IBM z/OS V2.4 1Q 2021 enhancements enrich security, systems operations, and management

IBM Asia Pacific Software Announcement AP21-0094
March 16, 2021

Table of contents
OverviewOverviewTechnical informationTechnical information
Key requirementsKey requirementsOrdering informationOrdering information
Planned availability datePlanned availability dateTerms and conditionsTerms and conditions
DescriptionDescriptionAP distributionAP distribution
Program numberProgram number


Top rule

IBM® z/OS® is designed to keep applications and data available, systems highly secure, server utilization high, and to enable agile development. z/OS continuous delivery (CD) offers clients the opportunity to use new z/OS functions, capabilities, and technologies by applying service rather than upgrading.

This quarter's CD further extends the capabilities of z/OS V2.4 with enhanced and new functions that can benefit clients across areas of security, systems operations, and management. Key features delivered in this first-quarter CD release in support of z/OS V2.4 include:

  • IBM z/OS Workload Interaction Correlator. A z/OS priced feature that provides infrastructure to z/OS and middleware exploiters to generate synchronized, standardized, context-rich workload data. This data enables products such as the IBM z/OS Workload Interaction Navigator to enable sysplex-wide problem analysis.
  • IBM RACF® enhanced PassTicket algorithm with secret hash-based message authentication code (HMAC) key. Enhancements include a configurable validity period, optionally expanded character set, and improved PassTicket error diagnostics.
  • Enhanced file systems. Enhancements include improvements to the Network File System (NFS) server, enabling better compatibility with Microsoft™ Windows™ clients, and updates to IBM z/OS File System (zFS) administration commands to enable faster file system reconfiguration and improved availability.
  • Enhanced Cloud Provisioning and Management for z/OS. Includes improvements to template creation and management, simplified security configuration, and a domain-shared resource pool.
  • Enhanced IBM z/OS Management Facility (z/OSMF). z/OSMF Workflow improvements simplify searching and creation of workflows and their steps. The Security Configuration plug-in supports analysis of any piece of software through a JavaScript Object Notation (JSON) file.

Back to topBack to top

Key requirements

Top rule

z/OS V2.4 operates on the following IBM Z® servers:

  • IBM z15™ Models T01 and T02
  • IBM z14® Models M01-M05
  • IBM z14 Model ZR1
  • IBM z13®
  • IBM z13s®
  • IBM zEnterprise® EC12 (zEC12)
  • IBM zEnterprise BC12 (zBC12)

If you run z/OS V2.4 on IBM z/VM®, the z/VM release must be z/VM V6.4, or later.

For a complete description of z/OS V2.4 hardware requirements, see the z/OS V2.4 Planning for Installation (GA32-0890) web page.

Back to topBack to top

Planned availability date

Top rule

March 31, 2021

Back to topBack to top


Top rule

Resource Measurement Facility (RMF) enhancements

RMF has improved Postprocessor Reports by enhancing the Transport Class in the Cross-System Coupling Facility (XCF) Singling Report to include additional XCF performance statistics.

With the PTF for APAR OA60873, this enhancement is available on z/OS V2.4.

IBM z/OS Workload Interaction Correlator

The IBM z/OS Workload Interaction Correlator, announced in Software Announcement AP20-0030, dated January 21, 2020, 220-032, dated January 21, 2020 is a z/OS priced feature that provides infrastructure to z/OS and middleware exploiters to generate synchronized, standardized, context-rich data with a focus on low CPU cost. This data enables products such as the IBM z/OS Workload Interaction Navigator, announced in Software Announcement AP20-0095, dated February 25, 2020, to dynamically identify, temporally correlate, and visualize significant deviations from normal across z/OS and its middleware silos. Together, these technologies help a subject matter expert implicate and exonerate workload components and their activities and can reduce the time and skill required to diagnose the root cause of a z/OS workload performance problem.

z/OS Supervisor correlator data generation enhancements for products such as the z/OS Workload Interaction Navigator perform the following functions:

  • Identify interdependent activities to ease switching analysis among related activities
  • Define key activities with anomalies that warrant further attention
  • Enable sysplex-wide analysis to dynamically identify, temporally correlate, and visualize disparate client-specific anomalies with worst-offending jobs, across all sysplex members, across the z/OS stack, and on a single pane of glass, with no predefined policy

With the PTFs for APAR OA57165 and OA60372, these enhancements are available on z/OS V2.3 and later.

Enhanced support for NFS

The z/OS NFS Server has been enhanced to support Microsoft Windows clients. This enhancement no longer requires Windows clients to unmount and remount the NFS drives after the NFS Server has been restarted. This support helps clients who are migrating from Server Message Block (SMB) to z/OS NFS.

With the PTF for APAR OA59310, this enhancement is available on z/OS V2.3 and later.

Better administration capabilities for zFS

System administrators can now use a wildcard character in the aggregate name on the zfsadm chaggr command. This enhancement enables an administrator to change attributes of multiple zFS instances with a single command, rather than issuing several individual commands. For example, this added wildcard support could be used to assign the high-availability (HA) attribute to all mounted file systems. This enhancement can reduce the time required for reconfiguring zFS environments while maintaining their availability.

With the PTF for APAR OA59435, this enhancement is available on z/OS V2.3 and later.

RACF enhanced PassTicket support

RACF PassTicket capabilities are updated to support a new PassTicket algorithm option called "enhanced PassTickets". RACF PassTickets can be configured with either the legacy PassTicket algorithm or the enhanced PassTicket algorithm that uses a secret HMAC key. RACF supports the generation and evaluation of PassTickets with either the original PassTicket algorithm or the enhanced PassTicket algorithm based on system configuration. The RACF enhanced PassTicket support includes other enhancements, such as a configurable validity period, an optionally expanded character set, and improved PassTicket error diagnostics.

With PTFs for RACF APAR OA59196 and SAF APAR OA59197, these enhancements are available on z/OS V2.3 and later.

Cloud Provisioning and Management for z/OS

Cloud Provisioning and Management continues to deliver many new functions and improved user experiences with CD. The following capabilities expand Cloud Provisioning and Management provisioning capabilities and offer a robust software provisioning platform on z/OS.

  • Domain-shared resource pool

    The concept of a shared resource pool is expanded to include sharing resources across an entire domain. Previously, clients were limited to sharing a resource pool within a single tenant. By enabling multiple tenants within a domain to share a resource pool, clients can simplify resource management in a cloud provisioning environment. Administrators can create a domain-shared resource pool once and then enable resources from the pool to be shared across multiple tenants. In contrast, if an organization's z/OS environment requires resource isolation across tenants and templates, it is recommended that a tenant-specific shared resource pool for all available templates or a dedicated template-specific resource pool be defined for each tenant in the domain.

    No changes are required in the middleware provisioning template to use this function because cloud provisioning orchestration dynamically detects that the template is associated with a domain-shared resource pool and subsequently routes REST APIs to obtain resources from that pool.

  • Security simplification

    The default domain now supports manual security mode for creating templates and tenants. This option is intended for provisioning environments that do not use an automatic security mode. Previously, customers were required to create a new domain if their environment did not support an automatic security mode. Now, when the default domain is created at z/OSMF startup time, it is placed in manual security mode if the CLOUD_SEC_ADMIN parameter is not specified in the IZUPRMxx parmlib member.

    Cloud Provisioning and Management security definition sample IZUPRSEC is enhanced to configure a user ID that is not RACF SPECIAL for a cloud security administrator role. System programmers can specify a user ID that is not RACF SPECIAL for the CLOUD_SEC_ADMIN parameter.

  • Template and instance management

    Numerous enhancements are provided to help administrators efficiently manage templates and instances, including the following:

    • When a template is created, the domain administrator can identify that instances can be deleted automatically after they are deprovisioned. With this enhancement, domain administrators no longer are required to manually delete deprovisioned instances, which can reduce instance management overhead.
    • When creating a template, the domain administrator can now select an option to automatically archive provisioning workflows after the template is provisioned successfully. This helps the domain administrator to automatically manage the number of active workflows, which are limited to 200.
    • Domain administrators can:
      • Modify the published template and change the description of the template and other properties such as workflow and instance disposition.
      • Set a maximum time limit for a provisioned software instance, such as 7 days, 30 days, or unlimited. When consumers provision the template, they can select the time duration for their provisioned instance. When a provisioned instance exceeds its time limit, it is marked as expired, and the consumer who provisioned the instance and domain administrators are notified. Consumers can then deprovision the instance. This enhancement helps the domain administrator to clean up stale, expired instances in a timely manner and keep the provisioning environment in good health.

  • Resource management enhancements

    The following enhancements are provided in the cloud provisioning resource management function:

    • Support modification to the software service instance name prefix. If the naming convention for the provisioned instance is not properly established when resource pools are defined, the domain administrator can specify a different general name prefix or switch to using the SNA application ID as the prefix.
    • Externalization of APIs so that they can be programmatically invoked.

With the PTF for APAR PH29813, these enhancements were made available on z/OS V2.3 and later.


z/OSMF as the modernization platform of z/OS management continues to deliver many improved functions with z/OS V2.4. Enhancements have been made in the following areas:

  • z/OSMF Workflow Editor enhancements

    IBM introduced features to help simplify workflow creation with the z/OSMF Workflow Editor in Software Announcement AP20-0469, dated December 8, 2020.

    Additional enhancements include the following:

    • Users can open the Workflows task directly from the Workflows Editor by using the "Test" action, which provides a way to quickly create and run workflow instances using your workflow definition.
    • A path selector option is added to some input fields to assist with locating workflow files and templates on the system.

    With the PTF for APAR PH28532, these enhancements were made available on z/OS V2.3 and later.

  • z/OSMF Workflow plug-in

    The z/OSMF Workflow plug-in has been enhanced to support searching keywords from the content of workflow steps. This can help users quickly locate corresponding steps.

    With the PTF for APAR PH27725, this enhancement is available on z/OS V2.3 and later.

  • z/OSMF Security Configuration Assistant (SCA)

    The z/OSMF SCA plug-in is enhanced to support z/OS components, features, and products. Previously, SCA was able to give detailed information to a system programmer about the missing security rules for the z/OSMF component only. This capability is extended to any piece of software. A JSON file is created by exploiting the software that defines the security requirements. A properly permitted system programmer or the security administrator can run this plug-in and see in one list all the security rules that are missing and what that might mean. The SCA is designed to help system programmers understand security requirements of specific functions and quickly identify the function failure that would be caused by the incorrect security setup. Used as a vehicle to communicate between system programmers and security administrators, this information is designed to improve the time to value for software on z/OS. Several of the z/OS DFSMS features are planned to be among the first exploiters of this function because they provide security JSON descriptor files that can be imported to SCA.

    With the PTF for APAR PH29907, this enhancement is available on z/OS V2.3 and later.

Back to topBack to top

Hardware and software support services

Top rule

SmoothStart/installation services

IBM SmoothStart Services and Installation Services are not provided.

Back to topBack to top

Reference information

Top rule

For information about z/OS V2.5 Preview, see Software Announcement AP21-0051, dated March 2, 2021.

For additional information about z/OS and components with new capabilities in this continuous delivery release, see the following:

For information about z/OS V2.4, see:

  • Software Announcement AP20-0469, dated December 8, 2020
  • Software Announcement AP20-0455, dated October 13, 2020
  • Software Announcement AP20-0362, dated September 22, 2020
  • Software Announcement AP20-0211, dated June 16, 2020
  • Software Announcement AP20-0097, dated March 17, 2020
  • Software Announcement AP19-0199, dated December 10, 2019
  • Software Announcement AP19-0326, dated July 23, 2019
  • Software Announcement AP19-0011, dated February 26, 2019

For information about z15, see:

  • Hardware Announcement AG20-0056, dated August 4, 2020
  • Hardware Announcement AG20-0006, dated April 14, 2020
  • Hardware Announcement AG20-0013, dated January 14, 2020
  • Hardware Announcement AG19-0094, dated November 26, 2019
  • Hardware Announcement AG19-0032, dated September 12, 2019

For information about z14 Model ZR1, see:

  • Hardware Announcement AG18-0074, dated October 2, 2018
  • Hardware Announcement AG18-0018, dated April 10, 2018

For information about z14, see:

  • Hardware Announcement AG18-0074, dated October 2, 2018
  • Hardware Announcement AG17-0093, dated November 28, 2017
  • Hardware Announcement AG17-0044, dated July 17, 2017

For information about z13®, see:

  • Hardware Announcement AG19-0045, dated May 7, 2019
  • Hardware Announcement AG19-0017, dated February 12, 2019
  • Hardware Announcement AG16-0058, dated June 7, 2016
  • Hardware Announcement AG15-0060, dated March 3, 2015
  • Hardware Announcement AG15-0001, dated January 14, 2015

For information about z13s®, see:

  • Hardware Announcement AG16-0058, dated June 7, 2016
  • Hardware Announcement AG16-0002, dated February 16, 2016

For information about zEnterprise EC12, see Hardware Announcement AG12-0167, dated August 28, 2012

For information about zEnterprise BC12, see Hardware Announcement AG13-0134, dated July 23, 2013

Back to topBack to top

Availability of national languages

Top rule

The z/OS national language support features will become generally available when the executable code becomes available.

Translation information, if available, can be found at the Translation Reports website.

Back to topBack to top

Program number

Top rule

Program number VRM Program name
5650-ZOS V2.4 z/OS

Back to topBack to top

Technical information

Top rule

Specified operating environment

Hardware requirements

z/OS V2.4 runs on the following IBM Z servers:

  • z15 Models T01 and T02
  • z14 Models M01-M05
  • z14 Model ZR1
  • z13
  • z13s
  • zEnterprise EC12 (zEC12)
  • zEnterprise BC12 (zBC12)

For a complete description of z/OS V2.4 hardware prerequisites, see the z/OS V2.4 Planning for Installation (GA32-0890) web page.

Software requirements

The z/OS base is a system that can be IPLed. There are no software prerequisites in order to IPL. Specific functions might require additional products not included in the z/OS base or in the optional features of z/OS. See the z/OS V2.4 Planning for Installation (GA32-0890) web page for a listing of specific software requirements.


For compatibility information about z/OS V2.4, see Software Announcement AP19-0326, dated July 23, 2019.

Planning information

Direct client support

To obtain information on client eligibility and registration procedures, contact the appropriate support center.

Security, auditability, and control

Data security and auditability in the z/OS environment are enhanced by the functions available in the optional Security Server for z/OS feature.

The client is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.

Back to topBack to top

Ordering information

Top rule

New licensees

Not applicable.

For ordering information on the base program, z/OS V2.4, see Software Announcement AP19-0326, dated July 23, 2019.


A program directory is supplied automatically with the basic machine-readable material.

To access the unlicensed z/OS product documentation, start at the z/OS Internet Library. It contains direct links to the following repositories and content:

  • IBM Knowledge Center sections for z/OS V2.4 and other supported releases.
  • z/OS V2.4 Library, hosted on Resource Link®, to download individual or grouped PDFs. An IBMid and password are required.
  • Adobe™ Indexed PDF Collections (SC27-8430) to easily conduct offline searches on the z/OS product documentation.
  • Downloadable collections of IBM Knowledge Center plug-ins for clients who host their own instances of IBM Knowledge Center for z/OS (KC4z).
  • IBM Z and LinuxONE content solutions, which provide comprehensive and interactive content such as workflows, videos, and content collections.
  • IBM Z Publications Library Archive, to obtain as-is content for out-of-service products and releases.

PDF collections are provided in the "zip" format that any modern zip utility can process.

Licensed documentation

Subsequent updates (technical newsletters or revisions between releases) to the publications shipped with the product will be distributed to the user of record for as long as a license for this software remains in effect. A separate publication order or subscription is not needed.

Back to topBack to top

Terms and conditions

Top rule

The terms are unaffected by this announcement.

Back to topBack to top

Statement of good security practices

Top rule

IT system security involves protecting systems and information through prevention, detection, and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, or misappropriated or can result in misuse of your systems to attack others. Without a comprehensive approach to security, no IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products, or services to be most effective.

Important: IBM does not warrant that any systems, products, or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

Back to topBack to top

AP distribution

Top rule

Country/Region Announced
India/South Asia ** Yes
Australia Yes
Hong Kong Yes
Macao SAR of the PRC Yes
Mongolia Yes
New Zealand Yes
People's Republic of China Yes
South Korea Yes
Taiwan Yes

* Brunei Darussalam, Cambodia, Indonesia, Lao People's Democratic Republic, Malaysia, Myanmar, Philippines, Singapore, Thailand, Timor-Leste, and Vietnam

** Bangladesh, Bhutan, India, Maldives, Nepal, and Sri Lanka


z15 is a trademark of IBM Corporation in the United States, other countries, or both.

IBM, z/OS, RACF, IBM Z, IBM z14, IBM z13, IBM z13s, zEnterprise, z/VM, z13, z13s and Resource Link are registered trademarks of IBM Corporation in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Adobe is a trademark of Adobe Systems Incorporated in the United States, and/or other countries.

Other company, product, and service names may be trademarks or service marks of others.

Terms of use

IBM products and services which are announced and available in your country can be ordered under the applicable standard agreements, terms, conditions, and prices in effect at the time. IBM reserves the right to modify or withdraw this announcement at any time without notice. This announcement is provided for your information only. Reference to other products in this announcement does not necessarily imply those products are announced, or intend to be announced, in your country. Additional terms of use are located at

Terms of use

For the most current information regarding IBM products, consult your IBM representative or reseller, or go to the IBM worldwide contacts page

IBM Directory of worldwide contacts