Release notes for zSecure 2.5.0

IBM Security zSecure 2.5.0 has been available since September 30, 2021. In June 2022, a Service Stream Enhancement (SSE) was published.
Read this document to find important installation information and learn about compatibility issues, limitations, and known problems.

For information about the new features for zSecure 2.5.0, see What's new for zSecure 2.5.0.

For information about the zSecure documentation, see zSecure Suite documentation. For steps to access the licensed User Reference Manuals for RACF, ACF2, and Top Secret, see Obtain licensed documentation.

If you are upgrading from a version of zSecure that is older than 2.4.0, also see the Release notes for the versions that you skipped for IBM® Security zSecure Suite.

This document consists of the following sections:


The zSecure 2.5.0 announcement includes information about the following topics:
  • Description
  • Technical information
  • Ordering information
  • Terms and conditions

IBM Z Security and Compliance Center 1.1

On April 5, 2022, IBM announced the Z Security and Compliance Center. This new solution provides a dashboard for compliance evidence that is based on SMF 1154 records. It includes all the functionality of IBM Security zSecure Audit and relies on the zSecure CARLa and Collect engines.

The Z Security and Compliance Center includes the z/OS Compliance Integration Manager component, which provides a started task that is required to create SMF 1154 records for the following z/OS subsystems: Console, DFSMS, InetD, IMS, IMS-Connect, IMS-OM, IBM MQ, SMF, SSHD, and z/OS UNIX System Services. Other subsystems write their own SMF 1154 records.

The Program Directory for Z Security and Compliance Center, Compliance Integration Manager Component contains information concerning the material and procedures that are associated with the installation of the z/OS Compliance Integration Manager.

System requirements

This section lists the minimum and advised processor, disk space, and memory requirements for the zSecure 2.5.0 products and solutions:
  Minimum Advised
Processor An IBM Z® server that is capable of supporting z/OS® 2.3 or later.
Disk space 1 GB 1.5 GB
Memory 1 GB 2 GB

For the Z Security and Compliance Center requirements, see the Program Directory for IBM Z Security and Compliance Center Compliance Integration Manager Component or the Technical information section in the announcement.

For programming and space requirements for zSecure CICS® Toolkit, Command Verifier, and RACF®-Offline, see the following Program Directories: All other components (the CARLa-driven components) of zSecure have a common Program Directory: Program Directory for IBM Security zSecure Suite: CARLa-driven components.

Supported platforms and applications

The zSecure products are supported on the following platforms and applications:
  • IBM z/OS 2.3 through z/OS 2.5
  • IBM z/VM® 7.1, 7.2, and 7.3
  • CICS Transaction Server 5.3 through 6.1
  • Db2® 12.1
  • IMS 15.1 and 15.2
  • IBM MQ 9.1 and IBM MQ 9.2
  • CA ACF2 Release 16
  • CA Top Secret Release 16
  • Microsoft Windows 10, Windows Server, in support by Microsoft
  • zSecure Visual Client requires Microsoft Windows 10
  • All currently supported versions of WebSphere® HTTP server
  • Integrated Cryptographic Services Facility (ICSF) is supported up to HCR77D2
zSecure no longer supports the following platforms and applications:
  • IBM z/OS 2.2
  • IBM z/VM 6.4
  • IMS Version 14
  • Db2 11.1
  • IBM MQ 8.0 through IBM MQ 9.0.x
  • CICS TS 4.1 and 5.2

Installing IBM Security zSecure

For a complete installation roadmap on all steps to install, configure, and deploy a new installation of zSecure or an upgrade to zSecure 2.5.0, see the zSecure CARLa-Driven Components Installation and Deployment Guide.

This unlicensed documentation is available with the product and at the IBM Documentation for IBM Security zSecure Suite 2.5.0. To obtain access to the licensed documentation , send an email to; include your IBM ID and your organization's customer number. Following registration, you will receive a link to the IBM Security zSecure Suite Library

Incompatibility warnings

Version changes in DISA z/OS STIG (February 2023)
z/OS STIG (Security Technical Implementation Guides) included controls that were specific to z/OS and z/OS Products. With z/OS STIG version 6, release 43 (6.43), DISA split z/OS STIG into two separate standards: z/OS Products STIG and z/OS STIG. z/OS STIG version 8 was introduced, while the z/OS Products STIGs continued to follow version 6.

With the implementation of this SSE, zSecure Audit incorporates the changes that DISA introduced into the implementation of the STIG standard. As a result of this split, the following changes are observed in zSecure:

  • The reported version in z/OS RACF/ACF2/TSS STIG version 6 drops from 6.52 to 6.43. Release 43 is the last applicable release for z/OS RACF/ACF2/TSS STIG version 6.
  • z/OS Products STIG continues to be updated under version 6. The release is now reported as LATEST, because the release number can vary among products.
  • z/OS RACF/ACF2/TSS STIG version 8 is introduced.
To run a full STIG version 6 evaluation, use both the options z/OS RACF/ACF2/TSS STIG v6 and z/OS Products STIG simultaneously.
BMC INCONTROL IOA (February 2023)
The following DISA STIG controls no longer require the use of a SIMULATE SUBSYS statement to simulate an active INCONTROL IOA environment for the BMC INCONTROL family of products. zSecure now has the capability to automatically detect INCONTROL IOA resources and assign a sensitivity. As a result, existing configurations in the C2RG@IDF customization member are no longer needed and will be ignored when the controls are evaluated.
CSSMTP_TS_TYPE default output length increased (February 2023)
The default output length of the SMF newlist field CSSMTP_TS_TYPE has been increased from 6 to 7 characters.
LIST USER statements (July 2022)
The LIST USER TAG field U-PASSINT now shows NONE (instead of 255) for non-protected users that have no password interval. The output of LIST USER commands without a TAG option has a changed layout (and can show more information than before). The layout is not intended to be a programming interface.
CKGRACF (June 2022)
When manipulating USRDATA through CKGRACF for fully qualified generic dataset profiles, it is now required to explicitly mark the profile as a GENERIC profile. Previously, all profiles that were not explicitly marked as either generic or discrete were assumed to be generic. Discrete profiles were not supported. With this update, discrete profiles are supported, but generic profiles without generic characters must be marked explicitly as generic.
SMF field CC_SERIAL is a repeated field (June 2022)
The NEWLIST TYPE=SMF field CC_SERIAL has become a repeated field. This implies that the field is shown on the detail display by default.
Support dropped for configurable sensitivity types BMCMVSTC_ and BMCIOASTC_
zSecure Audit now supports automatic determination of the data set names that belong to the started tasks of the BMC Integrated Operations Architecture (IOA) and BMC MainView products. As a consequence, the support for the configurable sensitivity types BMCMVSTC_ (used in rule set ZMVZR001) and BMCIOASTC_ (used in rule set ZIOAR001) was dropped. Be aware that these configurable assertions are now silently ignored in the compliance evaluation of the rule sets ZMVZR001 and ZIOAR001. If BMCMVSTC_ and BMCIOASTC_ configurations were specified in the past, these specifications will still be reported from the assertion history log (option AU.R.H).
The following changes apply:
  • Users are no longer required to specify the started task data set names for the configurable sensitivity types BMCMVSTC_ and BMCIOASTC_
  • The zSecure user interface no longer produces the CONFIGS and CONFIGX reports for controls CKAGOA01 and CKAGMV01 to enable configuration of sensitivity types BMCMVSTC_ and BMCIOASTC_
  • Remaining SIMULATE statements for sensitivity types BMCMVSTC_ and BMCIOASTC_ in member ACPCNFG can be removed; these are ignored.
Generated output no longer held in spool
Sample procedures for the zSecure started tasks have been changed to no longer generate HELD output. If you require output to be HELD, modify the sample procedures to specify a different output class, or add the HOLD=YES specification to the SYSOUT file.
TN3270 Telnet SMF records sent to SIEM
In the representations of TN3270 Telnet server and client SMF records (record type 118 with subtypes 4, 20, 21, 200, and 201, and record type 119 with subtypes 20, 21, 22, and 23) that are sent to SIEM applications (for example, IBM QRadar® SIEM) using CARLa scripts CKQLEEF and CKQLEEFL, the cmd field was replaced with the action field.
action field replaces cmd field
Previous situation: cmd field values Current® situation: action field values

In the representations of TN3270 Telnet server and client SMF records SMF (record type 118, subtype 4, 20, 21, 200, 201, and record type 119, subtypes 20, 21, 22, and 23) that are sent to Micro Focus ArcSight using CARLa script CKQCEFG, the information that the request field used to convey is now found in the header of a record representation.

Header information replaces request field
type-subtype Previous situation:
request field value
Current situation:
header value
118-4 LGON logon TN3270 client
118-4 LGOF logoff TN3270 client
118-20, 119-20 LOGN (or missing) logon TN3270 server
118-21, 119-21 LOGF (or missing) logoff TN3270 server
119-22 (missing) init TN3270 client
119-23 (missing) term TN3270 client
PROTECTED_ZVM was removed
The PROTECTED_ZVM variable was removed from the C2RXDEF1 include member. PROTECTED_ZVM was the equivalent of the PROTECTED variable for RACF for z/VM databases. You can now use the built-in field PROTECTED for both z/VM and z/OS.
The CKXLOGID primary command was changed to CKXLOG to avoid confusion with the CKXLOGID TSO command.
zSecure Admin RACF Access Monitor: retain jobname information
In previous versions of RACF Access Monitor, it was possible to retain jobname information for user IDs that are a proper substring of another user ID, while removing jobname information for that second user ID. For example:
  • Retain jobname information for user ID XYZZY
  • Drop jobname information for user ID XYZZYZ
The use of a user ID that is a proper substring of an other user ID is generally strongly discouraged. Current versions of RACF Access Monitor do not allow retention of jobname information for the shorter ID (XYZZY) independent of that for the longer ID (XYZZYZ).
STIG members renamed
Several SCKRCARL members were renamed, either from a generic name to a member name that is specific to an External Security Manager (ESM), or from an ESM-specific member name to a general member name.
Table 1. SCKRCARL generic member names renamed for RACF, ACF2, and Top Secret systems
Control Original member Renamed members
    RACF ACF2 Top Secret
AAMV0410 C2RGM410 CKAGM410 C2AGM410 CKTGM410
AAMV0420 C2RGM420 CKAGM420 C2AGM420 CKTGM420
Table 2. SCKRCARL member names for RACF, ACF2, and Top Secret systems renamed to generic member name
Control Original members Renamed member
  RACF ACF2 Top Secret  
STIG ID ZCICR021 was renamed to STIG ID ZCICR038 as specified in the z/OS IBM CICS Transaction Server for RACF Security Technical Implementation Guide. The SCKRCARL member was renamed accordingly.
Table 3. SCKRCARL member name renamed for RACF
Control Original member Renamed RACF member
Multi-line mixed SBCS/DBCS strings
With previous versions of CARLa and CKGRACF, within a string literal crossing a line boundary, if a line ended with a shift-in character and an optional space, and if the next line started with a shift-out character, the shift-in character, optional space, and shift-out character were trimmed away by the parser. This trimming behavior has been extended as follows.

Within a string literal crossing a line boundary, if a continuation line starts with a shift-out (SO) character, optionally preceded by SBCS (Single-byte Character Set) space characters, lines immediately preceding this line are trimmed away if they entirely consist of SBCS spaces. Trailing SBCS spaces in the line before these blank lines, if any, are trimmed away as well. If the trimmed line ends with a shift-in (SI) character and the continuation line starts with an SO character, these SI and SO characters are trimmed away, too.

For more information, see Syntax rules in zSecure CARLa Command Reference.

The BMC_MAINVIEW_STC variable in NEWLIST TYPE=REPORT_STC cannot be used anymore to specify which non-default BMC MainView started tasks are defined on a system. Instead, the CKAGMV30 and CKAGMV32 (for RACF), and C2AGMV30 (for ACF2) DISA STIG controls use the names of started tasks that are specified in a customization member.
zSecure Audit for RACF and ACF2 automatically checks the following default BMC MainView started tasks:

To further specify non-default BMC MainView started tasks, use the MVPROC customization member. For more information about customization members, see section Preparation for CKACUST members in the zSecure (Admin and) Audit User Reference Manual.

Sensitivity types
DspSysCfg (class SDSF, with audit concern text Can display system configuration information in SDSF) was changed to SDSFAppInfo (with audit concern text In SDSF, can display regular operation information). For more information, see Predefined sensitivity types related to newlists in zSecure CARLa Command Reference.

Migration consideration

To activate the proper auditing of various product resources, review what SIMULATE SUBSYS specifications are needed to indicate the configurations of the following products:
  • IBM Z NetView®
  • BMC MainView
  • Advantage CA-Roscoe
  • Compuware Abend-AID
  • Rocket Software Catalog Soluton

Limitations and known problems

At the time of publication of this Release Notes® document, no problems exist.

Limitations and problems that arise after publication are documented in technotes. Therefore, regularly scan for updates on IBM Security zSecure at IBM's Search support and downloads site. A general documentation technote lists all updates to the documentation of 2.5.0 since availability.

You might also want to scan the following recommended fixes. Some of these fixes introduce new functions and features.