Release notes

IBM® zSecure 3.2.0 is available. Read this document to find important installation information. You can also learn about compatibility issues, limitations, and known problems.

For information about the new features for zSecure 3.2.0, see What's new for zSecure 3.2.0.

If you are upgrading from a version of IBM zSecure that is earlier than 3.1.0, also see the Release notes for the versions that you skipped for IBM zSecure.

This document consists of the following sections:

Announcement
Supported platforms and applications
System requirements
Installing IBM zSecure
Incompatibility warnings
For the incompatibility warnings relating to significant enhancements to zSecure 3.1, see Incompatibility warnings - zSecure 3.1 Service Stream Enhancements.
Migration consideration
Limitations and known problems
zSecure z/VM Documentation

Announcement

The zSecure 3.2.0 announcement includes the following information:

Overview of the zSecure 3.2.0 features
Terms and conditions
Technical support
Entitled software

System requirements

This section lists the minimum and advised processor, disk space, and memory requirements for the zSecure 3.2.0 products and solutions:

	Minimum	Advised
Processor	IBM Z server that supports IBM z/OS 2.5, or later. / CKR8Z15 requires z15® or later. Although zSecure 3.2 includes CKR8Z12, it no longer supports z12.
Disk space	1 GB	1.5 GB
Memory	1 GB	2 GB

For programming and space requirements for CICS® Toolkit, Command Verifier, and RACF®-Offline, see the following Program Directories:

All other components (the CARLa-driven components) of zSecure have a common Program Directory: Program Directory for IBM zSecure: CARLa-driven components.

Supported platforms and applications

IBM zSecure products are supported on the following platforms and applications:

IBM z/OS 2.5 through z/OS 3.2
IBM z/VM® 7.3 and 7.4
CICS Transaction Server 5.5 through 6.3
Db2® 12.1 and 13.1
IMS 15.3 through 15.5
IBM MQ 9.2 through 9.4
CA ACF2 Release 16
CA Top Secret Release 16
All currently supported versions of WebSphere® HTTP server
Integrated Cryptographic Services Facility (ICSF) is supported up to HCR77F0

zSecure no longer supports the following platforms and applications:

IBM z/OS 2.4
IBM z/VM 7.2
CICS TS 5.4
IMS Version 15.1 and 15.2
IBM MQ 9.1

Installing IBM zSecure

For installation instructions, see the Program Directories:

For a complete installation roadmap on all steps to install, configure, and deploy a new installation of zSecure or an upgrade to zSecure 3.2.0, see the zSecure CARLa-Driven Components Installation and Deployment Guide.

Incompatibility warnings - zSecure 3.2

RACF field FLAG4: The RACF field FLAG4 is no longer modifiable. Default output format is hexadecimal.
New interpretation of line continuation characters: If any CKGRACF command input line ends with a plus sign + or minus sign -, that sign is now interpreted as a continuation character. The command or comment in the line is continued in the next line, called a continuation line. A plus sign at the end of a line is now interpreted as a continuation character even if it occurs outside of a CKGRACF CMD RACF (or CKGRACF) command. A minus sign at the end of a line is now interpreted as a continuation character while it used to be interpreted as a regular character.
Access requirements for RACF-Offline with SETROPTS APPLAUDIT: When SETROPTS APPLAUDIT is turned on and the APPL class is active and RACLISTed, RACF-Offline users need READ access to the APPL B8RACF resource to log on to the Offline RACF database.
SMF fields SPECIALTYPE, SUBRECNO, SUBRECORD, and SUBTYPE: The SMF newlist fields SPECIALTYPE, SUBRECNO, SUBRECORD, and SUBTYPE now require a CKFREEZE data set to be allocated or a SUPPRESS CKFREEZE statement to be present.

Incompatibility warnings - zSecure 3.1 Service Stream Enhancements

Compliance members renamed (October 2024)

The CARLa member that stored the CIS Benchmark control 3.13 Ensure all software on your system is supported was renamed to CKAHR3D to follow the naming convention for the RACF CIS IBM z/OS RACF Benchmark standard. In addition, the CARLa member that stored RACF-FT-000070, ACF2-FT-000120, and TSS0-FT-000130 controls was renamed to C2RHF070 to better reflect the FAMILY group of the controls.

Control	Original member name			Renamed member name
	RACF	ACF2	TSS	RACF	ACF2	TSS
CIS 3.13	CKAHR313			CKAHR3D
RACF-FT-000070 ACF2-FT-000120 TSS0-FT-000130	C2RHO470			C2RHF070

Certificate signing algorithm RSASSA-PSS split into 6 values (October 2024)

The CERTIFICATE_SIGNING_ALG field in TYPE=RACF and TYPE=CERTIFICATE no longer reports the value RSASSA-PSS. Instead, it reports one of the following values or, if the key length was not recognized, the value specifiedRSAPSS.

sha1RSAPSS
sha224RSAPSS

sha256RSAPSS
sha384RSAPSS

sha512RSAPSS

The default output length of the field that is changed from 11 to 12.

UPDATE access (October 2024)

It is no longer sufficient to grant UPDATE access to administrators to manage all aspects of non-base segments. Deleting non-base segments is possible only for administrators that have CONTROL access to the C4R.class.segname.=RACUID or the C4R.class.segname policy profile. UPDATE access does not allow deleting a segment. UPDATE access to the policy profile still allows adding and setting a value for non-base segments.

Running the zSecure Access Monitor, Alert, and SMF Collector STCs under the MSTR subsystem (April 2024)

The current release of zSecure supports running the Access Monitor, Alert, and SMF Collector STCs under the MSTR subsystem. This allows starting the STC earlier in the IPL process. Several changes have been made to the startup JCL and to the configuration data sets. An updated example member is provided in SCKRPROC. The most visible change is that the SYSTSPRT ddname is replaced by the C2PTSPRT or CKQTSPRT ddname. You must change the STC procedure, according to the description in the Migrating from a previous release sections for your products in the zSecure CARLa-Driven Components Installation and Deployment Guide.

Migration consideration

At the time of publication of this Release notes topic, no migration considerations exist.

Limitations and known problems

At the time of publication of this Release notes topic, no problems exist.

Limitations and problems that arise after publication are documented in technotes. Therefore, regularly scan for updates on IBM zSecure at IBM's Search support and downloads site. A general technote with IBM zSecure 3.2 Significant Documentation Updates lists all updates to the documentation of 3.2.0 since availability (November 2025).

You might also want to scan the following recommended fixes. Some of these fixes introduce new functions and features.

zSecure Admin	zSecure CICS Toolkit
zSecure Audit	zSecure Command Verifier
zSecure Alert for RACF	zSecure Manager for RACF z/VM
zSecure Alert for ACF2	z/OS Compliance Integration Manager

zSecure z/VM Documentation

A list of the zSecure 2.5.1 documentation is available at zSecure Documentation.