IBM z/OS Version 2 Release 3 enhancements and statements of directionIBM Europe Software Announcement ZP18-0562
November 13, 2018
|Table of contents|
IBM's z/OS® V2.3 operating system continuously delivers innovations designed to build and improve the highly scalable and securable next-generation infrastructure needed. IBM® z/OS V2.3 delivers the performance, availability, scale, I/O support, and security to provide this infrastructure, giving businesses the ability to instantly react to opportunities.
z/OS is designed to support companies' most mission-critical work while meeting stringent service levels, illustrated by clients that include the world's leading banks, financial services companies, healthcare enterprises, and governments. Focusing on three critical areas, security, simplification, and cloud, z/OS V2.3 enables extensive encryption of data, helps simplify the overall management of the z/OS ecosystem to increase productivity, and provides a simple, consumable approach for self-service provisioning and rapid delivery of software-as-a-service, helping companies to leverage the API economy.
This z/OS V2.3 announcement delivers the following new user experience, security, data protection, application development, and software installation capabilities:
- Simplify and modernize the user experience to enhance productivity:
- z/OS MF, the modern web interface for z/OS, has been enhanced for easier use and expanded capabilities in several areas, including workflows and sysplex management.
- Enhanced security and data protection:
- Ease-of-use improvements and stronger security technology have been delivered in the Integrated Cryptographic Service Facility (ICSF). ICSF helps protects data that is stored within a system, in a file on magnetic tape off a system, and sent between systems from unauthorized disclosure or modification.
- A new z/OSMF plug-in called the zERT Network Analyzer is now available to visually determine which z/OS TCP and Enterprise Extender traffic is or is not cryptographically protected.
- Improving and simplifying application development:
- Container Pricing for IBM Z®, providing simplified and transparent software pricing for qualified solutions, allowing broader application deployment on Z at a competitive price
- An upgraded version of X-Windows virtual framebuffer (Xvfb), enabling a client to run graphical applications without a physical display device
- Numerous improvements to simplify use of the Network File System (NFS), UNIX® System Services, z/OS Web Enablement Toolkit, program management binder, and the Language Environment®:
- New function in the z/OS NFS Server allows for the sharing of compressed data sets.
- Iconv utility enhancements when converting data from Unicode to other CCSIDs.
- Potential to reduce the size of the program object or load module with the program management binder enhancement.
- Enhanced authentication support for the Web Enablement Toolkit HTTP proxy function.
- Serviceability enhancement to Language Environment Dumps.
- Improvements that simplify z/OS platform software installation for the Z ecosystem:
- IBM intends to help drive z/OS platform-wide improvements in installation and deployment, along with functions that are intended to enable other software vendors to use them.
Back to top
Simplify and modernize the user experience to enhance productivity
The z/OSMF Sysplex Management task is enhanced by the PTF for APAR PI99307 so you can modify sysplex resources such as switching alternate/primary couple data set, set physical or logical path online or offline, reallocate structure, and so on.
z/OSMF supports Liberty 22.214.171.124 with the PTF for APAR PH02887.
z/OSMF Capacity Provisioning is enhanced to display the current weight of the LPAR where business-critical workload is running, as well as its weight share among all active LPARs of the CPC with the PTF for APAR PH00085.
z/OSMF supports the DISPLAY command to display the current setup of z/OSMF with the PTF for APAR PH00712.
z/OSMF supports the EXPORT WORKFLOW AS PRINTABLE FORMAT command with the PTF for APAR PH00582.
z/OSMF Workflow is enhanced with the PTF for APAR PH03053 to support the Array type of variable, which could contain a set of values.
z/OSMF Operator Consoles task is enhanced to support sticking WTOR messages on the top of the console and automatically cleaning up messages on the UI side with the PTF for APAR PI99365.
Enhanced security and data protection
On December 3, 2018, Cryptographic Support for z/OS V2.2 to z/OS V2.3 (HCR77D0) can be downloaded from the z/OS downloads website.
The contents of this new release of ICSF are as follows:
- Support for ISO-4 format PIN blocks as described in the ISO-9564-4 standard. In addition to a new service, CSNBPTR2 PIN Translate 2, the following services will be updated to support ISO-4 format PIN blocks: Clear PIN Encrypt (CSNBCPE), DK PIN Verify (CSNBDKPV), DK PIN Change (CSNBDKPC), and DK PAN Modify in Transaction (CSNBDKMT). This enhancement requires CCA Release 5.4, or later, on CEX5S or CCA Release 6.1, or later, on CEX6S.
- Three-key TDES Keys. Currently, only DATA key types are available in 3-key TDES key types. This enhancement allows for the following key types to be operational as a 3-key TDES key: CIPHER, ENCIPHER, DECIPHER, EXPORTER, IMPORTER, MAC, MACVER, IPINENC, OPINENC, PINGEN, and PINVER. This enhancement requires CCA Release 5.4, or later, on CEX5S or CCA Release 6.1, or later, on CEX6S. With CCA Release 6.2, 3-key TDES keys will also be able to be "tagged" for PCI Compliance.
- DK Key Diversification. The German Banking Industry Committee (GBIC) has introduced a new key diversification scheme such that a single diversification key can be used to generate keys with different key usage attributes. A new key type is introduced, KDKGENKY, as well as a new callable service, Diversify Directed Key (CSNBDDK). The following callable services are updated in support of DK Key Diversification: Diversified Key Generate 2 (CSNBDKG2), Key Token Build 2 (CSNBKTB2), and Key Generate 2 (CSKBKGN2). This enhancement requires CCA Release 5.4, or later, on CEX5S or CCA Release 6.1, or later, on CEX6S.
- ISO-20038 Key Wrapping. In support of the ISO-20038 standard, the TR-31 Import (CSNBT31I) and TR-31 Export (CSNBT31X) callable services will be updated to use AES IMPORTER and EXPORTER key types for key wrapping. This enhancement requires CCA Release 5.4, or later, on CEX5S or CCA Release 6.1, or later, on CEX6S.
- CCA redirection for Regional Crypto Enablement. Certain CCA callable services will have the ability to direct the request to a regional crypto device. This enhancement introduces the concept of "RCS Redirection" through a new XFACILIT resource and also adds the concept of an "RCS Token" to existing symmetric key token types. Included with this addition is the ability for a regional crypto device to support the cryptography primitives required for z/OS Dataset Encryption.
- With CCA Release 6.2, symmetric keys can now be restricted from being eligible for CPACF protected key. With updated flags in the control vector, it is possible to mark a key as either eligible or ineligible for being exported for CPACF use as a protected key. Support for CCA 6.2 will require Cryptographic Support for z/OS V2.2 to z/OS V2.3 (HCR77D0) plus PTF.
- ICSF will provide ChaCha20 and Poly1305 algorithm support via the PKCS#11 interfaces.
- With HCR77D0, clients will have the ability to apply service to a running ICSF instance without causing an interruption to their applications. When ICSF service is available on a system, ICSF will have a new operator command that will allow running requests to finish, pause incoming requests, prepare to restart with the service libraries, and then stop ICSF. Through system automation (preferred), ICSF will be restarted and the paused requests will be resumed without a visible interruption. Note: Applications or system components that make use of PKCS#11 session objects should be quiesced prior to issuing the SETICSF PAUSE command.
- ICSF will now be able to start much earlier in the IPL process such that ICSF should be available for work as early as full function start. ICSF is also adding new ways to provide installation options via a more standard PARMLIB interface.
- The following security enhancements are being added to ICSF:
- KGUP can be made to honor CSFKEYS resource profiles.
- KGUP can be configured to require higher permission when performing destructive operations on an existing key, such as UPDATE or DELETE.
- It is now possible to permit a user or group to a CSFKEYS resource but only for specific callable services.
- It is possible to have ICSF prepend a system name to a CSFKEYS resource prior to the SAF check.
- A new ISPF browser has been added for the PKDS.
- The 32-byte limit on the CKA_LABEL attribute of PKCS#11 key objects has been lifted.
- It is now possible to provide a CKDS label of a clear key to the CSNBKYT service.
- The key verification pattern written to SMF records after a successful Operational Key Load function will honor the MASTERKCVLEN keyword in the ICSF installation options dataset.
- The Operational Key Load ISPF Panel utility has been updated to allow the specification of the key wrapping scheme when importing the key.
- A new BSI mode, BSI 2017, has been added to the EP11 Coprocessor.
- The callable services PKCS#11 Wrap Key (CSFPWPK) and PKCS#11 Unwrap Key (CSFPUWK) will be updated to accept AES-GCM as a key wrapping mechanism for secret and private clear keys.
- A new DISPLAY ICSF, MKVPs operator command can be used to display the master key verification patterns recorded in the ICSF key data stores in comparison with the same MKVPs in online crypto coprocessors in such a way that discrepancies can be detected.
z/OS Encryption Readiness Technology (zERT) Network Analyzer
To further enable Pervasive Encryption for IBM Z regarding z/OS network traffic, a new z/OSMF plug-in called the zERT Network Analyzer will be delivered to visualize the data recorded by z/OS V2.3 Communications Server zERT. With this new Network Analyzer, z/OS network security administrators can formulate and execute queries over the data reported in SMF 119 subtype 12 "zERT Summary" records to easily determine which z/OS TCP and Enterprise Extender traffic is or is not protected according to the specific query criteria. The zERT Network Analyzer will be shipped on z/OS V2.3 as a PTF for APAR PH03137.
Improving application development
Container Pricing for IBM Z
z/OS V2.2 and later supports the recently announced updates for Container Pricing for IBM Z. This includes these updates:
- Development and Test Solution, as announced in Software Announcement ZP18-0392, dated October 2, 2018
- New Application Solution, as announced in Software Announcement ZP18-0393, dated October 2, 2018
Container Pricing provides simplified and transparent software pricing for qualified solutions, combining flexible deployment options with competitive economics that are directly relevant to those solutions. Note that z/OS V2.1 also supports these updates; however, it has an added requirement that the solutions are in separate LPAR configurations.
Upgraded X-Windows virtual framebuffer
With the PTF for APAR OA55855, an upgraded version of X-Windows virtual framebuffer (Xvfb) has been provided for z/OS V2.2 and V2.3. Formerly included in the IBM Ported Tools for z/OS product, the PTFs for this APAR deliver Xvfb X11R6.9 and is now included as part of the z/OS program product. Xvfb is an in-memory display server and enables a client to run graphical applications without a physical display device. It is especially useful when testing an X-Windows server without using real hardware.
Support for Compressed Data Sets by NFS Server
New function in the z/OS NFS Server allows for the sharing of compressed data sets. The use of compressed data sets requires no configuration changes to the NFS Server and is transparent to end users. This support is provided with the PTF for APAR OA54846 for z/OS V2.2 and V2.3.
iconv utility enhancements
An enhancement has been made to the iconv utility of z/OS UNIX System Services with the PTF for APAR OA54559 for z/OS V2.2 and V2.3 to allow for the removal of the BOM (Byte-Oriented Mark) from the beginning of Unicode (UTF-8, UTF-16, and UTF-32) byte streams. The new - B option is useful when converting data from Unicode to other CCSIDs, by eliminating the substitution character that would otherwise be placed at the beginning of the output buffer.
Web Enablement Toolkit HTTP proxy enhancements
Client applications using the z/OS Web Enablement Toolkit are often required to communicate with the outside world via a proxy server. With the PTF for APAR OA54902, the HTTP proxy support provided by the toolkit has been enhanced to provide both basic authentication to "authenticating" proxy servers and AT-TLS interoperability support for proxy users. This new support is available on z/OS V2.2 and V2.3.
Enhancement to program management binder
New function has been added to the program management binder to remove unreferenced sections (CSECTs) from a program object or load module. A new binder option called STRIPSEC=IGNEXP (Ignore Export) will remove unreferenced sections (CSECTs) even though they are in the exported symbols table. This support is available with the PTF for APAR OA53262 for z/OS V2.2 and V2.3 and has the potential of reducing the size of the program object or load module.
Serviceability enhancement to Language Environment Dumps
To improve serviceability of high-level language programs, enhancements have been made to the Language Environment IPCS LEDATA Verbexit and CEEDUMP to show full service level information in the traceback section, when users use the SERVICE compiler option to specify the service level string of COBOL, PL/I, or XL C/C++ programs. This enhancement is available with the PTF for APAR PI91583 on z/OS V2.3.
Enhancing availability, scalability, and performance
RPFC for XRC GA
z/OS Global Mirror (zGM), also known as Extended Remote Copy or XRC, combines hardware and z/OS software for an asynchronous remote copy solution to allow critical data to be mirrored between the application and recovery sites while maintaining consistency. A new enhancement to zGM removes existing restrictions and limitations by allowing a FlashCopy® between primary volumes at the application site that is then mirrored at the recovery site between secondary volumes without disrupting the mirror or consistency at the recovery site. This new function, known as Remote Pair FlashCopy (RPFC), was designed to enable production data, production point-in-time copies, and backup data to be available at all sites while maintaining both high availability and disaster recovery capability without recovery point objective (RPO) increase. The function is available on z/OS V2.2 and later via PTFs for APAR OA55068 and requires new zGM PARMLIB values to be enabled at both the application and recovery sites. In addition, RPFC exploits IBM DS8880 Cascaded FlashCopy functionality and requires DS8000® LMC as indicated in Hardware Announcement ZG18-0097, dated August 21, 2018.
DFSORT additional exploitation of zHPF
Prior experience with High Performance FICON® for System z® (zHPF) has shown improved performance over EXCP for DFSORT's access of basic and large format sequential SORTIN, SORTOUT, and OUTFIL data sets. DFSORT had previously used BSAM to gain access to zHPF, but a new enhancement will enable DFSORT to create channel programs that exploit zHPF with SORTWORK data sets. This is intended to provide I/O performance improvements without the need for application changes. The function is available on z/OS V2.2 and later via PTFs for APAR PI99290.
z/OS platform software installation improvements
As announced in Software Announcement ZP16-0504, dated October 4, 2016, and Software Announcement ZP17-0108, dated February 21, 2017, IBM and other leading industry software vendors have been collaborating on a variety of installation-related improvements. IBM intends to help drive z/OS platform-wide improvements in installation and deployment, along with functions that are intended to enable other software vendors to use them. Many of the functions designed to meet these requirements are now available in the z/OS MF component of z/OS V2.2 in PTFs, and more functions are planned. More information is available in Software Announcement ZP17-0316, dated July 17, 2017, and Software Announcement ZP17-0653, dated November 21, 2017.
See those prior announcements for more detail.
In the fourth quarter of 2018, IBM plans to provide the first stage of support for initiating workflows from z/OSMF Software Management within a sysplex with the PTF for APAR PH02650. This support will be designed to allow workflows to be defined for a software instance, exported as part of a software instance, and driven during or after deployment operations; it is intended to help you complete setup tasks for the products included in software instances provided by software vendors that provide the necessary supporting workflows. Also, this function partially satisfies the related Statement of Direction in Software Announcement ZP17-0108, dated February 21, 2017.
Back to top
OAM Cloud Storage
IBM intends to deliver a new cloud tier to OAM's existing storage hierarchy, which will provide the ability to store and manage primary copies of OAM objects on cloud storage, via public or private cloud infrastructures supporting the Amazon S3 API, and the ability to recall an object stored in the cloud to the disk level of the storage hierarchy. OAM managed backup copies will continue to be supported as they are today to removable media, typically virtual or physical tape.
OSA Support Facility support
OSA Support Facility (OSA/SF) is an element of z/OS that has been used to configure devices on Open Systems Adapter (OSA) cards used for the SNA protocol and to support and manage all OSA features. OSA/SF in z/OS has both a graphical user interface as well as a REXX API. On EC12/BC12 systems, IBM introduced support to configure these devices on the latest generation OSA adapters (OSA Express5S) and to support and manage these adapters exclusively using the Hardware Management Console (HMC), with no capability to configure or manage devices on these adapters provided in the z/OS OSA/SF application. The OSA/SF on the HMC functionality can be used to configure and manage OSA-Express4S and newer generation adapters. With this statement of direction, IBM is announcing that z/OS V2.3 is planned to be the last release of the operating system to support the OSA/SF functionality. No change to the OSA cards' strategic importance to z/OS is meant by this change. z/OS continues to support the networking operational use of OSA adapters.
Statements by IBM regarding its plans, directions, and intent are subject to change or withdrawal without notice at the sole discretion of IBM. Information regarding potential future products is intended to outline general product direction and should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for IBM products remain at the sole discretion of IBM.
Back to top
- Software Announcement ZP17-0316, dated July 17, 2017 (z/OS V2.3 GA)
- Hardware Announcement ZG17-0017, dated July 17, 2017 (z14)
Back to top
All European, Middle Eastern, and African countries, except Islamic Republic of Iran, Sudan, Syrian Arab Republic.
IBM, z/OS, IBM Z, Language Environment, FlashCopy, DS8000, FICON and System z are registered trademarks of IBM Corporation in the United States, other countries, or both.
Windows is a trademark of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other company, product, and service names may be trademarks or service marks of others.
For the most current information regarding IBM products, consult your IBM representative or reseller, or go to the IBM worldwide contacts page