Many people think that NAE "replaces" AC3, which is not true -- but they
think that because the upgrade process will install NAE automatically in
V5R4 if you had AC3 in V5R3.
However, the only part of AC3 that's in NAE is Kerberos support (for
single-sign on type things.) Everything else that was in AC3 is now
built-in to the operating system.
Background: The reason IBM created AC1/AC2/AC3 was due to the various
export regulations surrounding cryptography. Different countries had
different rules about what level cryptography could be sold/used, and
sometimes it varied depending on whether the seller was within the same
nation or not. Since special handling was therefore required, the
AC1/AC2/AC3 products were created, and had to be ordered/installed
But then the laws changed. Cryptography that was strong in the 1960s
isn't considered military-strength today, anymore! As the laws loosened,
IBM didn't need to do any special handling anymore. So by the time V5R4
was released, they were able to simply include all of their crypto in
the OS itself. Nothing needs to be installed.
For Kerberos, NAE needs to be installed, but it's shipped with the OS.
For everything else, it's simply built-in to the base OS. No need to
install anything at all.
On 9/13/2012 10:39 AM, rob@xxxxxxxxx wrote:
Just a little verification.
A Cryptographic Access Provider
Required if you plan to use SSL. You can choose one of these options:
5722-AC2 (56-bit), 5722-AC3 (128-bit). If you are using V5R4 or later,
5722-AC3 is part of the operating system and does not need to be installed
The Memo to Users for V5R4 had some interesting comments. Search on AC3
AC3 was replaced by NAE for parts of this.