What's new in RACF?

IBM is constantly enhancing functions or adding new functions to RACF. Read on:

• z/OS V.11
  
  z/OS V1.11 is available! This release includes these new RACF functions:
  • Program object signature verification
  • Logon statistics suppression
  • Identity propagation
  • R_admin extract support for general resources
  • LDAP change logging for general resources
  • Automatic creation of OMVS segments for users and groups
  • RACROUTE REQUEST=FASTAUTH honors the TRUSTED and PRIVILEGED attributes
  • Profile name in authorization exits
  • IRRADU00 support for WAS and TKLM
  • RACDCERT multi-byte character improvements

• z/OS V.10
  
  z/OS V1.10  is available! This z/OS release includes these new RACF functions:

  • Support for RACF password phrases by TSO/E logon, z/OS UNIX functions, OpenSSH, and the IBM Tivoli Directory Server (also know as the z/OS LDAP server).

  • Custom fields are planned for RACF USER and GROUP profiles, with corresponding administration support using RACF commands, ISPF panels, and LDAP. This support is designed to allow you to add fields using a new RACF CFIELD class to define the new fields to be added to USER or GROUP profiles and the labels you want to use for them.

  • RACF password administration design will be changed to allow more selective authority for resetting passwords to be granted. This support is designed to allow you to grant individuals the capability to reset passwords for one or more users or the users that are members of one or more groups without having the system-wide RACF SPECIAL attribute or access to the system-wide IRR.PASSWORD.RESET profile in the FACILITY class.

  •  RACDCERT will be able to generate 4096-bit RSA keys through software, in addition to the hardware capability of generating keys with such length.

  • Support for additional characters from the UTF8 character set for certificates supported by PKI Services is planned for z/OS V1.10, adding to the support made available in RACF in z/OS V1.9.

  • RACDCERT and PKI Services are planned to be able to generate and display the IPv6 type Internet Protocol address (IP address), in addition to the IPv4 format, in the certificate Subject Alternate Name extension.

  • PKI Services is planned to support three additional Distinguished Name attribute types: Domain Component, Distinguished Name Qualifier, and User ID.

  • IBM plans to provide an additional IBM Tivoli Directory Server for z/OS extended operation to support group access checking in addition to user access checking.
    

• z/OS V1.9
  
  z/OS V1.9 is available! This z/OS release includes these new RACF functions:

  • Support for RACF pass phrases from 9 to 13 characters in length

  • Kerberos AES support

  • Java RACF User and Group administration interface

  • Writable SAF Keyring support

  • An reaffirmation of the  z/OS Statement of Integrity

• z/OS V1.8
  
  z/OS V1.8  is available! This z/OS release includes these new RACF functions:

  • Support for RACF pass phrases from 14 to 100 characters in length

  • Support for virtual key rings

  • New RACF checks for the IBM Health Checker for z/OS and enhancements to the RACF_SENSITIVE_RESOURCES check

  • Support for DB2 Version 9

  • IRRUT200 and IRRUT400 Enhancements

  • Group Change Logging

  • Remote Authorization and Audit (EIM)

  • PKI Services Enhancements

• z/OS Common Criteria Certification
  
  In May, 2007, z/OS Version 1 Release 8 was certified at Evaluated Assurance Level 4, augmented by ALC_FLR1, using the CAPP and the LSPP protection profiles.  
  
  http://www.ibm.com/security/standards/st_evaluations.shtml contains a list of the IBM security evaluations.
  

This page was last updated  November 2009.