IBM Support

IBM Security zSecure enhancements for compliance automation and usability (APARs OA60419 and OA60459)

News


Abstract

This document describes the documentation updates as a result of the zSecure enhancements for compliance automation and usability (for APAR numbers OA60419 and OA60459 - December 2020):
* PTFs UJ04501 and UJ04557 for APAR OA60419: this updates code shared among most zSecure components.
* PTF UJ04502 for APAR OA60459: this updates code specific to the ACF2 features.

Content

The following enhancements were made:
  • More control automation for RACF, and some for ACF2 and Top Secret.
  • Upgrade to STIG Version 6 Release 47 (6.47).
  • New library: SCKACUST
    In previous zSecure versions, following a PTF, customers had to run job CKAZCUST to create new CKACUST members in the customer's Site and User CKACUST data sets. Starting with this SSE, the new SCKACUST library is added to the concatenation for DDname CKACUST. New CKACUST members that are introduced in compliance controls are now automatically provided in SCKACUST. Following specification of the relevant zSecure configuration information, these new members are automatically copied from SCKACUST to the customer's Site or User CKACUST data sets.
  • New library: SCKACUSV
    The CKACUST data set has records that are limited to 80 characters. The CKACUSV data set allows specifying longer values. The issuer name of a digial certificate is an example of a value that can be much longer. Your zSecure configuration (by default, C2R$PARM) must define which data set is to be used as the CKACUSV data set, or it must be set up manually through option Setup Command files (SE.8).
  • Additional VM events for SIEM.
  • Background run capabilities for RA.3.2, AM.8, and AM.9 (for RACF).
  • Support for SMF relocate section 443 and ID token extensions.
  • New report types:
    • CERTIFICATE
      A record in the TYPE=CERTIFICATE report type describes a digital certificate as it is present on a particular system.
    • IOAENV
      The IOAENV report type shows the security settings of active BMC INCONTROL IOA environments, and it includes information on the IOA, Control-D, Control-M, and Control-O products.
    • IP_INETD
      The IP_INETD report type shows configuration of network services that the inetd daemon manages.
    • JES_DEVICE
      The JES_DEVICE report shows the available JES2 devices and the information that is used to secure them.
    • JES_REMOTE
      The JES_REMOTE report shows the available remote JES2 workstations, and the information that is used to secure them.
    • SSH_DAEMON
      The SSH_DAEMON report shows the configuration of the z/OS OpenSSH SSH daemons that run in the UNIX address spaces in the system.
    • SUPSESS_REGION_CP
      The SUPSESS_REGION_CP newlist type can be used to report about IBM CL/SuperSession. Each record in the TYPE=SUPSESS_REGION_CP report describes a Network Access Manager Control Point.

      For details, see the documentation updates for the zSecure CARLa Command Reference.
  • New ACF2_SENSDSN_ACCESS fields link logonids with started tasks to better determine their authorization.
  • Enhancements for parsing parameter members.
  • zSecure Alert provides an option to exploit a CKRCARLA internal restart to refresh environment information while retaining job information.
  • The ability to run CKXLOGID authorized.
The documentation updates apply to V2.4.0 zSecure Admin, zSecure Audit, and zSecure Alert. The following publications were
updated:
zSecure CARLA-Driven Components Installation and Deployment Guide SSE_V240_Dec'20-Install(1).pdf
zSecure Messages Guide SSE_V240_Dec'20-MsgsGd(1).pdf
zSecure Admin and Audit for RACF User Reference Manual Link
zSecure Audit for ACF2 User Reference Manual Link
zSecure Audit for Top Secret User Reference Manual Link
zSecure CARLa Command Reference Link
zSecure Alert User Reference Manual
The following product name and terminology changes were applied throughout the zSecure documentation:
  • "CA Roscoe Interactive Environment" to "Advantage CA-Roscoe"
  • "Tivoli NetView" to "Z NetView"
  • "Whitelist" to "allowlist".

Note:
  • Referenced topics that have not changed are not included in this document. You can find them in the publication that the chapter applies to.
  • The zSecure (Admin and) Audit User Reference Manuals and the zSecure CARLa Command Reference are available to licensed clients only. To access the zSecure V2.4.0 licensed documentation, you must sign in to the IBM Security zSecure Suite Library with your IBM ID and password. If you do not see the licensed documentation, your IBM ID is probably not yet registered. Send a mail to zDoc@nl.ibm.com to register your IBM ID.
Installation requirement
HOLD data in SMPE
APAR OA60419 is fixed by UJ04501, which includes a pre-installation job (in cover letter and ++HOLD(ACTION)). Change this job to meet your site's installation standards and then run it prior to installation.
For ease, a copy of the job is included here: UJ04501_pre_apply_job.txt
Migration considerations
CKQEXSMF and C2POLICE users who apply maintenance without an IPL
Changes made by UJ04501 and UJ04557 require that users of CKQEXSMF and C2POLICE, who apply these PTFs without performing an IPL, perform either of the following steps:
  • Stop CKQEXSMF and/or C2POLICE with F procname,SIPL
    Then restart as normal.
  • If you did not perform the above step when stopping the tasks, start CKQEXSMF and/or C2POLICE with procname,,,FORCE
If you do not perform one of these steps, CKQEXSMF issues message CKQ0183E and C2POLICE issues message C2P0183E when you restart these tasks. You can then restart the tasks using the FORCE option.
If an IPL is used to make the maintenance live on the system, neither of these steps are required.

New SCKACUST and SCKACUSV libraries
  • New SCKACUST and SCKACUSV libraries are distributed as part of the PTF package.
  • CKACUST and CKACUSV data sets can be created through new job SCKRSAMP(CKAZSITE) for usage by a particular user. This new construction eliminates the need for maintaining Site (or customized) CKACUST instances through the CKAZCUST job for every PTF.
  • For this update (only), a Site CKACUSV data set must be created and a reference to it must be added to the zSecure configuration (C2R$PARM).
  • For a new installation, Site (or customized), CKACUST and CKACUSV data sets are created by using CKRZPOST; the zSecure configuration (C2R$PARM) includes provisions for both.
The following list shows example migration steps for an existing set up:
  1. Run the pre-apply job.
  2. Apply the PTFs.
  3. Rename the existing CKACUST to CKACUST.OLD if you do not have any existing customization you wish to keep.
    If you have existing customization in your existing CKACUST data set, you can omit this step.
  4. Run CKAZSITE to create new CKACUST and CKACUSV datasets (or only CKACUSV if you omitted step 3).
  5. Add to the existing C2R$PARM: SET CKACUSV='your.prefix.CKACUSV'

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSPQTM","label":"IBM Security zSecure Admin"},"ARM Category":[{"code":"a8m0z000000GoZlAAK","label":"zSecure Admin->Documentation"}],"Platform":[{"code":"PF035","label":"z/OS"}],"Version":"2.4.0"},{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSPN95","label":"IBM Security zSecure Audit"},"ARM Category":[{"code":"a8m0z000000GoYsAAK","label":"zSecure Audit->Documentation"}],"Platform":[{"code":"PF035","label":"z/OS"}],"Version":"2.4.0"},{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSCHPT","label":"IBM Security zSecure Adapters for SIEM"},"ARM Category":[{"code":"a8m0z000000GoWNAA0","label":"zSecure Data Preparation for SIEM->Documentation"}],"Platform":[{"code":"PF035","label":"z/OS"}],"Version":"2.4.0"},{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSPLQS","label":"IBM Security zSecure Alert"},"ARM Category":[{"code":"a8m0z000000GoZHAA0","label":"zSecure Alert->Documentation"}],"Platform":[{"code":"PF035","label":"z/OS"}],"Version":"2.4.0"}]

Document Information

Modified date:
06 April 2021

UID

ibm16352999