IBM Security zSecure 2.5

By Jeroen Tiggelman posted Tue October 26, 2021 01:23 PM


IBM Security zSecure Suite 2.5 was announced on July 27, 2021 with a planned availability date of September 30, 2021. You can read the US announcement letter here. This release provides enhanced access monitoring capabilities, end-to-end event correlation for z/OS Connect, CICS, and Db2 events, extended STIG coverage, enhanced support for custom data fields and digital certificates, currency for z/OS 2.5, ICSF HCR77D2, and DISA-STIG 6.50, and more.


IBM Z hosts mission-critical information and essential business production applications in many organizations due to the strong heritage of integrated security support capabilities and application-level resiliency. z/OS V2.5 continues to strengthen the security, integrity, and privacy of data, while enabling innovative development to support hybrid cloud and AI. Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting Z. CA ACF2 and CA Top Secret are alternative external security managers. IBM Security zSecure suite builds on the security support in IBM Z, z/OS and RACF to enhance mainframe security capabilities. It can help you protect your enterprise, detect threats, comply with policy and regulations, and reduce costs. IBM Security zSecure furthermore helps protect various mainframe subsystems, including Db2, CICS, IMS, MQ, and z/OS UNIX.

IBM Security zSecure Admin boosts productivity for RACF administrators and provides further security capabilities on top of RACF. IBM Security zSecure Audit helps review the security of the system in various ways, e.g. by formatting event log records from the System Management Facilities (SMF) and by displaying global RACF security settings (SETROPTS configurations). IBM Security zSecure Command Verifier allows you to define granular policies as to which users can make certain changes through RACF commands. IBM Security zSecure CICS Toolkit helps with RACF administration from a Customer Information Control System (CICS) environment. IBM Security zSecure Visual provides a user interface for RACF administration from Windows. IBM Security zSecure Alert is a real-time monitor for security events. The IBM Security zSecure Adapters for SIEM send enriched SMF information to security information and event management (SIEM) solutions such as IBM QRadar SIEM. IBM Z Multi-Factor Authentication (IBM Z MFA) helps security administrators enforce a policy that requires authentication with multiple factors during the logon process; it is designed to centralize the information of valid factors within RACF to help clients create a layered defense, accelerate deployment, simplify management with existing infrastructure, and be able to more simply achieve regulatory compliance and reduce risk to critical applications and data.

The Security Technical Implementation Guide (STIG) from the United States Defense Information Systems Agency (DISA) provides a framework for ensuring that security is set up properly. IBM Security zSecure Audit helps automate compliance control points belonging to this standard as well as for the Payment Card Industry Data Security Standard (PCI-DSS) from the Payment Card Industry Security Standards Council and for GSD331/ISeC (a global services document with information security controls documentation from IBM).

IBM z/OS Connect allows CICS programs to be called via JavaScript Object Notation (JSON), thus providing a simple and intuitive way to API-enable your mainframe.

The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, and zSecure Adapters for SIEM is called the CARLa Auditing and Reporting Language (CARLa).


IBM Security zSecure 2.5 provides:
* access monitor enhancements, including the ability to collect program access events, UNIX file access events, and data for non-global RACLISTed resource classes
* end-to-end event correlation between IBM z/OS Connect, CICS, and Db2 events
* custom data support in zSecure CICS Toolkit
* support for lookup to custom fields in the CARLa engine
* support for enhanced security and data protection in connection with enhancements in RACF as provided with z/OS 2.5 and the IBM Integrated Cryptographic Service Facility (ICSF) HCR77D2; this includes support for the new RACF option to store its database in a Virtual Storage Access Method (VSAM) linear data set
* support for new ICSF policy settings and master key age, and other enhancements to reporting on ICSF
* new policies to trigger a command when UID(0) or OWNER is assigned in zSecure Command Verifier
* the capability to run multiple pre- or post-commands from zSecure Command Verifier policy profiles
* various enhancements to the Command Audit Trail
* various improvements to the Compliance Audit Framework
* additional STIG compliance control automation
* support for STIG 6.50
* new controls in the zSecure Extra standard to supplement controls for passwords to also consider pass phrases
* greatly extended support for tape data sets, including recognition of sensitive tape data sets
* important performance improvements for ACF2 processing
* support for z/OS Connect, ssh, and additional Db2 and ICSF events, plus enhancements for z/VM events; also for the events feeds to SIEM solutions
* various TCP/IP related enhancements, for example for keeping connections alive or for only making them when required
* several new out-of-the-box alerts
* various enhancements to the data passed in alerts
* batch jobs to ease upgrade, maintenance, test, and roll-out of zSecure Alert configuration changes
* a new report type CERTIFICATE to make it easier to work with digital certificates; accessible through the RA.5 menu option
* support for certificate fingerprints
* new menu options RE.Q.AI and RE.Q.CA for MQ authentication information objects and channel authentication records
* extensions to other MQ reports (about regions, channels, and initiators)
* various new report types dealing with JES2 devices and remote work stations, inetd and OpenSSH daemon configurations, and IBM CL/SuperSession and BMC INCONTROL IOA environments; accessible through the RE menu
* the ability to run CKXLOGID (the TSO command to specify ticket information for the Command Logging function) authorized
* selection capabilities on audit and global audit settings in the RA.D and RA.R (RACF data sets and resources) menu options
* other ISPF menu enhancements
* support for SMF relocate section 443 and ID token extensions
* new CARLa functions SMF_SECTION_INDEX and SMF_SECTION12_INDEX for use with the DEFINE command, providing more options to process SMF data
* extensions to the CONVERT function of the DEFINE command, providing more options to convert and print time stamps
* support for CICS 5.6
* support for z/VM 7.2
* a new compliance configuration setup that eliminates the need to re-run the CKAZCUST job to create new configuration members on future upgrades

Note that zSecure 2.5 participated in the z/OS 2.5 Release Beta Program. The base FMIDs were cut in March 2021. It is strongly recommended that you apply all PTFs cut before September 30, so that you have all new function as described in the zSecure publications at general availability.

This release provides SCKACUST and SCKACUSV libraries. The SCKACUST library is concatenated behind your CKACUST library, so that maintenance providing new configuration members for compliance checking can be applied without the need to run the CKAZCUST job afterwards. The CKAZCUST job has been removed. The SCKACUSV library allows for longer records than SCKACUST (for example, to specify the issuer name of a digital certificate). Your zSecure configuration (by default, C2R$PARM) must define which data set is to be used as the CKACUSV data set, or it must be set up manually through option Setup Command files (SE.8). Note: This update was also provided in the zSecure 2.4 service stream in December 2020.

zSecure 2.5 ships with new menu options. If you use option SE.D.N to customize menus or options for your installation, then you must run SE.D.N again with a sufficiently authorized user ID.

To activate the proper auditing of various product resources for newly automated STIG controls, review what SIMULATE SUBSYS specifications are needed to indicate the configurations of the products. (Note: if you already installed the April 2020 Service Stream Enhancement for zSecure 2.4, this might already have been done.)

To make sure that the newly supported SMF events make it to your SIEM solution, verify that you log those SMF records.

If you use your own translations (CARLa LANGUAGE statement) with Double-Byte Character Set (DBCS) characters, review the incompatibility warning for changes in the interpretation of literal strings containing DBCS that cross line boundaries.

Additional migration considerations and details can be found in the Release Notes.

Further reading

Additional details can be found in What's New.

The zSecure unlicensed documentation is available in IBM Documentation. Note that the CARLa Command Reference and the User Reference Manuals (for RACF, ACF2, and Top Secret) for zSecure Admin and Audit are licensed publications.

All zSecure documentation is available in the IBM Security zSecure Suite Library Version 2.5.0. If you do not have access to (or see) the licensed publications, send an email to; be sure to include required information such as your IBM customer number. (If you participate in the zSecure 2.5 Release Beta Program (RBP) and your IBM ID is registered, you should already have access to these licensed publications.)

If you have any questions, please post them here or on the zSecure support forum. The current zSecure for z/VM release is 1.11.2.
The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.

Edit: Meanwhile, IBM Security zSecure for RACF z/VM 2.5.1 has become available.