Release notes
IBM® Security zSecure™ V2.2.1 is available. Read this document to find important installation information. You can also learn about compatibility issues, limitations, and known problems.
For information about the new features for zSecure V2.2.1, see What's new for zSecure V2.2.1.
For information about the zSecure documentation and steps to obtain the licensed publications, see zSecure documentation.
If you are upgrading from a version of IBM Security zSecure that is older than V2.2.0, also see the Release Information for the versions that you skipped. You can find the documentation for all versions in the IBM Knowledge Center for IBM Security zSecure Suite.
Contents
Announcement
- Prerequisites
- Technical information
- Terms and conditions
- Ordering details
System requirements
Minimum | Advised | |
---|---|---|
Processor | CKR4Z: z800 or higher | IBM System z9® or z10TM Enterprise Class (EC) or z9® or z10™ Business Class (BC) |
CKR8Z196: z196 or higher | ||
Disk space | 300 MB | 450 MB |
Memory | 1 GB | 2 GB |
- Program Directory for IBM Security zSecure CICS Toolkit
- Program Directory for IBM Security zSecure Command Verifier
- Program Directory for IBM Security zSecure Admin RACF-Offline
Supported platforms and applications
- IBM z/OS version 1 release 13 (V1R13) through z/OS version 2 release 2 (V2R2)
- CICS Transaction Server version 3 release 1 (V3R1) through version 5 release 3 (V5R3)
- DB2 version 10 release 1 (V10R1) through DB2 version 11 release 1 (V11R1)
- IMS version 12 (V12) through version 14 (V14)
- WebSphere MQ version 7 release 1 (V7.1) through IBM MQ for z/OS version 9 (V9)
- CA ACF2 release 14 through 16
- CA Top Secret release 14 through 16
- Microsoft Windows Server 2008, 2012, and 2016
- zSecure Visual Client requires Microsoft Windows 7, 8, or 10
- All currently supported versions of WebSphere HTTP server
- Integrated Cryptographic Services Facility (ICSF) is supported up to HCR77B1
- DB2 version 9 release 1 (V9R1)
- IMS V11
Installing IBM Security zSecure
- Program Directory for IBM Security zSecure Suite: CARLa-driven components
- Program Directory for IBM Security zSecure CICS Toolkit
- Program Directory for IBM Security zSecure Command Verifier
- Program Directory for IBM Security zSecure Admin RACF-Offline
- Program Directory for IBM Security zSecure Administration
- Program Directory for IBM Security zSecure Compliance and Administration
- Program Directory for IBM Security zSecure Compliance and Auditing
For a complete installation roadmap on all steps to install, configure, and deploy a new installation of zSecure or an upgrade to zSecure V2.2.1, see the IBM Security zSecure CARLa-Driven ComponentsInstallation and Deployment Guide.
This documentation is available with the product at the IBM Knowledge Center for IBM Security zSecure Suite V2.2.1.
Incompatibility warnings
- Administration and operation
- For IPv4 FTP client (118-3) SMF records, the following fields for NEWLIST
TYPE=SMF are changed:
- DSTIP
- Now shows the local IP address instead of the remote IP address. So DSTIP is now an address of the local z/OS system writing the record, as it is with other FTP server and client SMF records.
- SRCIP
- Now shows the remote IP address instead of the local IP address. So SRCIP is now an address of the (remote) communication partner of the local z/OS system that is writing the record, as it is with other FTP server and client SMF records.
- USER
- Now shows the local user ID instead of the remote user ID, as it does for other FTP server and client SMF records.
- R_USER
- Now shows the remote user ID of 118-3 records.
- Recreate user
As a result of updates in the user scripts CKRXRUS and CKGXRUS (for APAR OA50610), recreate user scripts CKRXRUS and CKGXRUS have been updated.
- If RA.4.6 Recreate user option Use CKGRACF to update the user profile is
not selected:
- The recreated user IDs are always protected.
- The password interval settings of user IDs are not recreated.
- If RA.4.6 Recreate user option Use CKGRACF to update the user profile is selected, commands are generated to accurately recreate PROTECTED attributes and password interval settings.
- If RA.4.6 Recreate user option Use CKGRACF to update the user profile is
not selected:
- Calling CKR4Z directly
- If you disable 64-bit mode explicitly in zSecure 2.2.1 by calling CKR4Z directly, it might be necessary to set up Program Access to Data Sets (PADS) access for CKR4Z.
- z/OS APAR OA50672
For the 64-bit engine, be aware of z/OS APAR OA50672 against HFS 64-bit support. Without the fix, you might experience CKR0915 messages when writing to a UNIX file within an HFS with RC 157 (MVS environment error) or incorrect RC values. If this happens, switch to the 31-bit engine, apply the fix for APAR OA50672 if available, or allocate a zFS, instead of an HFS, for your UNIX output. Note that the LEEF integrations with IBM QRadar SIEM use UNIX files.
Migration issues
- Migrating QRadar SIEM feed from deprecated C2EQ* customization members to CKQ* customization members
- When converting from C2E to CKQ members, you must customize the SIMULATE USER_PRIV_GROUP command with the groups that were previously coded in C2EQRENV (by default that was SYS1 and OMVS*). As USER_PRIV_GROUPS does not support a generic specification, you must add groups other than SYS1 and OMVS explicitly in CKQRENV.
Limitations and known problems
- When installing RACF-Offline over 2.1.1 or an earlier release, you must run UCLIN as documented in the tech-support flash Link edit errors for LMODs B8RMNGR and B8RENVXX when applying UA90988 or UA90989.
Limitations and problems that arise after publication are documented in technotes. Therefore, regularly scan for updates on IBM Security zSecure at IBM's Search support and downloads site. A general documentation technote lists all updates to the documentation of 2.2.1 since availability.
You might also want to scan the following recommended fixes. Some of these fixes introduce new functions and features.