Last Updated: 16 June 2021


z/VM Security and Integrity

News Archive


Previous announcements regarding IBM security. Note that links are not guaranteed to function, though best effort will be given to validating them from time to time.


19 February 2019 -- z/VM 6.4 System SSL Cryptographic Module Receives FIPS 140-2 Certification

The z/VM V6.4 System SSL module, with the PTF for APAR PI99134, has been validated as conforming to the Federal Information Processing Standard (FIPS) 140-2. This industry-recognized cryptographic standard mandates modern digital key sizes and integrity checking for TLS operations. z/VM 6.4 System SSL is used by both the z/VM LDAP Server and z/VM TLS/SSL Server. This satisfied the statement of direction made in the IBM Software Announcement dated October 25, 2016.


19 September 2018 -- z/VM V6.4 Achieves Common Criteria Certification

All certification activities for z/VM 6.4 are complete. The certifying body issued its certification on April 23, 2018. z/VM 6.4, with the SSI and RACF Security Server features enabled, has been certified to conform to the Operating System Protection Profile (OSPP) with Virtualization (-VIRT) and Labeled Security (-LS) extensions of the Common Criteria standard for IT security, ISO/IEC 15408, at Evaluation Assurance Level 4 (EAL4+).


03 August 2017 -- Whitepaper on Validating and Repairing RACF Database Integrity

A new TechDoc has been published for the RACF for z/VM Database. It covers how to detect integrity problems with your RACF database, as well as recommended steps one can take for corrective action when problems are reported. RACF database validation is highly recommended before and after applying service to RACF for z/VM, especially if the RACF database template will be upgraded.

Refer to the Security Publications page for a link to this whitepaper.


31 March 2017 -- z/VM 6.4 RACF Enhancements

The RACF Security Server for z/VM 6.4 has received additional enhancements to enable better security policy management. These include:

  • A new user role, Read-Only AUDITOR (ROAUDIT), has been added to RACF for z/VM. This role allows a user to access audit records without granting the authority to write to them.
  • RAC SETEVENT LIST output has been modified to display the current VMXEVENT profile(s) which RACF/VM is using to control and/or audit z/VM security events.
  • The XAUTOLOG..ON operand (Classes A and B) is now disabled automatically when RACF/VM is running. A generic profile can be created in RACF/VM to restore original behavior.

For more information, refer to APAR VM65930.


31 March 2017 -- CRYPTO APVIRT for the TLS/SSL Server

The TLS/SSL Server for z/VM TCP/IP has been enhanced to offload clear-key RSA operations to available z Systems Crypto Express hardware.

  • For usage information, refer to APAR PI72106
  • For performance implications, refer to z/VM Performance: TLS/SSL Server Changes (see bottom of page)


25 October 2016 -- Statement of Directions

See the Release for Announcement for z/VM V6.4 for more information:

  • FIPS Certification of z/VM V6.4

IBM intends to pursue an evaluation of the Federal Information Processing Standard (FIPS) 140-2 using National Institute of Standards and Technology's (NIST) Cryptographic Module Validation Program (CMVP) for the System SSL implementation utilized by z/VM V6.4.

  • Security Evaluation of z/VM V6.4

IBM intends to evaluate z/VM V6.4 with the RACF Security Server feature, including labeled security, for conformance to the Operating System Protection Profile (OSPP) of the Common Criteria standard for IT security, ISO/IEC 15408, at Evaluation Assurance Level 4 (EAL4+).


25 October 2016 -- z/VM V6.4 RACF Enhancements

  • A new option, NoAddCreator, which prevents the userid issuing RDEFINE commands from being automatically added to the access control list of profiles it creates
  • Updates to the DirMaint-RACF Connector exit to allow automatic conversion of the LINK and NICDEF statements to RACF security policy
  • Disabling the default use of the ICHRCX02 exit, in accordance with IBM best practices and recommendations
  • The z/OS 2.2 equivalency of the following updates, first released as APARs of z/VM 6.3:
    • A new password encryption option, KDFAES, which strengthens the RACF database against offline attacks
    • An ALTUSER command function to "clean up" password history after lowering the password history value
    • The ability to expire a userid's password without changing its value
    • Helpdesk support, which allows security administrators to grant non-SPECIAL userids the capability to reset and manage passwords
    • ALTUSER extensions to support the NOREVOKE and NORESUME keywords
    • Updates to the RACUT200 database management utility to allow it to execute in CST environments
    • A new option, MINCHANGE, which allows minimum password change intervals to be configured
    • A new Diagnose x'A0' subcode which allows for the generation of RACF Passtickets on z/VM
    • Support for 14 additional special characters in passwords

For more details on z/VM V6.4, please visit our z/VM V6.4 Resource page.


14 September 2015 -- z/VM V6.3 Releases Security Enhancement PTFs

IBM z/VM V6.3 has released PTFs which upgrade and enhance the security function within the hypervisor. More information about these updates to the z/VM TLS/SSL Server and RACF for z/VM can be found on the web page for z/VM 6.3 Additional Enhancements or at the APAR/PTF pages:

  • APAR VM65719 - Requires APAR VM65688
  • APAR PI40702

Please consult appropriate manuals and documentation about the use of these features.

Additionally, all z/VM releases under service have been updated to modify which TLS/SSL cipher suites are enabled by default. This change in cipher suite availability has been made to keep z/VM in line with IBM's policies regarding legacy-mode encryption technologies. Please refer to updates in the z/VM 6.3 TCP/IP Planning and Customization Guide for more information as to which ciphers are now disabled by default, and instructions for enabling them if your installation requires any of them.


30 March 2015 -- z/VM V6.3 Achieves Common Criteria Certification

All certification activities for z/VM 6.3 are complete. The certifying body issued its certification on March 30, 2015. z/VM 6.3, with the SSI and RACF Security Server features enabled, has been certified to conform to the Operating System Protection Profile (OSPP) with Virtualization (-VIRT) and Labeled Security (-LS) extensions of the Common Criteria standard for IT security, ISO/IEC 15408, at Evaluation Assurance Level 4 (EAL4+).


30 April 2014 -- z/VM 6.3 System SSL Cryptographic Module Receives FIPS 140-2 Certification

The z/VM V6.3 System SSL module, with the PTF for APAR PI04999, has been validated as conforming to the Federal Information Processing Standard (FIPS) 140-2. This industry-recognized cryptographic standard mandates modern digital key sizes and integrity checking for SSL and TLS operations. z/VM 6.3 System SSL is used by both the z/VM LDAP Server and z/VM SSL-TLS Server. This satisfied the statement of direction made in the IBM Software Announcement dated July 23, 2013.


23 July 2013 -- Statement of Direction: FIPS Certification of z/VM V6.3

IBM intends to pursue an evaluation of the Federal Information Processing Standard (FIPS) 140-2 using National Institute of Standards and Technology's (NIST) Cryptographic Module Validation Program (CMVP) for the System SSL implementation utilized by z/VM V6.3.


23 July 2013 -- Statement of Direction: Security Evaluation of z/VM V6.3

IBM intends to evaluate z/VM V6.3 with the RACF Security Server feature, including labeled security, for conformance to the Operating System Protection Profile (OSPP) of the Common Criteria standard for IT security, ISO/IEC 15408, at Evaluation Assurance Level 4 (EAL4+).


20 February 2013 -- z/VM V6.1 Achieves Common Criteria Certification

All certification activities for z/VM 6.1 are complete. The certifying body issued its certification on February 20, 2013. z/VM 6.1 with the RACF Security Server optional feature has been certified to conform to the Operating System Protection Profile (OSPP) with Virtualization (-VIRT) and Labeled Security (-LS) extensions of the Common Criteria standard for IT security, ISO/IEC 15408, at Evaluation Assurance Level 4 (EAL4+).


26 June 2012 -- z/VM 6.1 System SSL Cryptographic Module Receives FIPS 140-2 Certification

All FIPS 140-2 certification work is complete. The z/VM V6.1 System SSL module has been validated as conforming to the Federal Information Processing Standard (FIPS) 140-2. This is the first time that z/VM has been certified to this industry-recognized cryptographic standard. z/VM System SSL is used by both the z/VM LDAP Server and z/VM SSL Server.


22 July 2010 -- Statement of Direction: EAL4 Certification for z/VM V6.1

IBM intends to evaluate z/VM V6.1 with the RACF Security Server optional feature, including labeled security, for conformance to the Operating System Protection Profile (OSPP) of the Common Criteria standard for IT security, ISO/IEC 15408, at Evaluation Assurance Level 4 (EAL4+).

Note: This statement of direction was made in a July 22, 2010 IBM announcement for z/VM V6.1. All statements regarding IBM's plans, directions, and intent are subject to change or withdrawal without notice.


06 October 2009 -- Solution Edition for Security Offering -- Securing your z/VM and Linux for System z environment

Consolidation, cost savings, and Green Initiatives are sweeping through all industries at an exponential pace. Securing a virtualized environment is a vital component of the enterprise security strategy. System z risk and security management controls provide differentiated advantage over alternative solutions. IBM's virtualization components have been integrated within hardware and software for over 30 years, and provide a robust set of unparalleled capabilities. Scalability, availability, and reliability controls are built within the infrastructure. Additional business value is included in centralized auditing and reporting functions, centralized security components and centralized infrastructure. The Solution Edition Offering for Security delivers the capabilities required to secure your virtualization environment.


18 September 2008 -- z/VM V5.3 Achieves Common Criteria Certification

All certification activities for z/VM V5.3 are complete. The certifying body issued its certification on July 28, 2008. z/VM V5.3 with the RACF Security Server optional feature has been certified to conform to the Controlled Access Protection Profile (CAPP) and Labeled Security Protection Profile (LSPP) of the Common Criteria standard for IT security, ISO/IEC 15408, at Evaluation Assurance Level 4+ (EAL4+).


For more information on z/VM Security, whether it relates to service, certifications, configuration, best practices, or something else, please consult the links at the top of this page. If you have any questions or suggestions, please reach out to Brian Hugenbruch (z/VM Security Development Champion) at bwhugen@us.ibm.com.