IBM Security Z Security

 View Only

IBM Security zSecure 2.3.0

By Jeroen Tiggelman posted Sat August 12, 2017 12:00 AM

IBM Security zSecure suite 2.3.0 was co-announced with IBM Z pervasive encryption capabilities on July 17, 2017 with a planned availability date of August 11, 2017. You can read the US announcement letter here. This release provides currency with z/OS V2R3, CICS V5R4, Db2 12, and DISA-STIG 6.31, adds or extends integration with IBM QRadar SIEM and HPE Security ArcSight, and extends support for Multi-Factor Authentication (MFA).


Mainframes continue to be the home for mission critical information and essential  business production applications in many organizations due to the strong heritage of integrated security support capabilities across hardware, operating system, software and applications. The IBM z14 enables the ultimate data protection of pervasive encryption – while being open and connected in the cloud to speed innovation at lower cost. z/OS V2R3 is designed to provide new policy-based encryption options that take full advantage of the improvements in the z14 platform and can help clients protect their critical business data. The new encryption capabilities and policies apply both to data at rest and to data in flight.

Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting Z. When an access check occurs in a resource manager (i.e., a program that must make an access decision about the use of certain resources) the application programming interface (API) known as the System Authorization Facility (SAF) is called. If the system is protected by RACF, then SAF will forward the question to that External Security Manager (ESM) and return the answer (allowed/protection undefined/denied).

IBM Security zSecure suite builds on the security support in IBM Z, z/OS and Resource Access Control Facility to enhance mainframe security capabilities. It can help you protect your enterprise, detect threats, comply with policy and regulations and reduce costs. Most of the products run on the z/OS operating system. The zSecure for z/OS release numbers follow those of z/OS. For complete support of a z/OS release, you generally need the same release of zSecure. IBM Security zSecure furthermore helps protect various mainframe sub-systems, including Db2, CICS, IMS, and MQ.

IBM QRadar SIEM consolidates log source event data from thousands of devices, endpoints and applications distributed throughout a network. IBM Security zSecure allows sending z/OS, RACF, ACF2, Top Secret, Db2, and CICS events from the System Management Facilities (SMF) log to QRadar SIEM enriched with information from the security database and system snapshot (CKFREEZE) information.

zSecure has a very long track record of integrating with Security Information and Event Management (SIEM) solutions, starting with Consul/Enterprise Audit 2.1 in 1999 (a predecessor of Tivoli Security Information and Event Manager). In 2012 a similar integration was established between zSecure Audit and IBM QRadar SIEM. This integration was enhanced to allow real-time operation in zSecure 2.2.1 (2016). A complementary real-time integration between zSecure Alert and IBM QRadar SIEM had already been available since 2012 as well.

HPE Security ArcSight is a SIEM solution from Hewlett Packard.

IBM Multi-Factor Authentication for z/OS (MFA) helps security administrators enforce a policy that requires authentication with multiple factors during the logon process. It is designed to work with IBM z/OS Security Server RACF to centralize the information of valid factors within RACF to help clients accelerate deployment, simplify management with existing infrastructure, and be able to more simply achieve regulatory compliance and reduce risk to critical applications and data.

zSecure provided initial support for IBM MFA in a service stream enhancement  in May 2016 and several enhancements in zSecure 2.2.1 (December).

IBM Operations Analytics for z Systems enables users to search, visualize and analyze the vast amounts of structured and unstructured operational data across IBM z Systems operating environments, including log, event and service request data, as well as performance metrics.

The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, and zSecure Adapters for SIEM is called the CARLa Auditing and Reporting Language (CARLa).

The Security Technical Implementation Guide (STIG) from the United States Defense Information Systems Agency (DISA) provides a framework for ensuring that security is set up properly. IBM Security zSecure Audit helps automate compliance control points belonging to this standard as well as for the  Payment Card Industry Data Security Standard (PCI-DSS) from the Payment Card Industry Security Standards Council and GSD331/ISeC (a global services document with information security controls documentation) from IBM.




IBM Security zSecure 2.3.0 provides currency with:

  • z/OS V2R3, also co-announced with the new IBM Z pervasive encryption support on July 17, 2017, and planned to be available on September 29, 2017
  • CICS Transaction Server V5R4, announced on May 16, 2017 and available since June 16, 2017
  • Db2 12, announced on October 4, 2016 and available since October 21, 2016

Note that service stream enhancements in support of CICS V5R4 and Db2 12 have been available for prior zSecure releases for some time.

Notable features include:

  • Support for various z/OS V2R3 and RACF features for pervasive encryption, such as auditing data set encryption both statically and through SMF (including z Encryption Readiness Technology; zERT) and support for key labels
  • Support for other new z/OS V2R3 and RACF features, such as eight-character TSO user IDs, SMF record types above 255, SETROPTS ENHANCEDGENERICOWNER, the MFPOLICY segment in RACF, and the WAEMAIL field in the WORKATTR segment in RACF
  • Support for sending alerts from zSecure Alert to HPE Security ArcSight in Common Event Format (CEF) out of the box
  • Integration between zSecure Admin Access Monitor and IBM Operation Analytics for z Systems: zSecure Admin Access Monitor can now write pre-processed access records  for use in an analytics product. These are provided in CSV format in a z/OS UNIX file. Details can be found in this technote.
  • Support for MFA in zSecure Visual
  • New CARLa report types NJE_NODE, SYSTEM_VARIABLE (system symbols), ICSF_SYMKEY, ICSF_PUBKEY, RUN (current environment), and RUN_DD (allocated files)
  • Many new RE and IN menu suboptions
  • * Many new options for the HEADER keyword on NEWLIST and various related parameters to make it easier to generate output in a certain format, including HEADER=LEEF and HEADER=CEF
  • Many new CARLa fields in the SYSTEM report type for ICSF settings
  • Various productivity enhancements
  • New and updated compliance checks, including ACF2 data set related ACP compliance controls
  • New alerts

The STIG standard version level has been upgraded to 6.31.

Information from newly supported SMF record types is passed towards IBM QRadar SIEM.

The product that provides a subset of zSecure Audit functionality for integration with SIEM solutions has been renamed to IBM Security zSecure Adapters for SIEM.


If you maintain zSecure Alert configurations from zSecure 2.3, tables will be migrated to a new format that cannot be used with lower releases.

zSecure 2.3 ships with new menu options. If you use option SE.D.N to customize menus or options for your installation, then you must run SE.D.N again with a sufficiently authorized user ID.

Alert skeletons have been reorganized. If you have site specific alerts that imbed skeletons shipped with the product, verify that there is no impact.

The CARLa members implementing the RECREATE function have been reorganized. If you imbed them in your own CARLa, verify that there is no impact.

AU.R subsets are migrated to a new format. If you want to work with them in zSecure 2.2.0 or 2.2.1 afterwards, you need the PTFs for APAR OA53309.

If you are migrating from a release that did not have 64-bit addressing enabled and default, also check the migration instructions for zSecure 2.2.1.


Further reading

If you have any questions, please ask them here or on the zSecure support forum. The current zSecure for z/VM release is 1.11.2. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.


Edits: Modernized links