IBM is constantly enhancing functions or adding new functions to RACF. Read on:
IBM’s System z Security Just Got Stronger!
RACF for z/OS 1.12 has achieved Common Criteria certification at Evaluation Assurance Level 5 (EAL5) under the Common Criteria Evaluation and Certification Scheme. Common Criteria is an internationally approved set of security standards that provides an assessment of products’ ability to meet security standards, providing a yardstick to help customers with their security decisions.
EAL5 is the highest commercial grade assurance level and exceeds what other commercial platforms offer. Now this advantage which existed with PR/SM also extends to RACF.
z/OS Version 1 Release 13
z/OS V1.13 is available! This release includes these new RACF functions:
TCP/IP support for the RACF Remote Sharing Facility (RRSF)
Support hardware-generated Elliptic Curve Cryptography (ECC) secure keys
RACF support is planned for generating Elliptic Curve Cryptography (ECC) secure keys using the Crypto Express3 Cryptographic Coprocessors (CEX3C) available for zEnterprise servers.
z/OS Version 1 Release 12
z/OS V1.12 is available! This release includes these new RACF functions:
Generic profile load performance enhancements
"Ghost" generics detection and elimination
Additional SAFTRACF filtering
z/OS Version 1 Release 11
z/OS V1.11 is available! This release includes these new RACF functions:
Program object signature verification
Logon statistics suppression
R_admin extract support for general resources
LDAP change logging for general resources
Automatic creation of OMVS segments for users and groups
RACROUTE REQUEST=FASTAUTH honors the TRUSTED and PRIVILEGED attributes
Profile name in authorization exits
IRRADU00 support for WAS and TKLM
RACDCERT multi-byte character improvements
z/OS Version 1 Release 10
z/OS V1.10 is available! This z/OS release includes these new RACF functions:
Support for RACF password phrases by TSO/E logon, z/OS UNIX functions, OpenSSH, and the IBM Tivoli Directory Server (also know as the z/OS LDAP server).
Custom fields are planned for RACF USER and GROUP profiles, with corresponding administration support using RACF commands, ISPF panels, and LDAP. This support is designed to allow you to add fields using a new RACF CFIELD class to define the new fields to be added to USER or GROUP profiles and the labels you want to use for them.
RACF password administration design will be changed to allow more selective authority for resetting passwords to be granted. This support is designed to allow you to grant individuals the capability to reset passwords for one or more users or the users that are members of one or more groups without having the system-wide RACF SPECIAL attribute or access to the system-wide IRR.PASSWORD.RESET profile in the FACILITY class.
RACDCERT will be able to generate 4096-bit RSA keys through software, in addition to the hardware capability of generating keys with such length.
Support for additional characters from the UTF8 character set for certificates supported by PKI Services is planned for z/OS V1.10, adding to the support made available in RACF in z/OS V1.9.
RACDCERT and PKI Services are planned to be able to generate and display the IPv6 type Internet Protocol address (IP address), in addition to the IPv4 format, in the certificate Subject Alternate Name extension.
PKI Services is planned to support three additional Distinguished Name attribute types: Domain Component, Distinguished Name Qualifier, and User ID.
IBM plans to provide an additional IBM Tivoli Directory Server for z/OS extended operation to support group access checking in addition to user access checking.