This document describes the documentation updates as a result of the zSecure enhancements for compliance automation and usability (for APAR numbers OA60419 and OA60459 - December 2020):
* PTFs UJ04501 and UJ04557 for APAR OA60419: this updates code shared among most zSecure components.
* PTF UJ04502 for APAR OA60459: this updates code specific to the ACF2 features.
- More control automation for RACF, and some for ACF2 and Top Secret.
- Upgrade to STIG Version 6 Release 47 (6.47).
- New library: SCKACUST
  In previous zSecure versions, following a PTF, customers had to run job CKAZCUST to create new CKACUST members in the customer's Site and User CKACUST data sets. Starting with this SSE, the new SCKACUST library is added to the concatenation for DDname CKACUST. New CKACUST members that are introduced in compliance controls are now automatically provided in SCKACUST. Following specification of the relevant zSecure configuration information, these new members are automatically copied from SCKACUST to the customer's Site or User CKACUST data sets.
- New library: SCKACUSV
  The CKACUST data set has records that are limited to 80 characters. The CKACUSV data set allows specifying longer values. The issuer name of a digital certificate is an example of a value that can be much longer. Your zSecure configuration (by default, C2R$PARM) must define which data set is to be used as the CKACUSV data set, or it must be set up manually through option Setup Command files (SE.8).
- Additional VM events for SIEM.
- Background run capabilities for RA.3.2, AM.8, and AM.9 (for RACF).
- Support for SMF relocate section 443 and ID token extensions.
- New report types:
  - A record in the TYPE=CERTIFICATE report type describes a digital certificate as it is present on a particular system.
  - The IOAENV report type shows the security settings of active BMC INCONTROL IOA environments, and it includes information on the IOA, Control-D, Control-M, and Control-O products.
  - The IP_INETD report type shows configuration of network services that the inetd daemon manages.
  - The JES_DEVICE report shows the available JES2 devices and the information that is used to secure them.
  - The JES_REMOTE report shows the available remote JES2 workstations, and the information that is used to secure them.
  - The SSH_DAEMON report shows the configuration of the z/OS OpenSSH SSH daemons that run in the UNIX address spaces in the system.
  - The SUPSESS_REGION_CP newlist type can be used to report about IBM CL/SuperSession. Each record in the TYPE=SUPSESS_REGION_CP report describes a Network Access Manager Control Point.

  For details, see the documentation updates for the zSecure CARLa Command Reference.
- New ACF2_SENSDSN_ACCESS fields link logonids with started tasks to better determine their authorization.
- Enhancements for parsing parameter members.
- zSecure Alert provides an option to exploit a CKRCARLA internal restart to refresh environment information while retaining job information.
- The ability to run CKXLOGID authorized.
|zSecure CARLA-Driven Components Installation and Deployment Guide||SSE_V240_Dec'20-Install(1).pdf|
|zSecure Messages Guide||SSE_V240_Dec'20-MsgsGd(1).pdf|
|zSecure Admin and Audit for RACF User Reference Manual||Link|
|zSecure Audit for ACF2 User Reference Manual||Link|
|zSecure Audit for Top Secret User Reference Manual||Link|
|zSecure CARLa Command Reference||Link|
|zSecure Alert User Reference Manual|
- "CA Roscoe Interactive Environment" to "Advantage CA-Roscoe"
- "Tivoli NetView" to "Z NetView"
- "Whitelist" to "allowlist".
- Referenced topics that have not changed are not included in this document. You can find them in the publication that the chapter applies to.
- The zSecure (Admin and) Audit User Reference Manuals and the zSecure CARLa Command Reference are available to licensed clients only. To access the zSecure V2.4.0 licensed documentation, you must sign in to the IBM Security zSecure Suite Library with your IBM ID and password. If you do not see the licensed documentation, your IBM ID is probably not yet registered. Send a mail to zDoc@nl.ibm.com to register your IBM ID.
HOLD data in SMPE
- Stop CKQEXSMF and/or C2POLICE with F procname,SIPL
Then restart as normal.
- If you did not perform the above step when stopping the tasks, start CKQEXSMF and/or C2POLICE with S procname,,,FORCE
If an IPL is used to make the maintenance live on the system, neither of these steps is required.
New SCKACUST and SCKACUSV libraries
- New SCKACUST and SCKACUSV libraries are distributed as part of the PTF package.
- CKACUST and CKACUSV data sets can be created through new job SCKRSAMP(CKAZSITE) for usage by a particular user. This new construction eliminates the need for maintaining Site (or customized) CKACUST instances through the CKAZCUST job for every PTF.
- For this update (only), a Site CKACUSV data set must be created and a reference to it must be added to the zSecure configuration (C2R$PARM).
- For a new installation, Site (or customized) CKACUST and CKACUSV data sets are created by using CKRZPOST; the zSecure configuration (C2R$PARM) includes provisions for both.
1. Run the pre-apply job.
2. Apply the PTFs.
3. Rename the existing CKACUST to CKACUST.OLD if you do not have any existing customization you wish to keep.
   If you have existing customization in your existing CKACUST data set, you can omit this step.
4. Run CKAZSITE to create new CKACUST and CKACUSV data sets (or only CKACUSV if you omitted step 3).
5. Add to the existing C2R$PARM: SET CKACUSV='your.prefix.CKACUSV'
06 April 2021