IBM Security zSecure support for 64-bit addressing
JeroenTiggelman
The announcement letter for IBM
IBM Security zSecure suite can help you protect your enterprise, detect threats, comply with policy and regulations and reduce costs. Most of the products run on the z/OS operating system.
The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, and zSecure Adapters for QRadar SIEM is called the CARLa Auditing and Reporting Language (CARLa). (This technically applies to zSecure Visual also, but as an end user you do not usually make direct use of the script language when using that product.)
Before release 2.2.0 the CARLa script language was processed by the CKRCARLA program. As of zSecure 2.2.0 the CKRCARLA program is a stub program that calls the CKR4Z program. The CKR4Z program is very similar to the former CKRCARLA program; it uses 31-bit addressing. The CKR8Z196 program is the 64-bit addressing edition of the former CKRCARLA program. CKR8Z196 originally shipped in a disabled state: if you tried to run it, it would issue message "CKR2246 12 This variant of CKRCARLA is not yet available and needs an enabling PTF".
IBM Security zSecure Audit helps review the security of the system in various ways, e.g. by formatting log records from the System Management Facilities (SMF) event log. IBM Security zSecure Adapters for QRadar SIEM send enriched SMF information to IBM Security QRadar SIEM. The Access Monitor component of zSecure Admin records access use in the system (including accesses that are not logged in SMF) in a compressed format.
The zSecure Audit Compliance Testing Framework was added in zSecure 1.13.1 (2012). A user interface was first provided in zSecure 2.1.0 (2013). The Security Technical Implementation Guide (STIG) from the United States Defense Information Systems Agency (DISA) provides a framework for ensuring that security is set up properly. IBM Security zSecure Audit helps automate compliance control points belonging to this standard as well as for the P
64-bit addressing was introduced to the mainframe by z/Architecture in 2000 through the z900. Later hardware (z800, z990, z890, z9, z10, z196, z114) has added progressively more 64-bit capable machine instructions.
An inherent feature of 64-bit addressing is that 8-byte addresses are required, where 31-bit addressing used 4-byte addresses. This implies that more virtual memory is required to hold the larger address variables. It also implies that more memory needs to be read (and written) to address the data. This raises some questions about the performance of a 64-bit addressing capable program vs. a 31-bit addressing program. For this reason zSecure has chosen to provide the CKR8Z196 program so that it runs on z196 and later hardware. The z196 introduced a number of (types of) machine instructions that allow better performance when using 64-bit addressing than older hardware. (Note that the name "CKR8Z196" contains the "8" for "8-byte addresses" and "Z196" to remind you that a z196 or better is required.)
The 64-bit addressing edition of the CARLa engine allows processing larger amounts of data by allowing many data structures to reside "above the bar". For existing queries the amount of storage used "below the bar" is less. (The "bar" is the 2GB line, i.e., memory "above the bar" cannot be addressed through a 31-bit address.) Using this feature requires z196 or later hardware.
The main functions for which this is likely to be beneficial are:
- processing large amounts of SMF data at once;
- processing very large intervals of zSecure Admin Access Monitor data at once;
- processing rule-based compliance reports (AU.R);
- processing data for many security databases and LPARs at once.
Performance optimizations have been made. The CKR8Z196 program shipped in the SSE has performance roughly comparable to that of the original CKR4Z program. The CKR4Z program as shipped in the SSE has become faster.
Scoping enhancements have been made (in addition to the scoping enhancements that were made in the original zSecure 2.2.0 release).
Documentation has been provided in a technote.
To fully benefit from these enhancements you need to run zSecure 2.2.0 on z196 or later hardware. On older hardware you cannot use the CKR8Z196 program, but you still benefit from the performance enhancements made to the CKR4Z program and from the scoping improvements.
This SSE is only available for zSecure 2.2.0. Behavior of the CKRCARLA program (which you likely have in your JCL etc.) is unchanged: it will always call the CKR4Z program (which uses 31-bit addressing). To enable use of the 64-bit engine in the user interface, go to option SE.0 (run options) and select the newly available choice 3 for "program to run" on the second panel. This requires z196 or later hardware. If you want to use the 64-bit addressing program CKR8Z196 in a batch job, you need to call the program directly from it at this time. (Although a design intention of the CKRCARLA program is to dynamically call CKR4Z or CKR8Z196 based on criteria such as the hardware the program is running on, it was deemed unsuitable to change this default behavior in a service stream update.) Some notes on implications of the new program structure can be found in the zSec
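As an added example (not from the original post and not IBM code), this Python helper scans JCL for steps that invoke the CARLa engine and reports which engine and addressing mode each step gets under the program mapping described above. The function name and the sample JCL are constructed for illustration; steps that execute a procedure are not resolved.

```python
import re

# Program-to-engine mapping as described in this post (zSecure 2.2.0 with the SSE).
ENGINES = {
    "CKRCARLA": ("CKR4Z", 31),     # stub: always calls the 31-bit engine
    "CKR4Z": ("CKR4Z", 31),
    "CKR8Z196": ("CKR8Z196", 64),  # requires z196 or later hardware
}

# JCL statement: '//' + optional step name, the EXEC operation, then its operands.
EXEC_RE = re.compile(r"^//(\S*)\s+EXEC\s+(\S+)")
PGM_RE = re.compile(r"(?:^|,)PGM=([A-Z0-9@#$]+)")

def classify_steps(jcl_text):
    """Return (stepname, program, engine, addressing_bits) per CARLa engine step."""
    found = []
    for line in jcl_text.splitlines():
        if line.startswith("//*"):       # JCL comment statement
            continue
        m = EXEC_RE.match(line[:71])     # ignore continuation/sequence columns
        if not m:
            continue
        step, operands = m.group(1), m.group(2)
        pgm = PGM_RE.search(operands)
        if pgm is None:                  # EXEC of a procedure: not resolved here
            continue
        name = pgm.group(1)
        if name in ENGINES:
            engine, bits = ENGINES[name]
            found.append((step, name, engine, bits))
    return found

# Constructed sample JCL (job, step and procedure names are made up).
SAMPLE_JCL = """\
//AUDIT    JOB (ACCT),'CARLA REPORT'
//* PGM=CKR8Z196 mentioned in a comment must be ignored
//STEP1    EXEC PGM=CKRCARLA,REGION=0M
//SYSPRINT DD SYSOUT=*
//STEP2    EXEC PGM=CKR8Z196,REGION=0M
//STEP3    EXEC PGM=IEFBR14
//STEP4    EXEC SOMEPROC
"""

if __name__ == "__main__":
    for step, program, engine, bits in classify_steps(SAMPLE_JCL):
        print(f"{step}: PGM={program} runs {engine} ({bits}-bit addressing)")
```

Steps reported as 31-bit are the ones that would need `PGM=CKR8Z196` to use the 64-bit engine in batch.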
Note that this SSE also replaces the CKR4Z program almost entirely. In addition, the CKFCOLL (zSecure Collect for z/OS), CKGRACF (a component of zSecure Admin and zSecure Visual), CKNSERVE (zSecure server), CKX (command execution utility), C2RIMENU (interactive menu), and C2RSUB (submission) programs have been replaced almost entirely, and the C2POLICE (zSecure Alert address space), C2PACMON (zSecure Admin Access Monitor component), and C2XACTV (zSecure Exit Activator) programs have changes as well. User interface updates, on the other hand, are quite marginal.
Since this effectively replaces most of the engine programs related to the CARLa-driven components of zSecure for z/OS, it pulls in or supersedes most prior maintenance to zSecure 2.2.0, and future maintenance to zSecure 2.2.0 is quite likely to have this deliverable as a prerequisite. Note that this update is unrelated to zSecure CICS Toolkit and zSecure Command Verifier. (And of course it does not directly apply to zSecure Manager for RACF z/VM, which runs under z/VM.)
Some gotchas you can run into (such as z/OS APAR OA50672) and instructions for configuring zSecure Alert to run with the CKR8Z196 program can be found in the technote. At the present time, it is not possible to configure zSecure Visual (the Windows front-end for decentral administrators) to use the CKR8Z196 program.
If you are planning to migrate from an older zSecure release to zSecure 2.2.0, you are strongly encouraged to ensure this maintenance is included immediately. That way, you will also bypass some quirks in the scoping updates in the original zSecure 2.2.0 release.
Note that moving data structures above the 2GB bar provides virtual storage constraint relief below the bar. If you were planning to use the OPTIMIZE=STORAGE option first provided for zSecure 2.1.1 through APAR OA47619, you might want to check if using 64-bit addressing mode removes the need to do so.
Edit: The User
Edit: zSecure 2.2.1 has 64-bit exploitation enabled by default. It ships with updates to SETUP OUTPUT (SE.7) to allocate larger report files etc.
If you have any questions, please post them here or on the zSecure forum. You can also visit the zSecure community and wiki. The I