What's New in Security for IBM i?


Page 1: What's New in Security for IBM i?

©2012 IBM Corporation

What’s New In IBM i

7.1 & 7.2 Security Presented by Robin Tatam & Jeff Uehling

Page 2: What's New in Security for IBM i?

© 2014 International Business Machines Corporation


Today’s Speakers

Robin Tatam

Director of Security Technologies

[email protected]

Jeff Uehling

IBM i Security Development

[email protected]

Page 3: What's New in Security for IBM i?


About PowerTech

• Premier Provider of Security Solutions & Services

– 17 years in the security industry as an established thought-leader

– Customers in over 70 countries, representing every industry

– Security subject-matter-expert for COMMON

• IBM Advanced Business Partner

• Member of PCI Security Standards Council

• Authorized by NASBA to issue CPE Credits for Security Education

• Publisher of the Annual “State of IBM i Security” Report

Page 4: What's New in Security for IBM i?


6.1 & 7.1 Security Enhancements

Overview

Page 5: What's New in Security for IBM i?


Password Rule & User Profile Enhancements

• New system values supported

– QPWDRULES, define new pwd rules

– QPWDEXPWRN, define pwd expired warning interval

– QPWDCHGBLK, prevent passwords from being changed repeatedly

• Changed system value

– QLMTDEVSSN, Limit device sessions (*NONE, 1-9 sessions)

• Changed/New user profile parameters

– LMTDEVSSN, Limit device sessions (1-9 sessions)

– PWDCHGBLK - Block password change (1-99 hours)

Page 6: What's New in Security for IBM i?


New User Profile Parameters – 7.1

• New user profile “expiration” parameters in 7.1

– USREXPDATE, User Expiration Date (Date when profile is *DISABLED)

– USREXPITV, User Expiration interval (1-366 days)

Page 7: What's New in Security for IBM i?


Intrusion Detection/Prevention

Release 6.1

Page 8: What's New in Security for IBM i?


Intrusion Detection/Prevention

• Real time notification enablement

– E-mail, messages, etc. (i.e., pagers, ISV solutions) in addition to IM records

• Intrusion events detected/audited – well-known attacks such as “Smurf”, “Fraggle”, ACK storms, Address Poisoning (both IPv4 ARP poisoning and IPv6 neighbor discovery poisoning), Ping-Of-Death, etc.

• “Extrusions” detected – attacks, scans, traffic regulation anomalies initiating from your IBM i server

• IPv4 & IPv6 support

• GUI –

– Management of IDS policies

– Display of intrusion events as an alternative to viewing the audit journal

Page 9: What's New in Security for IBM i?


Intrusion Detection/Prevention

• iNav GUI interface for configuration – IDS policies

Page 10: What's New in Security for IBM i?


Intrusion Detection/Prevention

• iNav GUI interface for configuration - Notification

Page 11: What's New in Security for IBM i?


Intrusion Detection Implementation

• Intrusion Detection System (IDS) behavior defined as policies in a policy file

• Audit events logged to the security audit journal

Diagram: the IDS policy file drives the IDS component inside the TCP/IP stack; detected events are written to the security audit journal (QAUDJRN), and when an intrusion is detected a notification is also sent to a message queue and by e-mail.

Page 12: What's New in Security for IBM i?


IM Audit record detail:

• The Intrusion Detection section in the Information Center contains information about the format of an IM entry type journal record.

Journal value                 Meaning
P                             Potential intrusion event detected.
2006-01-11-13.19.42.329688    Timestamp (11 Jan 2006, 13:19:42.329688)
1107                          Detection point identifier
02                            Local address family
119                           Local port number
9.5.92.48                     Local IP address associated with the detected event.
02                            Remote address family
3511                          Remote port number
9.5.92.102                    Remote IP address associated with the detected event.
SCANE                         Probe type identifier (SCANE = Scan Event)
0020                          Unique identifier for this specific intrusion event. You can use this identifier to correlate this audit record with other intrusion detection information.
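The IM fields above are what an analyst has to work with once IDS events land in QAUDJRN. The following is an added example, not part of the presentation and not IBM code: it parses entries carrying those fields, checks the address against the address-family code, and runs a simple triage over a run of SCANE records (which remote host touched how many local ports, and how quickly). The real journal record is fixed-format, so the sample lines are a constructed pipe-delimited rendering of the slide's fields in the slide's order, of the kind you would get after DSPJRN to an outfile and CPYTOIMPF; only the first line's values are the slide's own.

```python
"""Parse IM (intrusion monitor) entries from the security audit journal.

Added example, not from the presentation. The slide lists the fields of an IM
journal entry; the real record is fixed-format (see the Intrusion Detection
section of the Information Center for the layout and offsets). To run offline
the sample entries below are a CONSTRUCTED pipe-delimited rendering of those
fields in the slide's order; only the first line's values are the slide's own.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, IPv6Address, ip_address
from typing import List, Union

FIELDS = (
    "violation", "timestamp", "detection_point", "local_af", "local_port",
    "local_ip", "remote_af", "remote_port", "remote_ip", "probe_type", "event_id",
)

# Constructed sample: one remote host touching three local ports within a second,
# then an unrelated single event from another host.
SAMPLE_ENTRIES = [
    "P|2006-01-11-13.19.42.329688|1107|02|119|9.5.92.48|02|3511|9.5.92.102|SCANE|0020",
    "P|2006-01-11-13.19.42.771004|1107|02|25|9.5.92.48|02|3512|9.5.92.102|SCANE|0021",
    "P|2006-01-11-13.19.43.118552|1107|02|80|9.5.92.48|02|3513|9.5.92.102|SCANE|0022",
    "P|2006-01-11-13.25.07.004410|1107|02|22|9.5.92.48|02|51077|9.5.92.200|SCANE|0023",
]


@dataclass(frozen=True)
class IMEntry:
    violation: str            # 'P' = potential intrusion event detected
    timestamp: datetime
    detection_point: str
    local_ip: Union[IPv4Address, IPv6Address]
    local_port: int
    remote_ip: Union[IPv4Address, IPv6Address]
    remote_port: int
    probe_type: str           # e.g. SCANE = scan event
    event_id: str             # correlates with other IDS information


def _address(family: str, text: str):
    """Parse an address and check it agrees with the record's address-family code
    (02 = IPv4, the value shown on the slide; other codes are left unchecked)."""
    addr = ip_address(text)
    if family == "02" and addr.version != 4:
        raise ValueError(f"address family 02 but address {text} is not IPv4")
    return addr


def parse_im_entry(line: str) -> IMEntry:
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    return IMEntry(
        violation=rec["violation"],
        timestamp=datetime.strptime(rec["timestamp"], "%Y-%m-%d-%H.%M.%S.%f"),
        detection_point=rec["detection_point"],
        local_ip=_address(rec["local_af"], rec["local_ip"]),
        local_port=int(rec["local_port"]),
        remote_ip=_address(rec["remote_af"], rec["remote_ip"]),
        remote_port=int(rec["remote_port"]),
        probe_type=rec["probe_type"],
        event_id=rec["event_id"],
    )


def ports_probed_by_remote(entries: List[IMEntry]) -> dict:
    """Remote IP -> sorted list of the distinct local ports it touched."""
    seen = {}
    for e in entries:
        seen.setdefault(str(e.remote_ip), set()).add(e.local_port)
    return {ip: sorted(ports) for ip, ports in seen.items()}


def likely_port_scans(entries, min_ports=3, window_seconds=60):
    """Remote IPs whose SCANE events hit at least min_ports distinct local ports
    within any window_seconds span: a triage filter over the IM records, not a
    replacement for the thresholds in the IDS policy itself."""
    hits = {}
    for e in entries:
        if e.probe_type == "SCANE":
            hits.setdefault(str(e.remote_ip), []).append((e.timestamp, e.local_port))
    flagged = []
    for ip, events in sorted(hits.items()):
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for ts, p in events[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                flagged.append(ip)
                break
    return flagged


if __name__ == "__main__":
    parsed = [parse_im_entry(line) for line in SAMPLE_ENTRIES]
    for ip, ports in ports_probed_by_remote(parsed).items():
        print(f"{ip}: local ports {ports}")
    print("likely port scans:", likely_port_scans(parsed))
```

The event_id field is kept as a string because its only use is correlation with the other IDS records the slide mentions; the detection-point identifier is likewise carried through untouched rather than interpreted.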

Page 13: What's New in Security for IBM i?


Cryptographic Enhancements

Page 14: What's New in Security for IBM i?


Cryptographic Key Protection - Terminology

• A data encryption key should be well protected or data is exposed

– Used to encrypt data (SSN’s, credit card numbers, etc.)

• It is recommended to encrypt the data key with a key encrypting key (KEK)

– Used to encrypt data encryption keys

• A Master Key can then be used to encrypt all KEKs

– The master key is used to encrypt KEKs or Data Encryption Keys

– Top level key, in the clear! If master key is compromised, data is compromised

– How do you securely store this master key?

Diagram: data keys 1, 2 and 3 are encrypted under KEK and KEK2; the KEKs are in turn encrypted under the master key, which sits at the top of the hierarchy in clear text.

Page 15: What's New in Security for IBM i?


Crypto Key Management Enhancements

• GUI & CL interface (commands) to manage master keys

• GUI & CL interface (commands) to manage i/OS key store files and keys

• Create key store files

• Create encryption keys

Page 16: What's New in Security for IBM i?


Create Master Key(s) via Navigator

• Navigate to Security / Cryptographic Services Key Management / Master Keys

NOTE: The SAVRST Master Key is not yet set in the example above. A default key is in place to provide minimal protection until you set your key. This means that the master keys are not “in the clear” on your SAVSYS tape, but any IBM i system can decrypt them.

Page 17: What's New in Security for IBM i?


Key Store Enhancements

• Key stores protected by master keys

• Cryptographic Services APIs used to manage key stores

• A single key store file can be encrypted under one master key

• One master key can encrypt multiple key store files

• KEKs and data keys are stored in the key store file

• Key store is a database file

– normal file access methods disabled

Diagram: key store MYKEYS in library KEYLIB, public authority *EXCLUDE, master key ID 2. Each key store record holds a key label, key type, key size, key verification value (KVV) and the key material encrypted under the master key. An asymmetric key record holds the public key plus the master-key-encrypted private key; a symmetric key record holds the master-key-encrypted symmetric key.

Page 18: What's New in Security for IBM i?


Create Key Store Files via Navigator (6.1)

• Navigate to Security / Cryptographic Services Key Management / Keystores. Use “Create New Keystore” to create the file and “New Key Record Wizard” to add encryption key entries

NOTE: Q1AKEYFILE in QUSRBRM is for BRMS tape encryption. Application keystore files can be assigned any file name.

Page 19: What's New in Security for IBM i?


Software

Encryption Enhancements

Page 20: What's New in Security for IBM i?


IBM i Software Based Encryption

Encrypted Backup

OS Option 44 (priced option)

Page 21: What's New in Security for IBM i?


Software Encryption support for IBM i – Encrypted backup

Diagram, two paths:

• Media encryption during Backup and Archive – the Backup & Archive run writes encrypted media directly (Encrypted Backup & Archive).

• Media encryption during media duplication – the Backup & Archive run writes unencrypted media, which is encrypted during Media Duplication & Encryption. This preserves the non-encrypted backup window: encryption can be performed to duplicated media after backup.

Page 22: What's New in Security for IBM i?


Change Media Policy

Media policy . . . . . . . . . . : ENCRYPT

Type choices, press Enter.

Encrypt Data . . . . . . . . . . . . *YES *NO, *YES

Key store file . . . . . . . . . Q1AKEYFILE Name

Key store library. . . . . . . QUSRBRM Name

Key record label . . . . . . . ENCRYPTION

F3=Exit F5=Refresh F12=Cancel

BRMS Software-based Encryption

• Benefits

– Works with any tape drive, not just LTO4 and TS11x0

– Media Duplication

– Virtual Tape

• Who for?

– Customers with a large backup window and/or a small amount of data to encrypt (performance)

• What to Buy (Tier priced features)

– BRMS Advanced Feature - 5770-BR1 option 2

– IBM i Encrypted Backup Enablement – 5770-SS1 option 44

• How do you set it up?

1. Create Master Keys for Keystore

2. Create Keystore File via GUI (Security Section)

3. Update BRMS Media Policy and Control Group to select encryption options

Edit Backup Control Group Entries                                CLIO

Group . . . . . . . . . . . . : LIB001
Default activity . . . . . *BKUPCY
Text . . . . . . . . . . . . . LIBRARY backup

Type information, press Enter.

          Backup     List     Parallel    Private
Seq       Items      Type     Type        Authorities   Encrypt
10        LIBA                *DEFAULT    *NO           *MEDPCY
20        LIBB                *DEFAULT    *NO           *NO

F3=Exit F5=Refresh F11=Display main F12=Cancel

Page 23: What's New in Security for IBM i?


IBM i Software Based Encryption

Encrypted ASP – Whole Disk Encryption

OS Option 45 (priced option)

Page 24: What's New in Security for IBM i?


Disk level encryption

• Encryption of data at rest

– Software solution

– Both the older user ASPs and the newer independent ASPs are supported

– Minimal key management requirements

– Performance considerations

• Threats

– Protection of data in flight to SAN

– Protection of data in flight in cross-site mirroring environment

– Data Loss

• Loss of disk drive

• Return drive to vendor (drive replacement of defective drive)

– Single level store on IBM i does not eliminate the need to protect individual drives

Page 25: What's New in Security for IBM i?


Implementation approach

• Provide the capability to encrypt all data residing on an ASP

• Cryptographic keys will be stored in software but protected by “isolated” storage and master keys

– All data encryption keys are managed by the OS/LIC

– The only key that needs to be managed by the customer is the ASP master key

• Minimal change required to an application

– ASP level changes may be required in the application to support independent ASPs (independent of encryption)

Page 26: What's New in Security for IBM i?


Create ASP Master Key via Navigator

• Navigate to Security / Cryptographic Services Key Management / Master Keys

Screen callout: Set ASP Master Key

Page 27: What's New in Security for IBM i?


Diagram: ASP Encryption. ASP1, ASP2 and ASP3 each have their own data key (DATA-KEY1, DATA-KEY2, DATA-KEY3, “Managed by OS/LIC”), all protected by ASP-Master-Key-Sys-1 (“Managed by system administrator”).

REQUIREMENT: ASP Master Key equal on all systems in cluster

In 7.1, system ASP encryption keys can be changed (key rotation) via the ASP management GUI, and the ability to turn encryption on/off on an existing ASP is supported.

Page 28: What's New in Security for IBM i?


7.1 IBM i DB2 Field Procedures

Column Level Encryption Enablement

Page 29: What's New in Security for IBM i?


DB2 Field Procedures – 7.1

• DB2 Column Level (field) exit support

– Exit program (Field Procedure) called on insert/update/read of a column

– Similar to “Triggers” but additional support to enable encryption

– Exit added via SQL Alter Table

• One exit per column

– Masking of Data is also supported

• Enables Column Level Encryption

– Encrypt/Decrypt data in a DB2 column

• No need to change column attributes like field length or data type

– Encryption Key management must be implemented by the Exit Program (Field Procedure)

• Field Procedure is a user-written program – Business partner solutions from Enforcive, Linoma Software and Townsend Security

Page 30: What's New in Security for IBM i?


DB2 Field Procedures continued – 7.1

• Additional Security Checks within the Field Procedure

– To make the support meaningful, additional security checks should be implemented by the exit

• Is the user listed on the Authorization list (*AUTL)?

• If so, decrypt the SS# (data), otherwise return ‘*********’ or ‘000000000’

• DB2 handles all length and data type issues

– I/O buffer doesn’t change but encrypted data length and data type can change

• I/O buffer for SS# is 9 and type character

• Result of encryption is, for example, length 16 and data type binary

– Managed by DB2 internally

Page 31: What's New in Security for IBM i?


DB2 Field Procedures continued – 7.1

• Performance Considerations

– Field Procedure replaces application level code

• Encryption/Decryption performance will be the same regardless of where it is implemented (in application vs. field procedure)

• No application source code available to make updates

• Implement all encryption/decryption in one place

• No need to deal with length/data type changes on the column

• SQL Programming Guide will contain examples for Field Procedure implementation

Page 32: What's New in Security for IBM i?


7.2 Security Enhancements

Page 33: What's New in Security for IBM i?


7.2 DB2 Security Enhancements

Page 34: What's New in Security for IBM i?


What is RCAC (Row & Column Access Control)?

• Additional layer of data security available with DB2 in 7.2

• Complementary to table level security (object authority checking)

• Controls access to table data at the ROW, COLUMN or BOTH

• Two sets of rules

– Permissions for rows

– Masks for columns

• IBM Advanced Data Security for i

– No-charge feature, OS Option 47 required for RCAC

IBM Advanced Data Security for i (Boss option 47) – No Charge

http://www.redbooks.ibm.com/redbooks.nsf/RedpieceAbstracts/redp5110.html?Open

Page 35: What's New in Security for IBM i?


IBM Advanced Data Security for i (Boss Option 47)

• Option must be installed to:

– CREATE PERMISSION and CREATE MASK

– Open a file that has RCAC activated

• RCAC does not replace object authorization requirements

– If you pass the object authorization check:

• Row permissions reduce the set of rows returned

• Column Masks limit full or partial access to sensitive column data

• RCAC is comprehensive and applies to any interface (Native DB, SQL, RPG, APIs, etc)

• Row Permissions are a replacement technology for Views / Logical Files

Page 36: What's New in Security for IBM i?


Security - Separation of Duties Before 7.2

Problem:

Anyone who has the authority to grant privileges also has the authority to perform operations that require those privileges.

IBM i 7.2 with RCAC (Row and Column Access Control)

• Enable the management of security, without exposing the data to be read or modified.

• A user with security administration function usage (QIBM_DB_SECADM) will be able to grant or revoke privileges on any object to anyone, even if they do not have those privileges.

Should the security administrator be able to access the data within tables?

Page 37: What's New in Security for IBM i?


Setting up QIBM_DB_SECADM for an Administrator

• Authorization to the Database Security Administrator function of IBM i can be assigned through Application Administration in IBM Navigator for i and via the Change Function Usage (WRK/CHGFCNUSG) command.

• Navigator: Right click on the connection name and select Application Administration.

Page 38: What's New in Security for IBM i?


DB2 for i - 7.2 Security Enhancements

Some of the details…

New Catalogs

– QSYS2/SYSCONTROLS

– QSYS2/SYSCONTROLSDEP

New Journal Entry Types

– For journal code D - Database file: M1, M2, M3 for create/drop/alter mask; P1, P2, P3 for create/drop/alter permission

– For journal code T – Audit trail: AX for Row and Column Access Control; X2 for Query manager profile changes

New Boss Option: IBM Advanced Data Security for i (Boss option 47) – No Charge

New SQL Statements for security

– CREATE PERMISSION

– ALTER PERMISSION

– CREATE MASK

– ALTER MASK

– ALTER TRIGGER

– TRANSFER OWNERSHIP

New Built-in Function

– VERIFY_GROUP_FOR_USER()

Page 39: What's New in Security for IBM i?


How do I determine if RCAC is enabled for a file?

• DSPOBJAUT command

• Query new QSYS2/SYSCONTROLS catalog

• Navigator for i: Column Masks / Row Permissions under Schemas (right click on the table, then Definition)

Page 40: What's New in Security for IBM i?


Special registers – similar names, different purposes

The name CURRENT USER could easily be misunderstood.

Special Register                Definition
USER or SESSION_USER            The effective user of the thread is returned.
SYSTEM_USER                     The authorization ID that initiated the connection is returned.
CURRENT USER or CURRENT_USER    The most recently program-adopted authorization ID within the thread will be returned. When no adopted authority is active, the effective user of the thread is returned.

Page 41: What's New in Security for IBM i?


Scenario: Create Permission (Row Security)

• 1) Patients can see their data, 2) Primary Care Providers can see rows for their clients, 3) members of groups MEMBERGRP, ACCOUNTGRP and RESEARCGRP can see all rows. Everyone else sees no rows.

CREATE PERMISSION access_to_row ON patient
FOR ROWS WHERE
  (   -- 1) patients see their own row
    VERIFY_GROUP_FOR_USER(SESSION_USER, 'PATIENTGRP') = 1
    AND patientID = SESSION_USER
  )
  OR
  (   -- 2) primary care providers see their clients' rows
    VERIFY_GROUP_FOR_USER(SESSION_USER, 'PCPGRP') = 1
    AND patientpcp = SESSION_USER
  )
  OR
  (   -- 3) these groups see all rows
    VERIFY_GROUP_FOR_USER(SESSION_USER, 'MEMBERGRP') = 1
    OR VERIFY_GROUP_FOR_USER(SESSION_USER, 'ACCOUNTGRP') = 1
    OR VERIFY_GROUP_FOR_USER(SESSION_USER, 'RESEARCGRP') = 1
  )
ENFORCED FOR ALL ACCESS
ENABLE;

ALTER TABLE patient ACTIVATE ROW ACCESS CONTROL;

Page 42: What's New in Security for IBM i?


Scenario: Create Column Mask

• Scenario has the following permission attached to the patient ID column

– For the PID number column

• Users in group “BILLING” can see full Patient ID number

• Everyone else sees ‘XXX XXX ‘ + last three digits of Patient ID number

CREATE MASK pid_mask ON patient FOR
COLUMN pid RETURN
  CASE
    WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'BILLING') = 1
      THEN pid
    ELSE 'XXX XXX ' || SUBSTR(pid, 8, 3)
  END
ENABLE;

ALTER TABLE patient ACTIVATE COLUMN ACCESS CONTROL;

Page 43: What's New in Security for IBM i?


Example: Step by Step, very simple scenario

• Create Schema “EMPDTA” and Table “EMPTBL” via “Run SQL Scripts”

– Schema contains a library, journal and receiver plus DB2 catalog objects

– After creating the schema “EMPDTA”, right click on Schemas in iNav and “select schemas to display” to add “EMPDTA” to your schema list

Right click for Run SQL Scripts:

CREATE SCHEMA EMPDTA;

CREATE TABLE EMPDTA.EMPTBL(
  FIRST CHAR(15) CCSID 37 DEFAULT NULL,
  LAST  CHAR(15) CCSID 37 DEFAULT NULL,
  SSN   CHAR(11) CCSID 37 DEFAULT NULL);

Page 44: What's New in Security for IBM i?


Example: Step by Step, very simple scenario (cont…)

• Edit data in the Table via iNav

Insert test data into rows

Page 45: What's New in Security for IBM i?


Example: Step by Step, very simple scenario (cont…)

• View the data via “Run SQL Scripts” and SQL “select” statement

Select all rows from table EMPTBL via

select * from empdta.emptbl

(results shown in screen capture)

Page 46: What's New in Security for IBM i?


Example: Step by Step, very simple scenario (cont…)

• Create “Row” Permissions – Return all ROWS for group profile = PAYROLL or return just the ROW where process user profile = column LAST

Right click & New:

verify_group_for_user(session_user, 'PAYROLL') = 1 or qsys2.upper(LAST) = session_user

Page 47: What's New in Security for IBM i?


Example: Step by Step, very simple scenario (cont…)

• Activate “Row Access Control”

Double click

Page 48: What's New in Security for IBM i?


Example: Step by Step, very simple scenario (cont…)

• View the data via “Run SQL Scripts” and SQL select statement

– iNav session user is “UEHLING” & no group profile

Select all rows from table EMPTBL via

select * from empdta.emptbl

(results shown in screen capture: Row Access Control active)

Page 49: What's New in Security for IBM i?


Example: Step by Step, very simple scenario (cont…)

• Create “Column” Mask – Return all COLUMN data for group profile = PAYROLL or return masked data for the SSN column where process user profile = column LAST

Right click & New:

case when verify_group_for_user(session_user, 'PAYROLL') = 1
     then SSN else 'xxx-xx-' || substr(SSN, 8, 4) end
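The EMPTBL scenario, and the patient row permission and column mask shown earlier, define who sees which rows and how the sensitive column is rendered. The following is an added example, not from the presentation and not DB2 for i code: CREATE PERMISSION, CREATE MASK and VERIFY_GROUP_FOR_USER exist only on DB2 for i 7.2, where they apply to every interface without any application change. To show offline what the rules do, a Python function registered with SQLite stands in for VERIFY_GROUP_FOR_USER, a bound parameter stands in for SESSION_USER, and the same predicates are applied in a query. Employee rows and group memberships are constructed for the example.

```python
"""Simulate the EMPTBL row permission and SSN column mask from the slides in SQLite.

Added example, not from the presentation and not DB2 for i code. A registered
Python function stands in for VERIFY_GROUP_FOR_USER, the :session_user
parameter stands in for SESSION_USER, and SQLite's upper() stands in for
qsys2.upper(). Rows and group memberships below are constructed.
"""
import sqlite3

# Constructed group-profile membership (user profile -> set of group profiles).
GROUP_MEMBERSHIP = {
    "PAYCLERK": {"PAYROLL"},
    "UEHLING": set(),      # the slide's session user: no group profile
    "TATAM": set(),
}

# Constructed rows for EMPDTA.EMPTBL (FIRST, LAST, SSN).
EMPLOYEES = [
    ("Robin", "Tatam", "123-45-6789"),
    ("Jeff", "Uehling", "987-65-4321"),
    ("Pat", "Smith", "555-12-3456"),
]


def verify_group_for_user(user, group):
    """Stand-in for VERIFY_GROUP_FOR_USER: 1 if user holds the group profile, else 0."""
    return 1 if group in GROUP_MEMBERSHIP.get(user, set()) else 0


# The slide's row permission and column mask, with :session_user for SESSION_USER.
ROW_PERMISSION = (
    "verify_group_for_user(:session_user, 'PAYROLL') = 1 "
    "OR upper(last) = :session_user"
)
SSN_MASK = (
    "CASE WHEN verify_group_for_user(:session_user, 'PAYROLL') = 1 "
    "THEN ssn ELSE 'xxx-xx-' || substr(ssn, 8, 4) END"
)


def open_db():
    """In-memory table standing in for EMPDTA.EMPTBL, with the group function registered."""
    con = sqlite3.connect(":memory:")
    con.create_function("verify_group_for_user", 2, verify_group_for_user)
    con.execute("CREATE TABLE emptbl (first TEXT, last TEXT, ssn TEXT)")
    con.executemany("INSERT INTO emptbl VALUES (?, ?, ?)", EMPLOYEES)
    return con


def select_without_rcac(con):
    """What 'select * from empdta.emptbl' returns before the rules are activated."""
    return con.execute("SELECT first, last, ssn FROM emptbl ORDER BY last").fetchall()


def select_with_rcac(con, session_user):
    """The same select once row access control and the SSN mask are active for session_user."""
    sql = (
        f"SELECT first, last, {SSN_MASK} AS ssn FROM emptbl "
        f"WHERE {ROW_PERMISSION} ORDER BY last"
    )
    return con.execute(sql, {"session_user": session_user}).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("no RCAC:  ", select_without_rcac(db))
    for user in ("UEHLING", "PAYCLERK", "NOBODY"):
        print(f"{user:9s}", select_with_rcac(db, user))
```

The difference from the pre-7.2 view approach the slides contrast RCAC with is visible here: the simulated rule only protects callers who go through select_with_rcac, whereas a real permission or mask on DB2 for i is attached to the table and enforced for native I/O, SQL, RPG and APIs alike. A user with no group profile and no matching LAST value gets an empty result rather than an authority failure, which is the RCAC behaviour the slide describes ("Everyone else sees no rows").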

Page 50: What's New in Security for IBM i?


Example: Step by Step, very simple scenario (cont…)

• Activate “Column Access Control”

Double click

Page 51: What's New in Security for IBM i?


Example: Step by Step, very simple scenario (cont…)

• View the data via “Run SQL Scripts” and SQL “select” statement & RUNQRY

– iNav session user is “UEHLING” & no group profile

Select all rows from table EMPTBL via

select * from empdta.emptbl

(results shown in screen capture: Row Permissions and Column Masking activated)

Page 52: What's New in Security for IBM i?


7.2 Security Enhancements Continued

Page 53: What's New in Security for IBM i?


Security Enhancements – infrastructure currency

• System SSL (security updates to industry standards)

• Java – latest version (with quarterly updates)

• Web Servers – updated to latest levels for security compliance

• PASE Updates

– Latest AIX release, 7.1 (this is not IBM i 7.1)

– OpenSSL to latest version 1.0.1g

Page 54: What's New in Security for IBM i?


Security Enhancements – Crypto Performance

• Power 8 in-core Cryptographic Performance Acceleration

– Support within the processor itself, no additional products or HW required

– “Automatic” performance acceleration for certain cryptographic algorithms

• AES & SHA-2 message digest

– Does not support “cryptographic key” storage

• Certain customers will still need the HW Cryptographic Coprocessor Card

– Performance gains will be realized in support such as:

• Customer applications that use the Crypto Services APIs

• SSL (Secure Socket Layer)

• VPN (Virtual Private Network)

• Software Tape Encryption

Page 55: What's New in Security for IBM i?


Security Enhancements – Single Sign-on

• Enhance both FTP and TELNET to support authenticating with Kerberos (SSO)

– Kerberos authentication and Enterprise Identity Mapping integrated in FTP & TELNET

– Integrates into the IBM i SSO application suite

• FTP client and server support

• Telnet client and server support

Page 56: What's New in Security for IBM i?


Security Enhancements – Audit Record Changes

• Additional data logged in security audit records

– Both “before” and “after” values logged in the audit record

• Prior release had only the “after” values

• Many audit records have been updated to log before/after data

– See appendix F of the security reference pdf in knowledge center

Example: Query of CA (Change Authority) audit record data from QAUDJRN

Page 57: What's New in Security for IBM i?


Security Enhancements - continued

• New option, via QPWDRULES system value, to enforce password composition rules for security officers/admins

– *ALLCRTCHG value added to QPWDRULES

– CRTUSRPRF & CHGUSRPRF will honor password syntax rules

• New Object Type parameter added to the Security “WRK” commands – WRKOBJOWN, WRKOBJPGP, WRKOBJPVT

Page 58: What's New in Security for IBM i?


System SSL - New in 7.2 (PTFs back to 7.1)

• Transport Layer Security version 1.1 & 1.2 protocol (TLSv1.1 and TLSv1.2), RFC 4346 & RFC 5246

– SHA2 support

• Online Certificate Status Protocol (OCSP)

– A method to determine the revocation status for a digital certificate.

• Digital Certificate Manager (DCM) Application Definitions

– New fields on App definitions for enabling new support for existing applications (new SSL support)

– Multiple CA support: This support allows for the creation of multiple digital certificates using RSA and ECC cryptographic algorithms and the assigning of multiple certificates to applications enabled for SSL

Page 59: What's New in Security for IBM i?


System SSL New in IBM i 7.2

• Elliptic Curve Cryptography (ECC)

– Asymmetric encryption algorithm similar to RSA. ECC has an advantage over RSA in that it has smaller key sizes and better computational performance.

• Elliptic Curve Digital Signature Algorithm (ECDSA) certificates

• Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange method

• Galois/Counter Mode (GCM) – a mode of operation for symmetric key cryptographic block ciphers. Considered more secure than Cipher Block Chaining (CBC) mode.

• New 7.2 SSL Ciphersuites

• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

• TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

• TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

• TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

• TLS_ECDHE_RSA_WITH_RC4_128_SHA

• TLS_RSA_WITH_AES_128_GCM_SHA256

• TLS_RSA_WITH_AES_256_GCM_SHA384
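The list of new suites mixes ECDHE with static RSA key exchange, GCM with CBC, and AES with 3DES and RC4, so an administrator enabling them in DCM has a choice to make. The following is an added example, not from the presentation and not IBM code: it parses each suite name into its key exchange, bulk cipher and MAC parts, records the properties a defender would weigh (the slide's own point that GCM is considered more secure than CBC; RC4 being prohibited for TLS by RFC 7465; the 64-bit block of 3DES behind the Sweet32 attack; static RSA key exchange giving no forward secrecy) and returns a best-first ordering. The penalty weights are this example's own choice, not an IBM recommendation, and the suite list is exactly the slide's.

```python
"""Classify the 7.2 System SSL cipher suites listed on the slide.

Added example, not from the presentation and not IBM code. Splits each IANA
suite name into key exchange, bulk cipher and MAC, attaches the weaknesses a
defender weighs when choosing which suites to enable, and orders the list so
that ECDHE (forward secrecy) with AES-GCM (AEAD) comes first. The penalty
weights are this example's own choice.
"""
import re

# The 14 suites from the 7.2 slide, as listed there.
SUITES_7_2 = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
]

SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE_ECDSA|ECDHE_RSA|RSA)_WITH_"
    r"(?P<cipher>AES_128_GCM|AES_256_GCM|AES_128_CBC|AES_256_CBC|3DES_EDE_CBC|RC4_128)"
    r"_(?P<mac>SHA256|SHA384|SHA)$"
)

# (description, penalty); the weights are this example's own choice.
PENALTIES = {
    "rc4": ("RC4 stream cipher, prohibited for TLS by RFC 7465", 100),
    "3des": ("3DES 64-bit block cipher (Sweet32 birthday attack on long sessions)", 50),
    "no_fs": ("static RSA key exchange, no forward secrecy", 20),
    "cbc": ("CBC mode rather than AEAD (GCM), as the slide notes", 10),
    "sha1": ("HMAC-SHA1 integrity rather than SHA-2", 5),
}


def parse_suite(name):
    """Return the key-exchange, cipher and MAC parts of a suite name, or raise."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    return m.groupdict()


def assess(name):
    """List the (description, penalty) issues that apply to one suite."""
    parts = parse_suite(name)
    issues = []
    if parts["cipher"].startswith("RC4"):
        issues.append(PENALTIES["rc4"])
    if parts["cipher"].startswith("3DES"):
        issues.append(PENALTIES["3des"])
    if parts["kx"] == "RSA":
        issues.append(PENALTIES["no_fs"])
    if parts["cipher"].endswith("CBC"):
        issues.append(PENALTIES["cbc"])
    if parts["mac"] == "SHA":
        issues.append(PENALTIES["sha1"])
    return issues


def score(name):
    """Total penalty; 0 means ECDHE key exchange with AES-GCM and a SHA-2 PRF."""
    return sum(p for _, p in assess(name))


def preferred_order(suites):
    """Suites sorted best-first; ties broken by name so the list is stable."""
    return sorted(suites, key=lambda s: (score(s), s))


def recommended(suites):
    """Suites with no recorded issue."""
    return [s for s in suites if not assess(s)]


if __name__ == "__main__":
    for s in preferred_order(SUITES_7_2):
        flags = "; ".join(d for d, _ in assess(s)) or "no issues"
        print(f"{score(s):3d}  {s:42s} {flags}")
```

Run stand-alone it prints the slide's suites best-first with the reason for each demotion, which is the order a DCM application definition would want them in when more than one is enabled.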

Page 60: What's New in Security for IBM i?


VPN New in IBM i 7.2

• IKEv2 NAT support

• Advanced IKE & IpSec Cryptographic Algorithms

– Elliptic Curve Cryptography (ECC)

– Elliptic Curve Digital Signature Algorithm (ECDSA) authentication

– Elliptic Curve Diffie-Hellman (ECDH) key exchange method

Page 61: What's New in Security for IBM i?


Questions?

Page 62: What's New in Security for IBM i?


Security Solutions for the Discerning

Page 63: What's New in Security for IBM i?


Rapid Vulnerability Scan

6 categories of review

Completes in under 5 minutes

Includes executive summary

Accompanied by live review and Q&A

Personalized recommendations

7-day grace period

FREE!

Page 64: What's New in Security for IBM i?


Thanks for your time!

Please visit www.helpsystems.com/powertech to access:

• Demonstration Videos & Trial Downloads

• Product Information Data Sheets

• Whitepapers / Technical Articles

• Customer Success Stories

• PowerNews (Newsletter)

• To request a FREE Compliance Assessment

(800) 915-7700

[email protected]

Page 65: What's New in Security for IBM i?


This document was developed for IBM offerings in the United States as of the date of publication. IBM may not make these offerings available in

other countries, and the information is subject to change without notice. Consult your local IBM business contact for information on the IBM

offerings available in your area.

Information in this document concerning non-IBM products was obtained from the suppliers of these products or other public sources. Questions

on the capabilities of non-IBM products should be addressed to the suppliers of those products.

IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give

you any license to these patents. Send license inquires, in writing, to IBM Director of Licensing, IBM Corporation, New Castle Drive, Armonk, NY

10504-1785 USA.

All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives

only.

The information contained in this document has not been submitted to any formal IBM test and is provided "AS IS" with no warranties or

guarantees either expressed or implied.

All examples cited or described in this document are presented as illustrations of the manner in which some IBM products can be used and the

results that may be achieved. Actual environmental costs and performance characteristics will vary depending on individual client configurations

and conditions.

IBM Global Financing offerings are provided through IBM Credit Corporation in the United States and other IBM subsidiaries and divisions

worldwide to qualified commercial and government clients. Rates are based on a client's credit rating, financing terms, offering type, equipment

type and options, and may vary by country. Other restrictions may apply. Rates and offerings are subject to change, extension or withdrawal

without notice.

IBM is not responsible for printing errors in this document that result in pricing or information inaccuracies.

All prices shown are IBM's United States suggested list prices and are subject to change without notice; reseller prices may vary.

IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.

Any performance data contained in this document was determined in a controlled environment. Actual results may vary significantly and are

dependent on many factors including system hardware configuration and software design and configuration. Some measurements quoted in this

document may have been made on development-level systems. There is no guarantee these measurements will be the same on generally-

available systems. Some measurements quoted in this document may have been estimated through extrapolation. Users of this document

should verify the applicable data for their specific environment.

Special notices

Page 66: What's New in Security for IBM i?


IBM, the IBM logo, ibm.com AIX, AIX (logo), AIX 6 (logo), AS/400, BladeCenter, Blue Gene, ClusterProven, DB2, ESCON, i5/OS, i5/OS (logo), IBM Business Partner

(logo), IntelliStation, LoadLeveler, Lotus, Lotus Notes, Notes, Operating System/400, OS/400, PartnerLink, PartnerWorld, PowerPC, pSeries, Rational, RISC

System/6000, RS/6000, THINK, Tivoli, Tivoli (logo), Tivoli Management Environment, WebSphere, xSeries, z/OS, zSeries, AIX 5L, Chiphopper, Chipkill, Cloudscape,

DB2 Universal Database, DS4000, DS6000, DS8000, EnergyScale, Enterprise Workload Manager, General Purpose File System, , GPFS, HACMP, HACMP/6000,

HASM, IBM Systems Director Active Energy Manager, iSeries, Micro-Partitioning, POWER, PowerExecutive, PowerVM, PowerVM (logo), PowerHA, Power Architecture,

Power Everywhere, Power Family, POWER Hypervisor, Power Systems, Power Systems (logo), Power Systems Software, Power Systems Software (logo), POWER2,

POWER3, POWER4, POWER4+, POWER5, POWER5+, POWER6, POWER6+, System i, System p, System p5, System Storage, System z, Tivoli Enterprise, TME 10,

Workload Partitions Manager and X-Architecture are trademarks or registered trademarks of International Business Machines Corporation in the United States, other

countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols

indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law

trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml

The Power Architecture and Power.org wordmarks and the Power and Power.org logos and related marks are trademarks and service marks licensed by Power.org.

UNIX is a registered trademark of The Open Group in the United States, other countries or both.

Linux is a registered trademark of Linus Torvalds in the United States, other countries or both.

Microsoft, Windows and the Windows logo are registered trademarks of Microsoft Corporation in the United States, other countries or both.

Intel, Itanium, Pentium are registered trademarks and Xeon is a trademark of Intel Corporation or its subsidiaries in the United States, other countries or both.

AMD Opteron is a trademark of Advanced Micro Devices, Inc.

Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries or both.

TPC-C and TPC-H are trademarks of the Transaction Performance Processing Council (TPPC).

SPECint, SPECfp, SPECjbb, SPECweb, SPECjAppServer, SPEC OMP, SPECviewperf, SPECapc, SPEChpc, SPECjvm, SPECmail, SPECimap and SPECsfs are

trademarks of the Standard Performance Evaluation Corp (SPEC).

NetBench is a registered trademark of Ziff Davis Media in the United States, other countries or both.

AltiVec is a trademark of Freescale Semiconductor, Inc.

Cell Broadband Engine is a trademark of Sony Computer Entertainment Inc.

InfiniBand, InfiniBand Trade Association and the InfiniBand design marks are trademarks and/or service marks of the InfiniBand Trade Association.

Other company, product and service names may be trademarks or service marks of others.

Special notices (cont.)