Clone User ALIAS to Replace CMDEXIT

• Added a new ALIAS option to the Clone User command panel, as well as the option to select a User Catalog entry.
• If the new ALIAS methodology is not implemented, the DEFINE ALIAS process will continue to function via CMDEXIT.

Benefit

Vanguard Administrator now supports the automated ALIAS option to generate the ALIAS command when the Clone User feature is invoked, online and batch. This enhancement eliminates the need to execute the CMDEXIT procedure after a Clone User is performed.

LIDs in Rules Enhancement

Added a new LID in Rules Report section, which allows you to locate ACF2 access rules and/or resource rules that can potentially allow the specified LID access. It also contains an Include input section to help define which rule records to evaluate to see if an input LID gains access via a rule entry. This Include input section can generate reports based on the following:
• Dataset Access Rules
• Resources Rules
• UID(*) Rulelines Updated the Vanguard ACF2 Administration menu by adding option L for LID in Rules Report.

Benefit

Allows you to locate ACF2 access rules and/or resource rules that can potentially allow the specified LID access. The Vanguard ACF2 LID in Rules window contains an Include input section to help define which rule records to evaluate to see if an input LID gains access via a rule entry.

Vanguard Administrator for CA Top Secret (VAX) is an effective administrative tool that provides a wide range of Top Secret security administration, data mining and reporting. VAX allows you to view reports and perform administrative changes to Top Secret ACIDs, Profiles/Groups, Zones/Divisions/Departments and Resource Ownership.

Benefit

Vanguard Administrator for CA Top Secret makes it easier to report on Top Secret administration.
Available in 2.4 release via PTF number: VSCC215

Added Support to Allow Users to Specify a VSROPT00 Parameter of LSNAME(*)

This enhancement removes the requirement to specify whether SMF log streams or traditional MAN data sets are to be used for online processing in Live mode, creating an Extract File or running a batch report or utility. Customers cannot specify LSNAME(*) to indicated that the SMF log streams on the system where Advisor is running are to be automatically identified and used. They can still specify the two-character suffix of the LSNAMExx VIPOPTS member that contains the log stream names. They can omit the LSNAME parameter in which case Advisor will use the SMF log streams or traditional MAN data sets based on the customer’s specification of the SMF Recording Mode in their active SMFPRMxx Parmlib member.

Benefit

This additional information will help users identify what the type of event data is in the record so they can make a more informed decision on what to do with the event data.

Added Support for Active Alert 18 and Active Alert 19

Enhanced Active Alerts to send notifications for specific TCP/IP and zERT Initiation (AA18) and Termination (AA19) activity. All Active Alerts and SIEM notification options are available.

Active Alert 18 will send notifications for these events:
• TCP Connection Initiation
• zERT Connection Initiation
• TN3270E Telnet Server SNA Session Initiation
• TSO Telnet Client Connection Initiation
• FTP Server Logon Failure

Active Alert 19 will send notification for these events:
• TCP Connection Termination
• FTP Client Transfer Completion
• zERT Connection Termination
• TN3270E Telnet Server SNA Session Termination
• TSO Telnet Client Connection Termination
• FTP Server Transfer Completion

Note: All Active Alert and SIEM notification options are available.

Benefit

Customers can now be alerted when TCP/IP sessions are initiated on their system. By using masking, they can identify which characteristics of the session they are interested. The Termination alert allows them to track how long a session was active.

Enhanced the VAARTN Started Task Initialization and Notification Performance

Streamlined the VAARTN Task and Notification Initialization process to allow the alert process to be activated quicker.

Benefit

The Notification process can begin quicker after the VAARTN Task is started.

Added Support to Include the Event Code and Event Qualifier Code to Alerts 18 and 19 Events

Added Event Name, Event Name Code, Event Qualifier and Event Qualifier Code to Alerts 18 and 19 SIEM records.

Benefit

This additional information will help users identify what the type of event data is in the record so they can make a more informed decision on what to do with the event data.

Offload Delay Process is Available

Added ‘OFFLOAD DELAY’ as a new optional keyword in the VCPOPT00 member.

Benefit

Specifies the minutes for an offload delay. Default is one (1) minute.

Forced Abend Detection

Enhanced PC recovery to detect forced abnormal terminations.

Benefit

Improvements made to product productivity and performance.

Event Spiller Function

Added the Spiller function to retain uncommitted in-flight events during shutdown of the Vanguard Capture started task. Also, added the following operator commands:

• ‘P xxxxx NOUPDATE’ is a new Capture shutdown option. It skips the History Master File (HMF) updates during shutdown and retains the spill file.
• ‘P xxxxx KEEPSPILL’ is a new Capture shutdown option. It performs the History Master File updates during shutdown and retains the spill file.

Updated the VCPOPT00 member by adding ‘VCPSPLL’ as a new optional keyword. It specifies the spill file name and activates the event spiller function. Added VCPDEFS as a new Vanguard Sample Library (VANSAMP) member.

Benefit

Improvements made to product productivity and performance.

Expanded JESSPOOL Name Support

Updated FASTAUTH cross memory access list token usage.

Benefit

Updated the FASTAUTH rogue event reporting accuracies.

FASTAUTH Rogue Event Detection

Class filtering now processes expanded JESSPOOL names. Enhanced FASTAUTH rogue event diagnostic reporting. Updated the VCPFILTR member in the Vanguard Sample Library (VANSAMP).

Benefit

Improvements made to product productivity and performance.

Role Based Access Control (RBAC)

Role-based access control (RBAC), also known as role-based security, is a mechanism that restricts system access. It involves setting permissions and privileges to enable access to authorized users.

Benefit

Most large organizations use role-based access control to provide their employees with varying levels of access based on their roles and responsibilities. This protects sensitive data and ensures employees can only access information and perform actions they need to do their jobs.

Added VPM SMF Mapping Macro

The mapping of the VPM SMF record is available in VANSAMP member VPMSMFR.

Benefit

Users can generate their own reports using the VPM SMF records.

Added Support for $NOMODIFY in Command and SETROPTS Policies

Added support for a new command $NOMODIFY name that allows you to restrict the use of:
• Any command that adds, modifies or deletes a profile
• Any parameter that adds, modifies or deletes a RACF Option using SETROPTS
• Any command that adds, modifies or deletes a profile using the $OWNER, $LEVEL and $HLQ policies
• A userid or group protected from modification when it used with the CONNECT and REMOVE commands and in the PERMIT ID parameter
Additional support was added to:
• Include any profile using either of the $NOMODIFY Policy profile formats if Option 7 ($NOMODIFY Policies) is selected from the Main menu and then Option 1
• Display All VPM Policy Profiles when Option C (List All VPM Policies) is selected from the Main menu

Benefit

This support gives you the option of creating one policy profile without having to create one for each command that adds, modifies or deletes a profile or one for each parameter that adds, modifies or deletes a RACF Option using SETROPTS.
The LISTDSD, LISTUSER, LISTGRP, RLIST, SEARCH and SETROPTS LIST (without additional parameters) commands are exempt from this compliance check.
More related Policy profiles can be view online Option 7 ($NOMODIFY Policies) is selected.
All VPM Policy Profiles when Option C (List All VPM Policies) is selected from the Main menu.

VCM Current with Latest Version of DoD DISA STIGs

For these DISA baselines:
• ACF2 supports 6.42, 6.43, 8.1 and 8.2
• Top Secret supports 6.42 and 6.43 (with 50 checks)
• RACF supports 6.42, 6.43, 7.1, 7.2, 7.3, 8.1, 8.2 and 8.3

Benefit

Maintaining VCM is an ongoing basis so that our customers always have the latest version of changes to the DISA STIGs without needing to know or track what changes were made. VCM is updated continuously and the interface notifies customers of the new check and modified check.

New Batch Reports

This Vanguard Compliance Manager enhancement created the following new batch reports:
• REPORTERRORS – Errors report for checks
• CATEXECUTE – Executes all checks in category
• CATREPORT – Detail report for category
• CATREPORTFINDINGS – Findings report for category
• CATREPORTNOFINDINGS – No Findings report for category
• CATREPORTERRORS – Errors report for category

Benefit

The benefit of this enhancement is that it allows users to generate six additional reports. For example, users now generate an error report for every check in a category, a detailed category report or a report that only contains error messages.

ACF2 VLDEXIT Support

• This is an optional feature that customers can enable if they have the VLDEXIT changing data set names during an access request.

Benefit

The benefit of this enhancement allows Vanguard Compliance manager to call the installed VLDEXIT and to capture modified dataset names, if any, before processing associated access rules. This feature is only looking for global dataset name changes. It does not consider changes based on LIDs, program names and/or access permission overridden in the exit.

Added VAD Aggregation to Collect and Report on PAM Events

Vanguard Aggregation and Delivery STC (VAD) provides new aggregation support to collect the Privileged Access Monitoring (PAM) events generated on the z/OS systems where the VCP Capture Server is running with the ‘VCP-VPA’ feature enabled. The events collected, track all activity for each user from the time they sign on to the time they sign off. The events contain detail information for the following activities.
• Dataset access
• General resource access
• System entry and exit activities such as, TSO logon, logoff, starting a started task, or stopping a started task
• ESM commands issued. RACF and ACF2 only
• z/OS commands issued
In addition, the events may be exported to CSV formatted reports using VAD’s VADUTIL Utility, where the data can be further exploited in other environments.

Benefit

In today’s online environment where cybersecurity concerns are growing, it is imperative to be proactive to prevent intentional or accidental misuse of enterprise resources. With VAD, the Privileged Access Events will assist security personnel on z/OS to learn what users are actually accessing and executing. The CSV reports generated from the VADUTIL utility will provide useful information to assist mainframe organizations to take action accordingly before a resource is compromised.

Added New PushReports Parameter

Allowed the ability to configure the VAD Master server (using the parameter) to transmit the summarized (CSV) format data to a Vanguard web server.

Benefit

Specified within the context of a section. This parameter determines whether the client should contact the distributed server for the purpose of pushing the Aggregation reports to the server (e.g. VCM summary data). A value of ‘Yes’ will cause the Master Controller to contact the Distributed Server to push the summary report data to the server.

The PushReports parameter is supported on the following platforms: z/Linux and z/OS Unix System Services (USS).

Updated and Added New Keywords to VEEEMNxx MemberDescription

Updated and added the following optional keywords:
• EMAILFROM – This keyword allows an installation to alter the contents pf the ‘From’ value in email messages. The default for this keyword, if omitted is: @
• EMAILMAILFROM – This keyword allows an installation to alter the contents pf the ’email from’ value in email messages. The default for his keyword, if omitted is: @
• Update of the keyword descriptions in the VEEEMNxx Samplib member.

Benefit

This enhancement provides more control over Email addresses to reduce possible conflicts with spam rules. Also, by updating the keyword descriptions within the VEEEMNxx Samplib member, it improved its usability.

Support for Long Profile Names (Greater than Forty-Four Characters)

This enhancement will support the 147 General Resource class profile and resource names whose maximum length exceeds forty-four characters. This will also support the long field values in various DFP and ICSF segments.

Benefit

This enhancement will provide a more complete support for all RACF profile and resource names. Also, selected long field values will also be supported for various DFP and ICSF segments.

Additional Enforcer Improvements

These additional improvements include the following:
• Increased error handling in main Enforcer started task module
• Additional trace capability in various sensor modules. Eventually, there will be a user interface (with security controls) as some of this information may be considered as containing critical information.

Benefits

The benefit for increased error handling improves diagnostics for percolated problems while the benefit for additional trace capability will be a user interface (with security controls) as XXXXX

Added VIPMAIN Started Task Support for TRANSIENT_SOCKET_TIMEOUT Parameter

Benefit

This enhancement allows you to set the length of time (in seconds) a transient (non-dedicated) socket remains open with no activity. The default is 03 (3 seconds) while a valid range is 3 to 60.

Microsoft Azure and Okta using the OpenID Connect (OIDC) Protocol Support

Using the Vanguard Multifactor Authentication (MFA) Web Portal via the OpenID Connect (OIDC) protocol, Vanguard Multifactor Authentication Suite now supports authentication for:

• Microsoft Azure Active Directory
• Okta

Benefit

The benefit of this enhancement is that you only need to enter your password to logon to a z/OS application after your z/OS user ID has been multifactor authenticated using the Vanguard MFA Web Portal.

RADIUS Challenge-Response Support

Vanguard Multifactor Authentication Suite now supports RADIUS Access Challenge Response authentication in RACF.

Benefit

This enhancement allows you to configure RADIUS servers for Access Challenge mode. This mode of authentication causes the MFA server to send a challenge to the end user. The end user must respond correctly to the challenge to complete the authentication process. When the response from the RADIUS server is accepted, the logon completes successfully.

Integrated Vanguard ez/PivCard into Vanguard Multifactor Authentication Suite

Vanguard ez/PivCard enhancements:

• Support for Virtual Smart Cards
Vanguard ez/PivCard now supports TPM based virtual PIV-Cards.

Benefit

This allows customers who want to take advantage of the built in virtual smart card technology to use Vanguard ez/PivCard without having a physical card.

• Support for ACF2 and Top Secret ESMs
Vanguard ez/PivCard now supports RACF, ACF2 and TSS host ESMs

Benefit

This expands the use of ez/PivCard into companies that have ACF2 or TSS.

• Support for LDAP Certificates
Vanguard ez/PivCard now supports LDAP certificate paths.

Benefit

This allows both HTTP and LDAP format certificate verification paths.

• Support for Single Time Server
Vanguard ez/PivCard now supports allows a single time server entry.

Benefit

For customers who only want to use a single time server entry, ez/PivCard now allows that.

Support for a Secondary ISTEXCAA User Exit

This enhancement allows you to:
• Manage ISTEXCAA structure entries
• Implement an ISTEXCAA user exit

Benefit

The benefits of this enhancement cover the following:
• Managing ISTEXCAA Structure Entries – You can increase the ISTEXCAA VTAM structure size if users begin to experience logon failures and the following message appears in the VMALOG.
• Implementing an ISTEXCAA User Exit – Can call an installation-written assembler module to validate (or reject) sessions that are attempting to logon.

LOGMODE Enhancements

This enhancement covers the following:
• Support for multifactor passphrase
• ALLOWLOGMODE parameter allows the user to specify a LOGMODE on the VMA logon screen
• CHECKLOGMODE parameter automatically verifies a LOGMODE that is entered on the VMA logon screen

Benefit

The benefits of this enhancement cover the following:
• Supports multifactor passphrase and the ability for users to specify a LOGMODE value on the logon screen.
• The ALLOWLOGMODE parameter allows users to specify the LOGMODE on the VMA logon screen, which will be passed to the follow on APPLID. If this parameter is set to NO, the LOGMODE in the LU bind image is used. This option can be dynamically modified by issuing the Following MODIFY command: F VMAAMFA,ALLOWLOGMODE=Y|N
• The CHECKLOGMODE parameter permits VMA to validate the user-specified LOGMODE name against a list of VTAM LOGMODE names. When set to YES, this check is performed even if ALLOWLOGMODE=NO. This check will not be performed if ISTEXCAA cannot build an in-storage LOGMODE table when it initializes. VMA only validates the LOGMODE name. It does not attempt to verify if the LOGMODE parameters are suitable for the LU or APPLID. This option can be dynamically modified by issuing the following MODIFY command: F VMAAMFA,CHECKLOGMODE=Y|N

RTP Protocol Support

Added new support for Rapid Transport Protocol (RTP).

Benefit

By supporting this protocol, it reduces single-point failures and improves thru input.

Miscellaneous Enhancements

This enhancement covers the following (SAF and Legacy except where noted):
• Support for ACF2 (SAF only)
• Support for Top Secret (SAF only)
• RADIUS challenge/response (SAF only)
• Expired passphrases/passwords are changed in VMA (SAF only)
• ALLOWPSWDVIEW parameter allows the display of passwords and passphrases
• Suppression of non-MFA user messages
• Allow relogon under TSO for users that have not gone through VMA

Benefit

This enhancement offers support for CA ACF2 and Top Secret in addition to IBM RACF.
• Added the following new members in Vanguard Sample Library:
• VMAACF2 – ACF2 commands to create started task IDs
• VMAACCF2N – ACF2 commands to create VMA ID for failed authentications
• VMATSS – TSS commands to create started task IDs
• VMATSSNM – TSS commands to create VMA ID for failed authentications
• VMAAVET – VMAAMFA started task program to support ACF2 and TSS
• New pre-processing exit: VMAETVER is available
• Support for RADIUS Challenge Response mode
• Support for expired password/passphrase resets within VMA
• Updated the Solutions Benefits section
• An Upgrade to ACF2 and TSS section has been added to the appendix for existing customers who wish to upgrade to the new version of VMA
• Other enhancements include:
• New VMAASCSO non-MFA user message suppression command option: SUPNONMFAMSGS, SUPNONMFAMSGSOFF
• New VMAASCSO return code 32: Unknown ESM, not RACF, ACF2 or Top Secret
• New VMAASCSO return code 40: VMAASCSO abended

Introducing VMA Web Portal

Vanguard Multifactor Authentication Web Portal (VMA Portal) is a Java-based web application that allows users to authenticate through a browser interface to IBM® RACF® on an IBM Z® mainframe with the following supported security protocols:
• Vanguard Multifactor Authentication (MFA) with support for DUO, RADIUS, SecurID, PingID, LinOTP and PivCard
• Microsoft Identity Platform (Microsoft Azure Active Directory) with OpenID Connect (OIDC)
• Okta Identity Platform with OpenID Connect (OIDC)

Benefit

The portal allows users to complete multifactor authentication and then have that authentication registered in VMA on defined host systems. The user can then access the mainframe applications using only userid and password. The portal supports two new MFA protocols, Azure OIDC and Okta OIDC. The portal also supports the protocols supported by VMA VTAM; DUO, Ping, RADIUS, SecurID, PivCard and LinOTP.

Introducing Vanguard Privileged Access Monitoring

Vanguard Privileged Access Monitoring™ (PAM) monitors and tracks access, task start, task end, ESM commands and z/OS command events.

Benefit
Vanguard Privileged Access Monitoring (PAM) has two functions: Create a Vanguard PAM Filtered HMF and Generate reports. Both of these functions can use filter criteria to select events that you or your organization feel should be reviewed to help maintain the integrity of your system’s security and operating systems. Events such as accesses to data sets or general resources, issuing RACF commands and issuing z/OS commands can be selected and reported on.

Support Privileged Access Monitoring

Support Privileged Access Monitoring from the Capture started task.

Added VIPMAIN Started Task Support for TRANSIENT_SOCKET_TIMEOUT Parameter

Added VIPMAIN started task support for the TRANSIENT_SOCKET_TIMEOUT parameter.

Benefit

This enhancement allows you to set the length of time (in seconds) a transient (non-dedicated) socket remains open with no activity. The default is 03 (3 seconds) while a valid range is 3 to 60.

Introducing Vanguard HelpDesk

Vanguard HelpDesk is a web application that maintains RACF user passwords and revokes, hard revokes and resumes of RACF user IDs. Vanguard HelpDesk performs the same functionality as Vanguard Identity Manager of Vanguard Administrator only through a web interface. It can access multiple hosts.
Vanguard HelpDesk web application supports the following functions:
• List information about a user
• Change a user’s password or password phrase
• Compress the password history (PWCLEAN)
• Hard revoke a user ID
• Remove a user registration from Vanguard PasswordReset
• Revoke a user ID and clear future revoke dates
• Revoke a user ID at a future date (pending revoke)
• Resume a revoked user ID and clear the future resume date
• Resume a revoked user at a future date
• Set a user’s password interval
• Send a registration confirmation email to the user’s email address

Benefit

This Vanguard HelpDesk web application assists administrators with managing RACF user IDs. These administrations are broken down into these groups:

Help Desk Administrators and Security Administrators – Help Desk Administrators (non-System SPECIAL) and Security Administrators (System SPECIAL) can perform the following functions on the Vanguard HelpDesk:
• Change a user’s password or password phrase (authority must be delegated to Help Desk Admin)
• List information about a user (authority must be delegated to Help Desk Admin)
• Resume a user ID and clear the future reset date
• Resume a user at a future date
• Revoke a user ID and clear the future revoke date
• Revoke a user ID at a future date (pending revoke)

Security Administrators Only – Because their user IDs has the System SPECIAL attribute, Security Administrators can perform the following additional tasks:
• Compress the password history (PWCLEAN)
• Hard revoke a user ID
• Remove a user registration from Password Reset
• Set a user’s password interval

Introducing Vanguard Self-Help Password Reset

Vanguard Self-Help Password Reset is a self-service web application that addresses the common problem of forgotten passwords. The user requests a reset, which triggers sending an email to their registered email address. The user clicks on a link in the email, which returns them to the web application for the user to enter a new password. Upon successfully entering a new password, the user’s password is changed and a confirmation email is sent to the user. It also supports these ESMs: RACF, ACF2 and Top Secret while all web-based password reset requests are secure and encrypted.

Benefit

Vanguard Self-Help Password Reset saves time and money by letting users reset their own passwords quickly and securely anytime without having to contact the help desk or security administrator. Vanguard Self-Help Password Reset operates on various web server technologies.

Improved New Settings

Improved Self-Help Password Reset by adding the following new settings to the config.txt file:
• emailDebug
• logLevel
• emailLocalhost
• emailEhlo

Benefit

The benefits of this enhancement allow you to set these new settings.
• emailDebug – Shows mail debug information in the console log. Valid values: True or False.
• logLevel – Controls the amount of logging output. Valid values are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER and FINEST. The values are listed in the order of control (highest to lowest). Each value represents a logging level that includes control represented by all the values listed before it. Default: INFO. In addition, you can specify level ALL to enable logging of all messages or level OFF to turn logging off.
• emailLocalhost – Local host name used in the SMTP HELO and EHLO commands. Default: InetAddress.getLocalHost(),getHostName().
• emailEhlo – Attempts to sign on with the EHLO command. Valid values: True or False.

Enhanced Emails Domains and Email Addresses

The description of this enhancement is to store, validate and manage email domains and full email addresses. Added the following new entries to the list of Web Configuration and Customization files:
• RACF Grouping Class JCL
• RALTER ADDMEM REXX JCL
Added the following new settings Config.txt file:
• emailAddressValidation
• emailAddressValidationClass

Benefit

The benefit of this enhancement allows you to set these new entries to the list of Web Configuration and Customization files:
• RACF Grouping Class JCL – Provides a sample set of JCL to assist if you choose to store the list of email addresses and domains in the ESM (RACF only).
• RALTER ADDMEM REXX JCL – Provides a sample set of JCL that includes REXX programming to assist with loading the initial list of email addresses if you choose to store the email addresses and domains in the ESM (RACF only).
This enhancement also allows you to set the Email Registration settings for:
• emailAddressValidation – Determines if and how SHPR validates email addresses during user self-registration. Valid values are:
• none – SHPR will not validate the email addresses.
• file – Entries listed in the ’email addresses and domains.txt’ file will be used for validation.
• esm – Entries stored in the ESM (RACF, ACF2, or TSS) will be used for validation.
• emailAddressValidationClass – The resource class name for the email domain when emailAddressValidation is set to “esm”. Important: The user ID specified in the adminUserid setting must have at least READ access to this class. Default: M$SHPREM.

Added the DDNAME Parameter to the CSV Tag in QuickGen

Allows you to specify the DDNAME for a batch report where ‘xxxxxxxx’ is the DDNAME. If left off, the default DDNAME is VSSQGCSV. This attribute is ignored for online reports. This attribute is optional.

Benefit

Added the DDNAME parameter to the CSV tag to route output to a file.