PI82897: SECURITY OPTIONS FOR ODBM

Obtain the fix for this APAR.

APAR status

• Closed as new function.

Error description

• Provide more security options for ODBM:
  ISIS=N  ODBM read-only access DLI RRS=N
  

Local fix

• No fix
  

Problem summary

• ****************************************************************
  * USERS AFFECTED:                                              *
  * All IMS V14 users of ODBM                                    *
  ****************************************************************
  * PROBLEM DESCRIPTION:                                         *
  * The IMS parameter that is used to determine the level of     *
  * security used for ODBM APSB resource authorization checking  *
  * is dependent upon the value that is specified for the ODBM   *
  * RRS=parameter.                                               *
  ****************************************************************
  * RECOMMENDATION:                                              *
  * INSTALL CORRECTIVE SERVICE FOR APAR/PTF                      *
  ****************************************************************
  Problem Summary
  The IMS parameter that is to be used to determine the security
  level used for ODBM APSB resource authorization is dependent
  upon the value that is specified for the ODBM RRS= parameter.
  
  When ODBM RRS=Y is specified, the IMS parameter ODBASE= is used
  to determine the PSB security level for ODBM.  If ODBASE=Y, the
  AIMS resource class is used to authorize ODBM APSB PSB
  resources.
  
  When ODBM RRS=Y and IMS ODBASE=N is specified, OR When ODBM
  RRS=N is specified, the IMS parameter ISIS= is used to determine
  the PSB security level for ODBM using the IIMS resource class.
  *** IMS KEYWORDS ***
  MSGDFS4585W ABENDU0166 IMSODBM
  

Problem conclusion

• New parameter, ODBMSECURE, is added for the IMS control region.
  It can be specified in either the DFSCGxxx member, or the
  DFSDFxxx member section <SECTION=COMMON_SERVICE_LAYER>.
  
  If you specify ODBMSECURE in both the DFSCGxxx member and the
  CSL section of the DFSDFxxx member, the values specified in the
  DFSCGxxx member override the values specified in the DFSDFxxx
  member.
  
  Recommendation: APAR PI82897 can be applied in a rolling fashion
  to all IMS V14 systems. However, to enable ODBMSECURE, both the
  IMS subsystem and ODBM must have PI82897 applied.
  
  ODBMSECURE=
  Specifies whether IMS should, for an ODBM thread at the time of
  the allocate PSB (APSB) request, perform security checking on
  the PSB resource. Any value other than 'I' will override the
  parameters ISIS=, and ODBASE= for APSB requests from an ODBM
  connector. The RACF resource class (RCLASS), AIMS/Axxxxxxx, is
  used for PSB resource checking.
  
  
  I
  Ignore - Specifies that the ODBMSECURE= parameter is to be
  ignored. This is the default.
  
  N
  None - Specifies that no security checking is to be performed
  for APSB requests from an ODBM thread.
  NOTE: This will override both the ISIS and ODBASE parms.
  
  A
  All - Specifies that both RACF and the IMS RAS user exit routine
  are to be called (options E and R) for PSB authorization. RACF
  is called first. The SAF return code, and the RACF return and
  reason codes, are passed to the IMS RAS user exit routine.
  
  
  E
  Exit - Specifies that the IMS RAS user exit routine is to be
  called for PSB authorization.
  
  R
  RACF - Specifies that RACF is to be called to perform PSB
  authorization using resource class AIMS/Axxxxxxx.
  
  Security for ODBM allocate PSB (APSB) requests
  
  Any PSB specified on an APSB request from an ODBM thread can be
  secured using the z/OS System Authorization Facility (SAF)
  and/or the IMS RAS user exit.
  
  Enabling security for ODBM is accomplished with one of the
  following methods:
  1. Specify ODBMSECURE= A, E, R.
     This applies to all ODBM connectors to  the respective IMS,
     irrespective of the ODBM RRS= setting. ISIS= and ODBASE= are
     overridden for all ODBM connections to IMS that specifies
     ODBMSECURE=N|A|E|R. The resource class of AIMS or Axxxxxxx
     is used to authorize APSB resources.
  2. Specify ISIS=A|C|R
     This applies to
     - ODBM RRS=Y connections with IMS ODBASE=N
     - ODBM RRS=N connections
     The resource class of IIMS or Ixxxxxxx is used to authorize
     APSB resources.
  3. Specify ODBASE=Y
     This applies to ODBM RRS=Y only
     The resource class of AIMS or Axxxxxxx is used to authorize
     APSB resources.
  
  After APSB SAF is security-enabled, IMS calls SAF to secure the
  PSB specified on an APSB call using the respective resource
  class, based on the user associated with the ODBM thread.
  Define to RACF (or the installation exit) the PSBs that are to
  be protected. Define them to AIMS or Axxxxxxx resource class
  when using ODBMSECURE= or ODBASE=, or IIMS or Ixxxxxxx when
  using ISIS=.
  
  RCLASS=IMS|xxxxxxx must be specified with an initialization
  EXEC parameter during IMS system definition.
  
  GEN:
  POSTREQ PH23908
  Modules:
  CSLDBR00 CSLDBR10 DFSAERG0 - update security failure return code
  from x'0C' (TRANAUTH) to x'50' (PSBNRACF) to match that of the
  same failure in RRS=No.
  CSLDCF00 - Indicate to DRA or ODBA caller is ODBM
  DFSAERA0 - DFSPRRC0 Check ODBM caller indicator
  DFSAERI0 - DFSPRA10 Add ODBM caller to SSOB call
  DFSCSL10 - Add ODBMSECURE grammar parsing logic
  DFSDASI0 - Support ODBM identify and ODBMSECURE processing
  DFSDASP0 - Use ODBMSECURE parm when ODBM
  DFSFMOD0 - Attach RCF tcbs for ODBMSECURE
  DFSIRAC0 - ODBMSECURE initialization code
  DFSXLIC0 - Load DFSSCHR0 and RAS user exit for ODBMSECURE
  DFSSCHR0 - New routine to service ODBMSECURE checking
  DFSUSX00 DFSUSX90 - Update DFS4585W to include ODBMSECURE
  DFSWCGDF DFSWCGH2 DFSWDRDF DFSWDRH2 DFSWBPVP - Syntax checker
  updates for ODBMSECURE
  
  Macros:
  CSLDPRP  - Add ODBM caller option flag
  DFSCSLA  - Add ODBMSECURE parm setting to CSLA block
  DFSDFCSL - Define ODBMSECURE grammar
  DFSIDT   - Flags for ODBMSECURE
  DFSPAC   - ODBM flag
  DFSPRP   - ODBM caller option
  DFSRASL  - New version (4, RASLVER4),
             functions (RASLODBI,RASLODBP),
             environment (RASLODBM), and
             flags (RASLODSE,RASLODSR)
  DFSSCHRW - ODBMSECURE functions and flags for call to RAS exit
  DFSSSOB  - New flags for Identify options
  DFSUSRXD - Update DFS4585W to include ODBMSECURE
  
  The following publication updates are described in further
  detail
  See hold card for changes
  Publications changed:
  GC19422600  System Definition
  SC19422500 System Administration
  SC19421700 Exit Routines
  GC18421900 Messages and Codes, Volume 1: DFS Messages
  GC18422200 Messages and Codes, Volume 4: IMS Component Codes
  

Temporary fix

Comments

• REPINNED RP20/04/07 (ATXT) TO ADD POSTREQ PH23908 INFO.
   **** PE20/04/07 PTF IN ERROR. SEE APAR PH23908 FOR DESCRIPTION
  ×**** PE20/03/31 FIX IN ERROR. SEE APAR PH23908  FOR DESCRIPTION
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

  PI78668

• APAR is sysrouted TO one or more of the following:

  PI94682 UI56323

Modules/Macros

• CSLDCODE CSLDQ020 CSLDCF00 CSLDQ050 CSLDDSI0 CSLDOCM0 CSLDU010
  CSLDIN10 CSLDIN00 DFSIRAC0 DFSFMOD0 DFSRASL  CSLDREG0 DFSDASI0
  DFSXLIC0 DFSUSRXD DFSCSL20 DFSAERA0 DFSPRP   DFSSSOB  DFSPRRC0
  CSLDBR00 DFSUSX90 DFSSCHRW DFSAERG0 DFSAERI0 DFSPRA10 DFSIDT
  DFSDASP0 CSLDU030 DFSSCHR0 DFSUSX00 CSLDBR10 DFSCSL10 DFSCSLA
  DFSWCGDF DFSWHC13 DFSWDRDF DFSWHD23 DFSWBPVP DFSPAT10 DFSEF05F
  

Fix information

• Fixed component name

  IMS V14

• Fixed component ID

  5635A0500

Applicable component levels

• R400 PSY UI56323

     UP18/06/09 P F806

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.