OA23893: DOCUMENT IOSAS SET-UP INFORMATION

APAR status

  • Closed as documentation error.

Error description

  • 1.  Refer to PTFs for APAR OA15690 & OA18229 ++HOLD ACTION
    regarding:
    
    Add an OMVS segment for IOSAS (IOS address space).  The OMVS
    segment is for TCP/IP connectivity only, and UID(0) or superuser
    ability is not required.  An IPL is required to implement this
    OMVS segment.
    
    This ++HOLD(ACTION) is needed only if you intend to implement
    3592 tape encryption with MVS IN-Band support.   Further
    clarification is needed in the publications regarding the
    OMVS segment.   As documented in the DFSMS Software Support for
    IBM System Storage TS1120 Tape Drive (3592) manual
    (SC26-7514-03) in section 1.13.3 Other Administration Tasks in
    support of MVS In-Band Tape Encryption there are three examples
    on establishing the IOSAS security permissions for a USS
    segment.  This book implies that superuser authority "UID(0)" is
    required; however, it is NOT.  UID(xxxx) is illustrated in the
    following examples, which implement non-superuser authority.
    Additionally, the home directory is ('/').

    In RACF, issue:
           ADDUSER IOSAS OMVS(UID(xxxx) HOME('/'))

    In CA-Top Secret Security for z/OS or eTrust, issue:
           TSO TSS ADD(IOSAS) UID(xxxx) HOME('/')

    In CA-ACF2 Security for z/OS authorization, issue:
           TSO ACF INSERT IOSAS NAME(IOSAS ID) UID(xxxx) HOME(/)
    
    
    2.  APAR OA09050 implements the SETIOS STORAGE,IOSBLKS=31
    command.  IBM recommends (as per your security product) that
    IOSAS be set up as a TRUSTED address space in order for IOSAS to
    automatically set IOSBLKS=31.  If IOSAS is not given the proper
    authority for the SETIOS command, the following failure will
    result and blocks will remain in 24-bit storage.
    
     SETIOS STORAGE,IOSBLKS=31
     IEE345I SETIOS AUTHORITY INVALID, FAILED
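
    For RACF installations, one way to assign the TRUSTED attribute
    and then confirm both settings discussed above, as an added
    example that is not part of the APAR or of IBM's publications.
    The job card values and the IOSAS.* profile name are
    assumptions, and the STARTED class is assumed to be active,
    RACLISTed and enabled for generic profiles.

```jcl
//IOSASCHK JOB (ACCT),'IOSAS SETUP',CLASS=A,MSGCLASS=X
//* Added example, not from the APAR. Job card values and the
//* IOSAS.* profile name are assumptions; adjust to local standards.
//* Assumes STARTED is active, RACLISTed and generic-enabled.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE STARTED IOSAS.* STDATA(USER(IOSAS) TRUSTED(YES))
  SETROPTS RACLIST(STARTED) REFRESH
  RLIST STARTED IOSAS.* STDATA NORACF
  LISTUSER IOSAS OMVS NORACF
/*
```

    The RLIST output should report the TRUSTED attribute as YES,
    and the LISTUSER output should show the UID you assigned in
    the OMVS segment rather than 0.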
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users at HBB7720 and above                   *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Documentation updates are being made for the following:
    
    1. To indicate that the exploitation of EKM requires that
       the IOSAS has security permission for a USS segment.
    
    2. To indicate that the IOSAS needs to be defined as a
       TRUSTED address space to utilize the SETIOS STORAGE
       command.
    

Problem conclusion

  • Documentation updates will be made to the following
    publications:
    
    - MVS Initialization and Tuning Reference (SA22-7592), to
      chapter on IECIOSxx, section on EKM, as follows:
    
        EKM
    
        Specify the encryption key management ...
        ... the sockets are not opened.
    
      | In-band tape encryption requires that the IOS address
      | space has security permission for a USS segment. The USS
      | segment is only for TCP/IP connectivity and UID(0) or
      | super user ability is not required.  For example in RACF,
      | issue the following:
      |
      |     ADDUSER IOSAS OMVS(UID(xxxx) HOME('/'))
      |
      |     where xxxx is a unique user ID.
    
        Subtopics:
          . xx.xx.x Statements/parameters for EKM
    
    - MVS System Commands (SA22-7627), the chapter on the SETIOS
      command, section on Parameters, as follows:
    
        EKM,PRIMARY=
        Specifies the hostname or IP address and port number of
        the primary key manager...normal operation continues.
    
      | Note: In-band tape encryption requires that the IOS address
      | space has security permission for a USS segment. The USS
      | segment is only for TCP/IP connectivity and UID(0) or super
      | user ability is not required.  For example, for RACF
      | environments, issue:
      |
      |     ADDUSER IOSAS OMVS(UID(xxxx) HOME('/'))
      |
      |     where xxxx is a unique user ID.
    
        host_name :port | ,PRIPORT=port
    
        ...
    
        EKM,SECONDARY=
        Specifies the hostname or IP address and port number of
        the secondary key manager.
    
      | Note: In-band tape encryption requires that the IOS
      | address space has security permission for a USS segment.
      | See EKM,PRIMARY= parameter description above for more
      | information.
    
        host_name :port | ,SECPORT=port
    
    - MVS System Commands (SA22-7627), the chapter on the SETIOS
      command, section on Parameters, as follows:
    
        STORAGE,IOSBLKS={24 or 31}
        Use this command to enable 24 or 31-bit storage for IOS
        blocks.
    
      | Note: Use of this command requires that the IOS Address
      | Space (IOSAS) is set up as a TRUSTED address space.
    
        ...
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA23893

  • Reported component name

    5752 IOS

  • Reported component ID

    5752SC1C3

  • Reported release

    720

  • Status

    CLOSED DOC

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-02-01

  • Closed date

    2008-07-08

  • Last modified date

    2008-07-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Publications Referenced
SA22762700 SA22759200      

Fix information

Applicable component levels



Document information


More support for:

z/OS family

Software version:

720

Operating system(s):

MVS, z/OS

Reference #:

OA23893

Modified date:

2008-07-08
