PQ87041: RECOMMENDED SERVICE FOR TCP/IP FOR VSE/ESA 1.5 (SERVICE PACK E / TCPIP15E / SERV150E)

A fix is available


APAR status

  • Closed as new function.

Error description

  • Before installing Service Level E, be sure to read the Problem
    Summary, especially the Security section. This outlines
    additional commands that MUST be added to your initialization
    deck (unless a security exit is actively used, and the scripts
    and jobs set the user IDs and passwords).
    .
    The following problems are also fixed with this APAR:
    .
    - ZP15E201 - FTPBATCH hangs when transferring a TYPE=VSAMCAT
      file. When using TYPE=VSAMCAT, a problem with the DEFINE
      CLUSTER process of IPNFVCAT might cause one of the following
      conditions:
      (1) FTPBATCH abend,
      (2) FILE NOT FOUND after a DEFINE,
      (3) DEFINE ERROR.
    .
    - ZP15E202 - DBCS translation fails with IPN944E message.
      An incorrect test is being performed on DBCS translation
      buffers.
    .
    New security request types are added in the SXBLOK.A member:
    X'17' SXTYSCAN  23 - HTTPD SCANBLOCK request
    X'18' SXTYMKD   24 - Make directory
    X'19' SXTYRMD   25 - Remove directory
    X'1A' SXTYCWDL  26 - Last CWD
    X'1B' SXTYSTAU  27 - Startup-auto-exit
    X'1C' SXTYSHAU  28 - Shutdown-auto-exit
    X'1D' SXTYFCMD  29 - FTP command check
    X'1E' SXTYCGI   30 - CGI call via HTTP
    If you are using the IBM supplied security exit BSSTISX you need
    to add the following lines to the exception list BSSTIXE:
      DC    XL2'1400'        - SXTYLOGI  allow FTPD LOGIN message
      DC    XL2'1A00'        - SXTYCWDL  allow FTP subdirectories
      DC    XL2'1D00'        - SXTYFCMD  allow FTP commands
    Please also refer to
    Chapter 4. Security Manager Exploitation by TCP/IP for VSE/ESA
    in TCP/IP for VSE/ESA V1R5.0 IBM Program Setup and Supplementary
    Information SC33-6601-08 on
    http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/IESTCE31/1.4
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All TCP/IP for VSE users                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: TCP/IP for VSE/ESA                      *
    *                      Release 1.5.0 E                         *
    *                      ( TCPIP15E SERV150E )                   *
    ****************************************************************
    * RECOMMENDATION: APPLY THE PROVIDED PTF.                      *
    ****************************************************************
    This APAR provides Service Pack E for
    TCP/IP for VSE/ESA 1.5.
    *
    New functions are described in the following sections:
    In APAR PQ87041:
    - Security (new commands, automatic security)
    In APAR II14121:
    - Stack (changes to provide faster, more reliable connections)
    - Customize (System Messages and Customized Logging)
    - Compatibility (Pre-Compiler API, SOCKET MACRO, BSD / C API)
    - FTP (new FTP server with numerous improvements)
    - Email (new features and facilities and PDF converter)
    In APAR II14130:
    - LPR (changes and many additions to the LPR and LPD facilities)
    .
    Large System Effect
    Portions of the internal TCP/IP dispatcher and Telnet Daemon
    have been modified to reduce the CPU consumed due to the "large
    systems effect".
    Previously, defining large numbers of Telnet Daemons would cause
    CPU overhead to grow more than in a linear fashion, even if they
    were not being used. The overhead also extended to all other
    operations.
    .
    Authorization Codes
    All known problems with mixed IBM/CSI product keys have been
    corrected.
    In addition, all authorization code checking has been improved
    to provide the following benefits:
    1. Individual TCP/IP components no longer issue multiple
       "expiration" messages.
    2. At startup, all product components that have invalid keys,
       expired keys, or keys that will expire within one month are
       listed via a non-rollable console message.
    3. Once every 24-hours, TCP/IP will produce a non-rollable
       message indicating expired and expiring (within one month)
       keys and invalid product keys.
    4. A "QUERY PRODKEYS  ,ALL " command has been added.
    .
    **************
    *  Security  *
    **************
    Service Pack E provides a considerable increase in the security
    available to VSE users. Although we have made every attempt to
    provide backward compatibility with Service Level D, we highly
    encourage you to examine the new commands and facilities and use
    them to provide a secure environment for your data processing.
    .
    Incompatibilities:
    .
    All processes now run under user IDs and passwords, either
    explicitly or by default. If you make no other changes, you MUST
    provide the following commands in your initialization deck
    (unless a security exit is actively used, and the scripts and
    jobs set the user IDs and passwords):
    .
    DEFINE USER,ID=$WEB,PASSWORD=$WEB,WEB=YES
    DEFINE USER,ID=$LPR,PASSWORD=$LPR,LPR=YES
    DEFINE USER,ID=$EVENT,PASSWORD=$EVENT,LPR=YES
    DEFINE USER,ID=$LPD,PASSWORD=$LPD,LPD=YES
    .
    Security Enhancements:
    1. Logging: Results of security "decisions" can now be written
       to the log (routing code SECURITY). Modes available are: All,
       Failed, and None.
    2. All changes to security parameters are logged.
    3. Security can be operated in "Fail" and "Warn" modes.
    4. Overhead has been reduced.
    5. "Automatic" security is now available for all files, based
       upon the values provided with DEFINE USER commands.
    6. Control and monitoring of security functions consolidated in
       the SECURITY and QUERY SECURITY commands.
    7. The user-provided Security Exit may send messages to the
       security log via an address vector passed in the SXBLOK.
    8. Security settings can be "locked" to prevent tampering.
    9. FTPBATCH security no longer relies on loading the user exit
       into the FTPBATCH partition. This potential security exposure
       is eliminated by having FTPBATCH pass security calls to the
       target stack partition, using the "protected" libraries and
       routines. Logging and control is automatically handled by the
       stack routines and stack-based user exit, using the security
       settings established by the customer.
    10. The installation-provided security exit may now contain
        identifying information that will be verified when the phase
        is loaded.
    11. UserIDs can now be associated with specific uses. For
        example, having valid ID for TN3270 access does not
        automatically permit FTP access.
    12. Security requests passed to the user exit will now contain
        the type of usage requested. For example, FTP or LPR.
    13. Specification of POWER userid and password can be done with
        SET POWERUSERID= and SET POWERPASSWORD=. The default user ID
        remains SYSTCPIP and the default password remains XL8'00'.
    14. Automation (event) processing now uses a default userID /
        password of $EVENT/$EVENT. These values may be overridden
        via DEFINE EVENT. This default is passed to client processes
        and is used for security calls unless overridden in a
        script.
    15. LPR processing now sets a default userID/password of $LPR/
        $LPR. These values are passed to security processing unless
        overridden by the user, either explicitly or via script.
    .
    Flow of a security request:
    1. Application (eg, FTP) creates an SXBLOK
    2. UserID/password (if present) is checked against DEFINE USER
       information. Result set in SXBLOK along with a default
       return code.
    3. "Automatic" processing is performed, if specified. Result
       set in SXBLOK and overrides return code set in #2.
    4. User Exit processing is performed, if specified. The user
       exit may consider the result of the preceding steps, or may
       override it.
    .
       Note that 1.5D security exits see the same data as before and
       have exactly the same interface requirements. Modifications
       need be made ONLY if use of new features is desired.
    .
    "DIAGNOSE SECEXIT" Command
    This command causes a flag bit to be set in each SXBLOK passed
    to the user-supplied security exit. The programmer may use this
    flag to control diagnostic messages coded into the exit.
    .
    "QUERY SECURITY" Command
     IPN253I << TCP/IP TCP/IP Security Settings >>
     IPN750I    Security Processing: Disabled
     IPN750I    ARP Checking:        Disabled
     IPN750I    IP Address Checking: Disabled
     IPN751I    Auto Data:           Undefined
     IPN751I    Exit Data:           Undefined
     IPN750I    Automatic Security:  Disabled
     IPN750I    Security Exit:       Undefined
     IPN750I    Batch Security:      Disabled
     IPN752I    Security Mode: Fail Log: Fail Dump: Fail
    This display, generated with both RESPONSE and SECURITY
    routings, summarizes all security information.
    The "QUERY OPTIONS" command no longer shows the now redundant
    security information.
    "QUERY ALL" includes the security settings.
    .
    "SECURITY" Command
    This command contains one or more options (separated by blanks
    or commas) that will define or modify current security settings.
    Options:
      ON/OFF       Controls global security processing
      BATCH=ON/OFF Controls security usage by batch partitions, eg,
                FTPBATCH
      PHASE=    Specifies the name of the Security Exit Phase
      XDATA=    Specifies a 40-byte character string to be passed
                to the Security EXIT (if specified by the PHASE=
                parameter) on each invocation.
      ADATA=    Specifies a 40-byte character string to be passed to
                the Automatic security routine with each call.
      ASMDATE=  Assembly date of the security exit (1-8 characters).
      ASMTIME=  Assembly time of the security exit (1-8 characters).
      VERSION=  Version of the security exit (1-8 characters).
      LEVEL=    Modification level of the security exit (1-8
                characters).
      AUTO=ON/OFF  Controls automatic checking of user authority
      EXIT=ON/OFF  Controls loading and activation of the Security
                Exit.
      ARP=ON/OFF   Controls ARP request checking.
      IP=ON/OFF    Controls IP address checking.
      MODE=WARN/FAIL  Controls whether security failures will be
                allowed with a "warning".
      LOGGING=ALL/FAIL/NONE  Controls logging of security requests.
                Note that the user-supplied Security Exit may set a
                flag to force logging of specific requests.
      DUMP=ALL/FAIL/NONE  Controls dumping of the entire SXBLOK
                following a failed security request. NONE suppresses
                dumping, FAIL causes dumping when a security failure
                occurs, and ALL causes dumping of failures in both
                FAIL and WARN modes.
      LOCK      Once issued, all security settings are locked to
                their current values.
    .
    "DEFINE USER" command
    This command now supports additional parameters, as follows:
     FTP=YES/NO      Controls FTP access by this user
     LPR=YES/NO      Controls LPR access by this user
     WEB=YES/NO      Controls Web page access by this user
     TELNET=YES/NO   Controls Telnet menu access by this user
    If NONE of the above options is explicitly coded, then ALL
    functions are permitted. This provides backward compatibility.
    If ANY of the above options are used, then the default for all
    un-coded options is "NO".
    For example
      DEFINE USER ID=ABC,PASS=XYZ
             User will have access to everything
      DEFINE USER ID=ABC,PASS=XYZ,FTP=YES
             User will have access ONLY to FTP
      DEFINE USER ID=ABC,PASS=XYZ,FTP=NO
             User will have NO access to anything.
    .
    "DEFINE HTTPD" command
    Two parameters, USERID= and PASSWORD=, have been added to the
    DEFINE HTTPD command. These permit the specification of a
    default user ID and password that will be used for "unsecured
    pages". The defaults for both are "$WEB". This userID and
    password must be defined via DEFINE USER, with an access
    attribute of "WEB=YES".
    .
    Commands, as defined on previous releases, are still valid.
    Existing initialization decks and procedures will continue to
    function as they always have. However, they can all be replaced
    with the "SECURITY" command, as follows:
    DEFINE SECURITY    =>    SECURITY PHASE=nnn XDATA=xxx EXIT=ON
    DELETE SECURITY    =>    SECURITY EXIT=OFF
    SECURITYARP        =>    SECURITY ARP=
    SET SECURITYARP=   =>    SECURITY ARP=
    SECURITYIP         =>    SECURITY IP=
    SET SECURITYIP=    =>    SECURITY IP=
    SECURITY ONX       =>    SECURITY ON BATCH=ON
    For example, the following command sequence:
    DEFINE SECURITY,DRIVER=USEREX,DATA='ABCD'
    SET SECURITY_ARP=ON
    SET SECURITY_IP=ON
    SET SECURITY ON
    Can be replaced with:
    SECURITY ON,PHASE=USEREX,XDATA='ABCD',ARP=ON,IP=ON, EXIT=ON
    .
    "Automatic" security is activated with the SECURITY AUTO=ON
    command. Automatic security means that many users will not need
    to create and maintain their own security exits.
    The ASECUrity (ASECU = minimum abbreviation) command provides
    control for system-level resources where no userid/password has
    been established.
    ASECUrity ICMP=YES/NO FTPD=YES/NO WEBL=YES/NO SCAN=YES/NO
              HARD=YES/NO IPAV=YES/NO FTPC=YES/NO
    ASECUrity ICMP=YES/NO
    Can be used to allow or prevent VSE from responding to incoming
    ICMP PING requests. This is useful to stop "ping sweeps",
    commonly used to find active machines on a TCP/IP network.
    ASECUrity FTPD=YES/NO
    Controls connection requests to the FTP Daemon. This can be used
    to temporarily stop new FTP sessions from being accepted by the
    VSE FTP Daemon.
    Normally when a foreign client connects to the FTP Daemon a
    "220-welcome" message is immediately sent to the foreign client.
    Executing ASECUrity FTPD=NO prevents sending the 220 message and
    the connection request is simply terminated. This can be useful
    for the prevention of "banner grabbing" to find out where an FTP
    service is active.
    It also may be used to temporarily stop new FTP sessions without
    deleting your FTP Daemons. Note that already-established FTP
    sessions are not affected by this command.
    ASECUrity HARD=YES/NO
    Requires SECURITY ARP=ON to already be in effect. Specifying
    HARD=NO will prevent TCP/IP from responding to inbound ARP
    requests. We are not sure why or when this would be useful.
    ASECUrity IPAV=YES/NO
    Requires SECURITY IP=ON to already be in effect. Specifying
    IPAV=NO will immediately prevent processing of all incoming IP
    datagrams. This is a drastic step, but one that might prove
    useful if you are in the thick of an Internet attack.
    ASECUrity FTPC=YES/NO
    This command is similar to ASECURITY FTPD=, except that
    opening a control session is permitted, but all commands that
    can be issued prior to userID/password validation are rejected
    with "500 Command rejected".
    The commands that are NOT allowed are: USER, PASS, ACCT, QUIT,
    REIN, SYST, HELP, NOOP, PBSZ, PROT, AUTH.
    Automatic Security can be used in conjunction with the existing
    DEFINE USER command to allow/prevent specific user access to
    data. To take advantage of this feature, you specify a string
    of Y/N characters with the DATA= parameter to indicate allowed
    and forbidden actions, based on the equates normally passed to
    the user security exit.
    The following list is reproduced from the SXBLOK, as mapped by
    the SXBLOK macro. Each equate number corresponds to the same
    * * SXTYPASS EQU 1   - Password Check
    * * SXTYREAD EQU 2   - Read Check
    * * SXTYWRIT EQU 3   - Write Check
    * * SXTYUPDT EQU 4   - Update Check
    * * SXTYSTRT EQU 5   - Startup Security
    * * SXTYSHUT EQU 6   - Shutdown Security
    * * SXTYHARD EQU 7   - Hardware Address Verify
    * * SXTYIP   EQU 8   - IP Address Verify
    * * SXTYCMD  EQU 9   - SITE Command check
    * * SXTYDEL  EQU 10  - Delete check
    * * SXTYREN  EQU 11  - Rename check
    * * SXTYCRT  EQU 12  - Create check
    * * SXTYEXEC EQU 13  - EXEC command check
    * * SXTYAPPE EQU 14  - APPEND check
    * * SXTYOPDI EQU 15  - OPDIR check
    * * SXTYRDD  EQU 16  - RDDIR check
    * * SXTYCWD  EQU 17  - CWD Check
    * * SXTYSHEL EQU 18  - SHELL Check
    * * SXTYICMP EQU 19  - ICMP check
    * * SXTYLOGI EQU 20  - Daemon LOGIN request
    * * SXTYRPC  EQU 21  - RPC Request
    * * SXTYWEBL EQU 22  - Web Logon Screen Request
    * * SXTYSCAN EQU 23  - HTTPD SCANBLOCK request
    * * SXTYMKD  EQU 24  - Make directory
    * * SXTYRMD  EQU 25  - Remove directory
    * * SXTYCWDL EQU 26  - Last CWD
    * * SXTYxxxx EQU 27  - Auto exit startup
    * * SXTYxxxx EQU 28  - Auto exit shutdown
    * * SXTYFCMD EQU 29  - FTPD command
    Here are three examples of userID definitions:
    Superman can do anything:
    DEFINE USER,ID=SUPERMAN,PASSWORD=LOIS123, -
           DATA=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
    An FTP read-only user can be defined by permitting only the
    functions for SXTYPASS, SXTYREAD, SXTYCMD, SXTYOPDI, SXTYRDD,
    SXTYCWDL, SXTYCWD, and SXTYFCMD.
    DEFINE USER,ID=FTPREADO,PASSWORD=READONLY, -
           DATA=YYNNNNNNYNNNNNYYYNNNNNNNNYNNYNNNNNNNNNNN -
           ROOT='/POWER/LST/A',FTP=YES
    By adding SXTYWRIT, SXTYDEL, SXTYREN, SXTYCRT, SXTYAPPE,
    SXTYMKD, and SXTYRMD functions, we have a userID that can also
    write and "control" files and directories.
    DEFINE USER,ID=FTPWRITE,PASSWORD=WRITETOO, -
           DATA=YYYNNNNNYYYYNYYYYNNNNNNYYYNNYNNNNNNNNNNN -
           ROOT='/HFS001/CSIVSEDW',FTP=YES
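    Worked example (added here; this is not IBM or CSI code and is not part
    of the APAR): a small Python model of the DATA= mechanism and of the
    "automatic" step in the security request flow described above. It
    encodes a set of allowed SXBLOK request types into the 40-character
    Y/N string, decodes a string back into request-type names, flags
    strings that grant write-class requests, and evaluates one request
    under MODE=FAIL/WARN and LOGGING=ALL/FAIL/NONE as the SECURITY command
    options describe. The function names, the Decision record and the
    log-line format are assumptions of this example; the equate numbers
    are those listed above (27 and 28 take the names SXTYSTAU/SXTYSHAU
    from the error description). The read-only and write sets reproduce
    the FTPREADO and FTPWRITE DATA= strings shown above.

```python
"""Model of TCP/IP for VSE/ESA 1.5E DEFINE USER DATA= strings (illustration only).

Constructed example, not IBM/CSI code. Equate numbers come from the SXBLOK
list in APAR PQ87041; function names and log format are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# SXBLOK request types (equate number -> name). 27/28 appear as SXTYxxxx in the
# equate list; SXTYSTAU/SXTYSHAU are the names given for X'1B'/X'1C' in the APAR.
SXTY = {
    1: "SXTYPASS", 2: "SXTYREAD", 3: "SXTYWRIT", 4: "SXTYUPDT", 5: "SXTYSTRT",
    6: "SXTYSHUT", 7: "SXTYHARD", 8: "SXTYIP", 9: "SXTYCMD", 10: "SXTYDEL",
    11: "SXTYREN", 12: "SXTYCRT", 13: "SXTYEXEC", 14: "SXTYAPPE", 15: "SXTYOPDI",
    16: "SXTYRDD", 17: "SXTYCWD", 18: "SXTYSHEL", 19: "SXTYICMP", 20: "SXTYLOGI",
    21: "SXTYRPC", 22: "SXTYWEBL", 23: "SXTYSCAN", 24: "SXTYMKD", 25: "SXTYRMD",
    26: "SXTYCWDL", 27: "SXTYSTAU", 28: "SXTYSHAU", 29: "SXTYFCMD", 30: "SXTYCGI",
}
NAME_TO_NUM = {name: num for num, name in SXTY.items()}
DATA_LEN = 40  # the DATA= strings in the APAR examples are 40 characters long

# Request types that create, change or remove data; a "read-only" user must not hold any.
WRITE_CLASS = {"SXTYWRIT", "SXTYUPDT", "SXTYDEL", "SXTYREN", "SXTYCRT",
               "SXTYAPPE", "SXTYMKD", "SXTYRMD"}

# Sets taken from the APAR's FTPREADO and FTPWRITE examples.
FTP_READ_ONLY = {"SXTYPASS", "SXTYREAD", "SXTYCMD", "SXTYOPDI", "SXTYRDD",
                 "SXTYCWDL", "SXTYCWD", "SXTYFCMD"}
FTP_WRITE = FTP_READ_ONLY | {"SXTYWRIT", "SXTYDEL", "SXTYREN", "SXTYCRT",
                             "SXTYAPPE", "SXTYMKD", "SXTYRMD"}


def encode_data(allowed):
    """Build the DATA= string: position n (1-based) is Y iff equate n is allowed."""
    unknown = set(allowed) - NAME_TO_NUM.keys()
    if unknown:
        raise ValueError(f"unknown request types: {sorted(unknown)}")
    nums = {NAME_TO_NUM[name] for name in allowed}
    return "".join("Y" if n in nums else "N" for n in range(1, DATA_LEN + 1))


def decode_data(data):
    """Return the set of request-type names a DATA= string grants."""
    data = data.upper()
    if len(data) != DATA_LEN or set(data) - {"Y", "N"}:
        raise ValueError("DATA= must be exactly 40 Y/N characters")
    return {SXTY[i + 1] for i, ch in enumerate(data) if ch == "Y" and (i + 1) in SXTY}


def is_read_only(data):
    """True when the DATA= string grants no write-class request type."""
    return not (decode_data(data) & WRITE_CLASS)


@dataclass
class Decision:
    allowed: bool              # whether the request proceeds
    failed: bool               # whether the check failed (WARN mode may still allow it)
    log_line: Optional[str]    # routing-code SECURITY log entry, or None if not logged


def authorize(user_id, data, request_type, mode="FAIL", logging="FAIL"):
    """Automatic-security step (step 3 of the APAR's flow) for one request.

    mode:    FAIL rejects a failed check; WARN lets it proceed with a warning.
    logging: ALL logs every decision, FAIL only failures, NONE nothing.
    """
    granted = decode_data(data)
    name = SXTY.get(request_type)
    failed = name is None or name not in granted
    allowed = (not failed) or mode.upper() == "WARN"
    log_line = None
    if logging.upper() == "ALL" or (logging.upper() == "FAIL" and failed):
        status = "OK" if not failed else ("WARN" if allowed else "FAIL")
        log_line = f"SECURITY {user_id} type={request_type}({name or '?'}) {status}"
    return Decision(allowed, failed, log_line)


if __name__ == "__main__":
    ro = encode_data(FTP_READ_ONLY)
    print("DEFINE USER,ID=FTPREADO,...,DATA=" + ro)
    print("read-only:", is_read_only(ro))
    # SXTYWRIT (3) against the read-only user, in FAIL and WARN modes
    print(authorize("FTPREADO", ro, NAME_TO_NUM["SXTYWRIT"]))
    print(authorize("FTPREADO", ro, NAME_TO_NUM["SXTYWRIT"], mode="WARN"))
```

    Running the block prints the FTPREADO string from the APAR and shows the
    same SXTYWRIT request rejected under MODE=FAIL but passed with a
    warning under MODE=WARN; an is_read_only check of this kind is a
    cheap way to audit DATA= strings in an initialization deck before the
    user exit step ever sees them.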
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    PQ87041

  • Reported component name

    TCP/IP FOR VSE

  • Reported component ID

    5686A0400

  • Reported release

    1OQ

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function

  • Submitted date

    2004-04-01

  • Closed date

    2006-11-02

  • Last modified date

    2008-05-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UK19329 UK19330

Modules/Macros

  • $SOCKDBG $SOCKLST $SOCKOPT ABOR     ACCT
    ASCII    ASOCKET  BIMEOPTN BINARY   BLDARG   BYE      CD
    
    ***This field was truncated.  To obtain the full apar record, please contact your local support center.***
    

Fix information

  • Fixed component name

    TCP/IP FOR VSE

  • Fixed component ID

    5686A0400

Applicable component levels

  • R7IP PSY UK19329

       UP06/11/11 I 1000

  • R8TP PSY UK19330

       UP06/11/11 P E313

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.




Document information


More support for:

z/VSE family

Software version:

1OQ

Operating system(s):

VSE/ESA

Reference #:

PQ87041

Modified date:

2008-05-30
