IBM zSecure 2.3.0 New Features and Functions

Rob van Hoboken

zSecure architect

2017-11-08 Session FH

based on original material created by Guus Bonnes

Slide 1 of 137

Slide 2 of 137 (© 2017 IBM Corporation, IBM Security zSecure 2.3.0)

IBM zSecure suite

● Administration for RACF
– zSecure Admin
– zSecure Visual
– zSecure CICS Toolkit
● Compliance enforcement for RACF
– zSecure Command Verifier
● Real-time alert for RACF and ACF2
– zSecure Alert
● Audit, Assessment and Compliance for z/OS with RACF/ACF2/CA-TSS
– zSecure Audit
● Near real-time SMF feed to SIEM
– zSecure Adapters for SIEM
● RACF administration + reporting
– zSecure Manager for RACF z/VM

Slide 3 of 137

Data presentation options

● IBM QRadar SIEM
● IBM Operations Analytics for z Systems
● SIEM solutions like

Slide 4 of 137

Encryption support

Pervasive Encryption

Slide 5 of 137

Pervasive Encryption in z/OS

● Data sets on disk (VSAM, QSAM, BSAM) can be transparently encrypted
● zFS files and information can be transparently encrypted
● Data in the Coupling Facility can be transparently encrypted
● Communication Server links can be transparently encrypted
● See the announcement "IBM z/OS Version 2 Release 3" for details:
  https://www-01.ibm.com/common/ssi/rep_ca/6/897/ENUS217-246/ENUS217-246.PDF

Slide 6 of 137

Disk data set encryption (DFSMS support)

● Option at creation of the data set
– Cannot be changed for an existing data set
– Can be requested through:
  ● Information in the data set's DFP segment (shown as the policy flag in reports)
  ● SMS data class
  ● JCL parameter
– Encryption status is kept in the VVDS
– The encryption key itself is in the CKDS
– All of this is collected by zSecure Collect

Slide 7 of 137

Disk data set encryption (zSecure support)

● Data is collected by new CKFCOLL support
– VVDS info is included in the existing data collection
– New CKFCOLL option to test whether the recorded key is usable: SYMKEYTEST=YES
  ● Check SYSPRINT to find the reason for an "untested" result, for example:
    CKF514I 00 CRME.AES.B128.DATA.OBEYFILE: encryption cell misses verification code
– CKDS/PKDS data set name is obtained from ICSF
– Key label and key characteristics are stored in the CKFREEZE; the key itself is blanked out in the CKFREEZE
– Can be disabled using CKDS/PKDS=NO

Slide 8 of 137

Disk data set encryption – ICSF_SYMKEY (RE.K.S)

● Overview display (left part); screenshot callouts:
– number of DFP segments with this key
– number of DFP SMS data classes with this key
– number of data sets with this key
– algorithm and key length
– archive flags: A=Archived, P=Prohibit Archive, U=Used while archived

Slide 9 of 137

Disk data set encryption – ICSF_SYMKEY (RE.K.S)

● Overview display (right part); screenshot callouts:
– last reference and service
– key validity
– key archival and recall
– RACF key protection

Slide 10 of 137

Disk data set encryption – ICSF_SYMKEY (RE.K.S)

● Detail display (bottom part); screenshot callouts:
– algorithm and key length
– merged access of (G)CSFKEYS
– KDSR-only information

Slide 11 of 137

Disk data set encryption – ICSF_PUBKEY (RE.K.P)

● Overview and detail display; screenshot callouts:
– algorithm and key length
– KDSR-only information

Slide 12 of 137

New fields in DSN newlist (RE.K.D)

● Select data sets with
– VVDS entry with key label
– DFP segment with key label
● Overview display, summarized by VVDS key label; screenshot callouts:
– key label from VVDS
– number of data sets
– whether the label in the VVDS matches the label in the profile
– actual test results

Slide 13 of 137

New fields in DSN newlist (RE.K.D)

● Detail display; screenshot callouts:
– unique identification of the data set
– key label
– indicator whether the data set can be decrypted (requires CKFCOLL SYMKEYTEST)

Slide 14 of 137

DFP Segment changes

● DFP segment selection and display include Datakey

Slide 15 of 137

CSFKEYS changes

● Conditional ACL for CSFKEYS

● Extra fields in ICSF segment (also available on select panel)

Slide 16 of 137

Command Verifier prevents changes to policy (1/2)

● RACF command:
  ALTDSD dsnprof
    [ DFP( [ RESOWNER(userid or group-name) | NORESOWNER ]
           [ DATAKEY(CKDS key label) | NODATAKEY ] ) ]
● New Command Verifier policy profiles
– Managing the RESOWNER of a data set: C4R.DATASET.DFP.RESOWNER.<dsnprof>
– Managing the DATAKEY of a data set: C4R.DATASET.DFP.DATAKEY.<dsnprof>

Slide 17 of 137

Command Verifier prevents changes to policy (2/2)

● RACF command:
  PERMIT CSFKEYS ... WHEN(CRITERIA(SMS(DSENCRYPTION)))
● New Command Verifier policy profile
– Specifying DSENCRYPTION as conditional access: C4R.<class>.CONDACL.SMS.<profile>

Slide 18 of 137

New fields for ICSF in SYSTEM newlist (AU.S)

● Added 54 fields about ICSF settings
– ICSF_ACTIVE, ICSF_AES_MKVP, ICSF_ALLOW_CLEARKEY, etc.

Slide 19 of 137

New fields and support in SMF newlist

● Record types 14/15/62
– Field KEY_LABEL if the DASD encryption extended information section is present in the record
– Added MGMTCLAS, STORCLAS, DATACLAS
– Pick up STEPNAME, JOBID, SYSPLEX, PROGRAM if present
● Pass on key label and bypass en/decryption flag to QRadar
● RECORDDESC extended with key label and bypass en/decryption, for example:
  Output activity for non-VSAM data set BONNES.ZEDC.COMP.SML.DATA4 encryption BONNES.DATA.KEY
  VSAM data set RLSADSW.KILLER.VSAM92.PATH1 opened for READ encryption CICS.VER1.MARCH2317

Slide 20 of 137

QRadar dashboard application

Slide 21 of 137

Encryption support

Encryption Readiness Technology

Slide 22 of 137

zERT – z Encryption Readiness Technology

● Monitors TCP and Enterprise Extender traffic
● Writes SMF records about the encryption used
● New parameters in the TCP/IP configuration file
– GLOBALCONFIG (NO)ZERT: enable/disable zERT discovery (in-memory data collection only)
– SMFCONFIG (NO)ZERTDETail: enable/disable writing of SMF
  ● New record type SMF 119-11 for known TLS/SSL, IPSec, or SSH security sessions over TCP connections
  ● Event types: Connection initiation, Protection State Change, Connection Termination, Short Connect Termination, zERT enabled, zERT disabled
– MONITOR (NO)ZERTService: enable/disable NMI retrieval of data

Slide 23 of 137

zERT – z Encryption Readiness Technology

● Many (100+) new SMF fields supported for selection and reporting: SA_Event_Type, SECURITY_PROTO_TLS_SSL, SECURITY_PROTOCOL_SSH, SECURITY_PROTOCOL_IPSEC, OUTBOUND_FILTER_BEHAVIOR, INBOUND_FILTER_BEHAVIOR, etc.
● Available via selection on EV.I via "further selection"

Slide 24 of 137

zERT – z Encryption Readiness Technology

● And subsequent selections (scrollable panels for multiple options)

Slide 25 of 137

zERT– z Encryption Readiness Technology

● Example output (top portion of multi-page report)

Slide 26 of 137

QRadar report

Slide 27 of 137

QRadar Dashboard

Slide 28 of 137

Access Monitor / Analytics interface

Slide 29 of 137

Access Monitor / Analytics interface

● New function in zSecure Access Monitor
– Intended for interaction with IBM Operations Analytics for z Systems (IOAz)
– Compared to SMF, AM data offers a more complete picture of Verify, Auth, and Fastauth events
● CSV files are created in a specified z/OS UNIX directory
● IOAz uses CDP to pick up the latest file contents
● Internal format of the CSV files is currently not documented
● Also available on zSecure 2.2.1 through OA52273

Slide 30 of 137

Access Monitor / Analytics interface

● Data flow (diagram on the slide): the RACF exits ICHRCX02, ICHRFX04, ICHRDX02 and ICHRIX02 intercept RACF access checks; the C2PACMON started task writes daily files Dyymmdd.Thhmm and .csv files Dyymmdd.Thhmm.csv to a zFS file system; the CDP started tasks pick them up and forward them to IOAz reporting.

Slide 31 of 137

Access Monitor / Analytics interface

● Overview of csv files created (ISPF 3.17)

● Sample contents of a file (not an intended interface)

Slide 32 of 137

IOAz reporting on Access Monitor data

● Search providing graph and list or table

Slide 33 of 137

IOAz reporting on Access Monitor data

● Dashboard, providing combination of graphs

Slide 34 of 137

IOAz reporting on Access Monitor data

● Dashboard, providing combination of graphs

Slide 35 of 137

Access Monitor / Analytics interface (AM-parameters)

● New keywords in C2PACMON configuration member

Slide 36 of 137

Access Monitor / Analytics interface (Configuration)

● New members in SCKRCARL/SCKRSAMP
– C2PAMANZ: main CARLa query to create the CSV file
– C2PAMANC: configuration member for ALLOC of CKFREEZE and RACF source
● IOAz uses CDP to pull files from the z/OS UNIX file system
– Specify generic zFS file and file pattern: /u/c2pacmon/AccMon.D??????.T????.csv
– Specify transform for CSV and UTF8
– Specify TCPIP destination for IOAz (logstash)
● IOAz provides different reporting types
– (Predefined) Search with graph and list or table
– Dashboard with multiple predefined graphs

Slide 37 of 137

Access Monitor / Analytics interface (Availability)

● Availability
– zSecure code also available on zSecure 2.2.1 through OA52273
– Code for IOAz 3.1 available through Insight Pack 3.1.0.3-CSI-IOAz-IF0003

Slide 38 of 137

Alert changes

Slide 39 of 137

TCP for syslog message transport

● Now possible to specify UDP or TCP for "syslog" alerts
– When using TCP, ensure the syslog receiver is available: all alerts are lost if one TCP destination does not respond, and events are lost if the delay exceeds 2 * alert-interval
● Use F C2POLICE,REFRESH to attempt recovery

Slide 40 of 137

Support for HPE Security ArcSight

● New alert format (HP Common Event Format)
– Available as a Unix syslog type destination
● Extra choice on the Destination selection panel (W line command)

Slide 41 of 137

Support for HPE ArcSight

● Extra column on alert selection display

Slide 42 of 137

Add support for HPE ArcSight

● Existing alerts have been adapted to support CEF format

● Example CEF alert:

Jun 23 08:04:58 NMPIPL87 CEF:0|IBM|zSecure Alert|2.3.0|C2P1102|Logon_Emergency|2|act=RACINIT deviceProcessName=BPXAS dvcpid=STC00355 dvchost=PL87 duid=IBMUSER duser=TO BE REVOKED-LATER outcome=Success msg=Emergency user IBMUSER logged on - Successful logon or job submit with a userid meant for emergencies
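The CEF line above is what the SIEM receives on the syslog destination. As an added example (not code from the slides or from zSecure), the following Python parser splits such a line into its syslog prefix, the seven pipe-separated CEF header fields and the key=value extension. It honours the CEF escape rules (backslash-escaped pipes in the header, backslash-escaped equals signs in extension values) and the fact that extension values such as duser=TO BE REVOKED-LATER contain spaces, so a naive split on blanks would break them. The sample line is the one from the slide; the second input in the usage section is constructed.

```python
import re

# Sample alert copied from the slide (zSecure Alert, CEF format, syslog transport).
SAMPLE_CEF = (
    "Jun 23 08:04:58 NMPIPL87 CEF:0|IBM|zSecure Alert|2.3.0|C2P1102|Logon_Emergency|2|"
    "act=RACINIT deviceProcessName=BPXAS dvcpid=STC00355 dvchost=PL87 duid=IBMUSER "
    "duser=TO BE REVOKED-LATER outcome=Success msg=Emergency user IBMUSER logged on - "
    "Successful logon or job submit with a userid meant for emergencies"
)

HEADER_KEYS = ("version", "vendor", "product", "product_version",
               "signature_id", "name", "severity")

# An extension key starts the line or follows whitespace and is directly followed by '='.
# Escaped '\=' inside a value never matches because '\' is not a key character.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def _split_header(text):
    """Return the 7 header fields and the remaining extension text.
    In the header '\\|' is a literal pipe and '\\\\' a literal backslash."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        c = text[i]
        if c == "\\" and i + 1 < len(text):      # escaped character
            cur.append(text[i + 1]); i += 2; continue
        if c == "|":                              # field terminator
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    return fields, text[i:]


def _unescape_ext(value):
    """Undo extension escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n' / '\\r' -> line breaks."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt)); i += 2
        else:
            out.append(value[i]); i += 1
    return "".join(out)


def parse_cef(line):
    """Parse a (possibly syslog-prefixed) CEF line into (prefix, header dict, extension dict)."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    prefix = line[:start].rstrip()
    fields, ext_text = _split_header(line[start:])
    header = dict(zip(HEADER_KEYS, fields))
    header["version"] = header["version"][len("CEF:"):]
    header["severity"] = int(header["severity"])
    ext = {}
    keys = list(_KEY_RE.finditer(ext_text))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext_text)
        ext[m.group(1)] = _unescape_ext(ext_text[m.end():end].strip())
    return prefix, header, ext


if __name__ == "__main__":
    prefix, header, ext = parse_cef(SAMPLE_CEF)
    print(prefix)
    print(header["signature_id"], header["name"], header["severity"])
    print(ext["duid"], "->", repr(ext["duser"]))
    # Constructed input exercising the escape rules.
    print(parse_cef("CEF:0|V|P\\|x|1|id|n|5|a=x\\=y b=z")[1:])
```

Severity is returned as an integer so that a consumer can threshold on it; the extension keys are kept verbatim (CEF key names are case-sensitive).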

Slide 43 of 137

Restructure Alert Configuration panels

● Panels have been reorganized to allow for extra destination

Slide 44 of 137

Alert identification in Destination panels

● Destination specification panels now identify selection

Slide 45 of 137

Extended Monitoring Alert selection

● EM alerts cannot be selected if EM has not been enabled
– If already selected, and EM is disabled, the status is set to n/a

Slide 46 of 137

Other Alert Configuration enhancements

● Setup Alert (SE.A.A) has to issue z/OS operator commands
– Not everyone had CONSOLE authority
– Now uses CONSOLE or the SDSF API: if authorized for the CONSOLE command, use it; if not, try SDSF "ISFSLASH" and use it if available
– Only used for DISPLAY and REFRESH commands
● B line command on the alert selection display is limited to browsing
– Previously, you could change the action specification
– Action specification is now restricted to the E line command

Slide 47 of 137

Restructure Alert skeletons

Slide 48 of 137

Restructure Alert skeletons

● Alert message text specified once, at the beginning of skeleton

● Process to easily include systemid in alert message

● For predefined Extended Monitoring alerts, the compareopt has been moved to the alert skeleton, and removed from C2PSGLOB

● Date and time added to Extended Monitoring alerts

● WTO-based alerts now use SMFID instead of SYSNAME

● Email alerts now end with two empty lines (as separator)

Slide 49 of 137

Support for SMF record type > 255

● SMF now also supports record types 256-2047
● New SMF exit IEFU86 for all record types
● zSecure Alert has been adapted
– On z/OS 2.3, IEFU86 is required
– If IEFU86 is not enabled, fall back to IEFU83/84/85; events recorded through record types 256-2047 are then lost
– User interface and FILTER statement updated to accept SMF record types 0-2047

Slide 50 of 137

Add new alerts

● UACC or ID(*)
– For data sets, update existing alerts 1202 and 1203
– For general resources, add alert 1304, which can be configured for the desired resource classes
● Setting or changing the LEVEL field
– 1216 for data sets, 1307 for general resources
● Warning attribute
– 1215 for data sets, 1305 for general resources

Slide 51 of 137

Improved CARLa for alerts 1107, 1108, and 1121

● Alerts now use lookups to
– User attributes
– User LJDATE
– User connect attributes
● Stage1 (preprocessing stage) has been removed
● Significant reduction in processing time and storage needs
● Backported to zSecure 2.1.1 through APAR OA51306

Slide 52 of 137

Corrected CARLa for alerts 1212, 1213, 1214

● Alert 1214 uses configuration members
– SENSMEMB: list of UPDATE-sensitive members in specific data sets
– SENSUPDT: list of privileged users and groups
● The exclusion list did not support the same user or group for multiple resources. The alert skeleton code has been corrected.
● The exclusion list for members of privileged user groups was not built correctly. The alert skeleton code has been corrected.
– Backported to zSecure 2.2.1 through APAR OA52942
● ACF2 selection in 2212/2213 corrected for non-data sets
● Alerts x212/x213 still apply to data sets and non-data sets

Slide 53 of 137

Changed alert content (message text)

● Detailed format of multiple alerts has changed, now more consistent and showing additional information
– Affected alerts: 1302 (Audited program); 1105/1106/2105/2106 (Attributes changed); 1506/1507 (Dynamic CDT changes)
● WTO-based alerts now show multiple lines: 1607 (SMF flooding); 1604/1605 (Health check messages)

Slide 54 of 137

Alert migration warning

● The new table layout is not downward compatible
● Migration prompt on entry to SE.A.A

Slide 55 of 137

Compliance Monitoring

Slide 56 of 137

Compliance testing and reporting

● Updated supported level of STIG to 6.31
● Many new ACF2 controls have been implemented
– Similar to the existing RACF controls for the Access Control Product (ACP)
● Number of implemented controls per standard:
– RACF: STIG 151, STIGplus 1, GSD 57, PCI-DSS 14
– ACF2: STIG 103, and 13 for one further standard
– TSS: STIG 40

Slide 57 of 137

User Interface for Compliance Testing

● AU.R option 2 allows creating and saving subsets
– Subsets were saved as separate members in CKACUST
– The process has been improved to now use table SUB#SETS
– Migration is automatic on the first save of a subset

Slide 58 of 137

ISPF User Interface changes

Slide 59 of 137

Restructure of Setup Output (SE.7) panels

● Allows easier selection and specification of allocation parameters
– For review, or no change, press ENTER
– Changes must be confirmed using END

Slide 60 of 137

Restructure of Setup Output (SE.7) panels

● Example allocation parameters

Slide 61 of 137

Alternative command layout for recreate

● Commands generated for RECREATE have been restructured
– Existing support creates many commands; most attributes have their own command
– New support creates fewer commands; each command has multiple keywords, with each keyword on a continuation line
● Existing support is easier for post-processing; new support uses fewer resources to generate and execute
● New/updated SCKRCARL members: CKRXC*
● Choice presented on the Recreate option panels

Slide 62 of 137

Alternative command layout for recreate

● New choice on recreate option panel

Slide 63 of 137

Combined Base and DFP segment display

● New choice on the data set selection panel: combine information from the Base segment with the DFP segment
● Columns from both segments in the overview display
● Bottom of the detail display

Slide 64 of 137

P line command on connect and ACL display

● New P line command in detail displays
– RA.U and RA.G: list of connect entries
– RA.D and RA.R: access list
● Shows the regular USER or GROUP detail panel

Slide 65 of 137

Password expire option on P line command

● Options panel has been clarified and enhanced
– Possible expire options are represented more clearly through a "radio button" selection
– Support for generating RACF and CKGRACF commands

Slide 66 of 137

Add resource related newlists to RE option

● Resource reporting restructured into the RE option
– Added new newlists
– Added existing newlists previously not in the UI
– Added existing newlists previously only in AU.S

Slide 67 of 137

Add resource related newlists to RE option

● 2nd Level panels

Slide 68 of 137

New function to show field information (IN)

● ISPF option similar to the FIELDS command, now available as option IN.D/1
● Overview of fields actually present in the allocated input files, including example values, now available as option IN.D/2

Slide 69 of 137

New function to show file information (IN)

● Data elements (CARLa fields) in input records, available as option IN.D

Slide 70 of 137

New function to show file information (IN)

● Overview of allocated files (name, type, created, #recs, ...), available as option IN.F

Slide 71 of 137

Enhancements for User displays

● AU.S password age reporting now also considers phrase age
● RA.U SR line command updated for recent RACF changes
– Authentication info (Phrase, MFA)
– Attributes (ROAUDIT)
– More segments

Slide 72 of 137

CKRCARLA changes

Slide 73 of 137

Support for Encryption fields

● Show DATAKEY in DFP segment

● Show conditional access CRITERIA(SMS(DSENCRYPTION))

● Show CKDS and PKDS keylabels and how used

● Show encryption information for selected datasets

● See “Encryption Support” earlier in presentation

Slide 74 of 137

New Workattr Field for E-mail

● New WAEMAIL field in the WORKATTR segment
– Can be used for job identification and notification
● Selection
– Filter patterns "*" and "**" work on "qualifiers"
– [email protected] has three qualifiers
● Detail display

Slide 75 of 137

Support for RACF Enhancedgenericowner

● SETROPTS option to prevent generic ADDMEM in grouping classes
● New field in SYSTEM newlist: racf_enh_genericowner

Slide 76 of 137

Additional fields showing RRSF DENYINBOUND

● RRSF has an option to prevent incoming RACF commands
● Three new fields show this setting
– LOCAL_DENYINBOUND
– TARGET_DENYINBOUND
– LOCAL_DENY_COUNT

Slide 77 of 137

Support for TSO 8-character userid

● Report enablement in SYSTEM newlist; also added other TSO-related fields
● Widened UPT field for longer prefix

Slide 78 of 137

Support for SMF record types 256-2047

● Extended record type ranges in SMFOPT newlist
● New SMF fields for a more precise timestamp
– EVENT_TOD, EVENT_TOD_TZ, EVENT_TOD_RUNTZ

Slide 79 of 137

Support for DB2 R12 (1/3)

● New fields in the DB2_REGION newlist
– DB2_APPLCOMPAT, ZPRM_UTILS_HSM_MSGDS_HLQ, ZPRM_UTIL_DBBSG, ZPRM_UTIL_LGBSG, ZPRM_SELECT_FOR_UNLOAD
● Updated fields in the DB2_TABLE newlist
– *_ACL shows the UNLOAD privilege as the last column of SUIADRTXU
– For older releases, the U column value is shown as "-"
● Added SMF support for IFCID 370, 371, 373, 404
– Stepname, Recorddesc, full DB2_Connection, DB2_Object, DB2_ObjectType
● Available in the ISPF UI
● SMF for IFCID 343, 361, 362, 370, 371, 373, 404 is included in the LEEF data for QRadar

Slide 80 of 137

Support for DB2 R12 (2/3)

● New fields in the DB2_REGION newlist
– In the region overview, available far to the right
– In the detail display

Slide 81 of 137

Support for DB2 R12 (3/3)

● Updated fields in the DB2_TABLE newlist

Slide 82 of 137

DB2 Reporting performance improvements

● Problem scenario
– Data on DB2 is collected in the CKFREEZE
– Data for the requested report was retained in storage for all DB2 subsystems present in the CKFREEZE file, independent of the SELECT in CARLa
● Solution
– For Tables and Packages, use pre-selection to skip DB2 data that is determined not to be needed for the report

Slide 83 of 137

MQ: New field for MCAUSER

● Existing support for Channel only showed the userid/password for outgoing messages; now also the ID (MCAUSER) for incoming messages

Slide 84 of 137

MQ: Longer remote queue manager names

● Remote queue manager name was truncated at 4 characters
– Overview now shows ">" if truncated
– Detail shows the full name
● Artificial example:

Slide 85 of 137

MQ: Corrected resource names for QSG-only

● Resources were always defined at QMGR and QSG level
– Switch profiles can deactivate checking on either level
– Code has been changed to only define resources used by MQ
● Screenshots: QSG-only security, QMGR-only security

Slide 86 of 137

MQ Resource names in Compliance Reports

● MQ Queue compliance report (ZWMQ0054) shows compliant and non-compliant queue names
– The queue name did not include any reference to the SSID/QSG
– Resource name has been changed to include the SSID/QSG

Slide 87 of 137

CICS: Terminal Read Timeout

● CICS provides a timeout mechanism for transactions
– Terminal READ time after which the task is terminated with an AKCT, AZCT or AZIG abend
– Specified in the transaction profile
– New field in the CICS_TRANSACTION newlist: TRAN_RTIMOUT

Slide 88 of 137

CICS: Improved display of CICS SMF records

● Some performance fields were shown as "garbage"; they are now printed in hex, or interpreted:
  NETUOWSX – network unit of work ID   AE4BEC056D470001
  TRNGRPID – transaction group ID      NLIBMCRM.CI54PL87 - 13 Jun 2017 09:57:18.424789

Slide 89 of 137

New newlist for JES NJE nodes (1/4)

● JES_NODE newlist
– Complex, System, Ver, Nodename, Nodenum, Class, Resource, RACF_profile, etc. (40 more)
● Example CARLa query in CKADQJN and CKALQJN
● Also available in RE.J.N

Slide 90 of 137

New newlist for JES NJE nodes (2/4)

● Displays provide insight in node settings and security (part 1)

Slide 91 of 137

New newlist for JES NJE nodes (3/4)

● Displays provide insight in node settings and security (part 2)

Slide 92 of 137

New newlist for JES NJE nodes (4/4)

● Fields Class, Resource, RACF_Profile show which profiles are used for input/output/command authorization
● Resources are marked as sensitive (RESOURCE newlist)
– Use line command S (and P) to see details of the profiles

Slide 93 of 137

New newlist for System Symbols/Variables

● SYSTEM_VARIABLE newlist
– Complex, System, Ver, Variable, Value
● Example CARLa query in CKADQMV and CKALQMV, intended for multi-system reports
● Also available in RE.O.V

Slide 94 of 137

New newlists for current environment (1/2)

● RUN newlist
– HOSTNAME, HWNAME, LPAR, ESM, SYSNAME, SYSPLEX, SYSCLONE, SYSTEM, VMUSERID, DATETIME, PROGRAM_STAMP, PROGRAM_VERSION, JOBID, JOBNAME, USERID

Slide 95 of 137

New newlists for current environment (2/2)

● RUN_DD newlist
– COMPLEX, SYSTEM, VER, DATETIME, DDNAME, CONCAT, DEFTYPE, INOUT, RECNO, SOURCE, TYPE, VOL_DSN_PATH
● Example CARLa in CKRDQEF and CKRLQEF
● Also available in IN.F

Slide 96 of 137

Extra field values in AS_DD and RESOURCE newlist

● Fields in the AS_DD and RESOURCE newlist now have a value: CLASS, RESOURCE, PROFILE
● Previously empty for UR, TP, GRAPHIC, JESSPOOL
– Mainly used for Compliance Reporting

Slide 97 of 137

Extra fields in newlists

● New fields in JOBCLASS newlist
– DUPL_JOB_OK, GROUP, DESC, DSENQSHR_ALLOW, DSENQSR_AUTO, SCHENV, SYSSYM
● 54 new ICSF fields in SYSTEM newlist
● New fields in SYSTEM newlist
– Subsystem information: EMERGENCY_SUBSYS, PRIMARY_SUBSYS_TYPE
– IPL parameter information: IPLPARM_RACF, IPLPARM_FXE, IPLPARM_IZU

Slide 98 of 137

Other enhancements

● QRadar support
– Extra field provided: TERMINAL for SMF 118/119
● CARLa output formats
– HEXTOIP: only applies to TERMINAL if it is 8 hex characters (IPv4 address)
– CEF_DT and CEF_DTZ: intended for datetime fields in the header of syslog records, as used by HPE Security ArcSight
● New field in SYSTEM newlist: PRIMARY_SUBSYS_TYPE
– Shows JES2 or JES3

Slide 99 of 137

Other enhancements

● New SMF record types
– JES2 record type 84 with 11 new subtypes
● SMF record now includes the SERVAUTH profile
– If present in the RACF relocate section
– If the name can be derived from the Security Token
– Also backported through APAR OA52766
● AT-TLS SMF records now include FIPS mode
– Field FIPS_MODE with values Off/On/Lvl1/Lvl2/Lvl3
● New resource classes for Operational Decision Manager (ODM)
– HBRADMIN, HBRCONN, and HBRCMD

Slide 100 of 137

Generating CSV

● Old style:
  newlist type=smf nopage outlim=1
    s event=racinit user:special
    sortlist 'Date,Time,User,Name,Terminal'
  newlist type=smf nopage
    s event=racinit user:special
    sortlist date(7) | ',"' | time(8) | '",' | user(0), | ',"' | user:name(0) | '",' | terminal

● New style:
  newlist type=smf header=csvt
    s event=racinit user:special
    sortlist date(7) time(8) user(0) user:name(0,"Name") terminal

● Result:
  Date   ,Time      ,User,Name,Terminal
  25Oct17,"07:15:07",IBMUSER,"TO BE REVOKED-LATER",
  25Oct17,"07:22:54",JOEUSER,"SUPER USER",NTCP0015
  25Oct17,"07:23:46",JOEUSER,"SUPER USER",
  25Oct17,"08:37:24",MARYJANE,"MARY JANE ADMIN",NTCP0017

Slide 101 of 137

Streamlining generation of Output records

● New values for HEADER in the NEWLIST and OPTION statement
– Existing values: COLUMN, PREFIX, NONE
– New values:
  ● CEF: prefix headers compatible with the HP Security ArcSight Common Event Format (CEF)
  ● LEEF: prefix headers compatible with the QRadar Log Event Extended Format (LEEF)
  ● TSOCMD: prefix headers compatible with TSO commands
  ● CSV: layout compatible with RFC 4180 for Comma Separated Value (CSV) format
  ● CSVT: CSV with a preceding "title" line
  ● TSV[T]: TAB Separated Values
  ● RFC5424: prefix headers compatible with SYSLOG format
  ● ... see the OPTION command for the full list
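The old-style CARLa query on the "Generating CSV" slide had to hand-assemble separators and quotes in the SORTLIST; the HEADER values listed here move that work into the output formatter. As an added example (not code from the slides or from zSecure), the following Python module renders one constructed logon record in the output shapes named above: RFC 4180 CSV with an optional title line (the CSVT case), a CEF record with the CEF header and extension escaping rules, a LEEF 1.0 record for QRadar, and an RFC 5424 syslog prefix placed in front of the CEF record. The vendor/product/version strings, the syslog facility and severity, and the tab handling in LEEF values are assumptions made for the example.

```python
import csv
import io

# Constructed sample record (not from the slides): one RACINIT logon event whose
# Name field contains a quote and a comma, to exercise the CSV quoting rules.
EVENT = {
    "Date": "25Oct17",
    "Time": "07:15:07",
    "User": "IBMUSER",
    "Name": 'TO BE "REVOKED", LATER',
    "Terminal": "",
}

# Assumed product identification (matches the CEF sample shown earlier in the deck).
VENDOR, PRODUCT, VERSION = "IBM", "zSecure Alert", "2.3.0"


def to_csv(records, title=True):
    """HEADER=CSV / CSVT analogue: RFC 4180 rows.  A field is quoted only when it
    contains the separator, a quote or a line break, and embedded quotes are
    doubled.  title=True emits the CSVT title line first."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\r\n")
    if title:
        writer.writerow(records[0].keys())
    for rec in records:
        writer.writerow(rec.values())
    return buf.getvalue()


def _cef_header(s):
    # CEF header fields: backslash and pipe must be escaped.
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(s):
    # CEF extension values: backslash and '=' must be escaped; line breaks become \r / \n.
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(sig_id, name, severity, ext):
    """HEADER=CEF analogue: 'CEF:0' plus six header fields, then space-separated key=value pairs."""
    head = "|".join(_cef_header(x) for x in (VENDOR, PRODUCT, VERSION, sig_id, name, str(severity)))
    body = " ".join(f"{k}={_cef_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{head}|{body}"


def to_leef(event_id, attrs):
    """HEADER=LEEF analogue: LEEF 1.0 header, then tab-separated key=value attributes.
    A tab inside a value would split the attribute list, so it is replaced by a blank
    (a choice made for this example, not a LEEF rule)."""
    body = "\t".join(f"{k}={v.replace(chr(9), ' ')}" for k, v in attrs.items())
    return f"LEEF:1.0|{VENDOR}|{PRODUCT}|{VERSION}|{event_id}|{body}"


def rfc5424_prefix(timestamp, host, app, procid="-", msgid="-", facility=4, severity=4):
    """HEADER=RFC5424 analogue: '<PRI>1 TIMESTAMP HOST APP PROCID MSGID -' with no
    structured data.  PRI = facility*8 + severity; 4/4 (auth, warning) is an assumed default."""
    pri = facility * 8 + severity
    return f"<{pri}>1 {timestamp} {host} {app} {procid} {msgid} -"


def syslog_cef(timestamp, host, app, sig_id, name, severity, ext):
    """Complete syslog line as a CEF (ArcSight) destination would receive it."""
    return f"{rfc5424_prefix(timestamp, host, app)} {to_cef(sig_id, name, severity, ext)}"


if __name__ == "__main__":
    print(to_csv([EVENT]), end="")
    print(syslog_cef("2017-06-23T08:04:58Z", "PL87", "C2POLICE", "C2P1102", "Logon_Emergency", 2,
                     {"duid": EVENT["User"], "duser": EVENT["Name"], "outcome": "Success"}))
    print(to_leef("C2P1102", {"usrName": EVENT["User"], "cat": "Logon_Emergency"}))
```

The point of separating the escaping per format is the same one the slide makes about HEADER: a record is described once as fields, and the destination decides how separators, quotes and prefixes are applied.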

Slide 102 of 137

Streamlining generation of Output records

● Individual formatting options can be used independently
– COND: makes output conditional (including headers)
– TRIM: strip trailing blanks
– FIELDSEP: defines the field separator
– PREFIXSEP: defines the separator between prefix and field value
– SUFFIXSEP: defines the separator after the field value
– QUOTE: quoting a field value
– QUOTE_TRIGGER: when to quote
– QUOTE_REPLACE_CHAR: how to quote
– REPLACE_CHAR: output editing
– PREFIXLEN: now allows long values and 0 (trim)
● Some formatting options can be reversed on a field basis

Slide 103 of 137

Exploitation of Streamlined Output Generation

● HEADER=LEEF is used for QRadar (batch and NRT)
– Uses significantly less CPU time compared to the previous CARLa query

Slide 104 of 137

ACF2 related enhancements

Slide 105 of 137

ACF2 ACTIVE support for ACF2_LID

● Support PRIMARY ACTIVE allocation for ACF2LID
● Used when CARLa uses the ACF2_LID newlist and selects:
– SELECT LID=abcd, a single logonid
– SELECT LID=abc-, a single mask
– SELECT LID>abc LID<=b, a range
– SELECT LID=(abc,def), a list of logonids
● Restrictions:
– For other or more complex selects, the program falls back to the backup logonid database
– The select is applied to all queries that use the logonid database

Slide 106 of 137

ACF2 ACTIVE support for ACF2_LID

● Information is retrieved using the ACF2 SVC
● Benefit, compared to reading the backup logonid database, depends on the select statement:
– select of a single logonid is significantly faster
– select of many logonids is probably slower
● ACF2 access control is used for retrieval (scoping), for example:
  CKR2194 04 Access denied by ACF2: ACF02002 NOT AUTHORIZED FOR REQUEST

Slide 107 of 137

Other ACF2 related enhancements

● Implicit lookup to ACF2_LID now supported

Slide 108 of 137

Support for password/phrase recreate when using zSecure Server

Slide 109 of 137

Password/phrase recreate support

● The zSecure UNLOAD process replaces sensitive information, like passwords, phrases, and encryption keys, by asterisks
– Poses a problem when using a zSecure server: sensitive data cannot be "recreated"
● New support to include sensitive information from a zSecure server
– Communication between servers must be encrypted, or the server must be the local server (self-connect)
– User must have UPDATE on CKNDSN.RACF.<zsecnode>.<zsecsys>.<source>
– New internal keyword on the UNLOAD statement: SERVER_SECURED
– New field in RACF newlist: HAS_SENSITIVE_FIELDS
– New field in ZSECNODE newlist: CONNECTION_SECURE
● Available in zSecure 2.2.0 through APAR OA51224

Slide 110 of 137

CKGRACF enhancements

Slide 111 of 137

Enhancement of CKGRACF RDELETE function

● Block delete commands can now be executed in single CKGRACF command

Slide 112 of 137

Access Monitor changes

Slide 113 of 137

Reduce CPU overhead

● New working mode for AM-RACF exits: FastStore
– Uses cellpool services in the user address space (below the bar, but above the line)
– Less CPU usage in high-activity WebSphere installations
– Available on zSecure 2.2.1 through OA51549
– FastStore is now the default mode
● New option: PreConsolidate
– Identical events are recorded using a single buffer record that contains an incremented count and the latest timestamp
– Can provide a significant reduction of CPU and buffer usage, e.g. in installations with FSACCESS active
– Available on zSecure 2.2.1 through OA51551
– PreConsolidate is now the default


Improve zIIP exploitation

● zSecure Access Monitor installs RACF exits to intercept events

– Exits need working storage to build Access records

– Obtaining working storage can lead to “drop out of zIIP”

– Access Monitor itself does not exploit zIIP processors

● New working mode for AM-RACF exits: FastStore

– New exit routines C2PRxY0x

– Combination of router exit (C2XRxX0x or C2XRxZ0x) and functional routine (C2PRxX0x)

– Uses cellpool services in user address space (below the bar, but above the line)

– Improved zIIP exploitation, less CPU usage

– Will be available on zSecure 2.2.1 through OA51549

– FastStore is now the default mode


Access Monitor PreConsolidation

● zSecure Access Monitor collects event data for RACF events

– Some events occur very often

● e.g. FASTAUTH for FSACCESS

– Significant burden on buffer usage and CKRCARLA summary process

● New option: PreConsolidate

● Identical events are recorded using a single buffer record

– Buffer record is updated with

● incremented count

● latest timestamp

– Can provide significant reduction of CPU and buffer usage

● depending on system workload

– Will be available on zSecure 2.2.1 through OA51551

– PreConsolidate is now the default
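The two PreConsolidate slides above (“Reduce CPU overhead” and “Access Monitor PreConsolidation”) describe the same idea: identical events share one buffer record that carries a count and the latest timestamp. The following Python is an added illustration of that consolidation logic written for this page; it is not zSecure code, and the event fields, the sample events and the choice of which fields make two events “identical” are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """One RACF event as an Access Monitor exit might see it.

    Constructed shape for this example, not the product's record layout.
    """
    function: str        # e.g. FASTAUTH, AUTH
    user: str
    resource_class: str
    resource: str
    access: str          # requested access level
    result: str          # e.g. ALLOW
    timestamp: int       # constructed: seconds since epoch


@dataclass
class BufferRecord:
    """The single buffer record that stands in for a run of identical events."""
    count: int
    last_timestamp: int


Key = Tuple[str, str, str, str, str, str]


def consolidation_key(ev: AccessEvent) -> Key:
    """Everything except the timestamp decides whether two events are identical
    (assumption for the example)."""
    return (ev.function, ev.user, ev.resource_class, ev.resource, ev.access, ev.result)


def preconsolidate(events: List[AccessEvent]) -> Dict[Key, BufferRecord]:
    """Fold a stream of events into buffer records: first occurrence creates the
    record, every repeat increments the count and keeps the latest timestamp."""
    buffer: Dict[Key, BufferRecord] = {}
    for ev in events:
        key = consolidation_key(ev)
        rec = buffer.get(key)
        if rec is None:
            buffer[key] = BufferRecord(count=1, last_timestamp=ev.timestamp)
        else:
            rec.count += 1
            # Events may arrive slightly out of order; keep the latest timestamp.
            rec.last_timestamp = max(rec.last_timestamp, ev.timestamp)
    return buffer


def records_saved(events: List[AccessEvent]) -> int:
    """How many buffer records consolidation avoided for this event stream."""
    return len(events) - len(preconsolidate(events))


def sample_events() -> List[AccessEvent]:
    """Constructed sample: a WebSphere-style burst of identical FSACCESS checks,
    plus two unrelated events that must stay separate."""
    base = dict(function="FASTAUTH", user="WASUSER", resource_class="FSACCESS",
                resource="/var/wlp", access="READ", result="ALLOW")
    events = [AccessEvent(timestamp=t, **base) for t in (1000, 1003, 1001, 1004, 1002)]
    events.append(AccessEvent("FASTAUTH", "BATCH01", "FSACCESS", "/var/wlp", "READ", "ALLOW", 1005))
    events.append(AccessEvent("AUTH", "WASUSER", "DATASET", "SYS1.PARMLIB", "READ", "ALLOW", 1006))
    return events


if __name__ == "__main__":
    evs = sample_events()
    for key, rec in preconsolidate(evs).items():
        print(key, rec)
    print("buffer records saved:", records_saved(evs))
```

The seven sample events collapse to three buffer records; the repeated FSACCESS check becomes one record with count 5 and the latest of its timestamps, which is the reduction in buffer usage and downstream CKRCARLA summary work the slides refer to.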


New configuration options:

● New keywords on C2PAMP OPTION statement


Code fix for OA51577

● zSecure Access Monitor and zSecure Alert Program Call

– Needs working storage for updating in-storage buffers

– On busy systems, a coding error might result in abends

– Program call code is present in C2PACMON and C2POLICE

● Module C2PSMFPC has been updated to use cellpool storage in started task address space

– Small CPU improvement during data collection

– No new parameters/interface

– Is also available on zSecure 2.2.0 through OA51577 plus OA53468


Exclude deleted IDs

● Reporting interfaces AM.1 and AM.2 now have an option to ignore IDs that are (no longer) present in the current RACF source.

– Reduces number of differences in AM.2


Essential/Redundant Groups

● Select/exclude access in AM.1 via essential groups

– are these the only remaining groups that provide access?

● Two types of reports

– Essential group: No other group grants access

– Not using group: Show access allowed only via other groups

● Use when moving access from one or more (old) groups to a new group


Command Verifier changes


Changed generation of Random Passwords

● Previously, the generated password only used a subset of characters

– Uppercase alphabetics, numerics, national characters

● Logic has been changed to use all available characters based on SETROPTS settings

– Generated password always has length 8

– Password rules that force a particular character are ignored. All password characters are randomly selected from all available characters.

● Always: uppercase, numerics, national

● MIXEDCASE: lowercase alphabetics can be used

● SPECIALCHARS: special characters can be used
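To show what widening the character set does to a generated 8-character password, here is an added Python example written for this page; it is not the Command Verifier's generator. It assumes the three national characters are `@`, `#` and `$` and that the SPECIALCHARS set is the one listed for RACF SETROPTS PASSWORD(SPECIALCHARS) (`. < + | & ! * - % _ > ? : =`); verify both against your own code page and RACF level.

```python
import math
import secrets
import string

# Assumed for this example: RACF "national" characters in code page 037.
NATIONAL_CHARS = "@#$"
# Assumed for this example: the SETROPTS PASSWORD(SPECIALCHARS) set; verify locally.
SPECIAL_CHARS = ".<+|&!*-%_>?:="

PASSWORD_LENGTH = 8  # the slide states generated passwords are always 8 long


def allowed_characters(mixedcase: bool = False, specialchars: bool = False) -> str:
    """Character pool derived from the SETROPTS PASSWORD settings:
    uppercase, numerics and national characters are always allowed,
    MIXEDCASE adds lowercase, SPECIALCHARS adds the special set."""
    chars = string.ascii_uppercase + string.digits + NATIONAL_CHARS
    if mixedcase:
        chars += string.ascii_lowercase
    if specialchars:
        chars += SPECIAL_CHARS
    return chars


def generate_password(mixedcase: bool = False, specialchars: bool = False,
                      length: int = PASSWORD_LENGTH) -> str:
    """Every position is drawn independently and uniformly from the pool,
    using the OS CSPRNG; no "must contain a digit" style rule is applied,
    matching the slide's statement that such rules are ignored."""
    alphabet = allowed_characters(mixedcase, specialchars)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(mixedcase: bool = False, specialchars: bool = False,
                 length: int = PASSWORD_LENGTH) -> float:
    """Guessing-resistance of a uniformly random password: length * log2(pool)."""
    return length * math.log2(len(allowed_characters(mixedcase, specialchars)))


if __name__ == "__main__":
    for mixed, special in ((False, False), (True, False), (True, True)):
        pool = allowed_characters(mixed, special)
        print(f"MIXEDCASE={mixed!s:5} SPECIALCHARS={special!s:5} pool={len(pool):2d} "
              f"bits={entropy_bits(mixed, special):5.1f} sample={generate_password(mixed, special)}")
```

With the old subset (39 characters) an 8-character password carries about 42 bits; with MIXEDCASE and SPECIALCHARS active (79 characters) it is about 50 bits, which is why the change matters even though the length stays 8. Because selection is uniform, a generated password can by chance lack a character class that a site password rule demands; the slide notes that such rules are deliberately not enforced by the generator.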


CKFCOLL Improvements


Improve support for shared dasd

● CKFCOLL collects environment data in CKFREEZE data sets.

– When used in a shared DASD environment, information from DASD is retrieved multiple times.

– Best practice is to use SHARED=Y on only one system, and SHARED=N on all other systems.

– Some information is still processed multiple times.

● Data collection code has been improved to further reduce “duplicate” processing of VTOC information.

– Reduced I/O load on shared DASD devices

● Backported to zSecure 2.2.0 through APAR OA51889.


New keywords for Pervasive Encryption

● New keyword to activate testing the dataset encryption key label in the VVDS

SYMKEYTEST={YES|NO}

Requires VVDS=YES

● DEBUG messages through DEBUG SYMKEYTEST


Support for Multi-factor Authentication


Support for MFA policies

● MFA 1.2 supports the definition of POLICYs:

– Can be used for out-of-band authentication

● First authenticate out-of-band to MFA server

– Login using userid and password/phrase

– Policy in user profile points to POLICY in MFADEF

– Policy in MFADEF points to factors

– Factor uses TAG information in USER profile

– User provides information for factors (pin, token, ...)

● MFA-server provides a Token

● Token can be used to logon to application


Factor names in profile displays

● New MFPOLICY segment in MFADEF resource class

– New fields: mftimeo, mfreuse, mffctrs

– Segment available in UI in presence/absence/display list

Two factors in this policy


Policy name in USER displays

● New POLICY information in USER profile

– New field: mfapolnm

– Policy selection available in UI on “Other fields”

– Detail MFA information in user display


Command Verifier support for POLICY

● MFA now supports the definition of POLICYs:

– Can be used to authenticate using an MFA POLICY.

● First authenticate out-of-band to MFA server

● MFA-server provides a Token

● Token can be used to logon to RACF

● Policy specifies how out-of-band authentication is done

● zSecure Command Verifier can control management of

– MFADEF fields in MFPOLICY segment

– POLICY information in user profile


Command Verifier controls POLICY in USER profiles

● RACF Command

ALTUSER userid MFA( [ ADDPOLICY(polname …) | DELPOLICY(polname … | * ) ] )

● New Command Verifier policy profiles

– Managing POLICY for a user: C4R.USER.MFA.POLICY.<polname>.<owner>.<userid>

– As usual, an asterisk is replaced by a plus in the CV policy: C4R.USER.MFA.POLICY.+.SYS1.IBMUSER


Command Verifier protects policy profiles

● RACF Command

RALTER polprof [MFPOLICY( [FACTORS(factname …) | ADDFACTOR(factname …) | DELFACTORS(factname …) | NOFACTORS] [TOKENTIMEOUT(timeout-seconds)] [REUSE(YES | NO)] )]

● New Command Verifier policy profiles

– Managing FACTORs for POLICY: C4R.<class>.MFPOLICY.FACTOR.<factname>.<polprof>

– NOFACTORS is treated as DELFACT(*): C4R.MFADEF.MFPOLICY.FACTOR.+.POLICY.MYFACT

– Managing TOKENTIMEOUT or REUSE: C4R.<class>.MFPOLICY.ATTR.TOKENTIMEOUT.<polprof> and C4R.<class>.MFPOLICY.ATTR.REUSE.<polprof>
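The two Command Verifier slides above (POLICY in USER profiles, and MFPOLICY in MFADEF profiles) each give a profile-name pattern and the rule that an asterisk in the command becomes a plus in the C4R profile. The following Python, added for this page and not part of Command Verifier, derives the policy profile names an administrator would need to define or audit for a given command. It assumes the owner of the user profile is supplied by the caller (the ALTUSER command does not carry it), that policy and factor operands contain no parentheses, and that the sample names POL1, POL2, MYFACT and POLICY.MYPOL are constructed for the example (only IBMUSER, SYS1 and POLICY.MYFACT come from the slides).

```python
import re
from typing import List, Optional, Sequence


def cv_qualifier(name: str) -> str:
    """Command Verifier convention from the slides: an asterisk in a command
    operand is written as a plus sign in the C4R policy profile name."""
    return name.replace("*", "+")


def user_mfa_policy_profiles(userid: str, owner: str, policies: Sequence[str]) -> List[str]:
    """C4R.USER.MFA.POLICY.<polname>.<owner>.<userid>, one per policy operand."""
    return [f"C4R.USER.MFA.POLICY.{cv_qualifier(p)}.{owner.upper()}.{userid.upper()}"
            for p in policies]


# ADDPOLICY(...) / DELPOLICY(...) operands inside the MFA(...) keyword.
_MFA_OPERAND = re.compile(r"(ADDPOLICY|DELPOLICY)\(([^)]*)\)", re.IGNORECASE)


def altuser_policy_profiles(command: str, owner: str) -> List[str]:
    """Policy profiles Command Verifier would consult for an ALTUSER ... MFA(...)
    command. `owner` is the owner of the user profile, passed in by the caller
    (assumption: it is looked up separately, as the command does not carry it)."""
    tokens = command.split()
    if len(tokens) < 2 or tokens[0].upper() not in ("ALTUSER", "ALU"):
        raise ValueError("not an ALTUSER command")
    userid = tokens[1]
    names: List[str] = []
    for _keyword, operand in _MFA_OPERAND.findall(command):
        names.extend(operand.split())          # "POL1 POL2" or "*"
    return user_mfa_policy_profiles(userid, owner, names)


def mfpolicy_profiles(resource_class: str, polprof: str,
                      factors: Sequence[str] = (), addfactor: Sequence[str] = (),
                      delfactors: Sequence[str] = (), nofactors: bool = False,
                      tokentimeout: Optional[int] = None,
                      reuse: Optional[str] = None) -> List[str]:
    """Policy profiles for RALTER polprof MFPOLICY(...) operands."""
    names: List[str] = []
    for fact in (*factors, *addfactor, *delfactors):
        names.append(f"C4R.{resource_class}.MFPOLICY.FACTOR.{cv_qualifier(fact)}.{polprof}")
    if nofactors:  # the slide: NOFACTORS is treated as DELFACT(*)
        names.append(f"C4R.{resource_class}.MFPOLICY.FACTOR.+.{polprof}")
    if tokentimeout is not None:
        names.append(f"C4R.{resource_class}.MFPOLICY.ATTR.TOKENTIMEOUT.{polprof}")
    if reuse is not None:
        names.append(f"C4R.{resource_class}.MFPOLICY.ATTR.REUSE.{polprof}")
    return names


if __name__ == "__main__":
    # The slide's own example: DELPOLICY(*) for IBMUSER owned by SYS1.
    print(altuser_policy_profiles("ALTUSER IBMUSER MFA(DELPOLICY(*))", owner="SYS1"))
    # Constructed example: add two policies in one command.
    print(altuser_policy_profiles("ALTUSER IBMUSER MFA(ADDPOLICY(POL1 POL2))", owner="SYS1"))
    # The slide's NOFACTORS example, plus a constructed attribute change.
    print(mfpolicy_profiles("MFADEF", "POLICY.MYFACT", nofactors=True))
    print(mfpolicy_profiles("MFADEF", "POLICY.MYPOL", addfactor=("MYFACT",), tokentimeout=300))
```

Generating the names this way is useful when writing the C4R profiles in the first place: the wildcard form with `+` is the one to define (and to watch for) because it is the profile that governs the wholesale DELPOLICY(*) and NOFACTORS operations, which remove MFA requirements from a user or a policy in a single command.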


zSecure Visual user display

● Display and manage MFA FACTOR and POLICY for users

[Screenshot callouts: Password, Phrase and MFA indicators; Protected; Password Fallback if no-MFA; MFA context menu items]


zSecure Visual user attributes

● Add/Delete MFA POLICY, FACTOR and FACTOR TAGs

[Screenshot callouts: Factors and Policies lists; Add Factor; Edit Factor-Tags]


zSecure Visual MFADEF profiles

● Manage MFADEF profiles and segments

[Screenshot callouts: Factors and Policies lists for the MFADEF profile; Edit Factor-Tags]


Other changes and Currency


Currency support

● z/OS 2.1, 2.2, 2.3

– All supported z/OS releases

● CICS TS 5.4

● ICSF release HCR77C0

● STIG release 6.31

● Out of support

– ACF2 14, TSS 14

Session feedback

• Please submit your feedback online at:

http://conferences.gse.org.uk/2017/feedback/FH

• Paper feedback forms also available from the Chair person

• This session is FH