zSecure Suite Version 2.1.0 Release Information

zSecure Suite Version 2.1 - IBM… · Chapter 1. What's new IBM® Security zSecure™ V2.1.0 enhances mainframe security intelligence and automates compliance auditing: • Extra


zSecure Suite Version 2.1.0

Release Information



Note: Before using this information and the product it supports, read the information in “Notices” on page 35.

September 2013

This edition applies to version 2, release 1, modification 0 of IBM Security zSecure products and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2013. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Chapter 1. What's new . . . . . . . . . . . . . . . . . . . . 1

Chapter 2. Release notes for IBM Security zSecure 2.1.0 . . . 3
  Documentation updates . . . . . . . . . . . . . . . . . . . 5
    CKGRACF option of the CKGRACF CMD command . . . . . . . . 6
    Digital certificates tabular display . . . . . . . . . . 7
    Layout change JOBCLASS . . . . . . . . . . . . . . . . . 8
    Line commands on profile displays . . . . . . . . . . . 9
    Messages . . . . . . . . . . . . . . . . . . . . . . . . 9
    Naming conventions . . . . . . . . . . . . . . . . . . 10
    NEWLIST TYPEs . . . . . . . . . . . . . . . . . . . . . 12
    Object property lookup . . . . . . . . . . . . . . . . 25
    PACKED numerical format . . . . . . . . . . . . . . . . 26
    RA.S SETTINGS - SETROPTS and class settings . . . . . . 27
    Scripts in the CARLa library . . . . . . . . . . . . . 27
    STANDARD command in the CARLa command reference . . . . 29
    SUPPRESS CKFREEZE . . . . . . . . . . . . . . . . . . . 30

Chapter 3. System requirements . . . . . . . . . . . . . . . 33

Notices . . . . . . . . . . . . . . . . . . . . . . . . . . 35
  Trademarks . . . . . . . . . . . . . . . . . . . . . . . 37

© Copyright IBM Corp. 2013 iii


iv Release Information


Chapter 1. What's new

IBM® Security zSecure™ V2.1.0 enhances mainframe security intelligence and automates compliance auditing:

• Extra IBM DB2® compliance analysis and reporting
• Ability to ease compliance reporting. This includes a user interface for the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) (DISA-STIG) for z/OS RACF and ACF2 and IBM outsourcing GSD331/iSeC, IBM's primary information security controls documentation for Strategic Outsourcing customers.
• Extra integration with IBM Security QRadar® Security Information and Event Manager. For example, the following Communications Server V2R1 events are now passed to IBM Security QRadar Security Information and Event Manager:
  – SMF 119-24 Telnet profile information (TN3270)
  – SMF 119-71 FTP daemon configuration data
• New digital certificates management for improved security and reduced complexity, including ease of creation, administration, customization of digital certificates and improved auditing
• Extensions to the Access Monitor component for user ID tracking and access simulation to support user and group ID usage reporting and access restructuring
• Currency with IBM z/OS® version 2 release 1
• zSecure Visual clients and servers can now operate in NIST 800-131A compliant mode. This standard uses cryptographic algorithms that provide better security than similar algorithms of earlier clients and servers.
• Various interface improvements, for example, in working with multiple systems simultaneously

For more information about the new functions, see “Announcement” on page 3.


Chapter 2. Release notes for IBM Security zSecure 2.1.0

IBM Security zSecure V2.1.0 is available. Read this document to find important installation information. You can also learn about compatibility issues, limitations, and known problems.

If you are upgrading from a version of IBM Security zSecure that is older than version 1.13.1, also see the Release Information for the versions that you skipped. You can retrieve the Release Information documents, starting with IBM Security zSecure version 1.13.1, and read starting with the oldest version: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.zsecure.doc_1.13.1/welcome.htm.

Contents

• “Announcement”
• “Compatibility with earlier versions”
• “System requirements”
• “Installing IBM Security zSecure”
• “Incompatibility warnings” on page 4
• “Limitations and known problems” on page 5
• “Documentation updates” on page 5

Announcement

The IBM Security zSecure V2.1.0 announcement (ENUS213-293) is available at http://www.ibm.com/common/ssi/index.wss. See the announcement for the following information:

• Prerequisites and technical information
• Terms and conditions and ordering details

Compatibility with earlier versions

IBM Security zSecure V2.1.0 no longer provides service for:

• z/OS version 1 release 10
• IBM Information Management System (IMS™) version 10
• Omegamon on z/OS version 4 release 1
• Microsoft Windows XP or Vista

System requirements

For information about hardware and software compatibility, see the detailed system requirements document at Chapter 3, “System requirements,” on page 33.

Installing IBM Security zSecure

For installation instructions, see the following topics:

• "Program directories" at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.zsecure.doc_2.1/landing/programdirectory.html


• "Installation and deployment" at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.zsecure.doc_2.1/landing/landing/installandconfig.html
• "zSecure CICS Toolkit" at http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.zsecure.doc_2.1/landing/cics_tk.html
• "zSecure Command Verifier" at http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.zsecure.doc_2.1/landing/cmd_ver.html
• "zSecure Visual Client" at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.zsecure.doc_2.1/landing/landing/visualclient.html

Incompatibility warnings

Installation and deployment

Visual server version 2.1 can be configured to work with older client versions, but older versions of the Visual server (version 1.13.1 and lower) cannot be configured to work with version 2.1 of the Visual client. The following rules and exceptions apply:

• Version 2.1 clients cannot communicate with version 1.13.1 (and lower) servers.
• Version 1.13.1 (and lower) clients that are not NIST 800-131A-enabled cannot be configured for V2.1 servers.
• Version 1.13.1 (and lower) clients that are already configured for a version 1.13.1 (or lower) server can continue to use the server after the server is upgraded, if the server is not reinitialized.

The NIST 800-131A cryptography standard succeeded the FIPS 140-2 standards. If you are upgrading, do not set C2RW131A to ON until all clients are upgraded to at least the 2.1 level of the zSecure Visual client software, and then have their certificates upgraded during the client/server connection. See "Installation and deployment" at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.zsecure.doc_2.1/landing/landing/installandconfig.html.

Administration and operation

SIM_VIA field for NEWLIST TYPE=ACCESS
The default output length for this field increased from 8 to 10.

CLASS field for NEWLIST TYPE=JOBCLASS
The default output length for this field increased from 1 to 8.

Field value manipulation: PARSE behavior
In previous releases, if the end delimiter (end separator) was specified but not found, the result was empty. Now the end delimiter is optional, and the result is empty only if there is another reason for it.

Reporting

Date format change for DB2 NEWLIST TYPEs
Effective with IBM Security zSecure V2.1.0, the default output length of some DB2 NEWLIST TYPEs changed from 13 to 15. The date format changed to ddMMMyyyy hh:mm. These changes avoid ambiguity between the month and year values. Reports show as much information as possible in the available output length. As a result, the output for the following fields that are generated by IBM Security zSecure V2.1.0 might be different from reports that are generated with Security zSecure V1.13.1 and earlier:


Table 1. DB2 NEWLIST types and fields that have date and time information

NEWLIST TYPE   Field
DB2_PACKAGE    BIND_TIMESTAMP
DB2_PLAN       BIND_TIMESTAMP
DB2_TABLE      ALTER_TIMESTAMP
DB2_TABLE      CREATE_TIMESTAMP

Limitations and known problems

At the time of publication, there are no limitations or known problems to report for IBM Security zSecure V2.1.0.

Limitations and problems that arise after publication of this Release Information document are documented in technotes. Therefore, regularly scan for updates on IBM Security zSecure at http://www.ibm.com/search/csass/search?q=zSecure&;sn=spe&;lang=en&;filter=collection:stgsysx,dblue,ic,pubs,devrel1&;prod=V008058Y19555A42#q%253dzSecure%2526filter%253d%252bibmcontenttypeid%253aCT741%2520%252bcollection%253astgsysx%252cdblue%252cic%252cpubs%252cdevrel1%2526prod%253dV008058Y19555A42~0%2526sn%253dspe%2526lang%253den%2526sortby%253d%2526o%253d0.

Documentation updates

For information about documentation updates, see “Documentation updates.”

Documentation updates

This section contains message updates and documentation updates for IBM Security zSecure V2.1.0 User Reference Manuals.

• “CKGRACF option of the CKGRACF CMD command” on page 6
• “Digital certificates tabular display” on page 7
• “Layout change JOBCLASS” on page 8
• “Line commands on profile displays” on page 9
• “Messages” on page 9
• “Naming conventions” on page 10
• NEWLIST TYPEs:
  – “NEWLIST TYPE=CICS_PROGRAM: CICS programs” on page 12
  – “NEWLIST TYPE=CICS_REGION: CICS regions” on page 12
  – “NEWLIST TYPE=CICS_TRANSACTION: CICS transactions” on page 13
  – “NEWLIST TYPE=ICSF_TOKEN: Token and certificate data from TKDS” on page 13
  – “NEWLIST TYPE=ID: User IDs and groups” on page 14
  – “NEWLIST TYPE=IMS_PSB: IMS program specification blocks” on page 14
  – “NEWLIST TYPE=IMS_TRANSACTION: IMS transactions” on page 14
  – “NEWLIST TYPE=IP_FTP_REGION: FTP daemon settings” on page 15
  – “NEWLIST TYPE=IP_TELNET_PORT: TelnetParms settings” on page 15
  – “NEWLIST TYPE=JOBCLASS: JES2 job classes” on page 17
  – “NEWLIST TYPE=RACF: RACF profiles” on page 18


  – “NEWLIST TYPE=RACF_ACCESS_ID: User IDs and groups” on page 18
  – “NEWLIST TYPE=SMF: SMF record types” on page 18
  – “NEWLIST TYPE=SYSTEM: System-wide options” on page 25
• “Object property lookup” on page 25
• “PACKED numerical format” on page 26
• “RA.S SETTINGS - SETROPTS and class settings” on page 27
• “Scripts in the CARLa library” on page 27
• “STANDARD command in the CARLa command reference” on page 29
• “SUPPRESS CKFREEZE” on page 30

CKGRACF option of the CKGRACF CMD command

This topic describes the changes for section "CKGRACF command reference" in the "CKGRACF Command Language" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

• IBM Security zSecure Admin and Audit for RACF User Reference Manual

The following information was changed in the "CMD" section to include the CKGRACF command:

The CMD command is used to run or queue native RACF® commands. The command is also used to send CKGRACF commands to other zSecure nodes. The CMD can take the following forms:

• CMD ASK
• CMD REQUEST
• CMD EXECUTE

The CMD ASK and REQUEST forms use the CKGRACF defined scope and multiple-authority possibilities. See the "USER" section. The CMD EXECUTE command form uses the RACF scope.

The REMOVE, CONNECT, and PERMIT commands can also be reversed after a certain time period.

The CMD command has the following syntax:

CMD [ options ] command

options   Any CMD option; see below
command   Any valid and supported RACF (or CKGRACF) command (may be continued on the next line by a trailing +)

A trailing plus sign (+) is used to indicate that the RACF (or CKGRACF) command is continued on the next line, called a "continuation line." Blanks after a trailing plus sign and at the beginning of continuation lines are ignored. Significant blanks must be placed in front of a trailing plus sign.

The action EXECUTE runs the command under the current userid, with the user's own permissions. Most RACF commands, the CKGRACF command, and HELP can be run in this manner. A notable exception is the RVARY command.

The following information was added to the "Command access checks for CKGRACF CMD" table:

Table 2. Command access checks for CKGRACF CMD

Command   Action    Resource name checked     Access required
CKGRACF   EXECUTE   CKG.CMD.CMD.EX.CKGRACF    UPDATE

The following information was added to the "Restrictions" section:

CKGRACF is allowed only in a CMD command with the NODE(node) option.

The following information was removed from the "Restrictions" section:

CKGRACF can be employed only in a CMD command if the command has a NODE(node) option.

Digital certificates tabular display

This topic describes the changes for section "Digital certificates tabular display" in the "RACF Administration Guide" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

• IBM Security zSecure Admin and Audit for RACF User Reference Manual

The following information was changed:

By scrolling to the right, more fields are displayed:

Field                         Description
Subject's distinguished name  The distinguished name of the subject of the certificate. For example, the user for whom the certificate was issued.
Serial number                 The serial number of the certificate.
Key Type                      The type of the private key, which is stored in this digital certificate.
Size                          The size of the private key, which is stored in this digital certificate.
PKDS                          When the private key is stored in the PKDS, the PKDS label is displayed on the detail display.
TKDS                          When the private key is stored in the TKDS, the TKDS label is displayed on the detail display.
Issuer's distinguished name   The distinguished name of the issuer of the certificate.


Descriptions of the new fields were added to the "Digital certificates detail display fields" table:

Table 3. Digital certificates detail display fields

Field             Description
Ring name         A list of full names (userid and keyringname) of the keyrings to which this digital certificate is connected.
PKDS token label  Label of the PKDS entry if the private key is stored in the PKDS.
TKDS token label  Label of the TKDS entry if the private key is stored in the TKDS.

zSecure Suite DIGTCERT CERTDATA segments                          Line 1 of 32
Command ===> ______________________________________________ Scroll===> CSR_
All certificates                                            29 Dec 2004 01:50
Digital certificate labels                         forConnectSITE  User  Tru
_ irrsitec                                                         Yes
  Subject's distinguished name    CN=forConnectSITE
  Issuer's distinguished name     CN=forConnectSITE
  Serial number                   00
_ CERTDATA segment                PROD
  Certificate startdate           5Sep2000 22:59
  Certificate enddate             6Sep2001 22:59
  Private Key Type                non-ICSF
  Private Key Size                0000
  Certificate lser                0000
  subjectAltName extension
  Certificate AltName email
  Certificate AltName domain
  Certificate AltName IP addr
  Certificate AltName URI
  keyUsage extension
  RACF format                     CERTSIGN
  X509 format                     keyCertSign cRLSign
  Ringname
_ CERT005.ring                    forConnectSITE
  Key data set label information
  PKDS token label
  TKDS token label
******************************* BOTTOM OF DATA ********************************

Figure 1. Digital certificates detail display panel

Layout change JOBCLASS

This topic describes the changes for section "Auditing Job Classes" in the "System Audit Guide" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

• IBM Security zSecure Admin and Audit for RACF User Reference Manual
• IBM Security zSecure Audit for ACF2 User Reference Manual
• IBM Security zSecure Audit for Top Secret User Reference Manual

The job class overview display panel was updated:

JES2 Job Class parameters (e.g. MVS command auth / BLP)           Line 1of 36
Command ===> _________________________________________________ Scroll===> CSR_
                                                            22 Jul 2013 00:45
Complex   System  Subsys  Classes  Audit concerns  Priority
NMPIPL84  IPO1    JES2         36              36        20
    Pri Class Command  Auth commands BLP HOLD ACCT Time      Regio SWA   PL
s_  20  A     DISPLAY  ALL           BLP           000060,00 0001M BELOW 00
__  20  B     DISPLAY  ALL           BLP           000060,00 0001M BELOW 00
__  20  C     DISPLAY  ALL           BLP           000060,00 0001M BELOW 00
__  20  D     DISPLAY  ALL           BLP           000060,00 0001M BELOW 00
__  20  E     DISPLAY  ALL           BLP           000060,00 0001M BELOW 00
__  20  I     DISPLAY  ALL           BLP           000060,00 0001M BELOW 00
__  20  S     DISPLAY  ALL           BLP           000060,00 0001M BELOW 00
__  15  F     VERIFY   ALL                         000030,00 0001M BELOW 00
__  15  G     VERIFY   ALL                         000030,00 0001M BELOW 00
__  15  H     VERIFY   ALL                         000030,00 0001M BELOW 00
__  15  J     VERIFY   ALL                         000030,00 0001M BELOW 00
__  15  K     VERIFY   ALL                         000030,00 0001M BELOW 00
__  15  L     VERIFY   ALL                         000030,00 0001M BELOW 00
__  15  M     VERIFY   ALL                         000030,00 0001M BELOW 00
__  15  N     VERIFY   ALL                         000030,00 0001M BELOW 00
__  15  O     VERIFY   ALL                         000030,00 0001M BELOW 00
__  15  P     VERIFY   ALL                         000030,00 0001M BELOW 00

Line commands on profile displays

This topic describes the changes for section "Line commands on profile displays" in the "RACF Administration Guide" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

• IBM Security zSecure Admin and Audit for RACF User Reference Manual

D or DD - Delete
The following information was added:

To make it easier for you to delete profiles, users, or groups across RACF databases, the D line command is also available on summary levels that contain the profiles, users, or groups where the individual profile level contains the complex.

Messages

This topic describes the changes for the IBM Security zSecure Messages Guide.

Applies to:

• IBM Security zSecure Messages Guide

The following information was changed in the Messages Guide:

CKN223I Negotiated TLS cipher cipher is not compliant with NIST 800-131A

Explanation: This message indicates that the negotiated TLS cipher cipher is not compliant with NIST Special Publication 800-131A.

User response: See the Cipher Suite Definitions topic in z/OS Cryptographic Services System SSL Programming for a description of the cipher. Specify a list of NIST 800-131A-compliant ciphers in the AT-TLS policy rules with the TTLSCipherParms statement.

Severity: 04

CKN900I IDENTIFY RC=rc for task taskaddr

Explanation: The IDENTIFY service returned the indicated rc for the indicated task.

Severity: 00

C2P0702I address hexdata *chardata*

Explanation: This message is issued multiple times. These messages show internal diagnostic data. The value address shows only the last four digits of the address. The complete address is shown in message C2P0701I.

C2P0703I address hexdata *chardata*

Explanation: This message shows internal diagnostic data. It is issued if the hexdata does not fill the complete 16 bytes of hexdata. More data is shown as trailing zeros. The value address shows only the last four digits of the address. The complete address is shown in message C2P0701I.

CKR2444 RULE_SET name DESCription is longer than 132 characters and might be truncated

Explanation: This message indicates that the RULE_SET description might be truncated in the report output because of its length. This same message can also apply to RULE, if no RULE_SET is specified.

Severity: 00

CKR2445 SET(setname) was specified, but no RULE_SET setname exists

Explanation: A SET(setname) was specified in the RULE statement but no RULE_SET with the same name exists.

Severity: 12

Naming conventions

This topic describes the changes for section "Using the scripts in the IBM Security zSecure CARLa library" in the "Calling zSecure" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

• IBM Security zSecure Admin and Audit for RACF User Reference Manual
• IBM Security zSecure Audit for ACF2 User Reference Manual
• IBM Security zSecure Audit for Top Secret User Reference Manual

In the "Naming conventions" section, the following information was added to the "Product prefixes for CARLa scripts" table:

Table 4. Product prefixes for CARLa scripts

Prefix  Component or feature
CKT     zSecure Audit for Top Secret


The following new sections were added:

• “Naming conventions for DISA STIG SCKRCARL members”
• “Naming conventions for GSD members” on page 12

Naming conventions for DISA STIG SCKRCARL members

The last four characters of the SCKRCARL member are reserved and used to uniquely identify the controls or rules of a standard. The design is as shown in Table 5. Beginning with the fifth character, the IDs in the table define specific compliance control members. For example, in the IFTP0xxx rule identifier, the letter F is in the fifth position of the member name CKAGFxxx.

Note: This convention does not cover TSSxxxx controls from TSS STIG.

Table 5. Naming convention for RACF STIG, ACF2 STIG, and TSS STIG SCKRCARL members

Rule Identifier  Category               Category ID
AAMV0xxx         Audit Management       M
ACF0xxx          ACF2                   A
ACP0xxx          Access Control         C
IFTP0xxx         FTP                    F
ISLG00xx         Syslog Daemon          SD
ITCP00xx         TCP                    TC
ITNT00xx         Telnet                 TN
IUTN00xx         UNIX Server            IU
RACF0xxx         RACF*                  R*
ZCIC00xx         CICS®                  CI
ZDBM0010         DBMS                   DB
ZFEP00           FEP                    FE
ZIDM00xx         IDMS                   ID
ZJES00xx         JES                    JE
ZSMS00xx         SMS                    SM
ZTSO00xx         TSO                    TS
ZUSS00xx         UNIX (Access control)  ZU
ZVTM00xx         VTAM®                  VT
ZWAS00xx         WAS                    WA
WMQ00xx          WebSphere MQ           WM
ZCICR0xx         CICS REGION            CR

If x = 2 digits (xx), the first 2 characters identify the rule category, that is, the category ID. The last 2 characters identify the rule number (xx).

If x = 3 digits (xxx), the first character identifies the category ID. The remaining characters identify the rule number.

* CKAG* of RACF STIG members also apply to ACF2 STIG and TSS STIG if they are common to all the three Standards.


Naming conventions for GSD members

Every rule name is specified in the following form: F.x.y.z.w

The member name covers positions F through z. For example, the rule F.1.4.3.1 is in the CKAO143 member.

GSD control identifiers are used to uniquely identify GSD control members. Sometimes several GSD controls are merged into one member when the controls are interrelated and their control IDs exceed 4 characters. In this case, the first four characters of the control ID are used for naming the SCKRCARL member. For example, rules F.1.8.48.1, F.1.8.48.2, F.1.8.48.3, F.1.8.48.4, and F.1.8.48.5 are listed in the control member named CKAO1848.
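The two naming conventions above (Table 5 for DISA STIG members and the F.x.y.z.w form for GSD members), carried through as an added example that is not code from the IBM document or the zSecure product. The category table is copied from Table 5; the product prefixes CKAG and CKAO are the ones the text shows, and the fixed parts assumed for ZDBM0010 and ZFEP00 are noted in the code.

```python
"""Derive SCKRCARL member names from compliance rule identifiers.

Added example, not code from the IBM document. It encodes the two naming
conventions the release notes describe: Table 5 for DISA STIG members and
the F.x.y.z.w form for GSD members. Prefixes are the ones the text shows
(CKAG for RACF STIG members, CKAO for GSD members); any other four-character
product prefix can be passed in.
"""
import re

# Fixed part of each rule identifier from Table 5 -> category ID. The
# characters after the fixed part are the rule number (xxx or xx). ZDBM0010
# is listed as a single rule, so ZDBM00 is assumed to be its fixed part;
# ZFEP00 is listed without rule digits and is assumed to use the two-digit
# form like its neighbours.
STIG_CATEGORIES = {
    "AAMV0": "M",    # Audit Management
    "ACF0": "A",     # ACF2
    "ACP0": "C",     # Access Control
    "IFTP0": "F",    # FTP
    "ISLG00": "SD",  # Syslog Daemon
    "ITCP00": "TC",  # TCP
    "ITNT00": "TN",  # Telnet
    "IUTN00": "IU",  # UNIX Server
    "RACF0": "R",    # RACF
    "ZCIC00": "CI",  # CICS
    "ZDBM00": "DB",  # DBMS (assumed fixed part, see above)
    "ZFEP00": "FE",  # FEP  (assumed two-digit form, see above)
    "ZIDM00": "ID",  # IDMS
    "ZJES00": "JE",  # JES
    "ZSMS00": "SM",  # SMS
    "ZTSO00": "TS",  # TSO
    "ZUSS00": "ZU",  # UNIX (Access control)
    "ZVTM00": "VT",  # VTAM
    "ZWAS00": "WA",  # WAS
    "WMQ00": "WM",   # WebSphere MQ
    "ZCICR0": "CR",  # CICS REGION
}

GSD_RULE = re.compile(r"^F\.(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def _check_prefix(prefix):
    # A member name is at most 8 characters: a 4-character product prefix
    # plus the 4 reserved characters that identify the control or rule.
    if len(prefix) != 4 or not prefix.isalnum():
        raise ValueError("product prefix must be 4 alphanumeric characters")


def stig_member(rule_id, prefix="CKAG"):
    """Map a STIG rule identifier to its SCKRCARL member name.

    IFTP0012 -> CKAGF012 (1-character category ID + 3-digit rule number)
    ISLG0003 -> CKAGSD03 (2-character category ID + 2-digit rule number)
    TSSxxxx controls are outside the convention and are rejected.
    """
    _check_prefix(prefix)
    rule_id = rule_id.upper()
    for fixed, category in STIG_CATEGORIES.items():
        if rule_id.startswith(fixed):
            number = rule_id[len(fixed):]
            width = 4 - len(category)  # exactly 4 reserved characters
            if len(number) != width or not number.isdigit():
                raise ValueError(
                    f"{rule_id}: expected a {width}-digit rule number after {fixed}")
            return prefix + category + number
    raise ValueError(f"{rule_id}: not a rule identifier covered by Table 5")


def gsd_member(rule_name, prefix="CKAO"):
    """Map a GSD rule name F.x.y.z.w to its SCKRCARL member name.

    The member covers positions F through z, so F.1.4.3.1 -> CKAO143. Only
    the first four characters of the control ID fit in the member name, so
    interrelated controls such as F.1.8.48.1 to F.1.8.48.5 all map to
    CKAO1848 and are listed in that one member.
    """
    _check_prefix(prefix)
    match = GSD_RULE.match(rule_name.strip().upper())
    if not match:
        raise ValueError(f"{rule_name}: expected the form F.x.y.z.w")
    x, y, z, _w = match.groups()
    control_id = x + y + z
    return prefix + control_id[:4]


def members_for(rule_names, prefix="CKAO"):
    """Group GSD rule names by the member that implements them, so a
    reviewer can see which controls share a single member."""
    grouped = {}
    for name in rule_names:
        grouped.setdefault(gsd_member(name, prefix), []).append(name)
    return grouped


if __name__ == "__main__":
    for rid in ("IFTP0012", "ISLG0003", "RACF0040", "ZCICR001"):
        print(rid, "->", stig_member(rid))
    print(members_for(["F.1.4.3.1"] + [f"F.1.8.48.{i}" for i in range(1, 6)]))
```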

NEWLIST TYPEs

NEWLIST TYPE=CICS_PROGRAM: CICS programs

This topic describes the changes for section "CICS_PROGRAM: CICS programs" in the "SELECT/LIST fields" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

• IBM Security zSecure Admin and Audit for RACF User Reference Manual
• IBM Security zSecure Audit for ACF2 User Reference Manual
• IBM Security zSecure Audit for Top Secret User Reference Manual

The following information was added to the introduction:

If ESM security is used and scoping applies due to restricted mode or use of the NEWLIST SCOPE= parameter, output is limited to transactions to which the user has at least READ access. If the result of the access control simulation is "unknown" (SAF RC4), the transaction is suppressed. If either of the SEC_ESM or SEC_TRN settings is false, no suppression is done.

The following field was added to the field descriptions:

CATEGORY
The security category of the transaction (typically called CAT1, CAT2, or CAT3) as a decimal number:

1  The transaction is only meant to be run by the region user ID.
2  The transaction must be protected because it might bypass some form of security.
3  The transaction is usable by everybody and no security check is done to prevent execution.

NEWLIST TYPE=CICS_REGION: CICS regions

This topic describes the changes for section "CICS_REGION: CICS regions" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

• IBM Security zSecure Admin and Audit for RACF User Reference Manual
• IBM Security zSecure Audit for ACF2 User Reference Manual
• IBM Security zSecure Audit for Top Secret User Reference Manual


The following field was added:

PROPCNTL
This flag field indicates whether automatic propagation of the (highly authorized) CICS region user ID to batch jobs submitted from CICS is prevented. This field is only present if the external security monitor is RACF.

If it is false, a risk exists that users can increase their authority. For instance, by triggering a print job with some extra 'baggage' that then runs with the authority of the CICS region instead of the presumably much lower authority of the user. The SAF class PROPCNTL was introduced to mitigate this risk.

For the propagation protection to be effective, the following three conditions must be true and they must be tested before you set the flag to true:

• The PROPCNTL class must be active and RACLISTed, and
• The CICS region user ID must be covered by a profile in that class, and
• This profile can be generic only if GENERIC is active for the class.
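The three PROPCNTL conditions above, evaluated as an added example that is not code from the IBM document or the zSecure product. ClassState is a constructed snapshot of the class's SETROPTS status and profile names, and the generic-profile matcher is a simplified model (% is one character, * or ** is any run) rather than RACF's full matching algorithm.

```python
"""Evaluate the three PROPCNTL conditions for a CICS region user ID.

Added example, not code from the IBM document or the zSecure product. It
models the check the release notes describe for the CICS_REGION PROPCNTL
flag: the PROPCNTL class must be active and RACLISTed, the region user ID
must be covered by a profile in that class, and a generic profile counts
only if GENERIC is active for the class. ClassState is a constructed
snapshot; the generic matcher is a simplified model, not RACF's algorithm.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ClassState:
    """Constructed view of one RACF general resource class (here PROPCNTL)."""
    active: bool
    raclisted: bool
    generic: bool
    profiles: List[str] = field(default_factory=list)


def is_generic(profile: str) -> bool:
    return any(c in profile for c in "*%")


def profile_matches(profile: str, userid: str) -> bool:
    """PROPCNTL profile names are user IDs, which have no qualifiers, so a
    single-qualifier rule is enough: % matches exactly one character, * and
    ** match any run of characters. Discrete names must match exactly."""
    pattern = "".join(
        "." if c == "%" else ".*" if c == "*" else re.escape(c)
        for c in profile.upper()
    )
    return re.fullmatch(pattern, userid.upper()) is not None


def propcntl_flag(cls: ClassState, region_userid: str) -> Tuple[bool, List[str]]:
    """Return (flag, findings). flag is True only when all three conditions
    hold; findings names each condition that fails, so an auditor can see why
    jobs submitted from this region would still inherit its authority."""
    findings: List[str] = []
    userid = region_userid.upper()
    if not cls.active:
        findings.append("PROPCNTL class is not active")
    if not cls.raclisted:
        findings.append("PROPCNTL class is not RACLISTed")

    discrete = [p for p in cls.profiles if not is_generic(p) and p.upper() == userid]
    generic = [p for p in cls.profiles if is_generic(p) and profile_matches(p, userid)]
    if discrete:
        pass  # a discrete profile covers the region regardless of GENERIC
    elif generic and not cls.generic:
        findings.append(
            f"{userid} is covered only by generic profile(s) {generic} "
            "but GENERIC is not active for PROPCNTL")
    elif not generic:
        findings.append(f"no PROPCNTL profile covers {userid}")
    return (not findings, findings)


def audit_regions(cls: ClassState, region_userids) -> Dict[str, Tuple[bool, List[str]]]:
    """Run the check for several region user IDs: {userid: (flag, findings)}."""
    return {u.upper(): propcntl_flag(cls, u) for u in region_userids}


if __name__ == "__main__":
    # Constructed sample: GENERIC active, one discrete and one generic profile.
    state = ClassState(active=True, raclisted=True, generic=True,
                       profiles=["CICSPROD", "CICST*"])
    for userid, (ok, why) in audit_regions(
            state, ["CICSPROD", "CICST01", "CICSDEV"]).items():
        print(userid, "propagation prevented" if ok else "; ".join(why))
```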

NEWLIST TYPE=CICS_TRANSACTION: CICS transactions

This topic describes the changes for section "CICS_TRANSACTION: CICS transactions" in the "SELECT/LIST fields" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

• IBM Security zSecure Admin and Audit for RACF User Reference Manual
• IBM Security zSecure Audit for ACF2 User Reference Manual
• IBM Security zSecure Audit for Top Secret User Reference Manual

The following information was added to the introduction:

If ESM security is used and scoping applies due to restricted mode or use of the NEWLIST SCOPE= parameter, output is limited to programs to which the user has at least READ access. If the result of the access control simulation is "unknown" (SAF RC4), the program is suppressed. If either of the SEC_ESM or SEC_PPT settings is false, no suppression is done.

NEWLIST TYPE=ICSF_TOKEN: Token and certificate data from TKDS

This topic describes the changes for section "ICSF_TOKEN: Token and certificate data from TKDS" in the "SELECT/LIST fields" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

• IBM Security zSecure Admin and Audit for RACF User Reference Manual
• IBM Security zSecure Audit for ACF2 User Reference Manual
• IBM Security zSecure Audit for Top Secret User Reference Manual

The following field description was changed:

RESOURCE
This field contains the resource names used to protect the token. For each token, there are several resources in the CRYPTOZ class for controlling access to tokens:

• The resource USER.token-name controls the access of the User role to the token.
• The resource SO.token-name controls the access of the Security Officer (SO) role to the token.
• The resource CLEARKEY.token-name controls the authority to create clear keys for the token.

The RESOURCE field forms a repeat group with CLASS. By displaying the fields CLASS RESOURCE on the detail display panel, the action command S is activated to show how the resource is protected.

NEWLIST TYPE=ID: User IDs and groups

This topic describes the changes for section "ID: User IDs and groups" in the "SELECT/LIST fields" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

• IBM Security zSecure Admin and Audit for RACF User Reference Manual
• IBM Security zSecure Audit for ACF2 User Reference Manual
• IBM Security zSecure Audit for Top Secret User Reference Manual

The following information was added to the introduction:

The ID NEWLIST (NEWLIST TYPE=ID) is used to link together information for a security ID. It is constructed so that a lookup can be done from ID to TYPE=RACF or TYPE=ACF2_LID, both in SELECT/EXCLUDE processing and in output commands (LIST, SORTLIST, DISPLAY, SUMMARY, and DISPLAYSUMMARY). Conversely, the NEWLIST TYPEs from which a lookup to ID can be done are RACF_ACCESS, RACF_ACCESS_ID, REPORT_STC, REPORT_SCOPE, and REPORT_PROFILE.

The number of records that are shown in this NEWLIST can vary with the fields requested.

For some fields, a CKFREEZE file is required.

NEWLIST TYPE=IMS_PSB: IMS program specification blocksThis topic describes the changes for section "IMS_PSB: IMS program specificationblocks" in the "SELECT/LIST fields" chapter of the IBM Security zSecure UserReference Manual.

Applies to:

v IBM Security zSecure Admin and Audit for RACF User Reference Manual

v IBM Security zSecure Audit for ACF2 User Reference Manual

v IBM Security zSecure Audit for Top Secret User Reference Manual

The following information was added to the introduction:

If ESM security is used and scoping applies due to restricted mode or use of the NEWLIST SCOPE= parameter, output is limited to programs to which the user has at least READ access. If the result of the access control simulation is "unknown" (SAF RC4), the program is shown.

NEWLIST TYPE=IMS_TRANSACTION: IMS transactions

This topic describes the changes for section "IMS_TRANSACTION: IMS transactions" in the "SELECT/LIST fields" chapter of the IBM Security zSecure User Reference Manual.

Applies to:


v IBM Security zSecure Admin and Audit for RACF User Reference Manual

v IBM Security zSecure Audit for ACF2 User Reference Manual

v IBM Security zSecure Audit for Top Secret User Reference Manual

The following information was added to the introduction:

If ESM security is used and scoping applies due to restricted mode or use of the NEWLIST SCOPE= parameter, output is limited to transactions to which the user has at least READ access. If the result of the access control simulation is "unknown" (SAF RC4), the transaction is shown.

NEWLIST TYPE=IP_FTP_REGION: FTP daemon settings

This topic describes the changes for section "IP_FTP_REGION: FTP daemon settings" in the "SELECT/LIST fields" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

v IBM Security zSecure Admin and Audit for RACF User Reference Manual

v IBM Security zSecure Audit for ACF2 User Reference Manual

v IBM Security zSecure Audit for Top Secret User Reference Manual

The following field was added:

JOBID

This field contains the JES job ID of the FTP daemon. The default width is 8 characters.

NEWLIST TYPE=IP_TELNET_PORT: TelnetParms settings

This topic describes the changes for section "IP_TELNET_PORT: TelnetParms settings" in the "SELECT/LIST fields" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

v IBM Security zSecure Admin and Audit for RACF User Reference Manual

v IBM Security zSecure Audit for ACF2 User Reference Manual

v IBM Security zSecure Audit for Top Secret User Reference Manual

The following fields were removed:

v ALLOWAPPL_LU

v RESTRICTAPPL_LU

v RESTRICTAPPL_LUG

The following fields were added to the field descriptions:

ALLOWAPPL_LU_GROUP

The name of an LUGROUP or PRTGROUP specified on an ALLOWAPPL LUG parameter. This maps the application to an LUGROUP or PRTGROUP, where any LU in the group can be used to establish a session with the named VTAM host application. If the same name defines both an LUGROUP and a PRTGROUP, the LUGROUP is used. The group can be a new group that consists of a combination of names or range list names from existing LUGROUPs and PRTGROUPs. This allows both terminals and printers to be on the same ALLOWAPPL statement. This field is part of the ALLOWAPPL_* repeat group. The field has a default and maximum width of 8.


ALLOWAPPL_LU_RULE

This eight-character field represents the rangerule that is specified to describe the LU range. It is 'FFFFFFFF' if the range contains only a single LU. This field is part of the ALLOWAPPL_* repeat group. The rangerule selects, per character position, which variant of wildcard applies. For example, in TCP000A0..TCP9F$ZZ..FFFNX?AB the rangerule FFFNX?AB describes the LU range from TCP000A0 to TCP9F$ZZ, where each position is one of:

F The position is fixed and does not change.

A Alphabetic range.

N Numeric range.

B Alphanumeric range.

X Hexadecimal range.

? Alphanumeric, including national characters @, #, and $.

ALLOWAPPL_LU_BEGIN

LowerRange of the LU name span. This field is part of the ALLOWAPPL_* repeat group. The field has a default and maximum width of 8.

v LowerRange must be lower than UpperRange.

v The lengths of LowerRange, UpperRange, and rangerule must be the same, and each must be less than or equal to eight characters.

v All LUs in the range must be valid and defined to VTAM for a successful session.

v The number of LU names in one range is limited to 4,294,967,295. The total number of LU names in the group is also limited to 4,294,967,295. Storage is not used until the LU name is assigned to the connection.

ALLOWAPPL_LU_END

UpperRange of the LU name span. This field is part of the ALLOWAPPL_* repeat group. The field has a default and maximum width of 8.

v UpperRange must be greater than LowerRange.

v The lengths of LowerRange, UpperRange, and rangerule must be the same, and each must be less than or equal to eight characters.

v All LUs in the range must be valid and defined to VTAM for a successful session.

v The number of LU names in one range is limited to 4,294,967,295. The total number of LU names in the group is also limited to 4,294,967,295. Storage is not used until the LU name is assigned to the connection.

RESTRICTAPPL_LU_GROUP

The name of an LUGROUP or PRTGROUP specified on a RESTRICTAPPL LUG parameter. This restricts the application to an LUGROUP or PRTGROUP, where any LU in the group can be used to establish a session with the named VTAM host application. If the same name defines both an LUGROUP and a PRTGROUP, the LUGROUP is used. The group can be a new group that consists of a combination of names or range list names from existing LUGROUPs and PRTGROUPs. This allows both terminals and printers to be on the same RESTRICTAPPL-USER statement. This field is part of the RESTRICTAPPL_* repeat group. The field has a default and maximum width of 8.

RESTRICTAPPL_LU_RULE

This eight-character field represents the rangerule that is specified to describe the LU range. It is 'FFFFFFFF' if the range contains only a single LU. This field is part of the RESTRICTAPPL_* repeat group. The rangerule selects, per character position, which variant of wildcard applies. For example, in TCP000A0..TCP9F$ZZ..FFFNX?AB the rangerule FFFNX?AB describes the LU range from TCP000A0 to TCP9F$ZZ, where each position is one of:

F The position is fixed and does not change.

A Alphabetic range.

N Numeric range.

B Alphanumeric range.

X Hexadecimal range.

? Alphanumeric including national characters @, #, and $.

RESTRICTAPPL_LU_BEGIN

LowerRange of the LU name span. This field is part of the RESTRICTAPPL_* repeat group. The field has a default and maximum width of 8.

v LowerRange must be lower than UpperRange.

v The lengths of LowerRange, UpperRange, and rangerule must be the same, and each must be less than or equal to eight characters.

v All LUs in the range must be valid and defined to VTAM for a successful session.

v The number of LU names in one range is limited to 4,294,967,295. The total number of LU names in the group is also limited to 4,294,967,295. Storage is not used until the LU name is assigned to the connection.

RESTRICTAPPL_LU_END

UpperRange of the LU name span. This field is part of the RESTRICTAPPL_* repeat group. The field has a default and maximum width of 8.

v UpperRange must be greater than LowerRange.

v The lengths of LowerRange, UpperRange, and rangerule must be the same, and each must be less than or equal to eight characters.

v All LUs in the range must be valid and defined to VTAM for a successful session.

v The number of LU names in one range is limited to 4,294,967,295. The total number of LU names in the group is also limited to 4,294,967,295. Storage is not used until the LU name is assigned to the connection.
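The range semantics shared by ALLOWAPPL_LU_BEGIN/_END/_RULE and RESTRICTAPPL_LU_BEGIN/_END/_RULE, as an added worked example (editor's Python, not zSecure or z/OS Communications Server code). It implements the rangerule letters and the constraints listed above and checks candidate LU names against the page's own example range TCP000A0..TCP9F$ZZ..FFFNX?AB. The collating order inside each character class (digits, then letters, then @ # $) is an assumption the page does not state; the names LuRange, single_lu and group_size are the example's own.

```python
"""Reference matcher for the TelnetParms LU-name ranges reported in the
ALLOWAPPL_LU_BEGIN/_END/_RULE and RESTRICTAPPL_LU_BEGIN/_END/_RULE fields.
Added example, not zSecure or z/OS code."""
from dataclasses import dataclass
from typing import Iterable

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
DIGIT = "0123456789"
NATIONAL = "@#$"

# Characters admitted by each rangerule letter.  The collating order within a
# class (digits, then letters, then the national characters) is an ASSUMPTION:
# the page names the admitted characters but not their sequence.  It agrees
# with the page's example, where '0'..'$' and '0'..'Z' are valid bounds.
CLASSES = {
    "A": ALPHA,                     # alphabetic range
    "N": DIGIT,                     # numeric range
    "X": DIGIT + "ABCDEF",          # hexadecimal range
    "B": DIGIT + ALPHA,             # alphanumeric range
    "?": DIGIT + ALPHA + NATIONAL,  # alphanumeric including @ # $
}
FIXED = "F"
MAX_LU_NAMES = 4_294_967_295        # limit per range and per group (from the page)


@dataclass(frozen=True)
class LuRange:
    lower: str   # LowerRange  (…_LU_BEGIN)
    upper: str   # UpperRange  (…_LU_END)
    rule: str    # rangerule   (…_LU_RULE)

    def __post_init__(self) -> None:
        # The page's constraints: equal lengths, at most 8 characters,
        # LowerRange not above UpperRange, bounds inside the position's class.
        if not (len(self.lower) == len(self.upper) == len(self.rule)):
            raise ValueError("LowerRange, UpperRange and rangerule must have the same length")
        if not 1 <= len(self.rule) <= 8:
            raise ValueError("LU names are 1 to 8 characters")
        for pos, (lo, hi, r) in enumerate(zip(self.lower, self.upper, self.rule), start=1):
            if r == FIXED:
                if lo != hi:
                    raise ValueError(f"position {pos} is fixed (F) but bounds differ")
                continue
            alphabet = CLASSES.get(r)
            if alphabet is None:
                raise ValueError(f"unknown rangerule character {r!r} at position {pos}")
            if lo not in alphabet or hi not in alphabet:
                raise ValueError(f"bound outside class {r!r} at position {pos}")
            if alphabet.index(lo) > alphabet.index(hi):
                raise ValueError(f"LowerRange above UpperRange at position {pos}")
        if self.size() > MAX_LU_NAMES:
            raise ValueError("range exceeds 4,294,967,295 LU names")

    def contains(self, lu: str) -> bool:
        """True if LU name `lu` falls inside the range, position by position."""
        if len(lu) != len(self.rule):
            return False
        for ch, lo, hi, r in zip(lu, self.lower, self.upper, self.rule):
            if r == FIXED:
                if ch != lo:
                    return False
                continue
            alphabet = CLASSES[r]
            if ch not in alphabet:
                return False
            if not alphabet.index(lo) <= alphabet.index(ch) <= alphabet.index(hi):
                return False
        return True

    def size(self) -> int:
        """Number of LU names the range admits (product of the per-position spans)."""
        n = 1
        for lo, hi, r in zip(self.lower, self.upper, self.rule):
            if r != FIXED:
                alphabet = CLASSES[r]
                n *= alphabet.index(hi) - alphabet.index(lo) + 1
        return n


def single_lu(name: str) -> LuRange:
    """A single LU is a range whose rangerule is all F ('FFFFFFFF' for 8 characters)."""
    return LuRange(name, name, FIXED * len(name))


def group_size(ranges: Iterable[LuRange]) -> int:
    """Total LU names in a group; the page limits this to 4,294,967,295 as well."""
    total = sum(r.size() for r in ranges)
    if total > MAX_LU_NAMES:
        raise ValueError("group exceeds 4,294,967,295 LU names")
    return total


if __name__ == "__main__":
    # The page's own example: TCP000A0..TCP9F$ZZ..FFFNX?AB
    r = LuRange("TCP000A0", "TCP9F$ZZ", "FFFNX?AB")
    for lu in ("TCP5A#MZ", "TCP5G#MZ", "TCQ5A#MZ"):
        print(lu, r.contains(lu))
    print("names in range:", r.size())
```

The size() check is what makes the 4,294,967,295 limit concrete: eight '?' positions admit 39^8 names and are rejected, which is why wide ranges in an ALLOWAPPL or RESTRICTAPPL group are usually split into narrower ones.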

NEWLIST TYPE=JOBCLASS: JES2 job classes

This topic describes the changes for section "JOBCLASS: JES2 job classes" in the "SELECT/LIST fields" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

v IBM Security zSecure Admin and Audit for RACF User Reference Manual

v IBM Security zSecure Audit for ACF2 User Reference Manual

v IBM Security zSecure Audit for Top Secret User Reference Manual

The following field was changed:

CLASS

This field describes the class name (up to 8 characters).

When combined with the SUBSYSTEM and SYSTEM fields, the CLASS field uniquely identifies an entry in this NEWLIST type.


NEWLIST TYPE=RACF: RACF profiles

This topic describes the changes for section "RACF: RACF profiles" in the "SELECT/LIST fields" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

v IBM Security zSecure Admin and Audit for RACF User Reference Manual

The following field was added:

CERTGREQ

This flag field indicates that the certificate was used to generate a certificate request with RACDCERT GENREQ. The certificate cannot be deleted by RACDCERT DELETE unless the FORCE parameter is specified. This field is only available in the CERTDATA segment of the DIGTCERT class, for z/OS 2.1 and up.

NEWLIST TYPE=RACF_ACCESS_ID: User IDs and groups

This topic describes the changes for section "RACF_ACCESS_ID: User IDs and groups" in the "SELECT/LIST fields" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

v IBM Security zSecure Admin and Audit for RACF User Reference Manual

The following information was added to the introduction:

In restricted mode, or when you use the NEWLIST SCOPE= parameter, IDs are limited to those IDs in the user's scope.

NEWLIST TYPE=SMF: SMF record types

This topic describes the changes for section "SMF: SMF record types" in the "SELECT/LIST fields" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

v IBM Security zSecure Admin and Audit for RACF User Reference Manual

v IBM Security zSecure Audit for ACF2 User Reference Manual

v IBM Security zSecure Audit for Top Secret User Reference Manual

The following field was changed:

MEMBER

The MEMBER field returns the name of a member that was changed. This field is supported in the following SMF record types:

v DFSMS statistics and configuration records (SMF record type 42, subtypes 21, 24, 25, and 26)

v INPUT or RDBACK data set activity (SMF record type 14)

v OUTPUT, UPDAT, INOUT, or OUTIN data set activity (SMF record type 15)

v TCP/IP statistics record (SMF record type 118, subtypes 3, 70, 71, 73, 74, 75, 76, and 239)

v TCP/IP profile event record (SMF record type 119, subtypes 4 and 48)

For SMF records that are created by DFSMS statistics and configuration change or rename events (SMF record type 42, subtypes 21, 24, 25, and 26), this field returns the name of a PDS or PDSE member that was changed or renamed. The action that caused the change is reported in the ACTION field.

For SMF type 119 subtype 4 and subtype 48 records, MEMBER is a repeated field. Each entry is a member name, which is found between brackets after a profile information data set name. The data set name can be found in the DATASET field. With SMF 119 subtype 4 records, the data set followed by the member between brackets can be found in the IP_DSNMEM field. Each IP_DSNMEM entry has one of three origins:

v It was specified on an OBEYFILE command, or

v It is the default library that is found in the standard search sequence, or

v It was specified on an INCLUDE statement.

The following fields were added to the field descriptions:

TN_CONNTYPE

This field is valid only for a SECUREPORT or TTLSPORT. This character field can have the following values, listed in this order for security compliance (from least to most restrictive):

BASIC
Indicates that a basic (non-SSL) connection is used.

ANY
Indicates that the client can connect as secure or basic. Telnet first tries a standard SSL handshake. If the handshake times out, negotiated SSL (see CONNTYPE NEGTSECURE) is attempted. If the client is willing to enter a secure connection, SSL protocols are used for all subsequent communication. If the client is not willing to enter a secure connection, a basic connection is used.

NEGTSECURE
Indicates that a TN3270 negotiation with the client determines whether the client is willing to enter a secure connection. If the client agrees, SSL protocols are used for all subsequent communication. If the client does not agree, the connection is closed.

SECURE
Indicates that the traditional SSL handshake is used to start the SSL connection. If the client does not start the handshake within the time that is specified by SSLTIMEOUT, an attempt is made to do a negotiated SSL handshake. If the client rejects the negotiated attempt, the connection is closed. Telnet is initialized with CONNTYPE SECURE for secure ports (SECUREPORT or TTLSPORT) and with CONNTYPE BASIC for basic ports.

NONE
Indicates that any client connection request is rejected.

TN_DATETIME_STARTED

This field provides the date and time that the Telnet server was started. The format of this field is DATETIME.

TN_DSNMEM

This repeated field contains a profile information entry for each data set name followed by a member name between brackets [membername]. The data set name entries can originate from the following sources: a VARY TCPIP,tnproc,OBEYFILE command, the default library that is found in the standard search sequence (PROFILE DD), or an INCLUDE statement.

TN_EXPRESSLOGON

This flag indicates whether EXPRESSLOGON (Yes) or NOEXPRESSLOGON (No) was configured. The EXPRESSLOGON parameter statement is used to allow a user at a workstation with a Telnet client and an X.509 certificate to log on to an SNA application without entering a user ID or password. If NOEXPRESSLOGON is specified, the EXPRESSLOGON function is not available to the client.

TN_INACTIVE

This field gives the value of the INACTIVE Telnet parameter statement. It is used to define the terminal SNA session inactivity timeout, in seconds. A connection that has no client VTAM session activity for the specified time is dropped. The INACTIVE statement applies to a KEEPOPEN connection only when an SNA session with the VTAM application is active. The default field output width is 5.

TN_LAST_CHANGE_DATETIME

This field provides the date and time that the Telnet server profile was last changed. The format of this field is DATETIME.

TN_MAXREQSESS

The MAXREQSESS parameter statement is used to limit the number of session requests that are received by Telnet in a 10-second period. For this parameter, a BIND received by Telnet defines a session request. If the number of BINDs received in a 10-second period exceeds the limit, the connection is dropped and an error is reported. Using the MAXREQSESS statement can mitigate some forms of session-request flooding attacks.

TN_MSG07

This flag field is true if error information is returned over the connection instead of just dropping the connection when a session attempt to the target application fails. Just dropping the connection gives an attacker less information, which is safer, although it makes problem diagnosis more difficult.

TN_NACUSERID

This field is the user ID that is used for Network Access Control instead of the Telnet server user ID.

TN_PASSWORDPHRASE

This flag field is true if space is reserved on the Telnet solicitor screen for entering either a password or a password phrase, in case RESTRICTAPPL is active.

TN_PORT

The decimal TCP port number where the Telnet region is listening. There is a separate record in this NEWLIST type for every listening port and qualifying IP address or network link (see TN_PORT_QUAL_IP and TN_PORT_QUAL_LINK). The type of port (insecure, TLS, or SSL) is returned in field TN_PORT_TYPE. The default display width is 5.

TN_PORT_INDEX

An internal number that is used to identify a set of port security settings. It is used inside SMF records to link fields to the appropriate port. The default display width is 5.

TN_PORT_QUAL_IP

This optional character field shows an IP address that qualifies the port. The settings in this record apply only to TCP sessions that come from this IP address to the port indicated in TN_PORT. See also TN_PORT_QUAL_LINK.

TN_PORT_QUAL_LINK

This optional character field shows an interface (link) that qualifies the port. The settings in this record apply only to network connections that come from this network link to the port indicated in TN_PORT. See also TN_PORT_QUAL_IP.

TN_PORT_TYPE

This field has one of the following values:

TTLSPORT
Uses AT-TLS security as defined in the AT-TLS policy. TTLSPORT is considered to be a safer choice than SECUREPORT, but the actual security depends on the AT-TLS policy and other TLS parameter settings.

SECUREPORT
Uses the SSL protocol directly in Telnet.

PORT
Unsecured port. It is more secure to have an encrypted port. PORT is considered an unsafe setting in practically any standard.

TN_REGION_USER

This field specifies the user ID that the Telnet region is running under.

TN_SECPORT_CLIENTAUTH

This field is only valid for a SECUREPORT. The equivalent function for a TTLSPORT is defined in the AT-TLS policy. It is a character field with the possible values:

SAFCERT
Specifies that the SSL handshake process authenticates the client certificate. Before connection negotiation is completed, extra access control is provided through the installation's SAF-compliant security product (for example, RACF) as follows:

v Verifies that the client certificate has an associated user ID defined to the security product. The certificate must first be defined to the security product to obtain this validation.

v For security products that support the SERVAUTH class, installations can also obtain a more granular level of access control. If the installation activated the SERVAUTH class and provided a profile for the port in the SERVAUTH class, only users that are specified in the profile are allowed to connect to the port.

SSLCERT
Specifies that the SSL handshake process authenticates the client certificate and the server certificate. This check verifies that the client's certificate was issued by a trusted certificate authority (CA).

NONE
No client authentication checks are done. The field is missing if the port is not a SECUREPORT.

TN_SECPORT_CRLLDAPSERVER

This repeating field is used only for ports that are defined as SECUREPORT. The field can contain up to five LDAP server specifications in the form of IP addresses or DNS names that are optionally suffixed with a colon and port number. The default field output width is 64. The maximum width is 255.

TN_SECPORT_ENCRYPTION

This repeated field is valid only for a SECUREPORT. The equivalent function for a TTLSPORT is defined in the AT-TLS policy. The character field returns all encryption algorithms that are allowed to connect to the port. The following values are possible:

v SSL_RC4_SHA

v SSL_RC4_MD5

v SSL_AES_256_SHA

v SSL_AES_128_SHA

v SSL_3DES_SHA

v SSL_DES_SHA

v SSL_RC4_MD5_EX

v SSL_RC2_MD5_EX

v SSL_NULL_SHA

v SSL_NULL_MD5

v SSL_NULL_NULL

TN_SECPORT_KEYRING_HFS

The HFS keyring file path name, if any. This field is only valid for a SECUREPORT. The equivalent function for a TTLSPORT is defined in the AT-TLS policy. This field is filled only if KEYRING HFS path is specified in the Telnet configuration. The field is 64 characters wide by default.

TN_SECPORT_KEYRING_MVS

The MVS™ keyring file name, if any. This field is only valid for a SECUREPORT. The equivalent function for a TTLSPORT is defined in the AT-TLS policy. This field is filled only if KEYRING MVS is specified in the Telnet configuration. The field is 8 characters wide by default.

TN_SECPORT_KEYRING_SAF

The SAF keyring name, if any. This field is only valid for a SECUREPORT. The equivalent function for a TTLSPORT is defined in the AT-TLS policy. This field is filled only if KEYRING SAF keyring is specified in the Telnet configuration. The field is 8 characters wide by default.

TN_SECPORT_SSLV2

This field is only valid for a SECUREPORT. The equivalent function for a TTLSPORT is defined in the AT-TLS policy. The flag is true if the SSLV2 protocol can be used in the SSL handshake. If the flag is off, only SSLV3 and TLS can be used.

TN_SMFINIT_TYPE118_SUBTP

Specifies the type 118 SMF record subtype for LOGON records as set by the SMFINIT Telnet parameter. Valid values are integers in the range 0 - 255. A value of 0 for SMFINIT indicates that no SMF record is written for that function.

TN_SMFINIT_TYPE119

This flag field indicates whether 'Telnet SNA Session Initiation or LOGON' SMF type 119 subtype 20 records are being written.


TN_SMFPROFILE

This flag field reflects the SMFPROFILE parameter statement that is used to configure Telnet to write SMF configuration records. The Telnet configuration records are written as type 119, subtype 24. Telnet is initialized with a value of NOSMFPROFILE. The flag is true if SMFPROFILE NOGROUPDETAIL or SMFPROFILE GROUPDETAIL is specified.

TN_SMFTERM_TYPE118_SUBTP

Specifies the type 118 SMF record subtype for LOGOFF records as set by the SMFTERM Telnet parameter. Valid values are integers in the range 0 - 255. A value of 0 for SMFTERM indicates that no SMF record is written for that function.

TN_SMFTERM_TYPE119

This flag field indicates whether 'Telnet SNA Session Termination or LOGOFF' SMF type 119 subtype 21 records are being written.

TN_SSLTIMEOUT

This field contains the value of the SSLTIMEOUT Telnet parameter, in seconds. The default width is 3. The SSLTIMEOUT Telnet parameter statement is used to provide a unique timeout value for SSL handshake processing. This timeout limits the time SSL handshake processing waits for a client response.

TN_STACK

This field provides the stack name, which is the name of the started task procedure that is running the stack.

TN_TELNET_CONFIG

This repeated field contains a character representation of the Telnet configuration member. The field is provided for symmetry with TYPE=IP_TELNET_PORT, but it is not meant for selection. Use the other fields and TYPE=IP_TELNET_PORT for selection, if possible.

TN_TKOGENLU

This field is empty (missing) if NOTKOGENLU is configured. Otherwise, it contains the number of seconds Telnet waits to check whether a response was received from the original client before Telnet allows takeover by a new Telnet connection. Valid values are in the range 0 - 99,999,999. The value 0 is a special case: if the value is 0, Telnet always takes over, whether the original session is active or not. The field is configured with the TKOGENLURECON parameter statement.

TN_TKOGENLU_KEEPONTMRST

This flag field reflects the TKOGENLURECON KEEPONTMRESET setting. True means that if a reset is received from the target during takeover, the session is saved and transferred to the taker. Without KEEPONTMRESET, or if NOKEEPONTMRESET is specified, the session is dropped if a reset is received from the target.

TN_TKOGENLU_SAMECONNTYP

This flag field reflects the TKOGENLURECON SAMECONNTYPE setting. If it is true, Telnet requires that the taker has the same basic or secure connection type as the target. If the SAMECONNTYPE parameter is not specified, or if the NOSAMECONNTYPE parameter is specified, a taker with a secure connection can take over a target with a basic connection. The original connection type is forwarded to the application as part of the CINIT CV64 information. The changed connection type from basic to secure is not forwarded to the application, which might cause reporting errors.

TN_TKOGENLU_SAMEIPADDR

This flag field reflects the TKOGENLURECON SAMEIPADDR setting. If it is true, Telnet requires that the taker has the same IP address as the target. Without SAMEIPADDR, or if NOSAMEIPADDR is specified, a taker with a different IP address can take over the target. The changed IP address is not forwarded to the application, which might cause reporting errors.

TN_TKOSPECLU

This field is empty (missing) if NOTKOSPECLU is configured. Otherwise, it contains the number of seconds Telnet waits to check whether a response was received from the original client before Telnet allows takeover by a new Telnet connection that tries to reconnect to the specific LU name. Valid values are in the range 0 - 99,999,999. The value 0 is a special case: if the value is 0, Telnet always performs the takeover, whether the original session is active or not. The field is configured with the TKOSPECLURECON parameter statement. When specific LU takeover is allowed, Telnet LU lookup suspends a new connection request that specifies an already active LU name. After the new connection is suspended, a TIMEMARK is sent to the original connection that is using the requested LU name. After the specified time, Telnet checks whether there was a response to the TIMEMARK. If a response or any data was received by the original connection since the TIMEMARK was sent, Telnet fails the new connection takeover attempt by indicating that the LU name is already in use. If no response is received, the target connection is dropped and the new taker connection is established with the specified LU name. If TKOSPECLU is in effect, the session is also dropped. If TKOSPECLURECON is in effect, the session is transferred to the taker connection.

TN_TKOSPECLU_KEEPONTMRST

This flag field reflects the TKOSPECLURECON KEEPONTMRESET setting. True means that if a reset is received from the target during takeover, the session is saved and transferred to the taker. Without KEEPONTMRESET, or if NOKEEPONTMRESET is specified, the session is dropped if a reset is received from the target.

TN_TKOSPECLU_SAMECONNTYP

This flag field reflects the TKOSPECLURECON SAMECONNTYPE setting. If it is true, Telnet requires that the taker has the same basic or secure connection type as the target. If the SAMECONNTYPE parameter is not specified, or if the NOSAMECONNTYPE parameter is specified, a taker with a secure connection can take over a target with a basic connection. The original connection type is forwarded to the application as part of the CINIT CV64 information. The changed connection type from basic to secure is not forwarded to the application, which might cause reporting errors.

TN_TKOSPECLU_SAMEIPADDR

This flag field reflects the TKOSPECLURECON SAMEIPADDR setting. If it is true, Telnet requires that the taker has the same IP address as the target. Without SAMEIPADDR, or if NOSAMEIPADDR is specified, a taker with a different IP address can take over the target. The changed IP address is not forwarded to the application, which might cause reporting errors.


TN_TNSACONFIG_ENABLED

This flag field reflects whether the Telnet SNMP subagent is enabled.

TN_TNSACONFIG_SNMP_AGENT

This field provides the destination port that is used by the Telnet SNMP subagent to contact the main SNMP agent.
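A compliance check over the TN_* port fields described above, as an added example (editor's Python, not zSecure code). It stands in for a CARLa report on NEWLIST TYPE=SMF: the records are constructed dicts keyed by the TN_* field names, the grading of TN_SECPORT_ENCRYPTION suites into strong, legacy and weak is the editor's, and a missing TN_MAXREQSESS is assumed to mean that no limit was coded. The function names audit_port, audit_all, worst_conntype and parse_dsnmem are the example's own.

```python
"""Audit of Telnet port security settings, driven by the TN_* fields of the
SMF type 119 subtype 24 (Telnet profile) record.  Added example, not zSecure
code; the records are CONSTRUCTED stand-ins for CARLa output."""
from typing import Any, Dict, List, Tuple

# The page lists these values "in this order for security compliance";
# index 0 is the least secure choice.
CONNTYPE_ORDER = ["BASIC", "ANY", "NEGTSECURE", "SECURE", "NONE"]
PORT_TYPE_ORDER = ["PORT", "SECUREPORT", "TTLSPORT"]

# Editor's grading of the TN_SECPORT_ENCRYPTION values listed on the page
# (assumption): only the AES suites are acceptable, 3DES is tolerated as
# legacy, and NULL, DES, RC2, RC4, MD5 and the export (_EX) suites are weak.
STRONG_CIPHERS = {"SSL_AES_256_SHA", "SSL_AES_128_SHA"}
LEGACY_CIPHERS = {"SSL_3DES_SHA"}


def audit_port(rec: Dict[str, Any]) -> List[str]:
    """Return the findings for one port record (empty list = nothing to flag)."""
    port = rec.get("TN_PORT")
    ptype = rec.get("TN_PORT_TYPE")
    findings: List[str] = []

    if ptype == "PORT":
        # Nothing else matters if the port is clear-text.
        return [f"port {port}: unencrypted PORT, credentials and screens cross the network in clear"]

    conntype = rec.get("TN_CONNTYPE")
    if conntype in ("BASIC", "ANY"):
        findings.append(f"port {port}: CONNTYPE {conntype} allows a fallback to a basic (non-SSL) session")

    if ptype == "SECUREPORT":
        # SSL is handled inside Telnet, so the TN_SECPORT_* fields are authoritative.
        if rec.get("TN_SECPORT_SSLV2"):
            findings.append(f"port {port}: SSLV2 permitted in the handshake")
        if rec.get("TN_SECPORT_CLIENTAUTH", "NONE") == "NONE":
            findings.append(f"port {port}: no client certificate authentication (CLIENTAUTH NONE)")
        for suite in rec.get("TN_SECPORT_ENCRYPTION", []):
            if suite in STRONG_CIPHERS:
                continue
            grade = "legacy" if suite in LEGACY_CIPHERS else "weak"
            findings.append(f"port {port}: {grade} cipher suite {suite} enabled")
    # For a TTLSPORT the protocol versions, ciphers and client authentication
    # live in the AT-TLS policy, which this record does not carry.

    if rec.get("TN_MSG07"):
        findings.append(f"port {port}: MSG07 returns session-failure details to the client")
    if rec.get("TN_MAXREQSESS") is None:   # assumption: field absent when MAXREQSESS is not coded
        findings.append(f"port {port}: no MAXREQSESS limit on BIND requests per 10 seconds")
    return findings


def worst_conntype(records: List[Dict[str, Any]]) -> str:
    """Least secure TN_CONNTYPE found on any secure port, per the page's ordering."""
    seen = [r.get("TN_CONNTYPE") for r in records if r.get("TN_PORT_TYPE") != "PORT"]
    seen = [c for c in seen if c in CONNTYPE_ORDER]
    return min(seen, key=CONNTYPE_ORDER.index) if seen else "NONE"


def parse_dsnmem(entry: str) -> Tuple[str, str]:
    """Split a TN_DSNMEM entry 'DATASET[MEMBER]' into (dataset, member)."""
    dsn, _, rest = entry.partition("[")
    return dsn, rest.rstrip("]")


def audit_all(records: List[Dict[str, Any]]) -> Dict[int, List[str]]:
    """Findings per TN_PORT, only for ports that have any."""
    result: Dict[int, List[str]] = {}
    for rec in records:
        findings = audit_port(rec)
        if findings:
            result[rec["TN_PORT"]] = findings
    return result


# Constructed sample records: three ports of one Telnet region.
SAMPLE_RECORDS = [
    {"TN_STACK": "TCPIP", "TN_PORT": 23, "TN_PORT_TYPE": "PORT",
     "TN_CONNTYPE": "BASIC", "TN_MSG07": True},
    {"TN_STACK": "TCPIP", "TN_PORT": 992, "TN_PORT_TYPE": "SECUREPORT",
     "TN_CONNTYPE": "ANY", "TN_SECPORT_SSLV2": True, "TN_SECPORT_CLIENTAUTH": "NONE",
     "TN_SECPORT_ENCRYPTION": ["SSL_RC4_MD5", "SSL_AES_256_SHA", "SSL_NULL_SHA", "SSL_3DES_SHA"],
     "TN_MSG07": True, "TN_DSNMEM": ["TCPIP.TCPPARMS[TELNET]"]},
    {"TN_STACK": "TCPIP", "TN_PORT": 2023, "TN_PORT_TYPE": "TTLSPORT",
     "TN_CONNTYPE": "SECURE", "TN_MSG07": False, "TN_MAXREQSESS": 100},
]


if __name__ == "__main__":
    for port, findings in audit_all(SAMPLE_RECORDS).items():
        for finding in findings:
            print(finding)
    print("least secure CONNTYPE on a secure port:", worst_conntype(SAMPLE_RECORDS))
```

The early return for PORT is deliberate: once a port is clear-text there is nothing to grade, and the remaining findings would only dilute the one that matters. TN_DSNMEM is kept alongside so that a finding can be traced to the profile data set and member that introduced the setting.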

NEWLIST TYPE=SYSTEM: System-wide options

This topic describes the changes for section "SYSTEM: System-wide options" in the "SELECT/LIST fields" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

v IBM Security zSecure Admin and Audit for RACF User Reference Manual

v IBM Security zSecure Audit for ACF2 User Reference Manual

v IBM Security zSecure Audit for Top Secret User Reference Manual

The following field was changed:

NGROUPS_MAX

The maximum number of POSIX group IDs stored per process. The list of stored group IDs is used when RACF list-of-groups checking (SETROPTS GRPLIST) is active. If the field's value is zero, UNIX does not use RACF for access checks.

On z/OS, this value is taken from the sysconf service (BPX1SYC) SC_NGROUPS_MAX value. On z/VM®, the value is taken from either the SYSNGMAX field in the SYSCM control block (when the CKFREEZE file was created by a class E user ID), or from the ICNGMAX field in the HCPRWA control block.

Object property lookup

This topic describes the changes for section "DEFINE" in the "CARLa Command Language" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

v IBM Security zSecure Admin and Audit for RACF User Reference Manual

The following information was changed in the "Indirect reference or lookup" section:

Object property lookup

This lookup is used to request properties of a security object. It is specified as:

:targetfield

The target field is retrieved from the security database. The object property lookup is supported only from the ACCESS, COMPLIANCE, RACF, RACF_ACCESS, RACF_ACCESS_ID, REPORT_SCOPE, SMF, and TRUSTED NEWLISTs. The applicable security database is determined automatically based on the available information, for example, from CKFREEZE files. The key that links the target field to the source object consists of the combination of the complex, class, and RACF profile that covers the resource. The target field can only be an existing field in the target database. It is also possible to use one of the target record identification fields (CLASS, PROFILE, and KEY) as the target field. If the target field specification is ambiguous (for example, present in multiple segments), the field value that is shown is not predictable. Defined variables are not supported.


PACKED numerical format

This topic describes the changes for the numerical format PACKED in the "CARLa Command Language" chapter and the "SELECT/LIST Fields" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

v IBM Security zSecure Admin and Audit for RACF User Reference Manual

v IBM Security zSecure Audit for ACF2 User Reference Manual

v IBM Security zSecure Audit for Top Secret User Reference Manual

The following information was added to the "CARLa Command Language" chapter in the section "LIST family of commands" > "Controlling report and display output for LIST family commands" > "Format names."

PACKED

Formats packed decimal numbers of up to 16 bytes. Its output is a character string of at most 32 characters (including the optional negative sign). All sign nibbles are supported (A, C, E, and F indicate a positive number; B and D indicate a negative number). If the packed decimal has an invalid sign nibble or an invalid digit, the format prints a question mark (?). If the number is larger than the width of the field, the format prints all asterisks (*).
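The PACKED format rules above, as an added reference decoder (editor's Python, not zSecure code). decode_packed and format_packed are the example's own names; the sample byte strings are constructed.

```python
"""Decoder for the PACKED numerical format as described above.
Added example, not zSecure code: it reproduces the stated rules (up to 16
bytes, sign nibbles A/C/E/F positive and B/D negative, '?' for an invalid
digit or sign nibble, all asterisks when the number does not fit the width)."""
POSITIVE_SIGNS = {0xA, 0xC, 0xE, 0xF}
NEGATIVE_SIGNS = {0xB, 0xD}
MAX_BYTES = 16    # 16 bytes = 31 digits + sign nibble, hence at most 32 output characters


def decode_packed(data: bytes) -> int:
    """Return the integer value of a packed decimal field.

    Raises ValueError for an empty or over-long field, a digit nibble above 9,
    or a sign nibble that is not one of A-F.
    """
    if not 1 <= len(data) <= MAX_BYTES:
        raise ValueError(f"packed decimal must be 1 to {MAX_BYTES} bytes")
    nibbles = []
    for byte in data:
        nibbles.append(byte >> 4)
        nibbles.append(byte & 0x0F)
    *digits, sign = nibbles            # the last nibble is the sign
    if any(d > 9 for d in digits):
        raise ValueError("invalid digit nibble")
    if sign in POSITIVE_SIGNS:
        negative = False
    elif sign in NEGATIVE_SIGNS:
        negative = True
    else:
        raise ValueError("invalid sign nibble")
    value = 0
    for d in digits:
        value = value * 10 + d
    return -value if negative else value


def format_packed(data: bytes, width: int) -> str:
    """Render a packed field into `width` characters, right-justified, the way
    the PACKED format does: '?' on invalid data, '*' * width on overflow."""
    try:
        text = str(decode_packed(data))
    except ValueError:
        text = "?"
    if len(text) > width:
        return "*" * width
    return text.rjust(width)


if __name__ == "__main__":
    # Constructed sample fields: (hex bytes, output width)
    for hexstr, width in (("12345C", 8), ("12345D", 6), ("12345D", 5), ("1A2C", 4), ("1230", 4)):
        print(hexstr, width, repr(format_packed(bytes.fromhex(hexstr), width)))
```

Note that a 16-byte negative value needs the full 32 characters ('-' plus 31 digits); any narrower output width turns it into asterisks, which is the case the DB2_SEQUENCE note below is warning about.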

The following information was changed in the "CARLa Command Language" chapter in the section "LIST family of commands" > "SELECT and EXCLUDE" > "Selecting with a field-field compare."

Usage notes

Field compare operations are subject to the following restrictions:

v For character fields, the field contents are compared excluding trailing spaces.

v Substring operations and field lookups can be used on both sides of the doubled relational operator.

– Both fields must have the same format, for example two character fields. Only the character, numerical, hexadecimal, and date formats are supported. Fields with numerical format PACKED (packed decimal) cannot be used for field-field comparisons.

– At most one of the fields can be repeated. That is, you cannot compare two (potentially) repeated fields.

– The maximum field length is 255 characters.

– You cannot use the substring scan operator (=:) because it is not supported.

The following information was changed in the "DB2_SEQUENCE" section in the "SELECT/LIST Fields" chapter:

The following statement applies to the reporting fields listed below:

The maximum width is 32 characters. If the output width is too short for the number, all asterisks (*) are printed. This field cannot be selected on with a field-field compare.

v INCREMENT

v MAXASSIGNEDVAL

v MAXVALUE

v MINVALUE

v RESTARTWITH

v START

RA.S SETTINGS - SETROPTS and class settings

This topic describes the changes for section "RA.S SETTINGS - SETROPTS and class settings" in the "RACF Audit Guide" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

v IBM Security zSecure Admin and Audit for RACF User Reference Manual

The following information was changed:

Menu option RA.S produces three reports, showing:

v The SETROPTS settings

v The class information from both the SETROPTS settings and the class descriptor table (CDT)

v The nodes that are defined to the RACF remote sharing facility (RRSF)

The first two are a convenient way to change SETROPTS settings and class attributes.

The SETROPTS detail display is identical to "SETROPTS - RACF settings report".

The RRSF displays are identical to "RRSFNODE - RACF Remote Sharing Facility settings".

    zSecure Suite Display Selection
    Command ===> __________________________________________________________________

      Name      Summary  Records  Title
    _ SETROPTS        2        2  RACF SETROPTS system settings
    _ RACFCLAS      512      512  RACF class settings
    _ RRSFNODE        1        5  RACF remote sharing facility nodes
    ************************************ Bottom of Data ***************************

Figure 2. SETROPTS settings and class information

Scripts in the CARLa library

This topic describes the changes for section "Standard CARLa scripts" in the "Calling zSecure" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

v IBM Security zSecure Admin and Audit for RACF User Reference Manual

v IBM Security zSecure Audit for ACF2 User Reference Manual

v IBM Security zSecure Audit for Top Secret User Reference Manual

For RACF

The following standard CARLa scripts were added:

CKAG@615 - zSecure Audit z/OS RACF STIG Version 6 Release 15

This member defines the full STIG version 6.15 standard for RACF, embedding all the relevant CARLa members for the individual external rules. See AU.R Rule-based compliance evaluation in chapter 5.


CKAG* - zSecure Audit z/OS RACF STIG related members

These other members include rule sets for the various DISA STIG compliance requirements that can be used to audit RACF and are used in AU.R. See AU.R Rule-based compliance evaluation in chapter 5.

CKAO* - zSecure Audit z/OS RACF GSD331/ISEC related members

These members include rule sets for the various GSD331/ISEC compliance requirements that can be used to audit RACF and are used in AU.R. See AU.R Rule-based compliance evaluation in chapter 5.

For ACF2

The "Character indicating type of CARLa script" table was changed as follows:

Table 6. Character indicating type of CARLa script

Type code   Use

D           Interactive display queries (some can also be used to produce batch reports)

G           Members containing DISA STIG rules (US Government)

L           Batch reports (not intended for interactive use)

O           Members containing GSD 331 / ISEC rules for systems that are outsourced to IBM

R           Default layouts for CARLa REPORT commands (compatibility with earlier versions)

S           Inclusion members with CARLa DEFINE statements for SMF or other logs

V           Verify commands

X           Used from the Security zSecure ISPF interface

The following standard CARLa scripts were added:

C2AG@615 - zSecure Audit for ACF2 STIG Version 6 Release 15

This member defines the full STIG version 6.15 standard for ACF2, embedding all the relevant CARLa members for the individual external rules. See AU.R Rule-based compliance evaluation in chapter 5.

C2AG* - zSecure Audit for ACF2 STIG related members

These other members include rule sets for the various DISA STIG compliance requirements that can be used to audit ACF2 and are used in AU.R. See AU.R Rule-based compliance evaluation in chapter 5.

For Top Secret (TSS)

The following standard CARLa scripts were added:

CKTG@615 - zSecure Audit TSS STANDARD and IMBEDs TSS STIG v6 R15

This member defines the full STIG version 6.15 standard for TSS, embedding all the relevant CARLa members for the individual external rules. See AU.R Rule-based compliance evaluation in chapter 2.

CKTG* - zSecure Audit TSS zSecure Audit for TSS STIG Compliance

These other members include rule sets for the various TSS STIG compliance requirements that can be used to audit TSS and are used in AU.R. See AU.R Rule-based compliance evaluation in chapter 2.


STANDARD command in the CARLa command reference

This topic describes the changes for section "STANDARD" in the "CARLa Command Language" chapter of the IBM Security zSecure User Reference Manual.

Applies to:

v IBM Security zSecure Admin and Audit for RACF User Reference Manual

v IBM Security zSecure Audit for ACF2 User Reference Manual

v IBM Security zSecure Audit for Top Secret User Reference Manual

The following information was changed in the introduction:

You can implement this in CARLa through DEFTYPE lookups and DEFINE statements.

The easiest way to check compliance with the STANDARD statement is through the AU.R option in the user interface. See the "AU.R Rule-based compliance evaluation" section in the User Reference Manual, which also contains more examples of the STANDARD statement.

The STANDARD statement starts with STANDARD and ends with ENDSTANDARD. Inside, there is a sequence of RULE definitions. Each rule starts with a RULE statement and ends with an ENDRULE statement. The RULE statement can specify a SET parameter to group multiple rules into a RULE_SET. Optionally, such a set of rules can be preceded by a RULE_SET statement with a specific DESCRIPTION. If the SET parameter is not specified on the RULE, the RULE implicitly creates a RULE_SET with an identical rule name and DESCRIPTION as the RULE.

The RULE_SET statement defines a rule set name and description, both of which typically originate in a "paper" standard. The individual RULE statements are typically smaller parts of the "paper" standard rules and identify a DOMAIN of objects to which the rule applies. The RULE statement is followed by a set of TEST specifications that must all be satisfied for the object to be in compliance with the rule. A TEST specification identifies a test variable, a relational operator, and the compliant test value. Also, an EXEMPT subset of a domain can be identified. The set of TEST statements for a RULE is ended with an ENDRULE statement.

The following information was changed in the "Syntax" section:

All names that are defined for STANDARD, RULE_SET, DOMAIN, RULE, and TEST must be unique within their context.

v The context for a TEST is a RULE.

v The context for a RULE is a STANDARD.

v The context for a RULE_SET is a STANDARD.

v The context for a DOMAIN is a STANDARD.

v A STANDARD name is global (run level).

The following information was changed in the "Domain specifications" section:

When you write rule domain definitions for a standard with External Security Monitor (ESM) that use the DOMAIN SUMMARY parameter, sufficient key fields must be specified to determine the COMPLEX and VERSION (field VER). These key fields must be specified as the last key fields on the SUMMARY specification; a statistic field such as COUNT might still follow.


The following information was changed in the "Standard specifications" section:

The standard is identified by a case-sensitive name and a version identifier that is converted to uppercase. A version identifier is always required. The maximum length of the standard name is 24. However, it is preferable to limit the standard name length to 16, as that is the visible part in the user interface and sample reports. The maximum length of the version specification is also 24. The standard name is optional on the ENDSTANDARD statement. The version cannot be specified on the ENDSTANDARD statement. The standard and version together must be unique in the CKRCARLA run. The optional DESCRIPTION parameter can be 255 characters long. The DESCRIPTION keyword supports three kinds of quotation marks, but the begin and end quotation marks must match and cannot be present within the string. The optional ESM parameter can be used to limit the scope of the standard to complexes that have the indicated External Security Monitor. In contrast to a similar parameter on the NEWLIST statement, only a single value can be specified. The parameters on the STANDARD statement can be abbreviated up to a minimum of three characters; VER and DESC are expected to be used most often. The following example shows an empty STANDARD statement:

The following information was changed in the "Rule set specifications" section:

The RULE_SET statement can be used to define a set of rules with a description on the rule set level. Rules can be grouped in sets by using the SET keyword on the RULE statement. A RULE_SET statement is necessary only if you want a description on the RULE_SET level. The maximum length of <set> is 64 bytes. However, it is preferable to limit the name of the rule set to 16 characters; that is what is shown in the user interface and sample reports. The maximum length of the <description> is 255.

The following information was changed in the "Rule test specifications" section:

Lookup of a field value is also allowed. For example:

    DOMAIN stc SELECT(R_STC)
    RULE stc_user_def DOMAIN(stc),
      DESC("users associated with started tasks must have the PROTECTED attribute and be OWNED by STCGROUP")
    TEST protected R_STC(userid:protected=yes)
    TEST owner_stcgroup R_STC(userid:owner=STCGROUP)
    ENDRULE

The following information was changed in the "Writing tests to flag absence of something as noncompliant" section:

This can, for example, be used to report the absence of a password exit as noncompliant:

    define type=exit count count where exitname=ichpwx0
    domain RACF_password_exit_in_system select(exit),
      summary(exit(system complex ver count))
    rule RACF_password_exit_exists domain(RACF_password_exit_in_system),
      desc("there must be an active password exit.")
    test exists_in_system exit=1
    endrule
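The two CARLa fragments above rely on semantics that are easy to misread: every TEST of a RULE must hold, EXEMPT objects drop out, and absence can only be flagged when the domain still produces a row for the system that lacks the object. The following added example (Python, not CARLa and not zSecure code) models exactly those two rules over constructed sample records, and contrasts the per-system COUNT pattern with a naive domain that never sees the missing exit.

```python
"""Python model of the RULE / TEST / EXEMPT semantics and of the
"count per system" pattern for flagging absence. Added example, not CARLa and
not zSecure code; all records below are constructed sample data."""
from collections import defaultdict
from typing import Callable, Dict, List, Union

Obj = Dict[str, object]
Test = Callable[[Obj], bool]
Result = Union[str, List[str]]         # "compliant", "exempt", or failed tests

# Constructed started-task users for the stc_user_def rule shown above.
STC_USERS: List[Obj] = [
    {"userid": "STCA", "protected": "yes", "owner": "STCGROUP"},
    {"userid": "STCB", "protected": "no", "owner": "STCGROUP"},
    {"userid": "STCC", "protected": "yes", "owner": "SYSADM"},
    {"userid": "TESTSTC", "protected": "no", "owner": "TESTGRP"},
]

# Constructed active-exit records: only SYS1 has a password exit (ICHPWX0).
EXITS: List[Obj] = [
    {"system": "SYS1", "complex": "PROD", "ver": "2.1", "exitname": "ICHPWX0"},
    {"system": "SYS1", "complex": "PROD", "ver": "2.1", "exitname": "ICHRTX00"},
    {"system": "SYS2", "complex": "PROD", "ver": "2.1", "exitname": "ICHRTX00"},
]


def evaluate_rule(domain: List[Obj], tests: Dict[str, Test], key: str,
                  exempt: Callable[[Obj], bool] = lambda o: False) -> Dict[str, Result]:
    """An object complies only if every TEST holds; EXEMPT objects are skipped."""
    results: Dict[str, Result] = {}
    for obj in domain:
        if exempt(obj):
            results[str(obj[key])] = "exempt"
            continue
        failed = [name for name, test in tests.items() if not test(obj)]
        results[str(obj[key])] = failed if failed else "compliant"
    return results


def stc_user_results() -> Dict[str, Result]:
    """The stc_user_def rule: both TESTs must hold; TEST* users are EXEMPT."""
    tests = {
        "protected": lambda u: u["protected"] == "yes",
        "owner_stcgroup": lambda u: u["owner"] == "STCGROUP",
    }
    return evaluate_rule(STC_USERS, tests, key="userid",
                         exempt=lambda u: str(u["userid"]).startswith("TEST"))


def password_exit_domain(exits: List[Obj]) -> List[Obj]:
    """Mirror of SUMMARY(exit(system complex ver count)): one row per
    system/complex/ver over ALL exit records, COUNT = ICHPWX0 records seen.
    A system without a password exit still gets a row (count 0)."""
    counts: Dict[tuple, int] = defaultdict(int)
    for e in exits:
        k = (e["system"], e["complex"], e["ver"])
        counts[k] += int(e["exitname"] == "ICHPWX0")
    return [{"key": "/".join(k), "count": n} for k, n in sorted(counts.items())]


def password_exit_results() -> Dict[str, Result]:
    """The RACF_password_exit_exists rule: count must be exactly 1."""
    return evaluate_rule(password_exit_domain(EXITS),
                         {"exists_in_system": lambda r: r["count"] == 1}, key="key")


def naive_password_exit_results() -> Dict[str, Result]:
    """Contrast: a domain holding only ICHPWX0 records yields no row for SYS2,
    so its missing exit can never be reported as noncompliant."""
    domain = [e for e in EXITS if e["exitname"] == "ICHPWX0"]
    return evaluate_rule(domain, {"exists": lambda e: True}, key="system")


if __name__ == "__main__":
    print("stc_user_def      :", stc_user_results())
    print("password exit     :", password_exit_results())
    print("naive (no SYS2!)  :", naive_password_exit_results())
```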

SUPPRESS CKFREEZE

This topic describes the changes for SUPPRESS CKFREEZE in the "Problem Determination Guide" chapter and the "CARLa Command Language" chapter of the IBM Security zSecure User Reference Manual.

Applies to:


v IBM Security zSecure Admin and Audit for RACF User Reference Manual

v IBM Security zSecure Audit for ACF2 User Reference Manual

v IBM Security zSecure Audit for Top Secret User Reference Manual

The following information was changed in the "SUPPRESS command options" section of the "CARLa Command Language" chapter:

CKFREEZE
IOCONFIG

Suppress the use of a CKFREEZE file with catalog information. If a cursory analysis is sufficient, omitting the CKFREEZE file saves time. This option is useful for commands that can provide useful information without a CKFREEZE file. For VSAM profiles, CKFREEZE data is needed to generate complete and correct report information for VSAM data sets. For zSecure Audit for RACF, this parameter is ignored for NEWLIST TYPE=SMF in restricted mode and message CKR0521 is issued.

The following information was added to the "Commands not allowed in restricted mode" section of the "Problem Determination Guide" chapter:

SUPPRESS CKFREEZE (only forbidden with SMF NEWLIST)


Chapter 3. System requirements

This section lists the processor, space, and memory requirements for IBM Security zSecure V2.1.0 and the supported platforms and applications.

Requirements

Minimum and advised processor, disk space, and memory requirements for IBM Security zSecure V2.1.0 and IBM Security zSecure Compliance, Auditing, and Administration solutions V2.1.0:

                Minimum    Advised

Processor       Z800       IBM System z9 or z10 Enterprise Class (EC), or z9 or z10 Business Class (BC)

Disk space      300 MB     450 MB

Memory          1 GB       2 GB

For programming and space requirements, see the following zSecure program directories:

v The zSecure Admin RACF-Offline component has its own Program Directory: IBM Security zSecure Admin RACF-Offline.

v All other CARLa-driven components of zSecure have a common Program Directory: IBM Security zSecure CARLa-Driven Components.

These program directories are available with the product at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.zsecure.doc_2.1/welcome.html.

For a complete installation roadmap on all steps to install, configure, and deploy a new installation of zSecure or an upgrade to IBM Security zSecure V2.1.0, see the IBM Security zSecure CARLa-Driven Components Installation and Deployment Guide.

Supported platforms and applications

IBM Security zSecure products are supported on the following platforms and applications:

v IBM z/OS version 1 release 12 through z/OS version 2 release 1; there is a standard support extension for z/OS V1R11.

v CICS Transaction Server version 3 release 1 through version 5 release 1.

v DB2 version 8 release 1 through DB2 version 10 release 1.

v IMS version 11 through version 12.

v CA ACF2 release 14 and 15.

v CA Top Secret release 14 and 15.

v Tivoli® Compliance Insight Manager Enabler for z/OS 2.1 works with Tivoli Security Information and Event Manager version 2 and Tivoli Compliance Insight Manager version 8 release 5.

v zSecure Visual Client requires Microsoft Windows 7 or Windows 8. See also the "Incompatibility warnings" on page 4.


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Adobe, the Adobe logo, Acrobat, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium and the Ultrium Logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.

Other company, product, and service names may be trademarks or service marks of others.


Printed in USA