zSecure 2.4 updateszSecure in batch jobs (3) Licensed material © 2020 IBM Corporation 8 JCLLIB tells MVS where to find C2R$PARM and C2RC members Use a dsname without version/release

zSecure 2.4 updates

Rob van HobokenzSecure [email protected]

Session 2AC

mailto:[email protected]

3Licensed material © 2020 IBM Corporation

IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice and at IBM’s sole discretion.

Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.

The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Please note

Agenda


1. JCL2. Db23. SSEs and how to find out more4. DISA STIG automation5. Using STIGs6. zSecure Adapters for SIEM7. zSecure Alert

JCL


Used in zSecure for:

zSecure Started TasksProduction/job scheduler jobs(Virtual) tape reporting and long running reports

Where:

STC JCL members in SCKRPROCSamples in CKRJOBS (copied from SCKRSAMP)Generated in ISPF with SUB or “Background run”

zSecure in batch jobs (1)


Easy to generate JCL from the standard zSecure ISPF panels:

//ZSECROBZ JOB ,CERTIFICATE-WARNING,TIME=1,MSGCLASS=Q,NOTIFY=&SYSUID //* //* Generated by zSecure Suite for ZSECROB on 20/10/30 16:07 //* //*complex set //* : Active primary RACF data base //* : daily CKFREEZE //* //CKRCARLA EXEC PGM=CKRCARLA,REGION=64M,PARM='I DD=CKRSPROF' //STEPLIB DD DISP=SHR,DSN=SYS1.CKR240.SCKRLOAD //CKRCARLA DD DISP=SHR,DSN=SYS1.CKR240.SCKRCARL //SYSPRINT DD SYSOUT=* //CKREPORT DD SYSOUT=* //CKRCMD DD SYSOUT=* //CKR2PASS DD SYSOUT=* //C2IOC0 DD DSN='SYSSEC.PRDA.RECENT0.CKFREEZE', // DISP=SHR //CKRCMD02 DD SYSOUT=* //* Standard profile for zSecure Suite run //CKRSPROF DD DATA,DLM='\/' PRINT DD=CKREPORT SUP MSG=(2225,2226,2844,2239); IMBED MEMBER=CKRXDEF1 NOLIST \/ //* //SYSIN DD DATA,DLM='\/' /* Active primary RACF data base */ alloc type=RACF primary active /* daily CKFREEZE */ alloc type=CKFREEZE DD=C2IOC0 alloc type=CKRCMD DD=CKRCMD02



JCL has hard coded dsnamesMaybe with release number in qualifier

Excessive DDs

Inelegant allocation of input files

Two separate SYSIN streams

//ZSECROBZ JOB ,CERTIFICATE-WARNING,TIME=1,MSGCLASS=Q,NOTIFY=&SYSUID //* //* Generated by zSecure Suite for ZSECROB on 20/10/27 16:07 //* //*complex set //* : Active primary RACF data base //* : daily CKFREEZE //* //CKRCARLA EXEC PGM=CKRCARLA,REGION=64M,PARM='I DD=CKRSPROF' //STEPLIB DD DISP=SHR,DSN=SYS1.CKR240.SCKRLOAD //CKRCARLA DD DISP=SHR,DSN=SYS1.CKR240.SCKRCARL //SYSPRINT DD SYSOUT=* //CKREPORT DD SYSOUT=* //CKRCMD DD SYSOUT=* //CKR2PASS DD SYSOUT=* //C2IOC0 DD DSN='SYSSEC.PRDA.RECENT0.CKFREEZE', // DISP=SHR //CKRCMD02 DD SYSOUT=* //* Standard profile for zSecure Suite run //CKRSPROF DD DATA,DLM='\/' PRINT DD=CKREPORT SUP MSG=(2225,2226,2844,2239); IMBED MEMBER=CKRXDEF1 NOLIST \/ //* //SYSIN DD DATA,DLM='\/' /* Active primary RACF data base */ alloc type=RACF primary active /* daily CKFREEZE */ alloc type=CKFREEZE DD=C2IOC0 alloc type=CKRCMD DD=CKRCMD02



JCLLIB tells MVS where to find C2R$PARM and C2RC membersUse a dsname without version/release numbers

C2RC catalogued procedure ships in SCKRPROC

C2RC includes C2R$PARM member from CKRPARM to find dsname prefixesUse CONFIG=MY$PARM for other members

Input data sets can be allocated with ALLOC DSN= command, or using a DD statement and ALLOC DD=

Short and simple.

//ZSECROBZ JOB ,CERTIFICATE-WARNING,TIME=1,MSGCLASS=Q,NOTIFY=&SYSUID //*//JCLLIB JCLLIB ORDER=(SYS2.CKRPARM,// SYS1.SCKRPROC)//*//STEP1 EXEC C2RC //SYSIN DD DATA,DLM=‘\/’/* Active primary RACF data base */ alloc type=RACF primary active/* daily CKFREEZE */alloc type=CKFREEZE DSN=SYSSEC.PRDA.RECENT0.CKFREEZE

N n=DIGTCR51 s=certdata,tt="RACF class ",st="Certificate with cert end between TODAY and TODAY+7",empty="No expiring certificates next week" s c=digtcert s=certdata (certend>=TODAY and certend

zSecure Started Task JCL


According to Installation and Deployment manual:

Copy several members to a PROCLIB, fromCKRPARM(C2R$PARM)SCKRPROC(C2POLICE)SCKRPROC(C2PCOLL)SCKRPROC(C2PAMON)SCKRPROC(C2RC)etc.

If needed, customize these members.After PTFs or new release install:

compare with original members in SCKRPROC

Ensure C2R$PARM changes are applied to CKRPARM copy (for ISPF users) and to PROCLIB

Result:

Customer running zSecure 2.4.0 C2POLICE JCL still from initial install with 1.11.0

Missing LRECL overrideTruncated messages

New version/release numbers applied to CKRPARM but not in PROCLIB, STCs and batch jobs use older release zSecure

Use IEFJOBS data set


IEFJOBS data set is allocated in MSTRJCL:

//IEFJOBS DD DSN=SYS1.STCJOBS,DISP=SHR

Contains whole job image, including JOB cards, JCLLIB and SET commands

You can even use an STC name different from the PROC name, without changing SCKRPROC

Builds STC JCL after MVS START command,uses STARTED profile to set STC user ID

Alternative for SYS1.PROCLIB, when SCKRPROC is not part of PROCLIB/STCPROC concatenation

See Using IEFJOBS to define started tasks

SYS1.IEFJOBS(CKRCOLL)

//CKRCOLL JOB ,COLLECT-FOR-ALERTS,TIME=1,MEMLIMIT=NOLIMIT//*//JCLLIB JCLLIB ORDER=(SYS2.CKRPARM,// SYS1.SCKRPROC)//*// INCLUDE MEMBER=C2R$PARM// SET DPREF=CKRALERT.DATA// SET SYS=&SYSNAME//*//CKRCOLL EXEC C2PCOLL,CONFIG=C2R$VOID,FOCUS='ALERT,AUDIT’

JCLLIB tells MVS where to find C2R$PARM and C2PCOLL members

CONFIG=C2R$VOID prevents overwriting JCL symbols DPREF and SYS inside the proc

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.4.0/com.ibm.zos.v2r4.ieae200/ieae20021.htm

Db2


Report about Db2 activity: EV.DSMF records (type 102) produced by Db2 AUDIT facility

Display (and analyze) Db2 regions: RE.D.RDisplay Db2 tables + access controls: RE.D.TB

Combines internal (GRANT, ZPARM) and external (SAF)Etc.

Real-time SMF records to SIEM (CKQRADAR, CKQCEF)

Monitor DB2 (region) settings and SMF records using zSecure AlertRequires some handy work to write a custom alert

Db2 status (changes)


SMF 102 IFCid 106

10 new DB2_ZPRM_xxx fields in SMF newlist

System parameters printed in RECORDDESCIncluded in syslog messages to SIEM

2 fields in DB2_REGION newlistDB2_ZPRM_REVOKE_DEP_PRIVDB2_ZPRM_TCPALVER

(2020 Q2 SSE)

DB2 DBC2 SYSOPR Startup options db2auth extsecnosepsec notcpalver revokedep(SQL) noauditstat(1,3:6) acct(1:3,7:8) nomonitor noglobalsysadm(SYSADM,JOESPROG) sysopr(USER1,USER2) secadm(IBMUSER,SYSADM) access(DSNX@XAC) authid(DSN3@ATH) signon(DSN3@SGN)

DB2_ACCESS newlist (1)


Field Description LenACF2_RULE_ENTRY Complete rule entry 512ACF2_RULE_SUBJECT_MASK ACF2 rule subject mask 24ACF2_RULE_SUBJECT_TYPE ACF2 rule subject type 4C SAF Resource class 8CLASS SAF Resource class 8COMPLEX Complex name 8DB2_OBJECT_DATABASE Object database 128DB2_OBJECT_NAME Object name 128DB2_OBJECT_SCHEMA Object schema 128DB2_OBJECT_TYPE Object type 16DB2AUTH DB2 internal authority 3DB2AUTH_GRANT DB2 internal GRANT authority 3DB2AUTH_GRANTEE DB2 internal grantee 128DB2AUTH_GRANTOR DB2 internal grantor 128DB2AUTH_HOWGOT DB2 internal how got 1DB2AUTH_TIMESTAMP Grant timestamp 15DB2AUTH_TIMESTAMP_DB2 Grant timestamp 19DB2AUTH_USE DB2 internal USE authority 3DB2ID DB2 System identification 4DB2ZPRM DB2 install (ZPRM) authority 3GRANT Effective GRANT authority 3ID Permit id or mapped authid 8OBJECT_CLASS Object class 8OBJECT_RESOURCE Object resource name 39PRIVILEGE Privilege / action 17RESOURCE SAF Resource name 64SAF_DEFINED SAF protected object 3SYSTEM System name 8USE Effective USE authority 3USERID User id or grantee type 8VER Version from ALLOC 4WHEN_CLASS When condition class 8WHEN_CONDITION When condition/object 44

Covers all Db2 object typesdatabase, plan, table/view, userauth, zprm

Combines internal (DB2AUTH, DB2ZPRM) DB2AUTH_GRANTEE, DB2AUTH_HOWGOT

and external (SAF_DEFINED)CLASS, OBJECT_RESOURCE, USERID

One record for each ID, for each object, for each privilege

Sample CARLa: CKRDQDP

DB2_ACCESS newlist (2)


DB2I Object name Grantee Privilege DB1K

SYSCOLAUTH DSNACPRU

SELECT PUBLIC

SELECT SYSCOLDIST

DSNX7MON SELECT

PUBLIC DELETE SELECT UPDATE

RUNSTATS SELECT

newlist type=db2_access,title="Db2 internal security GRANTs"select db2_object_type=Table/View db2authsum db2id, * db2_object_name(32), * db2auth_grantee(12), * privilege count(nondispl)

or

select db2_object_type=Table/View,grantee=PUBLIC,privilegeSELECT

Write your own compliance test (intro)


DOMAIN dname SELECT(newlist type(field=value …))

RULE rname DOMAIN(dname) CAPTION(‘short desc’) DESC(‘long desc’) SET(sname)

TEST tname.1 type(field=value) DESC(‘description’)

TEST tname.2 type(field=value) OTHERWISE(,

TEST tname.3a type(field=value) (2020 Q2 SSE)

TEST tname.3b type(field=value))

TEST tname.4 type(field=value) NONCOMPLIANT

TEST tname.5 type(field=value) N/A

ENDRULE

Example: Db2 (production) region privileges


domain db2_prod_sysadm_privilege, select(db2_access(db2id=P*,

db2_object_type=userauth, privilege=sysadm)),

desc('SYSADM privilege granted, permitted or ZPARM')

rule db2_prod_sysadm_privilege, domain(db2_sysadm_privilege), caption('SYSADM priv'), desc('SYSADM should be tightly controlled')

test approved_SYSADM, db2_access(id=(SYSDBADM,PRODDBA)), desc('Unverified SYSADM privilege')

endrule

Example: Db2 access to RACF defined user/group only via SAF


domain db2_table_privs, select(db2_access(db2_object_type='table/view'))

rule db2_access_not_via_grant, domain(db2_table_privs),

desc('Security should be via external (SAF) rules') test GRANT_used,

db2_access(userid=(, -other-, -undef-, -pkg-, -plan-, -public-, -pubrmt-, -role-, -rvkdep-)),

desc('Internal security (GRANT) used to an internal id'), otherwise(,

test EXTERNAL db2_access(saf_defined) otherwise(, test INTERNAL db2_access(userid" ") noncompliant, desc('Internal security (GRANT) used to a RACF user or GROUP')))

endrule

SSE = Service Stream Enhancement

zSecure’s take on Continuous Delivery.

Planned packaging frequency is roughly quarterly.

Also separate APARs for urgent fixes or RFEs.


SSE has an APAR number, ships as one or more big PTFs


For zSecure 2.4.0:

2019 Q4: OA58799 OA58801 OA58802 OA58804

2020 Q1: OA59004 OA59006

2020 Q2: OA59807 OA59823 OA59861 OA59862

2020 Q4: OA60419 OA60420

Read slide 2 again

New functionality, round-up of fixes.

APARs for:

– CARLa engine and ISPF application

– ACF2 special features

– zSecure Client for CICS

– zSecure Command Verifier

How to find outabout SSEs


IBM Security Z Security GroupOn IBM CommunitiesBlogs section

Search the IBM Support pages

Follow links on the zSecure home pagezSecure today or Technotes: zSecure V2.4.0 documentation updates

Subscribe to product notifications in My Support

Did you know about theKnowledge Center?

https://community.ibm.com/community/user/security/communities/community-home?communitykey=44eb7c0d-9bc2-419b-9158-ad693e734065&tab=groupdetailshttps://community.ibm.com/community/user/security/communities/community-home/recent-community-blogs?communitykey=44eb7c0d-9bc2-419b-9158-ad693e734065&tab=recentcommunityblogsdashboardhttps://www.ibm.com/support/pages/ibmsearch?q=zsecure%20ssehttps://community.ibm.com/community/user/security/blogs/jeroen-tiggelman/2018/11/09/ibm-security-zsecure-todayhttps://www.ibm.com/support/pages/node/1075515https://www.ibm.com/systems/support/myview/subscription/css.wss/?locale=en_ZZhttps://www.ibm.com/mysupport/s/https://www.ibm.com/support/knowledgecenter/SS2RWS_2.4.0/com.ibm.zsecure.doc_2.4.0/welcome.html

DISA STIG automation


Focus for development team in zSecure 2.4

zSecure Collect reads and parses selected members from PARMLIB (2020 Q2 SSE)In addition to z/OS control blocks

zSecure Collect reads z/OS UNIX files to evaluate UNIX services (2020 Q4 SSE)

SENSTYPE values ending in _ for installation specified dsnames and module names

Many more STIG controls and more automated evaluations

2020 Q2 SSE find unusable data sets in MVS PARMLIB

Parse LPALSTxx, LNKLSTxx, IEALPAxx, IEAFIXxx, and PROGxx members selected by IPL parms and andnew sensitivity types to automate AAMV0325 and AAMV0350:

LPAnoDS / LPAnoMC / LPAnoMnt / LPAnoVar returned for LPALSTxx inaccessible data sets

LPAnoDS / LPAnoMC / LPAnoMnt / LPAnoVar returned for IEALPAxx inaccessible data sets

LPAnoDS / LPAnoMC / LPAnoMnt / LPAnoVar returned for IEAFIXxx inaccessible data sets

LPAnoDS / LPAnoCat / LPAnoMnt / LPAnoVar returned for PROGxx LPA statement inaccessible data sets

EXITnoDS / EXITnoCat / EXITnoMnt / EXITnoVar returned for PROGxx EXIT statement inaccessible data sets

LNKnoDS / LNKnoMC / LNKnoMnt / LNKnoVar returned for LNKLSTxx inaccessible data sets but only if there is no LNK(LST) ACTIVATE in PROGxx

LNKnoDS / LNKnoCat / LNKnoMnt / LNKnoVar returned for PROGxx LNK statement inaccessible data sets

noDS – Data set not in VTOC / noMC – Must be in master catalog but is not / noMnt – volume not mounted / noVar – variable name but not resolved

Licensed material © 2020 IBM Corporation

Configurable sensitivity types


Documented in Appendix of CARLa syntax manualending in _dsnames that can’t be determined automatically

SIMULATE CLASS=DATASET,SENSTYPE=SDSFinst_,RESOURCE=SYSPROG.BUILD.SDSF.**

ASSERT AS(CONFIG) CLASS(DATASET),SENSTYPE(SMFdmp_bkp_),RESOURCE(SMF.DAILY.**),VERSION(1)

Use in control members ACPCNFG, FTPCNFGor use AU.R.C, option Configuration of resource names

See “Preparation for CKACUST members” in URM

Using STIGs


Run evaluation, process “non compliant” results:

Look at test results to determine the applicable approve config members

Add user IDs and groups into named config member in CKACUST

Override test


If you disagree with a test, you can override the test decision:

Use O line command on the test:

Override for this resource (data set) is saved in ASSERT output file for future runs

Each resource (data set) needs a separate O action

OVERRIDE command


You can also use the OVERRIDE CARLa command

OVERRIDE TEST(1f.UACC_NONE),RULE_SET(ACP00110),AS(COMPLIANT) BY('Audit compliance manager'),ENDDATE(2021-12-31) VERSION(1)

Applies to any data set covered by this rule set

Or add RESOURCE(USER.LINKLIB) for more granularity (repeat for each applicable data set)

Execute OVERRIDE commands once with ASSERT file allocated

saved for future usereport using AU.R.H “History log”

Replace test


If you do not use ASSERT files:

Add to CKACUST(C2RG@IDF)or to member imbedded from C2RG@IDF

OVERRIDE TEST(1.interval_le_60),RULE_SET(RACF0580) VERSION(1),AS(COMPLIANT) BY('Audit compliance manager'),COMMENT('90 day password interval approved’)

Add to CKACUST(CKAG@INS):

imbed m=MYAGR580 /* password interval 90 */

Replace test


Add member CKACUST(MYAGR580):

imbed m=ckagr580 nodup

RULE MY_RACF0580_interactive_users,DOMAIN(RACF_interactive_userids), SET(RACF0580)

TEST 1.interval_le_90,racf(PASSINT_EFFECTIVE

Heads up


2020 Q4 SSE

Approve list for certificate labels, GLOBAL profilesDoes not fit in 72 positionsNew data set CKACUSV (variable length)

2 new SMPE target data setSCKACUST (FB: empty approve list members)SCKACUSV (VB: empty members)

CKAZCUST job no longer used to copy (new) empty members into CKACUST

CKAZSITE job to allocate (one time) the site CKACUST/CKACUSV data sets

Check you JCL if you run STIG reports in batch:

//ZSECROBT JOB ,ROB,MSGCLASS=Q,NOTIFY=&SYSUID //* //CKRCARLA EXEC PGM=CKRCARLA,MEMLIMIT=NOLIMIT//STEPLIB DD DISP=SHR,DSN=SYS1.CKR240.SCKRLOAD //CKRCARLA DD DISP=SHR,DSN=ZSECROB.WORK.CKACUST // DD DISP=SHR,DSN=ZSECROB.WORK.CARLA // DD DISP=SHR,DSN=ZSEC.TEAM.CKACUST // DD DISP=SHR,DSN=SYS1.CKR240.SCKACUST // DD DISP=SHR,DSN=SYS1.CKR240.SCKRCARL //CKA@CUST DD DISP=SHR,DSN=ZSECROB.WORK.CKACUST // DD DISP=SHR,DSN=ZSEC.TEAM.CKACUST // DD DISP=SHR,DSN=SYS1.CKR240.SCKACUST //CKA@CUSV DD DISP=SHR,DSN=ZSEC.TEAM.CKACUSV // DD DISP=SHR,DSN=SYS1.CKR240.SCKACUSV //SYSPRINT DD SYSOUT=* //CKREPORT DD SYSOUT=* //CKRCMD DD SYSOUT=* //CKR2PASS DD SYSOUT=*

Adapters for SIEM


Translate SMF records into structured syslog messages

40+ SMF record types supported out of the box

LEEF formatted for consumption by QRadar and SplunkCEF formatted for transmission to ArcSight

Also included with zSecure Audit

Real-time STC or batch job based

Using UDP (send and forget) or TCP (connection based)

TCP connect reliability


PTFs for APAR OA58509

Adds high availability support for TCP connections:

If primary node does not respond, send message to alternate node

Add keep alive messages:

Designed to keep path through firewall alive

Check member CKQSPECL for syntax clues

Destination QRadarHA, primary=MY.QRADAR.BOX, alternate=MY.FALLBACK.QRADAR.BOX

Option syslogtcp=QRadarHA

Option tcp_keepalive_interval=240 /* seconds */

zSecure Alert


Support to TCP Keep Alive option via SE.A.A – E line command

PTFs and SSEs


Be sure to read the documentation updates on Support Pages

Please submit your session feedback!

Do it online at http://conferences.gse.org.uk/2020/feedback/2AC

This session is 2AC

http://conferences.gse.org.uk/2020/feedback/nn

Notices and disclaimers


© 2018 International Business Machines Corporation. No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights — use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. This document is distributed “as is” without any warranty, either express or implied. In no event, shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted per the terms and conditions of the agreements under which they are provided.

IBM products are manufactured from new parts or new and used parts. In some cases, a product may not be new and may have been previously installed. Regardless, our warranty terms apply.”

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer follows any law.

36

Notices and disclaimerscontinued


Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products about this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products.Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM expressly disclaims all warranties, expressed or implied, including but not limited to, the implied warranties of merchantability and fitness for a purpose.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

IBM, the IBM logo, ibm.com and [names of other referenced IBM products and services used in the presentation] are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at: www.ibm.com/legal/copytrade.shtml.

37

http://www.ibm.com/legal/copytrade.shtml

© Copyright IBM Corporation 2019. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM’s current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

Follow us on:

ibm.com/security

securityintelligence.com

ibm.com/security/community

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

Thank you

https://www.ibm.com/security/mainframe-security/zsecure

https://www.ibm.com/us-en/marketplace/ibm-multifactor-authentication-for-zos

https://community.ibm.com/community/user/security/communities/zsecurity

https://www.ibm.com/securityhttps://securityintelligence.com/https://www.ibm.com/security/communityhttps://exchange.xforce.ibmcloud.com/https://twitter.com/IBMSecurity?ref_src=twsrc%5egoogle|twcamp%5eserp|twgr%5eauthorhttps://www.youtube.com/ibmsecurityhttps://www.ibm.com/security/mainframe-security/zsecurehttps://www.ibm.com/us-en/marketplace/ibm-multifactor-authentication-for-zoshttps://community.ibm.com/community/user/security/communities/zsecurity

Documents

zSecure 2.4 updateszSecure in batch jobs (3) Licensed material © 2020 IBM Corporation 8 JCLLIB tells MVS where to find C2R$PARM and C2RC members Use a dsname without version/release