A fix is available
APAR status
Closed as new function.
Error description
Provide more security options for ODBM: ISIS=N ODBM read-only access DLI RRS=N
Local fix
No fix
Problem summary
**************************************************************** * USERS AFFECTED: * * All IMS V14 users of ODBM * **************************************************************** * PROBLEM DESCRIPTION: * * The IMS parameter that is used to determine the level of * * security used for ODBM APSB resource authorization checking * * is dependent upon the value that is specified for the ODBM * * RRS=parameter. * **************************************************************** * RECOMMENDATION: * * INSTALL CORRECTIVE SERVICE FOR APAR/PTF * **************************************************************** Problem Summary The IMS parameter that is to be used to determine the security level used for ODBM APSB resource authorization is dependent upon the value that is specified for the ODBM RRS= parameter. When ODBM RRS=Y is specified, the IMS parameter ODBASE= is used to determine the PSB security level for ODBM. If ODBASE=Y, the AIMS resource class is used to authorize ODBM APSB PSB resources. When ODBM RRS=Y and IMS ODBASE=N is specified, OR When ODBM RRS=N is specified, the IMS parameter ISIS= is used to determine the PSB security level for ODBM using the IIMS resource class. *** IMS KEYWORDS *** MSGDFS4585W ABENDU0166 IMSODBM
Problem conclusion
New parameter, ODBMSECURE, is added for the IMS control region. It can be specified in either the DFSCGxxx member, or the DFSDFxxx member section <SECTION=COMMON_SERVICE_LAYER>. If you specify ODBMSECURE in both the DFSCGxxx member and the CSL section of the DFSDFxxx member, the values specified in the DFSCGxxx member override the values specified in the DFSDFxxx member. Recommendation: APAR PI82897 can be applied in a rolling fashion to all IMS V14 systems. However, to enable ODBMSECURE, both the IMS subsystem and ODBM must have PI82897 applied. ODBMSECURE= Specifies whether IMS should, for an ODBM thread at the time of the allocate PSB (APSB) request, perform security checking on the PSB resource. Any value other than 'I' will override the parameters ISIS=, and ODBASE= for APSB requests from an ODBM connector. The RACF resource class (RCLASS), AIMS/Axxxxxxx, is used for PSB resource checking. I Ignore - Specifies that the ODBMSECURE= parameter is to be ignored. This is the default. N None - Specifies that no security checking is to be performed for APSB requests from an ODBM thread. NOTE: This will override both the ISIS and ODBASE parms. A All - Specifies that both RACF and the IMS RAS user exit routine are to be called (options E and R) for PSB authorization. RACF is called first. The SAF return code, and the RACF return and reason codes, are passed to the IMS RAS user exit routine. E Exit - Specifies that the IMS RAS user exit routine is to be called for PSB authorization. R RACF - Specifies that RACF is to be called to perform PSB authorization using resource class AIMS/Axxxxxxx. Security for ODBM allocate PSB (APSB) requests Any PSB specified on an APSB request from an ODBM thread can be secured using the z/OS System Authorization Facility (SAF) and/or the IMS RAS user exit. Enabling security for ODBM is accomplished with one of the following methods: 1. Specify ODBMSECURE= A, E, R. This applies to all ODBM connectors to the respective IMS, irrespective of the ODBM RRS= setting. ISIS= and ODBASE= are overridden for all ODBM connections to IMS that specifies ODBMSECURE=N|A|E|R. The resource class of AIMS or Axxxxxxx is used to authorize APSB resources. 2. Specify ISIS=A|C|R This applies to - ODBM RRS=Y connections with IMS ODBASE=N - ODBM RRS=N connections The resource class of IIMS or Ixxxxxxx is used to authorize APSB resources. 3. Specify ODBASE=Y This applies to ODBM RRS=Y only The resource class of AIMS or Axxxxxxx is used to authorize APSB resources. After APSB SAF is security-enabled, IMS calls SAF to secure the PSB specified on an APSB call using the respective resource class, based on the user associated with the ODBM thread. Define to RACF (or the installation exit) the PSBs that are to be protected. Define them to AIMS or Axxxxxxx resource class when using ODBMSECURE= or ODBASE=, or IIMS or Ixxxxxxx when using ISIS=. RCLASS=IMS|xxxxxxx must be specified with an initialization EXEC parameter during IMS system definition. GEN: POSTREQ PH23908 Modules: CSLDBR00 CSLDBR10 DFSAERG0 - update security failure return code from x'0C' (TRANAUTH) to x'50' (PSBNRACF) to match that of the same failure in RRS=No. CSLDCF00 - Indicate to DRA or ODBA caller is ODBM DFSAERA0 - DFSPRRC0 Check ODBM caller indicator DFSAERI0 - DFSPRA10 Add ODBM caller to SSOB call DFSCSL10 - Add ODBMSECURE grammar parsing logic DFSDASI0 - Support ODBM identify and ODBMSECURE processing DFSDASP0 - Use ODBMSECURE parm when ODBM DFSFMOD0 - Attach RCF tcbs for ODBMSECURE DFSIRAC0 - ODBMSECURE initialization code DFSXLIC0 - Load DFSSCHR0 and RAS user exit for ODBMSECURE DFSSCHR0 - New routine to service ODBMSECURE checking DFSUSX00 DFSUSX90 - Update DFS4585W to include ODBMSECURE DFSWCGDF DFSWCGH2 DFSWDRDF DFSWDRH2 DFSWBPVP - Syntax checker updates for ODBMSECURE Macros: CSLDPRP - Add ODBM caller option flag DFSCSLA - Add ODBMSECURE parm setting to CSLA block DFSDFCSL - Define ODBMSECURE grammar DFSIDT - Flags for ODBMSECURE DFSPAC - ODBM flag DFSPRP - ODBM caller option DFSRASL - New version (4, RASLVER4), functions (RASLODBI,RASLODBP), environment (RASLODBM), and flags (RASLODSE,RASLODSR) DFSSCHRW - ODBMSECURE functions and flags for call to RAS exit DFSSSOB - New flags for Identify options DFSUSRXD - Update DFS4585W to include ODBMSECURE The following publication updates are described in further detail See hold card for changes Publications changed: GC19422600 System Definition SC19422500 System Administration SC19421700 Exit Routines GC18421900 Messages and Codes, Volume 1: DFS Messages GC18422200 Messages and Codes, Volume 4: IMS Component Codes
Temporary fix
Comments
REPINNED RP20/04/07 (ATXT) TO ADD POSTREQ PH23908 INFO. **** PE20/04/07 PTF IN ERROR. SEE APAR PH23908 FOR DESCRIPTION ×**** PE20/03/31 FIX IN ERROR. SEE APAR PH23908 FOR DESCRIPTION
APAR Information
APAR number
PI82897
Reported component name
IMS V14
Reported component ID
5635A0500
Reported release
400
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-06-09
Closed date
2018-06-07
Last modified date
2020-04-20
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PI94682 UI56323
Modules/Macros
CSLDCODE CSLDQ020 CSLDCF00 CSLDQ050 CSLDDSI0 CSLDOCM0 CSLDU010 CSLDIN10 CSLDIN00 DFSIRAC0 DFSFMOD0 DFSRASL CSLDREG0 DFSDASI0 DFSXLIC0 DFSUSRXD DFSCSL20 DFSAERA0 DFSPRP DFSSSOB DFSPRRC0 CSLDBR00 DFSUSX90 DFSSCHRW DFSAERG0 DFSAERI0 DFSPRA10 DFSIDT DFSDASP0 CSLDU030 DFSSCHR0 DFSUSX00 CSLDBR10 DFSCSL10 DFSCSLA DFSWCGDF DFSWHC13 DFSWDRDF DFSWHD23 DFSWBPVP DFSPAT10 DFSEF05F
GC18422200 | SC19421700 | SC19422500 | GC19366000 |
Fix information
Fixed component name
IMS V14
Fixed component ID
5635A0500
Applicable component levels
R400 PSY UI56323
UP18/06/09 P F806
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSEPH2","label":"IMS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"14.1","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]
Document Information
Modified date:
01 December 2023