IBM Security Z Security

 View Only

IBM Security zSecure 2.5: IBM Z Security and Compliance Center 1.1, IMS reporting, and more

By Jeroen Tiggelman posted Mon June 13, 2022 08:06 AM

On June 8, 2022 a new service stream enhancement (SSE) to zSecure 2.5 has become generally available, providing support for IBM Z Security and Compliance Center 1.1, reporting for additional IMS sub-systems, and more.


IBM Z continues to be the home for mission critical information and essential business production applications in many organizations due to the strong heritage of integrated security support capabilities across hardware, operating system, software and applications. Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting Z. IBM Security zSecure suite builds on the security support in IBM Z, z/OS and RACF to enhance Z security capabilities.

IBM Security zSecure Audit helps review the security of the system in various ways, for example by formatting event log records from the System Management Facilities (SMF) and by running evaluations against compliance standards such as the Security Technical Implementation Guides (STIGs) from the United States Defense Information Systems Agency (DISA). zSecure Audit also supports CA ACF2 and CA Top Secret, two alternatives to RACF. The zSecure Collect component collects system snapshot information. The IBM Security zSecure Adapters for SIEM provide a functional subset of zSecure Audit to send enriched SMF information to Security Information and Event Management (SIEM) solutions such as IBM QRadar SIEM. IBM Security zSecure Alert is a real-time monitor for security events.  IBM Security zSecure Admin boosts productivity for RACF administrators. The Access Monitor component of zSecure Admin can also see security events that are not being logged and summarize all access requests. The CKGRACF component can update information in the RACF database.

IBM Z Security and Compliance Center 1.1 is a recently announced new software product designed to help simplify and streamline compliance tasks. It contains a dashboard and an integrated set of microservices that run on the OpenShift Container Platform on Linux on Z. z/OS compliance data is obtained from participating IBM components with the help of z/OSMF and the IBM Z Common Data Provider component. Some participating components delegate the actual data compilation to the z/OS Compliance Integration Manager component, which integrates with zSecure. All zSecure Audit functionality is available with the new product.

The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, zSecure Adapters for SIEM, and the z/OS Compliance Integration Manager component of IBM Z Security and Compliance Center is called the CARLa Auditing and Reporting Language (CARLa).


Besides support for IBM Z Security and Compliance Center, the SSE for zSecure 2.5 released in June 2022 provides
- reporting for the IMS Connect and IMS Operations Manager sub-systems (ISPF menu options RE.M.C and RE.M.O)
- reporting on CICS Db2 entries and CICS Db2 transactions
- a new out-of-the-box alert 1616/2616 for deactivation of an SMF record type
- new fields for CICS 6.1 settings (toleration support for CICS 6.1 was provided earlier, also for older zSecure releases)
- various SMF and cryptographic enhancements
- additional STIG automation (with a focus on ACF2) and support for STIG 6.52
- various usability and serviceability enhancements for zSecure Admin Access Monitor, zSecure Alert, zSecure Collect, and the SMF collector CKQEXSMF
and more

The zSecure 2.5.0 documentation was refreshed. There is a new "(June 2022)" section in What's new with additional detail.
A technote summarizes which books were updated.

These enhancements primarily apply to zSecure Audit and zSecure Alert, and secondarily to zSecure Admin and zSecure Adapters for SIEM.


To fully benefit from these enhancements the following is required:
* IBM Security zSecure 2.5, or one of the zSecure Compliance solutions
* PTFs UJ08291, UJ08571, and UJ08572 for APARs OA63173, OA63332, and OA63333 (this updates code shared among most zSecure components)
* PTF UJ08292 for APAR OA63174 (this updates code specific to the ACF2 features)
* PTF UJ08576 for APAR OA63338 (this updates code specific to zSecure Audit for RACF)
* PTF UJ08577 for APAR OA63339 (this updates code specific to zSecure Audit for ACF2)
* PTF UJ08589 for APAR OA63352 (this updates code specific to zSecure Audit for Top Secret)
* PTF UJ08588 for APAR OA63353 (this updates code specific to zSecure Adapters for RACF)
* PTF UJ08600 for APAR OA63365 (this updates code specific to zSecure Adapters for ACF2)
* PTF UJ08601 for APAR OA63366 (this updates code specific to zSecure Adapters for Top Secret)


This SSE ships with new menu options. If you use option SE.D.N to customize menus or options for your installation, then you must run SE.D.N again with a sufficiently authorized user ID.

The CC_SERIAL field in the SMF report type has become a repeated field. This means that it will by default now be shown on the detail display. If you use this in your own queries, you can use a BOTH, MORE, or NODETAIL modifier if that is not what you want.

The CKGRACF component now supports managing USRDATA for discrete profiles. This has a resulted in a command syntax change: a GENERIC keyword must now be used with fully qualified generic profiles.

If you install the new IBM Z Security and Compliance Center product into the same SMP/E zone as zSecure Audit (or zSecure Adapters for SIEM)--and you do not specifically disable the product--then the zSecure engine will register to product registration services that the new product is running instead of (not: in addition to) the zSecure Audit features. This same mechanism already held true for zSecure Audit over zSecure Adapters for SIEM.

Note that the new product does not have separate RACF, ACF2, and Top Secret features, but all external security managers (ESMs) are enabled. Which ESMs are enabled influences the default mask type used in evaluating CARLa select statements that could apply to multiple ESMs. In particular, if you have a zSecure Audit for ACF2 only installation and you add RACF enablement to that installation, you might see in places that ACF2 style masking changes to RACF Enhanced Generic Naming. You might want to control these via an OPTION MASKTYPE=ACF2 statement. (Note: the zSecure Compliance and Auditing solutions have all ESMs enabled by default, so if you have those and use the default settings, you should not see any changes.)

If you install the new IBM Z Security and Compliance Center product into the same SMP/E zone as zSecure components that use the ISPF user interface (zSecure Admin, zSecure Audit, zSecure Alert, and zSecure Visual), the user interface will identify itself in panel titles as "zSecure Suite". If you install the new product into its own SMP/E zone, the user interface will show "Z Security Compliance Center". Note that the message issued when the user interface starts will list all relevant entitlements by listing the program identifiers (PIDs) (with the understanding that for the zSecure Compliance solutions the PIDs for the individual "point products" contained will be listed instead of the solution PID).

If you have any questions, please ask them here or on the zSecure support forum. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.

1 comment



Tue June 14, 2022 12:08 PM

Great update, thanks Jeroen!