z/VM 6.2 has been announced! The RACF Security Server for z/VM, function level 620, has been enhanced to provide the following:
- Support for z/VM Single System Image (SSI) clusters. When RACF is used in a z/VM SSI cluster, all member systems share the RACF database, providing z/VM guests with a common and consistent security image. RACF support for SSI includes the following:
  - RACF validates the security configuration when a system joins the SSI, catching mistakes that would go undetected in a traditional database-sharing configuration and preventing the database corruption that would otherwise result.
  - Automatic propagation of SETROPTS, RVARY, and SETEVENT commands across all RACF servers on all members of the SSI. Even outside of an SSI configuration, this function works among multiple servers on a single system, which is an improvement over previous releases.
  - Updates to the RPIDIRCT exec to support the new security-related CP directory statements pertaining to SSI.
  - Infrastructure to establish a new security environment when a Linux guest is relocated to another member of the SSI, and to clean up on the source system.
  - Establishment of a security environment for a CP command issued on one system and directed to another using the new CP AT command, with an audit trail showing where the command originated.
- Support for defining protected user IDs. Protected user IDs are protected from being used to log on to the system and from being revoked through inactivity or unsuccessful attempts to access the system using incorrect passwords and password phrases. Prior to 6.2, RACF could only protect against incorrect password and password phrase attempts. With 6.2, RACF also protects against inactivity, and the externals are now consistent with those on RACF for z/OS.
- Mandatory access control and discretionary access control for z/VM real devices (CP ATTACH and GIVE commands).
- Mandatory access control for the CP SET SECUSER and SET OBSERVER commands.
- ALTER access to a VMMDISK (minidisk) profile no longer confers management rights upon the profile itself, thus improving security.
- New interface to query security product configuration information.
- Simplified Program Directory.
- RPIDIRCT improvements to processing of special password values in the CP directory.
- The requirement for having the High Level Assembler in order to make local modifications to the RACF configuration has been removed.
In addition, the Tivoli Directory Server (LDAP) has also been upgraded to the z/OS V1.12 level. Among the enhancements provided, the following relate directly to RACF:
- Support for management and change logging of general resource profiles in RACF.
- Enhanced password processing. In particular, improved password expiration processing makes the Pluggable Authentication Module (PAM) on Linux more usable. This benefit applies regardless of whether the password is an LDAP password or a RACF password.
Prior releases of RACF for z/VM include:
- z/VM 6.1. While there are no functional RACF enhancements from V5.4, this release includes a roll-up of service items and a restructure of the RACF Security Administrator's Guide specifically for the z/VM client.
- The RACF Security Server Function Level 540 (FL540) for z/VM 5.4. This release provides password and password phrase enveloping and LDAP change logging of user and group profile updates. These enhancements, along with an upgrade of the LDAP server to the z/OS V1.10 level allow you to retrieve updates, including password changes, from z/VM and securely propagate them across the enterprise.
- RACF Security Server feature Function Level 530 (FL530) for z/VM V5.3. This release of the RACF feature provides:
  - All function and service in the z/OS V1.10 release. This includes the z/VM guest LAN and virtual switch support shipped in 1.10 APARs VM63452 (base support) and VM63750 (sniffer support).
  - Mixed-case password support.
    - Passwords can now contain lowercase alphabetic characters.
    - Enablement of mixed-case support, and updated password syntax rules, managed with the SETROPTS command.
  - Password phrase support.
    - A mixed-case password that is from 9 to 100 characters in length and can include blanks and other special characters.
    - Can be used to log on to CP using local terminals or telnet, and with FTP.
    - Many password-related SETROPTS options apply to password phrases as well.
    - Sample new-password-phrase exit ICHPWX11, which calls a REXX exec in which additional quality rules may be coded.
  - Support for the new z/VM LDAP server. This allows LDAP clients (such as a Linux image) to:
    - update and query information in RACF user and group profiles,
    - authenticate to the LDAP server using a RACF password, and
    - use LDAP services to submit remote authorization and audit requests to the RACF server.
  - Various improvements to user-related processing.
    - Support for NOPASSWORD users. Such a user could still have a password phrase, and be forced to authenticate using it. Or, the user could have neither a password nor a phrase, as an additional control for service virtual machines. RACF has been changed to create NOPASSWORD users by default, rather than setting the initial password to the user's default group.
    - Improved auditing of password changes.
    - Ability to specify NOEXPIRED on the ALTUSER command so that the password assigned does not need to be changed at LOGON. This is helpful to user management and password synchronization applications.
    - Improved ALTUSER command places the user's current password in the password history list before changing the password.
  - The SMF data unload utility can emit XML output so that it can be loaded into any XML-enabled application for analysis.
  - Protection for the CP FOR command, and for DIAGNOSE X'88'.
  - The RACF class descriptor table has increased the number of POSIT values available for use, making it possible to add more customer-defined classes.
  - Simplification of the documentation library by removal of information pertinent only to MVS (z/OS).
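As an added illustration (not from the original page or from IBM), the following CMS REXX exec issues RACF commands through the RAC interface to put the FL530 mixed-case password support and the NOEXPIRED and NOPASSWORD options described above into effect. The user IDs LNXGUEST and SVMUSER, the temporary password, and the numeric limits are assumptions chosen for the example.

```rexx
/* SETPWPOL EXEC: example RACF password policy for z/VM (FL530 or later) */
/* Each quoted line is passed to CMS, which runs the RAC command to RACF. */

/* Allow lowercase letters in passwords; without MIXEDCASE, RACF */
/* folds the password to upper case before checking it.           */
'RAC SETROPTS PASSWORD(MIXEDCASE)'
if rc <> 0 then say 'SETROPTS MIXEDCASE failed, rc=' rc

/* Keep the last 10 passwords, expire after 60 days, revoke the */
/* user ID after 5 consecutive bad password or phrase attempts.  */
'RAC SETROPTS PASSWORD(HISTORY(10) INTERVAL(60) REVOKE(5))'
if rc <> 0 then say 'SETROPTS PASSWORD options failed, rc=' rc

/* Revoke user IDs that have not logged on for 90 days. From 6.2 on, */
/* protected user IDs are exempt from this inactivity revocation.     */
'RAC SETROPTS INACTIVE(90)'
if rc <> 0 then say 'SETROPTS INACTIVE failed, rc=' rc

/* Show the active options so the change can be verified and audited. */
'RAC SETROPTS LIST'

/* A provisioning tool sets a known password for a Linux guest without */
/* forcing a change at the next LOGON (NOEXPIRED, new in FL530).        */
'RAC ALTUSER LNXGUEST PASSWORD(Temp0rar) NOEXPIRED'
if rc <> 0 then say 'ALTUSER LNXGUEST failed, rc=' rc

/* A service virtual machine that must never be logged on to with a */
/* password or a password phrase (NOPASSWORD users, new in FL530).   */
'RAC ALTUSER SVMUSER NOPASSWORD NOPHRASE'
if rc <> 0 then say 'ALTUSER SVMUSER failed, rc=' rc

exit rc
```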
Starting with z/VM 5.3, RACF releases are specific to the release of the operating system, much like the Security Server for z/OS. That is, the RACF Security Server feature FL530 is supported only on z/VM 5.3, and is not planned to be supported on any other z/VM release.
Do you need a copy of the program directory for RACF for z/VM? No problem! Check out http://www.vm.ibm.com/progdir/ for a complete set of program directories for all supported z/VM releases.
This page was last updated October, 2011.