IRRSDL00
(R_datalib)
|
z/OS® V1R13 |
- A new private key type X'00000009' for an Elliptic Curve Cryptography (ECC) key stored
in the PKDS is handled by the DataGetFirst and DataGetNext functions
of the R_datalib callable service.
|
- Extend the hardware ECC support from RACF and PKI Services
to enhance key security, and enhance the RACDCERT command to
handle the growing number of key types.
|
IRRSCH00
(R_cacheserv)
|
z/OS V1R13 |
- Function code X'0007' provides support for an extended read/write cache containing
both RACF and distributed user information. The function is further
defined by the Option parameter.
|
- Enhance z/OS Identity Propagation support by eliminating the need to
go to the RACF database for the retrieval of security relevant information.
|
IRRSCO00
(R_chown)
|
z/OS V2R1 |
- The R_chown service RACF authorization section has been updated.
|
- Clarify the user authority when CHOWN.UNRESTRICTED exists and
does not exist.
|
IRRSDL00 or IRRSDL64
(R_datalib)
|
z/OS V2R1 |
- Function code X'08', DataPut, adds a certificate to the RACF database
(if it does not already exist), and connects it to a key ring.
- Multiple private_key_types have been updated for secure PKCS11
support.
|
- If the private key associated with the certificate is specified
in a DER-encoded format or as a key label, the certificate will be added
with the specified key types accordingly in the RACF database.
- Prevent the deletion of the private key and the certificate that has been used
to generate a request.
|
IRRSEQ00
(R_admin)
|
z/OS V2R1 |
- The R_admin service Profile extract parameter list (input and
output) table is updated for length X'04000000'.
|
- The length X'04000000' description has been enhanced for clarity.
|
IRRSGI00
(R_getinfo)
|
z/OS V1R13 |
- Update the R_getinfo service to return the value of the APPLDATA
fields of the caller-specified profile in the REALM class.
|
- The R_getinfo service is updated to support an additional function
to retrieve certain information from the RACF database.
|
IRRSGM00
(getGMAP)
|
z/OS V2R1 |
- Update the getGMAP service usage notes when a new GID is assigned
and SETROPTS AUDIT(GROUP) is in effect.
|
- Determine if an SMF type 80 record is to be generated.
|
IRRSIA00
(InitACEE)
|
z/OS V2R1 |
- initACEE register and deregister return codes with reason code
28.
|
- The certificate cannot be deregistered because it has been used
to generate a request through RACDCERT GENREQ.
|
IRRSIM00
(R_usermap)
|
z/OS V1R13 |
- Function code X'0008' returns the RACF user ID associated with
the supplied user's Distinguished Name and Registry/Realm Name.
|
- The R_usermap support of Identity Propagation enables a user's
Distinguished Name and a Registry/Realm Name to be used to determine
the associated RACF user ID.
|
IRRSKA00
(ck_access)
|
z/OS V2R1 |
- If the user does not have the RACF Auditor attribute, and a file
system name was specified in the CRED, and the FSACCESS class is active
and RACLISTed, RACF will check for a profile in the FSACCESS class
that covers the file system name. If a matching profile is found and
the user does not have at least UPDATE authority, access is denied.
Otherwise, authorization is determined by subsequent checks.
|
- Check for proper authority.
|
IRRSKI00
(ck_IPC_access)
|
z/OS V2R1 |
- An audit record is optionally written, depending on the audit
options in effect for the system. If the audit function code in the
CREDIPC is AFC_WGETIPC, no audit record is written.
|
- Check audit function code to determine if an audit record is to
be written.
|
IRRSKP00
(ck_priv)
|
z/OS V2R1 |
- If the caller is not superuser and the audit function code is
listed, an authorization check is performed on the corresponding resource
name in the UNIXPRIV class. If the authorization check is successful,
the caller is treated as a superuser.
|
- Check for proper authority.
|
z/OS V1R13 |
- Update the UNIXPRIV class resource names used in the ck_priv table.
|
- Check for proper authority.
|
IRRSPX00
(R_PKIServ)
|
z/OS V2R1 |
- The R_PKIServ SAF callable service Parmlist_version parameter
is updated.
- CertPlist for GENCERT and REQCERT table is updated with new field
names.
|
- Provide granular authorization on PKI functions.
- PKI Services supports the creation of Extended Validation certificates.
|
IRRSQF00
(query_file_security_options)
|
z/OS V2R1 |
- The query_file_security_options service Output_value parameter
note is updated with a new condition.
|
- If all conditions are true, then _POSIX_CHOWN_RESTRICTED
is not in effect.
|
IRRSUM00
(getUMAP)
|
z/OS V2R1 |
- Update the getUMAP service Flag parameter to search by user ID
and return the z/OS UNIX user identifier (UID).
|
- The getUMAP service flag parameter is updated to not create a new
UID even if BPX.UNIQUE.USER is defined.
|