IBM zCX with Red Hat OpenShift AI and z/OS 3.2 4Q 2025 Enhancements — Building AI Where Mission-Critical Workloads Reside
Enterprises are accelerating AI adoption to drive automation, predictive analytics, and real-time decision-making. For organizations running core workloads on IBM Z, the challenge is integrating AI without introducing latency, security risks, or operational complexity. IBM addresses this with two key innovations:
- IBM zCX with Red Hat OpenShift AI—a containerized platform for AI/ML workloads on z/OS.
- z/OS 3.2 enhancements—security, performance, and developer tooling improvements that enable AI at scale.
Architecture Overview
zCX Foundation for Red Hat OpenShift provides an Enterprise ready Kubernetes-based environment on IBM Z, enabling Red Hat OpenShift AI services to run on z/OS. This architecture allows:
- AI inferencing co-located with transactional data reducing data movement and latency.
- Driving innovation by deploying LLMs on-premises for intelligent applications close to your data
- Secure container orchestration leveraging IBM Z’s isolation and encryption capabilities.
- Integration with z/OS subsystems (CICS, IMS, Db2) for real-time analytics.
Key Enhancements in z/OS 3.2
IBM z/OS 3.2 was announced on July 22nd, 2025 and made generally available September 30th, 2025. By following the traditional z/OS continuous delivery (CD) model, z/OS 3.2 delivers new features and enhanced capabilities quarterly, allowing organizations to embrace new technologies quickly and drive greater business value. The following enhancements have been delivered for z/OS 3.2 in 4Q 2025.
Please note: These z/OS announcements will now be published on this z/OS Community page. To stay up to date, please ‘Join Community’ to ensure you don’t miss an announcement!
Overview
Enhancing the resilience and availability of zCX workloads helps organizations ensure continuous operation and reducing the risk of downtime. zCX with Red Hat OpenShift AI (basic support) Enables an AI platform on z/OS for containerized AI/ML workload deployments on z/OS using zCX Foundation for Red Hat OpenShift.
Strengthening the security posture of z/OS environments helps protect sensitive data, reduce the risk of security breaches, and ensure compliance with regulatory requirements, ultimately safeguarding an organization’s reputation and assets. The z/OS 3.2 release includes several significant security enhancements that directly support this goal, including improvements to password management, security checking, and cryptography, as outlined below:
- RACF Password Phrase Self-Service simplifies the transition to password phrases for end-users.
- RACF optional phrase syntax rules enable consistent password quality rules across the enterprise.
- Security checking for VSAM data sets enforces System Authorization Facility (SAF) checking during supervisor state or protection key 0.
- Advancing Quantum-safe and trusted security enables clients to utilize post-quantum cryptography.
With data immutability and versioning, organizations can now confidently meet regulatory requirements, protect against data loss or corruption, and ensure business continuity, thereby reducing the risk of non-compliance and associated costs. DFSMSdss (DSS) Direct to Cloud enhancements provide data immutability and versioning for backups in the cloud.
Streamlining the development and debugging process empowers developers to deliver high-quality application data more efficiently, reducing the time and effort required to resolve issues. EzNoSQL Enhanced ResultSet Java APIs provides improved usability and serviceability with more precise diagnostic information.
Leveraging AI to unlock new levels of transaction processing capacity, responsiveness, and cost savings helps organizations drive business growth and innovation. AI-powered network outbound packet batching optimizes the communications between the TCP/IP stack and the OSA network interface, helping to reduce network CPU overhead with minimal impact to transaction latency.
Automating routine tasks and providing modern, intuitive interfaces can enable more efficient work, reduce the risk of human error, and allow for greater focus on optimizing system performance and delivering strategic value. Automated access to IBM Z Security Portal HOLDDATA allows permitted users to automatically retrieve SMP/E information when acquiring service.
By combining the benefits of LLVM community innovations with IBM XL C/C++ compiler technology, this release enables organizations to unlock the full potential of their z17 architecture, improve application performance, and simplify the development process, ultimately driving greater efficiency and competitiveness in their z/OS environments. Open XL C/C++ has been enhanced with added support for the latest z17 architecture, z/OS subsystems (CICS, IMS), C++20 language standard, and debugging improvements.
Description
zCX with Red Hat OpenShift AI (basic support)
zCX for OpenShift will now allow Red Hat OpenShift AI offering to be used in zCX hosted Red Hat OpenShift clusters. This ability will allow AI applications running in containers in OpenShift to have access to the underlying AI accelerators. The AI accelerators that will be opened up will be CPU, Telum I, and Telum II workloads. This product is licensed and can be purchased through Shopz.
RACF Password Phrase Self-Service
RACF allows end-users to assign themselves their initial password phrase while authenticating to a z/OS application with their password. This greatly simplifies the transition to password phrases by eliminating the need for a security administrator to assign an initial secure phrase and securely communicate this to their end users, who may number in the hundreds of thousands. With the PTF for APAR OA68301, this support will be available on z/OS 3.1 and 3.2.
RACF optional phrase syntax rules
RACF allows the built-in password phrase syntax rules to be selectively bypassed, allowing you to enforce a consistent set of password quality rules across the entire enterprise. With the PTFs for APARs OA67750 and OA67751, this support will be available on z/OS 3.1 and 3.2.
Security checking for VSAM data sets
VSAM OPEN routines bypass security checking if the program issuing OPEN is in supervisor state or protection key 0. Previous enhancements with APARs OA67032 and OA66738 provided the capability to log jobs, via SMF type 80 records, that were bypassing System Authorization Facility (SAF) checking for VSAM data sets while running in supervisor state or protection key 0. With z/OS 3.2, a behavior change will enforce SAF checking, unless ACBBYPSS or other bypass mechanism is specified, or if a new FACILITY class profile, STGADMIN.IGG.AUTO.BYPASS.ALLOW, has been specified to allow the previous behavior of bypassing SAF checking to continue for users with READ authority to the new class profile. If the new SAF check returns a failing return code, the OPEN will now fail. This change will provide improved security for clients who run applications in supervisor state or key 0 and wish to enforce authorization checking for VSAM data sets being opened.
Advancing Quantum-safe and trusted security
IBM continues its commitment to advance IBM Z and IBM® LinuxONE security. z17 and IBM® LinuxONE 5 deliver quantum-safe cryptography and AI-powered security and compliance tools. These enhancements enable clients to utilize National Institute of Standards and Technology (NIST) standardized post-quantum cryptography (PQC) for EP11 mode of the Crypto Express8S hardware security module (HSM). These capabilities reinforce IBM Z and IBM® LinuxONE’s leadership in secure, purpose-built computing.
Find out more about IBM Spyre Accelerator and 4Q 2025 Enhancements for IBM Z® and IBM® LinuxONE in the hardware announcement made 7 October 2025.
DFSMSdss (DSS) Direct to Cloud enhancements
More than ever, IBM z/OS clients are integrating cloud object storage into their classic disk and tape environments to create a hybrid storage architecture. Many clients want to leverage native cloud object storage features like object lock and versioning to help meet regulatory or compliance requirements that require WORM storage or to add another layer of protection against object changes or deletion. Immutable storage can protect data against threats like ransomware, accidental deletion, or internal threats and is indispensable for secure backups, regulatory compliance, and building true cyber resilience. Enhancements to DSS and DFSMSdfp Cloud Data Access (CDA) provide a measure of data immutability with the ability to store a recurring backup in the cloud, creating a separate version with each new backup, that cannot be overwritten and to restore the current version or any specified previous version. For those clients needing additional immutability for regulatory or compliance requirements, S3 object lock can be leveraged with CDA. With DSS APAR OA67510 and CDA APAR OA67781, this support will be available on z/OS V3.1 and above. See the "Game Changing" blog series for more information on Cloud Data Access and Object Immutability.
EzNoSQL Enhanced ResultSet Java APIs
The initial Java API design provided a careful balance between performance and usability based on Java conventions. However, there are scenarios in which users may benefit from having diagnostic return statements similar to what is provided with the EzNoSQL C APIs. New ResultSet APIs offer a custom return object with additional return information. Users will be able to retrieve C-style return codes and diagnostic messages from NextResult, ReplaceResult, and DeleteResult return objects improving usability and serviceability. This enhancement is available on z/OS 3.1 and above with APAR OA67886.
AI-Powered Network Outbound Packet Batching
AI-powered network outbound packet batching optimizes the communications between the TCP/IP stack and the OSA network interface, helping to reduce network CPU overhead with minimal impact to transaction latency. As announced in the z/OS 3.2 announcement, AI-powered network outbound packet batching function will be available by end of year with APARs OA67784, PH66976, PH67238, and PH67239.
Automated access to IBM Z Security Portal HOLDDATA
Addressing a longstanding customer requirement, as of October 16th, 2025 when an SMP/E RECEIVE ORDER request is sent to the IBM server for a user that is permitted to the IBM Z and LinuxONE Security Portal, the order content will automatically include the IBM Confidential SECINT HOLDDATA and ASSIGN statements. See https://www.ibm.com/support/pages/node/7248201 for more information.
IBM Open XL C/C++ 2.2 for z/OS
IBM Open XL C/C++ 2.2 for z/OS became available on 31 October 2025. It combines the benefits and innovations from the LLVM community with IBM XL C/C++ compiler technology to deliver leading-edge application performance for the latest z17 architecture. Open XL C/C++ 2.2 for z/OS introduces support for integrated CICS translator and IMS subsystems for clients to protect and leverage investments on IBM Z and reduce business and IT risks. Open XL C/C++ 2.2 also adds support for the C++20 language standard to improve compatibility of C++ applications across platforms, and is designed for easy migration of C and C++ applications from distributed platforms to z/OS. Usability has been enhanced with the addition of debug information storing in side-files as well as the initial rollout of listing file support in Open XL C/C++. Open XL C/C++ 2.2 is available at no additional charge for clients that have enabled the optionally priced XL C/C++ compiler on z/OS 3.2. It is available as a web deliverable from the IBM C/C++ for z/OS website.
AI Integration Workflow
- Model Development: Data scientists use open-source AI tools (Jupyter, TensorFlow, PyTorch) within zCX containers.
- Model Deployment: Models are served via OpenShift AI inference endpoints, integrated with z/OS applications through REST APIs or MQ.
- Monitoring & Governance: Leverage z/OS security controls and Red Hat OpenShift observability for compliance and performance tracking.
Use Case Examples
- Financial Services: Real-time fraud detection using AI models deployed on zCX, analyzing transactions without external data movement.
- Healthcare: Predictive analytics for patient outcomes, leveraging secure co-location with EHR data.
- Retail: Dynamic pricing algorithms integrated with ERP systems on IBM Z for real-time inventory optimization.
Why This Matters for Enterprise Leaders
This integration delivers:
- Low-latency AI inferencing by eliminating cross-platform data transfers.
- Enterprise-grade security with RACF, PQC, and immutable backups.
- Optimized performance for AI workloads through network and compiler enhancements as well as future access to the underlying AI on chip accelerators.
- Developer agility with modern APIs and automated maintenance.
Next Steps
🔗 IBM zCX with Red Hat OpenShift AI Announcement
📺 Watch the architecture deep-dive webinar
📄 Explore z/OS