&1]: Archive File is disk %u of a multi-disk archive<br />
and this is not the disk on which the central Archive File<br />
directory begins.<br />
The archive indicates that part of a multi-disk archive is invalid <strong>for</strong> PKUNZIP. Review<br />
the source of the archive and ensure the archive is made up of one file.<br />
AQZ0476-30<br />
Explanation:<br />
Warning [&1]: End-of-central-directory record claims this is<br />
disk &2 attempting to process anyway.<br />
The central directory has a setting that indicates this is a multi-archive disk file. It will<br />
attempt to process file &1. Expect "errors" and warnings; true multi-part support does<br />
not exist.<br />
277
AQZ0477-30<br />
Explanation:<br />
Warning [&1]: Archive File claims to be last disk of a multipart<br />
archive; attempting to process anyway.<br />
Expect errors and warnings, as true multi-part support does not exist.<br />
AQZ0478-30<br />
Error [&1]: Missing &2 bytes in Archive file (attempting to<br />
process anyway).<br />
Explanation: While extracting files from archive file &1 with PKUNZIP, it was found to have &2<br />
bytes missing according to the directories. PKUNZIP will continue attempting to<br />
extract the files and will complete the process.<br />
AQZ0479-30<br />
Explanation:<br />
Error [&1]: NULL central directory offset (attempting to<br />
process anyway).<br />
While extracting from archive file &1, an error was found in the central directory offset.<br />
PKUNZIP will try to compensate and continue the process.<br />
AQZ0480-30<br />
Explanation:<br />
Warning [&1]: Archive File is empty.<br />
PKUNZIP found that the archive file &1 is empty and that there is nothing to process.<br />
AQZ0481-30<br />
Explanation:<br />
Error [&1]: Start of central directory not found; Archive file<br />
is corrupt.<br />
PKUNZIP could not find the start of the central directory in archive file &1. archive file<br />
is corrupt and the job will be terminated.<br />
AQZ0482-30<br />
Warning[&1]: Reported length of central directory IS &2 bytes<br />
too long. Compensating...<br />
Explanation: PKUNZIP found that the length of the central directory of the archive is too long by &2<br />
bytes. PKUNZIP will try to compensate and continue.<br />
AQZ0483-40<br />
Explanation:<br />
End-of-central-directory signature not found in archive &1.<br />
An End-of-central-directory signature not found. Either the file &1 is not an archive<br />
file or it constitutes one disk of a multi-part archive. In the later case, the central<br />
directory and archive file comment will be found on the last disk(s) of this archive.<br />
278
AQZ0484-00<br />
Explanation:<br />
Caution: Archive file &1 comment will be truncated.<br />
While displaying the archive file comment, it was truncated due to excess length.<br />
This affects only the displayed in<strong>for</strong>mation, not the data itself.<br />
AQZ0485-30<br />
Explanation:<br />
Error: Cannot delete old &1.<br />
Cannot delete file &1 on IFS system file type. See the job message log <strong>for</strong> more<br />
in<strong>for</strong>mation.<br />
AQZ0486-30<br />
Explanation:<br />
Error: PKZIP cannot open Archive File [ &1 ].<br />
Archive file &1 cannot be opened <strong>for</strong> reading in PKZIP. See the job message log <strong>for</strong><br />
more in<strong>for</strong>mation.<br />
AQZ0487-30<br />
Explanation:<br />
Error: Cannot create &1.<br />
PKUNZIP was trying to create file &1 <strong>for</strong> extraction, but the create process failed.<br />
The file was not extracted. See the job message log <strong>for</strong> create failure.<br />
AQZ0488-40<br />
Explanation:<br />
Error: Archive file &1 read error.<br />
PKUNZIP received a file error while reading archive file &1. Job is terminated. See<br />
the job message log <strong>for</strong> explanation of the error.<br />
AQZ0489-10<br />
Warning: Filename too long -- truncating.<br />
Explanation: The file name length (including path) found in the archive exceeds the length of 255<br />
bytes allowed in PKUNZIP. File name is truncated.<br />
AQZ0490-10<br />
Explanation:<br />
Warning: Extra field too long (&1). Ignoring.<br />
The extended attribute is too long <strong>for</strong> PKUNZIP to allocate memory. The attributes<br />
will be ignored.<br />
279
AQZ0491-40<br />
Explanation:<br />
Error: More than &1 simultaneous threads. Some threads are<br />
probably not calling DESTROYTHREAD().<br />
Internal error. This should not occur. Please contact the Product Services Division at<br />
1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0492-40<br />
Explanation:<br />
Error: Could not find global pointer in table Maybe somebody<br />
accidentally called DESTROYTHREAD() twice.<br />
Internal error. This should not occur. Please contact the Product Services Division at<br />
1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0493-40<br />
Explanation:<br />
Error: Global pointer in table does not match pointer passed<br />
as parameter.<br />
Internal error. This should not occur. Please contact the Product Services Division at<br />
1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0494-00<br />
Explanation:<br />
Warning: Cannot set UID &1 and/or GID %d <strong>for</strong> &2.<br />
After extracting a file successfully, PKUNZIP could change the UID attributes <strong>for</strong> a file<br />
in the integrated file system to the UID in the archive settings. See the job log <strong>for</strong><br />
more in<strong>for</strong>mation.<br />
AQZ0495-00<br />
Explanation:<br />
Warning: Cannot set modification, access times <strong>for</strong> &1.<br />
After extracting a file successfully, PKUNZIP could change the modification time and<br />
the access time <strong>for</strong> a file in the integrated file system to the time that is stored within<br />
the archives. Times are left as the time extracted. See the job log <strong>for</strong> more<br />
In<strong>for</strong>mation.<br />
AQZ0496-00<br />
Explanation:<br />
Warning: Cannot set permissions <strong>for</strong> &1.<br />
After extracting a file successfully, PKUNZIP could not set the authority permissions<br />
<strong>for</strong> the file in the integrated file system. File has job user as owner. See the job log<br />
<strong>for</strong> more in<strong>for</strong>mation.<br />
280
AQZ0498-40<br />
Explanation:<br />
&1: Write error was encountered while extracting.<br />
While extracting and writing file &1, an error occurred. It could be the allowable disk<br />
allocation <strong>for</strong> a user, a job, or a file. See the job log <strong>for</strong> more in<strong>for</strong>mation. The current<br />
extracted file is incomplete.<br />
AQZ0499-50<br />
Explanation:<br />
Archive file probably corrupt (&1).<br />
A Handler signal occurred in PKUNZIP, which indicates an internal error occurred, or<br />
the archive file is corrupt. Please contact the Product Services Division at 1-937-847-<br />
2687 <strong>for</strong> assistance with the archive file and the job log.<br />
AQZ0501-20<br />
Explanation:<br />
Warning: Cannot allocate wildcard buffers.<br />
PKUNZIP could not allocate memory resources in the integrated file system wildcard<br />
buffers. Cannot select files. Check other messages in the job log <strong>for</strong> possible<br />
causes, and refer to Appendix C about memory errors. If problem persists, please<br />
contact the Product Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0502-00<br />
Explanation:<br />
Creating directory: &1.<br />
In<strong>for</strong>mation only: PKUNZIP created directory &1 in the integrated file system.<br />
AQZ0503-30<br />
Explanation:<br />
Mapname: Conversion of &1 failed.<br />
PKUNZIP failed while converting (mapping) the internal file &1 name to an <strong>iSeries</strong><br />
external file name. Check the log to see if file was extracted successfully.<br />
AQZ0504-20<br />
Explanation:<br />
Checkdir: Cannot create extraction directory &1.<br />
PKUNZIP failed while trying to create directory &1 in the integrated file system<br />
required extracting file.<br />
AQZ0505-10<br />
Explanation:<br />
Warning: Cannot set UID &1 <strong>for</strong> &2.<br />
After extracting a file successfully, PKUNZIP could not change the UID attributes <strong>for</strong> a<br />
file in integrated file system to the UID in the archive settings. See the job log <strong>for</strong><br />
more In<strong>for</strong>mation.<br />
281
AQZ0506-10<br />
Explanation:<br />
Checkdir warning: Path too long; truncating &1.<br />
The path name in the archive file is longer than the 255 bytes permitted by the<br />
integrated file system. The path will be truncated <strong>for</strong> file extraction.<br />
AQZ0508-10<br />
Explanation:<br />
Checkdir error: &1 exists but is not directory: unable to<br />
process.<br />
PKUNZIP was extracting a file to the integrated file system where the archive file<br />
name indicated it is a directory, but the file already exists and is not a directory. A<br />
default path will be used.<br />
AQZ0509-10<br />
Explanation:<br />
Checkdir error: Cannot create &1 unable to process &2.<br />
PKUNZIP could not create directory &1 in the integrated files system. A default<br />
directory is used. See the JOB LOG For in<strong>for</strong>mation about the failure.<br />
AQZ0510-10<br />
Explanation:<br />
Checkdir error: Path too long: &1.<br />
PKUNZIP determined that the path of file to extract exceeded 255 bytes. The file will<br />
use default path.<br />
AQZ0511-40<br />
Explanation:<br />
Failure to create file in Library .<br />
PKUNZIP was issuing a CRTPF command <strong>for</strong> a file that was using default settings<br />
be<strong>for</strong>e extracting and an error occur in the CRTPF command. See the job log <strong>for</strong><br />
more in<strong>for</strong>mation. The files are not extracted.<br />
AQZ0512-40<br />
Explanation:<br />
Failure to create SAVF in Library .<br />
PKUNZIP was issuing a CRTSAVF command to create file &1 <strong>for</strong> extracting and the<br />
create process failed. See the job log <strong>for</strong> more in<strong>for</strong>mation. The files are not<br />
extracted.<br />
AQZ0513-10<br />
Explanation:<br />
Warning! Line &1 has been truncated.<br />
When writing a text file, the length of the line exceeded the record length of the output<br />
file and the line was truncated. Use an output file with the correct record length.<br />
282
AQZ0514-30<br />
Explanation:<br />
Failure in creating Library &1 <strong>for</strong> Archive.<br />
PKUNZIP was trying to extract a file to library &1 and the library did not exist.<br />
PKUNZIP failed when trying to create the Library. For more in<strong>for</strong>mation see the job<br />
log. This may be a security issue. The file is not extracted.<br />
AQZ0515-40<br />
Explanation:<br />
PKZIP Failure in file read request. Request bytes &1.<br />
While trying to read a selected file <strong>for</strong> compression, PKZIP experienced an error<br />
where the size of the data read failed the request. View the job log to see if any<br />
messages pertain to the file. The file being used may cause this. The job will be<br />
terminated and the archive will be corrupted.<br />
AQZ0516-40<br />
Explanation:<br />
Could not allocate Memory <strong>for</strong> Terse extraction. PKUNZIP is<br />
ending immediately.<br />
PKZIP was compressing the file with compression type *TERSE, but could not<br />
allocate memory <strong>for</strong> the TERSE buffers. Check other messages in the job log <strong>for</strong><br />
possible causes and refer to Appendix C about memory errors. If the problem<br />
persists, please contact the Product Services Division at 1-937-847-2687 <strong>for</strong><br />
assistance.<br />
AQZ0517-40<br />
Explanation:<br />
Terse Extraction Failure. Work buffers are too small.<br />
PKUNZIP could not complete an extraction of a file compressed in TERSE mode<br />
because the buffers were too small. This should not occur <strong>for</strong> an archive created with<br />
this release. Please contact the Product Services Division at 1-937-847-2687 <strong>for</strong><br />
assistance.<br />
AQZ0518-00<br />
Explanation:<br />
Warning! File &1 has associated triggers.<br />
PKZIP has detected that the database file being zipped has trigger programs<br />
associated with it. PKZIP does not store trigger program in<strong>for</strong>mation in the archive.<br />
See Appendix K <strong>for</strong> more in<strong>for</strong>mation. This message only appears when<br />
compressing database files. If you want to preserve the trigger in<strong>for</strong>mation, first save<br />
the file and trigger programs to a SAVF and then add the SAVF to the archive.<br />
AQZ0519-00<br />
Explanation:<br />
Warning! File &1 has associated constraints.<br />
PKZIP has detected that the database file being zipped has constraints associated<br />
with it. PKZIP does not store constraint in<strong>for</strong>mation in the archive. See Appendix K<br />
<strong>for</strong> more in<strong>for</strong>mation. This message appears only when compressing database files.<br />
283
If you wish constraint in<strong>for</strong>mation to be preserved, first save the file to a SAVF and<br />
then add to the archive.<br />
AQZ0520-00<br />
Explanation:<br />
Warning! File &1 uses an alternative collating sequence.<br />
The file being compressed uses an alternative collating sequence (the ALTSEQ<br />
keyword was specified in the DDS <strong>for</strong> the file). PKZIP does not store alternative<br />
collating table in<strong>for</strong>mation in an archive. When unzipped, the file will not have the<br />
same access path. This message only appears when compressing database files. If<br />
you want to preserve the alternate sort order, first save the file in a SAVE and then<br />
add to the archive.<br />
AQZ0521-00<br />
Explanation:<br />
Warning! File &1 has NULL capable fields.<br />
PKZIP has detected that one or more fields in the file are NULL capable. PKZIP will<br />
translate NULL numeric fields as zeros and NULL character fields as blanks. See<br />
Appendix K <strong>for</strong> more in<strong>for</strong>mation. This message only appears when compressing<br />
database files. If you want to preserve NULL fields, first save the file in a SAVF and<br />
then add the SAVF to the archive.<br />
AQZ0522-00<br />
Explanation:<br />
Database process selected but missing DB extended data record -<br />
File &1.<br />
Indicates that database attributes are present to create a database, but the database<br />
extended attributes could not be found. The archive may be corrupt. PKZIP will try to<br />
create file with default settings.<br />
AQZ0523-00<br />
Explanation:<br />
Failure building DDS source to gen database - File &1.<br />
While building the DDS source <strong>for</strong> creating file &1, an error occurred in routine<br />
build_ddssrc with number &2. See the job log <strong>for</strong> other messages. Please contact<br />
the Product Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ0525-00<br />
Explanation:<br />
Warning! File &1 has Public Authorization List.<br />
PKZIP has detected that the database file being zipped has a public authorization list<br />
associated with it. PKZIP does not store public authorization list in<strong>for</strong>mation in the<br />
archive. See Appendix K <strong>for</strong> more in<strong>for</strong>mation. This message only appears when<br />
compressing database files. When extracting the file, it is up to the user to provide<br />
in<strong>for</strong>mation about a public authorization list. If you wish to preserve public<br />
authorization list in<strong>for</strong>mation, first save the file to a SAVF and then add the file to the<br />
archive.<br />
284
AQZ0526-30<br />
Explanation:<br />
Extended attributes exceed 64K<br />
The extended attributes <strong>for</strong> the file being compressed exceeded the maximum length<br />
that can be accommodated in a PKZIP archive. Action: Either compress the file with<br />
DBSERVICES(*NO) or first save the file in the save file and then add to the archive.<br />
AQZ0527-10<br />
Explanation:<br />
Warning: Text Record too long <strong>for</strong> buffers.<br />
length=&1. Buffer Length=&2<br />
Text Record<br />
A text record length exceeded the maximum supported buffer length of &2. Record is<br />
truncated. File extract should be reviewed <strong>for</strong> completeness. Probable cause: the<br />
file does not contain proper carriage return or line feed characters.<br />
AQZ0528-00<br />
Explanation:<br />
Certificate Deleted From &1 Store.<br />
Cert Deleted from &1 Store. Where &1 will be the store CA or Root. &2 is the<br />
certificate data that was deleted. Part 1 is the index number. Part 2 is the Serial<br />
Number of the certificate. Part 3 is the friendly name of the certificate. For example:<br />
“Cert Deleted from CA Store”<br />
AQZ0600-00<br />
Explanation:<br />
Archive &1 Identified as a GZIP archive.<br />
PKZIP was run, specifying existing archive &1 and that the archive is identified as a<br />
GZIP archive. GZIP archive files cannot be updated.<br />
AQZ0601-40<br />
Explanation:<br />
Option GZIP cannot zip to an existing archive.<br />
PKZIP GZIP(*YES) parameter has been specified and the archive indicated on the<br />
PKZIP command already exists. A GZIP archive cannot be updated; you can only<br />
compress in GZIP <strong>for</strong>mat to a new archive. Specify an archive name that is not in<br />
use.<br />
AQZ0602-40<br />
Explanation:<br />
Option GZIP only allows 1 file per archive.<br />
GZIP processing has identified more than one file to include in the archive, but only<br />
one file is allowed per GZIP archive. Specify a file name or wildcard combination that<br />
identifies only one file or be more specific and specify the library, the file, and the<br />
member names.<br />
285
AQZ0603-40<br />
Explanation:<br />
Invalid TYPE used with GZIP. TYPE(*ADD,*MOVEA,*VIEW) is only<br />
valid option <strong>for</strong> GZIP.<br />
A PKZIP TYPE other than *ADD, *MOVEA or *VIEW was specified with option<br />
GZIP(*YES). This is an invalid combination. The job will be terminated.<br />
AQZ0604-00<br />
Explanation:<br />
PKZIP Compressed &1 files in GZIP Archive &2.<br />
&1 is the number of files that were compressed in this run of PKZIP, storing them in<br />
the GZIP archive File &2.<br />
AQZ0605-40<br />
Explanation:<br />
GZIP cannot allocate memory <strong>for</strong> GZIP extraction.<br />
PKUNZIP was trying to extract the file from an archive identified as a GZIP archive,<br />
but could not allocate memory. The job is terminated. Check other messages in the<br />
job log <strong>for</strong> possible causes and refer to Appendix C about memory errors. If this<br />
continues, please contact the Product Services Division at 1-937-847-2687 <strong>for</strong><br />
assistance.<br />
AQZ0606-40<br />
Explanation:<br />
GZIP Archive File &1 probably corrupt.<br />
PKUNZIP was trying to extract from archive file &1, and it was identified as a GZIP<br />
archive. It was determined that it could be corrupt based on the setting in the header<br />
or trailer.<br />
AQZ0607-40<br />
Explanation:<br />
Cannot Use compress(*STORE or *TERSE) with GZIP.<br />
GZIP parameter *YES cannot be used when COMPRESS parameter is set to<br />
*STORE or *TERSE.<br />
AQZ0608-40<br />
Explanation:<br />
GZIP *YES cannot be used with FTRAN table.<br />
FTRAN table override cannot be used with option GZIP(*YES) due to compliance<br />
issues.<br />
AQZ0609-00<br />
Explanation:<br />
Warning! GZIP Archive has non-compliant Flag settings.<br />
The archive being processed has reserve bits in the flag byte set. This may indicate<br />
the presence of new fields or options in the archive that prevent the file being<br />
extracted from being extracted correctly.<br />
286
AQZ0610-40<br />
Explanation:<br />
GZIP Archive &1 contains no filename and Default Path was not<br />
specified.<br />
The GZIP archive that is being extracted does not contain a file name. To get a file<br />
name, use EXDIR keyword and enter a path and filename. If you are using the IFS,<br />
use path/filename. For the library file system, use library/filename.<br />
AQZ0611-40<br />
TEXTEDIT parameter is invalid with GZIP(*YES).<br />
Explanation: GZIP archives do not support file comments. TEXTEDIT must be *NO.<br />
287
AQZ0800 - AQZ0899 *VIEW Display Messages<br />
AQZ0800-00<br />
Explanation:<br />
Filename: &1.<br />
Displays the archive file name being viewed or processed.<br />
AQZ0801-00<br />
Explanation:<br />
Archive Comment: "&1".<br />
Displays the archive comment (if one exists) when TYPE(*VIEW) is used with<br />
parameters *NORMAL, *DETAIL, *COMMENT <strong>for</strong> keyword VIEWOPT( ).<br />
AQZ0802-00<br />
Explanation:<br />
Length, Date, Time, Name.<br />
This message will appear at the top of the file in<strong>for</strong>mation listing when the option<br />
VIEWOPT(*BRIEF) is used with TYPE(*VIEW).<br />
AQZ0803-00<br />
Explanation:<br />
-------- ---- ---- ----<br />
This message will appear after message AQZ0802 <strong>for</strong> the file in<strong>for</strong>mation listing when<br />
the option VIEWOPT(*BRIEF) is used with TYPE(*VIEW).<br />
AQZ0804-00<br />
Explanation:<br />
&1 &2 &3.<br />
File in<strong>for</strong>mation listing when the option VIEWOPT(*BRIEF) is used with<br />
TYPE(*VIEW). Length=uncompressed size, modifications Date and time of file, and<br />
the filename.<br />
AQZ0805-00<br />
Explanation:<br />
-------- -------<br />
This message will appear after the brief file in<strong>for</strong>mation listing as a separator when<br />
the option VIEWOPT(*BRIEF) is used with TYPE(*VIEW).<br />
288
AQZ0806-00<br />
Explanation:<br />
&1 &2 file&3.<br />
This message is the totals <strong>for</strong> file in<strong>for</strong>mation listing when the option<br />
VIEWOPT(*BRIEF) is used with TYPE(*VIEW). Total: Uncompressed size=&1, and<br />
Number of files in listing=&2.<br />
AQZ0807-00<br />
Explanation:<br />
File Comment: "&1".<br />
Displays the file comment text when the option VIEWOPT(*COMMENT or *DETAIL)<br />
is used with TYPE(*VIEW).<br />
AQZ0808-00<br />
Explanation:<br />
Length, Method, Size, Ratio, Date, Time, CRC-32, Name.<br />
This message displays the first heading in the file in<strong>for</strong>mation listing when any of the<br />
parameters *DETAIL, *COMMENT, or *NORMAL is used with the VIEWOPT() option.<br />
AQZ0809-00<br />
Explanation:<br />
-------- ------ ------- ----- ---- ---- ------ ----<br />
This message displays the second heading in the file in<strong>for</strong>mation listing when any of<br />
the parameters *DETAIL, *COMMENT, or *NORMAL is used with the VIEWOPT()<br />
option.<br />
AQZ0810-00<br />
Explanation:<br />
&1 &2 &3 &4 &5 &6 &7 &8.<br />
This message displays the file attributes in the file in<strong>for</strong>mation listing when any of the<br />
parameters *DETAIL, *COMMENT, or *NORMAL is used with the VIEWOPT( )<br />
option. Uncompressed file length=&1, compression method used=&2, compressed<br />
size=&3, compression ratio=&4, file date/ Time=&5, CRC-32=&6, <strong>for</strong> the file name &7.<br />
AQZ0811-00<br />
Explanation:<br />
-------- ------- ---- -----<br />
--<br />
This message displays the totals separator in the file in<strong>for</strong>mation listing when any of<br />
the parameters *DETAIL, *COMMENT, or *NORMAL is used with the VIEWOPT( )<br />
option.<br />
AQZ0812-00<br />
Explanation:<br />
&1 &2 &3 &4 file&5.<br />
This message displays the totals in the file in<strong>for</strong>mation listing when any of the<br />
parameters *DETAIL, *COMMENT, or *NORMAL is used with the VIEWOPT( )<br />
289
option. Total uncompressed size=&1, total compressed size=&2, <strong>for</strong> &3 number files<br />
in listing.<br />
AQZ0813-00<br />
Explanation:<br />
archive: &1 &2 bytes &3 file&4.<br />
Archive statistics <strong>for</strong> archive File &1, is &2 bytes is length with &3 files in archive.<br />
In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0814-00<br />
Explanation:<br />
Created by: &1 &2.<br />
Displays the PKZIP operating system and the PKZIP algorithm version which the file<br />
was added to the archive. In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0816-00<br />
Explanation:<br />
Minimum file system compatibility required: &1 &2.<br />
In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL) and only with debug option<br />
on. Shows detail operating system (&1) with version (&2).<br />
AQZ0817-00<br />
Explanation:<br />
Zip Spec to Extract: &1.<br />
Displays the minimum version of the PKZIP specification required to extract the file<br />
from the archive. In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0818-00<br />
Explanation:<br />
Compression method: &1 &2.<br />
Displays the compression method used to compress the file. In<strong>for</strong>mation with<br />
TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0821-00<br />
Explanation:<br />
Extended local header: &1.<br />
Shows the setting of the general-purpose bit to indicate an extended local header<br />
exists. In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0822-00<br />
Explanation:<br />
Date and Time &1.<br />
Displays the modification date mm-dd-yyyy and time hh:mm of files attributes<br />
In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
290
AQZ0823-00<br />
Explanation:<br />
32-bit CRC value (hex): &1.<br />
Displays the value of the cyclical redundancy check (CRC) of a file in the archive.<br />
In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0824-00<br />
Explanation:<br />
Compressed size: &1 bytes.<br />
Displays the compressed size of a file in the archive. In<strong>for</strong>mation with TYPE(*VIEW)<br />
and VIEWOPT(*DETAIL).<br />
AQZ0825-00<br />
Explanation:<br />
Uncompressed size: &1 bytes.<br />
Displays the Uncompressed size of a file in the archive. In<strong>for</strong>mation with<br />
TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0826-00<br />
Explanation:<br />
Length of filename: &1 bytes.<br />
Displays the length of the file name of a file in the archive. In<strong>for</strong>mation with<br />
TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0827-00<br />
Explanation:<br />
Length of extra field: &1 bytes.<br />
Displays the length of the extended data field in the archive. In<strong>for</strong>mation with<br />
TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0828-00<br />
Explanation:<br />
Length of file comment: &1 characters.<br />
Displays the Length of a file comment if it exists in the archive. In<strong>for</strong>mation with<br />
TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0829-00<br />
Explanation:<br />
Size of sliding dictionary (implosion): &1K.<br />
Displays the size of the sliding dictionary that was used to compress a file in the<br />
archive with the implode compression method. In<strong>for</strong>mation with TYPE(*VIEW) and<br />
VIEWOPT(*DETAIL).<br />
291
AQZ0830-00<br />
Explanation:<br />
Number of Shannon-Fano trees (implosion): &1.<br />
Displays the number of Shannon-Fano trees that were used to compress a file in the<br />
archive with an implode compression method. In<strong>for</strong>mation with TYPE(*VIEW) and<br />
VIEWOPT(*DETAIL).<br />
AQZ0831-00<br />
Explanation:<br />
Detected File type: &1 &2.<br />
Based on internal attributes; displays the file type that was detected <strong>for</strong> a file in the<br />
archive. The Types are: binary, text, text in EBCDIC, SAVF, UNKNOWN.<br />
In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0834-10<br />
Explanation:<br />
Caution: Archive File comment truncated.<br />
The archive file comment exceeded the buffer size and will be truncated. This is only<br />
a warning that affects the display of the comment. In<strong>for</strong>mation with TYPE(*VIEW)<br />
and VIEWOPT(*DETAIL).<br />
AQZ0835-00<br />
Explanation:<br />
Unknown Extended Attribute TAG &1 with length of &2.<br />
An unknown extended attribute key was found; PKUNZIP does not handle this, and it<br />
will be bypassed. In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0836-00<br />
Explanation:<br />
Extended attributes: &1, [Length = &2].<br />
If extended attributes are stored in the archive <strong>for</strong> this file, then [Yes] is displayed,<br />
otherwise, [No] is displayed. The size of these extended attributes are &2 bytes.<br />
In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0837-00<br />
Explanation:<br />
A sub field with ID &1 with a length of &2 bytes.<br />
This is only used in DEBUG mode only. In<strong>for</strong>mation with TYPE(*VIEW) and<br />
VIEWOPT(*DETAIL).<br />
AQZ0838-00<br />
Explanation:<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Displays a View file separator <strong>for</strong> reading purposes. In<strong>for</strong>mation with TYPE(*VIEW)<br />
and VIEWOPT(*DETAIL).<br />
292
AQZ0839-00<br />
Explanation:<br />
Found &1 file&2, &3 bytes uncompressed, &4 bytes compressed:<br />
&5.<br />
Displays the total number of files found in the archive (&1). Displays the total bytes<br />
uncompressed(&3) and the total bytes compressed(&4) <strong>for</strong> the archive. In<strong>for</strong>mation<br />
with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0840-00<br />
Explanation:<br />
IFS: Code Page &1.<br />
Displays the code page of an IFS file in the archive. In<strong>for</strong>mation with TYPE(*VIEW)<br />
and VIEWOPT(*DETAIL).<br />
AQZ0841-00<br />
Explanation:<br />
IFS: Creation Time &1.<br />
Displays the creation date and time of an IFS file in the archive. In<strong>for</strong>mation with<br />
TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0842-00<br />
Explanation:<br />
IFS: Access Time &1.<br />
Displays the last access date and time of an IFS file in the archive. In<strong>for</strong>mation with<br />
TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0843-00<br />
Explanation:<br />
IFS: Modification Time &1.<br />
Displays the last modification date and time of an IFS file in the archive. In<strong>for</strong>mation<br />
with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0844-00<br />
Explanation:<br />
Lib Text Desc: &1.<br />
Displays the text associated with a library that contains the file that has been stored<br />
within the archive. In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0845-00<br />
Explanation:<br />
File Text Desc: &1.<br />
Displays the text associated with a file that has been stored within the archive.<br />
In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
293
AQZ0846-00<br />
Explanation:<br />
Mbr Text Desc: &1.<br />
Displays the text associated with the member of the file that has been stored in the<br />
archive. In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0847-00<br />
Explanation:<br />
Record Length: &1.<br />
Displays the record length of the file in the archive. In<strong>for</strong>mation with TYPE(*VIEW)<br />
and VIEWOPT(*DETAIL).<br />
AQZ0848-00<br />
Explanation:<br />
Source or Data: &1.<br />
Displays whether the file stored in the archive is a PF-DTA file or is a PF-SRC file<br />
type. In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0849-00<br />
Explanation:<br />
Source Type: &1.<br />
Displays the source type, <strong>for</strong> example, CLP, RPG, CMD, etc., <strong>for</strong> a PF-SRC member.<br />
Displays In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0850-00<br />
Explanation:<br />
Unknown Database type: &1.<br />
The extended data field specifying the file is a database or is not invalid. Database<br />
options ignored. In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0851-00<br />
Explanation:<br />
Database File Attributes-.<br />
This indicates that a file contains database file attributes in the archive. In<strong>for</strong>mation<br />
with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0852-00<br />
Explanation:<br />
AUT(&1) MAXMBRS(&2) DLTPCT(&3) SIZE(&4 &5 &6) ALLOCATE(&7)<br />
CONTIG(&8) LVLCHK(&9) REUSEDLT(&10) Access path type: &11.<br />
Displays Database File Attributes:- File Authority:<br />
&1 Maximum no. members in file:<br />
&2 Max % deleted records in file:<br />
&3 Initial size of member:<br />
&4 Size of increment:<br />
&5 Max no. increments:<br />
&6. In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
294
AQZ0853-00<br />
Explanation:<br />
Format Name(&1) No. Flds(&2) No. Key Flds(&3).<br />
Displays Database File Field Format Attributes: - File Format Name: &1 Number of<br />
fields in <strong>for</strong>mat:<br />
&2 No. key fields in <strong>for</strong>mat:<br />
&3 In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0854-00<br />
Explanation:<br />
-Field descriptions:-<br />
Displays that a heading of Field descriptions will follow. In<strong>for</strong>mation with<br />
TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0855-00<br />
Explanation:<br />
Num, Name, Width Gen. U D N V K CCSID.<br />
DB Field Format Attributes:<br />
Num Field Number<br />
Name Internal Field name<br />
Width Field width (Number of digits/characters)<br />
Gen. Decimal Pos./Allocated Length/Time or Date <strong>for</strong>mat<br />
U Usage (B = Both, I = Input, O = Output, N = Neither<br />
D Field Data type<br />
N Null field capable indicator<br />
V Variable length field indicator<br />
K Key Field indicator<br />
CCSID CCSID of field (N/A numeric fields).<br />
In<strong>for</strong>mation with TYPE(*VIEW)/VIEWOPT<br />
AQZ0856-00<br />
Explanation:<br />
----- ---------- ----- ----- - - - - - -----<br />
Displays heading separator <strong>for</strong> the field description details. In<strong>for</strong>mation with<br />
TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0857-00<br />
Explanation:<br />
&1 &2 &3 &4 &5 &6 &7 &8 &9 &10.<br />
This field has the following attributes:<br />
&1 Num: Field Number<br />
&2 Name: Internal Field name<br />
&3 Width: Field width<br />
&4 General:<br />
&5 U: Usage<br />
&6 D: Field Data type<br />
&7 N: Null capable<br />
&8 V: Variable length field<br />
&9 K: Key Field<br />
&10 CCSID: CCSID of field<br />
In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
295
AQZ0858-00<br />
Explanation:<br />
Text: &1.<br />
Displays the text description <strong>for</strong> this field: &1. In<strong>for</strong>mation with TYPE(*VIEW) and<br />
VIEWOPT(*DETAIL).<br />
AQZ0859-00<br />
Explanation:<br />
Alias: &1.<br />
Displays the alternative field name (alias) <strong>for</strong> this field: &1. In<strong>for</strong>mation with<br />
TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0860-00<br />
Explanation:<br />
Default: &1.<br />
Displays the default value <strong>for</strong> the field is: &1. In<strong>for</strong>mation with TYPE(*VIEW) and<br />
VIEWOPT(*DETAIL).<br />
AQZ0861-00<br />
Explanation:<br />
Col Heading 1: &1.<br />
Displays the First column heading <strong>for</strong> the field is: &1. In<strong>for</strong>mation with TYPE(*VIEW)<br />
and VIEWOPT(*DETAIL).<br />
AQZ0862-00<br />
Explanation:<br />
Col Heading 2: &1.<br />
Displays the second column heading <strong>for</strong> the field is: &1. In<strong>for</strong>mation with<br />
TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0863-00<br />
Explanation:<br />
Col Heading 3: &1.<br />
Displays the third column heading <strong>for</strong> the field is: &1. In<strong>for</strong>mation with TYPE(*VIEW)<br />
and VIEWOPT(*DETAIL).<br />
AQZ0864-00<br />
Explanation:<br />
MAINT(&1) RECOVER(&2) FRCACCPTH(&3) ACCPTHSIZ(&4) Order: &5<br />
Displays the keyed access path attributes: - Order = Duplicate key sorting order.<br />
In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
296
AQZ0865-00<br />
Explanation:<br />
File text: &1.<br />
Displays the text associated with the file that has been stored in the archive.<br />
In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0866-00<br />
Explanation:<br />
Archive identified as a GZIP archive.<br />
Archive identified as a GZIP archive. In<strong>for</strong>mation with TYPE(*VIEW) and<br />
VIEWOPT(*DETAIL).<br />
AQZ0867-00<br />
Explanation:<br />
VMS file attributes (&1 octal): 2.<br />
If present <strong>for</strong> a file in the archive, displays VMS file attributes. In<strong>for</strong>mation with<br />
TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0868-00<br />
Explanation:<br />
Amiga file attributes (&1 octal): &2.<br />
If present <strong>for</strong> a file in the archive, displays Amiga file attributes. In<strong>for</strong>mation with<br />
TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0869-00<br />
Explanation:<br />
Unix file attributes (&1 octal): &2.<br />
If present <strong>for</strong> a file in the archive, displays UNIX file attributes. In<strong>for</strong>mation with<br />
TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0870-00<br />
Explanation:<br />
Non-MSDOS external file attributes: &1 hex.<br />
If present <strong>for</strong> a file in the archive, displays non-MSDOS external file attributes.<br />
In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0871-00<br />
Explanation:<br />
MS-DOS file attributes (&1 hex): &2.<br />
If present <strong>for</strong> a file in the archive, displays MS-DOS file attributes. In<strong>for</strong>mation with<br />
TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
297
AQZ0872-00<br />
Explanation:<br />
Advanced Encryption &1. &2.<br />
Displays the advanced encryption method the file was archived. In<strong>for</strong>mation with<br />
TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0873-00<br />
Explanation:<br />
Algorithm Key &1, Security type &2.<br />
Displays the Advanced encryption algorithm key text description and the security type<br />
(password, certificate signature, or combination password with signature) that was<br />
used to encrypt the file. In<strong>for</strong>mation with TYPE(*VIEW) and VIEWOPT(*DETAIL).<br />
AQZ0874-00<br />
Explanation:<br />
Spool File Type: &1, Target File:&2, (CdPg=&3), Nbr Of<br />
pages(&4).<br />
Displays the spool file type, the target <strong>for</strong>mat file type, and the number of pages in the<br />
spool file. If the target is Text or PDF then (CdPg=&3) will be displayed to show the<br />
code page that was used to translate the EBCDIC to ASCII.<br />
AQZ0875-00<br />
Explanation:<br />
SPLF Desc: &1.<br />
Displays the spool file name attributes with / separation with <strong>for</strong>mat: “Job-<br />
Name/User-Name/#Job-Number/Spool-File-Name/Fspool-File-Number.Suffix”.<br />
AQZ0876-00<br />
Explanation:<br />
OS390 File Type &1<br />
Z390 MVS or VSE extended attributes.<br />
AQZ0877-00<br />
Explanation:<br />
OS390 Record Format<br />
Z390 MVS or VSE extended attributes.<br />
AQZ0878-00<br />
OS390 Block Size &1<br />
Explanation: Z390 MVS or VSE extended attributes.<br />
298
AQZ0879-00<br />
Explanation:<br />
OS390 VSAM Record Size &1<br />
Z390 MVS or VSE extended attributes.<br />
AQZ0880-00<br />
Explanation:<br />
OS390 VSAM Max Record Size &1<br />
Z390 MVS or VSE extended attributes.<br />
AQZ0881-00<br />
Explanation:<br />
OS390 VSAM Cluster Name &1<br />
Z390 MVS or VSE extended attributes.<br />
AQZ0882-00<br />
Explanation:<br />
OS390 VSAM Data Name &1<br />
Z390 MVS or VSE extended attributes.<br />
AQZ0883-00<br />
Explanation:<br />
OS390 VSAM Index Name &1<br />
Z390 MVS or VSE extended attributes.<br />
AQZ0884-00<br />
Explanation:<br />
ZIP64 Extended In<strong>for</strong>mation: Uncompressed size=&1; Compressed<br />
Size=&2<br />
Extended data to support large files. Original uncompressed size=&1; Compressed<br />
size=&2; Offset=&3.<br />
AQZ0885-00<br />
Explanation:<br />
ZIP 64 Large File Support Found<br />
PKZIP was able to support large <strong>for</strong>mat files <strong>for</strong> this archive<br />
AQZ0886-00<br />
Archive has been Digitally Signed.<br />
Explanation: The archive contains a digital signature <strong>for</strong> security purpose.<br />
299
AQZ0887-00<br />
Explanation:<br />
Spool File OUTQ(&1) and User(&2)<br />
Displays the OUTQ that the spool file was compressed from and the user ID of the<br />
spool file.<br />
AQZ0888-00<br />
Explanation:<br />
Number Certifcate Recipients &1.<br />
VIEWOPT(*ALL) option: Displays the number recipients found <strong>for</strong> the file in archive.<br />
AQZ0889-00<br />
Explanation:<br />
Recipient List:<br />
VIEWOPT(*ALL) option: Header <strong>for</strong> recipient list in the messages aqz0890 following.<br />
AQZ0890-00<br />
Explanation:<br />
CN=&1, EM=&2.<br />
VIEWOPT(*ALL) option: The common name and email address <strong>for</strong> each recipient<br />
found <strong>for</strong> the file in archive.<br />
AQZ0891-00<br />
Explanation:<br />
Archive is FnE (File Name Encrypted).<br />
View in<strong>for</strong>mation that the archive is a filename-encrypted archive.<br />
AQZ0892-00<br />
Explanation:<br />
Archive is created as FNE &1.<br />
In<strong>for</strong>mational only. Shows that the archive created is filename-encrypted and shows<br />
the compression and encryption used.<br />
AQZ0893-00<br />
Explanation:<br />
File Signature: CN=&1; EM=&2; S/N=&3.<br />
In<strong>for</strong>mational only. Shows in<strong>for</strong>mational data of the signature that is used to signed<br />
the file or archive. CN- Common name, EM-Email, and S/N- Serial Number.<br />
AQZ0900-00<br />
Explanation:<br />
Archive is Non FNE Archive. Nothing to View.<br />
VIEWOPT(*FNE) or VIEWOPT(*FNEALL) requested, but the archive is not filenameencrypted.<br />
300
AQZ0901-00<br />
Explanation:<br />
FNE: Encryption Type (&1) with Algo (&2).<br />
VIEWOPT(*FNE) or VIEWOPT(*FNEALL) requested <strong>for</strong> a filename-encrypted<br />
archive. This message shows the encryption type and algorithm used <strong>for</strong> the archive.<br />
Example “FNE: Encryption Type (Password and Recipients) with Algo (AES 256 Key)<br />
“.<br />
AQZ0902-00<br />
Explanation:<br />
FNE: Compression &1 percent.<br />
VIEWOPT(*FNE) or VIEWOPT(*FNEALL) requested <strong>for</strong> FnE archive. This message<br />
shows the compression (if any exist) used <strong>for</strong> the archive. Example “FNE:<br />
Compression 0 percent “.<br />
AQZ0903-00<br />
Explanation:<br />
FNE: Hashing Algo &1 with hash length &2.<br />
VIEWOPT(*FNE) or VIEWOPT(*FNEALL) requested <strong>for</strong> a filename-encrypted<br />
archive. This message shows the hash method used <strong>for</strong> the archive. Example “FNE:<br />
Hashing Algo CRC32 with hash length 4 “.<br />
AQZ0904-00<br />
Explanation:<br />
FNE Contains &1 Recipients.<br />
VIEWOPT(*FNE) or VIEWOPT(*FNEALL) requested <strong>for</strong> a filename-encrypted<br />
archive. This message shows the number of recipients used <strong>for</strong> the FnE.<br />
AQZ0905-00<br />
Explanation:<br />
FNE Recp #&1:&2.<br />
VIEWOPT(*FNEALL) requested <strong>for</strong> a filename-encrypted archive. This message<br />
shows the each FnE’s recipient Common Name and Email. Example “FNE Recp<br />
#2:CN=PKWARE Test3; EM=PKTESTDB3@nowhere.com;”.<br />
AQZ0906-00<br />
Explanation:<br />
FNE : &1.<br />
VIEWOPT(*FNEALL) and VERBOSE(*ALL) requested <strong>for</strong> a filename-encrypted<br />
archive. This message shows the valid certificate dates <strong>for</strong> each recipient of a<br />
filename-encrypted archive. Example “FNE Recp #2:CN=PKWARE Test3;<br />
EM=PKTESTDB3@nowhere.com;”.<br />
301
AQZ8xxx Configuration Messages<br />
AQZ8003-00<br />
Explanation:<br />
SecureZIP Config Updated Successfully.<br />
PKCFGSEC had no errors while updating the enterprise configuration file. The<br />
“PKZCFG” file was updated.<br />
AQZ8004-00<br />
Explanation:<br />
SecureZIP Config Updated Failed.<br />
PKCFGSEC encountered errors while updating the enterprise configuration file. The<br />
“PKZCFG” file has not been updated<br />
AQZ8005-40<br />
Explanation:<br />
Could not create Config file - aborting.<br />
While running PKCFGSEC, the configuration file “PKZCFG” was not found. There<strong>for</strong>e<br />
PKCFGSEC tried to create the file but the creation failed. Review the job log <strong>for</strong><br />
messages on why the create failed.<br />
AQZ8006-40<br />
Explanation:<br />
Could not Write Config file - aborting.<br />
While running PKCFGSEC, the configuration file “PKZCFG” is trying to be updated<br />
but failed. Review job log <strong>for</strong> messages on why update failed.<br />
AQZ8007-40<br />
Explanation:<br />
Could not Copy Config file - aborting.<br />
Review the job log <strong>for</strong> messages on why the copy failed.<br />
AQZ8008-40<br />
Could open Confiuration File.<br />
Explanation: The opening of configuration file “PKZCFG” has failed. Review the job log <strong>for</strong><br />
messages on why update failed.<br />
AQZ8009-40<br />
Explanation:<br />
Parameter &1 Path/File does not exist. .<br />
The File or Path <strong>for</strong> parameter &1 does not exist. Correct file/path or create the<br />
path/file and re-run. No updates will take place.<br />
302
AQZ8010-40<br />
Explanation:<br />
The Library &1 in the parameters CERTDB does not exist.<br />
The Library <strong>for</strong> parameter CERTDB does not exist. Correct Parameter <strong>for</strong> the library<br />
where the Certificate Locator Database is located and re-run. No updates will take<br />
place.<br />
AQZ8200-00<br />
Explanation:<br />
SecureZIP Security Administration.<br />
PKCFGSEC in<strong>for</strong>mational. Main heading.<br />
AQZ8201-00<br />
Explanation:<br />
ZIP Secure Settings:<br />
PKCFGSEC in<strong>for</strong>mational. Subsection heading <strong>for</strong> ZIP secure settings.<br />
AQZ8202-00<br />
Explanation:<br />
SecureZIP Active . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> ZIP secure settings.<br />
See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8203-00<br />
Explanation:<br />
Password . . . . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> ZIP secure password<br />
setting. See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8204-00<br />
Explanation:<br />
Recipient Secure . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> ZIP secure recipient<br />
secure setting. See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8205-00<br />
Explanation:<br />
File Signing . . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> ZIP secure file signing<br />
setting. See PKCFGSEC <strong>for</strong> explanation.<br />
303
AQZ8206-00<br />
Explanation:<br />
Archive Signing<br />
. . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> ZIP secure archive<br />
signing setting. See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8207-00<br />
Explanation:<br />
File Authentication<br />
. . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> zip secure file<br />
authentication setting. See PKCFGSEC <strong>for</strong> explanation..<br />
AQZ8208-00<br />
Explanation:<br />
Archive Authentication . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> ZIP secure archive<br />
authentication setting. See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8209-00<br />
Explanation:<br />
Advance Encryption:<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> advance encryption.<br />
See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8210-00<br />
Explanation:<br />
Frozen Method &.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> advance encryption.<br />
See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8211-00<br />
Explanation:<br />
Frozen Mode<br />
&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> ADVANCE<br />
ENCRYPTION. See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8212-00<br />
Explanation:<br />
Archive Password Specs:<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> archive password<br />
specifications. See PKCFGSEC <strong>for</strong> explanation.<br />
304
AQZ8213-00<br />
Explanation:<br />
Min Length . . . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> archive password<br />
specifications. See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8214-00<br />
Explanation:<br />
Max Length . . . . . . . .&1<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> archive password<br />
specifications. See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8215-00<br />
Explanation:<br />
Hardening Options . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> archive password<br />
specifications. See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8216-00<br />
Explanation:<br />
Certificate PUBLIC Store:<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> certificate public store.<br />
See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8217-00<br />
Explanation:<br />
Certificate PRIVATE Store:<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> certificate private store.<br />
See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8218-00<br />
Explanation:<br />
Certificate CA Store:<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> certificate authority (CA)<br />
store. See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8219-00<br />
Explanation:<br />
Certificate ROOT Store:<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> certificate ROOT store.<br />
See PKCFGSEC <strong>for</strong> explanation.<br />
305
AQZ8220-00<br />
Explanation:<br />
Store&1 Location=&2.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> store of group. See<br />
PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8221-00<br />
Explanation:<br />
Enterprise Encrypt Recipient:<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> enterprise encrypt<br />
recipient. See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8222-00<br />
Explanation:<br />
Store Type(&1) Select="&2".<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> enterprise encrypt<br />
recipient. See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8223-00<br />
Explanation:<br />
(&1)- Recipient &2.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> enterprise encrypt<br />
Recipient. See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8224-00<br />
Explanation:<br />
Enterprise Certificate Database.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> enterprise certificate<br />
database. See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8225-00<br />
Explanation:<br />
Active . . . . . . . . . .&.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> enterprise certificate<br />
database. See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8226-00<br />
Explanation:<br />
Search Mode . . . . . . . &1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> enterprise certificate<br />
database. See PKCFGSEC <strong>for</strong> explanation.<br />
306
AQZ8227-00<br />
Explanation:<br />
File Name Encryption<br />
. .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> ZIP secure settings. See<br />
PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8228-00<br />
Explanation:<br />
Signing<br />
PKCFGSEC in<strong>for</strong>mational. Heading <strong>for</strong> Digital Signing settings.<br />
AQZ8229-00<br />
Explanation:<br />
Hash . . . . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. The hashing method used when per<strong>for</strong>ming digital signing.<br />
Either SHA1 or MD5.<br />
AQZ8230-00<br />
Explanation:<br />
Configuration File &1.<br />
PKCFGSEC in<strong>for</strong>mational. Shows the actual configuration file used in PKCFGSEC.<br />
AQZ8231-00<br />
Explanation:<br />
Updated date/time =&1.<br />
PKCFGSEC in<strong>for</strong>mational. Displays the date and time the configuration file was last<br />
updated.<br />
AQZ8232-00<br />
Explanation:<br />
Authentication.<br />
PKCFGSEC in<strong>for</strong>mational. Heading <strong>for</strong> Authentication settings.<br />
AQZ8233-00<br />
Explanation:<br />
Check . . . . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Defines the level of authentication or CRL. If None, no<br />
authentication will take place even if the files or archive have been signed. Warning<br />
will issue warning messages on any failures and Authenticate will stop processing on<br />
failures.<br />
307
AQZ8234-00<br />
Explanation:<br />
Filters . . . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Describes the filters used <strong>for</strong> authentication.<br />
AQZ8235-00<br />
Explanation:<br />
Encryption:.<br />
PKCFGSEC in<strong>for</strong>mational. Heading <strong>for</strong> Encryption certificate settings.<br />
AQZ8236-00<br />
Explanation:<br />
Decryption:.<br />
PKCFGSEC in<strong>for</strong>mational. Heading <strong>for</strong> Decryption:certificate settings.<br />
AQZ8237-00<br />
Explanation:<br />
Certificate CRL Store:<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> certificate CRL<br />
(certificate Revocation List) store. See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8238-00<br />
Explanation:<br />
Revocation:.<br />
PKCFGSEC in<strong>for</strong>mational. Heading <strong>for</strong> Revocation processing settings.<br />
AQZ8239-00<br />
Explanation:<br />
CRL Type. . . . . . . .&1.<br />
Define if CRL exist and the type of CRL store processing. At this time only Static CRL<br />
stores are supported.<br />
AQZ8297-00<br />
Explanation:<br />
Certificate Validation Level:<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> certificate validation level.<br />
See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8298-00<br />
Explanation:<br />
Best Fit: . . . . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> certificate validation level.<br />
See PKCFGSEC <strong>for</strong> explanation.<br />
308
AQZ8299-00<br />
Explanation:<br />
Type Select . . . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> certificate validation level.<br />
See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8300-00<br />
Explanation:<br />
LDAP Definitions:<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> LDAP definitions. See<br />
PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8301-00<br />
Explanation:<br />
Nbr Of Active . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> the number of active<br />
LDAPs. See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8302-00<br />
Explanation:<br />
LDAP nbr &1:<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> LDAP definitions. See<br />
PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8303-00<br />
Explanation:<br />
Network Name . . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> LDAP definitions. See<br />
PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8304-00<br />
Explanation:<br />
Network Name . . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> LDAP definitions. See<br />
PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8305-00<br />
Explanation:<br />
Port . . . . . . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> LDAP definitions. See<br />
PKCFGSEC <strong>for</strong> explanation.<br />
309
AQZ8306-00<br />
Explanation:<br />
Access User . . . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> LDAP definitions. See<br />
PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8307-00<br />
Explanation:<br />
Access Password . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> LDAP definitions. See<br />
PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8308-00<br />
Explanation:<br />
Search Mode . . . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> LDAP definitions. See<br />
PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8309-00<br />
Explanation:<br />
Start Node . . . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> LDAP definitions. See<br />
PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8310-00<br />
Explanation:<br />
3DES Compatability . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> SecureZIP <strong>for</strong> 3DES<br />
compatibility setting. See PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8311-00<br />
Explanation:<br />
Time Out.<br />
. . . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> LDAP definitions. See<br />
PKCFGSEC <strong>for</strong> explanation.<br />
AQZ8312-00<br />
Explanation:<br />
Sequence. . . . . . . . . .&1.<br />
PKCFGSEC in<strong>for</strong>mational. Security configuration setting <strong>for</strong> LDAP definitions. See<br />
PKCFGSEC <strong>for</strong> explanation.<br />
310
AQZ9xxx LICENSE Messages<br />
AQZ9000-00<br />
Explanation:<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (TM) Compression Utility Version &1, &2.<br />
Displays the Version &1 of SecureZIP <strong>for</strong> <strong>iSeries</strong> with version release date of &2.<br />
AQZ9001-00<br />
Explanation:<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (tm) running under Beta release &1.<br />
Displays if PKZIP is running under an Alpha or a Beta Release.<br />
AQZ9002-00<br />
Explanation:<br />
PKZIP is being terminated due license validation failure.<br />
PKZIP could not validate the license. Obtain proper licensing keys from PKWARE,<br />
Inc., and run INSTPKLIC.<br />
AQZ9003-00<br />
Explanation:<br />
Machine ID = &1, Processor Group = &2.<br />
Displays the machine CPU serial number and the processor group in<strong>for</strong>mation.<br />
AQZ9004-00<br />
Explanation:<br />
EVALUATION Running.<br />
PKZIP is running under demo and in evaluation mode. a license key needs to be<br />
obtained.<br />
AQZ9005-00<br />
Explanation:<br />
Enterprise Registered.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> is licensed with enterprise registered.<br />
AQZ9006-00<br />
Registered.<br />
Explanation: SecureZIP <strong>for</strong> <strong>iSeries</strong> has been registered with a valid license key.<br />
311
AQZ9007-00<br />
Explanation:<br />
Copyright. 2004 PKWARE, Inc. All Rights Reserved.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> banner lines. Displays when PKZIP or PKUNZIP starts.<br />
AQZ9008-00<br />
Explanation:<br />
THIS LICENSE HAS EXPIRED. To renew your license.<br />
During PKZIP start up processing, it was determined that your license has expired.<br />
See following messages on how to update your licenses.<br />
AQZ9009-00<br />
Explanation:<br />
Contact your dealer with the following in<strong>for</strong>mation.<br />
In<strong>for</strong>ming that the next message provides in<strong>for</strong>mation required to obtain a license<br />
update.<br />
AQZ9010-00<br />
Explanation:<br />
Make sure you have run the Install License program INSTPKLIC.<br />
A problem has occurred when trying to open and process the licensing. This is<br />
probably due to not running the install license program.<br />
AQZ9011-50<br />
Explanation:<br />
Could not open License file <strong>for</strong> -aborting &2.<br />
PKZIP or PKUNZIP could not open the license file. Job will terminate. This is<br />
probably due to not running the install program.<br />
AQZ9012-50<br />
Explanation:<br />
Could not read License file base <strong>for</strong> , Length returned =&2.<br />
An error occurred while reading the PKZIP licensing file. Review the job log <strong>for</strong> more<br />
details. Job will be terminated.<br />
AQZ9013-50<br />
Explanation:<br />
Could not read License file Feature <strong>for</strong> , Length returned<br />
=&2.<br />
An error occurred while reading the PKZIP licensing file. Review the job log <strong>for</strong> more<br />
details. Job is being terminated.<br />
312
AQZ9014-00<br />
Explanation:<br />
&1, Warning - This license will expire in &2 days on &3.<br />
A warning that your license will expire soon. Contact your supplier to obtain a new<br />
license.<br />
AQZ9015-00<br />
UNREGISTERED Copy Running,<br />
Explanation: SecureZIP <strong>for</strong> <strong>iSeries</strong> is running without a valid license. It will run temporarily <strong>for</strong> 30<br />
days. Contact your supplier to obtain a new license with your serial number and<br />
processor group.<br />
AQZ9016-00<br />
Explanation:<br />
Unregistered Hardware Found Exception. &1 Grace days allowed.<br />
Serial number and/or processor group was not found <strong>for</strong> SecureZIP <strong>for</strong> <strong>iSeries</strong>. A<br />
temporary license will be granted <strong>for</strong> &1 days. Contact your supplier to obtain a new<br />
license with your serial number and processor group.<br />
AQZ9017-00<br />
Explanation:<br />
PKZIP (R) is a registered trademark of PKWARE (R), Inc.<br />
Trademark notes.<br />
AQZ9018-40<br />
Explanation:<br />
Beta Release Has Expired Contact PKWARE, Inc. <strong>for</strong> Final Beta<br />
Release.<br />
You are running a Beta Version of SecureZIP <strong>for</strong> <strong>iSeries</strong> that has expired. Contact<br />
PKWARE, Inc., <strong>for</strong> a newer version of SecureZIP <strong>for</strong> <strong>iSeries</strong>.<br />
AQZ9021-00<br />
Explanation:<br />
SecureZip(tm) is a trademark of PKWARE (R), Inc.<br />
Trademark.<br />
AQZ9050-50<br />
Explanation:<br />
Could not create License file - aborting.<br />
While running INSTPKLIC, the licensing did not exist, so one needed to be created.<br />
An error occurred and INSTPKLIC could not be created. See the job log <strong>for</strong> more<br />
detailed in<strong>for</strong>mation. Job will be terminated.<br />
313
AQZ9051-50<br />
Explanation:<br />
Could not open License file <strong>for</strong> update-aborting.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> could not open the license file <strong>for</strong> updating. Job will terminate.<br />
See the job log <strong>for</strong> details.<br />
AQZ9052-50<br />
Explanation:<br />
Could write License file <strong>for</strong> update-aborting.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> could not write to the license file with updates. Job will<br />
terminate. See the job log <strong>for</strong> details.<br />
AQZ9054-50<br />
Input File cannot be open <strong>for</strong> input.<br />
Explanation: The PKZIP License Install program could not open the "Library/File(member)" - &1<br />
input file that contains the licensing update keys. Job is terminated. See the job log<br />
<strong>for</strong> details.<br />
AQZ9055-50<br />
Error Reading Input Control file .<br />
Explanation: The PKZIP License Install program could not read the "Library/File(member)" - &1<br />
input file that contains the licensing update keys. Job is terminated. See the job log<br />
<strong>for</strong> details.<br />
AQZ9056-00<br />
Explanation:<br />
&1 Evaluation set to expire in &2 days on &3.<br />
Feature Code &1 has been set <strong>for</strong> evaluation and will expire in &2 days on the date of<br />
&3.<br />
AQZ9057-00<br />
Explanation:<br />
Nbr of Feature Control Records Type-&1 was &2.<br />
The total of inputted feature control records with type &1 was processed. This is only<br />
with debug turned on.<br />
AQZ9058-00<br />
Rec - &1 &2.<br />
Explanation: Displays detail input control records being processed by INSTPKLIC (includes *<br />
comments).<br />
314
AQZ9059-00<br />
Explanation:<br />
License File &1 Updated successfully.<br />
The PKZIP license file &1 was updated successfully with supplied control records.<br />
AQZ9060-50<br />
Explanation:<br />
License file NOT Updated.<br />
Due to errors wile running the license install program, the license file was not<br />
updated. Review the job log <strong>for</strong> previous message, which indicates why the file was<br />
not updated.<br />
AQZ9061-40<br />
Explanation:<br />
Error found in processing input parameters.<br />
Errors were found while processing the input control records in the license install<br />
program. License file was not updated. Review the job log <strong>for</strong> previous message,<br />
which indicates why the file was not updated.<br />
AQZ9062-40<br />
Explanation:<br />
More than 1 control code 55 record, Run terminated.<br />
Only one customer control record beginning with 55 is allowed in the license control<br />
Program. Job will be terminated. Review Input Control file <strong>for</strong> control records.<br />
AQZ9063-40<br />
Explanation:<br />
Control Record 55 must be 1st non-comment record.<br />
The first control record (non-comment) in the license control input file must the<br />
customer control record beginning with 55. Job will be terminated.<br />
AQZ9064-40<br />
Explanation:<br />
Invalid Feature Code in Position 1 & 2.<br />
In positions 1 and 2 of the license control record is the feature code. The license<br />
install program found the invalid feature code of &1. The license file will not be<br />
updated. (See “Licensed Product Features” in Chapter 4).<br />
AQZ9065-40<br />
Explanation:<br />
Invalid Date on record &2.<br />
An invalid feature date on control record number &2 was found. Date must be<br />
YYYYMMDD <strong>for</strong>mat with valid month and day. The license file will not be updated.<br />
315
AQZ9066-40<br />
Explanation:<br />
An error has occurred in validating the Customer Number &1 -<br />
Contact your Dealer.<br />
The customer number &1 was found to be invalid. Contact your salesperson or<br />
reseller <strong>for</strong> correct codes. The license file will not be updated.<br />
AQZ9067-40<br />
Explanation:<br />
An error has occurred in validating the License - Contact Your<br />
Dealer.<br />
The validation of the license was found to be Invalid. Contact your salesperson or<br />
reseller <strong>for</strong> correct codes. The license file will not be updated.<br />
AQZ9068-40<br />
Explanation:<br />
An error has occurred in validating the License. Contact Your<br />
Dealer.<br />
The validation of the license was found to be Invalid. Contact your salesperson or<br />
reseller <strong>for</strong> correct codes. The license file will not be updated.<br />
AQZ9069-40<br />
Explanation:<br />
Customer name cannot be blank <strong>for</strong> Control 55.<br />
In the customer control record (starts with 55), the customer name should contain the<br />
Customers name in positions 23 thru 72 and must not be blank.<br />
AQZ9070-40<br />
Explanation:<br />
Duplicate hardware found <strong>for</strong> Feature %2.<br />
Only one unique hardware (serial number and processor group) is allowed per feature<br />
code. The license file will not be updated.<br />
AQZ9071-40<br />
Explanation:<br />
Embedded blanks in hardware <strong>for</strong> feature &2.<br />
The hardware codes (serial number and processor group) must all be non-blank<br />
characters. The license file will not be updated.<br />
AQZ9072-40<br />
Explanation:<br />
Max hardware exceeded &2 <strong>for</strong> Feature &2.<br />
All hardware available entries are in use. There is no room to add another hardware<br />
entry <strong>for</strong> the product. Contact your salesperson or reseller.<br />
316
AQZ9073-40<br />
Explanation:<br />
&1 Request to setup DEMO rejected. DEMO is already running.<br />
A request in the License install program to setup a demo license was issued, but a<br />
demo is currently active. A demo request cannot be run until current demo expires.<br />
The license file is not updated.<br />
AQZ9074-40<br />
Explanation:<br />
Cannot do VIEW option until file has been Installed.<br />
A request in the license Install program to view the current license setting was issued,<br />
but the VIEW option cannot be used until one valid install is processed.<br />
AQZ9075-40<br />
Explanation:<br />
Invalid or Missing Member Name.<br />
Special characters or a blank member name was submitted in the command<br />
INSTPKLIC <strong>for</strong> parameter INMBR.<br />
AQZ9076-40<br />
Explanation:<br />
Feature Code &1 is invalid <strong>for</strong> Customer Number &2.<br />
The customer number &2 on the input control record is invalid <strong>for</strong> the specified feature<br />
code &1. Contact your salesperson or reseller <strong>for</strong> correct codes. The license file will<br />
not be updated.<br />
AQZ9077-40<br />
Explanation:<br />
License Keys have invalid version setting.<br />
The version of the keys entered is a mismatch to SecureZIP <strong>for</strong> <strong>iSeries</strong> version.<br />
Review input file <strong>for</strong> keys.<br />
AQZ9078-40<br />
Explanation:<br />
SecureZip Control Record 57 must be 1st non-comment record.<br />
The first control record (non-comment) in the license control input file must the<br />
customer control record beginning with 57. Job will be terminated.<br />
AQZ9079-00<br />
*********************************************<br />
Explanation: Displays a print separator <strong>for</strong> INSTPKLIC viewing.<br />
317
AQZ9080-00<br />
Explanation:<br />
A License Report requested on &1 from CPU Serial# &2.<br />
The licensing Install program was run with TYPE(*VIEW), and the report of the<br />
current status of the license will be following <strong>for</strong> this CPU.<br />
AQZ9081-00<br />
Explanation:<br />
&1 Product Licensed to Customer # &2 -&3.<br />
Displays the version, customer number and customer name currently on license file.<br />
In<strong>for</strong>mation of INSTPKLIC with TYPE(*VIEW).<br />
AQZ9082-00<br />
Explanation:<br />
&1-DEMO with &2 Days remaining (&3).<br />
Displays the hardware &1 is running as a demo and has &2 days remaining.<br />
In<strong>for</strong>mation of INSTPKLIC with TYPE(*VIEW).<br />
AQZ9083-00<br />
Explanation:<br />
Enterprise Licensed. All Products Features are available on<br />
all CPUs. Expiration Date is &1.<br />
Display that all CPUs are being run with the enterprise license; also displays the<br />
expiration date. In<strong>for</strong>mation of INSTPKLIC with TYPE(*VIEW).<br />
AQZ9084-00<br />
Explanation:<br />
&1 Licensed --Expires &2 <strong>for</strong> processors:.<br />
Displays the feature codes (&1) and their expiration date(&2) that is associated with<br />
the current license file. In<strong>for</strong>mation of INSTPKLIC with TYPE(*VIEW).<br />
AQZ9085-00<br />
Explanation:<br />
Serial# &1 Processor Type &2.<br />
Displays the list of hardware that is active under the feature code (AQZ90084).<br />
In<strong>for</strong>mation of INSTPKLIC with TYPE(*VIEW).<br />
AQZ9086-00<br />
Explanation:<br />
Serial# &1 is Not Licensed. Use Of The Product will CEASE in<br />
&2 days (&3).<br />
Displays the hardware that is not currently licensed <strong>for</strong> the above feature code<br />
(AQZ9084) and display when it will expire. In<strong>for</strong>mation of INSTPKLIC with<br />
TYPE(*VIEW).<br />
318
AQZ9087-00<br />
Explanation:<br />
Contact PKWARE, Inc. <strong>for</strong> Licensing.<br />
In<strong>for</strong>mational message to contact your support technician <strong>for</strong> licensing update.<br />
Please contact the Product Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
AQZ9100-40<br />
Explanation:<br />
!!!PZ Base Module is not licensed <strong>for</strong> this Serial Number. Run<br />
will not be processed.<br />
The !!!PZ base module could not be validated. Obtain proper licensing keys from<br />
your salesperson or reseller and run INSTPKLIC. See Message AQZ9087 <strong>for</strong> more<br />
contact in<strong>for</strong>mation.<br />
AQZ9101-40<br />
Explanation:<br />
Compression Feature is not licensed <strong>for</strong> this Serial Number.<br />
Run will not be processed.<br />
PKZIP could not validate the compression license feature. Obtain proper licensing<br />
keys from your salesperson or reseller and run INSTPKLIC. See Message AQZ9087<br />
<strong>for</strong> more contact in<strong>for</strong>mation.<br />
AQZ9102-40<br />
Explanation:<br />
Decompression Feature is not licensed <strong>for</strong> this Serial Number.<br />
Run will not be processed.<br />
PKZIP could not validate the decompression license feature. Obtain proper licensing<br />
keys from your salesperson or reseller and run INSTPKLIC. See Message AQZ9087<br />
<strong>for</strong> contact in<strong>for</strong>mation.<br />
AQZ9103-40<br />
Explanation:<br />
GZIP Feature is not licensed <strong>for</strong> this Serial Number. Run will<br />
not be processed.<br />
PKZIP could not validate the GZIP license feature. Obtain proper licensing keys from<br />
your salesperson or reseller and run INSTPKLIC. See Message AQZ9087 <strong>for</strong> more<br />
contact in<strong>for</strong>mation.<br />
AQZ9104-40<br />
Explanation:<br />
Directory Integration Feature is not licensed <strong>for</strong> this Serial<br />
Number. Run will not be processed.<br />
PKZIP could not validate the directory integration (LDAP) license feature. Obtain<br />
proper licensing keys from your salesperson or reseller and run INSTPKLIC. See<br />
Message AQZ9087 <strong>for</strong> more contact in<strong>for</strong>mation.<br />
319
AQZ9105-40<br />
Explanation:<br />
Advance Encryption Feature is not licensed <strong>for</strong> this Serial<br />
Number. Run will not be processed.<br />
PKZIP could not validate the advance encryption license feature. Obtain proper<br />
licensing keys from your salesperson or reseller and run INSTPKLIC. See Message<br />
AQZ9087 <strong>for</strong> more contact in<strong>for</strong>mation.<br />
AQZ9106-40<br />
Explanation:<br />
Spool File Feature is not licensed <strong>for</strong> this Serial Number. Run<br />
will not be processed.<br />
PKZIP could not validate the spool file license feature. Obtain proper licensing keys<br />
from your salesperson or reseller and run INSTPKLIC. See Message AQZ9087 <strong>for</strong><br />
more contact in<strong>for</strong>mation.<br />
AQZ9107-40<br />
Explanation:<br />
Beta Release Has Expired Contact PKWARE, Inc. <strong>for</strong> Final Beta<br />
Release.<br />
You are running a beta version of SecureZIP <strong>for</strong> <strong>iSeries</strong> that has expired. Contact<br />
PKWARE, Inc., <strong>for</strong> a newer version of SecureZIP <strong>for</strong> <strong>iSeries</strong>.<br />
AQZ9109-00<br />
Explanation:<br />
Self Extraction Support Feature is not licensed <strong>for</strong> this Serial<br />
Number. Run will not be processed.<br />
PKZIP could not validate the self extraction support feature. Obtain proper licensing<br />
keys from your salesperson or reseller and run INSTPKLIC. See Message AQZ9087<br />
<strong>for</strong> more contact in<strong>for</strong>mation.<br />
AQZ9110-40<br />
Explanation:<br />
Advance Encryption Feature is not licensed <strong>for</strong> this Serial<br />
Number. Authentication will not take place.<br />
The AUTHPOL was set to authenticate either the archive or file, But Advance<br />
Encryption Feature is not licensed. The AUTHPOL will now be set to *NONE.<br />
320
ZPCA801x – ZPCA899x Messages<br />
These messages relate to certificate store administration.<br />
ZPCA801E<br />
Explanation:<br />
Response:<br />
Invalid parameter value <strong>for</strong> Preferred Certificate Store. Value<br />
= %s..<br />
The PKCAADMN utility expects one of the following value <strong>for</strong> the Preferred Certificate<br />
Store parameter:<br />
CA - Certificate Authority Store<br />
RT - Root Store<br />
CR - Certificate Revocation List Store<br />
BG - Best Guess or DETECT (PKCAADMN attempts to select the storebased on the<br />
input certificate constraints.)<br />
%s Shows the value that the PKCAADMN utility received <strong>for</strong> the Preferred Certificate<br />
Store parameter.<br />
The PKCAADMN utility will be unable to proceed without a properly specified<br />
Preferred Certificate Store parameter. Program execution will terminate.<br />
Determine the origin of the incorrect value and change to one of the correct input<br />
values listed above.<br />
ZPCA802E<br />
ZPCA802E Invalid parameter value <strong>for</strong> Action. Value = %s.<br />
Explanation: The PKCAADMN utility expects one of the following value <strong>for</strong> the Action parameter: -<br />
Add certificate to a store D - Delete a certificate from a store V - Verify the integrity of<br />
a store S - Short list of a store's contents L - Long list of a store's contents I - Initialize<br />
a certificate store B - Browse a certificate file's contents<br />
%s Shows the value that the PKCAADMN utility received <strong>for</strong> the Action parameter.<br />
Response:<br />
The PKCAADMN utility will be unable to proceed without a properly specified Action<br />
parameter. Program execution will terminate. Determine the origin of the incorrect<br />
value and change to one of the correct input values listed above.<br />
ZPCA803E<br />
Explanation:<br />
Invalid parameter value <strong>for</strong> Certificate File Type. Value = %s.<br />
The PKCAADMN utility expects one of the following value <strong>for</strong> the Certificate File Type<br />
parameter:<br />
CER - .cer Certificate File (also called a PEM file) P7B - PKCS #7 Certificate File CRL<br />
- .crl Certificate Revocation List File<br />
%s Shows the value that the PKCAADMN utility received <strong>for</strong> the Certificate File Type<br />
parameter.<br />
Response:<br />
The PKCAADMN utility will be unable to proceed without a properly specified<br />
Certificate File Type parameter. Program execution will terminate. Determine the<br />
321
origin of the incorrect value and change to one of the correct input values listed<br />
above.<br />
ZPCA804E<br />
Explanation:<br />
Response:<br />
Cert Wrap initialization failed.<br />
The PKCAADMN relies on the Cert Wrap modules to process certificate files and<br />
stores. Without the proper execution of these modules, the PKCAADMN cannot<br />
function. If initialization of Cert Wrap cannot be completed, the PKCAADMN program<br />
cannot continue.<br />
The PKCAADMN utility will be unable to proceed without Cert Wrap initialization.<br />
Program execution will terminate. Contact PKWARE Technical Support to determine<br />
the origin of the Cert Wrap failure.<br />
ZPCA805E<br />
Explanation:<br />
Open certificate store failed. Store '%s1' type incompatible<br />
with certificate '%s2' type.<br />
When per<strong>for</strong>ming an add to store operation, the PKCAADMN utility requires that the<br />
type of the certificate match the type of the store that the certificate is being added to.<br />
In the case of the CA store, this means the certificate must have the certificate<br />
authority constraint.* For the root store, the certificate must be self signed.<br />
%s1 Shows the value that the PKCAADMN utility received <strong>for</strong> the certificate store.<br />
%s2 Shows the value that the PKCAADMN utility received the certificate file.<br />
Response:<br />
The PKCAADMN utility will be unable to proceed with the add command without the<br />
certificate store type and the certificate file type matching. Program execution will<br />
terminate. Determine the origin of the type mismatch and change the certificate store<br />
and/or certificate file values so that the certificate and store types match and<br />
reattempt the add command.<br />
ZPCA806E<br />
Explanation:<br />
Response:<br />
The certificate store '%s' was not opened.<br />
While attempting to open the certificate store file, the PKCAADMN program was<br />
unable to open the file. %s Shows the value that the PKCAADMN utility received <strong>for</strong><br />
the certificate store.<br />
The PKCAADMN utility will be unable to proceed with the command without a valid<br />
certificate store being specified. Program execution will terminate. Verify that the<br />
correct file name was passed to PKCAADMN <strong>for</strong> the certificate store name and<br />
reattempt the command.<br />
322
ZPCA807E<br />
Explanation:<br />
Response:<br />
Memory allocation error.<br />
The PKCAADMN program was unable to allocate storage space.<br />
The PKCAADMN utility will be unable to proceed without the ability to allocate<br />
memory <strong>for</strong> storage. Program execution will terminate. Contact PKWARE Technical<br />
Support to determine the origin of the memory allocation error.<br />
ZPCA808E<br />
Explanation:<br />
Response:<br />
Failed to read from certificate store '%s'.<br />
The PKCAADMN program was unable to read from the specified certificate store file.<br />
%s Shows the value that the PKCAADMN utility received <strong>for</strong> the certificate store.<br />
The PKCAADMN utility was able to open the specified certificate store file. However,<br />
the program was unable read from the file. Program execution will terminate. Verify<br />
that the file is indeed a valid certificate store file and attempt the command again.<br />
ZPCA809E<br />
Explanation:<br />
Response:<br />
Failed to read the entire file '%s'. Expected %d1, read %d2.<br />
The PKCAADMN program was unable to read all of the data from the specified<br />
certificate store file. %s Shows the value that the PKCAADMN utility received <strong>for</strong> the<br />
certificate store. %d1 Shows the expected data size to be read from the certificate<br />
store file. %d2 Shows the actual data size read from the certificate store file.<br />
The PKCAADMN utility was able to open the specified certificate store file and read<br />
from it successfully. However, the program was unable to read all the expected data<br />
from the file. Program execution will terminate. Verify that the file is indeed a valid<br />
certificate store file and attempt the command again.<br />
ZPCA810E<br />
Explanation:<br />
Response:<br />
Failed to build certificate store '%s'.<br />
The PKCAADMN program was unable take the data from the file and <strong>for</strong>m a<br />
certificate store in memory. %s Shows the value that the PKCAADMN utility<br />
received <strong>for</strong> the certificate store.<br />
The PKCAADMN utility was able to open the specified certificate store file and read<br />
all the data from it successfully. However, the program was unable to use the data<br />
from the file to <strong>for</strong>m a valid certificate data structure in memory. Program execution<br />
will terminate. Verify that the file is indeed a valid certificate store file and attempt the<br />
command again.<br />
ZPCA811E<br />
Explanation:<br />
Cert Wrap failed to open '%s'. CW Error = 0X%X.<br />
The PKCAADMN program was unable take the data from the certificate file and <strong>for</strong>m<br />
a certificate data object in memory. %s Shows the value that the PKCAADMN utility<br />
323
eceived <strong>for</strong> the certificate file. %X Shows the hexadecimal value the Cert Wrap<br />
module returned upon failure to process the certificate file.<br />
Response:<br />
The PKCAADMN utility was able to open the specified certificate file and read all the<br />
data from it successfully. However, the program was unable to use the data from the<br />
file to <strong>for</strong>m a valid certificate data structure in memory. Program execution will<br />
terminate. Verify that the file is indeed a valid certificate file and attempt the command<br />
again.<br />
ZPCA812E<br />
Explanation:<br />
Response:<br />
Cert Wrap failed to add '%s'. CW Error = 0X%X.<br />
The PKCAADMN program was unable to add the specified certificate file to the<br />
certificate store. %s Shows the value that the PKCAADMN utility received <strong>for</strong> the<br />
certificate file. %X Shows the hexadecimal value the Cert Wrap module returned<br />
upon failure to add the certificate file to the certificate store.<br />
The PKCAADMN utility was able to open the specified certificate file and process the<br />
data. However, the utility failed to add to certificate to the store. Program execution<br />
will terminate. Verify that the file is indeed a valid certificate file and attempt the<br />
command again.<br />
ZPCA813E<br />
Explanation:<br />
Response:<br />
Cert Wrap failed to free certificate context. CW Error = 0X%X.<br />
The PKCAADMN program was unable to release the system resources allocated by<br />
the Cert Wrap modules during program execution. %X Shows the hexadecimal<br />
value the Cert Wrap module returned upon failure to free the certificate context.<br />
The PKCAADMN utility was unable to release the system resources allocated by the<br />
Cert Wrap modules during program execution. This is indicative of an internal<br />
program error. Program execution will terminate. Contact PKWARE Technical<br />
Support to determine the resolution of the program error.<br />
ZPCA814E<br />
Explanation:<br />
Response:<br />
Cannot continue. Unable to close root store.<br />
The PKCAADMN program was unable to close the root store. The program allocates<br />
system resources associated with the root store and was unable to free those<br />
resources after use.<br />
The PKCAADMN utility was unable return the root store resources back to the<br />
operating system after use. The program cannot recover from this state and the<br />
program execution will terminate. It is possible that the certificate store is corrupt in<br />
some way. Verify that the root store is valid. If the root store proves valid, contact<br />
PKWARE Technical Support to determine the source of the failure.<br />
324
ZPCA815E<br />
Explanation:<br />
Response:<br />
Cannot continue. Unable to close CA store.<br />
The PKCAADMN program was unable to close the CA store. The program allocates<br />
system resources associated with the CA store and was unable to free those<br />
resources after use.<br />
The PKCAADMN utility was unable return the CA store resources back to the<br />
operating system after use. The program cannot recover from this state and the<br />
program execution will terminate. It is possible that the certificate store is corrupt in<br />
some way. Verify that the CA store is valid. If the CA store proves valid, contact<br />
PKWARE Technical Support to determine the source of the failure.<br />
ZPCA816E<br />
Explanation:<br />
Response:<br />
Cannot continue. Unable to save certificate store.<br />
The PKCAADMN program was unable to save the certificate store. The program<br />
write the certificate store back to disk to complete the operation and was unable to do<br />
so.<br />
The PKCAADMN utility was unable write the certificate store back to disk. The<br />
program cannot recover from this state and the program execution will terminate. It is<br />
possible that the certificate store is corrupt in some way. Verify that the certificate<br />
store is valid. If the store proves valid, verify that the utility has write access to the<br />
disk in question and reattempt the operation.*<br />
ZPCA817E<br />
Explanation:<br />
Response:<br />
Failed to write to certificate store '%s'.<br />
The PKCAADMN program was unable to write to the specified certificate store file.<br />
%s Shows the value that the PKCAADMN utility received <strong>for</strong> the certificate store.<br />
The PKCAADMN utility was able to open the specified certificate store file. However,<br />
the program was unable write to the file. Program execution will terminate. Verify that<br />
the file is indeed a valid certificate store file and attempt the command again.<br />
ZPCA818E<br />
Explanation:<br />
Response:<br />
Failed to write the entire file '%s'. Expected %d1, wrote %d2.<br />
The PKCAADMN program was unable to write all of the data to the specified<br />
certificate store file. %s Shows the value that the PKCAADMN utility received <strong>for</strong> the<br />
certificate store. %d1 Shows the expected data size to be written to the certificate<br />
store file. %d2 Shows the actual data size written to the certificate store file.<br />
The PKCAADMN utility was able to open the specified certificate store file and wrote<br />
to it successfully. However, the program was unable to write all the expected data to<br />
the file. Program execution will terminate. Verify that the file is indeed a valid<br />
certificate store file and attempt the command again.<br />
325
ZPCA819E<br />
Explanation:<br />
Response:<br />
Cannot continue. Nothing found to save to the certificate<br />
store.<br />
The PKCAADMN program found nothing to write to the specified certificate store file.<br />
The PKCAADMN utility was able to open the specified certificate store file but found<br />
nothing to write. This is an unrecoverable program state and the program execution<br />
will terminate. Verify that the file is indeed a valid certificate store file and attempt the<br />
command again.<br />
ZPCA820E<br />
Explanation:<br />
Response:<br />
Cannot continue. Unable to close the certificate store.<br />
The PKCAADMN program was unable to close the certificate store. The program<br />
allocates system resources associated with the certificate store and was unable to<br />
free those resources after use.<br />
The PKCAADMN utility was unable return the root store resources back to the<br />
operating system after use. The program cannot recover from this state and the<br />
program execution will terminate. It is possible that the certificate store is corrupt in<br />
some way. Verify that the root store is valid. If the root store proves valid, contact<br />
PKWARE Technical Support to determine the source of the failure.<br />
ZPCA821E<br />
Explanation:<br />
Response:<br />
Cannot continue. Unable to close certificate revocation list<br />
store.<br />
The PKCAADMN program was unable to close the certificate revocation list store.<br />
The program allocates system resources associated with the certificate revocation list<br />
store and was unable to free those resources after use.<br />
The PKCAADMN utility was unable return the certificate revocation list store<br />
resources back to the operating system after use. The program cannot recover from<br />
this state and the program execution will terminate. It is possible that the certificate<br />
store is corrupt in some way. Verify that the certificate revocation list store is valid. If<br />
the certificate revocation list store proves valid, contact PKWARE Technical Support<br />
to determine the source of the failure.<br />
ZPCA822E<br />
Explanation:<br />
Response:<br />
Cannot continue. Unhandled certificate file type.<br />
The PKCAADMN utility received a certificate file type that the program does not know<br />
how to process.<br />
The PKCAADMN utility will be unable to proceed without a properly specified<br />
certificate file type parameter. Program execution will terminate. This is an error<br />
internal to the program. Contact PKWARE Technical Support to resolve this issue.<br />
326
ZPCA823E<br />
Explanation:<br />
Response:<br />
Cannot continue. Unable to retrieve certificate name from the<br />
store.<br />
The PKCAADMN utility must match the certificate name specified <strong>for</strong> deletion with the<br />
certificate name found in the certificate store. The program was unable to read the<br />
certificate name from the certificate store.<br />
The PKCAADMN utility will be unable to proceed without properly reading the<br />
certificate name from the store. Program execution will terminate. The certificate store<br />
in question may be invalid. Verify the integrity of the certificate store and try the<br />
command again.<br />
ZPCA824E<br />
Explanation:<br />
Response:<br />
Cannot continue. Delete certificate failed.<br />
The PKCAADMN utility was unable to delete the certificate from the certificate store.<br />
The PKCAADMN utility will be unable to proceed past this point in the deletion<br />
process and program execution will terminate. This is an error internal to the program.<br />
The program was able to identify the certificate to be deleted in the certificate store<br />
but the deletion failed. Contact PKWARE Technical Support to resolve this issue.<br />
ZPCA825E<br />
Explanation:<br />
Response:<br />
Delete certificate failed. Match was not found in the<br />
specified store.<br />
The PKCAADMN utility must match the certificate specified in the input parameters<br />
with a certificate in the specified certificate store in order to per<strong>for</strong>m the deletion<br />
process. This match failed.<br />
The PKCAADMN utility will be unable to proceed without properly matching the<br />
certificate specified <strong>for</strong> deletion with an entry in the certificate store. Program<br />
execution will terminate. The certificate store in question may not contain the<br />
specified certificate. Verify the certificate store contents and try the command again.<br />
ZPCA826E<br />
Explanation:<br />
Response:<br />
Serial number must be in hexadecimal notation.<br />
The PKCAADMN utility must match the certificate serial number to an entry in the<br />
certificate store. The provided serial number was not in proper hexadecimal notation.<br />
The PKCAADMN utility will be unable to proceed without properly matching the<br />
certificate specified <strong>for</strong> deletion with an entry in the certificate store. Program<br />
execution will terminate. The serial number may have been improperly entered in the<br />
PKCAADMN utility. Verify the serial number parameter and try the command again.<br />
ZPCA827E<br />
Explanation:<br />
Certificate store verification failed.<br />
The PKCAADMN utility was unable to verify the specified certificate store.<br />
327
Response:<br />
The PKCAADMN utility failed to verify the store <strong>for</strong> a specific reason. Look to the<br />
previous errors associated with this error in the listing to determine the exact cause of<br />
the verify command failure. Investigate the previous errors in the listing to determine<br />
the root cause of the verify failure.<br />
ZPCA828E<br />
Explanation:<br />
Response:<br />
Must specify root, CA or CRL store to initialize.<br />
The PKCAADMN utility was to continue with the certificate store initialization due to<br />
an invalid store type.<br />
The PKCAADMN utility will be unable to proceed past this point in the initialization<br />
process and program execution will terminate. This is an error internal to the program.<br />
Contact PKWARE Technical Support to resolve this issue.<br />
ZPCA829E<br />
Explanation:<br />
Response:<br />
Certificate store initialization failed.<br />
The PKCAADMN utility was unable to initialize the specified certificate store.<br />
The PKCAADMN utility failed to initialize the store <strong>for</strong> a specific reason. Look to the<br />
previous errors associated with this error in the listing to determine the exact cause of<br />
the initialization command failure. Investigate the previous errors in the listing to<br />
determine the root cause of the initialization failure.<br />
ZPCA830E<br />
The end entity file '%s' was not opened.<br />
Explanation: The PKCAADMN program was unable to open the specified end entity output file. %s<br />
Shows the value that the PKCAADMN utility received <strong>for</strong> the output file.<br />
Response:<br />
The PKCAADMN utility was unable to open the specified end entity output file. The<br />
program cannot recover from this situation and the program execution will terminate.<br />
Verify that the file name is indeed a valid and attempt the command again.<br />
ZPCA831E<br />
Explanation:<br />
Response:<br />
Could not retrieve certificate property from store.<br />
The PKCAADMN utility must retrieve certificate properties from the certificate store<br />
and could not.<br />
The PKCAADMN utility will be unable to proceed past this point in the end entity<br />
output process and program execution will terminate. This is an error internal to the<br />
program. Contact PKWARE Technical Support to resolve this issue.<br />
328
ZPCA832E<br />
Explanation:<br />
Response:<br />
Cannot continue. Unable to make CRL from file '%s'.<br />
The PKCAADMN utility must create a certificate revocation list data structure from the<br />
input file but was unable to. %s Shows the value that the PKCAADMN utility<br />
received <strong>for</strong> the certificate revocation list.<br />
The PKCAADMN utility will be unable to proceed past this point in the certificate<br />
revocation list add process and program execution will terminate. It is possible that<br />
the input file is not a valid certificate revocation list file. Verify the input file attempt<br />
the command again.<br />
ZPCA833W<br />
Explanation:<br />
Response:<br />
Cannot verify CRL issuer '%s' with CA Store. Trying Root<br />
Store.<br />
The PKCAADMN utility must verify the certificate revocation list data issuer to be sure<br />
the revocation list is valid. The program was unable to find the CRL issuer in the CA<br />
store. %s The issuer name <strong>for</strong> the certificate revocation list in question.<br />
The PKCAADMN utility will also look in the root store <strong>for</strong> the issuer be<strong>for</strong>e abandoning<br />
the CRL add process. The utility will also check the root store <strong>for</strong> the CRL issuer.<br />
This is only a warning message and will not hinder the CRL add process unless the<br />
CRL issuer is not found in the root store either.<br />
ZPCA834W<br />
Explanation:<br />
Response:<br />
Cannot verify CRL issuer with root store.<br />
The PKCAADMN utility must verify the certificate revocation list data issuer to be sure<br />
the revocation list is valid. The program was unable to find the CRL issuer in the root<br />
store.<br />
The PKCAADMN utility will also look in the CA store <strong>for</strong> the issuer be<strong>for</strong>e abandoning<br />
the CRL add process. The utility will also check the CA store <strong>for</strong> the CRL issuer. This<br />
is only a warning message and will not hinder the CRL add process unless the CRL<br />
issuer is not found in the CA store either.<br />
ZPCA835E<br />
Explanation:<br />
Response:<br />
Cannot continue. Unable to verify CRL issuer.<br />
The PKCAADMN utility must verify the certificate revocation list data issuer to be sure<br />
the revocation list is valid. The program was unable to find the CRL issuer in the root<br />
store or the CA store.<br />
The PKCAADMN utility has checked both the root and the CA stores <strong>for</strong> the CRL<br />
issuer and was unsuccessful. The program cannot continue with the CRL add<br />
without verifying the issuer and the program execution will terminate. Verify the<br />
contents of the root and/or CA stores to be sure that the issuer <strong>for</strong> the CRL in<br />
question is present in one of the stores and attempt the command again.<br />
329
ZPCA836E<br />
Explanation:<br />
Response:<br />
Cannot continue. Unable to add CRL to store.<br />
The PKCAADMN utility was unable to add the CRL file to the certificate revocation list<br />
store.<br />
The PKCAADMN utility cannot continue the add process past this point and the<br />
program execution will terminate. Verify the certificate revocation list store is valid and<br />
attempt the command again.<br />
ZPCA837E<br />
Explanation:<br />
Response:<br />
Cert Wrap failed to free CRL context. CW Error = 0X%X.<br />
The PKCAADMN program was unable to release the system resources allocated by<br />
the Cert Wrap modules during program execution. %X Shows the hexadecimal<br />
value the Cert Wrap module returned upon failure to free the CRL context.<br />
The PKCAADMN utility was unable to release the system resources allocated by the<br />
Cert Wrap modules during program execution. This is indicative of an internal<br />
program error. Program execution will terminate. Contact PKWARE Technical<br />
Support to determine the resolution of the program error.<br />
ZPCA838E<br />
Explanation:<br />
Response:<br />
Cannot continue. Unable to get in<strong>for</strong>mation from CRL.<br />
The PKCAADMN program was unable to retrieve in<strong>for</strong>mation from the certificate<br />
revocation list data structure.<br />
The PKCAADMN utility was unable to retrieve in<strong>for</strong>mation from the certificate<br />
revocation list data structure. This is indicative of an internal program error. Program<br />
execution will terminate. Contact PKWARE Technical Support to determine the<br />
resolution of the program error.<br />
ZPCA839E<br />
Explanation:<br />
Response:<br />
Cannot continue. Unable to get name from CRL.<br />
The PKCAADMN program was unable to retrieve the CRL name from the certificate<br />
revocation list data structure.<br />
The PKCAADMN utility was unable to retrieve the CRL name from the certificate<br />
revocation list data structure. This is indicative of an internal program error. Program<br />
execution will terminate. Contact PKWARE Technical Support to determine the<br />
resolution of the program error.<br />
ZPCA840E<br />
Explanation:<br />
Delete CRL failed. Match was not found in the CA or Root<br />
store.<br />
The PKCAADMN program was unable to find the CRL issuer in the CA or root stores.<br />
The CRL delete is unable to proceed in this situation.<br />
330
Response:<br />
The PKCAADMN utility was unable to retrieve the CRL issuer from the root or CA<br />
stores. The program cannot recover from this situation and the program execution<br />
will terminate. Verify the contents of the CA and/or root stores and attempt the<br />
command again.<br />
ZPCA841E<br />
Explanation:<br />
Response:<br />
Delete CRL failed. Unable to find the CRL in the store.<br />
The PKCAADMN program was unable to find the specified CRL in the certificate<br />
revocation list store. The CRL delete command is unable to proceed in this situation.<br />
The PKCAADMN utility was unable to find the CRL in the certificate revocation list<br />
store. The program cannot recover from this situation and the program execution will<br />
terminate. Verify the contents of the certificate revocation list store and attempt the<br />
command again.<br />
ZPCA842E<br />
Explanation:<br />
Response:<br />
Delete CRL failed. Unable to remove the CRL from the store.<br />
The PKCAADMN program was unable to delete the specified CRL entry from the<br />
certificate revocation list store.<br />
This error is indicative of an internal program error. The program execution will<br />
terminate. Contact PKWARE Technical Support to determine the resolution of the<br />
program error.<br />
ZPCA843E<br />
Explanation:<br />
Response:<br />
The store file '%s' was empty. Please try a valid certificate<br />
store.<br />
The PKCAADMN program was passed the name of an empty file in place of a<br />
certificate store. %s Shows the value that the PKCAADMN utility received <strong>for</strong> the<br />
certificate store.<br />
The PKCAADMN utility is unable to proceed without properly specified certificate<br />
stores. The program cannot recover from this situation and the program execution<br />
will terminate. Verify the certificate store file names and attempt the command again.<br />
ZPCA844E<br />
Explanation:<br />
Response:<br />
Certificate type could not be determined.<br />
The PKCAADMN program was unable to determine the type of the certificate to be<br />
add.<br />
The PKCAADMN utility is unable to proceed without properly the type of the certificate<br />
being added as this type determines which store the certificate should be placed in.<br />
The program cannot recover from this situation and the program execution will<br />
terminate. Verify the origin of the input file and be sure it is a valid certificate file and<br />
try the command again.<br />
331
ZPCA845E<br />
Invalid type specified <strong>for</strong> '%s' <strong>for</strong> Browse. Only CER and P7B<br />
types are valid.<br />
Explanation: The PKCAADMN program was unable to browse a file of the specified file type. %s<br />
Shows the value that the PKCAADMN utility received <strong>for</strong> the certificate file.<br />
Response:<br />
The PKCAADMN utility was able to browse the specified certificate file type. Program<br />
execution will terminate. Verify the type of the certificate file in question and attempt<br />
the command again.<br />
ZPCA846W<br />
Explanation:<br />
Response:<br />
Simulation Requested. Nothing will be saved to the store.<br />
The PKCAADMN utility has been given a simulate add command via the flag settings.<br />
Due to the simulation, nothing was saved to the certificate store.<br />
The PKCAADMN utility successfully ran the add command to completion, however<br />
nothing was saved to the certificate store. This is expected behavior <strong>for</strong> the simulated<br />
add command and this message is presented only as a reminder. If a simulate add<br />
was requested, no user action is required. However, if a simulation was not desired,<br />
change the flags so that a simulation will not occur and attempt the command again.<br />
ZPCA847W<br />
Explanation:<br />
Response:<br />
Simulation Requested. The end entity was not saved.<br />
The PKCAADMN utility has been given a simulate add command via the flag settings.<br />
Due to the simulation, the end entity was not saved to the output file.<br />
The PKCAADMN utility successfully ran the add command to completion, however<br />
nothing was saved to the output file. This is expected behavior <strong>for</strong> the simulated add<br />
command and this message is presented only as a reminder. If a simulate add was<br />
requested, no user action is required. However, if a simulation was not desired,<br />
change the flags so that a simulation will not occur and attempt the command again.<br />
ZPCA848W<br />
Explanation:<br />
Response:<br />
End entity not saved as file was not specified.<br />
The PKCAADMN utility could not save the end entity to disk as no output file was<br />
specified in the input parameters to the PKCAADMN program.<br />
The PKCAADMN utility successfully ran the add command to completion, however<br />
nothing was saved as the output file was not specified. If this was the desired<br />
command, no user action is required. However, if the end entity output was needed,<br />
change the input parameters so that a valid output file is specified and attempt the<br />
command again.<br />
332
ZPCA849E<br />
Explanation:<br />
Response:<br />
Cannot continue. Unable to determine certificate store count.<br />
The PKCAADMN utility was not able to determine the number of certificates in the<br />
certificate store.<br />
The PKCAADMN utility successfully opened the certificate store but was unable to get<br />
a count of the number of certificates in that store. The program can not continue if<br />
this situation occurs. This error could be indicative of an invalid store. Run a validate<br />
command against the store in question to determine that it is not corrupt. If the<br />
validate command is successful, this could be indicative of an internal program error.<br />
In this case, contact PKWARE Technical Support to resolve this problem.<br />
ZPCA850E<br />
Explanation:<br />
Response:<br />
Cannot continue. Unable to determine certificate file count.<br />
The PKCAADMN utility was not able to determine the number of certificates in the<br />
specified input file.<br />
The PKCAADMN utility successfully opened the input file but was unable to get a<br />
count of the number of certificates in that file. The program can not continue if this<br />
situation occurs. This error could be indicative of an invalid input file. Verify the source<br />
of the input file in question to determine that it is not corrupt. If necessary, export<br />
and/or transfer the input file to the system again ensure file integrity. If this fails to<br />
resolve the problem with the file, contact PKWARE Technical Support to resolve this<br />
problem.<br />
ZPCA851E<br />
Explanation:<br />
Response:<br />
Cannot continue. Unable to determine CRL store count.<br />
The PKCAADMN utility was not able to determine the number of certificate revocation<br />
list entries in the CRL store.<br />
The PKCAADMN utility successfully opened the CRL store but unable to get a count<br />
of the number of certificate revocation list entries in that store. The program can not<br />
continue if this situation occurs. This error could be indicative of an invalid store. Run<br />
a validate command against the store in question to determine that it is not corrupt. If<br />
the validate command is successful, this could be indicative of an internal program<br />
error. In this case, contact PKWARE Technical Support to resolve this problem.<br />
ZPCA852E<br />
Explanation:<br />
Response:<br />
Cannot continue. Unable to determine CRL file count.<br />
The PKCAADMN utility was not able to determine the number of certificate revocation<br />
list entries were contained in the specified input file.<br />
The PKCAADMN utility successfully opened the input file but was unable to get a<br />
count of the number of certificate revocation list entries in that file. The program can<br />
not continue if this situation occurs. This error could be indicative of an invalid input<br />
file. Verify the source of the input file in question to determine that it is not corrupt. If<br />
necessary, export and/or transfer the input file to the system again ensure file<br />
integrity. If this fails to resolve the problem with the file, contact PKWARE Technical<br />
Support to resolve this problem.<br />
333
ZPCA853E<br />
Explanation:<br />
Response:<br />
Add operation was not completed due to newer CRL entry in the<br />
CRL store.<br />
The PKCAADMN utility was unable to complete the Add command due to the fact that<br />
there was a newer copy of the input certificate revocation list already in the CRL<br />
store.<br />
The PKCAADMN utility will not permit an older certificate revocation list to overwrite a<br />
newer one already present in the CRL store. The program will terminate in this case.<br />
This error could be indicative of an invalid input file. Verify the source of the input file<br />
in question to determine that it is not corrupt. If necessary, export and/or transfer the<br />
input file to the system again ensure the newest available certificate revocation list is<br />
being added to the CRL store.<br />
ZPCA854E<br />
Explanation:<br />
Response:<br />
Add operation was not completed due to newer certificate entry<br />
in the store.<br />
The PKCAADMN utility was unable to complete the Add command due to the fact that<br />
there was a newer copy of the input certificate already in the certificate store.<br />
The PKCAADMN utility will not permit an older certificate to overwrite a newer one<br />
already present in the certificate store. The program will terminate in this case. This<br />
error could be indicative of an invalid input file. Verify the source of the input file in<br />
question to determine that it is not corrupt. If necessary, export and/or transfer the<br />
input file to the system again ensure the newest available certificate is being added to<br />
the certificate store.<br />
334
A<br />
Per<strong>for</strong>mance Considerations<br />
This appendix lists a few per<strong>for</strong>mance considerations when running SecureZIP <strong>for</strong><br />
<strong>iSeries</strong>. Most per<strong>for</strong>mance related issues can be controlled by the PKZIP/PKUNZIP<br />
parameters. However, it should be noted that PKZIP data compression is CPU<br />
intensive by its very nature, and that PKZIP/PKUNZIP parameters can only help to a<br />
limited degree. There<strong>for</strong>e, it should be expected that a reasonable amount of CPU<br />
resources will be needed <strong>for</strong> such operations.<br />
Interactive Per<strong>for</strong>mance<br />
When compressing large size files, PKZIP will sometimes use as much CPU resources<br />
as the system will allow. With this in mind, processing very large files may per<strong>for</strong>m<br />
best as a submitted job. However, some <strong>iSeries</strong> environments have constraints on<br />
running interactive jobs. If those interactive jobs run <strong>for</strong> a long time and use a high<br />
amount of CPU resources, the system will slow down and may issue the message<br />
CPI1479 "Interactive activity approaching capacity of installed feature." In this case,<br />
review the details of this message. This usually means that the interactive systems<br />
are using more resources than the <strong>iSeries</strong> was configured to use.<br />
Compression Type Per<strong>for</strong>mance<br />
Selecting a compression method is one way to get the smallest compressed file with<br />
the relationship to the CPU usage and run times. Sometimes, to get the best results,<br />
you may have to run several tests with the data to balance the compression ratio to<br />
the length of the run time. Running with *MAX will usually get the best compression<br />
ratio but will also run the longest. In most of our test cases, *MAX would run 30%-<br />
40% longer than *NORMAL and might only gain less than 1% better ratio. This is<br />
why we recommend using SUPERFAST (the default) unless your testing implies<br />
otherwise.<br />
To minimize the overhead needed to ZIP, the best thing (and the easiest) is to select<br />
a compression method other than *MAX. PKZIP’s default compression method is<br />
SUPERFAST.<br />
When using the compression method of Maximum, you are only compressing the<br />
data by another 1-8% over a job that might use the SUPERFAST compression<br />
method. The archive file size change is minimal. However, the time difference<br />
335
etween a maximum and a SUPERFAST job can be measured in hours if the file is big<br />
enough!<br />
You may read more about the compression levels by prompting the Compression<br />
Level parameter (F1).<br />
Compression Level . . . . . . . *SUPERFAST *FAST, *NORMAL, *MAX...<br />
Data Type Selection<br />
Getting the best per<strong>for</strong>mance from your <strong>iSeries</strong> machine with regards to a PKZIP job<br />
can truly depend on the parameters you have selected <strong>for</strong> the job. In many cases,<br />
the compressed size of a file depends on the type of data (Binary vs. Text), and the<br />
compression type selected. Text will usually compress more since it has a higher<br />
probability of repeated characters.<br />
Knowing the target plat<strong>for</strong>m of the data will help you resolve how PKZIP is to treat<br />
the data during the compression process. However, PKZIP treatment of data defaults<br />
to *DETECT. *DETECT means that PKZIP will scan the data (up to 97% of the input<br />
file) to determine whether the data that it is going to compress should be treated as<br />
TEXT or BINARY. This can be an especially painful process if you are selecting large<br />
files <strong>for</strong> compression. However, to get around the scanning overhead, if you know<br />
you are sending the archive or ZIP file to a PC or to a UNIX machine, you know that<br />
the data will need to be converted to TEXT (or ASCII). There<strong>for</strong>e, you should select<br />
file Types(*TEXT). If the data is targeted <strong>for</strong> another <strong>iSeries</strong> machine, then you<br />
should select *BINARY. *DETECT should only be used when you do not know the<br />
nature of the data.<br />
You may read more about the data types by prompting the file Types parameter<br />
(F1).<br />
File Types . . . . . . . . . . . *DETECT *DETECT *TEXT *BINARY ....<br />
Archive Placement (IFS or in a Library)<br />
For best per<strong>for</strong>mance try to store the archives in the IFS. By placing the archive in<br />
the IFS instead of in a library/file reduces the overall CPU usage and in some cases<br />
can reduce the run times as much as 30%-40%.<br />
It is recommended when using the ZIP process <strong>for</strong> large files that the ZIP archive be<br />
stored in the IFS. This method provides the best per<strong>for</strong>mance and makes the most<br />
efficient use of storage space <strong>for</strong> both ZIP archives and ZIP temporary files.<br />
ZIP64 Processing Considerations<br />
When processing very large files or high volumes of files, the processing<br />
characteristics of PKZIP may vary depending on the phase of processing involved.<br />
Some common processing phases and their run-time characteristics are:<br />
• ZIP file selection: When selecting a very large number of files through many<br />
directories and/or libraries, the initial selection requires IO time and memory<br />
per file to analyze and manage each of the file’s properties. The more files to<br />
336
select, the more memory and initial startup overhead. Each site will have to<br />
discover their practical limits based on their environments and resources.<br />
• Archive directory read processing: When updating an existing archive that<br />
contains a very large number of files, time and memory again are used to<br />
manage the archives and its directory. Or when using PKUNZIP to view the<br />
files, the more files in the archive, the more memory that is required and the<br />
more time that is involved when sorting the files in archive properties be<strong>for</strong>e<br />
displaying or printing the contents.<br />
• Archive updating: When updating a large archive with large file sizes, there<br />
will be overhead to copy the files from the previous archive, be<strong>for</strong>e adding or<br />
updating new files to the archive. For example, if you have a 10 GB archive<br />
with 5 files that are each compressed, down to 2 GB, overhead will be<br />
required to copy the compressed files from the old archive to the new archive.<br />
This is another reason <strong>for</strong> storing the archive in the IFS, which can help<br />
reduce resources rather than storing the archive in a file in a library.<br />
• When compressing large size files, PKZIP will sometimes use as much CPU as<br />
the system will allow. With this in mind, processing very large files may<br />
per<strong>for</strong>m best as a submitted job. Some <strong>iSeries</strong> systems have constraints on<br />
running interactively, and if interactive jobs run a long time and use high<br />
amounts of CPU resources, their system will start slowing down and may<br />
issue the message CPI1479 "Interactive activity approaching capacity of<br />
installed feature." In this case they should review the details of this message,<br />
which usually means that their interactive systems are using more resources<br />
than the <strong>iSeries</strong> was configured to use.<br />
Encryption Per<strong>for</strong>mance<br />
When using advanced encryption versus no encryption, there will be a slight increase<br />
in the overall size of the archive that contains the AES overhead (approximately 300<br />
bytes per file in archive). The increase in size will be same whether you use AES 128,<br />
AES 192, or AES 256.<br />
AES 256 being the most secure encryption algorithm, will also consume the most<br />
CPU usage. AES 128 on average could use around 9% more CPU than running with<br />
no encryption. AES 256 averages about 3.4% more usage when compared with AES<br />
128 (or around 12.5% versus no encryption).<br />
Extended Attributes Selections<br />
The extended attributes naturally contribute some overhead to the archive but it is<br />
minimal, unless you are compressing a database file in the QSYS library file system<br />
with the parameter DBSERVICE(*YES). This size then depends on the definitions of<br />
the database (fields, headings, etc), but also is very important in rebuilding a DB2<br />
database where it does not exist.<br />
These extended attributes can be stored in two places, called the local header and<br />
central header directories. SecureZIP <strong>for</strong> <strong>iSeries</strong> 8.1 and other current PKWARE<br />
products now only use the extended attributes from the central directory. PKZIP <strong>for</strong><br />
OS/400 5.5 required some of the attributes in the local header.<br />
337
To help reduce the archive overhead the parameter EXTRAFLD in PKZIP has been<br />
expanded to select where you want to store the attributes. By using<br />
EXTRAFLD(*Central), you reduce the size of each file in the archive by the size of the<br />
extended attributes. Caution: If the attributes are required on another <strong>iSeries</strong><br />
not running on 8.0 or above, use the option EXTRAFLD(*BOTH) or<br />
EXTRAFLD(*YES).<br />
338
B<br />
Examples<br />
Example 1 - PKUNZIP Files to a New or Different Library<br />
To extract the files in the archive to a new library. An example of the files in the<br />
archives are:<br />
PKUNZIP ARCHIVE('atest/qz/tstchg')<br />
Archive: ATEST/QZ(TSTCHG) 88572 bytes 6 files<br />
Length Method Size Ratio Date Time CRC-32 Name<br />
-------- ------ ------- ----- ---- ---- ------ ----<br />
259 Defl:F 178 01-16-01 08:24 b5dbf80c TESTLIB1/BEN/BEESON<br />
449664 Defl:F 48720 01-16-01 14:46 94c7506c<br />
TESTLIB1/MYSPLFTM.P/AQZIP123.4X<br />
205693 Defl:F 29687 01-16-01 14:46 e2473ea4<br />
TESTLIB1/MYSPLFTM.P/LISTDBOB.X<br />
27488 Defl:F 6771 01-16-01 14:46 c264817a TESTLIB1/MYSPLFTM.P/QPRINT1X<br />
3352 Defl:F 800 01-16-01 14:46 3e485445<br />
TESTLIB1/MYSPLFTM.P/T4RSTLIB.XY<br />
256 Stored 256 01-16-01 15:22 29058c73 TESTLIB1/TEST1/HEX<br />
-------- ------- --- -------<br />
686712 86412 6 files<br />
To extract to a new library, use the keyword EXDIR and DROPPATH<br />
PKUNZIP ARCHIVE('atest/qz/tstchg') TYPE(*EXTRACT) EXDIR(mynewlib) DROPPATH(*LIB)<br />
PKUNZIP Archive: ATEST/QZ(TSTCHG)<br />
Searching Archive ATEST/QZ(TSTCHG) <strong>for</strong> files to extract<br />
Extracting file TESTLIB1/BEN/BEESON<br />
NOTE path<br />
Library MYNEWLIB created.<br />
NOTE Library<br />
created<br />
File BEN created in library MYNEWLIB.<br />
Member BEESON added to file BEN in MYNEWLIB.<br />
Member BEESON file BEN in MYNEWLIB changed.<br />
Inflating: MYNEWLIB/BEN(BEESON) Text NOTE new path<br />
Extracting file TESTLIB1/MYSPLFTM.P/AQZIP123.4X<br />
File MYSPLFTMP created in library MYNEWLIB.<br />
Member AQZIP1234X added to file MYSPLFTMP in MYNEWLIB.<br />
Member AQZIP1234X file MYSPLFTMP in MYNEWLIB changed.<br />
Inflating: MYNEWLIB/MYSPLFTMP(AQZIP1234X) Text<br />
Since the library mynewlib did not exist, it was created.<br />
339
Example 2 - CLP with Override <strong>for</strong> Stdout and Stderr to an OUTQ<br />
The following is an example of overriding the PKZIP and PKUNZIP program output,<br />
and then redirecting the output to an OUTQ. This also provides an example of using<br />
mixed file systems, such as having the archive file in the IFS and selecting files from<br />
the QSYS library file system.<br />
ZIPEXPL01: PGM PARM(&OUTQ)<br />
/* Program: ZIPEXPL01 Example */<br />
/*****************************************************************/<br />
/* Abstract: This is a example CL program has on parameter <strong>for</strong> */<br />
/* the OUTQ <strong>for</strong> the processing of SecureZIP <strong>for</strong> <strong>iSeries</strong>. If it is */<br />
/* *none or *NONE no overriding to QPRINT will take place. */<br />
/* 1. Will add the SecureZIP <strong>for</strong> <strong>iSeries</strong> Library to Library List */<br />
/* If it is already part of LIBL then note so as to not */<br />
/* remove at the end. */<br />
/* 2. Set the Current Library (only required if parameters of */<br />
/* PKZIP leaves out the Library and a default is needed) */<br />
/* 3. An example of setting the current directory is IFS */<br />
/* 4. Check input OUTQ. If none keep processing */<br />
/* 5. Override the Stdout and Stderr to input outq */<br />
/* This is where PKZIP will send messages when the */<br />
/* MSGTYPE is (*PRINT) or (*BOTH). */<br />
/* 6. Run Test01 of PKZIP */<br />
/* 7. Run Test02 of PKZIP with archive in IFS */<br />
/* 8. Run Test03 of PKZIP with IFS system */<br />
/* 9. Run Test04 of PKUNZIP to view archive */<br />
/* 10. If the PKZIP Library was not present at the beginning */<br />
/* remove it from *LIBL. */<br />
/* */<br />
/*****************************************************************/<br />
OUTQ: DCL VAR(&OUTQ) TYPE(*CHAR) LEN(10)<br />
PKZIPLIB: DCL VAR(&PKZIPLIB) TYPE(*CHAR) LEN(10) +<br />
VALUE(PKW81051S)<br />
/* if PKZIP library is in Libl do not remove it at the end */<br />
LIBLCHG: DCL VAR(&LIBLCHG) TYPE(*CHAR) LEN(1) VALUE('Y')<br />
CURLIB: DCL VAR(&CURLIB) TYPE(*CHAR) LEN(10) VALUE(MYLIB)<br />
ZIPDIR: DCL VAR(&ZIPDIR) TYPE(*CHAR) LEN(10) +<br />
VALUE('/mydir')<br />
/* Add the SecureZIP <strong>for</strong> <strong>iSeries</strong> library to library List */<br />
ADDLIBLE LIB(&PKZIPLIB)<br />
MONMSG MSGID(CPF2103) EXEC(CHGVAR VAR(&LIBLCHG) +<br />
VALUE('N'))<br />
/* Set Current Directory to MYLIB */<br />
/*(not Required <strong>for</strong> this test Just an example)*/<br />
CHGCURLIB CURLIB(&CURLIB)<br />
/* Set Current Directory to zip */<br />
/*(not Required <strong>for</strong> this test Just an example)*/<br />
CD<br />
DIR(&zipdir)<br />
/* Check input outq to see overides required */<br />
CHKOUTQ: IF COND((&OUTQ *EQ '*none') *OR (&OUTQ *EQ +<br />
'*NONE')) THEN(GOTO CMDLBL(NOOUTQ))<br />
/* change Stdout and Stderr to my outq */<br />
OVRPRTF FILE(STDOUT) TOFILE(*LIBL/QSYSPRT) OUTQ(&OUTQ)<br />
OVRPRTF FILE(STDERR) TOFILE(*LIBL/QSYSPRT) OUTQ(&OUTQ)<br />
NOOUTQ:<br />
/* Test basic PKZIP */<br />
TEST01: PKZIP ARCHIVE('ATEST/PKZ2(MYSL04)') +<br />
FILES('TESTLIB/MYSPLF(*ALL)') +<br />
EXCLUDE('TESTLIB/MYSPLF(Q*)')<br />
/* Test basic PKZIP with archive in IFS and print only messages */<br />
340
TEST02: PKZIP ARCHIVE('/mydir /tmpsave/itest01') +<br />
FILES('TESTLIB/TEST') FILETYPE(*BINARY) +<br />
TYPARCHFL(*IFS) MSGTYPE(*PRINT)<br />
/* Test PKZIP with all files in IFS */<br />
TEST03: PKZIP ARCHIVE('/mydir/tmpsave/itest02.zip') +<br />
FILES('/mydir/test1/basetest') +<br />
TYPARCHFL(*IFS) TYPFL2ZP(*IFS)<br />
/* Test PKUNZIP view of archive from test02 */<br />
TEST04: PKUNZIP ARCHIVE('/mydir/tmpsave/itest01') +<br />
TYPARCHFL(*IFS) MSGTYPE(*PRINT)<br />
/* If PKZIP Library was added to LIBL then remove it */<br />
ENDPGM: IF COND(&LIBLCHG *EQ 'Y') THEN(RMVLIBLE +<br />
LIB(&PKZIPLIB))<br />
ENDPGM<br />
Example 3 - Creating an Archive in Personal Folders (QDLS)<br />
The following is an example of creating and processing the archive in the Document<br />
library Services file system (QDLS). First, assume a folder in QDLS with a name of<br />
MYFOLDER where the archives will be stored. To view the folders, issue the<br />
command WRKLNK '/QDLS/*' (you could use WRKDOC and WRKFLR, but WRKLNK is<br />
better to use since PKZIP will be using /QDLS).<br />
Work with Object Links<br />
Directory . . . . :<br />
/qdls<br />
Type options, press Enter.<br />
3=Copy 4=Remove 5=Next level 7=Rename 8=Display attribu<br />
11=Change current directory ...<br />
Opt Object link Type Attribute Text<br />
. FLR<br />
.. FLR<br />
MYFOLDER<br />
FLR<br />
QBKBOOKS<br />
FLR<br />
Run the PKZIP command:<br />
PKZIP ARCHIVE('/QDLS/MYFOLDER/MYARCH1.ZIP') FILES('testlib/ben')<br />
TYPARCHFL(*IFS)<br />
The suffix .ZIP was added to help identify the file as an archive file.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (tm) Compression Utility Version 8.1, 2003/08/21<br />
Copyright. 2004. PKWARE, Inc. All Rights Reserved.<br />
PKZIP is a registered trademark of PKWARE, Inc.<br />
EVALUATION Running<br />
EVALUATION, Warning - This license will expire in 29 days on 2003/09/20<br />
Contact your dealer with the following in<strong>for</strong>mation<br />
Machine ID = , Processor Group = P05<br />
Scanning files <strong>for</strong> match ...<br />
Found 1 matching files<br />
Compressing TESTLIB/BEN(BEESON) in TEXT mode<br />
Add TESTLIB/BEN/BEESON -- Deflating (32%)<br />
PKZIP Compressed 1 files in Archive /QDLS/MYFOLDER/MYARCH1.ZIP<br />
PKZIP Completed Successfully<br />
Press ENTER to end terminal session.<br />
341
To see the file in the folders, run WRKLNK '/QDLS/MYFOLDER/*'<br />
Work with Object Links<br />
Directory . . . . :<br />
/QDLS/MYFOLDER<br />
Type options, press Enter.<br />
3=Copy 4=Remove 5=Next level 7=Rename 8=Display attributes<br />
11=Change current directory ...<br />
Opt Object link Type Attribute Text<br />
. FLR<br />
.. FLR<br />
MYARCH1.ZIP<br />
DOC<br />
Next, to view the contents, run:<br />
PKUNZIP ARCHIVE('/QDLS/MYFOLDER/MYARCH1.ZIP') TYPARCHFL(*IFS)<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (tm) Compression Utility Version 8.16<br />
2003/08/21<br />
Copyright. 2004. PKWARE, Inc. All Rights Reserved.<br />
PKZIP is a registered trademark of PKWARE, Inc.<br />
Archive: /QDLS/MYFOLDER/MYARCH1.ZIP 551 bytes 1 file<br />
Length Method Size Ratio Date Time CRC-32 Name<br />
-------- ------ ------- ----- ---- ---- ------ ----<br />
259 Defl:F 177 32% 11-27-00 15:32 b5dbf80c TESTLIB/BEN/BEESON<br />
-------- ------- ---- -------<br />
259 177 32% 1 file<br />
PKUNZIP extracted 0 files<br />
PKUNZIP Completed Successfully<br />
Press ENTER to end terminal session.<br />
Example 4 - Processing Archive on a CD (QOPT)<br />
The following is an example of processing an archive that exists on a CD and using<br />
PKUNZIP to view or extract. Because the archive file is on a CD, and the file system<br />
QOPT controls the CD, this archive basically exists in the IFS.<br />
First, check and ensure the archive is on the CD by doing a WRKLNK (you can use<br />
WRKOPTDIR, but using WRKLNK will show the actual paths required). Remember,<br />
the volume of the CD is also a directory in QOPT file system. If the file names are<br />
longer than eight characters, the file name will be changed, much like you see in<br />
DOS systems. It will contain a tilda (~) followed by a number <strong>for</strong> files found with<br />
excessive name lengths.<br />
WRKLNK ‘/QOPT/*’<br />
Work with Object Links<br />
Directory . . . . :<br />
/QOPT<br />
Type options, press Enter.<br />
3=Copy 4=Remove 5=Next level 7=Rename 8=Display attributes<br />
11=Change current directory ...<br />
Opt Object link Type Attribute Text<br />
MYTESTLABEL<br />
DDIR<br />
342
The above screen shows that the volume label of the CD is “MYTESTLABEL”. Using<br />
the “5” <strong>for</strong> the next level option, you can navigate through the directories. You will<br />
then see the files and directories on the root of the CD. For example:<br />
Work with Object Links<br />
Directory . . . . :<br />
/QOPT/MYTESTLABEL<br />
Type options, press Enter.<br />
3=Copy 4=Remove 5=Next level 7=Rename 8=Display attributes<br />
11=Change current directory ...<br />
Opt Object link Type Attribute Text<br />
ARCHIVE.ZIP<br />
DSTMF<br />
GZIPPW.GAR<br />
DSTMF<br />
OS_400~3.DOC<br />
DSTMF<br />
PKZCVT~2.DOC<br />
DSTMF<br />
PKW80~1.SAV<br />
DSTMF<br />
PKW80~1.ZIP<br />
DSTMF<br />
To view the archive PKW80~1.ZIP (which is really the long name PKW81051S.ZIP)<br />
contents, use PKUNZIP with *VIEW.<br />
Use the command:<br />
PKUNZIP ARCHIVE('/QOPT/MYTESTLABEL/PKW80~1.ZIP') TYPARCHFL(*IFS)<br />
TYPE(*VIEW)<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (tm) Compression Utility Version 8.1, 2003/08/22<br />
Copyright. 2004. PKWARE, Inc. All Rights Reserved.<br />
PKZIP (R) is a registered trademark of PKWARE (R), Inc.<br />
Archive: /QOPT/MYTESTLABEL/PKW80~1.ZIP 1373026 bytes 1 file<br />
Length Method Size Ratio Date Time CRC-32 Name<br />
-------- ------ ------- ----- ---- ---- ------ ----<br />
6044544 Defl:N 1372902 77% 08-16-01 21:17 d73f09cf PKW81051S.sav<br />
-------- ------- ---- -------<br />
6044544 1372902 77% 1 file<br />
PKUNZIP extracted 0 files<br />
PKUNZIP Completed Successfully<br />
Example 5 - Compressing files from a CD (QOPT)<br />
Using the document (.DOC) files on the CD shown in Example 4, we can compress<br />
the files and store them in the archive in my archive library ATEST under the file<br />
V509 archives with an archive file member named CDTEST01.<br />
PKZIP ARCHIVE('atest/v509/cdtest01') FILES('/QOPT/MYTESTLABEL/OS_400~3.DOC'<br />
'/QOPT/MYTESTLABEL/PKZCVT~2.DOC') TYPFL2ZP(*IFS)<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> (tm) Compression Utility Version 8.1, 2003/08/22<br />
Copyright. 2004. PKWARE, Inc. All Rights Reserved.<br />
PKZIP (R) is a registered trademark of PKWARE (R), Inc.<br />
Scanning<br />
files <strong>for</strong> match ...<br />
Found 2 matching files<br />
Compressing /QOPT/MYTESTLABEL/OS_400~3.DOC in BINARY mode<br />
Add /QOPT/MYTESTLABEL/OS_400~3.DOC -- Deflating (77%)<br />
Compressing /QOPT/MYTESTLABEL/PKZCVT~2.DOC in BINARY mode<br />
Add /QOPT/MYTESTLABEL/PKZCVT~2.DOC -- Deflating (79%)<br />
PKZIP Compressed 2 files in Archive ATEST/V509(CDTEST01)<br />
343
PKZIP Completed Successfully<br />
Because you would not be able to extract them to the CD, you may want to use the<br />
parameter STOREPATH(*NO) so that only file names OS_400~3.DOC and<br />
PKZCVT~2.DOC are stored in the archive.<br />
Example 6 - Compressing CL with MSG Checking<br />
The following brief example demonstrates using PKZIP in a CL passing the archive’s<br />
library, file, and member as variables and then monitoring <strong>for</strong> errors from the PKZIP<br />
run.<br />
ZIPEXPL03: PGM<br />
PARM(&ZIPLIB &ZIPFILE &ZIPMBR)<br />
/* Program: ZIPEXPL03 Example */<br />
/*****************************************************************/<br />
/* Abstract: This is a example CL program that has 3 paramters */<br />
/* that specifies the archive's Library, File and Member. */<br />
/* 1. Will add the SecureZIP <strong>for</strong> <strong>iSeries</strong> Library to Library List */<br />
/* If it is already part of LIBL then note so as to not */<br />
/* remove at the end. */<br />
/* 2. Build the archive file name<strong>for</strong> PKZIP by concatenating */<br />
/* the inputted library, file and member names. */<br />
/* 3. Compress all files in TESTLIB with PKZIP Command */<br />
/* 4. Monitor <strong>for</strong> error messages from PKZIP. */<br />
/* If errors send message. */<br />
/* 5. If the PKZIP Library was not present at the beginning */<br />
/* remove it from *LIBL. */<br />
/* */<br />
/*****************************************************************/<br />
/* &PKZIPLIB contains the current PKZIP library */<br />
DCL VAR(&PKZIPLIB) TYPE(*CHAR) LEN(10) +<br />
VALUE(PKW81051S)<br />
/* if PKZIP library is in Libl do not remove it at the end */<br />
DCL VAR(&LIBLCHG) TYPE(*CHAR) LEN(1) VALUE('Y')<br />
/* &ZIPLIB is Library where archive will be stored */<br />
DCL VAR(&ZIPLIB) TYPE(*CHAR) LEN(10)<br />
/* &ZIPFILE is File <strong>for</strong> the archive */<br />
DCL VAR(&ZIPFILE) TYPE(*CHAR) LEN(10)<br />
/* &ZIPMBR is Member of the archive file */<br />
DCL VAR(&ZIPMBR) TYPE(*CHAR) LEN(10)<br />
/* Archive file <strong>for</strong> PKZIP built with concatenation */<br />
DCL VAR(&ZARCHF) TYPE(*CHAR) LEN(36)<br />
/* Add the SecureZIP <strong>for</strong> <strong>iSeries</strong> library to library List */<br />
ADDLIBLE LIB(&PKZIPLIB)<br />
MONMSG MSGID(CPF2103) EXEC(CHGVAR VAR(&LIBLCHG) +<br />
VALUE('N'))<br />
/*Concatenate the libraries, files and members <strong>for</strong> PKZIP of the archive*/<br />
CHGVAR VAR(&ZARCHF) VALUE(&ZIPLIB *TCAT '/' *TCAT +<br />
&ZIPFILE *TCAT '/' *TCAT &ZIPMBR)<br />
/* Compress all files in the library TESTLIB and */<br />
/* store them in the archive specified in the */<br />
/* calling of the CLP program */<br />
/* If messages AQZ0022 "PKZIP Completed with Errors." */<br />
/* or AQZ0012 "PKZIP ending with Nothing to do" */<br />
/* are returned */<br />
/* from PKZIP, send message indicating an error */<br />
/* Occured. */<br />
PKZIP ARCHIVE(&ZARCHF) FILES('TESTLIB/*all(*all)') +<br />
COMPRESS(*NORMAL) ARCHTEXT('This the text +<br />
of the archive <strong>for</strong> example 3')<br />
MONMSG MSGID(AQZ0022) EXEC(SNDPGMMSG MSG('PKZIP +<br />
Ended with MONMSG <strong>for</strong> AQZ0022'))<br />
344
MONMSG MSGID(AQZ0012) EXEC(SNDPGMMSG MSG('PKZIP +<br />
Ended with MONMSG <strong>for</strong> AQZ0012'))<br />
/* If PKZIP Library was added to LIBL then remove it */<br />
ENDPGM: IF COND(&LIBLCHG *EQ 'Y') THEN(RMVLIBLE +<br />
LIB(&PKZIPLIB))<br />
EOJ: ENDPGM<br />
Example 7 – Compressing Spool Files Samples<br />
The following are several samples demonstrating the selection of spool file <strong>for</strong><br />
compression.<br />
Sample 1: Select a specific spool file (MYSPLFFILE) <strong>for</strong> the specific job (jobname-<br />
WSSSPL, User-WSS and job number 11) in all output queues (the default of<br />
SFQUEUE) and convert the spool file to a PDF <strong>for</strong>mat SFTARGET(*PDFLETTER) to fit<br />
a letter <strong>for</strong>mat. store the archive in the IFS with TYPARCHFL(*IFS) .<br />
PKZSPOOL ARCHIVE('/pkzshare/bills/splftest01.zip') TYPARCHFL(*IFS)<br />
SPLFILE(MYSPLFILE) SFUSER(*ALL) SFJOBNAM(11/WSS/WSSSPL)<br />
SFTARGET(*PDFLETTER) SFTGFILE(*GEN1P)<br />
Sample 2: Select all spool files belonging to users WSS and TAIT (SPLUSERID) that<br />
resides in the OUTQ QPRINTS (SFQUEUE) and compress them as spool files with<br />
SFTARGET(*SPLF). This might be done to save the spool files <strong>for</strong> later review since<br />
this OUTQ is purged on a regular basis.<br />
PKZSPOOL ARCHIVE('/pkzshare/bills/splftest02.zip') TYPARCHFL(*IFS)<br />
SFUSER(WSS TAIT) SFQUEUE(QPRINTS) SFTARGET(*SPLF) SFTGFILE(*GEN1)<br />
Sample 3: Using the archive from Sample 2, we want to restore or extract the spool<br />
files in order to print them again. Except in this case we want them to belong to the<br />
user MAS with SPLUSERID and place the spool files in the OUTQ MASQ (SFQUEUE)<br />
located in the library DEVPLIB.<br />
PKUNZIP ARCHIVE('/pkzshare/bills/splftest02.zip') TYPARCHFL(*IFS)<br />
TYPE(*EXTRACT) SPLUSRID(MAS) SFQUEUE(DEVPLIB/MASQ)<br />
Sample 4: Select the spool file QPRINTS (SPLFILE), spool file number 17 (SPLNBR),<br />
user MAS (SFUSER) and convert the file to a TEXT file with SFTARGET(*TEXTFC). In<br />
this case, the file is needed to read into a PC program and the user wants the ANSI<br />
control characters in position 1 of each line.<br />
PKZSPOOL ARCHIVE('/pkzshare/bills/splftest04.zip') TYPARCHFL(*IFS)<br />
SPLFILE(QPRINTS) SFUSER(MAS) SPLNBR(17)<br />
SFTARGET(*TEXTFC) SFTGFILE(*GEN1P)<br />
Sample 5: Now we want to extract the text file created in Sample 4 to one of our<br />
shared drives areas ('/PKZSHARE/PCFILES') that our PCs can access. In this case the<br />
normal extraction would identify the file as a text file and would convert it to<br />
EBCDIC. Since the file will be used by a PC program that is expecting the data to be<br />
in ASCII, we will have to extract the file as binary since the internal file is already in<br />
345
ASCII. By specifying FILETYPE(*BINARY), this ensures that no translation of the data<br />
takes place.<br />
PKUNZIP ARCHIVE('/pkzshare/bills/splftest04.zip') TYPARCHFL(*IFS) TYPFL2ZP(*IFS)<br />
TYPE(*EXTRACT) FILETYPE(*BINARY)<br />
EXDIR('/PKZSHARE/PCFILES') DROPPATH(*ALL)<br />
Example 8 – PKZSPOOL The Last Spool File of Current Job<br />
The following brief CLP example demonstrates using PKZSPOOL to compress to a<br />
PDF, only the last spool file that was written out by the current job.<br />
ZIPEXPL07: PGM<br />
/* Program: ZIPEXPL07 Example */<br />
/*****************************************************************/<br />
/* Abstract: This is an example CL program that per<strong>for</strong>m several */<br />
/* task that prints reports. Then compresses only the LAST */<br />
/* spool file created to a PDF file in a archive */<br />
/* */<br />
/*****************************************************************/<br />
/* display the properties of the files start with "i" in QIBM folder */<br />
DSPLNK OBJ('/QIBM/i*') OUTPUT(*PRINT) +<br />
DETAIL(*EXTENDED) DSPOPT(*ALL)<br />
/* display all libraries that start with Q and print */<br />
DSPOBJD OBJ(*LIBL/Q*) OBJTYPE(*LIB) DETAIL(*BASIC) +<br />
OUTPUT(*PRINT)<br />
/* Compress the ONLY the last spool file created to a PDF file */<br />
PKZSPOOL ARCHIVE('/pkzshare/bills/PKZdata1.zip') +<br />
SFJOBNAM(*) SPLNBR(*LAST) +<br />
SFTARGET(*PDFLETTER) SFTGFILE(*GEN1P) +<br />
TYPARCHFL(*IFS)<br />
ENDOFJOB: ENDPGM<br />
Example 9 - CL to Compress All Spool Files <strong>for</strong> a Job to a PDF<br />
The following brief example demonstrates using PKZIP in a CL to pass the archive’s<br />
library, file, and member as variables and then monitor <strong>for</strong> errors from the PKZIP<br />
run.<br />
ZIPEXPL08: PGM<br />
/* Program: ZIPEXPL08 Example */<br />
/*****************************************************************/<br />
/* Abstract: This is an example CL program that per<strong>for</strong>m several */<br />
/* task that prints reports. Then submits a job at the end of */<br />
/* the job that will compress all spool files to PDF files. The */<br />
/* reason the job was submitted was to also compress the job log */<br />
/* to a PDF */<br />
/* */<br />
/*****************************************************************/<br />
/* Current Job Name */<br />
DCL VAR(&MYJOBNM) TYPE(*CHAR) LEN(10) VALUE(' ')<br />
/* Current Job User */<br />
346
DCL VAR(&MYJUSER) TYPE(*CHAR) LEN(10) VALUE(' ')<br />
/* Current Job Number */<br />
DCL VAR(&MYJNBR) TYPE(*CHAR) LEN(10) +<br />
VALUE('000000')<br />
/* retrieve the job name, user, and job number <strong>for</strong> later use */<br />
RTVJOBA JOB(&MYJOBNM) USER(&MYJUSER) NBR(&MYJNBR)<br />
/* this job to get a full job log */<br />
CHGJOB LOG(4 00 *SECLVL) LOGCLPGM(*YES)<br />
/* display the properties of the files start with c in my folder */<br />
DSPLNK OBJ('/pkzshare/bills/c*') OUTPUT(*PRINT) +<br />
DETAIL(*EXTENDED) DSPOPT(*ALL)<br />
DSPAUT OBJ('/pkzshare/BILLS') OUTPUT(*PRINT)<br />
/* create an archive with one file */<br />
PKZIP ARCHIVE('/pkzshare/bills/PKZtest1.zip') +<br />
FILES('/pkzshare/bills/chartest2.zip') +<br />
TYPARCHFL(*IFS) TYPFL2ZP(*IFS) STOREPATH(*NO)<br />
/* display detail attributes <strong>for</strong> the new archive created */<br />
DSPLNK OBJ('/pkzshare/bills/PKZtest1*') OUTPUT(*PRINT) +<br />
DETAIL(*EXTENDED) DSPOPT(*ALL)<br />
/* submit a job to create all spool Files including the job log into a */<br />
/* PDF file and place them in archive PKZdata1 */<br />
SBMJOB CMD(PKZSPOOL +<br />
ARCHIVE('/pkzshare/bills/PKZdata1.zip') +<br />
SFJOBNAM(&MYJNBR/&MYJUSER/&MYJOBNM) +<br />
SFTARGET(*PDFLETTER) SFTGFILE(*GEN1P) +<br />
TYPARCHFL(*IFS)) JOB(&MYJOBNM) +<br />
INLLIBL(*CURRENT)<br />
ENDOFJOB: ENDPGM<br />
347
C<br />
Memory Errors<br />
In some rare cases, SecureZIP <strong>for</strong> <strong>iSeries</strong> may experience a memory error<br />
condition. While running SecureZIP <strong>for</strong> <strong>iSeries</strong> the program allocates memory <strong>for</strong><br />
sorts, buffers, and other storage requirements. There are diagnostic checks in the<br />
system to validate memory requests. If a request fails, the job will terminate and<br />
send a message to the message queue indicating a memory allocation failure. Some<br />
systems limit the memory allocation <strong>for</strong> certain user/jobs which may cause this<br />
problem. In some cases, programs can have what are called “memory leaks” where<br />
memory is never freed. Signing off or ending the job will free the allocated memory.<br />
If a message indicates that a memory allocation error occurred, retrieve the failed<br />
job log and contact the Product Services Division at 1-937-847-2687 <strong>for</strong> assistance.<br />
348
D<br />
External Name Conversion Program<br />
CVTNAME<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> provides an exit that calls a compiled CLP program named<br />
CVTNAME. PKZIP can change the names of <strong>iSeries</strong> file names to a ZIPPED file name<br />
to be used in the archive. PKUNZIP can change a ZIPPED file name in an archive to<br />
an <strong>iSeries</strong> file name. This is activated by using the parameter CVTFLAG and not<br />
setting the parameter to *NONE. SecureZIP <strong>for</strong> <strong>iSeries</strong> will call the first CVTNAME<br />
program found in the library list.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> will call the program and pass three fields to CVTNAME and<br />
will expect a return field. The first field passed is a 256-byte field that contains the<br />
input name (in PKZIP, it is the <strong>iSeries</strong> name, and in PKUNZIP, it is the ZIPPED name<br />
in the archive) that can be changed. The second field passed is a 5-byte field that<br />
can be used to help code specific logic to control the name change process. The third<br />
field is up to 256 bytes of extended data from the command to provide more<br />
flexibility in controlling the conversion of file names.<br />
The program will return up to 256 bytes of a file name that will be used as the<br />
output name in the archive.<br />
The exit can be divided into different conversion routines by assigning each routine a<br />
five-character name, which is passed in as the CVTFLAG parameter value. This<br />
routine works <strong>for</strong> both the PKZIP and PKUNZIP programs, but normally you will need<br />
a different conversion routine or CVTFLAG <strong>for</strong> archiving or extraction. When the<br />
CVTNAME returns, the returned name should either hold the new name, or remain<br />
blank to indicate that the default conversion rules should be used.<br />
Note: The PKZIP and PKUNZIP programs per<strong>for</strong>m no validity checking on the name<br />
that is passed back and assumes that the name is valid and unique. If the name is<br />
not valid or unique, open errors or missing files may occur.<br />
For PKZIP, the name exit receives the OS/400 file name and the returned name is<br />
the name that will be used <strong>for</strong> the file name in the archive. Ensure that names<br />
returned are unique; otherwise, only the first of the duplicated files will be<br />
compressed.<br />
For PKUNZIP, the CVTNAME exit receives the name of the file that is in the archive<br />
and expects to return the name of a file on the OS/400 as ‘library/file(member)’. If<br />
this is invalid, then file open errors will occur. If they are valid but did not exist<br />
be<strong>for</strong>e, PKUNZIP will create the library, file, and member.<br />
In the supplied library, there is a sample CVTNAME CLP that contains logic <strong>for</strong> the<br />
following flags:<br />
349
• If the flag is *400, there is no conversion taking place, and the input name is<br />
passed back as a new name.<br />
• If the flag is O4MS, the program will convert an <strong>iSeries</strong> file name<br />
“library/file(member)” to a MS-DOS name with ‘/’ (such as<br />
“library/file/member”).<br />
• If the flag is MSO4, the program will take a MS-DOS file name<br />
“/dir1/dir2/dir3/name.xxx” and make it an <strong>iSeries</strong> name (such as<br />
“dir2/dir3{namexxx)”) where dir2 will be the library, dir3 will be a file name,<br />
and namexxx will be up to a 10-byte character member name.<br />
• If the flag is *MSD, the program will convert an <strong>iSeries</strong> file name<br />
"library/file(member)" to a MS-DOS name with suffix .TXT to the file<br />
"library/file.TXT".<br />
• If the flag is *MSM, the program will convert an <strong>iSeries</strong> file name<br />
"library/file(member)" to an MS-DOS name with a suffix .TXT added to the<br />
member name, such as "library/file/member.TXT".<br />
• If the flag is *IFS, the program will <strong>for</strong>mat a file name "library/file(member)"<br />
<strong>for</strong> the <strong>iSeries</strong> QSYS.LIB integrated file system. For example<br />
"/QSYS.LIB/LIBRARY.LIB/FILE.FILE/MEMBER.MBR".<br />
• If the flag is SPLF1, the program will take a spool file name<br />
"jobname/useriud/jobnumber/splfname/splfnbr.suffix" and build each in it<br />
own DCL field. Then taking the first 10 bytes of the CVTDATA passed from the<br />
command will build a new name that looks like “CVTDATA.splfnbr.suffix”.<br />
• Of course the correct flag should be used with the appropriate file system.<br />
Changes can be made to CVTNAME to fit the customer’s site requirements. The use<br />
of (and changes to) the CVTNAME program is the customer’s responsibility.<br />
The following is an example of the CVTNAME CLP source code included in the<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> library:<br />
Sample CVTNAME<br />
/* Program: CVTNAME Sample VERSION 8.1.0 */<br />
/*****************************************************************/<br />
/* Abstract: This is a sample CL program that can be used by */<br />
/* SecureZIP <strong>for</strong> <strong>iSeries</strong> product as an exit program to change the */<br />
/* names from <strong>iSeries</strong> to an archive name and visa versus. */<br />
/* There are 4 parameters: */<br />
/* 1. The input name that is supplied by PKZIP or PKUNZIP */<br />
/* to this program to analyze (up 255 bytes). */<br />
/* 2. The Name that this program can change and passes back */<br />
/* to the calling programs to use (up to 255 bytes). */<br />
/* If this is passed back with the 1st position blank, */<br />
/* PKZIP/PKUNZIP will revert back to settings of the */<br />
/* CVTTYPE parameter. */<br />
/* 3. A 5 byte field that represents a control field or */<br />
/* or flags, that controls how CVTNAME should process the */<br />
/* name. */<br />
/* 4. A 255 byte field that is user defined in the command to*/<br />
/* provide more in<strong>for</strong>mation to assist controlling the */<br />
/* logic in processing the name. For Example it may */<br />
/* time stamp prefix of the file names */<br />
/* */<br />
/* This sample CVTNAME CLP has three flags accepted: */<br />
350
* */<br />
/* 1. If the flag is *400 there are no conversion taking */<br />
/* place and the input name is passed back as new name. */<br />
/* 2. If the flag is O4MS, the program will convert an */<br />
/* <strong>iSeries</strong> name "library/file(member)" to a MS-DOS */<br />
/* name with '/' such as "library/file/member". */<br />
/* 3. If the flag is MSO4, the program will take a MS-DOS */<br />
/* file name "/dir1/dir2/dir3/name.xxx" and make it an */<br />
/* <strong>iSeries</strong> name such as "dir2/dir3{namexxx)" where dir2 */<br />
/* will be the library, dir3 will be a file name and */<br />
/* namexxx will be up to a 10 byte character */<br />
/* member name. */<br />
/* 4. If the flag is *MSD, the program will convert an */<br />
/* <strong>iSeries</strong> file name "library/file(member)" to a MS-DOS */<br />
/* name with suffix .TXT to the file "library/file.TXT". */<br />
/* 5. If the flag is *MSM, the program will convert an */<br />
/* <strong>iSeries</strong> file name "library/file(member)" to a MS-DOS */<br />
/* name with suffix .TXT to the member name */<br />
/* such as "library/file/member.TXT". */<br />
/* 6. If the flag is *MST, the program will convert an */<br />
/* <strong>iSeries</strong> file name "library/file(member)" to a MS-DOS */<br />
/* name with suffix .TXT to the member name only */<br />
/* such as "member.TXT". */<br />
/* 7. If the flag is *IFS, the program will <strong>for</strong>mat a */<br />
/* file name "library/file(member)" <strong>for</strong>matted <strong>for</strong> the */<br />
/* <strong>iSeries</strong> QSYS.LIB Integrated File System. <strong>for</strong> example */<br />
/* "/QSYS.LIB/LIBRARY.LIB/FILE.FILE/MEMBER.MBR" */<br />
/* */<br />
/* 8. If the flag is SPLF1, the program will <strong>for</strong>mat a */<br />
/* spool file name <strong>for</strong>mated as: */<br />
/* "jobname/useriud/jobnumber/splfname/splfnbr.suffix" */<br />
/* and rebuild a new name with data from the CVTDATA */<br />
/* parameter. */<br />
/* */<br />
/* */<br />
/*NOTE: PKZIP and PKUNZIP per<strong>for</strong>ms no validity checking on the */<br />
/* name that is passed back and assumes that the name is valid */<br />
/* and unique. If the name is not valid or unique, open errors */<br />
/* or missing files may occur. */<br />
/* */<br />
/* */<br />
/*****************************************************************/<br />
CVTNAME: PGM PARM(&INNAME &OUTNAME &CVTFLAGS &CVTDATA)<br />
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */<br />
/* Parameter Program Variables */<br />
/* Input Name that is used examine <strong>for</strong> change */<br />
INNAME: DCL VAR(&INNAME) TYPE(*CHAR) LEN(256)<br />
/* Changed name that is passed back to SecureZIP <strong>for</strong> <strong>iSeries</strong> */<br />
OUTNAME: DCL VAR(&OUTNAME) TYPE(*CHAR) LEN(256)<br />
/* Flags from SecureZIP <strong>for</strong> <strong>iSeries</strong> <strong>for</strong> controlling logic flow */<br />
CVTFLAGS: DCL VAR(&CVTFLAGS) TYPE(*CHAR) LEN(5)<br />
/* data from PKZIP command <strong>for</strong> controlling logic flow */<br />
CVTDATA: DCL VAR(&CVTDATA) TYPE(*CHAR) LEN(256)<br />
/* */<br />
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */<br />
/* Program Variables */<br />
/* <strong>iSeries</strong> QSYS file name represented like "libnm/filenm(mbrnm)" */<br />
LIBNM: DCL VAR(&LIBNM) TYPE(*CHAR) LEN(10) /* Library +<br />
Name */<br />
FILENM: DCL VAR(&FILENM) TYPE(*CHAR) LEN(10) /* File +<br />
name */<br />
MBRNM: DCL VAR(&MBRNM) TYPE(*CHAR) LEN(10) /* Member +<br />
name */<br />
DCL VAR(&IDX) TYPE(*DEC) LEN(3)<br />
DCL VAR(&IDXPRV) TYPE(*DEC) LEN(3)<br />
DCL VAR(&LEN) TYPE(*DEC) LEN(3)<br />
/* DCL VAR(&MSGVAR) TYPE(*CHAR) LEN(300) */<br />
/* DCL VAR(&MUVAR) TYPE(*CHAR) LEN(6) VALUE('..OUT=') */<br />
/* Spool file name represented like */<br />
/* "JOBNAM/USERID/JOBNBR/SPLFNAM/SPLFNBR.SPLSUFIX" */<br />
351
JOBNAM: DCL VAR(&JOBNAM) TYPE(*CHAR) LEN(10) /* Job +<br />
Name */<br />
USERID: DCL VAR(&USERID) TYPE(*CHAR) LEN(10) /* User +<br />
Id */<br />
JOBNBR: DCL VAR(&JOBNBR) TYPE(*CHAR) LEN(7) /* Job +<br />
Number */<br />
SPLFNAM: DCL VAR(&SPLFNAM) TYPE(*CHAR) LEN(10) /* Spool +<br />
File name */<br />
SPLFNBR: DCL VAR(&SPLFNBR) TYPE(*CHAR) LEN(5) /* Spool +<br />
File Number */<br />
SPLSUFIX: DCL VAR(&SPLSUFIX) TYPE(*CHAR) LEN(4) /* +<br />
Suffix */<br />
/* blank out name uncase no hit */<br />
CHGVAR VAR(&OUTNAME) VALUE(' ')<br />
/* */<br />
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */<br />
/* Flag set to *400 */<br />
IF<br />
COND(&CVTFLAGS *EQ '*400') THEN(DO)<br />
CHGVAR<br />
VAR(&OUTNAME) VALUE(&INNAME)<br />
GOTO CMDLBL(ENDCHG)<br />
ENDDO<br />
/* */<br />
/* * * * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * */<br />
/* Flag set to O4MS */<br />
/* Change <strong>iSeries</strong> Library/File(Member) to */<br />
/* MSDOS library/File/Member */<br />
O4MS: IF COND((&CVTFLAGS *EQ 'O4MS') *OR (&CVTFLAGS +<br />
*EQ '*MSD') *OR (&CVTFLAGS *EQ '*MSM') +<br />
*OR (&CVTFLAGS *EQ '*MST') +<br />
*OR (&CVTFLAGS *EQ '*IFS')) +<br />
THEN(DO)<br />
CHGVAR VAR(&IDX) VALUE(0)<br />
CHGVAR VAR(&IDXPRV) VALUE(1)<br />
/* Find a Library Note:max length must be 11 */<br />
DOLIB1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)<br />
IF COND(%SST(&INNAME &IDX 1) *NE '/') +<br />
THEN(GOTO CMDLBL(DOLIB1))<br />
CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV)<br />
IF COND(&LEN > 10) +<br />
THEN(CHGVAR VAR(&LEN) VALUE(10))<br />
CHGVAR VAR(&LIBNM) VALUE(%SST(&INNAME &IDXPRV &LEN))<br />
/* Find a File Note:max length must be 11 */<br />
CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1)<br />
DOFILE1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)<br />
IF COND(%SST(&INNAME &IDX 1) *NE '(') +<br />
THEN(GOTO CMDLBL(DOFILE1))<br />
CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV)<br />
IF COND(&LEN > 10) +<br />
THEN(CHGVAR VAR(&LEN) VALUE(10))<br />
CHGVAR VAR(&FILENM) VALUE(%SST(&INNAME &IDXPRV &LEN))<br />
/* Find a Member Note:max length must be 11 */<br />
CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1)<br />
DOMBR1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)<br />
IF COND(%SST(&INNAME &IDX 1) *NE ')') +<br />
THEN(GOTO CMDLBL(DOMBR1))<br />
CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV)<br />
IF COND(&LEN > 10) +<br />
THEN(CHGVAR VAR(&LEN) VALUE(10))<br />
CHGVAR VAR(&MBRNM) VALUE(%SST(&INNAME &IDXPRV &LEN))<br />
CHGVAR VAR(&OUTNAME) VALUE(&INNAME)<br />
/* Save the new name lib/file/mbr */<br />
DOOUT1:<br />
AMSD: IF (&CVTFLAGS *EQ '*MSD') +<br />
DO<br />
CHGVAR VAR(&OUTNAME) VALUE(&LIBNM *TCAT '/' +<br />
*TCAT &FILENM *TCAT '.TXT ')<br />
GOTO CMDLBL(ENDCHG)<br />
ENDDO<br />
352
AMSM: IF (&CVTFLAGS *EQ '*MSM') +<br />
DO<br />
CHGVAR VAR(&OUTNAME) VALUE(&LIBNM *TCAT '/' +<br />
*TCAT &FILENM *TCAT '/' *TCAT &MBRNM +<br />
*TCAT '.TXT ')<br />
GOTO CMDLBL(ENDCHG)<br />
ENDDO<br />
AMST: IF (&CVTFLAGS *EQ '*MST') +<br />
DO<br />
CHGVAR VAR(&OUTNAME) VALUE(&MBRNM +<br />
*TCAT '.TXT ')<br />
GOTO CMDLBL(ENDCHG)<br />
ENDDO<br />
AIFS: IF (&CVTFLAGS *EQ '*IFS') +<br />
DO<br />
CHGVAR VAR(&OUTNAME) VALUE('/QSYS.LIB/' *TCAT +<br />
&LIBNM *TCAT '.LIB/' *TCAT &FILENM *TCAT +<br />
'.FILE/' *TCAT &MBRNM *TCAT '.MBR')<br />
GOTO CMDLBL(ENDCHG)<br />
ENDDO<br />
CHGVAR VAR(&OUTNAME) VALUE(&LIBNM *TCAT '/' +<br />
*TCAT &FILENM *TCAT '/' +<br />
*TCAT &MBRNM *TCAT ' ')<br />
ENDO4MS: GOTO CMDLBL(ENDCHG)<br />
ENDDO /* end of O4MS do flag */<br />
/* */<br />
/* * * * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * */<br />
/* Flag set to MSO4 */<br />
/* Change a MSDOS file /dir1/dir2/../dirn/file.xxx to */<br />
/* dir2/dirn(filexxx) <strong>iSeries</strong> file */<br />
MSO4: IF COND(&CVTFLAGS *EQ 'MSO4') THEN(DO)<br />
CHGVAR VAR(&IDX) VALUE(0)<br />
CHGVAR VAR(&IDXPRV) VALUE(1)<br />
CHGVAR VAR(&LIBNM) VALUE(' ')<br />
CHGVAR VAR(&FILENM) VALUE(' ')<br />
CHGVAR VAR(&MBRNM) VALUE(' ')<br />
/* first find 1st blank and work backwards */<br />
FINDLST2: CHGVAR VAR(&IDX) VALUE(&IDX + 1)<br />
if<br />
COND(&IDX *GT 250) THEN(GOTO CMDLBL(ENDCHG))<br />
IF COND(%SST(&INNAME &IDX 1) *NE ' ') +<br />
THEN(GOTO CMDLBL(FINDLST2))<br />
/* Find a Member Note:max length must be 11 */<br />
CHGVAR VAR(&IDXPRV) VALUE(&IDX - 1)<br />
DOMBR2: CHGVAR VAR(&IDX) VALUE(&IDX - 1)<br />
IF<br />
COND(&IDX *LT 1) THEN(GOTO CMDLBL(ENDCHG))<br />
IF COND(%SST(&INNAME &IDX 1) *NE '/') +<br />
THEN(GOTO CMDLBL(DOMBR2))<br />
CHGVAR VAR(&LEN) VALUE(&IDXPRV - &IDX)<br />
IF COND(&LEN > 11) +<br />
THEN(CHGVAR VAR(&LEN) VALUE(11))<br />
CHGVAR VAR(&IDXPRV) VALUE(&IDX - 1)<br />
CHGVAR VAR(&MBRNM) VALUE(%SST(&INNAME &IDXPRV &LEN))<br />
/* REMOVE . IF ANY AND FORCE LENGTH TO 10 */<br />
/* Find a File Note:max length must be 10 */<br />
DOFILE2: CHGVAR VAR(&IDX) VALUE(&IDX - 1)<br />
IF<br />
COND(&IDX *LT 1) THEN(GOTO CMDLBL(SETNAME2))<br />
IF COND(%SST(&INNAME &IDX 1) *NE '/') +<br />
THEN(GOTO CMDLBL(DOFILE2))<br />
CHGVAR VAR(&LEN) VALUE(&IDXPRV - &IDX)<br />
IF COND(&LEN > 11) +<br />
THEN(CHGVAR VAR(&LEN) VALUE(11))<br />
CHGVAR VAR(&IDXPRV) VALUE(&IDX - 1)<br />
CHGVAR VAR(&FILENM) VALUE(%SST(&INNAME &IDXPRV &LEN))<br />
/* Find a Library Note:max length must be 10 */<br />
DOLIB2: CHGVAR VAR(&IDX) VALUE(&IDX - 1)<br />
IF<br />
COND(&IDX *LT 1) THEN(GOTO CMDLBL(ENDCHG))<br />
353
IF COND(%SST(&INNAME &IDX 1) *NE '/') +<br />
THEN(GOTO CMDLBL(DOLIB2))<br />
CHGVAR VAR(&LEN) VALUE(&IDXPRV - &IDX)<br />
IF COND(&LEN > 11) +<br />
THEN(CHGVAR VAR(&LEN) VALUE(11))<br />
CHGVAR VAR(&IDXPRV) VALUE(&IDX - 1)<br />
CHGVAR VAR(&LIBNM) VALUE(%SST(&INNAME &IDXPRV &LEN))<br />
/* Save the new name lib/file/mbr */<br />
SETNAME2:<br />
IF COND(&LIBNM *NE ' ') THEN(DO)<br />
CHGVAR VAR(&LIBNM) VALUE(&LIBNM *TCAT '/')<br />
ENDDO<br />
IF COND(&FILENM *NE ' ') THEN(DO)<br />
CHGVAR VAR(&FILENM) VALUE(&FILENM *TCAT '/')<br />
ENDDO<br />
CHGVAR VAR(&OUTNAME) VALUE(&LIBNM *TCAT &FILENM +<br />
*TCAT &MBRNM *TCAT ' ')<br />
ENDMSO4: GOTO CMDLBL(ENDCHG)<br />
ENDDO /* end of O4MS do flag */<br />
/* */<br />
/* * * * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * */<br />
/* Flag set to SPLF1 Sample */<br />
/* Change "jobname/useriud/jobnumber/splfname/splfnbr.suffix" */<br />
/* and build new name with 10 bytes of the CVTDATA field */<br />
/* with a '.' separator followed by splfnbr.suffix */<br />
/* <strong>for</strong> CVTDATA.splfnbr.suffix */<br />
/* all fields from the Spool File passed file name are built */<br />
/* care should be taken not to build duplicate file names in */<br />
/* Archive */<br />
/* * * * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * */<br />
SPLF1: IF COND((&CVTFLAGS *EQ 'SPLF1')) +<br />
THEN(DO)<br />
CHGVAR VAR(&IDX) VALUE(0)<br />
CHGVAR VAR(&IDXPRV) VALUE(1)<br />
/* Find a Jobname Note:max length must be 10 */<br />
JOBNAM1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)<br />
IF COND(%SST(&INNAME &IDX 1) *NE '/') THEN(GOTO +<br />
CMDLBL(JOBNAM1))<br />
CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV)<br />
IF COND(&LEN > 10) +<br />
THEN(CHGVAR VAR(&LEN) VALUE(10))<br />
CHGVAR VAR(&JOBNAM) VALUE(%SST(&INNAME &IDXPRV &LEN))<br />
/* Find a User ID Note:max length must be 10 */<br />
CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1)<br />
USERID1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)<br />
IF COND(%SST(&INNAME &IDX 1) *NE '/') +<br />
THEN(GOTO CMDLBL(USERID1))<br />
CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV)<br />
IF COND(&LEN > 10) +<br />
THEN(CHGVAR VAR(&LEN) VALUE(10))<br />
CHGVAR VAR(&USERID) VALUE(%SST(&INNAME &IDXPRV &LEN))<br />
/* Find a Job Number Note:max length must be 6 */<br />
CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1)<br />
JOBNBR1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)<br />
IF COND(%SST(&INNAME &IDX 1) *NE '/') +<br />
THEN(GOTO CMDLBL(JOBNBR1))<br />
CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV)<br />
IF COND(&LEN > 7) +<br />
THEN(CHGVAR VAR(&LEN) VALUE(7))<br />
CHGVAR VAR(&JOBNBR) VALUE(%SST(&INNAME &IDXPRV &LEN))<br />
/* Find a SPLF Name Note:max length must be 10 */<br />
CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1)<br />
SPLFNAM1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)<br />
IF COND(%SST(&INNAME &IDX 1) *NE '/') +<br />
354
THEN(GOTO CMDLBL(SPLFNAM1))<br />
CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV)<br />
IF COND(&LEN > 10) +<br />
THEN(CHGVAR VAR(&LEN) VALUE(10))<br />
CHGVAR VAR(&SPLFNAM) VALUE(%SST(&INNAME &IDXPRV &LEN))<br />
/* Find a SPLF nbr Note:max length must be 5 */<br />
CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1)<br />
SPLFNBR1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)<br />
IF COND(%SST(&INNAME &IDX 1) *NE '.') +<br />
THEN(GOTO CMDLBL(SPLFNBR1))<br />
CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV)<br />
IF COND(&LEN > 5) +<br />
THEN(CHGVAR VAR(&LEN) VALUE(5))<br />
CHGVAR VAR(&SPLFNBR) VALUE(%SST(&INNAME &IDXPRV &LEN))<br />
/* Find a Suffix Note:max length must be 4 */<br />
CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1)<br />
SPLSUFIX1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)<br />
IF COND(%SST(&INNAME &IDX 1) *NE ' ') +<br />
THEN(GOTO CMDLBL(SPLSUFIX1))<br />
CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV)<br />
IF COND(&LEN > 4) +<br />
THEN(CHGVAR VAR(&LEN) VALUE(4))<br />
CHGVAR VAR(&SPLSUFIX) VALUE(%SST(&INNAME &IDXPRV &LEN))<br />
/* Set CVTDATA Note:max length must be 4 */<br />
CHGVAR VAR(&IDX) VALUE(0)<br />
CVTDATA1: CHGVAR VAR(&IDX) VALUE(&IDX + 1)<br />
IF COND(%SST(&CVTDATA &IDX 1) *NE ' ') +<br />
THEN(GOTO CMDLBL(CVTDATA1))<br />
CHGVAR VAR(&LEN) VALUE(&IDX)<br />
IF COND(&LEN > 10) +<br />
THEN(CHGVAR VAR(&LEN) VALUE(10))<br />
CHGVAR VAR(&LIBNM) VALUE(%SST(&CVTDATA 1 &LEN))<br />
IF COND(&LEN > 1) +<br />
THEN(CHGVAR VAR(%SST(&CVTDATA &LEN 1)) +<br />
VALUE('.'))<br />
/* Save the new name lib/file/mbr */<br />
CHGVAR VAR(&OUTNAME) VALUE(&LIBNM *TCAT &SPLFNBR +<br />
*TCAT '.' *TCAT &SPLSUFIX *TCAT ' ')<br />
ENDSPLF1: GOTO CMDLBL(ENDCHG)<br />
ENDDO /* end of SPLF1 do flag */<br />
/* */<br />
ENDERR: CHGVAR VAR(&OUTNAME) VALUE(' ')<br />
/* */<br />
/* * * * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * */<br />
/* End of CVTNAME <strong>for</strong> return */<br />
ENDCHG:<br />
/* CHGVAR VAR(&MSGVAR) VALUE(&INNAME *BCAT &MUVAR + */<br />
/* *BCAT &OUTNAME) */<br />
/* SNDPGMMSG MSGID(AQZ0000) MSGF(*LIBL/PKZIPMSG) */<br />
/* MSGDTA(&MSGVAR) TOPGMQ(*PRV) */<br />
/* DMPCLPGM CL dump of variable to help debug */<br />
ENDEXIT:<br />
ENDPGM<br />
355
E<br />
List Files<br />
The list file capabilities provided in the PKZIP and PKUNZIP commands can be a<br />
powerful tool <strong>for</strong> maintaining detailed selection criteria and to exclude files. PKZIP<br />
and PKUNZIP commands also allow creating a list of files that are located in a<br />
particular archive.<br />
Creating List Files<br />
Both PKZIP and PKUNZIP can create a text <strong>for</strong>mat file of file names that meet criteria<br />
entered within the FILES and EXCLUDE parameters. In PKZIP, the output files<br />
contain the names of all files in the OS/400 <strong>for</strong>mat, depending on if the files are from<br />
the QSYS file system or IFS. The PKUNZIP program will produce a list of names in<br />
the <strong>for</strong>mat of the archive. To create an output list file, place the output file name in<br />
the parameter CRTLIST(). The default value is CRTLIST(*NONE).<br />
Depending on the value of the TYPLISTFL parameter, the output file can be put in<br />
either the QSYS file system or IFS.<br />
TYPLISTFL(*DB): When the file system is QSYS, the output file will create<br />
a physical file (PF-DTA) with a record length of 132. For the file <strong>for</strong>mat in<br />
CRTLIST, you can use any of the following <strong>for</strong>mats: library/file,<br />
library/file(member), file, or file(member). When a member is not entered,<br />
the member name will be the same as the file name. You should use the<br />
utility that your organization uses to edit data files.<br />
TYPLISTFL(*IFS): When using the IFS, the output file will create a stream<br />
file (*STMF object type). Most organization uses EDTF. For the file <strong>for</strong>mat in<br />
CRTLIST, you can use any of the following <strong>for</strong>mats: file, file.suffix, dir1/file,<br />
dir1/dir2/../dirn/file, /dir1., etc. When the path does not start with ‘/’, then<br />
the path starts in your current directory (relative path).<br />
When creating a file manually, follow the creation attributes described above.<br />
Using List Files as Input<br />
Both PKZIP and PKUNZIP programs can use list file parameters <strong>for</strong> both selections of<br />
files (INCLFILE(‘file name’)) and/or the excluding of file (EXCLFILE(‘file name’). They<br />
can also use an inlist file <strong>for</strong> the encryption recipient ENTPREC. The file name of<br />
356
parameters depends on the setting of TYPLISTFL (*DB or *IFS) and should follow the<br />
guidelines in “Creating List Files,” above.<br />
When using PKZIP, the <strong>for</strong>mat of files in the list file should be in the <strong>for</strong>mat of the<br />
<strong>iSeries</strong> files that will be processed. See the parameters FILES and EXCLUDE <strong>for</strong><br />
specifications.<br />
When using PKUNZIP, the <strong>for</strong>mat of the files in the list file should be in the <strong>for</strong>mat of<br />
the archive. See the parameters FILES and EXCLUDE <strong>for</strong> specifications.<br />
PKUNZIP also has an option to create a list file in expanded mode, which will create<br />
the date and time along with the file names. This is accomplished by having a ‘>’<br />
character being the in the first position of the CRTLIST parameter. See the two<br />
examples below.<br />
Create normal list file: PKUNZIP ARCHIVE('atest/V800/listf')<br />
CRTLIST('atest/listfile(demo)')<br />
Edit File: ATEST/LISTFILE(DEMO)<br />
Record : 1 of 4 by 8 Column : 1 132 by 74<br />
CMD ....+....1....+....2....+....3....+....4....+....5....+....6....+....7....+<br />
************Beginning of data**************<br />
TESTLIB/MYFILE/MYMBR<br />
TESTLIB/MYFILEGE.R/MYMBR<br />
TESTLIB/MYFILETE.XT/MYMBR<br />
TESTLIB/MYFILE27.3/MYMBR<br />
************End of Data********************<br />
Create an expanded list file: PKUNZIP ARCHIVE('atest/V800/listf')<br />
CRTLIST('>atest/listfile(demo)')<br />
Edit File: ATEST/LISTFILE(DEMO)<br />
Record : 1 of 4 by 8 Column : 1 132 by 74<br />
CMD ....+....1....+....2....+....3....+....4....+....5....+....6....+....7....+<br />
************Beginning of data**************<br />
DT(05-20-03 16:16) TESTLIB/MYFILE/MYMBR<br />
DT(02-14-03 16:44) TESTLIB/MYFILEGE.R/MYMBR<br />
DT(02-14-03 16:44) TESTLIB/MYFILETE.XT/MYMBR<br />
DT(02-14-03 16:44) TESTLIB/MYFILE27.3/MYMBR<br />
************End of Data********************<br />
357
F<br />
Translation Tables<br />
Text files (such as program source code) are usually held within an archive using the<br />
ASCII character set <strong>for</strong> compatibility with other versions of PKZIP. For these to be<br />
usable on OS/400, they must be converted to the IBM EBCDIC character set.<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> uses one of two possible internal translation tables, which<br />
should be suitable <strong>for</strong> most customers. These translation table members are used by<br />
parameters FTRAN and TRAN in both the PKZIP and PKUNZIP programs. Included (as<br />
part of the distribution) are a series of override translation tables. Some users may<br />
wish to define their own table.<br />
The override translation tables included are stored as source members in file<br />
PKZTABLES SecureZIP <strong>for</strong> <strong>iSeries</strong> resources tables. By referencing the members in<br />
parameters TRAN and FTRAN, SecureZIP <strong>for</strong> <strong>iSeries</strong> will access the selected<br />
member in the PKZTABLES file and parse them to an internal hexadecimal table <strong>for</strong><br />
use in translation.<br />
The following translation tables are included:<br />
Table<br />
Name<br />
Translation<br />
from<br />
Translation<br />
to<br />
Explanation<br />
ASCIIISO EBCDIC ASCII - iso Translate Table<br />
LATIN1 EBCDIC ASCII Latin Translate Table<br />
NOOP NO-OP Translation Table Straight Hex<br />
UKASCII EBCDIC UK ASCII Translate Table<br />
UKASCIIE EBCDIC UK ASCII Translate Table-Euro<br />
USASCII EBCDIC USA ASCII Translate Table<br />
(Internal Default)<br />
USASCIIE EBCDIC USA ASCII Translate Table-Euro<br />
Standard Code Page Support with Tables<br />
Three data translation tables are available to assist with one or more of the latest<br />
standard EBCDIC text translation to ASCII. These tables were built to relate directly<br />
to IBM code pages numbers.<br />
358
Code page tables available are:<br />
Table<br />
Name<br />
ASCII<br />
Code Page<br />
EBCDIC<br />
Code Page<br />
Explanation<br />
PKZ819037 819 037 ASCII-819 EBCDIC-037<br />
Translation<br />
PKZ819273 819 273 ASCII-819 EBCDIC-273<br />
Translation German<br />
PKZ819277 819 277 ASCII-819 EBCDIC-277<br />
Translation Den/Nor<br />
PKZ819278 819 278 ASCII-819 EBCDIC-278<br />
Translation Fin/Swe<br />
PKZ819280 819 280 ASCII-819 EBCDIC-0280<br />
Translation Italy<br />
PKZ819284 819 284 ASCII-819 EBCDIC-284<br />
Translation Spanish<br />
PKZ819297 819 297 ASCII-819 EBCDIC-297<br />
Translation French<br />
PKZ819500 819 500 ASCII-819 EBCDIC-500<br />
Translation ISO8859-1<br />
PKZ819871 819 871 ASCII-819 EBCDIC-871<br />
Translation Icelandic<br />
PKZ850037 850 037 ASCII-850 EBCDIC-037<br />
Translation<br />
PKZ850284 850 284 ASCII-850 EBCDIC-284<br />
Translation Spanish<br />
International Code Page Support<br />
Some data-interchange environments require specialized multi-language character<br />
translation support. SecureZIP <strong>for</strong> <strong>iSeries</strong> provides tables <strong>for</strong> character based data<br />
translation through translation tables that are also included in the PKZTABLES.<br />
The tables <strong>for</strong> the following international code pages are provided in the SecureZIP<br />
<strong>for</strong> <strong>iSeries</strong> PKZTABLES as members TRTxxyy (where xx = “from” and yy = “to”).<br />
Language EBCDIC ASCII EURO/ASCII FROM TO EURO<br />
German 273 850* 858 EB AA AI<br />
Spanish 284 850 858 EJ AA AI<br />
Portuguese 282 850 858 EI AA AI<br />
Italian 280 850 858 EG AA AI<br />
Danish 277 850 858 EE AA AI<br />
Norwegian 277 850 858 EE AA AI<br />
Swedish 278 850 858 EF AA AI<br />
Finnish 278 850 858 EF AA AI<br />
359
French 297 850 858 EM AA AI<br />
* IBM-850 = IBM-4946<br />
These members are provided "as is.” It is the responsibility of the user to ensure<br />
that data translation mapping is in accordance with their business needs.<br />
Translation Table Layout<br />
There are two translation tables in PKZTABLES. The first table is a translation from<br />
ASCII to EBCDIC. The second is EBCDIC to ASCII.<br />
In each table there are 256 entries representing hex values from x’00’ thru x’FF’.<br />
Each entry is represented as a 4-character field such as 0x00 and 0xFF.<br />
On each line there must be 8 entries with each entry separated by a space. With 8<br />
entries per line, there must be 32 lines of table entries <strong>for</strong> each table set,<br />
representing the 256 translation values.<br />
The tables have embedded comments to help in their documentation.<br />
In the table example below, to translate an ASCII character A (hexadecimal x’41’ or<br />
decimal value of ‘65’), go to entry 65 in the table (Line 8, entry 2) and find a<br />
hexadecimal x’C1’ which is the EBCDIC A.<br />
See “Example of PKZTABLES (USASCII) Translation Table.”<br />
Note: Do not alter any other members found in the PKZTABLES file or SecureZIP<br />
<strong>for</strong> <strong>iSeries</strong> may not function correctly.<br />
Creating New Translation Table Members<br />
Take the following steps to define your own translation table:<br />
1. Copy one of the distributed members in PKZTABLES to a member name of<br />
your choice.<br />
2. Edit the new table using the OS/400 Source Entry Utility (SEU).<br />
3. Change the values with respect to the layout describe above, making sure not<br />
to alter the overall table layout. If the overall layout is altered, SecureZIP<br />
<strong>for</strong> <strong>iSeries</strong> may not work correctly.<br />
4. Save the member and test your changes.<br />
Example of PKZTABLES (USASCII) Translation Table<br />
/* PKZIP/400 Translate Table USASCII to EBCDIC */<br />
/*00-07*/ 0x00 0x01 0x02 0x03 0x37 0x2D 0x2E 0x2F /*00-07*/<br />
/*08-0f*/ 0x16 0x05 0x25 0x0B 0x0C 0x0D 0x0E 0x9F /*08-0f*/<br />
/*10-17*/ 0x10 0x11 0x12 0x13 0xB6 0xB5 0x32 0x26 /*10-17*/<br />
/*18-1f*/ 0x18 0x19 0x3F 0x27 0x1C 0x1D 0x1E 0x1F /*18-1f*/<br />
/*20-27*/ 0x40 0x5A 0x7F 0x7B 0x5B 0x6C 0x50 0x7D /*20-27*/<br />
/*28-2f*/ 0x4D 0x5D 0x5C 0x4E 0x6B 0x60 0x4B 0x61 /*28-2f*/<br />
/*30-37*/ 0xF0 0xF1 0xF2 0xF3 0xF4 0xF5 0xF6 0xF7 /*30-37*/<br />
/*38-3f*/ 0xF8 0xF9 0x7A 0x5E 0x4C 0x7E 0x6E 0x6F /*38-3f*/<br />
/*40-47*/ 0x7C 0xC1 0xC2 0xC3 0xC4 0xC5 0xC6 0xC7 /*40-47*/<br />
/*48-4f*/ 0xC8 0xC9 0xD1 0xD2 0xD3 0xD4 0xD5 0xD6 /*48-4f*/<br />
/*50-57*/ 0xD7 0xD8 0xD9 0xE2 0xE3 0xE4 0xE5 0xE6 /*50-57*/<br />
360
*58-5f*/ 0xE7 0xE8 0xE9 0xBA 0xE0 0xBB 0xB0 0x6D /*58-5f*/<br />
/*60-67*/ 0x79 0x81 0x82 0x83 0x84 0x85 0x86 0x87 /*60-67*/<br />
/*68-6f*/ 0x88 0x89 0x91 0x92 0x93 0x94 0x95 0x96 /*68-6f*/<br />
/*70-77*/ 0x97 0x98 0x99 0xA2 0xA3 0xA4 0xA5 0xA6 /*70-77*/<br />
/*78-7f*/ 0xA7 0xA8 0xA9 0xC0 0x6A 0xD0 0xA1 0x07 /*78-7f*/<br />
/*80-87*/ 0x68 0xDC 0x51 0x42 0x43 0x44 0x47 0x48 /*80-87*/<br />
/*88-8f*/ 0x52 0x53 0x54 0x57 0x56 0x58 0x63 0x67 /*88-8f*/<br />
/*90-97*/ 0x71 0x9C 0x9E 0xCB 0xCC 0xCD 0xDB 0xDD /*90-97*/<br />
/*98-9f*/ 0xDF 0xEC 0xFC 0x4A 0xB1 0xB2 0x3E 0xB4 /*98-9f*/<br />
/*a0-a7*/ 0x45 0x55 0xCE 0xDE 0x49 0x69 0x9A 0x9B /*a0-a7*/<br />
/*a8-af*/ 0xAB 0x0F 0x5F 0xB8 0xB7 0xAA 0x8A 0x8B /*a8-af*/<br />
/*b0-b7*/ 0x3C 0x3D 0x62 0x4F 0x64 0x65 0x66 0x20 /*b0-b7*/<br />
/*b8-bf*/ 0x21 0x22 0x70 0x23 0x72 0x73 0x74 0xBE /*b8-bf*/<br />
/*c0-c7*/ 0x76 0x77 0x78 0x80 0x24 0x15 0x8C 0x8D /*c0-c7*/<br />
/*c8-cf*/ 0x8E 0x41 0x06 0x17 0x28 0x29 0x9D 0x2A /*c8-cf*/<br />
/*d0-d7*/ 0x2B 0x2C 0x09 0x0A 0xAC 0xAD 0xAE 0xAF /*d0-d7*/<br />
/*d8-df*/ 0x1B 0x30 0x31 0xFA 0x1A 0x33 0x34 0x35 /*d8-df*/<br />
/*e0-e7*/ 0x36 0x59 0x08 0x38 0xBC 0x39 0xA0 0xBF /*e0-e7*/<br />
/*e8-ef*/ 0xCA 0x3A 0xFE 0x3B 0x04 0xCF 0xDA 0x14 /*e8-ef*/<br />
/*f0-f7*/ 0xE1 0x8F 0x46 0x75 0xFD 0xEB 0xEE 0xED /*f0-f7*/<br />
/*f8-ff*/ 0x90 0xEF 0xB3 0xFB 0xB9 0xEA 0xBD 0xFF /*f8-ff*/<br />
/* PKZIP/400 Translate Table EBCDIC to USASCII */<br />
/*00-07*/ 0x00 0x01 0x02 0x03 0xEC 0x09 0xCA 0x7F /*00-07*/<br />
/*08-0f*/ 0xE2 0xD2 0xD3 0x0B 0x0C 0x0D 0x0E 0xA9 /*08-0f*/<br />
/*10-17*/ 0x10 0x11 0x12 0x13 0xEF 0xC5 0x08 0xCB /*10-17*/<br />
/*18-1f*/ 0x18 0x19 0xDC 0xD8 0x1C 0x1D 0x1E 0x1F /*18-1f*/<br />
/*20-27*/ 0xB7 0xB8 0xB9 0xBB 0xC4 0x0A 0x17 0x1B /*20-27*/<br />
/*28-2f*/ 0xCC 0xCD 0xCF 0xD0 0xD1 0x05 0x06 0x07 /*28-2f*/<br />
/*30-37*/ 0xD9 0xDA 0x16 0xDD 0xDE 0xDF 0xE0 0x04 /*30-37*/<br />
/*38-3f*/ 0xE3 0xE5 0xE9 0xEB 0xB0 0xB1 0x9E 0x1A /*38-3f*/<br />
/*40-47*/ 0x20 0xC9 0x83 0x84 0x85 0xA0 0xF2 0x86 /*40-47*/<br />
/*48-4f*/ 0x87 0xA4 0x9B 0x2E 0x3C 0x28 0x2B 0xB3 /*48-4f*/<br />
/*50-57*/ 0x26 0x82 0x88 0x89 0x8A 0xA1 0x8C 0x8B /*50-57*/<br />
/*58-5f*/ 0x8D 0xE1 0x21 0x24 0x2A 0x29 0x3B 0xAA /*58-5f*/<br />
/*60-67*/ 0x2D 0x2F 0xB2 0x8E 0xB4 0xB5 0xB6 0x8F /*60-67*/<br />
/*68-6f*/ 0x80 0xA5 0x7C 0x2C 0x25 0x5F 0x3E 0x3F /*68-6f*/<br />
/*70-77*/ 0xBA 0x90 0xBC 0xBD 0xBE 0xF3 0xC0 0xC1 /*70-77*/<br />
/*78-7f*/ 0xC2 0x60 0x3A 0x23 0x40 0x27 0x3D 0x22 /*78-7f*/<br />
/*80-87*/ 0xC3 0x61 0x62 0x63 0x64 0x65 0x66 0x67 /*80-87*/<br />
/*88-8f*/ 0x68 0x69 0xAE 0xAF 0xC6 0xC7 0xC8 0xF1 /*88-8f*/<br />
/*90-97*/ 0xF8 0x6A 0x6B 0x6C 0x6D 0x6E 0x6F 0x70 /*90-97*/<br />
/*98-9f*/ 0x71 0x72 0xA6 0xA7 0x91 0xCE 0x92 0x0F /*98-9f*/<br />
/*a0-a7*/ 0xE6 0x7E 0x73 0x74 0x75 0x76 0x77 0x78 /*a0-a7*/<br />
/*a8-af*/ 0x79 0x7A 0xAD 0xA8 0xD4 0xD5 0xD6 0xD7 /*a8-af*/<br />
/*b0-b7*/ 0x5E 0x9C 0x9D 0xFA 0x9F 0x15 0x14 0xAC /*b0-b7*/<br />
/*b8-bf*/ 0xAB 0xFC 0x5B 0x5D 0xE4 0xFE 0xBF 0xE7 /*b8-bf*/<br />
/*c0-c7*/ 0x7B 0x41 0x42 0x43 0x44 0x45 0x46 0x47 /*c0-c7*/<br />
/*c8-cf*/ 0x48 0x49 0xE8 0x93 0x94 0x95 0xA2 0xED /*c8-cf*/<br />
/*d0-d7*/ 0x7D 0x4A 0x4B 0x4C 0x4D 0x4E 0x4F 0x50 /*d0-d7*/<br />
/*d8-df*/ 0x51 0x52 0xEE 0x96 0x81 0x97 0xA3 0x98 /*d8-df*/<br />
/*e0-e7*/ 0x5C 0xF0 0x53 0x54 0x55 0x56 0x57 0x58 /*e0-e7*/<br />
/*e8-ef*/ 0x59 0x5A 0xFD 0xF5 0x99 0xF7 0xF6 0xF9 /*e8-ef*/<br />
/*f0-f7*/ 0x30 0x31 0x32 0x33 0x34 0x35 0x36 0x37 /*f0-f7*/<br />
/*f8-ff*/ 0x38 0x39 0xDB 0xFB 0x9A 0xF4 0xEA 0xFF /*f8-ff*/<br />
/* PKZIP/400 Translate Tables end */<br />
361
G Implementation Considerations<br />
SecureZIP <strong>for</strong> <strong>iSeries</strong> components have been structured and written <strong>for</strong> the <strong>iSeries</strong><br />
plat<strong>for</strong>ms and <strong>iSeries</strong> servers. The code base includes support <strong>for</strong> the OS/400<br />
operating system.<br />
As with any product placed into production, familiarity with (and verification of)<br />
features is always highly recommended. Below is a list of key features that users of<br />
PKZIP should thoroughly understand.<br />
Key Features<br />
• The commands PKZIP and PKUNZIP contain all parameters and options<br />
required to use SecureZIP <strong>for</strong> <strong>iSeries</strong>. The parameters and options are in a<br />
<strong>for</strong>mat that provide a migration path toward the open systems environment.<br />
All parameters in the two commands are supported with the OS/400 help<br />
panels. The parameters and options should be reviewed to understand the<br />
features supported.<br />
• With the IFS, long file names are supported <strong>for</strong> files, archive files, and list<br />
files.<br />
• List files <strong>for</strong> inputting file selections and outputting selections is supported <strong>for</strong><br />
both the QSYS library file system and the IFS.<br />
• Archive files are supported in both the QSYS library file system and the IFS.<br />
By using the archive files within the IFS, per<strong>for</strong>mance is enhanced. CPU<br />
operation is more efficient and archive files are smaller. As a result, elapsed<br />
run time is reduced.<br />
• Provides a quick and easy method <strong>for</strong> installing on the <strong>iSeries</strong> without running<br />
under the QSECOFR user or security authority.<br />
• Using the parameter MSGTYPE, messages can be directed to a printer file, the<br />
message queue, or both.<br />
• When archive files are created in the QSYS library file system, the record<br />
length can be defined to fit the customer environment.<br />
• When a file is extracted to the QSYS library file system, and neither the file<br />
nor the extended attribute <strong>for</strong> the record length exists, the default file’s<br />
created record length can be defined externally.<br />
362
• When compressing a file in text mode, you can define the record as a fixedlength<br />
record with trailing blanks that are based on the file’s record length<br />
description in the QSYS library file system.<br />
• When selecting files <strong>for</strong> compression in the IFS, you can specify whether to<br />
search recursively through the directories <strong>for</strong> file selection, or to only search<br />
the currently specified directory.<br />
• When extracting files with the PKUNZIP command, you can drop the path of<br />
files in the archive and use only the file name. This allows you to build the<br />
extracted file in new directories, libraries, and/or files. This applies to IFS and<br />
QSYS library file systems.<br />
• When using files with the product, the attributes are stored in the archive to<br />
indicate how the file was stored (binary, text, text in EBCDIC, SAVF, or<br />
Database Services) and can be used when extracting files with<br />
FILETYPE(*DETECT).<br />
• The PKUNZIP command allows <strong>for</strong> defining default paths and libraries <strong>for</strong> both<br />
IFS and QSYS library file systems.<br />
• File selection has been written to provide additional file filtering controls.<br />
Individual file selection can be made using the FILE parameter and/or the<br />
“List File” (INCLFILE) which allows a list of files to be selected.<br />
• File exclusion has been written to provide additional file filtering controls.<br />
Individual file exclusion can be made using the EXCLUDE parameter and/or<br />
the “List File” (EXCLFILE), which allows a list of files to be excluded.<br />
• SecureZIP <strong>for</strong> <strong>iSeries</strong> is a licensed product, and without proper licensing, it<br />
can only be used to view archives. Licensing allows flexibility with the product<br />
features and hardware plat<strong>for</strong>ms. The license dataset must be defined and<br />
customized prior to use of the product.<br />
• Extended attributes are stored within the archive directory.<br />
• Note: These attributes are not published as part of a program control<br />
interface and may change between releases. Using the parameter<br />
TYPE(*VIEW) with VIEWOPT(*ALL) will report extended file in<strong>for</strong>mation in the<br />
same report <strong>for</strong>mat order, regardless of the order that extended attributes<br />
are stored in the archive.<br />
• SecureZIP <strong>for</strong> <strong>iSeries</strong> library can be renamed from the standard distribution<br />
name of PKW81051S to fit the operational environment.<br />
• PKZIP and PKUNZIP commands can be executed without the product’s library<br />
being part of the library list.<br />
363
H<br />
SPOOL Files Considerations<br />
This appendix contains in<strong>for</strong>mation on how SecureZIP <strong>for</strong> <strong>iSeries</strong> handles spool<br />
files in different scenarios that might be helpful to consider in planning <strong>for</strong><br />
compressing spool files.<br />
Spool File Selections<br />
Care should be taken when selecting spool files not to set all of the spool file<br />
selection parameters to *ALL, as this will select all spool files on your <strong>iSeries</strong>. This is<br />
why the default <strong>for</strong> the user ID is SFUSER(*CURRENT) to at least limit it to the<br />
current user in case a selection is not filled in correctly.<br />
If a spool file is deleted after the selection but be<strong>for</strong>e the actual compression takes<br />
place, the PKZIP job will fail.<br />
SPLF Attributes<br />
When a spool file is selected and the parameter EXTRAFL is coded *YES (the<br />
default), then the extended attributes listed below are stored in archive and can be<br />
viewed with PKUNZIP TYPE(*VIEW) VIEWOPT(*ALL). Also when the spool files are<br />
stored in the archive, the date and time <strong>for</strong> the file is the spool files creation date<br />
and time and can be viewed with PKUNZIP.<br />
Extended Attributes:<br />
• Description: The spool file description is built as follows:<br />
"Job-Name/User-Name/#Job-Number/Spool-File-Name/Fspool-File-<br />
Number.Suffix" For Example: "MYJOB/BILLS#152681/INVOICE/F0021.SPLF"<br />
• Spool file type: *SCS: SNA Character Stream, *IPDS: An intelligent printer<br />
data stream, *AFPDS: Advanced Function Print Data Stream, *USERASCII:<br />
An ASCII data stream user defined, *LINE: Line data that is very printer<br />
specific, and *AFPDSLINE: Mixed data (line data and AFPDS data).<br />
• Target file created: Describes the target type file created during<br />
compression. SPLF: Spool Files, TXT: ASCII Text Conversion, and PDF:<br />
Portable Document Format.<br />
• Number of pages contained in the spool file.<br />
364
An example of the attributes view seen with –VIEWOPT(*ALL) <strong>for</strong> a spool file<br />
converted to a PDF might appear as follows:<br />
Filename: CRTCM60.PDF<br />
Detected File type: Binary<br />
Created by: SecureZIP <strong>for</strong> <strong>iSeries</strong> 8.1 PKZIP 2.x compatible<br />
Minimum to Extract: PKZIP 2.0 Or Greater<br />
Compression method: Deflated [Fast]<br />
Date and Time 2003 Oct 17 07:22:00<br />
Compressed size: 2316 bytes<br />
Uncompressed size: 8146 bytes<br />
32-bit CRC value (hex): 40950039<br />
Extended attributes: yes, [Length = 112]<br />
Spool File Type:*SCS, Target File:PDF, Nbr Of pages(3).<br />
SPLF Desc:EVWSS/EVWSS/#007892/CRTCM/F0060.PDF.<br />
File Comment:"none"<br />
The preceding view comes from the following spool file:<br />
5722SS1 V5R1M0 Work With Output Queue QPRINT2 in QGPL 11/19/02 14:08:53 Page 1<br />
File User User Data Status Pages Cpy Form Tp Pty File Number Job Number Date<br />
Time<br />
CRTCM EVWSS RDY 3 1 *STD 5 60 EVWSS 007892 10/17/02<br />
07:22:00<br />
PDF Creation Attributes<br />
When creating a PDF, the attributes are also stored in the PDF document to help<br />
trace back what spool file they originated from.<br />
• The date and time of the spool file creation will be the PDF date and time of<br />
creation.<br />
• The author will be the user ID that created the spool file.<br />
• The subject will be made up of the spool file name, number, and the job<br />
(number/user ID/job name).<br />
365
An example of a PDF summary is:<br />
366
I<br />
History of Changes<br />
RELEASE 5.6 September 2003<br />
• Support <strong>for</strong> ZIP64 archive <strong>for</strong>mats to support large file system feature.<br />
• Control over extra data to reduce total archive size. (New options in PKZIP<br />
parameter EXTRAFLD.)<br />
• Warning when updating digitally signed archives.<br />
• Ability to ignore case sensitivity when selecting files in the IFS. (New Option<br />
*IFS2 with parameter TYPFL2ZP).<br />
• Ability to use CVTNAME when selecting spool files to change name in archive.<br />
• New warning message AQZ0024 to monitoring when no files are selected.<br />
• Ability to create and maintain self extracting archives. (New PKZIP parameter<br />
SELFXTRACT.)<br />
• Ability to insert a path to the file names in archive. (New PKZIP parameter<br />
ISRTPATH.)<br />
• New translating tables <strong>for</strong> code pages included in file PKZTABLES.<br />
• Ability to handle extremely large spool file conversions to PDF or TEXT.<br />
• Ability to convert a spool file to an ASCII Text document with ANSI control<br />
characters. The first character of every record contains an American National<br />
Standards Institute (ANSI) <strong>for</strong>ms control character. (New option *TEXTFC in<br />
parameter SFTARGET.)<br />
• More in<strong>for</strong>mation with detail view of spool file in an archive.<br />
• The ARCHIVE and FILE paths and file names has been expanded to 256<br />
characters.<br />
• The ARCHIVE will now accept imbedded spaces in the path and file name <strong>for</strong><br />
archives in the IFS..<br />
• A new PKZIP global setting to disallow wildcard selection is provided<br />
• PKZIP will now post a standard description to archive document file<br />
descriptions <strong>for</strong> archives created in the /QDLS.<br />
367
RELEASE 5.5 January 2003<br />
• New parameter ADVCRYPT to specify encryption level.<br />
• New parameter VPASSWORD which is required <strong>for</strong> advanced encryption and is<br />
used to verify with PASSWORD to ensure accuracy.<br />
• Password now accepts up to 200 characters.<br />
• Spool files can be archived or converted to a TEXT or PDF <strong>for</strong>mat.<br />
• PKUNZIP now supports using a member *FIRST or *LAST <strong>for</strong> a member when<br />
using the QSYS file system.<br />
• PKZIP now recognizes the older physical files with attributes of PF38<br />
(System/38) physical files.<br />
• Parameter CVTDATA is added to PKZIP and PKUNZIP commands and<br />
CVTNAME program changed to accept 4 variables (old file name, new file<br />
name, CVTFLAG, and CVTDATA).<br />
• PKZIP and PKUNZIP will issues *STATUS message <strong>for</strong> completion messages<br />
so they can be monitored. The following message can now be monitored:<br />
AQZ0012 - PKZIP ending with nothing to do <strong>for</strong> .<br />
AQZ0020 - PKZIP completed successfully.<br />
AQZ0022 - PKZIP completed with errors.<br />
AQZ0037 - PKUNZIP completed successfully.<br />
AQZ0038 - PKUNZIP completed with errors.<br />
• Fix security authorization when creating a new directory or folder in the IFS<br />
so that authority is inherited from directory above.<br />
• When only the file name is used in FILES parameter <strong>for</strong> selection, PKZIP was<br />
defaulting to *CURLIB. This has been revised per documentation to use *LIBL<br />
as the default.<br />
• When creating a file in the integrated file system, the file will be created with<br />
attributes of directory that is created in plus owner of the PKUNZIP run.<br />
• PKZIP revised to include files with attribute DDMF and file type DDM while<br />
searching <strong>for</strong> files in the selection parameters.<br />
• Added translation code tables 850 ASCII and 037 EBCDIC to PKZIPTABLES file<br />
(PKZ850037).<br />
• PKZCHGOWN CLP program "source" is provided in the source file QCLSRC file<br />
to assist customer who may want to change the owner of the object<br />
distributed.<br />
• When creating files, PKUNZIP uses SIZE(*NOMAX) with CRTPF to avoid<br />
constant message replies.<br />
• Added the in<strong>for</strong>mational program WHATOSV to distribution. WHATOSV shows<br />
OS Version, serial number, and process group required <strong>for</strong> licensing. To use<br />
CALL WHATOSV.<br />
• EXDIR was expanded from 30 character to 224 characters to allow <strong>for</strong> more<br />
flexibility with the IFS.<br />
368
• When getting the message AQZ0148 "Archive file empty", PKZIP will also<br />
issue the message AQZ0022 "PKZIP Completed with Errors" at the end of the<br />
run. The AQZ0022 is a message that can be monitored. The message<br />
AQZ0022 is now being issued as a diagnostic type message instead of a<br />
completion message.<br />
• PKUNZIP revised to not use IFS Stat when checking the archives in the QSYS<br />
file system. This was preventing authority adoption <strong>for</strong> PKUNZIP archive files.<br />
PKUNZIP is now per<strong>for</strong>ming object and file checking.<br />
• PKZIP revised random number <strong>for</strong> creation of the temporary archive name<br />
was improved to avoid duplication. The random routines now use the job<br />
number <strong>for</strong> initial seed.<br />
• When extracting with PKUNZIP TYPE(*NEWER) and the files do not exist,<br />
extract the files as if they are the same as newer when files do exist.<br />
• Improved per<strong>for</strong>mance extracting to a file that has a large number of<br />
members. Improved per<strong>for</strong>mance selecting files <strong>for</strong> compression when files<br />
have a large number of members.<br />
• Expanded the field sizes of the ARCHIVE and FILES parameters to 140<br />
characters in PKZIP and PKUNZIP commands to allow more folders in the path<br />
of IFS files.<br />
• Added keyword ?MBR to parameter EXDIR in command PKUNZIP. If EXDIR is<br />
coded with keyword ?MBR and the file system is the QSYS library system<br />
PKUNZIP will use the member name <strong>for</strong> the file name. For example:<br />
EXDIR('newlib/?MBR') and DROPPATH(*ALL) parameters are coded and the<br />
file name in archive is "mylib/myfile/mymbr", the file will be extract to the file<br />
"newlib/mymbr(mymbr)". This is valid only <strong>for</strong> TYPFL2ZP(*DB) files.<br />
• Support of spool files along with text document conversion.<br />
• New parameter DELIM was added to PKZIP to provide the ability to define the<br />
end-of-record characters at the end of a text record (such as CRLF, etc.).<br />
• New install process from CD using LODRUN command.<br />
RELEASE 5.5.1 – March 2003<br />
• Resolved under rare conditions when extracting a text file from an archive<br />
created in a UNIX environment, there may be 1- 2 invalid extra last text<br />
records..<br />
• Added new error check <strong>for</strong> spool files: AQZ0301 Parameter SFTARGET(*SPLF)<br />
requires EXTRAFLD(*YES). Correct and rerun. AQZ0302 FILETYPE parameter<br />
must be (*DETECT) when compressing spool files.<br />
• Improved page fitting during spool file conversion when using *PDFLETTER<br />
and PDFLEGAL as the option in the parameter SFTARGET.<br />
369
RELEASE 5.5.2 – May 2003<br />
• Under certain conditions when converting a spool file to a text or PDF file,<br />
there are extraneous characters in some lines due to buffers not being<br />
cleared properly.<br />
• Added message AQZ0304 to indicate the job in parameter SFJOBNAM cannot<br />
be found or is invalid when selecting a spool file.<br />
• Added ability to have a GZIP archive file greater than 2 GB.<br />
370
J<br />
Creating Commands with new<br />
defaults<br />
There are times when some clients would like to change the defaults of the<br />
commands <strong>for</strong> their environment. This is why the source <strong>for</strong> the commands PKZIP,<br />
PKZSPOOL, and PKUNZIP are included in the distribution library in the QCMDSRC file.<br />
It is important that the sequences, values, and properties of the parameters do not<br />
change. To protect you ability to recover, it is suggested that you rename the<br />
previous command and command source and copy them be<strong>for</strong>e make any changes.<br />
If you want to restrict where the commands can be per<strong>for</strong>med then change the<br />
parameter ALLOW(*ALL) to the value you require. See IBM CL manuals or prompt<br />
CRTCM.<br />
Below are sample statements to create the commands. In this example, the PKZIP<br />
library is PKW81051S.<br />
Create PKZIP Command:<br />
CRTCMD CMD(PKW81051S/PKZIP) PGM(PKW81051S/PKZIP)<br />
SRCFILE(PKW81051S/QCMDSRC)<br />
HLPPNLGRP(PKW81051S/ ZIPHLP) HLPID(*CMD)<br />
Create PKZSPOOL Command<br />
CRTCMD CMD(PKW81051S/PKZSPOOL) PGM(PKW81051S/PKZIP)<br />
SRCFILE(PKW81051S/QCMDSRC)<br />
HLPPNLGRP(PKW81051S/ ZIPHLP) HLPID(*CMD)<br />
Create PKUNZIP Command:<br />
CRTCMD CMD(PKW81051S/PKUNZIP) PGM(PKW81051S/PKUNZIP)<br />
SRCFILE(PKW81051S/QCMDSRC)<br />
HLPPNLGRP(PKW81051S/ UZIPHLP) HLPID(*CMD)<br />
Appendix K 371
K<br />
Extended Attributes<br />
This chapter reviews the extended attributes that SecureZIP <strong>for</strong> <strong>iSeries</strong> builds<br />
when using the parameters EXTRAFLD(*YES) or DBSERVICE(*YES). These extended<br />
attributes can be viewed <strong>for</strong> a file by using PKUNZIP with parameters TYPE(*VIEW)<br />
and VIEWOPT(*DETAIL) <strong>for</strong> the archive.<br />
Within the ZIP archive are two directories that provide in<strong>for</strong>mation about the files<br />
that are held within it. A local directory (included at the beginning of each file)<br />
contains in<strong>for</strong>mation such as the file size and the date the file was zipped. The<br />
central directory (located at the end of the ZIP archive) lists the complete contents<br />
of the ZIP archive and is the primary source of in<strong>for</strong>mation <strong>for</strong> UNZIP processing. In<br />
each directory there can exist extended data or attributes <strong>for</strong> the compressed files.<br />
When EXTRAFLD(*YES) is specified, a set of basic attributes are created <strong>for</strong> each file<br />
in the archive. The type of attribute created depends on the type of file system<br />
(QSYS library file system or IFS) in which the file being compressed exists. The<br />
standard attributes <strong>for</strong> both systems are described below.<br />
If the parameter DBSERVICE(*YES) is specified <strong>for</strong> the PKZIP command, and if the<br />
file being compressed is a physical file (PF-DTA or PF_SRC), then the basic extended<br />
attributes are created followed by the detailed database attributes. With the detailed<br />
database attributes, PKUNZIP can build and compile the DDS source file to recreate<br />
the database file (see DATABASE attributes). The database file will be compressed in<br />
the binary mode.<br />
Standard QSYS Library File System Attributes<br />
When the files being compressed are from the QSYS library file system, the standard<br />
attributes created are described in the following tables.<br />
For additional in<strong>for</strong>mation, see the DSPFD command in the IBM manuals.<br />
Physical Files (both Source and Data)<br />
Attribute<br />
Description<br />
1 Maximum Record Length Specifies the length (in bytes) of the records<br />
stored in the physical file.<br />
2 Library Text The text description of the library that the file<br />
does exist.<br />
372
SAVF<br />
3 File Text The text description of the File.<br />
4 Member Text The text description of the member.<br />
5 File Type Specifies whether each member of the<br />
physical file being created contains data<br />
records or contains source records<br />
(statements. PF_SRC or PF_DTA.).<br />
6 Source Type Code Specifies the source type of the member,<br />
such as, CLP, PF, LF, RPGLE, etc.<br />
Attribute<br />
Description<br />
1 Library Text The text description of the library that the<br />
SAVF exists.<br />
2 File Text The text description of the SAVF.<br />
Standard IFS Attributes<br />
When the files being compressed are from the integrated file system, the standard<br />
attributes <strong>for</strong> stream files are as described in the following table.<br />
Attribute<br />
Description<br />
1 Code Page<br />
2 File creations date/time The date and time when the file was created.<br />
3 File last access date/time The date and time when the file was last<br />
accessed.<br />
4 File last modification<br />
date/time<br />
The data and time when the file was last<br />
modified.<br />
Advanced Encryption Attributes<br />
When the files being compressed with advanced encryption, encryption attributes are<br />
added to the archive.<br />
Attribute<br />
Description<br />
1 Encryption Method/ Algorithm Indicates the Encryption Method.<br />
2 Encryption Key Type The key type used with the encryption<br />
algorithm.<br />
3 Security Method Indicates whether a password, certificate, or<br />
both password and certificate are in use.<br />
DATABASE Attributes<br />
With the parameter DBSERVICE(*YES) in PKZIP, a special set of attributes are<br />
created <strong>for</strong> files that are physical files (both source and data types) in the QSYS<br />
library file system. These attributes can be used by PKUNZIP to create a database by<br />
building the DDS source and issuing the CRTPF command <strong>for</strong> the source.<br />
373
These database attributes are described in the following tables.<br />
File Physical Attributes<br />
For more in<strong>for</strong>mation, see the CRTPF and CHGPF commands or IBM publications.<br />
Attribute<br />
Description<br />
1 File Record Format The name of the file’s record <strong>for</strong>mat.<br />
2 File Record Text The Text description <strong>for</strong> the file’s <strong>for</strong>mat.<br />
3 Maximum Number of<br />
Members<br />
Specifies the maximum number of members<br />
that the physical file being created can have<br />
at any time.<br />
4 Number Fields The number of fields in the database.<br />
5 Number of keys The number of key fields in the database.<br />
6 SIZE - nbr Records SIZE parameter option - The number of<br />
records that can be inserted be<strong>for</strong>e an<br />
automatic extension occurs.<br />
7 SIZE - increment value SIZE parameter option - Value <strong>for</strong> the number<br />
of additional records.<br />
8 SIZE - number of increments SIZE parameter option - Maximum number of<br />
parts to be added automatically to the<br />
member.<br />
9 Public Authority AUT - Specifies the authority given to users<br />
who do not have specific authority to the<br />
physical file.<br />
Note: If an authorization list was specified <strong>for</strong><br />
the file then AUT is set to *CHANGED. See<br />
“Database Attributes Considerations.”<br />
10 Record Description CCSID The coded character set identifier <strong>for</strong> the<br />
record description.<br />
11 Delete Percent DLTPCT - Specifies the percentage of deleted<br />
records a file can contain be<strong>for</strong>e you want the<br />
system to send a message to the system<br />
history log.<br />
12 Reuse deleted records REUSEDLT - Specifies whether deleted<br />
record space should be reused on<br />
subsequent write operations.<br />
13 Access path size ACCPTHSIZ - Specifies the maximum size of<br />
auxiliary storage that can be occupied by<br />
access paths that are associated with keyed<br />
source physical files.<br />
14 Access path maintenance MAINT - Specifies the type of access path<br />
maintenance used <strong>for</strong> all members of the<br />
physical file.<br />
15 Access path recovery RECOVER - For files having immediate or<br />
delayed maintenance on their access paths,<br />
specifies when recovery processing of the file<br />
is done if a system failure occurs while the<br />
access path is being changed.<br />
16 Allocate storage ALLOCATE - Specifies storage space is<br />
allocated <strong>for</strong> the initial number of records<br />
(SIZE parameter) <strong>for</strong> each physical file<br />
member when it is added.<br />
374
Attribute<br />
Description<br />
17 Force keyed access path FRCACCPTH - For files with keyed access<br />
paths only, specifies access path changes are<br />
<strong>for</strong>ced to auxiliary storage along with the<br />
associated records in the file whenever the<br />
access path is changed.<br />
18 Record <strong>for</strong>mat level check LVLCHK - Specifies the record <strong>for</strong>mat level<br />
identifiers in the program are checked against<br />
those in the logical file when the file is<br />
opened.<br />
19 Program describe File Defines whether file is external file type.<br />
20 Triggers Available File had triggers defined. See “Database<br />
Attributes Considerations.”<br />
21 File SQL Table File is an SQL Table.<br />
22 Constraints Available File had Constraints defined. See “Database<br />
Attributes Considerations.”<br />
23 File has Null Fields File contains fields which allow NULL<br />
contents. See “Database Attributes<br />
Considerations.”<br />
File Field Attributes<br />
See “<strong>iSeries</strong> e DDS Reference Publication No. RBAF-P000-00” <strong>for</strong> a description of the<br />
keywords.<br />
Attribute<br />
Description<br />
1 Field Name Field name.<br />
2 Field Data Type Specifies the data type associated with the<br />
field (such as, A-character, P-Packed,<br />
Decimal, etc.).<br />
3 Field Length Specifies the field length <strong>for</strong> named field.<br />
4 Number of Decimals Specifies the decimal placement within a<br />
zoned decimal field and the data type of the<br />
field as it appears in your program.<br />
5 Field Usage Specifies that a named field is an output-only<br />
or program-to-system field.<br />
6 Field CCSID (CCSID) - Specifies a coded character set<br />
identifier <strong>for</strong> character fields.<br />
7 Field Text (TEXT) - A text description (or comment) <strong>for</strong><br />
the record <strong>for</strong>mat or field that is used <strong>for</strong><br />
program documentation.<br />
8 Column Headings (COLHDG) - Specifies column headings used<br />
as a label <strong>for</strong> this field by various <strong>iSeries</strong> file<br />
tools.<br />
9 Keyboard Shift Character (REFSHIFT) - Specifies a keyboard shift <strong>for</strong> a<br />
field when the field is referred to in a display<br />
file or DFU operation.<br />
10 Allow NULLS (ALWNULL) - To define this field to allow the<br />
null value.<br />
11 Variable Length (VARLEN) - To define this field as a variable<br />
length field.<br />
12 Alias (ALIAS) - Specifies an alternative name <strong>for</strong><br />
the field.<br />
13 Default Values (DFT) - Specifies a default value <strong>for</strong> a field.<br />
375
Attribute<br />
Description<br />
14 Edit Formatting values (EDTCDE, EDTWRD, DATFMT, DATSEP,<br />
TIMFMT, TIMSEP) - Specifies editing <strong>for</strong> the<br />
field you are defining when the field is<br />
referenced later during display or printer file<br />
creation.<br />
15 Validity Checking (CHECK, COMP, RANGE, etc.) - Specifies<br />
validity checking in display files.<br />
16 Indicator <strong>for</strong> Double Precision An indicator <strong>for</strong> float type fields specifying<br />
single or double precision.<br />
17 Allocated Length The allocated length in bytes <strong>for</strong> data types<br />
that use variable lengths.<br />
Key Field Attributes<br />
See the IBM manual <strong>for</strong> the DDS description of keywords <strong>for</strong> KEYS.<br />
Attribute<br />
Description<br />
1 Key Field Name The field name of the key.<br />
2 Type of Sequence Defines the type of key and the sequence of<br />
the key.<br />
Database Attribute Considerations<br />
Special database functionality and in<strong>for</strong>mation such as triggers, file constraints,<br />
authorization lists, and alternate collating sequences are not stored in an archive.<br />
1. If a file has fields that have the option ALWNULL, warning message AQZ0521<br />
will be issued.<br />
2. If the file contains triggers, warning message AQZ0518 will be issued. Any<br />
in<strong>for</strong>mation about the triggers and associated programs are not stored in the<br />
archive.<br />
3. If a file has file constraints, warning message AQZ0519 will be issued.<br />
4. If an authorization list was specified <strong>for</strong> the file, then the AUT parameter is<br />
set to “*CHANGED.” The authorization list is not stored in the archive. It is<br />
up to the user to set the authorization list when extracted.<br />
5. If a file has an alternate collating sequence, warning message AQZ0520 will<br />
be issued. The in<strong>for</strong>mation about the alternate collating sequence is not<br />
stored the archive.<br />
If the database’s triggers, file constraints, alternate collating sequence, and logical<br />
files are to be preserved, then save the database file, trigger programs (if they<br />
exist), and logical files to a SAVF. Then compress the SAVF.<br />
Note: Using DBSERVICE(*YES) can increase the size of the archive because some<br />
databases may have hundreds of fields and attributes. If this archive will be used on<br />
a plat<strong>for</strong>m other than <strong>iSeries</strong> with SecureZIP <strong>for</strong> <strong>iSeries</strong> , these attributes are<br />
ignored and there<strong>for</strong>e should not be used.<br />
376
Source File Considerations<br />
When compressing source files, the use of the archive file should be considered. By<br />
using the DBSERVICE(*NO), only the data is extracted in text mode. Other attributes<br />
such as the sequences numbers and change dates are not included. This would be<br />
the desired method if the source members are being transferred to another plat<strong>for</strong>m,<br />
or if the sequence number and changes dates are not important. This method would<br />
also give the best results <strong>for</strong> the total size of the archive.<br />
If the sequence numbers and change dates are to be preserved, then you would use<br />
DBSERVICE(*YES) to store this source file as a database file. This would not work<br />
very well on non-EBCDIC plat<strong>for</strong>ms because the data is stored in binary mode with<br />
no EBCDIC to ASCII translation. The problem is that each member will have all<br />
available database attributes. This is still minimal because there are only three fields<br />
<strong>for</strong> a source database.<br />
Spool File Attributes<br />
When the files being compressed are from a spool file, the standard attributes are:<br />
Attribute<br />
Description<br />
1 Spool File Type Device type SCS, AFP, etc.<br />
2 Target Output Type The type of file that was archived or converted<br />
(spool file, text, or PDF).<br />
3 Internal Job and spool ID Internal Job and Spool codes controlling the<br />
spool file.<br />
4 Spool File description The description of the file using the file name,<br />
file number, job, user and job number.<br />
5 Pages Number of pages in the spool file.<br />
6 Code Page The code page the was used to convert the<br />
spool file to TEXT or PDF.<br />
7 OUTQ The OUTQ and the OUTQ library the spool<br />
file resided.<br />
8 User ID The user who created the spool file<br />
377
L<br />
FIPS-197 Certification of PKZIP <strong>for</strong><br />
AES<br />
Advanced Encryption Standard FIPS Validation<br />
PKZIP <strong>for</strong> OS/400 Version 5.5 and higher (which includes SecureZIP <strong>for</strong><br />
<strong>iSeries</strong>) use AES, which is the official US Government standard <strong>for</strong> encryption. The<br />
AES algorithm was approved as the Federal In<strong>for</strong>mation Processing Standard by the<br />
Commerce Department on May 26 th , 2002.<br />
The National Institute of Standards and Technology (NIST) has announced approval<br />
of the Federal In<strong>for</strong>mation Processing Standard (FIPS) <strong>for</strong> the AES algorithm (see<br />
NIST AES FIPS In<strong>for</strong>mation at http://csrc.nist.gov/CryptoToolkit/aes/).<br />
The PKZIP <strong>for</strong> OS/400 Version 5.5 implementation was validated in accordance<br />
with FIPS-197 <strong>for</strong> the Advanced encryption Standard. In<strong>for</strong>mation regarding the<br />
validation specification and certifications of PKWARE products can be found at<br />
http://www.csrc.nist.gov/cryptval/aes/aesval.html (certificate #63).<br />
The AES Algorithm<br />
The Rijndael algorithm chosen uses a combination of advanced security,<br />
per<strong>for</strong>mance, efficiency, ease of implementation, and flexibility to make it the<br />
appropriate standard of advanced encryption <strong>for</strong> the AES.<br />
Rijndael per<strong>for</strong>ms consistently in both hardware and software and in cross plat<strong>for</strong>m<br />
environments regardless of its use in feedback or non-feedback modes. Rijndael’s<br />
key setup time is very good, and its key agility is excellent. Memory requirements<br />
are very low, making it the first choice <strong>for</strong> restricted-space environments, in which it<br />
also demonstrates high per<strong>for</strong>mance. Power and timing attacks are easily defended<br />
against due to Rijndael's operations.<br />
Note that the AES was intentionally developed to replace DES.<br />
AES Key Sizes<br />
Currently, AES has three key sizes. They are: 128, 192, and 256 bits. Key sizes are<br />
depicted in the following decimal terms:<br />
• 3.4 x 10 38 possible 128-bit keys<br />
378
• 6.2 x 10 57 possible 192-bit keys<br />
• 1.1 x 10 77 possible 256-bit keys<br />
In comparison, DES keys are only 56 bits, which means there are approximately 7.2<br />
x 10 16 possible DES keys. There<strong>for</strong>e, there they are on the order of 10 21 times more<br />
AES 128-bit keys than DES 56-bit keys.<br />
379
M Contact In<strong>for</strong>mation<br />
PKWARE, Inc.<br />
Web Site: www.pkware.com<br />
For Licensing, please contact the Sales Division at 937-847-2374 or email<br />
PKSALES@PKWARE.COM.<br />
For Technical Support assistance, please contact the Product Services Division at<br />
937-847-2687 or visit the support web site.<br />
PROBLEM REPORTING<br />
Providing appropriate documentation on the initial call <strong>for</strong> a problem expedites the<br />
analysis and resolution process. The following sections describe the type of<br />
in<strong>for</strong>mation that should be supplied <strong>for</strong> each category of problem.<br />
PROBLEM REPORTING (General)<br />
When reporting a problem regarding PKZIP <strong>for</strong> <strong>iSeries</strong>, please be prepared to provide<br />
the following in<strong>for</strong>mation:<br />
• The displayed output from CALL ziplib/WHATOSV or the details that<br />
WHATOSV provides<br />
• Release level of the operating system<br />
• Release level of PKZIP <strong>for</strong> <strong>iSeries</strong> being run<br />
• A description of the process being run and any differentiating circumstances<br />
from job(s) that do run<br />
• A display of the command problem with parameters<br />
• A copy of the output and JobLog from the failing execution<br />
• If run from a CL and practical, please include source listing of the CL<br />
• If PKUNZIP is failing, provide the Output from the following:<br />
PKUNZIP TYPE(*VIEW) VIEWOPT(*ALL)<br />
380
• If requested by Technical Support, the display with various tracing options<br />
turned on<br />
• If practical, please include the archive/input file involved in the failing<br />
execution<br />
PROBLEM REPORTING (Licensing)<br />
When reporting a problem regarding licensing, please be prepared to provide the<br />
following in<strong>for</strong>mation:<br />
• The displayed output from CALL ziplib/WHATOSV<br />
• A copy of the INSTPKLIC command and its parameters<br />
• A copy of the output from the INSTPKLIC job<br />
If the problem occurs in a PKZIP/PKUNZIP job then follow the steps outlined above<br />
<strong>for</strong> PKZIP <strong>for</strong> <strong>iSeries</strong>.<br />
381
Glossary<br />
This glossary provides definitions <strong>for</strong> items that may have been referenced in the<br />
PKZIP ® documentation. It is not meant to be exhaustive. One Web site that provides<br />
excellent source documentation <strong>for</strong> computing terms is the IBM Terminology site:<br />
http://www-306.ibm.com/ibm/terminology<br />
Absolute Path Name<br />
A string of characters that is used to refer to an object, starting at the highest<br />
level (or root) of the directory hierarchy. The absolute path name must begin<br />
with a slash (/), which indicates that the path begins at the root. This is in<br />
contrast to a Relative Path Name. See also Path Name.<br />
AES<br />
The Advanced Encryption Standard is the official US Government encryption<br />
stand <strong>for</strong> customer data.<br />
American Standard Code <strong>for</strong> In<strong>for</strong>mation Interchange<br />
The ASCII code (American Standard Code <strong>for</strong> In<strong>for</strong>mation Interchange) was<br />
developed by the American National Standards Institute <strong>for</strong> in<strong>for</strong>mation<br />
exchange among data processing systems, data communications systems,<br />
and associated equipment and is the standard character set used on MS-DOS<br />
and UNIX-based operating systems. In a ZIP archive, ASCII is used as the<br />
normal character set <strong>for</strong> compressed text files. The ASCII character set<br />
consists of 7-bit control characters and symbolic characters, plus a single<br />
parity bit. Since ASCII is used by most microcomputers and printers, textonly<br />
files can be transferred easily between different kinds of computers and<br />
operating systems. While ASCII code does include characters to indicate<br />
backspace, carriage return, etc., it does not include accents and special<br />
letters that are not used in English. To accommodate those special<br />
characters, extended ASCII has additional characters (128-255). Only the<br />
first 128 characters in the ASCII character set are standard on all systems.<br />
Others may be different <strong>for</strong> a given language set. It may be necessary to<br />
create a different translation tables (see Translation Table) to create standard<br />
translation between ASCII and other character sets.<br />
American National Standards Institute (ANSI)<br />
An organization sponsored by the Computer and Business Equipment<br />
Manufacturers Association <strong>for</strong> establishing voluntary industry standards.<br />
382
ANSI<br />
See American National Standards Institute.<br />
API<br />
See Application Programming Interface, below.<br />
Application Programming Interface<br />
An interface between the operating system (or systems-related program) that<br />
allows an application program written in a high-level language to use specific<br />
data or services of the operating system or the program. The API also allows<br />
the user to develop an application program written in a high level language to<br />
access PKZIP data and/or functions of the PKZIP system.<br />
Application System/400 (<strong>iSeries</strong>)<br />
One of a family of general purpose systems with a single operating system<br />
(Operating System/400) that provides application portability across all<br />
models.<br />
Archive<br />
The act of transferring files from the computer into a long-term storage<br />
medium. Archived files are often compressed to save space.<br />
An individual file or group of files which must be extracted and decompressed<br />
in order to be used.<br />
A file stored on a computer network, which can be retrieved by a file transfer<br />
program (FTP) or other means.<br />
The PKZIP file that holds the compressed/zipped data file.<br />
ASCII<br />
See American Standard Code <strong>for</strong> In<strong>for</strong>mation Interchange.<br />
<strong>iSeries</strong><br />
See Application System/400, above.<br />
<strong>iSeries</strong> Object<br />
An object that exists in a library on the <strong>iSeries</strong> system and is represented by<br />
an object on the PC. For example, a user profile is an <strong>iSeries</strong> object<br />
represented on the PC by the user profile object.<br />
Authorized Program Analysis Report (APAR)<br />
A request <strong>for</strong> correction of a defect in a current release of an IBM supplied<br />
program.<br />
383
Bandwidth<br />
The capacity of a communications line, normally expressed in bits per second<br />
(bps). A lack of bandwidth is one of the prime motivations <strong>for</strong> using<br />
compression software.<br />
Batch Job<br />
A predefined group of processing actions submitted to the system to be<br />
per<strong>for</strong>med with little or no interaction between the user and the system. This<br />
is in contrast to an Interactive Job.<br />
Binary File<br />
A file that contains codes that are not part of the ASCII character set. Binary<br />
files can utilize all 256 possible values <strong>for</strong> each byte in the file.<br />
Bit<br />
A contraction of binary digit. Either of the binary digits, 0 or 1. Compare with<br />
Byte.<br />
Block<br />
A group of records that are recorded or processed as a unit.<br />
A set of adjacent records stored as a unit on a disk, diskette, or magnetic<br />
tape.<br />
Byte<br />
The smallest unit of storage that can be addressed directly.<br />
A group of 8 adjacent bits. In the EBCDIC/ASCII coding system, 1 byte can<br />
represent a character. In the double-byte coding system, 2 bytes represent a<br />
character.<br />
Code Page<br />
A specification of code points <strong>for</strong> each graphic character set or <strong>for</strong> a collection<br />
of graphic character sets. Within a given code page, a code point can have<br />
only one specific meaning. A code page is also sometimes known as a code<br />
set.<br />
Command Line<br />
The blank line on a display console where commands, option numbers, or<br />
selections can be entered.<br />
Control Language (CL) Program<br />
A program that is created from source statements consisting entirely of<br />
control language commands.<br />
384
CRC<br />
See Cyclic Redundancy Check.<br />
Cryptography<br />
A method of protecting data. Cryptographic services include data encryption<br />
and message authentication.<br />
In cryptographic software, the trans<strong>for</strong>mation of data to conceal its meaning;<br />
secret code.<br />
The trans<strong>for</strong>mation of data to conceal its in<strong>for</strong>mation content, to prevent its<br />
undetected modification, or to prevent its unauthorized use.<br />
Current Library<br />
The library that is specified to be the first user library searched <strong>for</strong> objects<br />
requested by a user. The name <strong>for</strong> the current library can be specified on the<br />
sign-on display or in a user profile. When you specify an object name (such<br />
as the name of a file or program) on a command, but do not specify a library<br />
name, the system searches the libraries in the system part of the library list,<br />
then searches the current library be<strong>for</strong>e searching the user part of the library<br />
list. The current library is also the library that the system uses when you<br />
create a new object, if you do not specify a library name.<br />
Cyclic Redundancy Check (CRC)<br />
A Cyclic Redundancy Check is a number derived from a block of data, and<br />
stored or transmitted with the data in order to detect any errors in<br />
transmission. This can also be used to check the contents of a ZIP archive.<br />
It's similar in nature to a checksum. A CRC may be calculated by adding<br />
words or bytes of the data. Once the data arrives at the receiving computer,<br />
a calculation and comparison is made to the value originally transmitted. If<br />
the calculated values are different, a transmission error is indicated. The CRC<br />
in<strong>for</strong>mation is called redundant because it adds no significant in<strong>for</strong>mation to<br />
the transmission or archive itself. It’s only used to check that the contents of<br />
a ZIP archive are correct. When a file is compressed, the CRC is calculated<br />
and a value is calculated based upon the contents and using a standard<br />
algorithm. The resulting value (32 bits in length) is the CRC that is stored<br />
with that compressed file. When the file is decompressed, the CRC is<br />
recalculated (again, based upon the extracted contents), and compared to the<br />
original CRC. Error results will be generated showing any file corruption that<br />
may have occurred.<br />
Data Compression<br />
The reduction in size (or space taken) of data volume on the media when<br />
per<strong>for</strong>ming a save or store operations.<br />
Data Integrity<br />
The condition that exists as long as accidental or intentional destruction,<br />
alteration, or loss of data does not occur.<br />
385
Within the scope of a unit of work, either all changes to the database<br />
management systems are completed or none of them are. The set of change<br />
operations are considered an integral set.<br />
DBCS<br />
See Double-byte Character Set.<br />
Double-byte Character Set (DBCS)<br />
A set of characters in which each character is represented by 2 bytes.<br />
Languages such as Japanese, Chinese, and Korean, which contain more<br />
symbols than can be represented by 256 code points, require double-byte<br />
character sets. Because each character requires 2 bytes, the typing,<br />
displaying, and printing of DBCS characters requires hardware and programs<br />
that support DBCS. Four double-byte character sets are supported by the<br />
system: Japanese, Korean, Simplified Chinese, and Traditional Chinese. See<br />
also the Single-Byte Character Set (SBCS).<br />
EBCDIC<br />
See the Extended Binary Coded Decimal Interchange Code, below.<br />
Encryption<br />
The trans<strong>for</strong>mation of data into an unintelligible <strong>for</strong>m so that the original data<br />
either cannot be obtained or can be obtained only by decryption.<br />
Extended Attribute<br />
In<strong>for</strong>mation attached to an object that provides a detailed description about<br />
the object to an application system or user.<br />
Extended Binary Coded Decimal Interchange Code (EBCDIC)<br />
The Extended Binary Coded Decimal Interchange Code is an 8-bit binary code<br />
<strong>for</strong> larger IBM mainframes in which each byte represents one alphanumeric<br />
character or two decimal digits. The single-byte structure has a range of<br />
X’00’ to X’FF’. Control commands are subset with a range of X’00’ to X’3F’<br />
while graphic characters have a range from X’41’ to X’FE’. The space<br />
character is represented by a X’40’. EBCDIC is similar in nature to ASCII<br />
code, which is used on many other computers. When ZIP programs compress<br />
a text file, they translate data from EBCDIC to ASCII characters within a ZIP<br />
archive using a translation table.<br />
File Transfer Protocol (FTP)<br />
In TCP/IP, an application protocol used <strong>for</strong> transferring files to and from host<br />
computers. FTP requires a user ID and possibly a password to allow access to<br />
files on a remote host system. FTP assumes that the transmission control<br />
protocol (TCP) is the underlying protocol.<br />
386
FTP<br />
See File Transfer Protocol above.<br />
GZIP<br />
GZIP (also known as GNU zip) is a compression utility designed to utilize a<br />
different standard <strong>for</strong> handling compressed file data in an archive. Its main<br />
advantages over other compression utilities are much better compression and<br />
freedom from patented algorithms. It has been adopted by the GNU project<br />
and is now relatively popular on the Internet. Additional in<strong>for</strong>mation can be<br />
found at http://www.gzip.org.<br />
Host<br />
The controlling or highest-level system in a data communications<br />
configuration. For example, an <strong>iSeries</strong> system is the host system <strong>for</strong> the work<br />
stations connected to it.<br />
Integrated File System<br />
A function of the operating system that provides storage support similar to<br />
personal computer operating systems (such as DOS and OS/2) and UNIX<br />
systems.<br />
Interactive Job<br />
A job started <strong>for</strong> a person who signs on to a work station and communicates<br />
(or “converses”) with another computing entity such as a mainframe or<br />
<strong>iSeries</strong> system. This is in contrast to a Batch Job.<br />
Keyed Sequence<br />
An order in which records are retrieved based on the contents of key fields in<br />
records. For example, a bank name and address file might be in order and<br />
keyed by the account number.<br />
Keyword<br />
A mnemonic (abbreviation) that identifies a parameter in a command.<br />
A user-defined word used as one of the search values to identify a document<br />
during a search operation.<br />
In COBOL, a reserved word that is required by the syntax of a COBOL<br />
statement or entry.<br />
In DDS, a name that identifies a function.<br />
In REXX, a symbol reserved <strong>for</strong> use by the language processor in a certain<br />
context. Keywords include the names of the instructions and ELSE, END,<br />
OTHERWISE, THEN, and WHEN.<br />
In query management, one of the predefined words associated with a query<br />
command.<br />
A name that identifies a parameter used in an SQL statement.<br />
387
LAC<br />
See License Authorization Code, below.<br />
Lempel-Ziv (LZ)<br />
A technique <strong>for</strong> compressing data. This technique replaces some character<br />
strings, which occur repeatedly within the data, with codes. The encoded<br />
character strings are then kept in a common dictionary, which is created as<br />
the data is being sent.<br />
Library List<br />
A list that indicates which libraries are to be searched and the order in which<br />
they are to be searched. The system-recognized identifier is *LIBL.<br />
License Authorization Code (LAC)<br />
The inserted code that is needed to unlock an <strong>iSeries</strong> licensed program.<br />
Logical Partition<br />
A subset of a single <strong>iSeries</strong> system that contains resources (such as<br />
processors, memory, and input/output devices). A logical partition operates<br />
as an independent system. If hardware requirements are sufficient, multiple<br />
logical partitions can exist within a system.<br />
LZ<br />
See the entry <strong>for</strong> Lempel-Ziv (LZ), above.<br />
New ZIP Archive<br />
A new ZIP archive is the archive created by a compression program when<br />
either an old ZIP archive is updated or when files are compressed and no ZIP<br />
archive currently exists. It may be thought of as the “receiving” archive.<br />
Also see Old ZIP archive.<br />
Null Value<br />
A parameter position within a record <strong>for</strong> which no value is specified.<br />
n-way Processor Architecture<br />
A processor architecture that provides expandability <strong>for</strong> future system growth<br />
by allowing <strong>for</strong> additional processors. To the user, the additional processors<br />
are transparent because they separately manage the work load by sharing<br />
the work evenly among the n-way processors.<br />
Old ZIP Archive<br />
An old ZIP archive is an existing archive which is opened by a compression<br />
program to be updated or <strong>for</strong> its contents to be extracted. It may be thought<br />
of as the “sending” archive. Also see New ZIP archive.<br />
388
Operating System/400 (OS/400)<br />
An IBM-licensed program that is as the primary operating system <strong>for</strong> an<br />
<strong>iSeries</strong> system.<br />
OS/400<br />
See Operating System/400, above.<br />
Output Queue<br />
An AS/400 object that contains entries <strong>for</strong> spooled output files to be written<br />
to an output device.<br />
Packed Decimal Format<br />
A decimal value in which each byte within a field represents two numeric<br />
digits except the far right byte, which contains one digit in bits 0 through 3<br />
and the sign in bits 4 through 7. For all other bytes, bits 0 through 3<br />
represent one digit; bits 4 through 7 represent one digit. For example, the<br />
decimal value +123 is represented as 0001 0010 0011 1111 (or 123F in<br />
hexadecimal).<br />
Path Name<br />
A string of characters used to refer to an object. The string can consist of one<br />
or more elements, each separated by a slash (/), and may begin with a slash.<br />
Each element is typically a directory or equivalent, except <strong>for</strong> the last<br />
element, which can be a directory or another object (such as a file).<br />
A sequence of directory names followed by a file name, each separated by a<br />
slash.<br />
In a hierarchical file system (HFS), the name used to refer to a file or<br />
directory. The path name must start with a slash (/) and consist of elements<br />
separated by a slash. The first element must be the name of a registered file<br />
system. All remaining elements must be the name of a directory, except the<br />
last element, which can be the name of a directory or file. See also Absolute<br />
Path Name and Relative Path Name.<br />
The name of an object in the integrated file system. Protected objects have<br />
one or more path names.<br />
Physical File<br />
Describes how data is to be presented to (or received from) a program and<br />
how data is stored in the database. A physical file contains a single record<br />
<strong>for</strong>mat and at least one member.<br />
Physical File Member<br />
A named subset of the data records in a physical file. See also member.<br />
389
Production Library<br />
A library which contains objects needed <strong>for</strong> normal processing. This contrasts<br />
with a Test Library.<br />
Program Temporary Fix (PTF)<br />
A temporary solution to (or a bypass of) a problem that is necessary to<br />
provide a complete solution to correct a defect in a current unaltered release<br />
of a program. May also be used to provide an enhancement to a product<br />
be<strong>for</strong>e a new release of the product is available. Generally, PTFs are<br />
incorporated in a future release of the product.<br />
PTF<br />
See Program Temporary Fix, above.<br />
QSYS<br />
The library shipped with the <strong>iSeries</strong> system that contains objects, such as<br />
authorization lists and device descriptions created by a user, and the system<br />
commands and other system objects required to run the system. The system<br />
identifier is QSYS.<br />
Qualified Name<br />
The full name of the library that contains the object and the name of the<br />
object.<br />
Record<br />
A group of related data, words, or fields treated as a single unit, such as a<br />
name, address, and social security number.<br />
Reduced Instruction Set Computer (RISC)<br />
A RISC computer uses a small, highly efficient subset of the instructions<br />
available on a standard computer. This allows <strong>for</strong> rapid processing.<br />
Relative Path Name<br />
A string of characters that is used to refer to an object, starting at some point<br />
in the directory hierarchy other than the root. A relative path name does not<br />
begin with a slash (/). The starting point is frequently a user's current<br />
directory. This is in contrast to an Absolute Path Name. See also Path Name.<br />
Return Code<br />
A value generated by operating system software to a program to indicate the<br />
results of an operation by that program. The value may also be generated by<br />
the program and passed back to the operator.<br />
390
RISC<br />
See Reduced Instruction Set Computer, above.<br />
SBCS<br />
See Single-Byte Character Set.<br />
Service Pack<br />
The <strong>iSeries</strong> product has available a collection of code fixes that contain PC<br />
code. These fixes are contained in a single program temporary fix (PTF)<br />
which makes installation easier.<br />
Single-Byte Character Set (SBCS)<br />
A coded character set in which each character is represented by a one-byte<br />
code point. A one-byte code point allows representation of up to 256<br />
characters. Languages that are based on an alphabet, such as the Latin<br />
alphabet (as contrasted with languages that are based on ideographic<br />
characters) are usually represented by a single-byte coded character set. For<br />
example, the Spanish language can be represented by a single-byte coded<br />
character set. See also the Double-Byte Character Set (DBCS).<br />
Source File<br />
A file of programming code that has not yet been compiled into machine<br />
language. A source file can be created by the specification of<br />
FILETYPE(*SRC) on the create command. A source file can contain source<br />
statements <strong>for</strong> such items as high-level language programs and data<br />
description specifications. Source files maintained on a PC typically use a<br />
.TXT as the extension. On a mainframe, source files are typically found in a<br />
partitioned data set or are maintained within a library management tool.<br />
Spool File<br />
Files that exist in an "output queue" which contain reports to printed on the<br />
AS/400 system. Theses files along with attributes can then be directed and<br />
trans<strong>for</strong>med to a printer attached to your system.<br />
Stream File<br />
A data file that contains continuous streams of bits such as PC files,<br />
documents, and other data stored in <strong>iSeries</strong> folders. Stream files are well<br />
suited <strong>for</strong> storing strings of data such as the text of a document, images,<br />
audio, and video. The content and <strong>for</strong>mat of stream files are managed by the<br />
application rather than by the system.<br />
System Library<br />
The library shipped with the operating system that contains objects such as<br />
authorization lists and device descriptions created by a user. Also included<br />
are system commands and other system objects required to run the system.<br />
The system identifier is QSYS.<br />
391
System Processor<br />
The operating system logic that contains the processor function to translate<br />
and process OS/400 control language commands and programming language<br />
statements.<br />
Time Stamp<br />
A software mechanism <strong>for</strong> recording the current date and/or current time of<br />
day.<br />
Translation Table<br />
Translation tables are used by the PKZIP and PKUNZIP programs <strong>for</strong><br />
translating characters in compressed text files between the ASCII character<br />
sets used within a ZIP archive and the EBCDIC character set used on IBMbased<br />
systems. These tables may be created and modified by the user as<br />
documented in the <strong>User's</strong> <strong>Guide</strong>.<br />
Trigger<br />
A set of predefined actions that run automatically whenever a specified action<br />
or change occurs, <strong>for</strong> example, a change to a specified table or file. Triggers<br />
are often used to automate environments, such as running a backup when a<br />
certain number of transactions are processed.<br />
Truncate<br />
To cut off or delete the data that will not fit within a specified line width or<br />
display. This may also be attributed to data that does not fit within the<br />
specified length of a field definition.<br />
User Interface<br />
The actions or items that allow a user to interact with (and/or per<strong>for</strong>m<br />
operations on) a computer.<br />
Variable-Length<br />
A characteristic of a file in which the individual records (and/or the file itself)<br />
can be of varying length. See also Fixed-Length.<br />
ZIP64<br />
ZIP64 is reference to the archive <strong>for</strong>mat that supports more than 65,534 files<br />
per archive, uncompressed files greater than 4 Gig and archives greater than<br />
4 Gig.<br />
ZIP Archive<br />
A ZIP archive is used to refer to a single file that contains a number of files<br />
compressed into a much smaller physical space by the ZIP software.<br />
392
3270 Display Emulation<br />
A personal computer-based program that allows a PC to per<strong>for</strong>m like a 3270<br />
display station or printer. The program will allow use of the various <strong>iSeries</strong><br />
system functions.<br />
5250 Emulation<br />
A personal computer-based program that allows a PC to per<strong>for</strong>m like a 5250<br />
display station or printer. The program will allow use of the various <strong>iSeries</strong><br />
system functions.<br />
393
Index<br />
/ file system, 63<br />
3<br />
3270 Display Emulation, 393<br />
3DES, 16, 17<br />
5250 Emulation, 393<br />
/<br />
5<br />
A<br />
About this Manual, 1<br />
Absolute Path Name, 382<br />
ADVCRYPT, 116, 181<br />
AES, 17, 382<br />
AES Algorithm, 378<br />
AES FIPS Validation, 378<br />
AES Key Sizes, 378<br />
Alternate Install from SAVF with Non-Standard<br />
Library Name, 46<br />
American National Standards Institute, 382<br />
American Standard Code <strong>for</strong> In<strong>for</strong>mation Interchange,<br />
382<br />
ANSI, 383<br />
API, 383<br />
Application Programming Interface, 383<br />
Application System/400 (AS/400), 383<br />
AQZ0001 - AQZ0799 Messages, 234<br />
AQZ0012 - PKZIP ending with Nothing to do <strong>for</strong>,<br />
232, 235<br />
AQZ0020 - PKZIP Completed Successfully, 232, 236<br />
AQZ0022 - PKZIP Completed with Errors, 232, 236<br />
AQZ0024 - PKZIP Completing with a Warning. No<br />
Files Selected, 232, 236<br />
AQZ0037, 232, 238<br />
AQZ0038 - PKUNZIP Completed with Errors., 232,<br />
238<br />
AQZ0043, 239<br />
AQZ0044 - PKUNZIP Completed with Errors., 239<br />
AQZ0045, 239<br />
AQZ0046 - PKUNZIP Completed with Errors., 239<br />
AQZ0047, 240<br />
AQZ0048 - PKUNZIP Completed with Errors., 240<br />
AQZ0049, 240<br />
AQZ0050 - PKUNZIP Completed with Errors., 240<br />
AQZ0143-00, 246<br />
AQZ0262, 261<br />
AQZ0800 - AQZ0899 *VIEW Display Messages, 288<br />
AQZ8xxx configuration messages, 302<br />
AQZ9xxx LICENSE Messages, 311<br />
Archive, 383<br />
ARCHIVE, 117, 156<br />
Archive Placement (IFS or in a Library), 336<br />
archives, 6<br />
updating, 103<br />
viewing, 28, 94, 103<br />
ARCHTEXT, 118<br />
AS/400, 383<br />
AS/400 Object, 383<br />
ASCII, 57, 383<br />
AUTHCHK, 118, 157<br />
authenticating, 97<br />
authentication, 13, 14<br />
authority settings, 58<br />
Authorized Program Analysis Report (APAR), 383<br />
AUTHPOL, 122, 160, 185<br />
Bandwidth, 384<br />
Batch Job, 384<br />
Binary File, 384<br />
binary records, 52<br />
Bit, 384<br />
Block, 384<br />
Byte, 384<br />
CERTDB, 191<br />
certificate<br />
stores, 25<br />
certificate authority, 15, 20, 80<br />
certificate locator database, 81, 85, 92<br />
certificate revocation list store, 81<br />
certificate revocation lists, 81, 100<br />
certificate stores, 79, 80, 81, 85, 215<br />
testing, 88<br />
certificates, 14, 15, 76, 215<br />
end entity, 16<br />
locating, 79<br />
root, 16<br />
CERTSELT, 189<br />
Code Page, 384<br />
Command Line, 384<br />
B<br />
C<br />
394
Commands, 152<br />
Comment Control Card, 41<br />
COMPAT, 123<br />
COMPRESS, 124<br />
Compressing, 230<br />
Compressing a file, 231<br />
Compressing a SAVF file, 67<br />
Compressing SPOOL Files, 68<br />
Compression, 5, 40<br />
Compression Type Per<strong>for</strong>mance, 335<br />
Conditional Use, 44<br />
configuration profiles, 77<br />
Control Language (CL) Program, 384<br />
Conventions Used in this Manual, 2<br />
CRC, 6, 13, 385<br />
Creating Commands with new defaults, 371<br />
Creating List Files, 356<br />
Creating new Translation Table Members, 360<br />
CRL. See certificate revocation lists<br />
CRL <strong>for</strong>mat, 217<br />
cross-plat<strong>for</strong>m compatibility, 8, 229<br />
CRTLIST, 124, 162<br />
Cryptography, 385<br />
CSCA, 193<br />
CSCRL, 194<br />
CSPRVT, 193<br />
CSPUB, 192<br />
CSROOT, 194<br />
Current Library, 385<br />
Customer Control Card, 41<br />
CVTDATA, 125, 162<br />
CVTFLAG, 125, 162<br />
CVTNAME name conversion program, 349<br />
CVTTYPE, 125, 163<br />
CWRKPATH, 195<br />
Cyclic Redundancy Check (CRC), 385<br />
D<br />
Data Compression, 385<br />
data <strong>for</strong>mat, text vs. binary, 52<br />
Data Integrity, 385<br />
data security, 12, 22, 75<br />
Data Type Selection, 336<br />
Database Attribute Considerations, 376<br />
DATABASE Attributes, 373<br />
DATEAB, 126<br />
DATETYPE, 126<br />
DBCS, 386<br />
DBSERVICE, 126<br />
Decompression, 40<br />
decrypting, 94<br />
DELIM, 127<br />
DES, 16<br />
DFTARCHREC, 126<br />
DFTDBRECLN, 163<br />
directories, 62<br />
DIRNAMES, 127<br />
DIRRECRS, 127<br />
Document Library Services file system, 63<br />
Document Library Services file system (QDLS), 64<br />
Double-byte Character Set (DBCS), 386<br />
DROPPATH, 163<br />
E<br />
EBCDIC, 57, 386<br />
ENCRYPOL, 131, 187<br />
encryption, 12, 22, 24, 386<br />
algorithms, 16<br />
filename, 26, 102<br />
methods, 23<br />
passwords, 19, 24<br />
recipient-based, 19, 24, 93<br />
Windows compatibility, 23<br />
Encryption Per<strong>for</strong>mance, 337<br />
ENTPREC, 128, 164, 195<br />
Escape Messages, 232, 236, 238, 239, 240<br />
Example 1 - PKUNZIP Files to a New or Different<br />
Library, 339<br />
Example 2 - CLP with Override <strong>for</strong> Stdout and Stderr<br />
to an OUTQ, 340<br />
Example 3 - Creating an Archive in Personal Folders<br />
(QDLS), 341<br />
Example 4 - Processing Archive on a CD (QOPT),<br />
342<br />
Example 5 - Compressing files from a CD (QOPT),<br />
343<br />
Example 6 - Compressing CL with MSG Checking,<br />
344<br />
Example 7 - Compressing Spool Files Samples, 345<br />
Example 8 - PKZSPOOL the last spool file of current<br />
Job, 346<br />
Example 9 - CL to submit a job to compress all spool<br />
files <strong>for</strong> a job to a PDF, 346<br />
Example of PKZTABLES (USASCII) Translation<br />
Table, 360<br />
Examples, 339<br />
EXCLFILE, 132, 167<br />
EXCLUDE, 133, 167<br />
EXDIR, 168<br />
EXRROPT, 132<br />
Extended Attributes, 372, 386<br />
Extended Attributes Selections, 337<br />
Extended Binary Coded Decimal Interchange Code<br />
(EBCDIC), 386<br />
extended features, 30<br />
Extracting, 230<br />
extracting files, 55<br />
IFS, 57<br />
Extracting Records into a SAVF file, 67<br />
extracting spool files, 58<br />
extracting Windows text files, 54<br />
EXTRAFLD, 133<br />
F<br />
Feature Control Card, 41<br />
file attributes, 53<br />
File Considerations, 7<br />
file exclusion inputs, 50<br />
File Field Attributes, 375<br />
file names, 32<br />
File Physical Attributes, 374<br />
file processing support, 61<br />
395
file selection and name processing, 48<br />
file selection inputs, 48<br />
File Transfer Protocol (FTP), 386<br />
filename encryption, 102<br />
GZIP, 229<br />
FILES, 134, 168<br />
FILESTEXT, 134<br />
FILETYPE, 135, 169<br />
FIPS, 16<br />
FND, 136<br />
FTP, 35, 387<br />
FTRAN, 136, 169<br />
G<br />
GIGA ZIP, 40<br />
Global settings, 45<br />
Glossary, 382<br />
GNU zip, 227<br />
GZIP, 137, 387<br />
GZIP archives, 228<br />
GZIP Compressing, 230<br />
GZIP Extracting, 230<br />
GZIP processing, 227, 229<br />
GZIP restrictions, 229<br />
History of Changes, 367<br />
Host, 387<br />
I<br />
IBM publications, 3<br />
IFS File Handler, 40<br />
IFS file system, 62, 63<br />
IFS Summary, 67<br />
IFSCDEPAGE, 137, 170<br />
Implementation Considerations, 362<br />
INCLFILE, 138, 170<br />
In<strong>for</strong>mation on the Internet, 4<br />
Input ZIP Archive files, 51<br />
Install Basic, 42<br />
Install Demo, 41<br />
Install Single, 42<br />
installation, 33<br />
Installation Procedures, 35<br />
Integrated File System, 387<br />
Interactive Job, 387<br />
interactive per<strong>for</strong>mance, 335<br />
intermediate store, 81<br />
International Code Page Support, 359<br />
H<br />
K<br />
Key Features, 362, 364, 365<br />
Key Field Attributes, 376<br />
Keyed Sequence, 387<br />
keys, 14, 18, 20<br />
accessing, 76<br />
Keyword, 387<br />
L<br />
LAC, 388<br />
Large File Considerations, 7<br />
Large File Support File Capacities, 7<br />
Large File Support Summary, 7<br />
LDAP, 79<br />
LDAP certificate store, 81<br />
LDAP directories, 80, 86<br />
LDAP1, 196<br />
LDAPACTV, 196<br />
Library file system, 63<br />
Library List, 388<br />
License Authorization Code (LAC), 388<br />
Licensed Product Features, 38<br />
Licensing Requirements, 36<br />
List Files, 61, 67, 124, 132, 138, 151, 162, 167, 170,<br />
173, 356<br />
List Files and their Usage, 356<br />
local certificate store, 80, 84<br />
Logical Partition, 388<br />
LZ, 388<br />
M<br />
MD5, 13<br />
memory errors, 348<br />
Messages, 232<br />
MONMSG, 232, 235, 236, 238, 239, 240<br />
MSGTYPE, 138, 171<br />
N<br />
name conversion program CVTNAME, 349<br />
name processing, 48<br />
Network File System, 64<br />
New Features, 10<br />
New ZIP Archive, 388<br />
NFS, 64<br />
Non-Standard Library Name, 46<br />
Notices, 1<br />
Null Value, 388<br />
n-way Processor Architecture, 388<br />
O<br />
OAEP processing, 24<br />
Old ZIP Archive, 388<br />
Open Systems file system, 64<br />
operating environment, 44<br />
Optical file system, 63<br />
Optical File System (QOPT), 65<br />
OS/400, 389<br />
Other IFS Objects, 63<br />
Output Queue, 389<br />
OVERWRITE, 171<br />
Overwriting Current SAVF File, 68<br />
Packed Decimal Format, 389<br />
PASSWORD, 138, 151, 171, 182<br />
passwords, 19, 29<br />
path name, 62, 389<br />
P<br />
396
absolute, 62<br />
relative, 63<br />
paths, 57<br />
to certificate stores, 84<br />
PDF Creation Attributes, 365<br />
PEM <strong>for</strong>mat, 84, 217<br />
per<strong>for</strong>mance considerations, 335<br />
Physical File, 389<br />
Physical File Member, 389<br />
Physical Files (both Source and Data), 372<br />
PING option, 87<br />
PKBLDCDB command details, 204<br />
PKBLDCDB command summary, 203<br />
PKBLDCDB utility, 85<br />
PKCFGSEC command, 77, 86<br />
PKCFGSEC command details, 180<br />
PKCFGSEC command summary, 176<br />
PKCS#12 <strong>for</strong>mat, 84<br />
PKCS#7 <strong>for</strong>mat, 81, 84, 217<br />
PKI, 13, 14<br />
PKLDAPTST command details, 200<br />
PKLDAPTST command summary, 199<br />
PKQRYCDB command details, 210<br />
PKQRYCDB command summary, 210<br />
PKSTORADM command details, 216<br />
PKSTORADM command summary, 215<br />
PKUNZIP Command, 152<br />
PKUNZIP command details, 156<br />
PKUNZIP command summary, 152<br />
PKZCF1F file, 81<br />
PKZCF1LCN file, 81<br />
PKZCF1LEM file, 81<br />
PKZCF1LPH file, 81<br />
PKZDTA5 Data Area, 45<br />
PKZIP command, 110<br />
PKZIP command details, 116<br />
PKZIP <strong>for</strong> DOS, 32<br />
PKZIP library<br />
renaming, 45<br />
PKZSPOOL command, 110<br />
PKZTABLES, 360<br />
plat<strong>for</strong>m-specific differences, 31<br />
Preface, 1<br />
private key, 14, 15, 76, 86<br />
private-key, 23<br />
Processing with GZIP, 227<br />
Production Library, 390<br />
Program Temporary Fix (PTF), 390<br />
PTF, 390<br />
public key, 14, 15, 16, 76, 85<br />
QDLS, 63<br />
QDLS file system, 64<br />
QFileSvr.400, 64<br />
QNetWare, 64<br />
QNTC, 64<br />
QOpenSys, 64<br />
QOPT, 63, 65<br />
QSYS, 390<br />
QSYS file system, 61<br />
Q<br />
QSYS library file system, 55<br />
QSYS.LIB, 63<br />
Qualified Name, 390<br />
R<br />
RC4, 18<br />
recipients, 19, 23, 26, 79, 95<br />
searching <strong>for</strong>, 79<br />
Record, 390<br />
Record Layouts, 40<br />
Reduced Instruction Set Computer (RISC), 390<br />
Related Publications, 3<br />
Relative Path Name, 390<br />
Release Licensing, 36<br />
Release Summary, 10<br />
Reporting, 42<br />
Reporting Environment, 36<br />
restoring the library, 35<br />
Restrictions, 10<br />
Return Code, 390<br />
REVKEPOL, 189<br />
RISC, 391<br />
root, 63<br />
root store, 81, 84<br />
Running Without the Library in the Library List, 46<br />
Sample CVTNAME, 350<br />
Sample GZIP Processing, 231<br />
SAVF, 67, 373<br />
SAVF method, 32<br />
SBCS, 391<br />
SECTYPE, 180<br />
SecureZIP<br />
invoking, 31<br />
Self Extracting, 40, 139, 245, 320<br />
self-extracting archives, 71<br />
SELFXTRACT, 139<br />
Service Pack, 391<br />
SFFORM, 140<br />
SFJOBNAM, 141<br />
SFQUEUE, 140, 172<br />
SFSTATUS, 141<br />
SFTARGET, 141<br />
SFTGFILE, 142<br />
SFUSER, 139<br />
SFUSRDTA, 140<br />
SHA-1, 13<br />
signatures, 13<br />
SIGNERS, 144<br />
signing, 14, 15, 96, 99<br />
SIGNPOL, 147, 183<br />
Source File, 391<br />
Source File Considerations, 377<br />
SPLF Attributes, 364<br />
SPLFILE, 143<br />
SPLNBR, 143<br />
SPLUSRID, 172<br />
Spool File, 391<br />
Spool File Attributes, 377<br />
SPOOL File Selecting, 51<br />
S<br />
397
Spool File Selections, 364<br />
spool files, 68<br />
SPOOL Files Considerations, 364<br />
Standard “IFS” Attributes, 373<br />
Standard Code Page Support, 358<br />
Standard QSYS Library File System Attributes, 372<br />
Status Messages, 232, 235, 236, 238, 239, 240<br />
STOREPATH, 149<br />
Stream File, 391<br />
stream files, 63<br />
System Library, 391<br />
System Processor, 392<br />
T<br />
temporary archive files, 71<br />
test certificates, 87<br />
text records, 52<br />
Time Stamp, 392<br />
TMPPATH, 149<br />
TRAN, 150, 172<br />
Translation Tables, 358, 360, 392<br />
Trial Period, 36<br />
Trigger, 392<br />
Triple DES, 16<br />
Truncate, 392<br />
trust chain, 15<br />
TSTCERTS program, 88<br />
TYPARCHFL, 150, 173<br />
TYPE, 116, 156, 180<br />
TYPFL2ZP, 150, 173<br />
TYPLISTFL, 151, 173<br />
UDFS, 64<br />
U<br />
unloading from a CD ROM, 34<br />
unloading from tape, 33<br />
Updating License Files, 37<br />
USASCII, 360<br />
User Interface, 392<br />
User-Defined File System, 64<br />
Using QSYS.LIB Through the Integrated File System<br />
Interface, 66<br />
V<br />
Variable-Length, 392<br />
VERBOSE, 151, 173<br />
View Demo, 42<br />
View Single, 43<br />
View Single with Exception, 43<br />
VIEWOPT, 174<br />
VIEWSORT, 174<br />
W<br />
Windows NT Server file system, 64<br />
X.509, 15<br />
ZIP archives, 70, 71, 392<br />
ZIP file <strong>for</strong>mat specification, 9<br />
ZIP files, 52<br />
ZIP Processing File Selection, 48<br />
ZIP64, 7, 250, 299, 336, 367, 392<br />
ZIP64 Processing Considerations, 336<br />
ZPCA801x – ZPCA899x Messages, 321<br />
X<br />
Z<br />
398