A few blog entries ago I promised an overview of the security-related enhancements in z/VSE 6.2.
Here they are:
- OpenSSL component of z/VSE (z/VSE Cryptographic Services):
  - is upgraded to OpenSSL 1.0.2h to benefit from newer SSL/TLS functions for enhanced encryption of data in flight. Note that upstream support for the OpenSSL 1.0.2 branch ended on 31 December 2019, so later fixes for this component have to come from IBM rather than from upstream releases.
  - Elliptic Curve Cryptography (ECC) hardware acceleration on a Crypto Express6S in CCA coprocessor mode is used transparently. If the hardware is not available, the ECC software implementation continues to be used.
  - Clients can choose to use OpenSSL in their online and batch applications for enhanced security of data at rest and data in flight, and for more flexibility.
- Ability to use OpenSSL for CICS Web Support:
  - Clients using CICS Web Support with SSL/TLS can now choose between the OpenSSL component delivered as part of the z/VSE operating system and the SSL component of a TCP/IP stack. This simplifies the configuration, gives clients more flexibility, and lets them take advantage of the OpenSSL security features.
- EZA 'Multiplexer' and EZA OpenSSL support:
  - The EZA 'Multiplexer' simplifies the use of the EZA interface with any TCP/IP stack. Clients can configure which EZA interface phase is to be used for a given TCP/IP stack ID.
  - It also allows clients to use OpenSSL for the EZA SSL/TLS interface, independent of the TCP/IP stack in use.
- Ability to use SSL/TLS connections for remote VTAPEs, so that sensitive tape data is encrypted at the transport layer while it crosses the network.
- Basic Security Manager (BSM) simplifies the administration of batch resources:
  - The z/VSE Basic Security Manager (BSM) distinguishes between repositories for online and for batch security definitions. The repository that protects batch resources is the phase DTSECTAB; it contains library, sublibrary, member, and file definitions. Whereas online resources can easily be maintained using the dialogs of the Interactive User Interface (IUI), DTSECTAB needs to be updated separately for each batch resource. To simplify the administration of batch resources, z/VSE 6.2 provides a common interface for both online and batch resources: an IUI dialog that builds a DTSECTAB containing the resources specified.
- Enhanced LDAP sign-on support:
  - z/VSE provides a RESET option for the LDAP user mapping tool that clears the cached password hash for a user. This forces a full LDAP sign-on the next time the user signs in.
  - z/VSE provides wildcard support for the CHANGE and DELETE commands of the LDAP user mapping tool, so that multiple user records can be modified or deleted with one command. This allows clients, for example, to generate a new VSE password for all mapped users with one command.
- VSE/POWER enables TLS 1.0 (and higher) for PNET SSL connections. TLS 1.0 and 1.1 have since been deprecated (RFC 8996), so prefer TLS 1.2 wherever both PNET nodes support it.
- IBM IPv6/VSE V1.3 enhancements:
  - New FTP server security interface to simplify security definitions:
    - FTP access to the z/VSE file system is protected using the Basic Security Manager (BSM) or any other External Security Manager (ESM) product that clients may choose. This lets clients simplify their security definitions by using the resource class FACILITY as a single source.
  - SSH (Secure Shell) copy facility for secure file transfer using SSH to and from z/VSE:
    - This facility uses a Linux pass-through image to establish an SSH connection to a remote host, providing secure file transfer to and from z/VSE. It is compatible with the IBM TCP/IP for z/VSE product, LFP, z/VM IP Assist, and the z/VSE Network Appliance.
  - Enhanced security through an encrypted password facility: passwords are no longer stored as clear text on the system.
- IBM TCP/IP for z/VSE V2.2 enhancements: support for the TLS 1.1 and TLS 1.2 protocols for enhanced security.
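Several of the items above (the OpenSSL 1.0.2h upgrade, TLS for PNET, TLS 1.1/1.2 in IBM TCP/IP for z/VSE) only pay off once the endpoints actually negotiate the newer protocol versions and stop accepting the old ones. The script below is an added example from the editor, not code from the page or from IBM: it probes a host and port from a workstation with Python's standard `ssl` module, pinning each handshake to exactly one TLS version, and then grades the result against the policy that TLS 1.2 or 1.3 must work and TLS 1.0/1.1 should not (RFC 8996). The host, port and the finding texts are assumptions of this example; certificate validation is deliberately switched off because trust is not what is being measured.

```python
"""Probe which TLS protocol versions a server accepts and grade the result.

Added example (not z/VSE code). Usage: python tls_probe.py HOST PORT
"""
import socket
import ssl
import sys

# Protocol versions to offer, one handshake each.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def _context_for(version):
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Certificate trust is not under test here; only version negotiation is.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # OpenSSL 3 will not even offer TLS 1.0/1.1 at its default security
        # level; lower it so that a refusal really comes from the server.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL and older builds do not know @SECLEVEL
    return ctx


def probe(host, port, timeout=5.0):
    """Return {version_name: ("accepted", proto, cipher) | ("refused", reason)}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = _context_for(version)
        except ValueError as exc:
            # The local build was compiled without this version at all.
            results[name] = ("refused", f"local build cannot offer it: {exc}")
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = ("accepted", tls.version(), tls.cipher()[0])
        except (ssl.SSLError, OSError) as exc:
            # A refusal here can also be the local OpenSSL declining to speak
            # an old version; the reason string tells the two apart.
            results[name] = ("refused", str(exc))
    return results


def assess(results):
    """Turn probe results into findings: TLS 1.0/1.1 are deprecated (RFC 8996)
    and at least one of TLS 1.2/1.3 must be negotiable."""
    findings = []
    accepted = {name for name, r in results.items() if r[0] == "accepted"}
    for old in ("TLS 1.0", "TLS 1.1"):
        if old in accepted:
            findings.append(f"{old} still accepted; disable it unless a legacy peer needs it")
    if not accepted & {"TLS 1.2", "TLS 1.3"}:
        findings.append("neither TLS 1.2 nor TLS 1.3 accepted; the new protocol support is not in effect")
    return findings


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    outcome = probe(host, port)
    for name, r in outcome.items():
        print(f"{name}: {' '.join(r)}")
    for f in assess(outcome):
        print("FINDING:", f)
```

Run it once against each TLS-enabled service after the upgrade (CICS Web Support, the EZA listener, the PNET port, remote VTAPE) and keep the output with the change record; a version that the script reports as "refused" because the local OpenSSL would not offer it is not evidence that the server refuses it, so read the reason string before closing a finding.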
This summary of the z/VSE 6.2 security enhancements is taken from the z/VSE 6.2 Release Guide, which you can download from the z/VSE Documentation web page - here.
Have a good weekend.