IBM Security zSecure, Version 2.2.1

Release notes

IBM® Security zSecure™ V2.2.1 is available. Read this document to find important installation information. You can also learn about compatibility issues, limitations, and known problems.

For information about the new features for zSecure V2.2.1, see What's new for zSecure V2.2.1.

For information about the zSecure documentation and steps to obtain the licensed publications, see zSecure documentation.

If you are upgrading from a version of IBM Security zSecure that is older than V2.2.0, also see the Release Information for the versions that you skipped. You can find the documentation for all versions in the IBM Knowledge Center for IBM Security zSecure Suite.

Announcement

The zSecure V2.2.1 announcement (ENUSZP16-0596) includes information about the following topics:
  • Prerequisites
  • Technical information
  • Terms and conditions
  • Ordering details

System requirements

This section lists the minimum and advised processor, disk space, and memory requirements for the zSecure V2.2.1 products and solutions:
Processor
Minimum: CKR4Z: z800 or higher; CKR8Z196: z196 or higher
Advised: IBM System z9® or z10™ Enterprise Class (EC) or z9® or z10™ Business Class (BC)
Disk space
Minimum: 300 MB
Advised: 450 MB
Memory
Minimum: 1 GB
Advised: 2 GB

For programming and space requirements for CICS Toolkit, Command Verifier, and RACF-Offline, see the following Program Directories:

All other CARLa-driven components of zSecure have a common Program Directory: Program Directory for IBM Security zSecure Suite: CARLa-driven components.

Supported platforms and applications

IBM Security zSecure products are supported on the following platforms and applications:
  • IBM z/OS version 1 release 13 (V1R13) through z/OS version 2 release 2 (V2R2)
  • CICS Transaction Server version 3 release 1 (V3R1) through version 5 release 3 (V5R3)
  • DB2 version 10 release 1 (V10R1) through DB2 version 11 release 1 (V11R1)
  • IMS version 12 (V12) through version 14 (V14)
  • WebSphere MQ version 7 release 1 (V7.1) through IBM MQ for z/OS version 9 (V9)
  • CA ACF2 release 14 through 16
  • CA Top Secret release 14 through 16
  • Microsoft Windows Server 2008, 2012, and 2016
  • zSecure Visual Client requires Microsoft Windows 7, 8, or 10
  • All currently supported versions of WebSphere HTTP server
  • Integrated Cryptographic Services Facility (ICSF) is supported up to HCR77B1
zSecure no longer supports the following platforms and applications:
  • DB2 version 9 release 1 (V9R1)
  • IMS V11

Installing IBM Security zSecure

For a complete installation roadmap on all steps to install, configure, and deploy a new installation of zSecure or an upgrade to zSecure V2.2.1, see the IBM Security zSecure CARLa-Driven Components: Installation and Deployment Guide.

This documentation is available with the product at the IBM Knowledge Center for IBM Security zSecure Suite V2.2.1.

Incompatibility warnings

Administration and operation
For IPv4 FTP client (118-3) SMF records, the following fields for NEWLIST TYPE=SMF are changed:
DSTIP
Now shows the local IP address instead of the remote IP address. So DSTIP is now an address of the local z/OS system writing the record, as it is with other FTP server and client SMF records.
SRCIP
Now shows the remote IP address instead of the local IP address. So SRCIP is now an address of the (remote) communication partner of the local z/OS system that is writing the record, as it is with other FTP server and client SMF records.
USER
Now shows the local user ID instead of the remote user ID, as it does for other FTP server and client SMF records.
R_USER
Now shows the remote user ID of 118-3 records.
Recreate user

The recreate user scripts CKRXRUS and CKGXRUS have been updated (for APAR OA50610). As a result:

  • If the RA.4.6 Recreate user option "Use CKGRACF to update the user profile" is not selected:
    • The recreated user IDs are always protected.
    • The password interval settings of user IDs are not recreated.
  • If the RA.4.6 Recreate user option "Use CKGRACF to update the user profile" is selected, commands are generated to accurately recreate PROTECTED attributes and password interval settings.
Calling CKR4Z directly
If you disable 64-bit mode explicitly in zSecure 2.2.1 by calling CKR4Z directly, it might be necessary to set up Program Access to Data Sets (PADS) access for CKR4Z.
z/OS APAR OA50672

For the 64-bit engine, be aware of z/OS APAR OA50672 against HFS 64-bit support. Without the fix, you might experience CKR0915 messages when writing to a UNIX file within an HFS with RC 157 (MVS environment error) or incorrect RC values. If this happens, switch to the 31-bit engine, apply the fix for APAR OA50672 if available, or allocate a zFS, instead of an HFS, for your UNIX output. Note that the LEEF integrations with IBM QRadar SIEM use UNIX files.

Migration issues

Migrating QRadar SIEM feed from deprecated C2EQ* customization members to CKQ* customization members
When converting from C2E to CKQ members, you must customize the SIMULATE USER_PRIV_GROUP command with the groups that were previously coded in C2EQRENV (by default that was SYS1 and OMVS*). As USER_PRIV_GROUPS does not support a generic specification, you must add groups other than SYS1 and OMVS explicitly in CKQRENV.

Limitations and known problems

At the time of publication of this Release Notes document, the following problems exist:

Limitations and problems that arise after publication are documented in technotes. Therefore, regularly scan for updates on IBM Security zSecure at IBM's Search support and downloads site. A general documentation technote lists all updates to the documentation of 2.2.1 since availability.

You might also want to scan the following recommended fixes. Some of these fixes introduce new functions and features.


