Last Updated: 01 February 2024


z/VM Security and Integrity

Recent z/VM Security News


Here are the latest announcements regarding z/VM Security and Integrity.


01 December 2023 -- z/VM uplifts System SSL support to z/OS 2.5 equivalency

z/VM Version 7 Release 2.0 and 7.3 have completed an uplift of their relevant cryptographic libraries to mirror z/OS 2.5 equivalency. This upgrade will provide foundational support both for future enablement of TLS 1.3, as well as a basis for an eventual FIPS 140-3 validation. (A formal validation has not been announced at this time, and will be included as a Statement of Direction, in accordance with IBM policy around future-looking statements.)

For more on z/VM System SSL, visit: https://www.vm.ibm.com/newfunction/#sys-ssl


01 July 2023 -- z/VM V7.3 delivers multiple new security and compliance-relevant facilities

z/VM Version 7 Release 3.0 has released three new pieces of functionality which improve z/VM security and compliance posture. These are:

  • z/VM Compliance Utility - this new set of EXECs gathers security- and compliance-relevant data for a z/VM system, with the intent of presenting that data in a single interface or "single pane of glass." This information is available either via command-line execution or via API call. For more information, visit: https://www.vm.ibm.com/newfunction/#qsecK
  • z/VM KEYVAULT Utility - this new function will encrypt key/value pairs inside a single z/VM virtual machine. This is a first step toward local encryption of data inside CMS applications, with the first exploiter being z/VM Centralized Service Management and the z/VM FTPS function. For more information, visit: https://www.vm.ibm.com/newfunction/#keyvault
  • Guest Secure IPL - available on the IBM z16 with appropriate millicode levels, z/VM now supports signature verification of a guest operating system during the Initial Program Load (IPL, or "boot") process. This vital function allows a system programmer to assure that the code they're loading is the code they intended to load. For more information, visit: https://www.vm.ibm.com/newfunction/#gsipl


10 June 2022 -- z/VM V7.2 achieves Common Criteria certification with NIAP protection profile

z/VM Version 7 Release 2.0 has completed a second Common Criteria evaluation as of June 10, 2022. This certifies the product in accordance with the NIAP Virtualization Protection Profile (VPP), with Server Virtualization Extended Package. The successful certification affirms z/VM's continued commitment to meeting the newest security and integrity requirements in the IT industry.

The Certification Report can be found at https://ocsi.isticom.it/documenti/certificazioni/ibm/zvm/cr_zvm_v7r2_vpp_v1.0_en.pdf


10 December 2021 -- CERTMGR command for querying gskkyman certificate databases now available for z/VM V7.2

With the PTF for APAR PH40080, z/VM V7.2 introduces a new CERTMGR command, which simplifies querying certificates, and the chains they belong to, stored in a gskkyman-managed certificate database. More information can be found on the z/VM New Function Webpage at: https://www.vm.ibm.com/newfunction/#qgskkyman


31 August 2021 -- Improved LGR for Mixed-Level Crypto Environments now available for z/VM V7.2

With the PTF for APAR VM66496, z/VM V7.2 has been updated to remove restrictions placed upon relocating virtual machines when target hardware is not of the same Crypto Express functional level. This reduces impediments to relocating workload and enables a smoother migration path to different Crypto Express hardware. More information can be found on the z/VM New Function Webpage at: https://www.vm.ibm.com/newfunction/#lgr-apvirt


12 August 2021 -- z/VM V7.2 achieves FIPS 140-2 validation

The z/VM V7.2 System SSL Module has been validated as conforming to the Federal Information Processing Standard (FIPS) 140-2. This industry-recognized cryptographic standard mandates modern digital key sizes and integrity checking for TLS operations. z/VM 7.2 System SSL is used by both the z/VM LDAP Server and z/VM TLS/SSL Server. This satisfies the second portion of a Statement of Direction from April 2020 regarding security certification and assurance.

The Common Criteria evaluation to the NIAP Virtualization Protection Profile is on-going, per previous IBM Statements of Direction. More information will be posted here and in other venues when this has been achieved.


30 April 2021 -- z/VM V7.2 achieves EAL 4+ Common Criteria certification

z/VM Version 7 Release 2.0 has completed a Common Criteria evaluation as of April 30, 2021. This certifies the product in accordance with the Operating System Protection Profile (with Virtualization and Labeled Security extensions) at an assurance level of EAL 4+. The successful certification affirms z/VM's continued commitment to the security and integrity requirements in the IT industry.

The Certification Report can be found at https://ocsi.isticom.it/documenti/certificazioni/ibm/zvm/cr_zvm_v7r2_v1.0_en.pdf

FIPS 140-2 validation, and a second Common Criteria evaluation to the NIAP Virtualization Protection Profile, are still on-going, per previous IBM Statements of Direction. More information will be posted here and in other venues when these have been achieved.


26 January 2021 -- OCSP Support now available for z/VM V7.2

With the PTF for APAR PH28216, z/VM V7.2 has been enabled to support the Online Certificate Status Protocol (OCSP) for the TLS/SSL server. This support will enable a fine-tuning of certificate validation by allowing the TLS server to check client certificates against external databases for last-minute revocation status. More information can be found on the z/VM New Function Webpage at: https://www.vm.ibm.com/newfunction/#ocsp


18 September 2020 -- z/VM V7.2 General Availability

z/VM Version 7 Release 2.0 is now available! It includes all security enhancements and security fixes previously released in the service stream for earlier releases. Please visit the main V7.2 website at https://www.vm.ibm.com/zvm720/ to learn more!

In addition to z/VM V7.2 functionality, a Statement of Direction has been issued to withdraw support for multiple RACFVM machines inside a single z/VM system:

z/VM 7.2 is intended to be the last release to support multiple RACF for z/VM servers running concurrently in a single z/VM system. This support was implemented to enable greater throughput in handling security policy requests and updates against a single RACF database. However, modern I/O speeds and processing power have rendered this support superfluous. This statement has no bearing on RACFVM multiconfiguration virtual machines in a z/VM Single System Image cluster or on the RACMAINT virtual machine used in support and service.

Please refer to the following website for more information: https://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/5/897/ENUS220-305/index.html&request_locale=en#sodx


16 June 2020 -- CMS Pipelines TLS/SSL Enhancements now available for z/VM V7.1

With the PTF for APAR VM66365, z/VM V7.1 has been enabled to support new CMS Pipelines for Secure Socket Layer (SSL) and Transport Layer Security (TLS) encryption. These allow CMS-based applications to take advantage of IBM Z and IBM LinuxONE hardware encryption, and the TLS/SSL server, to connect securely to other applications inside and outside of z/VM. More information can be found at https://www.vm.ibm.com/newfunction/#pipelines-ssl


03 June 2020 -- TLS/SSL Certificate Validation now available for z/VM V7.1

With recent PTFs, z/VM V7.1 has been updated to enable Client Certificate validation for implicit TLS connections. This support also extends client certificate authentication to other implicit-TLS TCP/IP services, such as FTPS or SMTP. More information can be found at https://www.vm.ibm.com/newfunction/#ssl-cert-ver


20 May 2020 -- IBM Z Multi-factor Authentication Support for z/VM V7.1 RACF and Broadcom CA VM:Secure

With the PTF for APAR VM66338, z/VM V7.1 with an External Security Manager (ESM) now supports the IBM Z Multi-factor Authentication V2.1 product. This new product allows an authentication server to serve as a Policy Decision Point for z/VM authentication policy. By enabling this support, out-of-band evaluation of factors other than passwords or password phrases -- digital certificates, RSA SecurID, TOTPs, LDAP binds, and more -- is now possible. For more information, please visit https://www.vm.ibm.com/newfunction/#mfa


14 April 2020 -- IBM z/VM V7.2 Preview Announce and Statements of Direction

As part of the preview announce for z/VM V7.2, the following Statement of Direction has been issued:

z/VM V7.2 is intended to be the last z/VM release to support sharing RACF databases between z/VM and z/OS systems. While databases may remain compatible, sharing between operating systems is discouraged due to the distinct security and administration requirements of different platforms. A future z/VM release will be updated to detect whether a database is flagged as a z/OS database and reject its use if so marked. Sharing of databases between z/VM systems, whether in a Single System Image cluster or in stand-alone z/VM systems, is not affected by this statement.

Please refer to the following website for more information: https://www.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/8/897/ENUS220-088/index.html&request_locale=en#sodx


Old news archives are available for reference here.

For more information on z/VM Security, whether it relates to service, certifications, configuration, best practices, or something else, please consult the links at the top of this page. If you have any questions or suggestions, please reach out to Brian Hugenbruch (z/VM Security Development Champion) at bwhugen@us.ibm.com.