IBM zSecure 3.2 was announced on July 22, 2025 and is planned to become available on September 30, 2025. You can read the announcement letter here. This release provides enhanced administrative capabilities for Multi-Factor Authentication data and Custom Data fields in the RACF database, currency support for z/OS 3.2 (including support for new RACF functions such as User Quarantine, granular data set encryption policies, and identity token support with RSA-based signatures), support for IBM Threat Detection for z/OS and CL/SuperSession, integration between zSecure Admin and zSecure Command Verifier, enhanced support for compliance standards, and more.
Background
IBM Z hosts mission critical information and essential business production applications in many organizations due to the strong heritage of integrated security support capabilities and application-level resiliency. IBM z/OS has been the foundation for enterprises that need unmatched reliability, scalability and security. z/OS 3.2 is engineered to allow clients to integrate their applications and data into hybrid cloud environments, while leveraging the strengths of the mainframe to support today’s AI-driven workloads. Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting Z. CA ACF2 and CA Top Secret are alternative external security managers. IBM zSecure builds on the security support in IBM Z, z/OS and RACF to enhance mainframe security capabilities. It can help you protect your enterprise, detect threats, comply with policy and regulations, and reduce costs. IBM zSecure furthermore helps protect various mainframe sub-systems, including Db2, CICS, IMS, MQ, and z/OS UNIX.
IBM zSecure Admin boosts productivity for RACF administrators and provides further security capabilities on top of RACF. zSecure Admin 3.1.1 introduced a web user interface that supersedes the former IBM Security zSecure Visual product. IBM zSecure Audit helps review the security of the system in various ways, e.g. by formatting event log records from the System Management Facilities (SMF) and by displaying global RACF security settings (SETROPTS configurations). IBM zSecure Command Verifier allows you to define granular policies as to which users can make certain changes through RACF commands. IBM zSecure CICS Toolkit helps with RACF administration from a Customer Information Control System (CICS) environment. IBM zSecure Alert is a real-time monitor for security events. The IBM zSecure Adapters for SIEM send enriched SMF information to security information and event management (SIEM) solutions such as IBM QRadar SIEM.
IBM Z Multi-Factor Authentication (IBM Z MFA) helps security administrators enforce a policy that requires authentication with multiple factors during the logon process; it is designed to centralize the information of valid factors within RACF to help clients create a layered defense, accelerate deployment, simplify management with existing infrastructure, and be able to more simply achieve regulatory compliance and reduce risk to critical applications and data.
IBM Threat Detection for z/OS is an Artificial Intelligence software product that identifies anomalies in data access that might indicate a potential cyber attack.
The Security Technical Implementation Guide (STIG) from the United States Defense Information Systems Agency (DISA) provides a framework for ensuring that security is set up properly. IBM Security zSecure Audit helps automate compliance control points belonging to this standard as well as for the Payment Card Industry Data Security Standard (PCI-DSS) from the Payment Card Industry Security Standards Council and the Center for Internet Security (CIS) IBM z/OS with RACF benchmark.
IBM Z Security and Compliance Center (zSCC) 1.3 is designed to help simplify and streamline compliance tasks. It contains a dashboard and an integrated set of micro-services that run on the OpenShift Container Platform on Linux on Z, or on z Container Extensions. z/OS compliance data is obtained from participating IBM components with the help of z/OSMF and the IBM Z Common Data Provider component. Some participating components delegate the actual data compilation to the z/OS Compliance Integration Manager component, which integrates with zSecure. All zSecure Audit functionality is included in this product.
The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, zSecure Adapters for SIEM, and IBM Z Security and Compliance Center is called the CARLa Auditing and Reporting Language (CARLa).
RACF User Quarantine
When you REVOKE a user in RACF, they are no longer able to start a new session, but they are still able to access system resources using their active sessions. To make it possible to block a user from continuing to access RACF-protected resources, RACF has therefore introduced the concept of quarantining (also known as containing) a user. Containment-aware services can help bolster system security by taking note of the fact that the user got CONTAINED.
When a user is CONTAINED, it is also REVOKED. Moreover, it is not possible to accidentally RESUME a CONTAINED user: the command must also explicitly indicate that the user should be uncontained as well, otherwise it will fail. The system maintains a list of contained user IDs. If a user ID is deleted while on the list, adding it back to the RACF database is also only allowed with an explicit indication that it should be uncontained.
Since zSecure automates a lot of RACF database administration, this raises some considerations for commands that should and should not be generated in a particular context. For example, when a CONTAINED user would be deleted, it could not be added back unless it also got uncontained. And while adding a NOCONTAIN keyword to an ADDUSER might help the command succeed, this is something that in general shouldn't be automatically done, as not managing containment consciously might defeat the effectiveness of the security feature.
zSecure Admin therefore takes the position that containment status should by default be protected. For RECREATE this means that for an ADDUSER that should logically be generated with a NOCONTAIN keyword to help it succeed, this NOCONTAIN keyword is commented out. If the user is indeed on the containment list of the system where the commands run, the ADDUSER will fail. The RECREATE command also adds a comment into the command stream to explicitly point out that this kind of condition exists.
The REMOVE and VERIFY functions will by default not generate a DELUSER for a CONTAINED user. If you are sure that you want to delete the user anyway, you can add the SUPPRESS PROTECT_CONTAIN CARLa command. (The user interface provides a checkbox for generating this.) MERGE has similar protections and also responds to SUPPRESS PROTECT_CONTAIN. The COPY function never copies the CONTAIN attribute.
In order to protect your important task user IDs from accidentally getting CONTAINED, RACF has also provided the NEVERCONTAIN attribute. zSecure displays this new system authority together with SPECIAL, OPERATIONS, AUDITOR, and ROAUDITOR, while it displays CONTAINED together with the REVOKED, REVOKE_INACTIVE, RESTRICTED, and PROTECTED attributes.
The zSecure Server is containment-aware and will terminate an active session when the session owner gets contained, preventing further RACF commands from being issued in this way.
New out-of-the-box alerts are available to learn about CONTAIN events and the assignment of the NEVERCONTAIN attribute.
Benefits
IBM zSecure 3.2 provides the following enhancements:
- MFA administration support. On the detail panel of a RACF user ID you can now use the I(nsert) line command to select a dedicated panel for a particular MFA factor to guide you through the setup. Afterwards S(elect) and D(elete) are available for maintenance.
- Custom data support. You can use menu option SE.6 to configure where and how to display (some of) the available custom data fields in your RACF administration displays. (Also on the selection panels.)
- Support for RACF enhancements. New RACF command keywords are understood by zSecure Command Verifier, and new policies apply to them. New SMF events, fields, and keywords are interpreted. zSecure Admin allows changing the value by overtyping it, and has updates to COPY, REMOVE, RECREATE, MERGE, and VERIFY.
  - RACF provides User Quarantine support as described above.
  - RACF provides ENCRYPTTYPES in the DFP segment for DATASET profiles to allow specification of granular data set encryption policies. This is checked at the time the data set is allocated. The policy can be encrypt, do not encrypt, or do not decide (that is, let a decision be taken at another level) for a specific type of data set (sequential, PDS/E, or tape data set).
  - RACF provides additional support for Identity Tokens, namely tokens with RSA-based signatures.
  - RACF provides support for multiple alternate names in digital certificates.
- The zSecure Admin Web UI has been enhanced for these new features (except for custom data) as well.
- Additional support for IBM Threat Detection for z/OS: showing from SMF 1154-97 (z/OS compliance evidence for SMF sub-systems) when SMF 83-8 (anomaly detection) records are being written. (This information is written into SMF 1154-97 by the z/OS Compliance Integration Manager component of zSCC.)
- Support for CL/SuperSession SMF: These SMF records (which have a configurable type) generally contain multiple events. These are now split into separate sub-records. These are also sent over to SIEM solutions.
- The zSecure Command Verifier Command Audit Trail recorded into RACF Userdata fields is now shown separately in zSecure Admin and Audit, formatted in the same way as shown in the RACF LISTUSER command by zSecure Command Verifier.
- Menu option RE.U.F now allows selection on physical UNIX file attributes instead of the effective ones.
- Only with a zSCC entitlement: In the Compliance reporting many controls have been added for the CIS benchmark for DB2. Some of these are based on new underlying CARLa report types DB2_ROLES and DB2_CONTEXT.
- The zSecure Admin Access Monitor, zSecure Alert, and zSecure SMF extractor started tasks can now run under the MSTR subsystem to allow data collection to begin before JES2 is up.
Migration
Note that zSecure 3.2 participated in the z/OS 3.2 Release Beta Program. The base FMIDs were cut in March 2025. Please apply all PTFs cut before September 30, so that you have all new function as described in the zSecure publications at general availability and will be in a supported configuration.
zSecure 3.2 ships with new menu options. If you use option SE.D.N to customize menus or options for your installation, then you must run SE.D.N again with a sufficiently authorized user ID.
Be aware that zSecure 3.2 has a new program object CKR8Z15 (a variant of the CARLa engine). If you use PROGRAM-controlled access, you might need to make changes for this. The CKR4Z196 program is no longer available. Both CKR8Z12 and CKR8Z15 use 64-bit addressing. The option to use a 31-bit engine was removed from menu option SE.0 (SETUP RUN).
Please note that changes are required for the setup of the started tasks that can now run under the MSTR subsystem.
Additional migration considerations and details can be found in the Release Notes.
Further reading
Additional details can be found in What's New.
All zSecure documentation is available in IBM Documentation.
Edit: Added "For RECREATE" at the beginning of a sentence for clarity. Since the data source is the RACF database, zSecure cannot consider adding protection for a target of COPY TOUSER=, as it does not know that that user was contained.
If you have any questions, please post them here. The current zSecure for z/VM release is 2.5.1.
The IBM zSecure today article serves as a starting point to reach all the latest zSecure announcements.