IBM Security zSecure, Version 2.3.0

Release notes

IBM® Security zSecure™ V2.3.0 is available. Read this document to find important installation information. You can also learn about compatibility issues, limitations, and known problems.

For information about the new features for zSecure V2.3.0, see What's new for zSecure V2.3.0.

For information about the zSecure documentation and steps to obtain the licensed publications, see zSecure documentation.

If you are upgrading from a version of IBM Security zSecure that is older than V2.2.1, also see the Release Information for the versions that you skipped. You can find the documentation for all versions in the IBM Knowledge Center for IBM Security zSecure Suite.

Announcement

The zSecure V2.3.0 announcement (ENUS217-367) includes information about the following topics:
  • Prerequisites
  • Technical information
  • Ordering information
  • Terms and conditions

System requirements

This section lists the minimum and advised processor, disk space, and memory requirements for the zSecure V2.3.0 products and solutions:
  • Processor, minimum: CKR4Z: z9 Business Class (BC) or higher (Note: No known issues on z800, although not supported); CKR8Z196: z196 or higher
  • Processor, advised: IBM System z9® or z10™ Enterprise Class (EC) or z9® or z10™ Business Class (BC); CKR8Z196: z196 or higher
  • Disk space: 300 MB minimum, 450 MB advised
  • Memory: 1 GB minimum, 2 GB advised
For programming and space requirements for CICS Toolkit, Command Verifier, and RACF-Offline, see the following Program Directories:
All other CARLa-driven components of zSecure have a common Program Directory: Program Directory for IBM Security zSecure Suite: CARLa-driven components.

Supported platforms and applications

IBM Security zSecure products are supported on the following platforms and applications:
  • IBM z/OS version 2 release 1 (V2R1) through z/OS version 2 release 3 (V2R3)
  • CICS Transaction Server version 4 release 1 (V4R1) through version 5 release 4 (V5R4)
  • DB2 version 10 release 1 (V10R1) through DB2 version 12 release 1 (V12R1)
  • IMS version 13 (V13) through version 14 (V14)
  • IBM MQ version 8 (V8) through IBM MQ version 9 (V9)
  • CA ACF2 release 15 through 16
  • CA Top Secret release 15 through 16
  • Microsoft Windows Server 2008, 2012, and 2016
  • zSecure Visual Client requires Microsoft Windows 7, 8, or 10
  • All currently supported versions of WebSphere HTTP server
  • Integrated Cryptographic Services Facility (ICSF) is supported up to HCR77C0
zSecure no longer supports the following platforms and applications:
  • DB2 version 9 release 1 (V9R1)
  • IMS V12
  • CA ACF2 release 14
  • CA Top Secret release 14

Installing IBM Security zSecure

For a complete installation roadmap on all steps to install, configure, and deploy a new installation of zSecure or an upgrade to zSecure V2.3.0, see the IBM Security zSecure CARLa-Driven Components: Installation and Deployment Guide.

This documentation is available with the product at the IBM Knowledge Center for IBM Security zSecure Suite V2.3.0.

Incompatibility warnings

NEWLIST TYPE=RACF field TUPT
The default width for field TUPT increased by 1 (one) to accommodate an 8-character TSO user prefix.
Using RECREATE CARLa members in locally developed scripts
CARLa members in SCKRCARL for the RECREATE functions in zSecure Admin have changed. If you include members starting with CKRXC or CKRXR in your locally developed CARLa scripts or batch jobs, be aware of changes in these members.

The newlist names that are used to select profiles in CKRXRACR have changed from DACL and RACL to REFRSEL. CKRXCRE and CKRXCREE now require a defined field RECREATE_CLASS instead of NEW_CLASS, to align with the RECREATE_KEY field.

CKRXRRE and CKRXRREE have the same support to specify the class name externally, so RECREATE_CLASS must be defined before including these members in your CARLa job.

When you recreate profiles to the same class, add this line to your calling CARLa program:
DEFINE RECREATE_CLASS(8) AS CLASS
When you copy profiles to another class, add this line to your calling CARLa program, where newclass is the destination class name:
DEFINE RECREATE_CLASS(8,HDR$BLANK,"newclass") TRUE
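A pre-upgrade check for locally developed CARLa scripts that applies the RECREATE changes described above, as an added example (not IBM code). It assumes the scripts have been exported as plain text; the `include` lines in the constructed samples stand in for however your script pulls in the member, because the scan only looks at tokens.

```python
import re

# Members that, per the release notes, need RECREATE_CLASS defined before inclusion.
NEEDS_RECREATE_CLASS = {"CKRXCRE", "CKRXCREE", "CKRXRRE", "CKRXRREE"}
MEMBER_RE = re.compile(r"\bCKRX[CR][A-Z0-9]{0,3}\b", re.I)
DEFINE_RE = re.compile(r"\bDEFINE\s+(RECREATE_CLASS|NEW_CLASS)\b", re.I)
OLD_NEWLIST_RE = re.compile(r"\b(DACL|RACL)\b", re.I)

def check_carla(text):
    """Return (line_number, finding) tuples for one CARLa script."""
    findings, old_names = [], []
    recreate_defined = uses_ckrxracr = False
    for no, line in enumerate(text.splitlines(), 1):
        m = DEFINE_RE.search(line)
        if m and m.group(1).upper() == "RECREATE_CLASS":
            recreate_defined = True
        elif m:
            findings.append((no, "NEW_CLASS defined; V2.3.0 members expect RECREATE_CLASS"))
        for member in (w.upper() for w in MEMBER_RE.findall(line)):
            uses_ckrxracr = uses_ckrxracr or member == "CKRXRACR"
            if member in NEEDS_RECREATE_CLASS and not recreate_defined:
                findings.append((no, f"{member} referenced before RECREATE_CLASS is defined"))
        old_names += [(no, n.upper()) for n in OLD_NEWLIST_RE.findall(line)]
    # DACL/RACL only matter when the script builds on CKRXRACR's newlists.
    if uses_ckrxracr:
        findings += [(no, f"newlist name {n} referenced; CKRXRACR now uses REFRSEL")
                     for no, n in old_names]
    return findings

# Constructed samples (not real site scripts); "include" is an assumed placeholder.
SAMPLE_OLD = """\
define NEW_CLASS(8) as class
include CKRXCRE
include CKRXRACR
select likelist=DACL
"""
SAMPLE_NEW = """\
DEFINE RECREATE_CLASS(8) AS CLASS
include CKRXCRE
include CKRXRACR
select likelist=REFRSEL
"""

if __name__ == "__main__":
    for no, finding in check_carla(SAMPLE_OLD):
        print(f"line {no}: {finding}")
```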
AU.R evaluation standards: subsets that are saved
In V2.2.1 and V2.2.0 subsets are saved in the CKACUST data sets in a #SUBSETS index member and a member that contains a list of the compliance members that are selected for the saved subset. V2.3.0, and V2.2.1 and V2.2.0 with APAR OA53309, change this behavior and save subsets in member SUB#SETS in your CKACUST data set.
Existing saved subsets are automatically migrated the first time that a user saves a subset or deletes a subset that was already saved. After migration, users of zSecure V2.2.0 and V2.2.1 without APAR OA53309 can no longer work with the migrated saved subsets.
Message CKR0617
Message CKR0617 is currently sometimes issued without reason and suppressed in zSecure Access Monitor jobs as a bypass. Severity of message CKR0617 was raised to 04 to better indicate the cause of issuing message CKR0381.
Alert table
A new version of the Alert table has been shipped. The first time SE.A.A is used, the alert definitions in C2PCUST are upgraded with the new Alert table. A Verify using the new release of the Alert table generates CARLa code that will not execute correctly with older releases of zSecure. Do not use SE.A.A from zSecure V2.3.0 on a shared C2PCUST data set until all LPARs sharing the C2PCUST data sets have been upgraded.

Migration considerations

A new version of the National Language Support (NLS) table is shipped to introduce new options in RE and IN menus. If your installation has customized the options or menus using SE.D.N, log on with a user ID that has UPDATE access to the CKRPROF data set and start option SE.D.N in zSecure V2.3.0.

Alert skeletons have been reorganized. Existing installation-defined alert skeletons should continue to work, but care must be given to the following changes:

COMPAREOPT

The COMPAREOPT parameter was previously specified on the alert specification panel, but was optionally included in the alert skeleton with release 2.2.1. With release 2.3.0, all standard alerts have the COMPAREOPT parameter removed from the alert table, and the COMPAREOPT command moved from member C2PSGLOB to the respective alert skeletons. Installation-defined alerts that relied on the COMPAREOPT command in C2PSGLOB should also move it into their own skeleton.

C2PSSENS
RACF alerts 1212 and 1213 and ACF alerts 2212 and 2213 use a common member C2PSSENS to generate CARLa code. With zSecure 2.3.0, this member has been refactored with a new member C2PSDFSE containing common code. If you have installation-defined alerts that were cloned from these standard alerts, that is, alerts that contain an )IM C2PSSENS or refer to newlist names that were created by these alerts, verify that they still work as before.
SENSREAD and SENSUPDT
Syntax requirements for these whitelist members were very loosely checked in prior releases. With zSecure 2.3.0, these members are converted into CARLa EXCLUDE statements. The values in the whitelist members must now meet the requirements of SELECT/EXCLUDE commands: all three fields must be valid literals or generic filters. The parser for these members can be used to process installation-defined whitelist members, for use in installation-defined alerts. If a whitelist member MYPRIVAC exists in C2PCUST, with the same fields as SENSREAD, you can process this member by including these commands in your skeleton:
)CM Pass one query
)SEL &C2PEPASS = Y
)SET SENSDEF  = MYPRIVAC
)IM C2PSDFSE
)ENDSEL
and reference the generated CARLa in your event selection like so:
)SEL &C2PEPASS = N
)IM C2PSGNEW
  select likelist=recent likelist=MYPRIVAC
C2PSINIT and C2PXINIT, &C2PENSEL
Members C2PSINIT and C2PXINIT in SCKRSLIB and C2PCUST, resp., are available to initialize dialog variables. These variables can be used to reduce generation of similar or identical code in skeletons. For an example, see alert 1409, member C2PS1409.
Dialog variable C2PENSEL can be used to remember that a function has already been executed during the interpretation of a skeleton. This field is cleared when the skeleton is interpreted for Stage 1, and again when Stage 2 interprets the skeleton. See alert 1107, member C2PS1107.
Message generation
Message generation has been rewritten, using a message formatting skeleton. This resulted in more conformity of the messages and, as a side effect, minor changes in the contents of messages. If you rely on the contents of messages for automated processing, check the layout.
Customization of messages
The layout of the start of alert messages can be customized, up to a point, through member C2PXFMSG. For example, the system name can be included at the beginning of email subject lines.

Limitations and known problems

At the time of publication of this Release Notes document, no limitations or known problems exist. Limitations and problems that arise after publication are documented in technotes. Therefore, regularly scan for updates on IBM Security zSecure at IBM's Search support and downloads site. A general documentation technote lists all updates to the documentation of 2.3.0 since availability.

You might also want to scan the following recommended fixes. Some of these fixes introduce new functions and features.
