Release notes

IBM Security zSecure 3.1.0 is available. Read this document to find important installation information. You can also learn about compatibility issues, limitations, and known problems.

For information about the new features for zSecure 3.1.0, see What's new for zSecure 3.1.0.

If you are upgrading from a version of IBM® Security zSecure that is earlier than 2.5.0, also see the Release notes for the versions that you skipped for IBM Security zSecure Suite.

Announcement

The zSecure 3.1.0 announcement includes the following information:
  • Overview of the zSecure 3.1.0 features
  • A more detailed description of the zSecure 3.1.0 enhancements
  • Hardware and software requirements, availability date, pricing and ordering information
  • Statement of general direction

System requirements

This section lists the minimum and advised processor, disk space, and memory requirements for the zSecure 3.1.0 products and solutions:
 | Minimum | Advised
Processor | An IBM Z server that is capable of supporting z/OS 2.4 or later.
Disk space | 1 GB | 1.5 GB
Memory | 1 GB | 2 GB

For programming and space requirements for CICS® Toolkit, Command Verifier, and RACF®-Offline, see the following Program Directories:

All other components (the CARLa-driven components) of zSecure have a common Program Directory: Program Directory for IBM Security zSecure Suite: CARLa-driven components.

Supported platforms and applications

IBM Security zSecure products are supported on the following platforms and applications:
  • IBM z/OS 2.4 through z/OS 3.1
  • IBM z/VM® 7.2 and 7.3
  • CICS Transaction Server 5.4 through 6.1
  • Db2® 12.1 and 13.1
  • IMS 15.2 through 15.4
  • IBM MQ 9.2 and 9.3
  • CA ACF2 Release 16
  • CA Top Secret Release 16
  • Microsoft Windows 10 and 11, Windows Server, in support by Microsoft
  • zSecure Visual Client requires Microsoft Windows 10 or 11
  • All currently supported versions of WebSphere® HTTP server
  • Integrated Cryptographic Services Facility (ICSF) is supported up to HCR77E0
zSecure no longer supports the following platforms and applications:
  • IBM z/OS 2.3
  • IBM z/VM 7.1
  • IMS Version 15.1
  • IBM MQ 9.1
  • CICS TS 5.3

Installing IBM Security zSecure

For a complete installation roadmap on all steps to install, configure, and deploy a new installation of zSecure or an upgrade to zSecure 3.1.0, see the IBM Security zSecure CARLa-Driven Components Installation and Deployment Guide.

Incompatibility warnings - zSecure 3.1.0 Service Stream Enhancements

Compliance members renamed (October 2024)
The CARLa member that stored the CIS Benchmark control 3.13 Ensure all software on your system is supported was renamed to CKAHR3D to follow the naming convention for the RACF CIS IBM z/OS RACF Benchmark standard. In addition, the CARLa member that stored RACF-FT-000070, ACF2-FT-000120, and TSS0-FT-000130 controls was renamed to C2RHF070 to better reflect the FAMILY group of the controls.
Control | Original member name | Renamed member name
CIS 3.13 (RACF) | CKAHR313 | CKAHR3D
RACF-FT-000070, ACF2-FT-000120, TSS0-FT-000130 (RACF, ACF2, TSS) | C2RHO470 | C2RHF070
Certificate signing algorithm RSASSA-PSS split into 6 values (September 2024)
The CERTIFICATE_SIGNING_ALG field in TYPE=RACF and TYPE=CERTIFICATE no longer reports the value RSASSA-PSS. Instead, it reports one of the following values or, if the key length was not recognized, the value specifiedRSAPSS.
sha1RSAPSS
sha224RSAPSS
sha256RSAPSS
sha384RSAPSS
sha512RSAPSS
The default output length of the field changed from 11 to 12.
UPDATE access (September 2024)
It is no longer sufficient to grant UPDATE access to administrators to manage all aspects of non-base segments. Deleting non-base segments is possible only for administrators that have CONTROL access to the C4R.class.segname.=RACUID or the C4R.class.segname policy profile. UPDATE access does not allow deleting a segment. UPDATE access to the policy profile still allows adding and setting a value for non-base segments.
Running the zSecure Access Monitor, Alert, and SMF Collector STCs under the MSTR subsystem (April 2024)
The current release of zSecure supports running the Access Monitor, Alert, and SMF Collector STCs under the MSTR subsystem. This allows starting the STC earlier in the IPL process. Several changes have been made to the startup JCL and to the configuration data sets. An updated example member is provided in SCKRPROC. The most visible change is that the SYSTSPRT ddname is replaced by the C2PTSPRT or CKQTSPRT ddname. You must change the STC procedure, according to the description in the Migrating from a previous release sections for your products in the zSecure CARLa-Driven Components Installation and Deployment Guide.

Incompatibility warnings - zSecure 3.1.0 (September 2023)

Version changes in DISA z/OS STIGs
z/OS STIG (Security Technical Implementation Guides) included z/OS specific and z/OS Products specific controls. With z/OS STIG release Version 6, Release 43 (V6R43), DISA split z/OS STIG into two separate standards: z/OS Products STIG and IBM z/OS STIG. A new version 8 for z/OS STIG was introduced, while the z/OS Products STIGs continued to follow version 6. The release number can vary among products.

To run a full STIG evaluation, use both the options z/OS RACF/ACF2/TSS STIG and z/OS Products STIG simultaneously.

CIS IBM z/OS RACF Benchmark standard replaced GSD compliance standard
IBM GSD 331 standard for Strategic Outsourcing (SO) customers is no longer in support and, as a result, it is removed from the zSecure Audit 3.1.0 AU.R user interface menu.

The individual GSD CARLa members that were part of the GSD standard are still available to help customers migrate to the equivalent controls in the CIS z/OS RACF Benchmark standard. The intention is that all GSD-related members will be removed in future releases of zSecure.

If your organization uses GSD-related members in a locally defined compliance standard or batch job, you can migrate to using a CIS Benchmark equivalent control instead. Most of the GSD-related controls have an equivalent requirement in a control that is part of the CIS IBM z/OS RACF Benchmark standard.

The following table lists the corresponding requirements for the obsolete GSD controls in CIS IBM z/OS RACF Benchmark standard. Minor differences can exist between requirements of a GSD control and the CIS equivalent. However, the essence of the check is similar.

Note:
  • GSD controls F.1.4.2, F.1.4.3, and F.1.4.4 are obsolete by default since the checked classes (DATASET, GROUP, and USER) are always active.
  • GSD control F.1.4.8 corresponds to DISA STIG SDSF product control ZISFR038 that is implemented in CARLa member CKAHSF38.
  • GSD control F.1.4.13 partially corresponds to DISA z/OS STIGv8 control RACF-US-000130 that is implemented in CARLa member CKAHU130.
GSD Control ID | Description | CIS Control ID | zSecure CARLa member (CIS control)
F.1.1.1 SETROPTS PASSW INTERVAL(90) 1.1.1 CKAHR111
F.1.1.2 SETROPTS PASSW HISTORY(8) 1.1.2 CKAHR112
F.1.1.3 SETROPTS PASSW REVOKE(4) 1.1.5 CKAHR115
F.1.1.4 SETROPTS PASSW NORULES 1.1.3 CKAHE770
F.1.1.5 SETROPTS PASSW MINCHANGE(1) 1.1.4 CKAHR114
F.1.1.6 SETROPTS PASSW INACTIVE(180) 1.2.1 CKAHR121
F.1.1.7 RVARY PASSW changed 1.2.13 CKAHE550
F.1.4.1 SETROPTS BATCHALLRACF 8.4.2 CKAHE440
F.1.4.10 TAPEVOL class active no equivalent
F.1.4.11 UNIXPRIV class active 9.7 CKAHR97
F.1.4.12 OPERCMDS class RACLISTed 1.2.6 CKAHR126
F.1.4.13 UNIXPRIV class RACLISTed no equivalent
F.1.4.14 DATASET class GENERIC 2.2.2 CKAHR222
F.1.4.15.1 SETROPTS PROTECTALL FAIL 2.3.3 CKAHE570
F.1.4.15.2 SETROPTS WHEN(PROGRAM) 2.1.3 CKAHE610
F.1.4.16.1 RVARY SWITCH PASSW changed 1.2.13 CKAHE550
F.1.4.16.2 RVARY STATUS PASSW changed 1.2.13 CKAHE550
F.1.4.17.1 SETROPTS INITSTATS 3.5 CKAHR35
F.1.4.17.2 SURROGAT with LOGOPT(ALWAYS) 2.4.3 CKAHR243
F.1.4.19 SETROPTS CMDVIOL 3.1 CKAHR31
F.1.4.2 DATASET class active obsolete
F.1.4.20 SETROPTS SAUDIT 3.2 CKAHE520
F.1.4.21 SETROPTS OPERAUDIT 3.4 CKAHE470
F.1.4.22 DATASET class AUDIT 3.3 CKAHR33
F.1.4.23 GROUP entity AUDIT 3.3 CKAHR33
F.1.4.24 USER entity AUDIT 3.3 CKAHR33
F.1.4.25 OPERCMDS class AUDIT 3.3 CKAHR33
F.1.4.26 TSOAUTH class AUDIT 3.3 CKAHR33
F.1.4.27 SDSF class AUDIT 3.3 CKAHR33
F.1.4.28 FACILITY class AUDIT 3.3 CKAHR33
F.1.4.29 UNIXPRIV class AUDIT 3.3 CKAHR33
F.1.4.3 GROUP entity active obsolete
F.1.4.31.1 PROCESS class AUDIT 3.3 CKAHR33
F.1.4.31.2 Active class LOGOPT(FAIL) 9.25 CKAHR9P
F.1.4.39.1 MCS consoles LOGON 1.2.11 C2RHE680
F.1.4.4 USER entity active obsolete
F.1.4.41 DFHSM privileges no equivalent
F.1.4.5 TEMPDSN class active 2.1.7 CKAHE120
F.1.4.6 OPERCMDS class active 1.2.6 CKAHR126
F.1.4.7 TSOAUTH class active no equivalent
F.1.4.8 SDSF class active no equivalent
F.1.4.9 FACILITY class active 1.2.8 CKAHR128
F.1.7.3.1 UNIX user unique HOME directory 9.6 CKAHU250
F.1.7.3.5 UID(0) shared home directory 9.6 CKAHU250
F.1.8.32 STGADMIN ENDUSER 2.1.1 CKAHR211
F.1.8.35 STGADMIN DELGDG no equivalent
F.1.8.48.1 TSOAUTH ACCT 2.4.2 CKAHR242
F.1.8.48.2 TSOAUTH CONSOLE 2.4.2 CKAHR242
F.1.8.48.3 TSOAUTH OPER 2.4.2 CKAHR242
F.1.8.48.4 TSOAUTH PARMLIB 2.4.2 CKAHR242
F.1.8.48.5 TSOAUTH TESTAUTH 2.4.2 CKAHR242
F.1.8.61 OPERCMDS SETPROG 2.2.8 CKAHE340
F.1.8.62 OPERCMDS SET.PROG 2.2.8 CKAHE340
F.1.8.63 OPERCMDS MVS.UNKNOWN no equivalent
F.1.8.66 OPERCMDS TCPIP.OBEYFILE no equivalent
F.1.8.67 FACILITY BPX.DAEMON 9.15 CKAHR9F
F.1.8.68 FACILITY BPX.DEFAULT.USER 9.15 CKAHR9F
F.1.8.69 FACILITY BPX.FILEATTR.APF 9.15 CKAHR9F
F.1.8.70 FACILITY BPX.FILEATTR.PROGCTL 9.15 CKAHR9F
F.1.8.73 FACILITY BPX.SMF 9.15 CKAHR9F
F.1.8.74 FACILITY BPX.STOR.SWAP 9.15 CKAHR9F
F.1.8.75 FACILITY BPX.SUPERUSER 9.15 CKAHR9F
F.1.8.76 FACILITY BPX.WLMSERVER 9.15 CKAHR9F
F.1.8.95 RRSF profiles no equivalent
F.1.8.96 VTAMAPPL <RRSF acbname> no equivalent
Removal of support for z/OS STIG version 6.43 and single standard syntax z/OS Product STIGs
The DISA STIG release 6.43 is no longer published and is considered obsolete by DISA. Therefore, zSecure has also deprecated the standard from zSecure Audit. Starting with zSecure 3.1.0, z/OS STIG v6 is no longer available for selection as an evaluation standard under the AU.R option, and a multi standard syntax equivalent replaces the single standard syntax z/OS Product STIGs. As a result, the following updates are made to the user interface and to the STIG related CARLa scripts.
User interface (UI)
DISA z/OS STIG v6.43 and single syntax z/OS Products STIG controls are no longer available as supported standards under options AU.R.C (Configure), and AU.R.E (Evaluate), and AU.R.S (Subsets). Individual SCKRCARL members that contain the STIG v6.43 control CARLa scripts are still available in zSecure 3.1.0. These scripts can still be run under AU.R.T by entering the member name and selecting S for Single standard syntax.
CARLa scripts
The single standard syntax CARLa members that contain the scripts of the DISA controls are replaced with corresponding multi standard syntax members. For example, control ZAIDR001, that is implemented in the single standard syntax CKAGAA01 member, has corresponding multi standard syntax member CKAHAA01. The letter H in the fourth position of the member name indicates that this control uses multi standard syntax.
Note: The G by H character replacement in the member name applies only to z/OS Products STIGs. DISA z/OS STIG version 8 follows the new naming convention that DISA introduced for controls.

The following SCKRCARL and SCKACUST multi standard syntax members are introduced as alternatives to members that contain single standard z/OS STIG version 6 and z/OS Products scripts.

Table 1. Multi standard syntax SCKRCARL and SCKACUST member alternatives for single standard members
Data set | Single standard member | Multi standard member | Description
SCKRCARL | CKAG@DEF | CKAH@DEF | DEFINE statements for variables that are used in STIG multi syntax RACF-specific controls.
SCKRCARL | C2AG@DEF | C2AH@DEF | DEFINE statements for variables that are used in STIG multi syntax ACF2-specific controls.
SCKRCARL | C2RG@DEF | C2RH@DEF | DEFTYPE, ALLOC, and DEFINE statements for customization members. Defines DEFINE statements for variables that are used in STIG multi syntax RACF, ACF2, and TSS controls. DEFSENS statements for configurable sensitivity types.
SCKRCARL | C2RG@, CKAG@6, C2AG@6, CKTG@6 | C2RH@ | Multi standard syntax z/OS and Products STIGs STANDARD members.
SCKRCARL | CKAG@6OS, CKTG@6OS, C2AG@6OS, C2RG@6OS |  | No replacement members; only apply to single standard syntax STIG z/OS Products v6 controls.
SCKRCARL | CKAG@TMP, CKTG@TMP, C2AG@TMP |  | No replacement members.
SCKACUST | CKAG@INS, CKTG@INS, C2AG@INS | C2RH@INS | Site controls to extend compliance standards that use multi standard syntax.
SCKACUST | C2RG@IDF | C2RH@IDF | DEFTYPE and DEFINE statements for extra population or classification for STIG or other compliance standards that use the multi standard syntax.
Important: Single standard syntax SCKRCARL and SCKACUST members will be removed in future releases of zSecure. For local- or company-defined compliance standards or batch jobs that still use STIG z/OS and z/OS Products single standard syntax members, it is suggested that you convert these standards/batch jobs. For example, you can decide to use a similar or equivalent multi standard syntax control member from the STIG z/OS and z/OS Products version 8 or CIS RACF Benchmark version 1.0.0.
Members with site standards
The members with site standards that could be specified in AU.R.C or AU.R.E have been moved to SE.C. See also Migration consideration.
Default output length of SMF fields USAGE_COUNT, USAGE_COUNT_ID, USAGE_COUNT_TYPE_ID increased
The default output length of the following SMF newlist fields has increased as follows:
  • USAGE_COUNT: increased from 10 to 20 characters
  • USAGE_COUNT_ID: increased from 13 to 22 characters
  • USAGE_COUNT_TYPE_ID: increased from 30 to 49 characters
STIG members renamed
STIG ID ZCICR021 was renamed to STIG ID ZCICR038 as specified in the z/OS IBM CICS Transaction Server for RACF Security Technical Implementation Guide. Also, SCKRCARL member CKAHWM53 was for RACF only but now also applies to ACF2 and Top Secret. The SCKRCARL members were renamed accordingly.
Control | Original member name (RACF only) | Renamed member name: RACF | Renamed member name: ACF2 | Renamed member name: Top Secret
ZCICR021 | CKAGCI21 | CKAGCI38 | n/a | n/a
ZWMQ0053 | CKAHWM53 | C2RHWM53 | C2RHWM53 | C2RHWM53
FILEFORMAT=XML output fields
In previous releases, header strings on the LIST family of commands for FILEFORMAT=XML output fields were ignored. With zSecure 3.1.0, these strings are used as overriding XML element names. This is similar to FILEFORMAT=JSON, except that XML has more restrictions on what these strings can be. For more information, see FILEFORMAT= (for the FILEOPTION statement) in the zSecure CARLa Command Reference.
TYPE=SMF field IP_VIPA_OPTIONS
With SMF 119 subtype 4 records, the SMF newlist field IP_VIPA_OPTIONS now includes the option MOVEABLE_WHENIDLE or MOVEABLE_DISRUPTIVE when applicable.
SAF profile change
The SAF resources in the XFACILITY class that control the line action commands in the RA.5.0 display report have been changed as follows:
Former resource names: Current resource names:
CKR.ACTION.CE.$.S CKR.ACTION.CE.S.S
CKR.ACTION.CE.$.P CKR.ACTION.CE.S.P
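
A migration check for the renamed identifiers listed in the incompatibility warnings above (both the Service Stream Enhancements and the September 2023 sections), added here as an example and not IBM code: it scans site JCL or CARLa text for the old names and reports the replacement given in these notes. The scan function, the stc_procedure switch, and the sample text are assumptions made for illustration.

```python
import re

# Old identifier -> (replacement, reason). Every value is taken from these release notes.
CHANGES = {
    "CKAHR313": ("CKAHR3D", "CIS 3.13 member renamed"),
    "C2RHO470": ("C2RHF070", "RACF-FT-000070/ACF2-FT-000120/TSS0-FT-000130 member renamed"),
    "CKAGCI21": ("CKAGCI38", "STIG ID ZCICR021 renamed to ZCICR038"),
    "CKAHWM53": ("C2RHWM53", "ZWMQ0053 member now covers RACF, ACF2, Top Secret"),
    "CKR.ACTION.CE.$.S": ("CKR.ACTION.CE.S.S", "XFACILITY resource renamed"),
    "CKR.ACTION.CE.$.P": ("CKR.ACTION.CE.S.P", "XFACILITY resource renamed"),
    "RSASSA-PSS": ("a shaNNNRSAPSS value or specifiedRSAPSS",
                   "CERTIFICATE_SIGNING_ALG no longer reports this value"),
    "SYSTSPRT": ("C2PTSPRT or CKQTSPRT",
                 "ddname replaced in Access Monitor, Alert, SMF Collector STCs"),
}

# A hit must not be embedded in a longer name: CKAGCI21 must not match in XCKAGCI21.
_NAME = r"A-Za-z0-9@#$"
_ALT = "|".join(re.escape(k) for k in sorted(CHANGES, key=len, reverse=True))
_PATTERN = re.compile(f"(?<![{_NAME}.-])({_ALT})(?![{_NAME}.-])", re.IGNORECASE)


def scan(text, stc_procedure=False):
    """Return (line_no, old, new, reason) for each outdated identifier in text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.startswith("//*"):        # JCL comment statement, nothing to migrate
            continue
        for m in _PATTERN.finditer(line):
            old = m.group(1).upper()
            if old == "SYSTSPRT" and not stc_procedure:
                continue                  # the ddname change applies to the three STCs only
            new, reason = CHANGES[old]
            findings.append((no, old, new, reason))
    return findings


# Constructed sample (hypothetical data set and ddnames), not taken from a real system.
SAMPLE = """\
//*  OLD NOTE: SYSTSPRT WAS USED HERE
//SYSTSPRT DD SYSOUT=*
//MYCARLA  DD DISP=SHR,DSN=SITE.CARLA(CKAHR313)
members to run: ckahwm53 CKAHR3D XCKAGCI21
resource: CKR.ACTION.CE.$.S
"""

if __name__ == "__main__":
    for no, old, new, reason in scan(SAMPLE, stc_procedure=True):
        print(f"line {no}: {old} -> {new} ({reason})")
```

Set stc_procedure=True only for Access Monitor, Alert, and SMF Collector procedures; SYSTSPRT in other jobs is not covered by this change.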

Code updates for zSecure 2.5.0 Service Stream Enhancements (SSEs) part of zSecure 3.1.0

The following APAR numbers apply to the 2.5.0 Service Stream Enhancements (SSEs) and enhancements for PHRASEINT support:

Table 2. PTF and APAR numbers for 2.5.0 code updates
 | PTF | APAR | FMID | Updated code
February 2023 SSE | UJ92214, UJ92215 |  | HCKR250 | Code shared among most zSecure components
February 2023 SSE | UJ92216 | OA64235 | JC2A250 | ACF2 features
February 2023 SSE | UJ92217 | OA64290 | JC4R250 | zSecure Command Verifier
February 2023 SSE | UJ92218 | OA64401 | HB8R25F | RACF-Offline
February 2023 SSE | UJ92235 | OA64303 | JCKC250 | z/OS Compliance Integration Manager
July 2022: PHRASEINT support | UJ08616 | OA63372 | HCKR250 | Code shared among most zSecure components
July 2022: PHRASEINT support | UJ08617 | OA63373 | JC4R250 | zSecure Command Verifier
July 2022: PHRASEINT support | UJ08618 | OA63374 | HC4R250 | Code shared between zSecure Command Verifier, zSecure Admin, and zSecure Visual
July 2022: PHRASEINT support | Fix pack 2.5.0-ISS-ZSECURE-FP0003 | IJ40485 |  | zSecure Visual Client
May 2022 SSE | UJ08291, UJ08571, UJ08572 |  | HCKR250 | Code shared among most zSecure components
May 2022 SSE | UJ08292 | OA63174 | JC2A250 | ACF2 features

Migration consideration

zSecure 3.1.0 ships with new menu options. If you use option SE.D.N to customize menus or options for your installation, then you must run SE.D.N again with a sufficiently authorized user ID. See also Members with site standards in Incompatibility warnings - zSecure 3.1.0 (September 2023).

At the time of publication of this Release notes topic, no other migration considerations exist.

Limitations and known problems

At the time of publication of this Release notes topic, no problems exist.

Limitations and problems that arise after publication are documented in technotes. Therefore, regularly scan for updates on IBM Security zSecure at IBM's Search support and downloads site. A general technote with Significant documentation updates for zSecure 3.1.0 lists all updates to the documentation of 3.1.0 since availability (October 2024).

You might also want to scan the following recommended fixes. Some of these fixes introduce new functions and features.

  • zSecure Admin
  • zSecure Audit
  • zSecure Alert for RACF
  • zSecure Alert for ACF2
  • zSecure CICS Toolkit
  • zSecure Command Verifier
  • zSecure Visual (Server and Client)
  • zSecure Manager for RACF z/VM
  • z/OS Compliance Integration Manager

Documentation

The zSecure Suite 3.1.0 documentation includes the former licensed documentation:

  • zSecure (Admin and) Audit User Reference Manual for RACF, ACF2, and Top Secret
  • zSecure CARLa Command Reference
The zSecure CARLa Command Reference chapters are now 2 separate documents, each with its own PDF file and HTML pages:
  • zSecure CARLa Command Language; also includes Interactive remote display XML protocol.
  • zSecure CARLa SELECT/LIST Fields; also includes Predefined sensitivity types.
A list of the zSecure 3.1.0 documentation is available at zSecure Suite Documentation.

Significant documentation updates since the general availability of zSecure Suite 3.1.0 (September 2023) are published in Significant documentation updates for zSecure 3.1.0.