z/OS

IBM z/OS is a widely-used mainframe operating system designed for a stable, secure and highly available environment for running mission-critical applications.

z/OS V2.5 2Q 2023 Enhancements

By Fiona King posted Tue June 20, 2023 10:32 AM

While IBM has recently announced a Preview of z/OS 3.1, the z/OS V2.5 continuous delivery (CD) model is not yet through!

The z/OS V2.5 2Q 2023 CD announcement contains new key features and functional enhancements to help further the many capabilities of z/OS V2.5. Learn more below and read the full announce for more details.

**Please note: The IBM RFA delivery mechanism has changed. Announcements will now be published on the IBM Documentation page.**

--------------------- What’s new ---------------------

IBM z/OS Change Tracker enhancements 

IBM z/OS Change Tracker, an optional priced feature, is a comprehensive configuration change management tool for tracking, controlling, and managing changes in software libraries and configuration data in real-time. 

Now delivered as a z/OSMF plug-in, it gives users an interactive graphical user interface for monitoring their resources, such as setting desired protection attributes, viewing detailed information about data sets and members, creating and browsing backups and recovery options, and more. With the PTF for APAR PH49337, this support is available on z/OS V2.5.

In addition, a 90-day trial for IBM z/OS Change Tracker is now available with the PTF for APAR PH51954. Clients can have the full z/OS Change Tracker user experience for up to 90 days without having to purchase the feature code.

To learn more about z/OS Change Tracker, see the IBM z/OS Change Tracker content solution page.

Digital signatures for z/OSMF ServerPac and CBPDO software packages

To provide higher standards for security and integrity of z/OS software packages delivered to clients, IBM is digitally signing z/OS product software packages by exploiting the digital signature feature of SMP/E introduced in the PTFs for APAR IO28360 on z/OS V2.4 and later. 

The packages produced for the following IBM offerings are signed: 

  • z/OSMF ServerPac portable software instances, all electronic and DVD packages for all products in all SRELs 
  • CBPDO – all electronic and DVD packages for all products in all SRELs. See the ‘Statement of Direction’ section below for information about PTF package signing.

Digital signature verification of signed software packages is optional. See the Preparing to verify signatures for GIMZIP packages web page to learn how to verify signatures.

z/OS UNIX syslogd support for secure logging over TCP 

A z/OS system programmer can benefit from configuring the z/OS syslog daemon to act as a more secure, accessible central collection point for syslog messages from other syslog daemons running on other z/OS and non-z/OS nodes in the network. The z/OS UNIX syslog daemon (syslogd) has been enhanced to support network connectivity to other syslogd instances over TCP, with or without TLS protection. Previously, syslogd supported only UDP connectivity. With the PTF for APAR PH47666, this support is available on z/OS V2.5.

New union file system (UFS) 

A UFS, commonly found on other platforms, is now provided on z/OS. It works on top of other file systems and enables a user to obtain a merged view of one or more directories. This merged view is obtained by accessing the union mount point and gives a single coherent and unified view of files and directories. Union file systems are used extensively by containers. They allow many containers to use one image without having to make multiple copies, thereby saving on disk space. Rather than porting, this UFS is purposefully built for z/OS. With the PTF for APAR OA61759, this support is available on z/OS V2.5.

Data set file system enhancement

An enhancement has been made to the data set file system that allows specification of multiple data set qualifiers for the high-level qualifier (HLQ) directory, designed to make it easier to manage and use data sets that are part of a large set under a single high-level qualifier. This is useful because it reduces the scope of data sets being accessed by the application. With the PTF for APAR OA63218, this support is available on z/OS V2.5.

Enhancements to z/OS UNIX utilities 

Minor enhancements have been provided to the following existing utilities: 

  • The su utility has been enhanced to write messages to the system log, viewable by syslogd, for every successful and failed attempt to switch users. This enhancement provides an auditing element to the su utility. With the PTF for APAR OA62850, this support is available on z/OS V2.4 and later.
  • The date utility now supports Julian date conversion. With the PTF for APAR OA64061, this support is available on z/OS V2.4 and later.
  • The find utility can now separate filenames in the output with a null character (a zero byte), thereby allowing filenames to be interpreted correctly when containing spaces or newlines. With the PTF for APAR OA64061, this support is available on z/OS V2.4 and later.

zIIP enablement of IBM Open Enterprise SDK for Python

z/OS is enhanced to allow IBM Open Enterprise SDK for Python to be zIIP enabled. With IBM Open Enterprise SDK for Python on z/OS, advanced data analysis can be performed, with popular Python packages, natively on z/OS where the data is stored. zIIP enablement of Python on z/OS provides a competitive option for running Python workloads, and up to 70% of Python processing will be eligible to run on a zIIP. This support is available with the PTFs for APARs PH52983 and OA63406 on z/OS V2.4 and later.

zlib Compression library enhancement

The zlib compression library has been enhanced to support the CRC-32 checksum, a practical algorithm commonly used in digital networks and storage devices to detect accidental changes to digital data. This new support takes advantage of high performance computing facilities in IBM Z hardware known as single instruction multiple data (SIMD) vector instructions. With the PTF for APAR OA60361, this support is available on z/OS V2.4 and later.
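As an added illustration (not IBM's zlib code), the following is a table-driven CRC-32 with the same polynomial and conventions as zlib, checked against Python's own `zlib.crc32`; it shows that a single-bit corruption is always detected, while the comments note what a CRC does not protect against.

```python
import zlib

POLY = 0xEDB88320  # reflected form of the IEEE 802.3 polynomial used by zlib's CRC-32


def make_table() -> list[int]:
    """Precompute the 256-entry lookup table (one byte of input per step)."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = make_table()


def crc32(data: bytes, crc: int = 0) -> int:
    """Table-driven CRC-32 with zlib's parameters: init 0xFFFFFFFF, final XOR 0xFFFFFFFF.

    A CRC is an error-detecting code for accidental corruption only; it is not a MAC and
    gives no protection against deliberate modification, which needs a keyed algorithm
    (for example HMAC) or a digital signature.
    """
    c = crc ^ 0xFFFFFFFF
    for b in data:
        c = TABLE[(c ^ b) & 0xFF] ^ (c >> 8)
    return c ^ 0xFFFFFFFF


def detects_corruption(data: bytes, bit: int) -> bool:
    """Flip one bit of a copy of `data` and report whether the checksum changes.

    Any CRC whose polynomial has more than one term detects every single-bit error,
    so this returns True for every in-range bit position.
    """
    flipped = bytearray(data)
    flipped[bit // 8] ^= 1 << (bit % 8)
    return crc32(bytes(flipped)) != crc32(data)


def matches_zlib(data: bytes) -> bool:
    """Cross-check this implementation against the platform zlib binding."""
    return crc32(data) == zlib.crc32(data)


if __name__ == "__main__":
    sample = b"123456789"  # standard CRC-32 check input (constructed)
    print(hex(crc32(sample)), matches_zlib(sample), detects_corruption(sample, 5))
```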

Encryption and compression bypass mode 

A new interface for VSAM encrypted data sets and sequential encrypted extended format data sets has been delivered that provides the capability to optimize copying from a source to a target encrypted data set where both have the same key label, while making the copy operation more secure because the data remains encrypted throughout the copy. Not having to decrypt the data on input and then re-encrypt it on output can also provide a performance benefit.

This enhancement also provides the capability to optimize copying sequential extended format compressed data sets using BSAM so that the data does not have to be decompressed and recompressed. There can also be a performance benefit to not having to decompress the data on input and then recompress it on output. Similar support for VSAM is already available. With the PTF for APAR OA63434, this support is available on z/OS V2.5.

ICSF support for the IBM z16

ICSF delivers support for Common Cryptographic Architecture (CCA) Release 8.1, which allows the application developer to create, manage, and locally use symmetric cryptographic key material encapsulated in a TR-31 key block as described in ANSI X9.143.

A new callable service, CSNBT31C TR-31 Create, has been added to allow the generation of key blocks, and the existing service CSNBT31X TR-31 Translate has been updated to allow the migration of traditional CCA key tokens to TR-31 key blocks and vice versa.

Most existing services that implement symmetric key algorithms (DES, AES, and HMAC) have been updated to accept a TR-31 key block as the input key identifier, and the ICSF key data set management services have been updated to support storing key blocks in the Cryptographic Key Data Set (CKDS).

This support is available with the PTF for APAR OA61978 for z/OS V2.5.
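As an added example (not ICSF or IBM code), the following parses and sanity-checks the fixed 16-character header of a TR-31 / ANSI X9.143 key block of the kind that CSNBT31C produces and CSNBT31X translates. The code-point tables are a subset written here for illustration, and the sample block is constructed filler, not real wrapped key material; the header is validated but the key is neither unwrapped nor authenticated.

```python
from dataclasses import dataclass

HEADER_LEN = 16  # the TR-31 header is 16 printable ASCII characters

# Subset of the X9.143 code points, written here for illustration only.
KEY_USAGE = {"B0": "base derivation", "D0": "data encryption",
             "K0": "key encryption / wrapping", "M3": "ISO 16609 MAC", "P0": "PIN encryption"}
ALGORITHM = {"A": "AES", "D": "DES", "T": "TDES", "H": "HMAC", "R": "RSA"}
MODE_OF_USE = {"B": "encrypt and decrypt", "D": "decrypt only", "E": "encrypt only",
               "G": "generate only", "N": "no restriction", "V": "verify only"}
EXPORTABILITY = {"E": "exportable under trusted key", "N": "non-exportable", "S": "sensitive"}


@dataclass
class Tr31Header:
    version: str          # key block version ID 'A'..'D'
    block_length: int     # total block length in characters, header included
    key_usage: str
    algorithm: str
    mode_of_use: str
    key_version: str      # "00" when the key is not versioned
    exportability: str
    optional_blocks: int


def parse_tr31_header(block: bytes) -> Tr31Header:
    """Parse the fixed header and reject malformed blocks before any key handling."""
    if len(block) < HEADER_LEN:
        raise ValueError("key block shorter than the 16-byte TR-31 header")
    hdr = block[:HEADER_LEN].decode("ascii")
    if hdr[0] not in "ABCD":
        raise ValueError(f"unknown key block version {hdr[0]!r}")
    length = int(hdr[1:5])  # raises ValueError if the field is not decimal digits
    # A length mismatch is the first sign of a truncated or corrupted block.
    if length != len(block):
        raise ValueError(f"header says {length} characters, block has {len(block)}")
    if hdr[5:7] not in KEY_USAGE or hdr[7] not in ALGORITHM:
        raise ValueError(f"unsupported key usage/algorithm {hdr[5:8]!r}")
    if hdr[8] not in MODE_OF_USE or hdr[11] not in EXPORTABILITY:
        raise ValueError("unsupported mode of use or exportability")
    return Tr31Header(hdr[0], length, hdr[5:7], hdr[7], hdr[8], hdr[9:11], hdr[11], int(hdr[12:14]))


def describe(h: Tr31Header) -> str:
    return (f"{KEY_USAGE[h.key_usage]} key, {ALGORITHM[h.algorithm]}, "
            f"{MODE_OF_USE[h.mode_of_use]}, {EXPORTABILITY[h.exportability]}")


# Constructed sample: version B header for a TDES PIN-encryption key, encrypt-only and
# non-exportable, followed by 64 hex characters of filler in place of the wrapped key and MAC.
SAMPLE_BLOCK = b"B0080P0TE00N0000" + b"0123456789ABCDEF" * 4
```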

Validated Boot for z/OS

With the IBM z16 and the accompanying z/OS 2.5 operating system support, IBM is providing basic support for performing a Validated Boot (IPL) of z/OS systems, using IPL volumes defined and built on ECKD DASD devices. The solution uses digital signatures to provide an IPL time check that the z/OS system, including z/OS nucleus and LPA load module executables, is intact, untampered with, and originates from a trusted source from the time it was built and signed. This enables the detection of subsequent unauthorized changes to those software executables, whether those changes be accidental or malicious in nature.

When the target system is built and digitally signed as part of the client’s secure build process, the target system can be IPLed using List-Directed IPL (LD-IPL) with digital signature validation in either Enforce or Audit mode, or IPLed without digital signature validation using CCW-IPL. In Enforce mode, an IPL will terminate if there are validation failures for any of the load modules protected by Validated Boot or if the necessary configuration requirements are not met; in Audit mode, the IPL will continue, but audit records will be produced to describe the validation problems encountered.

Note: The use of Validated Boot for z/OS IPLs is entirely optional and at the discretion of the client. A z/OS system can continue to be built without supporting or being signed for use with Validated Boot. Also, a z/OS system that has been built and signed for use with Validated Boot can be IPLed either with or without signature validation performed for it.

z/OS support for Validated Boot on z/OS V2.5 requires the installation of PTFs associated with FIXCAT IBM.Function.ValidatedBoot.

To learn more about Validated Boot for z/OS, see the Validated Boot for z/OS content solution page.

Customized Offerings Driver

The Customized Offerings Driver was updated to include support for the IBM z16 A02 server and to provide the certificate and keyring required to optionally verify the digital signature of z/OSMF ServerPac portable software instances and CBPDO order packages.

Hold DFSMSrmm housekeeping enhancement

Under certain circumstances, including disaster recovery or upgrade processing, RMM clients have requested the ability to limit RMM housekeeping functions to avoid accidentally expiring data. A new option, ‘HSKP’, with values ALL (default) or LIMITED, in PARMLIB member EDGRMMxx provides the flexibility to allow housekeeping to perform all functions, or to limit housekeeping functions such as EXPROC, VRSEL, DSTORE, and CATSYNC while still allowing BACKUP and RPTEXT. With the PTF for APAR OA64912, this support is available on z/OS V2.4 and later.

--------------------- Statements of General Direction ---------------------

IBM z/OS Change Tracker enhancements 

IBM plans to deliver new functions within the IBM z/OS Change Tracker z/OSMF plug-in in which users can intuitively compare resources and view their comparison summaries. This new comparison ability is intended to give users granular insight into the differences that exist between selected data sets or members.

Digital signatures for electronic PTF orders and SMP/E RECEIVE ORDER

IBM plans to sign packages for electronic Shopz PTF orders and SMP/E RECEIVE ORDER. See the "Digital signatures for z/OSMF ServerPac and CBPDO software packages" topic in the section above for additional details on available product package signing options.

Additional z/OSMF ServerPac portable software instance support for z/OS Validated Boot

z/OSMF ServerPac portable software instances that include the z/OS V2.5 product provide assistance for Validated Boot by providing optional support in the PostDeploy workflow steps to set up IPL text, stand-alone dump text, and sign in-scope z/OS executables. IBM intends to extend this existing support for signing in-scope executables to all other z/OSMF ServerPac portable software instances where z/OS V2.5 has not been included in the order.

National Information Assurance Partnership (NIAP) OS Protection Profile (OSPP) certification

IBM intends to pursue obtaining NIAP OSPP 4.3 certification for z/OS V2.5 and IBM z16. Customers operating in industries which must meet stringent security certifications may then be able to rely on the tamper-protection that the certification ensures, including operating system kernel boot integrity validation for their z/OS operating system images. It is intended that this will better enable customers’ z/OS deployments to comply with specific government or industry requirements.

Statements by IBM regarding its plans, directions, and intent are subject to change or withdrawal without notice at the sole discretion of IBM. Information regarding potential future products is intended to outline general product direction and should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for IBM products remain at the sole discretion of IBM.

Additional Resources:

Full z/OS V2.5 2Q23 Announce

z/OS 3.1 Preview Announce

z/OS homepage

z/OS Documentation