A fix is available
APAR status
Closed as new function.
Error description
New Function
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: * * RACF users with HRF77B0 (z/OS V2R3) installed * **************************************************************** * PROBLEM DESCRIPTION: * * The CSFKEYS and CSFSERV profile lengths need to be increased * * Need support to add services to the conditional access list * * for a RACF profile. * **************************************************************** * RECOMMENDATION: * **************************************************************** The CSFKEYS and CSFSERV profile lengths are increased. The CSFKEYS, CSFSERV, XCSFKEY, and CRYPTOZ classes now specify SIGNAL=YES. Support was added to allow services in the conditional access list for a RACF profile.
Problem conclusion
Temporary fix
Comments
In the RACF Class Descriptor Table : - The CSFKEYS and CSFSERV MAXLENX field has been set to 246. - The CSFKEYS, CSFSERV, XCSFKEY, and CRYPTOZ classes now specify SIGNAL=YES. - The OTHER field for the CSFSERV class has been changed to ANY. A new criteria-name value, SERVICE, has been added to add services to the conditional access list. Note that neither ISPF panel nor TSO HELP support is provided for the new command keywords. The following documents the new criteria-name value: Security Server RACF Callable Services (SA23-2293-30) In Appendix B, under User Administration in the Base segment fields table Field Name Flag bytes values PERMIT Keyword Reference ---------- ----------------- ------------------------- WHENSRV 'Y' WHEN(CRIT(SERVICE(...))) Security Server RACF Command Language Reference (SA23-2292-30) Chapter 5 under PERMIT (Maintain resource access list). WHEN(CRITERIA(criteria-name(criteria-value| *))) ... The criteria-names a string of 1- 8 characters. Lowercase characters in the criteria-name are translated to uppercase. The valid criteria-name values are SQLROLE, SMS, and SERVICE. The criteria-value is a string of 1 - 235 characters of any combination. For SERVICE, the criteria-value will be a list of strings of 1- 8 characters of any combination. If the criteria-value consists of a single asterisk (*), you can optionally enclose it in single quotation marks. If the criteria-value contains blanks or other special characters, you must enclose the entire string in single quotation marks. .... For SQLROLE, the criteria-value is stored in the RACF database exactly as you specify it: -Both uppercase and lower case characters are preserved in the case in which they are specified. -Leading blanks are preserved when the string is quoted. For SMS and SERVICE, the criteria-value is folded to uppercase and stored in the RACF database. WHEN(CRITERIA(SQLROLE(*))) and WHEN(CRITERIA(SQLROLE(?*?))) delete all SQLROLE CRITERIA entries for the specified users or groups when the DELETE operand is also specified. WHEN(CRITERIA(SMS(*))) and WHEN(CRITERIA(SMS(*))) delete all SMS CRITERIA entries for the specified users or groups and are only valid when the DELETE operand is also specified. WHEN(CRITERIA(SERVICE(service names))) You can authorize conditional access to resources by specifying which services it can be used with. Example: WHEN(CRITERIA(SERVICE(CSFSKE,CSFSKD,CSFKRR2))) Example: WHEN(CRITERIA(SERVICE(CSFKRR2))) WHEN(CRITERIA(SERVICE(*))) and WHEN(CRITERIA(SERVICE('*'))) specified with the DELETE operand will delete all SERVICE CRITERIA entries for the specified users or groups. Specifying '*' as part of a list of services will yield unpredictable results. Security Server RACF Messages and Codes (SA23-2291-30) Chapter 2. ICH messages for RACF commands. Description of ICH06018I is updated ICH06018I command-name failed. WHEN operand is incorrect without a value. Explanation: The user did not specify a keyword for the WHEN operand. Valid keywords are PROGRAM, JESINPUT, CONSOLE, APPCPORT, SERVAUTH, SYSID, TERMINAL, CRITERIA(SERVICE(...)), CRITERIA(SMS(...)), or CRITERIA(SQLROLE(...)). The following documents the updates to the Class Descriptor Table: Security Server RACF Macros and Interfaces (SA23-2288-30) Security Server RACROUTE Macro Reference (SA23-2294-30) Appendix C In the Supplied class descriptor table entries: CSFKEYS POSIT=98 OTHER=ANY ------------------------------------------------- RACLIST=ALLOWED MAXLNTH=73 ------------------------------------------------- GENLIST=DISALLOWED DFTRETC=4 ------------------------------------------------- RACLREQ=YES DFTUACC=NONE ------------------------------------------------- GROUP=GCSFKEYS ------------------------------------------------- ------------------------------------------------- OPER=NO ------------------------------------------------- ID=100 ------------------------------------------------- FIRST=ALPHA MAXLENX=246 ------------------------------------------------- SIGNAL=YES CSFSERV POSIT=98 OTHER=ANY ------------------------------------------------- RACLIST=ALLOWED MAXLNTH=8 ------------------------------------------------- GENLIST=DISALLOWED DFTRETC=4 ------------------------------------------------- RACLREQ=YES DFTUACC=NONE ------------------------------------------------- ------------------------------------------------- OPER=NO ------------------------------------------------- ID=99 ------------------------------------------------- FIRST=ALPHA MAXLENX=246 ------------------------------------------------- SIGNAL=YES CRYPTOZ POSIT=578 OTHER=ANY ------------------------------------------------- RACLIST=ALLOWED MAXLNTH=246 ------------------------------------------------- GENLIST=DISALLOWED DFTRETC=4 ------------------------------------------------- RACLREQ=YES DFTUACC=NONE ------------------------------------------------- ------------------------------------------------- OPER=NO KEYQUAL=0 ------------------------------------------------- ID=1 ------------------------------------------------- FIRST=ANY ------------------------------------------------- SIGNAL=YES XCSFKEY POSIT=98 OTHER=ANY ------------------------------------------------- RACLIST=ALLOWED MAXLNTH=246 ------------------------------------------------- GENLIST=DISALLOWED DFTRETC=8 ------------------------------------------------- RACLREQ=YES DFTUACC=NONE ------------------------------------------------- GROUP=GXCSFKEY ------------------------------------------------- OPER=NO ------------------------------------------------- ID=100 ------------------------------------------------- FIRST=ALPHA ------------------------------------------------- SIGNAL=YES ×**** PE19/07/18 PTF IN ERROR. SEE APAR OA57972 FOR DESCRIPTION
APAR Information
APAR number
OA54350
Reported component name
RACF
Reported component ID
5752XXH00
Reported release
7B0
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-11-07
Closed date
2018-11-07
Last modified date
2019-12-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UA97873 426PC7 426PC7
Modules/Macros
IRRPAR65 IRRREQTB ICHCPE00 IRRREQ01 ICHRRCDX IRRCPE0P IRRADU20
SA23229330 | SA23229230 | SA23229130 | SA23228830 | SA23229430 |
Fix information
Fixed component name
RACF
Fixed component ID
5752XXH00
Applicable component levels
R7B0 PSY UA97873
UP18/11/21 P F811
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7B0","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":null,"label":null},"Product":{"code":"SG19O","label":"APARs - MVS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7B0","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
11 December 2019