A fix is available
APAR status
Closed as new function.
Error description
New Function
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: * * All users running z/OS V2R1 and above that use user key * * CSA storage. * **************************************************************** * PROBLEM DESCRIPTION: * * Unrestricted user key CSA usage will * * not be supported after z/OS V2R3. * * This APAR provides a way to support * * restricted user key CSA usage with * * SAF security protection until the * * user key CSA usage can be removed. * **************************************************************** * RECOMMENDATION: * **************************************************************** Allowing programs to obtain user key common storage creates a security risk because the storage can then be modified by any unauthorized program. Therefore, the allocation, obtaining and changing of unrestricted common areas of virtual storage, such that the storage is in user key (8-15), will not be supported after z/OS V2R3. APAR OA53355 provided the means to identify all user key common allocations via a migration health check, ZOSMIGV2R3_NEXT_VSM_USERKEYCOMM. IBM strongly recommends eliminating all user key common usage identified by this health check. Note that with APAR OA53355, ZOSMIGV2R3_NEXT_VSM_USERKEYCOMM identifies all allocations of user key CSA, but not all users once it is allocated.
Problem conclusion
Temporary fix
Comments
This APAR provides the means to identify all accesses of user key CSA subpools, as well as support restricted user key CSA usage with SAF security protection until the user key CSA usage can be removed. Note: This APAR only applies to user key CSA storage. Both user key (8-15) SCOPE=COMMON data spaces and the usage of the CHANGKEY service to change the storage key of common storage to a key of 8-15 are not affected by this APAR, and will no longer be supported after z/OS V2R3. For systems with no user key CSA usage, there are no additional planning considerations. For systems with user key CSA usage, you will need to define a restricted use CSA (RUCSA) to identify all accesses to allocated user key CSA. This area will allow auditing of all user key CSA accesses, as well as reduce (but not eliminate) the inherent security risk. Once defined, existing user key CSA allocation requests will transparently obtain storage from RUCSA and the ZOSMIGV2R3_NEXT_VSM_USERKEYCOMM health check will detect all accesses to allocated user key CSA. For complete instructions on how to define a RUCSA, refer to the 'Migrating to RUCSA' subsection of the z/OS MVS Initialization and Tuning Guide section in pdf file, OA56180.pdf, available at: - http://publibz.boulder.ibm.com/zoslib/pdf/OA56180.pdf APAR OA56180 also includes the following list of corrections to APAR OA53355: - APAR OA53355 only set the SMF30_USERKEYCOMMONAUDITENABLED bit for certain jobs/address spaces. This APAR ensures that the SMF30_USERKEYCOMMONAUDITENABLED bit is set for all jobs/address spaces. The following publications are updated to support the APAR: - z/OS Migration (GA32-0889) The 'Prepare for the removal of support for user key common areas' section is updated to mention this solution. - z/OS MVS Diagnosis: Reference (GA32-0904) The Storage Summary section is updated to document the subpool characteristics associated with RUCSA. The VSMDATA CONTROLBLOCKS and OWNCOMM sections are updated to explain the changes to the reports when RUCSA is defined. - z/OS MVS Data Areas Volume 1 (GA32-0935) The GDA mapping is updated to document the new GDA fields associated with RUCSA. - z/OS MVS Data Areas Volume 2 (GA32-0936) The IGVCAUB mapping is updated to document the new CAUB fields associated with RUCSA. - z/OS MVS Programming: Assembler Services Guide (SA23-1371) The 'Virtual Storage Management' section is updated to describe the changes to VSMLIST as a result of RUCSA. The 'Sharing data in virtual storage (IARVSERV macro)' section is updated to describe the changes to IARVSERV as a result of RUCSA. - z/OS MVS Initialization and Tuning Guide (SA23-1379) The Storage Management Overview section is updated to describe the RUCSA. - z/OS MVS Initialization and Tuning Reference (SA23-1380) A new IEASYSxx parameter section is included to describe the RUCSA parameter. - z/OS MVS IPCS Commands (SA23-1382) The VSMDATA subcommand section is updated to document how the RUCSA output is reported. - z/OS MVS System Codes (SA38-0665) The following sections are updated to mention that the below codes can be issued when attempting to use the RUCSA: 0Cx, 18A, 6C5, B04, B0A, B78 - z/OS MVS System Management Facilities (SMF) (SA38-0667) The SMF type 30 record section is updated to describe the new audit flag, SMF30_UserKeyRucsaUsage. - z/OS MVS System Messages, Vol 6 (GOS-IEA) (SA38-0673) The following messages have been updated to support the specification of a IEASYSxx RUCSA parameter: IEA321I, IEA909I, IEA907W Documentation updates for the above publications are located in a pdf file, OA56180.pdf, available at: - http://publibz.boulder.ibm.com/zoslib/pdf/OA56180.pdf KEYWORDS: MSGIEA321I MSGIEA909I MSGIEA907W
APAR Information
APAR number
OA56180
Reported component name
VSM - VIRT STOR
Reported component ID
5752SC1CH
Reported release
790
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2018-09-18
Closed date
2019-03-15
Last modified date
2019-04-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UA98722 UA98723 UA98724
Modules/Macros
IGVFSQA IGVVSHEN IEAVNPIL BLSAIPIN IGVSFOWN IHAPVT IGVIVGDA IAXMD IAXXL IAXMA IHAGDA IAXDK IAXMB IARRAX IGVFCSA IAXMJ IGVCAUB IGVRSRTN IAXMP IAXIS IARMN IEAVEPC IAXZIFTE IGVSFMAN IAXIX IGVNIPCR IARVB IGVSFGLB IGVHCHK1 IARRCE IEECB985 IGVRVSM IGVRQVR2 IEAVNPCF IFASMFR3 IARVSERV IEFTB721 IGVRCSA IGVVSMRF IAXRI IEAIPL14 IAXFS IGVSLIS1 IAXZTRID IGVMGDA IAXVG IGVVSCEL IEAIPAMD IGVVSMRT IGVSFSRT IEAVNIPX IGVSFBTB IAXGT IGVSLIST IGVGCAS IEAIPL04 IEFSMFIE IGVGCSA IHAIPA IGVFVIRT IEAVNP03 IGVGSQA IGVSFLCL IGVHCMSG IAXZITBL IGVVSERR IEFSD162 IEAIPASR IEAVNP08 IAXPY IAXZSTK2 IGVDIPR
GA320889XX | GA320904XX | GA320935XX | GA320936XX | SA231371XX |
SA231379XX | SA231380XX | SA231382XX | SA380665XX | SA380667XX |
SA380673XX |
Fix information
Fixed component name
VSM - VIRT STOR
Fixed component ID
5752SC1CH
Applicable component levels
R790 PSY UA98722
UP19/03/28 P F903
R7A0 PSY UA98723
UP19/03/28 P F903
R7B0 PSY UA98724
UP19/03/28 P F903
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"790","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":null,"label":null},"Product":{"code":"SG19O","label":"APARs - MVS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"790","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
22 April 2019