In Montpellier last month there was much talk of the security enhancements in z/OS 1.12, on which I had intended to blog earlier. Now, thanks to the excellent zSecure newsletter (subscriptions available from the z Security team at IBM; message me for contact details), I have been prompted to write this. The key enhancements are:-
• A discrete general resource profile whose name contains generic characters (*, % or &), defined in a class for which generics are not enabled (SETROPTS GENERIC or GENCMD not active for the class), is often called a "ghost" profile. RACF never selects such a profile during authorisation checking, so it protects nothing, but once defined it confuses and annoys RACF administrators and system programmers: as soon as generics are active for the class, RDELETE interprets the name as generic and cannot find the discrete profile, so until now the only way to remove it was to switch generics off for the whole class. RACF now provides a NOGENERIC keyword on the RDELETE command so that you can delete these profiles directly, together with a GENERIC=N option on the R_admin DELETE function.
• RACF now issues a warning message when a profile whose name contains generic characters (*, % or &) is defined in a class for which generics are not active, so new ghosts are at least flagged at creation time.
• Prior to z/OS V1.12, RACF keeps up to 4 in-storage sets of generic profile names (generic anchors) per address space, one per general resource class or, for DATASET, one per high-level qualifier, to speed up authorisation checks on resources covered by generic profiles. If an address space references more than 4 sets, RACF discards the least recently used list. If a discarded HLQ or class is referenced again, the list is rebuilt from the RACF database, and an address space that cycles through more than 4 sets can end up rebuilding on almost every reference (thrashing). With V1.12 you can raise the number of sets, system-wide or per job name, up to a maximum of 99 (RACF subsystem command SET GENERICANCHOR).
• The SAFTRACE facility allows an in-depth analysis of the calls made from resource managers to RACF. With V1.12, you can filter SAFTRACE records for RACROUTE and database (ICHEINTY) access by class and by user ID, which makes it practical to trace a single application without drowning in the rest of the system's calls.
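How to find the ghosts in the first place, as an added example that is not from the original post or from IBM: a Python script that scans the 0500 (general resource basic data) records of an IRRDBU00 database unload for profiles flagged discrete whose name contains a generic character, and emits the RDELETE ... NOGENERIC command for each. The column offsets are my reading of the IRRDBU00 0500 layout and the sample records are constructed, so check the offsets against the RACF Macros and Interfaces manual for your release before running it against a real unload.

```python
"""Ghost-profile finder for an IRRDBU00 unload (added example, not IBM code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Generic characters that make a name a ghost candidate when the profile
# is flagged discrete.
GENERIC_CHARS = frozenset("*%&")

# Assumed IRRDBU00 0500 column layout (1-based, inclusive), as I read it:
#   1-4     record type ("0500")
#   6-251   profile name
#   253-260 class name
#   262     generic flag ("Y" or "N")
# Verify against the RACF Macros and Interfaces manual for your release.
NAME_COLS = (6, 251)
CLASS_COLS = (253, 260)
GENERIC_COL = 262


def _field(line: str, first: int, last: int) -> str:
    """Extract 1-based inclusive columns, tolerating short lines."""
    return line[first - 1:last].rstrip()


@dataclass(frozen=True)
class GhostProfile:
    class_name: str
    profile: str


def parse_0500(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (class, profile, generic flag) for a 0500 record, else None."""
    if line[:4] != "0500":
        return None
    name = _field(line, *NAME_COLS)
    class_name = _field(line, *CLASS_COLS)
    generic = _field(line, GENERIC_COL, GENERIC_COL)
    return class_name, name, generic


def find_ghost_profiles(lines: Iterable[str]) -> List[GhostProfile]:
    """Discrete profiles (generic flag N) whose name contains *, % or &."""
    ghosts = []
    for line in lines:
        rec = parse_0500(line)
        if rec is None:
            continue
        class_name, name, generic = rec
        if generic == "N" and GENERIC_CHARS.intersection(name):
            ghosts.append(GhostProfile(class_name, name))
    return ghosts


def rdelete_commands(ghosts: Iterable[GhostProfile]) -> List[str]:
    """One RDELETE per ghost. NOGENERIC (new in z/OS 1.12) makes RACF match
    the name as a discrete profile even though it contains generic
    characters; without it the command looks for a generic profile."""
    return [f"RDELETE {g.class_name} {g.profile} NOGENERIC" for g in ghosts]


def make_0500(class_name: str, profile: str, generic: str) -> str:
    """Build a constructed 0500 record in the assumed column layout."""
    return "0500 " + profile.ljust(246) + " " + class_name.ljust(8) + " " + generic


# Constructed sample unload: a plain discrete profile, a real generic, two
# ghosts, and an unrelated 0100 (group) record that must be skipped.
SAMPLE_UNLOAD = [
    make_0500("FACILITY", "MYAPP.ADMIN", "N"),
    make_0500("FACILITY", "MYAPP.*", "Y"),
    make_0500("FACILITY", "MYAPP.BATCH.%", "N"),         # ghost
    make_0500("XFACILIT", "MYAPP.&RACUID.TOKEN", "N"),   # ghost
    "0100 SYS1" + " " * 250,
]

if __name__ == "__main__":
    for cmd in rdelete_commands(find_ghost_profiles(SAMPLE_UNLOAD)):
        print(cmd)
```

Run it over the output of an IRRDBU00 unload rather than against the live database; review the generated commands before issuing them, since a name containing & may be a legitimate discrete profile using a RACF variable in a class where that is intended.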
There are a number of improvements for ICSF, including:-
◦ New ICSF segment on CSFKEYS, GCSFKEYS, XCSFKEY and GXCSFKEY profiles allows you to control whether a secure key may be used as a high-performance (CPACF protected) key, via the segment's SYMCPACFWRAP field
◦ ICSF segment fields may be extracted using RACROUTE REQUEST=EXTRACT,BRANCH=YES
◦ Mapping of in-storage ICSF segment information is in ICHPISP SAF mapping macro
◦ ICSF segment is unloaded by IRRDBU00 as record type 05G0
◦ RACF panels are populated with initial values for the ICSF segment
• RACDCERT and PKI Services enhancements include:
◦ Support for elliptic curve cryptography (ECC) when creating certificates and when processing certificates created using ECC
◦ Support for RSA keys up to 4096 bits
◦ Support for DSA key types
◦ Support for long issuer distinguished names
◦ Certificate validity dates can now extend beyond the previous limits (PKI Services: 2038, RACF: 2041), up to the year 9999
◦ Support for certificate management protocol (CMP)
◦ Support for custom X.509 certificate extensions
◦ Support for the posting of certificates and certificate revocation lists (CRLs) to LDAP at any time
◦ Configurable maintenance task execution time
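Going back to the generic anchor change: a way to decide what anchor count an address space actually needs, as an added example that is not from the original post or from IBM. It models the pre-1.12 behaviour (a fixed LRU list of 4 sets of generic profile names, one per class or DATASET HLQ) and replays a trace of references against different counts, so you can see the thrashing the post describes and pick the smallest 1.12 setting that stops it. The trace here is constructed; in practice you would derive the sequence of classes and HLQs from a SAFTRACE of the address space, and the model is a simplification of RACF's real list management.

```python
"""Generic-anchor thrashing model (added example, not IBM code)."""
from collections import OrderedDict
from typing import Dict, Iterable, Optional, Sequence

DEFAULT_ANCHORS = 4   # the fixed count before z/OS 1.12
MAX_ANCHORS = 99      # the 1.12 ceiling


def rebuilds_for(trace: Sequence[str], anchors: int) -> int:
    """Count generic-list rebuilds when `anchors` LRU slots serve `trace`.

    Model (assumed, simplified): each distinct key, a general resource class
    or a DATASET high-level qualifier, owns one anchor. A reference to a key
    with no anchor costs one rebuild from the RACF database and, when every
    slot is in use, evicts the least recently used key.
    """
    if anchors < 1:
        raise ValueError("anchors must be positive")
    cache: "OrderedDict[str, None]" = OrderedDict()
    rebuilds = 0
    for key in trace:
        if key in cache:
            cache.move_to_end(key)      # refresh recency, no rebuild
            continue
        rebuilds += 1                   # list must be (re)built
        cache[key] = None
        if len(cache) > anchors:
            cache.popitem(last=False)   # discard least recently used
    return rebuilds


def rebuilds_by_count(trace: Sequence[str], counts: Iterable[int]) -> Dict[int, int]:
    """Rebuild count for each candidate anchor count, for comparison."""
    return {n: rebuilds_for(trace, n) for n in counts}


def smallest_non_thrashing_count(trace: Sequence[str],
                                 lo: int = DEFAULT_ANCHORS,
                                 hi: int = MAX_ANCHORS) -> Optional[int]:
    """Smallest count in [lo, hi] at which every set is built exactly once
    (rebuilds == distinct keys), i.e. no steady-state thrashing; None if
    even `hi` anchors are not enough."""
    distinct = len(set(trace))
    for n in range(lo, hi + 1):
        if rebuilds_for(trace, n) == distinct:
            return n
    return None


# Constructed trace: a batch step that round-robins over five DATASET HLQs.
# With 4 anchors every single reference misses; with 5 each is built once.
SAMPLE_TRACE = ["PROD", "TEST", "HR", "FIN", "ARCH"] * 20

# Constructed trace that fits comfortably in the default: two HLQs only.
SMALL_TRACE = ["PROD", "TEST"] * 10

if __name__ == "__main__":
    for n, r in rebuilds_by_count(SAMPLE_TRACE, (4, 5, 8)).items():
        print(f"{n:2d} anchors -> {r:3d} rebuilds over {len(SAMPLE_TRACE)} references")
    print("smallest non-thrashing count:", smallest_non_thrashing_count(SAMPLE_TRACE))
```

The pattern to watch for is rebuilds close to the number of references: that is the address space rebuilding a list it discarded a moment earlier. Raising the count to just above the number of distinct sets the job touches removes the rebuilds entirely; going higher buys nothing but storage.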
The full z/OS 1.12 announcement letter can be found here
z/OS 1.12 security enhancements