IBM Security zSecure, Version 2.3.1

Release notes for V2.3.1

IBM® Security zSecure™ V2.3.1 is available. Read this document to find important installation information. You can also learn about compatibility issues, limitations, and known problems.

For information about the new features for zSecure V2.3.1, see What's new for zSecure V2.3.1.

For information about the zSecure documentation and steps to obtain the licensed publications, see zSecure documentation.

If you are upgrading from a version of IBM Security zSecure that is older than V2.3.0, also see the Release Information for the versions that you skipped. You can find the documentation for all versions in the IBM Knowledge Center for IBM Security zSecure Suite.

Announcement

The zSecure V2.3.1 announcement (ENUS218-349) includes information about the following topics:
  • Prerequisites
  • Technical information
  • Ordering information
  • Terms and conditions

System requirements

This section lists the minimum and advised processor, disk space, and memory requirements for the zSecure V2.3.1 products and solutions:
Processor: A supported IBM z Systems server that is capable of supporting z/OS V2.2 or later. The CKR8Z196 program requires z196 or newer hardware.

| Requirement | Minimum | Advised |
|---|---|---|
| Disk space | 300 MB | 450 MB |
| Memory | 1 GB | 2 GB |

For programming and space requirements for CICS Toolkit, Command Verifier, and RACF-Offline, see the following Program Directories: All other CARLa-driven components of zSecure have a common Program Directory: Program Directory for IBM Security zSecure Suite: CARLa-driven components.

Supported platforms and applications

IBM Security zSecure products are supported on the following platforms and applications:
  • IBM z/OS version 2 release 2 (V2R2) through z/OS version 2 release 3 (V2R3)
  • CICS Transaction Server version 4 release 1 (V4R1) through version 5 release 4 (V5R4)
  • DB2 version 11 release 1 (V11R1) through DB2 version 12 release 1 (V12R1)
  • IMS version 13 (V13) through version 15 (V15)
  • IBM MQ version 8 (V8) through IBM MQ version 9 (V9)
  • CA ACF2 release 16
  • CA Top Secret release 16
  • Microsoft Windows Server 2008, 2012, and 2016
  • zSecure Visual Client requires Microsoft Windows 7, 8, or 10
  • All currently supported versions of WebSphere HTTP server
  • Integrated Cryptographic Services Facility (ICSF) is supported up to HCR77C1
zSecure no longer supports the following platforms and applications:
  • z/OS V2R1
  • DB2 version 10 release 1 (V10R1)
  • CA ACF2 release 15
  • CA Top Secret release 15

Installing IBM Security zSecure

For a complete installation roadmap on all steps to install, configure, and deploy a new installation of zSecure or an upgrade to zSecure V2.3.1, see the IBM Security zSecure CARLa-Driven Components Installation and Deployment Guide.

This documentation is available with the product at the IBM Knowledge Center for IBM Security zSecure Suite V2.3.1.

Incompatibility warnings

Top level compliance rules renamed
The top level compliance rule members and their primary site customization members have been renamed:

| Standard | Top level member in SCKRCARL: former member name | Top level member in SCKRCARL: new member name | Site customization DEFTYPEs etc. in CKACUST: former member name | Site customization DEFTYPEs etc. in CKACUST: new member name |
|---|---|---|---|---|
| DISA STIG | CKAG@ | C2RG@ | CKAG@IDF | C2RG@IDF |
| PCI-DSS | CKAPC@ | C2RP@ | CKAP@IDF | C2RP@IDF |
| ISeC / GSD331 | CKAO@ | C2RO@ | CKAO@IDF | C2RO@IDF |
| zSecure Extra (former STIG Plus) | CKAG@PLS | C2RZ@ | CKAG@IDF | C2RG@IDF |

If you have customized one of the CKA%@IDF CKACUST members, all customization must be forwarded to the new C2R%@IDF member. The CKAZCUST job copies the CKA%@IDF members to their new names and adds skeletons for all new CKACUST members.
STIG members renamed
For zSecure Audit V2.3.1, members were renamed. Some CKAG* and C2AG* members were renamed to C2RG* because they contain common specifications for the RACF, ACF2, and Top Secret standards. Others were renamed to CKAZ*, CKTZ*, C2AZ*, or C2RZ* with the rename of the STIGPlus standard to zSecure Extra.

| Former member name | New member name | Former member name | New member name |
|---|---|---|---|
| CKAGC340 | C2RGC340 | CKAGPL01 | CKAZTM03 |
| CKAGCI30 | C2RGCI30 | CKAGSD10 | C2RGSD10 |
| CKAGCR21 | CKAGCI21 | CKAGSM22 | C2RGSM22 |
| CKAGCR41 | CKAGCI41 | CKAGSM32 | C2RGSM32 |
| CKAGF020 | C2RGF020 | CKAGTC20 | C2RGTC20 |
| CKAGF030 | C2RGF030 | CKAGTC30 | C2RGTC30 |
| CKAGF040 | C2RGF040 | CKAGTN10 | C2RGTN10 |
| CKAGF050 | C2RGF050 | CKAGTN50 | C2RGTN50 |
| CKAGF060 | C2RGF060 | CKAGTN60 | C2RGTN60 |
| CKAGF070 | C2RGF070 | CKAGTS20 | C2RGTS20 |
| CKAGF100 | C2RGF100 | CKAGWM20 | C2RGWM20 |
| CKAGF110 | C2RGF110 | CKAGWM51 | C2RGWM51 |
| CKAGFE11 | C2RGFE11 | CKAGZU11 | C2RGZU11 |
| CKAGFE12 | C2RGFE12 | CKAGZU13 | C2RGZU13 |
| CKAGFE13 | C2RGFE13 | CKAG@ | C2RG@ |
| CKAGIU20 | C2RGIU20 | CKAG@DEF | C2RG@DEF |
| CKAGM010 | C2RGM010 | CKAG@PLS | C2RZ@ |
| CKAGM014 | C2RGM014 | CKAG@6PL | CKAZ@1 |
| CKAGM018 | C2RGM018 | CKAO@ | C2RG@ |
| CKAGM030 | C2RGM030 | CKAP@DEF | C2RP@DEF |
| CKAGM040 | C2RGM040 | CKAPC@ | C2RP@ |
| CKAGM050 | C2RGM050 | CKTG@6PL | CKTZ@1 |
| CKAGM160 | C2RGM160 | C2AGF020 | C2RGF020 |
| CKAGM380 | C2RGM380 | C2AGF030 | C2RGF030 |
| CKAGM400 | C2RGM400 | C2AGSM32 | C2RGSM32 |
| CKAGM420 | C2RGM420 | C2AGTC20 | C2RGTC20 |
| CKAGM430 | C2RGM430 | C2AG@6PL | C2AZ@1 |
| CKAGM440 | C2RGM440 | | |
| CKAGM450 | C2RGM450 | | |

PCI-DSS and GSD331 standards renamed
The following standards have been renamed:

| Former name | New name |
|---|---|
| ACF2-PCI-DSS | ACF2_PCI-DSS |
| RACF-PCI-DSS | RACF_PCI-DSS |
| GSD331 | RACF_GSD331 |

Preparing for rule-based compliance evaluation
To define variables for rule-based compliance evaluation (AU.R), the DEFINE statements are now required to be included in the C2RG@IDF customization member (instead of ACPCNFG). For more information, see section Definitions of variables in the C2RG@IDF customization member in the zSecure (Admin and) Audit User Reference Manual for your product.
CKQRADAR, C2POLICE JCL
The following updates were made for CKQRADAR and C2POLICE JCL:
  • The LRECL of a few files in C2POLICE was increased to reduce the chance of truncation.
  • The C2RSYSLG file in C2POLICE now receives syslog alerts that could not be delivered to any UDP or TCP destination (in UTF8).
  • The C2RSYSLG file in CKQRADAR is now commented out and writing to it is suppressed by default. If writing to it is accidentally not suppressed, syslog messages that could not be delivered to any destination are redirected to C2RSYSLG.
BUFLOCK
A new debug option, BUFLOCK, has been added to C2POLICE, C2PACMON, and CKQEXSMF. BUFLOCK creates a system dump for the current task at the moment that the task cannot write the event record.
ALLOCATE command
The CDP option for the ALLOCATE command and the FMID that is associated with the CDP component have been removed.
COMPLEX
The default complex for allocations that use ZSECNODE or ZSECSYS to obtain data from the zSecure server has changed. Instead of using the RRSF node name (for RACF systems) or the SYSPLEX or SYSNAME value, it now uses the ZSECNODE name as default complex. For more details, see the descriptions of the COMPLEX fields in zSecure CARLa Command Reference.
TYPE=DSN SENSTYPE/SENSITIVITY
In the DSN newlist, the SENSTYPE/SENSITIVITY field is now a repeating field. Therefore, it is necessary to add a FIRSTONLY modifier to be able to combine it in a summary key with another field, or to add a summary level.
TYPE=RESOURCE PRIV_SENSTYPE
The PRIV_SENSTYPE field in the RESOURCE newlist no longer returns sensitivity types exceeding the documented maximum length of 11 characters. If you have explicit SELECT statements to test for these sensitivity types, they must be adjusted to use the new, shorter name. The following sensitivity types have been replaced:

| Former sensitivity type | New sensitivity type |
|---|---|
| SetAutoReply | SetAutoRepl |
| SetConDelete | SetConDel |
| UNIXdebugAPF | UNIXdbgAPF |

NEWLIST TYPE=SMF field USAGE_COUNT
USAGE_COUNT has become a repeating field.
TYPE=TRUSTED USERID_PRIVILEGE
For the USERID_PRIVILEGE field in the TRUSTED newlist, the value Operation has changed to Operations. If you have written your own TRUSTED queries, you might need to adjust the SELECTion.
OA54485: Using SUMMARY CARLa function, fixed values are repeated for each level of output
As a result of this code change, literal values are no longer repeated on each summary level, but are only included on the level where they are used in the code.
Consistent casing of "ACF2 BLPpgm" and "ACF2 maint"
Inconsistent use of all-uppercase and mixed-case sensitivities for ACF2 BLPpgm and ACF2 maint has been corrected. Only the mixed-case values are now used in the program.
CDP support removed
zSecure V2.3.1 no longer supports Common Data Provider (CDP). If you use the SMF Exit Collection method for near real-time QRadar support, see the CARLa-Driven Components Installation and Deployment Guide to set up the CKQEXSMF started task.
One UNLOAD allocation allowed per complex-version combination
zSecure V2.3.1 supports only one security database source per complex name. Use different complex names for different security databases or single UNLOAD statements.
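
A pre-upgrade check for the PRIV_SENSTYPE and USERID_PRIVILEGE changes above, as an added example that is not part of the IBM documentation or product: it scans site-written CARLa text for lines that still test a former value, which the notes say must be adjusted. The CARLa sample is constructed, and the line-by-line matching and single-line `/* */` comment stripping are simplifying assumptions.

```python
import re

# Renames taken from the release notes: field -> {former value: new value}.
RENAMED_VALUES = {
    "PRIV_SENSTYPE": {
        "SetAutoReply": "SetAutoRepl",
        "SetConDelete": "SetConDel",
        "UNIXdebugAPF": "UNIXdbgAPF",
    },
    "USERID_PRIVILEGE": {"Operation": "Operations"},
}

# Assumption: comments are /* ... */ and do not span lines.
COMMENT = re.compile(r"/\*.*?\*/")
TOKEN_CHARS = r"A-Za-z0-9_@#$"

def token_re(word):
    """Match `word` only as a whole token, ignoring case."""
    return re.compile(
        rf"(?<![{TOKEN_CHARS}]){re.escape(word)}(?![{TOKEN_CHARS}])", re.I)

def find_stale_values(carla_source):
    """Return (line_no, field, former, new) for each former value still tested."""
    findings = []
    for line_no, raw in enumerate(carla_source.splitlines(), start=1):
        line = COMMENT.sub(" ", raw)
        for field, renames in RENAMED_VALUES.items():
            if not token_re(field).search(line):
                continue
            for former, new in renames.items():
                # Whole-token match: "Operations" is not reported as "Operation".
                if token_re(former).search(line):
                    findings.append((line_no, field, former, new))
    return findings

# Constructed sample of site CARLa (illustrative, not taken from the product).
SAMPLE = """\
newlist type=resource
  select priv_senstype=(SetAutoReply,UNIXdbgAPF)
newlist type=trusted
  select userid_privilege=Operation   /* value before V2.3.1 */
  select userid_privilege=Operations
/* select priv_senstype=SetConDelete */
"""

if __name__ == "__main__":
    for line_no, field, former, new in find_stale_values(SAMPLE):
        print(f"line {line_no}: {field} still tests '{former}', now '{new}'")
```
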

Migration considerations

zSecure Access Monitor, zSecure Alert, and SMF Collector
IPL between release changes, or shut down using F product,SIPL, where product is C2PACMON (for Access Monitor), C2POLICE (for Alert), or CKQEXSMF (for SMF Collector). C2POLICE and CKQEXSMF share the same exit routines; when upgrading, both must be shut down. Ensure that the latest RACF exits are used. You might need to run the C2XACTV job as documented in the zSecure CARLa-Driven Components Installation and Deployment Guide. Also make sure that no previous versions of the zSecure RACF/SMF exits are present in active linklist or lpalist data sets.
New level of NLS table
If you customized the options or menus using SE.D.N in your previous version, use option SE.D.N to trigger migration of your customization to the new NLS table.
Compliance framework
Rerun CKAZCUST to add new configuration members. Some existing configuration members are copied or renamed to follow the new naming convention. Perform a manual update or cleanup of FTPCNFG to use only the file names as they are now determined by CKFCOLL.
IFAPRDxx
An entry in IFAPRDxx is not needed to enable zSecure products. If you use IFAPRDxx to disable installed zSecure products and you use specific numbers in IFAPRDxx, be aware that the version, release, and modification numbers have changed as follows: VERSION(2) RELEASE(3) MOD(1)

Limitations and known problems

At the time of publication of this Release Notes document, the following problems exist:
  • Using the default MEMSIZE=8G for the CKQRADAR STC, after running some 62.5 million jobs, causes message CKR0438 16 SMF input terminated: out of memory.
  • Events sent near real-time using TCP/IP over a low bandwidth connection can be silently delayed.
  • Selection on Assertions due in nn days in Compliance Evaluation is incorrect.

Limitations and problems that arise after publication are documented in technotes. Therefore, regularly scan for updates on IBM Security zSecure at www.ibm.com/mysupport. A general documentation technote lists all significant updates to the documentation of 2.3.1 since availability.

You might also want to scan the following recommended fixes. Some of these fixes introduce new functions and features.


