Last Updated: 13 February 2026


z/VM Security and Integrity

News Archive


Previous announcements regarding IBM security. Note that links are not guaranteed to function, though a best effort will be made to validate them from time to time.


26 January 2021 -- OCSP Support now available for z/VM V7.2

With the PTF for APAR PH28216, z/VM V7.2 has been enabled to support the Online Certificate Status Protocol (OCSP) for the TLS/SSL server. This support will enable a fine-tuning of certificate validation by allowing the TLS server to check client certificates against external databases for last-minute revocation status. More information can be found on the z/VM 7.2 New Function Webpage.


18 September 2020 -- z/VM V7.2 General Availability

z/VM Version 7 Release 2.0 is now available! It includes all security enhancements and security fixes previously released in the service stream for earlier releases. Please visit the main z/VM 7.2 website to learn more!

In addition to z/VM V7.2 functionality, a Statement of Direction has been issued to withdraw support for multiple RACFVM machines inside a single z/VM system:

z/VM 7.2 is intended to be the last release to support multiple RACF for z/VM servers running concurrently in a single z/VM system. This support was implemented to enable greater throughput in handling security policy requests and updates against a single RACF database. However, modern I/O speeds and processing power have rendered this support superfluous. This statement has no bearing on RACFVM multiconfiguration virtual machines in a z/VM Single System Image cluster or on the RACMAINT virtual machine used in support and service.

Please refer to the following website for more information: https://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/5/897/ENUS220-305/index.html&request_locale=en#sodx


16 June 2020 -- CMS Pipelines TLS/SSL Enhancements now available for z/VM V7.1

With the PTF for APAR VM66365, z/VM V7.1 has been enabled to support new CMS Pipelines for Secure Socket Layer (SSL) and Transport Layer Security (TLS) encryption. These allow CMS-based applications to take advantage of IBM Z and IBM LinuxONE hardware encryption, and the TLS/SSL server, to connect securely to other applications inside and outside of z/VM. More information can be found at the z/VM 7.1 New Function page.


03 June 2020 -- TLS/SSL Certificate Validation now available for z/VM V7.1

With recent PTFs, z/VM V7.1 has been updated to enable Client Certificate validation for implicit TLS connections. This support also extends client certificate authentication to other implicit-TLS TCP/IP services, such as FTPS or SMTP. More information can be found at the z/VM 7.1 New Function page.


20 May 2020 -- IBM Z Multi-factor Authentication Support for z/VM V7.1 RACF and Broadcom CA VM:Secure

With the PTF for APAR VM66338, z/VM V7.1 with an External Security Manager (ESM) now supports the IBM Z Multi-factor Authentication V2.1 product. This new product allows an authentication server to serve as a Policy Decision Point for z/VM authentication policy. By enabling this support, out-of-band evaluation of factors other than passwords or password phrases -- digital certificates, RSA SecurID, TOTPs, LDAP binds, and more -- is now possible. For more information, please visit the z/VM 7.1 New Function page.


14 April 2020 -- IBM z/VM V7.2 Preview Announce and Statements of Direction

As part of the preview announce for z/VM V7.2, the following Statement of Direction has been issued:

z/VM V7.2 is intended to be the last z/VM release to support sharing RACF databases between z/VM and z/OS systems. While databases may remain compatible, sharing between operating systems is discouraged due to the distinct security and administration requirements of different platforms. A future z/VM release will be updated to detect whether a database is flagged as a z/OS database and reject its use if so marked. Sharing of databases between z/VM systems, whether in a Single System Image cluster or in stand-alone z/VM systems, is not affected by this statement.

Please refer to the following website for more information: https://www.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/8/897/ENUS220-088/index.html&request_locale=en#sodx


19 February 2019 -- z/VM 6.4 System SSL Cryptographic Module Receives FIPS 140-2 Certification

The z/VM V6.4 System SSL module, with the PTF for APAR PI99134, has been validated as conforming to the Federal Information Processing Standard (FIPS) 140-2. This industry-recognized cryptographic standard mandates modern digital key sizes and integrity checking for TLS operations. z/VM 6.4 System SSL is used by both the z/VM LDAP Server and z/VM TLS/SSL Server. This satisfied the statement of direction made in the IBM Software Announcement dated October 25, 2016.


19 September 2018 -- z/VM V6.4 Achieves Common Criteria Certification

All certification activities for z/VM 6.4 are complete. The certifying body issued its certification on April 23, 2018. z/VM 6.4, with the SSI and RACF Security Server features enabled, has been certified to conform to the Operating System Protection Profile (OSPP) with Virtualization (-VIRT) and Labeled Security (-LS) extensions of the Common Criteria standard for IT security, ISO/IEC 15408, at Evaluation Assurance Level 4 (EAL4+).


03 August 2017 -- Whitepaper on Validating and Repairing RACF Database Integrity

A new TechDoc has been published for the RACF for z/VM Database. It covers how to detect integrity problems with your RACF database, as well as recommended steps one can take for corrective action when problems are reported. RACF database validation is highly recommended before and after applying service to RACF for z/VM, especially if the RACF database template will be upgraded.

Refer to the Security Publications page for a link to this whitepaper.


31 March 2017 -- z/VM 6.4 RACF Enhancements

The RACF Security Server for z/VM 6.4 has received additional enhancements to enable better security policy management. These include:

  • A new user role, Read-Only AUDITOR (ROAUDIT), has been added to RACF for z/VM. This role allows a user to access audit records without granting the authority to write to them.
  • RAC SETEVENT LIST output has been modified to display the current VMXEVENT profile(s) which RACF/VM is using to control and/or audit z/VM security events.
  • The XAUTOLOG..ON operand (Classes A and B) is now disabled automatically when RACF/VM is running. A generic profile can be created in RACF/VM to restore original behavior.

For more information, refer to APAR VM65930.


31 March 2017 -- CRYPTO APVIRT for the TLS/SSL Server

The TLS/SSL Server for z/VM TCP/IP has been enhanced to offload clear-key RSA operations to available z Systems Crypto Express hardware.

  • For usage information, refer to APAR PI72106
  • For performance implications, refer to z/VM Performance: TLS/SSL Server Changes (see bottom of page)


25 October 2016 -- Statements of Direction

See the Release for Announcement for z/VM V6.4 for more information:

  • FIPS Certification of z/VM V6.4

IBM intends to pursue an evaluation of the Federal Information Processing Standard (FIPS) 140-2 using National Institute of Standards and Technology's (NIST) Cryptographic Module Validation Program (CMVP) for the System SSL implementation utilized by z/VM V6.4.

  • Security Evaluation of z/VM V6.4

IBM intends to evaluate z/VM V6.4 with the RACF Security Server feature, including labeled security, for conformance to the Operating System Protection Profile (OSPP) of the Common Criteria standard for IT security, ISO/IEC 15408, at Evaluation Assurance Level 4 (EAL4+).


25 October 2016 -- z/VM V6.4 RACF Enhancements

  • A new option, NoAddCreator, which prevents the userid issuing RDEFINE commands from being automatically added to the access control list of profiles it creates
  • Updates to the DirMaint-RACF Connector exit to allow automatic conversion of the LINK and NICDEF statements to RACF security policy
  • Disabling the default use of the ICHRCX02 exit, in accordance with IBM best practices and recommendations
  • The z/OS 2.2 equivalency of the following updates, first released as APARs of z/VM 6.3:
    • A new password encryption option, KDFAES, which strengthens the RACF database against offline attacks
    • An ALTUSER command function to "clean up" password history after lowering the password history value
    • The ability to expire a userid's password without changing its value
    • Helpdesk support, which allows security administrators to grant non-SPECIAL userids with the capability to reset and manage passwords
    • ALTUSER extensions to support the NOREVOKE and NORESUME keywords
    • Updates to the RACUT200 database management utility to allow it to execute in CST environments
    • A new option, MINCHANGE, which allows minimum password change intervals to be configured
    • A new Diagnose x'A0' subcode which allows for the generation of RACF Passtickets on z/VM
    • Support for 14 additional special characters in passwords

For more details on z/VM V6.4, please visit our z/VM V6.4 Resource page.


14 September 2015 -- z/VM V6.3 Releases Security Enhancement PTFs

IBM z/VM V6.3 has released PTFs which upgrade and enhance the security function within the hypervisor. More information about these updates to the z/VM TLS/SSL Server and RACF for z/VM can be found on the web page for z/VM 6.3 Additional Enhancements or at the APAR/PTF pages:

  • APAR VM65719 - Requires APAR VM65688
  • APAR PI40702

Please consult appropriate manuals and documentation about the use of these features.

Additionally, all z/VM releases under service have been updated to modify which TLS/SSL cipher suites are enabled by default. This change in cipher suite availability has been effected to keep z/VM in line with IBM's policies regarding legacy-mode encryption technologies. Please refer to updates in the z/VM 6.3 TCP/IP Planning and Customization Guide for more information as to which ciphers are now disabled by default, and instructions for enabling them if your installation requires any of them.


30 March 2015 -- z/VM V6.3 Achieves Common Criteria Certification

All certification activities for z/VM 6.3 are complete. The certifying body issued its certification on March 30, 2015. z/VM 6.3, with the SSI and RACF Security Server features enabled, has been certified to conform to the Operating System Protection Profile (OSPP) with Virtualization (-VIRT) and Labeled Security (-LS) extensions of the Common Criteria standard for IT security, ISO/IEC 15408, at Evaluation Assurance Level 4 (EAL4+).


30 April 2014 -- z/VM 6.3 System SSL Cryptographic Module Receives FIPS 140-2 Certification

The z/VM V6.3 System SSL module, with the PTF for APAR PI04999, has been validated as conforming to the Federal Information Processing Standard (FIPS) 140-2. This industry-recognized cryptographic standard mandates modern digital key sizes and integrity checking for SSL and TLS operations. z/VM 6.3 System SSL is used by both the z/VM LDAP Server and z/VM SSL-TLS Server. This satisfied the statement of direction made in the IBM Software Announcement dated July 23, 2013.


23 July 2013 -- Statement of Direction: FIPS Certification of z/VM V6.3

IBM intends to pursue an evaluation of the Federal Information Processing Standard (FIPS) 140-2 using National Institute of Standards and Technology's (NIST) Cryptographic Module Validation Program (CMVP) for the System SSL implementation utilized by z/VM V6.3.


23 July 2013 -- Statement of Direction: Security Evaluation of z/VM V6.3

IBM intends to evaluate z/VM V6.3 with the RACF Security Server feature, including labeled security, for conformance to the Operating System Protection Profile (OSPP) of the Common Criteria standard for IT security, ISO/IEC 15408, at Evaluation Assurance Level 4 (EAL4+).


20 February 2013 -- z/VM V6.1 Achieves Common Criteria Certification

All certification activities for z/VM 6.1 are complete. The certifying body issued its certification on February 20, 2013. z/VM 6.1 with the RACF Security Server optional feature has been certified to conform to the Operating System Protection Profile (OSPP) with Virtualization (-VIRT) and Labeled Security (-LS) extensions of the Common Criteria standard for IT security, ISO/IEC 15408, at Evaluation Assurance Level 4 (EAL4+).


26 June 2012 -- z/VM 6.1 System SSL Cryptographic Module Receives FIPS 140-2 Certification

All FIPS 140-2 certification work is complete. The z/VM V6.1 System SSL module has been validated as conforming to the Federal Information Processing Standard (FIPS) 140-2. This is the first time that z/VM has been certified to this industry-recognized cryptographic standard. z/VM System SSL is used by both the z/VM LDAP Server and z/VM SSL Server.


22 July 2010 -- Statement of Direction: EAL4 Certification for z/VM V6.1

IBM intends to evaluate z/VM V6.1 with the RACF Security Server optional feature, including labeled security, for conformance to the Operating System Protection Profile (OSPP) of the Common Criteria standard for IT security, ISO/IEC 15408, at Evaluation Assurance Level 4 (EAL4+).

Note: This statement of direction was made in a July 22, 2010 IBM announcement for z/VM V6.1. All statements regarding IBM's plans, directions, and intent are subject to change or withdrawal without notice.


06 October 2009 -- Solution Edition for Security Offering -- Securing your z/VM and Linux for System z environment

Consolidation, cost savings, and Green Initiatives are sweeping through all industries at an exponential pace. Securing a virtualized environment is a vital component of the enterprise security strategy. System z risk and security management controls provide differentiated advantage over alternative solutions. IBM's virtualization components have been integrated within hardware and software for over 30 years, and provide a robust set of unparalleled capabilities. Scalability, availability, and reliability controls are built within the infrastructure. Additional business value is included in centralized auditing and reporting functions, centralized security components and centralized infrastructure. The Solution Edition Offering for Security delivers the capabilities required to secure your virtualization environment.


18 September 2008 -- z/VM V5.3 Achieves Common Criteria Certification

All certification activities for z/VM V5.3 are complete. The certifying body issued its certification on July 28, 2008. z/VM V5.3 with the RACF Security Server optional feature has been certified to conform to the Controlled Access Protection Profile (CAPP) and Labeled Security Protection Profile (LSPP) of the Common Criteria standard for IT security, ISO/IEC 15408, at Evaluation Assurance Level 4+ (EAL4+).


For more information on z/VM Security, whether it relates to service, certifications, configuration, best practices, or something else, please consult the links at the top of this page. If you have any questions or suggestions, please reach out to Brian Hugenbruch (z/VM Security Development Champion) at bwhugen@us.ibm.com.