IBM Security Z Security

z/OS V2.4 was announced on July 23, 2019 with a planned availability date of September 30, 2019. Toleration fixes have been made available for zSecure 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, and 2.3.1 in relation to new RACF classes and profile segments. Some of these are for the Identity Token support[1] for Multi-Factor Authentication that has also been made available for z/OS V2.2 and V2.3 through RACF APAR OA55926 and SAF APAR OA55927.

Background

The IBM Security zSecure for z/OS release numbers follow those of z/OS. For complete support of a z/OS release, you generally need the same release of zSecure. zSecure V2.4 was also announced on July 23, 2019 with a planned availability date of September 30, 2019. However, compatibility fixes are sometimes provided for earlier zSecure releases.

The z/OS V2R4 announcement contains the following: "RACF authentication processing is enhanced to support generation and validation of Identity Tokens. The Identity Token contains various claims that contain authentication state information and is in the format of a JSON Web Token (JWT). This Identity Token support allows z/OS applications and RACF to link together multiple authentication API calls and to replay proof of authentication. This capability is exploited by TSO/E to improve the user experience for certain IBM Z Multi-Factor Authentication logon flows." The zSecure V2.4 announcement observes: "Support for IBM WebSphere Application Server enhancements, specifically, protection for new JSON Web Token support." The technote provided with APAR OA55926 notes: "For more information on JSON Web Tokens, refer to [RFC 7519]."

The zSecure V2.4 announcement furthermore points out:

• Support for enhanced security and data protection. These enhancements are designed to improve management of access and privileges in RACF. Clients can extend the RACF schema to store security-relevant information within the RACF database, where existing reporting tools and programming interfaces can be used to manage and retrieve the data.
• Support for new JES2 functions.

This support also adds profile segments to RACF classes that previously did not have them. zSecure releases that do not expect these conditions will respond with messages like when reading an up-level RACF database.

Delivery vehicle

APAR OA57892 against the "zSecure Base" component (FMID HCKRvrm) provides

• PTF UJ00192 for zSecure for z/OS 2.1.0
• PTF UJ00198 for zSecure for z/OS 2.1.1
• PTF UJ00207 for zSecure for z/OS 2.2.0
• PTF UJ00208 for zSecure for z/OS 2.2.1
• PTF UJ00209 for zSecure for z/OS 2.3.0
• PTF UJ00216 for zSecure for z/OS 2.3.1

This component is a part of zSecure Admin, zSecure Audit, zSecure Visual, zSecure Alert, zSecure Adapters for SIEM, and (all) solution packages that encompass those components.

Further consideration

These fixes do not prevent warning messages CKF372I, CKR1400, and CKR1403 (for running on an unsupported operating system) from being issued. You can suppress the messages via the CARLa statement SUPPRESS MSG=(1400,1403) or the CKFCOLL parameter SUPMSG=372 if required. You can also consider using CARLa statement OPTION NOWARNING or CKFCOLL parameter NOWARNINGRC to prevent the program return code for CKRCARLA and CKFCOLL, resp., from returning 4.

These fixes stop CKR1322 from being issued. However, please note that there is no implication that the new segments are fully processed.

Full support for z/OS V2.4 requires zSecure V2.4.

If you have any questions, please post them here or on the zSecure support forum. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.

[1] You can download the Identity Token information from ftp://ftp.software.ibm.com/s390/zos/racf/pdf/oa55926.pdf