Free Trial

Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.


Share this Page URL
Help

Chapter 1. z/OS V1R12 enhancements > Security Server - Pg. 35

1.19 Security Server The need for strong platform security is a core attribute and one of the basic values of the z/OS platform. The mainframe is an ideal security hub for the enterprise. A security-rich holistic design helps protect the system from malware, viruses, and insider threats. Also, z/OS system and virtualization integrity features mean you can confidently place data, applications, and mixed workloads on System z. Flexible, centralized role-based access controls resource access to the System z. Encryption solutions integrated into z/OS help secure data from theft or compromise, both on the network or on storage media. Built on the time-tested System z encryption infrastructure, availability, disaster recovery, and access controls, z/OS encryption solutions are more robust, resilient, and scalable than encryption solutions that are pieced together from disparate technologies. Also, a tamper-resistant encryption System z hardware module can protect encryption keys from detection and tampering with the highest certification at FIPS 140-2 Level 4. In addition to encryption, z/OS can provide end-to-end security solutions for your enterprise. z/OS can provide centralized, highly secure and resilient key management for IBM tape encryption across the enterprise. Create and manage an enterprise-wide user registry with the help of IBM Tivoli® Directory Server for z/OS. Be your own enterprise-wide digital certificate authority with full life cycle management with z/OS PKI Services. z/OS can also help you address your compliance needs with more confidence. Extensive audit capabilities of z/OS can facilitate regulatory compliance. Add Tivoli Compliance Insight Manager for integrated audit, monitoring and compliance for an enterprise scope. Independent Common Criteria certifications attest that z/OS and System z solutions have been methodically designed, tested, and reviewed for secure operations. RACF XTIOT support In z/OS V1R12, RACF now supports extended task I/O tables (XTIOTs), uncaptured UCBs, and DSABs above 16 MB for data sets allocated by programs. RACF RAS enhancements A discrete general resource profile with generic characters (*,%,&) in its name, defined in a class enabled for generics (GENCMD or GENERIC) is often called a "ghost" profile. Such profiles are not referenced by RACF for authorization checking. However, when defined, they can confuse and annoy RACF administrators and system programmers. In z/OS V1R12, RACF provides a new NOGENERIC keyword for the RDELETE command to enable you to delete these profiles. Also a GENERIC=N option is implemented for R_admin DELETE. Generic profile load performance Support is added to z/OS V1R12 that improves performance when loading large numbers of generic profiles, and allows you to modify the number of generic anchor tables that are kept per address space. Digital certificate long distinguished name support In z/OS V1R12, RACF and PKI Services now support longer distinguished names in digital certificates. For certificates with distinguished names longer than 246 characters that use MD2, MD5, SHA224, SHA256, SHA384, and SHA512 hash algorithms, a new format for the profile string supports distinguished names of up to 1,024 characters in length. This is intended to support your use of certificates with very long distinguished names. Chapter 1. z/OS V1R12 enhancements 35