IBM Vault Self-Managed for Z and LinuxONE overview

IBM Vault Self-Managed for Z and LinuxONE extends HashiCorp Vault Enterprise to IBM mainframe environments, providing standardized enterprise secrets management with the security, resiliency, and scalability of IBM Z and IBM LinuxONE platforms.

What is HashiCorp Vault?

HashiCorp Vault is an identity-based secrets and encryption management system. It provides a unified interface to securely store and access secrets, such as API keys, passwords, certificates, and encryption keys. Vault provides tight access control and maintains a detailed audit log of all secret access and modifications.

Key characteristics of Vault include:

  • Centralized secrets management: Single source of truth for all secrets across your infrastructure.
  • Dynamic secrets generation: Creates credentials on-demand with automatic expiration.
  • Data encryption: Encrypts data in transit and at rest using industry-standard algorithms.
  • Identity-based access: Authenticates users and applications before granting access to secrets.
  • Detailed audit logging: Records every interaction with secrets for compliance and security analysis.
  • Secrets revocation: Automatically revokes secrets when they are no longer needed.

IBM Vault Self-Managed for Z and LinuxONE

IBM Vault Self-Managed for Z and LinuxONE brings enterprise-grade secrets management to IBM mainframe environments. This solution combines the proven capabilities of HashiCorp Vault Enterprise with the security, reliability, and performance characteristics of IBM Z and IBM LinuxONE systems.

The solution addresses the unique requirements of mainframe environments while maintaining compatibility with modern DevOps and cloud-native workflows. Organizations can manage secrets consistently across distributed systems and mainframe platforms using a single, unified secrets management solution.

Key features and capabilities

IBM Vault Self-Managed for Z and LinuxONE version 2.0.0 provides the following enterprise features:

RACF LDAP integration

The LDAP secrets engine generates valid IBM z/OS Security Server RACF login credentials dynamically from Vault. This capability eliminates the need for statically configured RACF passwords and passphrases, reducing security risks associated with long-lived credentials.

Key capabilities include:

  • Automatic generation of RACF passwords (1-8 characters) and passphrases (9-100 characters).
  • Configurable password policies that comply with RACF security requirements.
  • Automated credential rotation on configurable schedules.
  • Support for both password and passphrase authentication methods.
  • Integration with existing RACF security infrastructure.

This feature enables organizations to implement zero-trust security models for mainframe access, in which credentials are generated just-in-time and expire automatically after use.
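A Vault password policy that keeps dynamically generated RACF passwords within the 8-character limit described above, as an added example (not IBM's shipped configuration). The character sets are an assumption about the target installation and must be aligned with its SETROPTS PASSWORD rules.

```hcl
# racf-password.hcl: Vault password policy for dynamic RACF passwords (added example).
# RACF passwords are 1-8 characters; this policy always produces the full 8.
length = 8

# Assumption: the installation accepts uppercase letters, digits and the
# national characters @ # $ and does not have mixed-case passwords enabled.
# Check the SETROPTS PASSWORD rules of the target system before using this.
rule "charset" {
  charset   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  min-chars = 1
}

rule "charset" {
  charset   = "0123456789"
  min-chars = 1
}

rule "charset" {
  charset   = "@#$"
  min-chars = 1
}
```

Load it with `vault write sys/policies/password/racf-password policy=@racf-password.hcl` and reference it from the LDAP secrets engine configuration through its `password_policy` field so that every generated RACF password follows these rules.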

SSH secrets engine for z/OS USS

The Vault SSH secrets engine generates SSH keys for secure access to IBM z/OS UNIX System Services (USS). This capability supports infrastructure automation and DevOps workflows on z/OS platforms.

Key capabilities include:

  • Dynamic SSH key generation using the modern Ed25519 algorithm.
  • Certificate-based SSH authentication for z/OS USS.
  • Vault acts as the SSH certificate authority that signs the certificates.
  • Short-lived certificates with automatic expiration.
  • Seamless integration with automation tools and CI/CD pipelines.
  • Eliminates the need for static SSH key management.

Organizations using automation tools for infrastructure management or DevOps on z/OS can integrate the Vault SSH secrets engine to provide secure, auditable access to z/OS environments without managing long-lived SSH keys.

Vault Secrets Operator support

IBM Vault Self-Managed for Z and LinuxONE supports Vault Secrets Operator (VSO) for clients running Red Hat OpenShift on IBM Z and IBM LinuxONE. VSO provides native Kubernetes integration for secrets management.

Key capabilities include:

  • Direct synchronization of secrets from Vault to Kubernetes secrets.
  • Automatic secret updates when Vault secrets change.
  • Centralized secrets management across OpenShift clusters.
  • Reduces secrets sprawl by eliminating duplicate secret storage.
  • Native Kubernetes custom resources (VaultAuth, VaultStaticSecret).
  • Support for multiple authentication methods (AppRole, Kubernetes, JWT).

This feature enables cloud-native applications running on OpenShift to consume Vault secrets natively through Kubernetes, maintaining consistency with modern application deployment patterns.

Native z/OS deployment with zCX

IBM Vault Self-Managed for Z and LinuxONE supports deployment of Vault servers natively in z/OS using IBM z/OS Container Extensions (zCX). This deployment option allows z/OS clients to manage secrets securely within their z/OS environment.

Key capabilities include:

  • Docker-based deployment on z/OS container extensions.
  • High availability configuration with a three-node Raft cluster.
  • Integrated storage using Raft consensus protocol.
  • HAProxy load balancer for distributing API requests.
  • Native z/OS integration without requiring separate Linux systems.
  • Leverages z/OS security, reliability, and performance characteristics.

By deploying Vault servers on zCX, organizations can keep secrets management infrastructure within the z/OS security boundary while maintaining compatibility with standard Vault APIs and tools.
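One node's server configuration for the three-node Raft cluster described above, as an added example rather than IBM's shipped configuration. Host names, file paths and the cluster name are assumptions; the other two nodes use the same file with their own node_id, certificate and address values.

```hcl
# vault-node1.hcl: one member of a 3-node Raft cluster on zCX (added example).
# Host names, paths and cluster_name are assumptions, not values from the product.
ui           = true
cluster_name = "vault-zcx"

# Raft integrated storage; each node keeps its own copy of the data.
storage "raft" {
  path    = "/vault/data"
  node_id = "vault-node1"

  # Join the other two members; whichever is leader accepts the join.
  retry_join {
    leader_api_addr     = "https://vault-node2.example.internal:8200"
    leader_ca_cert_file = "/vault/tls/ca.pem"
  }
  retry_join {
    leader_api_addr     = "https://vault-node3.example.internal:8200"
    leader_ca_cert_file = "/vault/tls/ca.pem"
  }
}

# API listener (8200) and cluster traffic (8201), TLS on both.
listener "tcp" {
  address            = "0.0.0.0:8200"
  cluster_address    = "0.0.0.0:8201"
  tls_cert_file      = "/vault/tls/node1.pem"
  tls_key_file       = "/vault/tls/node1-key.pem"
  tls_client_ca_file = "/vault/tls/ca.pem"
}

# Node-specific addresses that peers and request forwarding use.
api_addr     = "https://vault-node1.example.internal:8200"
cluster_addr = "https://vault-node1.example.internal:8201"

# Recommended when Raft integrated storage is used.
disable_mlock = true
```

Clients reach the cluster through the HAProxy front end mentioned above rather than through api_addr directly; HAProxy can probe each node's /v1/sys/health endpoint to route requests to the active node or to standbys as policy requires.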

Core Vault capabilities

In addition to IBM Z-specific features, IBM Vault Self-Managed for Z and LinuxONE includes all standard HashiCorp Vault Enterprise capabilities:

  • Multiple secrets engines: Key-value storage, database credentials, PKI certificates, cloud provider credentials.
  • Authentication methods: LDAP, AppRole, Kubernetes, JWT, username/password, and more.
  • Access control policies: Fine-grained path-based policies using HashiCorp Configuration Language (HCL).
  • Encryption as a service: Encrypt and decrypt data without storing it in Vault.
  • Audit logging: Comprehensive logging of all requests and responses.
  • High availability: Multi-node clusters with automatic failover.
  • Disaster recovery: Snapshot and restore capabilities for business continuity.
  • Namespaces: Multi-tenancy support for organizational isolation.
  • Replication: Performance and disaster recovery replication across data centers.