Release notes for zSecure 2.5.0
IBM Security zSecure 2.5.0 has been available since September 30, 2021. In June 2022, a
Service Stream Enhancement (SSE) was published.
Read this document to find important
installation information and learn about compatibility issues, limitations, and known
problems.
For information about the new features for zSecure 2.5.0, see What's new for zSecure 2.5.0.
For information about the zSecure documentation, see zSecure Suite documentation. For steps to access the licensed User Reference Manuals for RACF, ACF2, and Top Secret, see Obtain licensed documentation.
If you are upgrading from a version of zSecure that is older than 2.4.0, also see the Release notes for the versions that you skipped for IBM® Security zSecure Suite.
This document consists of the following sections:
Announcement
- Description
- Technical information
- Ordering information
- Terms and conditions
IBM Z Security and Compliance Center 1.1
On April 5, 2022, IBM announced the Z Security and Compliance Center. This new solution provides a dashboard for compliance evidence that is based on SMF 1154 records. It includes all the functionality of IBM Security zSecure Audit and relies on the zSecure CARLa and Collect engines.
The Z Security and Compliance Center includes the z/OS Compliance Integration Manager component, which provides a started task that is required to create SMF 1154 records for the following z/OS subsystems: Console, DFSMS, InetD, IMS, IMS-Connect, IMS-OM, IBM MQ, SMF, SSHD, and z/OS UNIX System Services. Other subsystems write their own SMF 1154 records.
The Program Directory for Z Security and Compliance Center, Compliance Integration Manager Component contains information concerning the material and procedures that are associated with the installation of the z/OS Compliance Integration Manager.
System requirements
Requirement | Minimum | Advised |
---|---|---|
Processor | An IBM Z® server that is capable of supporting z/OS® 2.3 or later. | |
Disk space | 1 GB | 1.5 GB |
Memory | 1 GB | 2 GB |
For the Z Security and Compliance Center requirements, see the Program Directory for IBM Z Security and Compliance Center Compliance Integration Manager Component or the Technical information section in the announcement.
- Program Directory for IBM Security zSecure CICS Toolkit
- Program Directory for IBM Security zSecure Command Verifier
- Program Directory for IBM Security zSecure Admin RACF-Offline
CARLa-driven components) of zSecure have a common Program Directory: Program Directory for IBM Security zSecure Suite: CARLa-driven components.
Supported platforms and applications
- IBM z/OS 2.3 through z/OS 2.5
- IBM z/VM® 7.1, 7.2, and 7.3
- CICS Transaction Server 5.3 through 6.1
- Db2® 12.1
- IMS 15.1 and 15.2
- IBM MQ 9.1 and IBM MQ 9.2
- CA ACF2 Release 16
- CA Top Secret Release 16
- Microsoft Windows 10, Windows Server, in support by Microsoft
- zSecure Visual Client requires Microsoft Windows 10
- All currently supported versions of WebSphere® HTTP server
- Integrated Cryptographic Services Facility (ICSF) is supported up to HCR77D2
- IBM z/OS 2.2
- IBM z/VM 6.4
- IMS Version 14
- Db2 11.1
- IBM MQ 8.0 through IBM MQ 9.0.x
- CICS TS 4.1 and 5.2
Installing IBM Security zSecure
- Program Directory for IBM Security zSecure Suite: CARLa-driven components
- Program Directory for IBM Security zSecure Admin RACF-Offline
- Program Directory for IBM Security zSecure Command Verifier
- Program Directory for IBM Security zSecure CICS Toolkit
- Program Directory for IBM Security zSecure Administration
- Program Directory for IBM Security zSecure Compliance and Administration
- Program Directory for IBM Security zSecure Compliance and Auditing
- Program Directory for IBM Z Security and Compliance Center Compliance Integration Manager Component
For a complete installation roadmap on all steps to install, configure, and deploy a new installation of zSecure or an upgrade to zSecure 2.5.0, see the zSecure CARLa-Driven Components Installation and Deployment Guide.
This unlicensed documentation is available with the product and at the IBM Documentation for IBM Security zSecure Suite 2.5.0. To obtain access to the licensed documentation, send an email to zDoc@nl.ibm.com; include your IBM ID and your organization's customer number. Following registration, you will receive a link to the IBM Security zSecure Suite Library.
Incompatibility warnings
- Version changes in DISA z/OS STIG (February 2023)
- z/OS STIG (Security Technical Implementation Guides) included controls that were specific to
z/OS and z/OS Products. With z/OS STIG version 6, release 43 (6.43), DISA split z/OS STIG into two
separate standards: z/OS Products STIG and z/OS STIG. z/OS STIG version 8 was introduced, while the
z/OS Products STIGs continued to follow version 6.
With the implementation of this SSE, zSecure Audit incorporates the changes that DISA introduced into the implementation of the STIG standard. As a result of this split, the following changes are observed in zSecure:
- The reported version in z/OS RACF/ACF2/TSS STIG version 6 drops from 6.52 to 6.43. Release 43 is the last applicable release for z/OS RACF/ACF2/TSS STIG version 6.
- z/OS Products STIG continues to be updated under version 6. The release is now reported as LATEST, because the release number can vary among products.
- z/OS RACF/ACF2/TSS STIG version 8 is introduced.
- BMC INCONTROL IOA (February 2023)
- The following DISA STIG controls no longer require the use of a SIMULATE SUBSYS statement to
simulate an active INCONTROL IOA environment for the BMC INCONTROL family of products. zSecure now
has the capability to automatically detect INCONTROL IOA resources and assign a sensitivity. As a
result, existing configurations in the C2RG@IDF customization member are no longer needed and will
be ignored when the controls are evaluated.
ZCTDA020
ZCTDR020
ZCTMA020
ZCTMR020
ZCTOA020
ZCTOR020
ZIOAA020
ZIOAR020
- CSSMTP_TS_TYPE default output length increased (February 2023)
- The default output length of the SMF newlist field CSSMTP_TS_TYPE has been increased from 6 to 7 characters.
- LIST USER statements (July 2022)
- The LIST USER TAG field U-PASSINT now shows NONE (instead of 255) for non-protected users that have no password interval. The output of LIST USER commands without a TAG option has a changed layout (and can show more information than before). The layout is not intended to be a programming interface.
- CKGRACF (June 2022)
- When manipulating USRDATA through CKGRACF for fully qualified generic dataset profiles, it is now required to explicitly mark the profile as a GENERIC profile. Previously, all profiles that were not explicitly marked as either generic or discrete were assumed to be generic. Discrete profiles were not supported. With this update, discrete profiles are supported, but generic profiles without generic characters must be marked explicitly as generic.
- SMF field CC_SERIAL is a repeated field (June 2022)
- The NEWLIST TYPE=SMF field CC_SERIAL has become a repeated field. This implies that the field is shown on the detail display by default.
- Support dropped for configurable sensitivity types BMCMVSTC_ and BMCIOASTC_
- zSecure Audit now supports automatic determination of the data set names that belong to the
started tasks of the BMC Integrated Operations Architecture (IOA) and BMC MainView products. As a
consequence, the support for the configurable sensitivity types BMCMVSTC_ (used in rule set
ZMVZR001) and BMCIOASTC_ (used in rule set ZIOAR001) was dropped. Be aware that these configurable
assertions are now silently ignored in the compliance evaluation of the rule sets ZMVZR001 and
ZIOAR001. If BMCMVSTC_ and BMCIOASTC_ configurations were specified in the past, these
specifications will still be reported from the assertion history log (option AU.R.H). The following changes apply:
- Users are no longer required to specify the started task data set names for the configurable sensitivity types BMCMVSTC_ and BMCIOASTC_
- The zSecure user interface no longer produces the CONFIGS and CONFIGX reports for controls CKAGOA01 and CKAGMV01 to enable configuration of sensitivity types BMCMVSTC_ and BMCIOASTC_
- Remaining SIMULATE statements for sensitivity types BMCMVSTC_ and BMCIOASTC_ in member ACPCNFG can be removed; these are ignored.
- Generated output no longer held in spool
- Sample procedures for the zSecure started tasks have been changed to no longer generate HELD output. If you require output to be HELD, modify the sample procedures to specify a different output class, or add the HOLD=YES specification to the SYSOUT file.
- TN3270 Telnet SMF records sent to SIEM
- In the representations of TN3270 Telnet server and client SMF records (record type 118 with subtypes 4, 20, 21, 200, and 201, and record type 119 with subtypes 20, 21, 22, and 23) that are sent to SIEM applications (for example, IBM QRadar® SIEM) using CARLa scripts CKQLEEF and CKQLEEFL, the cmd field was replaced with the action field.

action field replaces cmd field

Previous situation: cmd field values | Current situation: action field values |
---|---|
LGON, LOGN | LOGON |
LGOF, LOGF | LOGOFF |

In the representations of TN3270 Telnet server and client SMF records (record type 118, subtype 4, 20, 21, 200, 201, and record type 119, subtypes 20, 21, 22, and 23) that are sent to Micro Focus ArcSight using CARLa script CKQCEFG, the information that the request field used to convey is now found in the header of a record representation.

Header information replaces request field

type-subtype | Previous situation: request field value | Current situation: header value |
---|---|---|
118-4 | LGON | logon TN3270 client |
118-4 | LGOF | logoff TN3270 client |
118-20, 119-20 | LOGN (or missing) | logon TN3270 server |
118-21, 119-21 | LOGF (or missing) | logoff TN3270 server |
119-22 | (missing) | init TN3270 client |
119-23 | (missing) | term TN3270 client |

- PROTECTED_ZVM was removed
- The PROTECTED_ZVM variable was removed from the C2RXDEF1 include member. PROTECTED_ZVM was the equivalent of the PROTECTED variable for RACF for z/VM databases. You can now use the built-in field PROTECTED for both z/VM and z/OS.
- CKXLOGID changed to CKXLOG
- The CKXLOGID primary command was changed to CKXLOG to avoid confusion with the CKXLOGID TSO command.
- zSecure Admin RACF Access Monitor: retain jobname information
- In previous versions of RACF Access Monitor, it was
possible to retain jobname information for user IDs that are a proper substring of another user ID,
while removing jobname information for that second user ID. For example:
- Retain jobname information for user ID XYZZY
- Drop jobname information for user ID XYZZYZ
- STIG members renamed
- Several SCKRCARL members were renamed, either from a generic name to a member name that is specific to an External Security Manager (ESM), or from an ESM-specific member name to a general member name.

Table 1. SCKRCARL generic member names renamed for RACF, ACF2, and Top Secret systems

Control | Original member | Renamed member (RACF) | Renamed member (ACF2) | Renamed member (Top Secret) |
---|---|---|---|---|
AAMV0410 | C2RGM410 | CKAGM410 | C2AGM410 | CKTGM410 |
AAMV0420 | C2RGM420 | CKAGM420 | C2AGM420 | CKTGM420 |

STIG ID ZCICR021 was renamed to STIG ID ZCICR038 as specified in the z/OS IBM CICS Transaction Server for RACF Security Technical Implementation Guide. The SCKRCARL member was renamed accordingly.

Table 2. SCKRCARL member names for RACF, ACF2, and Top Secret systems renamed to generic member name

Control | Original member (RACF) | Original member (ACF2) | Original member (Top Secret) | Renamed member |
---|---|---|---|---|
IUTN0020 | CKAGIU20 | C2AGIU20 | CKTGIU20 | C2RGIU20 |

Table 3. SCKRCARL member name renamed for RACF

Control | Original member | Renamed RACF member |
---|---|---|
ZCICR021 | CKAGCI21 | CKAGCI38 |

- Multi-line mixed SBCS/DBCS strings
- With previous versions of CARLa and CKGRACF, within a string literal crossing a line boundary, if a line ended with a shift-in character and an optional space, and if the next line started with a shift-out character, the shift-in character, optional space, and shift-out character were trimmed away by the parser. This trimming behavior has been extended as follows.
Within a string literal crossing a line boundary, if a continuation line starts with a shift-out (SO) character, optionally preceded by SBCS (Single-byte Character Set) space characters, lines immediately preceding this line are trimmed away if they entirely consist of SBCS spaces. Trailing SBCS spaces in the line before these blank lines, if any, are trimmed away as well. If the trimmed line ends with a shift-in (SI) character and the continuation line starts with an SO character, these SI and SO characters are trimmed away, too.
For more information, see Syntax rules in zSecure CARLa Command Reference.
- BMC_MAINVIEW_STC removed
- The BMC_MAINVIEW_STC variable in NEWLIST TYPE=REPORT_STC cannot be used anymore to specify which non-default BMC MainView started tasks are defined on a system. Instead, the CKAGMV30 and CKAGMV32 (for RACF), and C2AGMV30 (for ACF2) DISA STIG controls use the names of started tasks that are specified in a customization member.
zSecure Audit for RACF and ACF2 automatically checks the following default BMC MainView started tasks:
BBIDLOG
BBIILOG
BBMCAS
BBMPAS
MV$ALMGR
MV$LAS
MVALARM
MVALMGR
MVCAS
MVLAS
MVSPAS
MV$CAS
MV$PAS
MV$MVS
OSZ$EXEC
OSZ$INIT
OSZ$RTCS
OSZEXEC
OSZINIT
OSZRTCS
To further specify non-default BMC MainView started tasks, use the MVPROC customization member. For more information about customization members, see section Preparation for CKACUST members in the zSecure (Admin and) Audit User Reference Manual.
- Sensitivity types
- DspSysCfg (class SDSF, with audit concern text "Can display system configuration information in SDSF") was changed to SDSFAppInfo (with audit concern text "In SDSF, can display regular operation information"). For more information, see Predefined sensitivity types related to newlists in zSecure CARLa Command Reference.
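A SIEM-side normalizer for the "TN3270 Telnet SMF records sent to SIEM" warning above, so that detection rules keep matching while systems on older and newer zSecure levels feed the same collector. This is an added example, not IBM or zSecure code: the value mappings come from the two tables in that warning, while the LEEF header strings, attribute layout, sample events, and function names are constructed assumptions.

```python
# Added example, not IBM code. The cmd/action/request names and every value in the
# maps below come from the release note; LEEF header strings and samples are constructed.
CMD_TO_ACTION = {"LGON": "LOGON", "LOGN": "LOGON", "LGOF": "LOGOFF", "LOGF": "LOGOFF"}

# ArcSight (CKQCEFG): header value per SMF type-subtype. 118-4 alone depends on the
# old request value, because the same subtype carried both logon and logoff.
HEADER_BY_SUBTYPE = {
    "118-20": "logon TN3270 server", "119-20": "logon TN3270 server",
    "118-21": "logoff TN3270 server", "119-21": "logoff TN3270 server",
    "119-22": "init TN3270 client", "119-23": "term TN3270 client",
}
HEADER_118_4 = {"LGON": "logon TN3270 client", "LGOF": "logoff TN3270 client"}

def parse_leef(line):
    """Split a LEEF 1.0 line into (event_id, attrs); attributes are tab-separated."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        raise ValueError("not a LEEF 1.0 record")
    attrs = dict(kv.split("=", 1) for kv in parts[5].split("\t") if "=" in kv)
    return parts[4], attrs

def tn3270_action(attrs):
    """Return LOGON/LOGOFF from either layout, or None so the caller can flag drift."""
    if "action" in attrs:  # zSecure 2.5.0 layout
        value = attrs["action"]
        return value if value in CMD_TO_ACTION.values() else None
    return CMD_TO_ACTION.get(attrs.get("cmd"))  # older layout

def legacy_request_to_header(type_subtype, request=None):
    """Translate an old (type-subtype, request) pair to the new header value."""
    if type_subtype == "118-4":
        return HEADER_118_4.get(request)
    return HEADER_BY_SUBTYPE.get(type_subtype)

# Constructed samples: old layout, new layout, and an unexpected value.
SAMPLES = [
    "LEEF:1.0|ExampleVendor|ExampleProduct|0.0|EXAMPLE-118-20|usrName=USER01\tcmd=LOGN",
    "LEEF:1.0|ExampleVendor|ExampleProduct|0.0|EXAMPLE-119-21|usrName=USER01\taction=LOGOFF",
    "LEEF:1.0|ExampleVendor|ExampleProduct|0.0|EXAMPLE-119-20|usrName=USER02\tcmd=XXXX",
]

def normalise_all(lines):
    """Normalised action for each LEEF line, in input order."""
    return [tn3270_action(parse_leef(line)[1]) for line in lines]

if __name__ == "__main__":
    for line, action in zip(SAMPLES, normalise_all(SAMPLES)):
        print(action or "UNMAPPED", "<-", line.split("|", 5)[5].replace("\t", " "))
```

A `None` result marks a record whose value is in neither table, which is the case to alert on after an upgrade.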
Migration consideration
- IBM Z NetView®
- BMC INCONTROL IOA
- BMC MainView
- Advantage CA-Roscoe
- Compuware Abend-AID
- Rocket Software Catalog Solution
Limitations and known problems
At the time of publication of this Release Notes document, no problems exist.
Limitations and problems that arise after publication are documented in technotes. Therefore, regularly scan for updates on IBM Security zSecure at IBM's Search support and downloads site. A general documentation technote lists all updates to the documentation of 2.5.0 since availability.
You might also want to scan the following recommended fixes. Some of these fixes introduce new functions and features.