z/VSE 5.2 provides several security and encryption enhancements. Today I want to give some more details.
Here is a brief overview of the new z/VSE 5.2 security / encryption enhancements:
Support for the latest crypto card on zEC12 / zBC12: the configurable Crypto Express4S feature.
Separation of the auditor function from the administrator function:
So far the administrator has been responsible for the resource profile definitions, the audit options and the collection of the logging information. With the new user type AUDITOR you can now separate the logging information and the system-wide audit options from the administrator function.
Extension of the IUI security dialogs to support MQ classes
Since z/VSE 4.3 the Basic Security Manager (BSM) supports MQ resource classes. Now those resource classes can be managed via a new BSM panel (BSM Resource Classes).
Unique Group (GPR) and User Id (UID) names are ensured
With z/VSE 5.2 the BSM will no longer allow new groups with the same name as existing user ids and vice versa.
Integration of openSSL
The openSSL open source project provides Secure Socket Layer (SSL), Transport Layer Security (TLS) and key management utilities. We integrated the openSSL 1.0.1e level. z/VSE SSL applications such as the z/VSE Connector Server or the LDAP client can now run transparently with openSSL.
openSSL to GSK interface
z/VSE 5.2 provides the OS/390 GSK API for openSSL.
Key store conversion
Now you can manage different SSL key store types, e.g. the openSSL and the CSI key store type.
The Language Environment (LE) Multiplexer is enhanced to separate SSL functions from other socket API functions.
New LDAP batch tools for LDAP search, add, modify and delete are introduced.
Monitoring Agent (SNMP) security enhancements
The Simple Network Management Protocol (SNMP) is not encrypted. The Monitoring Agent now checks whether the source IP address of each incoming packet matches a ruleset in the configuration file.
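To illustrate the kind of source-address check described above, here is an added example (not z/VSE code, and the allow/deny rule syntax is an assumption for this example, not the Monitoring Agent's actual configuration file format): a first-match-wins ruleset evaluated against the source IP of each incoming packet, with unmatched sources denied.

```python
# Added illustration of a source-address ruleset for an unencrypted SNMP agent.
# The rule syntax ("allow <cidr>" / "deny <cidr>") is assumed for this example;
# it is not the z/VSE Monitoring Agent's configuration file format.
import ipaddress

# Constructed sample ruleset. First matching rule wins, so the more specific
# deny entry must precede the broader allow entry that would otherwise cover it.
SAMPLE_RULESET = """
# one host on the management network that must not poll the agent
deny 10.1.2.99/32
# management station network
allow 10.1.2.0/24
allow 192.0.2.10
"""

def parse_ruleset(text):
    """Return a list of (action, network) tuples in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        # strict=False accepts a bare host address as a /32 (or /128) network
        rules.append((parts[0], ipaddress.ip_network(parts[1], strict=False)))
    return rules

def source_allowed(rules, source_ip):
    """First matching rule decides; a source matching no rule is dropped."""
    addr = ipaddress.ip_address(source_ip)
    for action, net in rules:
        if addr.version == net.version and addr in net:
            return action == "allow"
    return False   # default deny: unknown sources never reach the agent

def filter_packets(rules, packets):
    """packets: list of (source_ip, payload); return only payloads to process.
    Note that a UDP source address can be forged, so this filter limits
    exposure but does not authenticate the sender."""
    return [payload for src, payload in packets if source_allowed(rules, src)]
```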
VSE/VSAM IDCAMS security
The IDCAMS tool provides a number of backup / restore, define / delete and catalog maintenance commands. Those IDCAMS commands can now be protected using RACROUTE security checks. The administrator controls access to IDCAMS commands by using BSM resource profiles of resource class FACILITY, called IDCAMS.GENERAL.
More information on the security functionality is in the z/VSE Administration and z/VSE TCP/IP Support books.
Both books can be downloaded from our z/VSE Documentation web page.
The z/VSE TCP/IP Support book is still in the update process. I expect it to be available on our web page in about a month.
If you want to get an overview of z/VSE's (BSM) security, I recommend the IBM Redbook "Security on IBM z/VSE".