Release notes for V2.3.1
IBM® Security zSecure™ V2.3.1 is available. Read this document to find important installation information. You can also learn about compatibility issues, limitations, and known problems.
For information about the new features for zSecure V2.3.1, see What's new for zSecure V2.3.1.
For information about the zSecure documentation and steps to obtain the licensed publications, see zSecure documentation.
If you are upgrading from a version of IBM Security zSecure that is older than V2.3.0, also see the Release Information for the versions that you skipped. You can find the documentation for all versions in the IBM Knowledge Center for IBM Security zSecure Suite.
Contents
Announcement
- Prerequisites
- Technical information
- Ordering information
- Terms and conditions
System requirements
Minimum | Advised | |
---|---|---|
Processor | A supported IBM z Systems server that is capable of supporting z/OS V2.2 or later. | |
The CKR8Z196 program requires z196 or newer hardware. | ||
Disk space | 300 MB | 450 MB |
Memory | 1 GB | 2 GB |
- Program Directory for IBM Security zSecure CICS Toolkit
- Program Directory for IBM Security zSecure Command Verifier
- Program Directory for IBM Security zSecure Admin RACF-Offline
Supported platforms and applications
- IBM z/OS version 2 release 2 (V2R2) through z/OS version 2 release 3 (V2R3)
- CICS Transaction Server version 4 release 1 (V4R1) through version 5 release 4 (V5R4)
- DB2 version 11 release 1 (V11R1) through DB2 version 12 release 1 (V12R1)
- IMS version 13 (V13) through version 15 (V15)
- IBM MQ version 8 (V8) through IBM MQ version 9 (V9)
- CA ACF2 release 16
- CA Top Secret release 16
- Microsoft Windows Server 2008, 2012, and 2016
- zSecure Visual Client requires Microsoft Windows 7, 8, or 10
- All currently supported versions of WebSphere HTTP server
- Integrated Cryptographic Services Facility (ICSF) is supported up to HCR77C1
- z/OS V2R1
- DB2 version 10 release 1 (V10R1)
- CA ACF2 release 15
- CA Top Secret release 15
Installing IBM Security zSecure
- Program Directory for IBM Security zSecure Suite: CARLa-driven components
- Program Directory for IBM Security zSecure CICS Toolkit
- Program Directory for IBM Security zSecure Command Verifier
- Program Directory for IBM Security zSecure Admin RACF-Offline
- Program Directory for IBM Security zSecure Administration
- Program Directory for IBM Security zSecure Compliance and Administration
- Program Directory for IBM Security zSecure Compliance and Auditing
For a complete installation roadmap on all steps to install, configure, and deploy a new installation of zSecure or an upgrade to zSecure V2.3.1, see the IBM Security zSecure CARLa-Driven ComponentsInstallation and Deployment Guide.
This documentation is available with the product at the IBM Knowledge Center for IBM Security zSecure Suite V2.3.1.
Incompatibility warnings
- Top level compliance rules renamed
- The top level compliance rule members and their primary site customization members have been
renamed:If you have customized one of the CKA%@IDF CKACUST members, all customization must be forwarded to the new C2R%@IDF member. The CKAZCUST job copies the CKA%@IDF members to their new names and adds skeletons for all new CKACUST members.
Standard Top level member in SCKRCARL Site customization DEFTYPEs etc. in CKACUST Former member name New member name Former member name New member name DISA STIG CKAG@ C2RG@ CKAG@IDF C2RG@IDF PCI-DSS CKAPC@ C2RP@ CKAP@IDF C2RP@IDF ISeC / GSD331 CKAO@ C2RO@ CKAO@IDF C2RO@IDF zSecure Extra (former STIG Plus) CKAG@PLS C2RZ@ CKAG@IDF C2RG@IDF - STIG members renamed
- For zSecure Audit V2.3.1, members were renamed. Some CKAG* and C2AG* members were
renamed to C2RG* because they contain common specifications for the RACF, ACF2, and Top Secret
standards. Others were renamed to CKAZ*, CKTZ*, C2AZ*, or C2RZ* with the rename of the STIGPlus
standard to zSecure Extra.
Former member name New member name Former member name New member name CKAGC340 C2RGC340 CKAGPL01 CKAZTM03 CKAGCI30 C2RGCI30 CKAGSD10 C2RGSD10 CKAGCR21 CKAGCI21 CKAGSM22 C2RGSM22 CKAGCR41 CKAGCI41 CKAGSM32 C2RGSM32 CKAGF020 C2RGF020 CKAGTC20 C2RGTC20 CKAGF030 C2RGF030 CKAGTC30 C2RGTC30 CKAGF040 C2RGF040 CKAGTN10 C2RGTN10 CKAGF050 C2RGF050 CKAGTN50 C2RGTN50 CKAGF060 C2RGF060 CKAGTN60 C2RGTN60 CKAGF070 C2RGF070 CKAGTS20 C2RGTS20 CKAGF100 C2RGF100 CKAGWM20 C2RGWM20 CKAGF110 C2RGF110 CKAGWM51 C2RGWM51 CKAGFE11 C2RGFE11 CKAGZU11 C2RGZU11 CKAGFE12 C2RGFE12 CKAGZU13 C2RGZU13 CKAGFE13 C2RGFE13 CKAG@ C2RG@ CKAGIU20 C2RGIU20 CKAG@DEF C2RG@DEF CKAGM010 C2RGM010 CKAG@PLS C2RZ@ CKAGM014 C2RGM014 CKAG@6PL CKAZ@1 CKAGM018 C2RGM018 CKAO@ C2RG@ CKAGM030 C2RGM030 CKAP@DEF C2RP@DEF CKAGM040 C2RGM040 CKAPC@ C2RP@ CKAGM050 C2RGM050 CKTG@6PL CKTZ@1 CKAGM160 C2RGM160 C2AGF020 C2RGF020 CKAGM380 C2RGM380 C2AGF030 C2RGF030 CKAGM400 C2RGM400 C2AGSM32 C2RGSM32 CKAGM420 C2RGM420 C2AGTC20 C2RGTC20 CKAGM430 C2RGM430 C2AG@6PL C2AZ@1 CKAGM440 C2RGM440 CKAGM450 C2RGM450 - PCI-DSS and GSD331 standards renamed
- The following standards have been renamed:
Former name New name ACF2-PCI-DSS ACF2_PCI-DSS RACF-PCI-DSS RACF_PCI-DSS GSD331 RACF_GSD331 - Preparing for rule-based compliance evaluation
- To define variables for rule-based compliance evaluation (AU.R), the DEFINE statements are now
required to be included in the C2RG@IDF customization member (instead of ACPCNFG). For more
information, see section
Definitions of variables in the C2RG@IDF customization member
in the zSecure (Admin and) Audit User Reference Manual for your product. - CKQRADAR, C2POLICE JCL
- The following updates were made for CKQRADAR and C2POLICE JCL:
- The LRECL of a few files in C2POLICE was increased to reduce the chance of truncation.
- The C2RSYSLG file in C2POLICE now receives syslog alerts that could not be delivered to any UDP or TCP destination (in UTF8).
- The C2RSYSLG file in CKQRADAR is now commented out and writing to it is suppressed by default. If writing to it is accidentally not suppressed, syslog messages that could not be delivered to any destination are redirected to C2RSYSLG.
- BUFLOCK
- New debug option has been added to C2POLICE, C2PACMON, and CKQEXSMF. BUFLOCK creates a system dump for the current task at the moment that the task cannot write the event record.
- ALLOCATE command
- The CDP option for the ALLOCATE command and the FMID that is associated with the CDP component have been removed.
- COMPLEX
- The default complex for allocations that use ZSECNODE or ZSECSYS to obtain data from the zSecure server has changed. Instead of using the RRSF node name (for RACF systems) or the SYSPLEX or SYSNAME value, it now uses the ZSECNODE name as default complex. For more details, see the descriptions of the COMPLEX fields in zSecure CARLa Command Reference.
- TYPE=DSN SENSTYPE/SENSITIVITY
- In the DSN newlist, the SENSTYPE/SENSITIVITY field is now a repeating field. Therefore, it is necessary to add a FIRSTONLY modifier to be able to combine it in a summary key with another field, or to add a summary level.
- TYPE=RESOURCE PRIV_SENSTYPE
- The PRIV_SENSTYPE field in the RESOURCE newlist no longer returns sensitivity types exceeding
the documented maximum length of 11 characters. If you have explicit SELECT statements to test for
these sensitivity types, they must be adjusted to use the new, shorter name. The following
sensitivity types have been replaced:
Former sensitivity type New sensitivity type SetAutoReply SetAutoRepl SetConDelete SetConDel UNIXdebugAPF UNIXdbgAPF - NEWLIST TYPE=SMF field USAGE_COUNT
- USAGE_COUNT has become a repeating field.
- TYPE=TRUSTED USERID_PRIVILEGE
- For the USERID_PRIVILEGE field in the TRUSTED newlist, the value Operation has changed to Operations. If you have written your own TRUSTED queries, you might need to adjust the SELECTion.
- OA54485: Using SUMMARY CARLa function, fixed values are repeated for each level of output
- As a result of this code change, literal values are no longer repeated on each summary level, but are only included on the level were they are used in the code.
- Consistent casing of "ACF2 BLPpgm" and "ACF2 maint"
- Inconsistent use of all uppercase and mixedcase sensitivities for ACF2 BLPpgm and ACF2 maint has been corrected. Only the mixed case values are now used in the program.
- CDP support removed
- zSecure V2.3.1 no longer supports Common Data Provider (CDP). If you use the SMF Exit Collection method for near real-time QRadar support, see the CARLa-Driven Components Installation and Deployment Guide to set up the CKQEXSMF started task.
- One UNLOAD allocation allowed per complex-version combination
- zSecure V2.3.1 supports only one security database source per complex name. Use different complex names for different security databases or single UNLOAD statements.
Migration considerations
- zSecure Access Monitor, zSecure Alert, and SMF Collector
- IPL between release changes, or shutdown using F product,SIPL, where product is either C2PACMON (for Access Monitor), C2POLICE (for Alert), or CKQEXSMF (for SMF Collector). C2POLICE and CKQEXSMF share the same exit routines; when upgrading, both must be shutdown. Ensure that the latest RACF exits are used. You might need to run C2XACTV job as documented in zSecure CARLa-Driven Components Installation and Deployment Guide. Also make sure that no previous versions of the zSecure RACF/SMF exits are present in active linklist or lpalist data sets.
- New level of NLS table
- If you customized the options or menus using SE.D.N in your previous version, use option SE.D.N to trigger migration of your customization to the new NLS table.
- Compliance framework
- Rerun CKAZCUST to add new configuration members. Some existing configuration members will be copied/renamed for new naming convention. Perform a manual update or cleanup of FTPCNFG to use only the file names as they are now determined by CKFCOLL.
- IFAPRDxx
- Entry in IFAPRDxx is not needed to enable zSecure products. If you use IFAPRDxx to disable installed zSecure products and you use specific numbers in IFAPRDxx, be aware that the version, release, and modification numbers have changed as follows: VERSION(2) RELEASE(3) MOD(1)
Limitations and known problems
- Using the default MEMSIZE=8G for the CKQRADAR STC, after running some 62.5 million jobs, causes
message
CKR0438 16 SMF input terminated: out of memory
. - Events sent near real-time using TCP/IP over a low bandwidth connection can be silently delayed.
- Selection on Assertions due in nn days in Compliance Evaluation is incorrect.
Limitations and problems that arise after publication are documented in technotes. Therefore, regularly scan for updates on IBM Security zSecure at www.ibm.com/mysupport. A general documentation technote lists all significant updates to the documentation of 2.3.1 since availability.
You might also want to scan the following recommended fixes. Some of these fixes introduce new functions and features.