What's new in RACF

IBM is constantly enhancing functions or adding new functions to RACF. Read on:

  • z/OS V1.10

    z/OS V1.10 is available! This z/OS release includes these new RACF functions:

    • Support for RACF password phrases by TSO/E logon, z/OS UNIX functions, OpenSSH, and the IBM Tivoli Directory Server (also known as the z/OS LDAP server).

    • Custom fields are planned for RACF USER and GROUP profiles, with corresponding administration support using RACF commands, ISPF panels, and LDAP. This support is designed to let you use a new RACF CFIELD class to define the fields to be added to USER or GROUP profiles and the labels you want to use for them.

    • RACF password administration design will be changed so that authority for resetting passwords can be granted more selectively. This support is designed to allow you to grant individuals the capability to reset passwords for one or more users, or for the users that are members of one or more groups, without having the system-wide RACF SPECIAL attribute or access to the system-wide IRR.PASSWORD.RESET profile in the FACILITY class.

    • RACDCERT will be able to generate 4096-bit RSA keys through software, in addition to the hardware capability of generating keys with such length.

    • Support for additional characters from the UTF8 character set for certificates supported by PKI Services is planned for z/OS V1.10, adding to the support made available in RACF in z/OS V1.9.

    • RACDCERT and PKI Services are planned to be able to generate and display IPv6-format Internet Protocol (IP) addresses, in addition to the IPv4 format, in the certificate Subject Alternate Name extension.

    • PKI Services is planned to support three additional Distinguished Name attribute types: Domain Component, Distinguished Name Qualifier, and User ID.

    • IBM plans to provide an additional IBM Tivoli Directory Server for z/OS extended operation to support group access checking in addition to user access checking.

  • z/OS V1.9

    z/OS V1.9 is available! This z/OS release includes these new RACF functions:

  • z/OS V1.8

    z/OS V1.8 is available! This z/OS release includes these new RACF functions:

    • Support for RACF pass phrases from 14 to 100 characters in length

    • Support for virtual key rings

    • New RACF checks for the IBM Health Checker for z/OS and enhancements to the RACF_SENSITIVE_RESOURCES check

    • Support for DB2 Version 9

    • IRRUT200 and IRRUT400 Enhancements

    • Group Change Logging

    • Remote Authorization and Audit (EIM)

    • PKI Services Enhancements

  • z/OS V1.7

    z/OS V1.7 contains these new RACF functions:

    • Mixed-case passwords. Resource managers which support mixed-case passwords include:

      • z/OS V1R7
        • TSO/E
        • Console logon
        • JOB statements
        • z/OS UNIX functions

      • CICS Transaction Server 3.1

      • CICS Transaction Server 2.3 (with PTF)

      • CICS Transaction Server 2.2 (with PTF)

      • z/OS V1R7 Communications Server
        • FTP server
        • rshd 
        • rexecd 
        • RXSERVET
        • TN3270 server (for RestrictAppl and Unformatted System Services (USS) functions)
        • telnet server
        • LPD server

      • DB2 V7 (with APAR PK23736)

      • DB2 V8 (with APAR PK23736)

      • DB2 V9

      • RMF Performance Monitoring Java Technology Edition

    • Creation of SMF type 80 records during user logon (RACROUTE REQUEST=VERIFY,ENVIR=CREATE) when you have SETR AUDIT(USER) specified and the user changes his/her password

    • Delegated resources (allowing access to some resources, e.g. crypto services/keys, based on the server identity rather than the client identity)

    • Keeping revoke dates in user profiles during ALTUSER ... RESUME processing

    • RACF support for IBM Health Checker for z/OS

    • Improved programming interfaces for PassTicket generation and evaluation, including Java support

    • Automatic RVARY SWITCH to backup RACF DB if RACF detects an I/O error on the primary and the device is marked as offline

    • Improved auditing and messages for the z/OS UNIX getpsent function to improve availability

    • Improved SETR INACTIVE processing, to allow SETR INACTIVE to apply to users who have never logged on if you created them with z/OS R7

    • New "extract" functions of R_admin to allow programs to perform LISTUSER and LISTGRP functions and get the output back in a form that is: 

      • complete (no 4096 line limit)

      • easier to process (structured, rather than unstructured output as you get from the command processors today)

      • defined as a programming interface

  • z/OS Common Criteria Certification

    In May 2007, z/OS Version 1 Release 8 was certified at Evaluation Assurance Level 4, augmented by ALC_FLR1, using the CAPP and the LSPP protection profiles.

    http://www.ibm.com/security/standards/st_evaluations.shtml contains a list of the IBM security evaluations.

  • Guest LAN and Virtual Switch Protection in RACF for z/VM

    With RACF for z/VM APAR VM63452, and z/VM V5R1 (generally available as of September 24, 2004), virtual networking on z/VM is more secure than ever! RACF for z/VM can provide Guest LAN and Virtual Switch authorization, including Virtual LAN (VLAN) assignment. For more information on Guest LANs and Virtual Switches, see z/VM Version 5 Release 1 Connectivity in the z/VM Version 5 Release 1 library. For more information on the RACF protection, see RACF Version 1 Release 10 Security Administrator's Guide in the RACF Version 1 Release 10 library.



This page was last updated March 2008.