Manage RACF better, faster, and easier with zSecure 2.1

Explore enhancements to compliance analysis, reporting, and certificate management

IBM® Resource Access Control Facility (RACF®) provides access control and auditing functions for z/OS® and z/VM® mainframe systems. IBM Security zSecure™ suite makes managing RACF easier. Follow along as Mark Hahn, a frontline mainframe support expert with experience in RACF and zSecure, highlights some of his favorite enhancements in the new 2.1 release of zSecure. These enhancements include additional IBM DB2® compliance analysis and reporting, enhanced digital certificate management, deeper integration with QRadar® SIEM, and possibly the best feature—zSecure's first concurrent release with z/OS.


Mark Hahn, Level 2 Tech Support, IBM

Mark S. Hahn is an avid mainframer and has been working in the computer security industry for more than 30 years. Currently, he is Level 2 Tech Support for the zSecure suite and many of the encryption Key Lifecycle Manager products such as ISKLM and TKLM for z/OS. This is his second "tour of duty" with zSecure; he was also Tech Support for zSecure in the late 1990s. Mark has worn many hats in his career including RACF Administrator and Tech Support for security products. He has spoken at innumerable conferences (both security and auditing-centric) over the past 30 years and has published many articles. He is a dedicated digital photographer and loves spending time at Disneyland.

08 October 2013

Resource Access Control Facility (RACF) is an IBM software security system that provides access control and auditing functions for the z/OS and z/VM operating systems. RACF fits into the mainframe security environment by providing:

  • Authentication: Identification and verification of a user through user ID and password checks; identification, classification, and protection of system resources
  • Authorization: Maintenance of access rights to protected resources; control of the means of access to protected resources
  • Auditing: Logging of accesses to a protected system and protected resources

SANS 2013 Critical Controls Survey

Learn how zSecure 2.1 supports the controls identified in the "SANS 2013 Critical Controls Survey."

RACF was introduced in 1976, but it has continuously evolved to support modern security mechanisms like digital certificates/public key infrastructure services, LDAP interfaces, and case-sensitive IDs/passwords. Case sensitivity has enabled RACF to be more interoperable with systems such as UNIX® and Linux®. IBM zSeries hardware is designed to work closely with RACF. RACF's primary competitors have been ACF2 and TopSecret, both now produced by CA. (See Resources for more on RACF.)

RACF is a powerful authentication, authorization, and auditing tool for your security portfolio. zSecure suite makes using it easier by introducing a high level of automation.

developerWorks editors

The IBM Security zSecure suite helps you manage RACF in a variety of ways. This article explains the IBM Security zSecure suite and highlights some of the exciting features of the newest release, version 2.1.

What is the zSecure suite?

IBM Security zSecure suite provides cost-effective security administration, improves service by automating routine tasks and threat detection, and reduces risk with automated audit and compliance reporting. Automation and built-in expertise are key features of zSecure. By automating tasks and employing best practices gleaned from millions of hours of expertise in security auditing, reporting, verifying, and managing, security administrators can gain back time previously stolen by these mundane tasks.

Components in the zSecure suite (also known as product editions) include:

  • zSecure Admin: Adds a user-friendly layer over RACF to help ease and improve administration and reporting.
  • zSecure Alert/for ACF2/for RACF: Monitors the mainframe for external and internal security threats. It can detect and prevent intrusions and identify misconfigurations through real-time mainframe (ACF2, RACF) threat monitoring. (ACF2 is Access Control Facility, a commercial, discretionary access-control software security system developed for z/OS, z/VSE, and z/VM.)
  • zSecure Audit/for ACF2/for RACF/for Top Secret: Enables you to detect and report security events and exposures on mainframes. It enables analysis and reporting on mainframe security events (ACF2, RACF, Top Secret); auditing detects exposures. It also formats and reports on more than 50 other z/OS System Management Facility (SMF) records without any effort on your part. (Top Secret, or TSS, is the Computer Associates product for mainframe control and auditing functions.)
  • zSecure CICS Toolkit: Helps free TSO resources from routine administrative tasks through a CICS interface.
  • zSecure Command Verifier: Helps enforce mainframe compliance to installation-defined and standardized policies through granular controls for RACF commands.
  • zSecure Manager for RACF z/VM: Provides combined audit and administration functions for the virtual machine environment.
  • zSecure Visual: Enables cost savings by decentralizing RACF administration through a Microsoft® Windows®-based GUI.

See Resources for more on IBM Security zSecure suite 2.1.

New release, new features

The new zSecure suite release 2.1 delivers some especially interesting features (in my opinion):

  • Additional IBM DB2 compliance analysis and reporting
  • Digital certificate management enhancement
  • Easier compliance reporting for multiple (and roll-your-own) standards
  • Additional integration with QRadar SIEM

You can now order the zSecure suite 2.1, preceding the z/OS 2.1 release for the first time. I like this because it means you don't have to work with a previous version of zSecure while testing the new release of z/OS. You also won't have to install the new zSecure separately (like I did when it came out a few months after the new z/OS). Now you have one-stop shopping for z/OS and zSecure suite.

One of the most exciting "features" of zSecure 2.1 for a support technician is that it is coming out concurrently with z/OS 2.1. You can install the latest version of both at the same time.

The author

Let's look a bit deeper into the interesting new features and what they mean.

Additional IBM DB2 compliance analysis and reporting

The breadth of coverage for IBM DB2 compliance analysis and reporting has been increased. The zSecure environmental collection program (zSecure Collect) will collect much more information from DB2 systems, making it even easier to produce more granular reporting than before. This includes reporting from both the DB2 perspective and RACF (or comparable product) point of view. This added collection of data greatly simplifies the compliance reporting requirements that pop up almost daily.

Figure 1. Reporting details for DB2 tables
Window showing the reporting details for DB2 tables

Digital certificate management enhancement

zSecure is aware of the complexities and demands of certificate requests. It automates renewing and rolling over certificates and maintaining key rings and the related structures. zSecure 2.1 makes caring for and working with digital certificates within RACF (or a comparable product) much easier.

With this new release, more data that is related, but may not be visible together, will be collected and reported, which greatly simplifies digital certificate processing and controls. When it's time to clean up the RACF digital cert repository and remove obsolete or unused certificates, the Access Monitor has been enhanced to provide assistance in identifying which digital certificates are effectively still in use, aiding administrators in removing obsolete profiles and unused IDs. It also reveals access to resources by watching your users and tracking the authorizations they make use of and those they do not.

Figure 2. zSecure is highly aware of the components of the certificate ecosystem
Drawing showing the usage and certification through the system

Easier compliance reporting for multiple and roll-your-own standards

Remember all that time you spent writing custom audit reports and checking to ensure they were properly testing for all the compliance requirements? Well, in zSecure 2.1, you get the ability to ease compliance reporting, including a user interface for the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) (DISA-STIG) and RACF standards. Now compliance reports can be standardized, stored in a library, and easily run by the auditors—not taking up your valuable time!

What's more, if you do need to write your own, there is a mechanism in place to standardize, store, and catalog them for later use. zSecure 2.1 comes with a library of compliance reports and lets you store the reports in a centralized repository. Now you can write the reports and allow the users to run them as needed, without your further involvement.

Figure 3. Sample output summary for compliance and auditing

Additional integration with QRadar SIEM

Keeping track of security events across multiple environments within z/OS is made easier by zSecure Audit; it provides this information to the IBM Security QRadar SIEM dashboard. This integration greatly eases the effort of reporting and following up on important events in the z/OS environment, including events occurring in RACF, ACF2, CICS, and DB2. You might even say "But QRadar SIEM functionality is a dense topic; zSecure and QRadar integration could be the subject of an entire series of articles." (For more on QRadar SIEM and how it interacts with zSecure, see Resources.)

Figure 4. Integration with QRadar SIEM brings security events from multiple systems to one console

Automation, best practices, saves time and effort

Your time, like mine, is too valuable to have to focus on producing audit reports, tracking security events, and worrying about digital certificate currency and obsolescence and how DB2 is being administered. I'm going to let zSecure 2.1 help me get back hours in my day; you can too.


