A fix is available
APAR status
Closed as new function.
Error description
Provide more security options for ODBM: ISIS=N ODBM read-only access DLI RRS=N
Local fix
No fix
Problem summary
****************************************************************
* USERS AFFECTED: All IMS V13 users of ODBM                    *
****************************************************************
* PROBLEM DESCRIPTION: The IMS parameter that is used to       *
*                      determine the level of security used    *
*                      for ODBM APSB resource authorization    *
*                      checking is dependent upon the value    *
*                      that is specified for the ODBM RRS=     *
*                      parameter.                              *
****************************************************************
* RECOMMENDATION: INSTALL CORRECTIVE SERVICE FOR APAR/PTF      *
****************************************************************

The IMS parameter that is to be used to determine the security level used for ODBM APSB resource authorization is dependent upon the value that is specified for the ODBM RRS= parameter.

When ODBM RRS=Y is specified, the IMS parameter ODBASE= is used to determine the PSB security level for ODBM. If ODBASE=Y, the AIMS resource class is used to authorize ODBM APSB PSB resources.

When ODBM RRS=Y and IMS ODBASE=N is specified, OR When ODBM RRS=N is specified, the IMS parameter ISIS= is used to determine the PSB security level for ODBM using the IIMS resource class.

*** IMS KEYWORDS *** MSGDFS4585W ABENDU0166 IMSODBM
Problem conclusion
Temporary fix
Comments
New parameter, ODBMSECURE, is added for the IMS control region. It can be specified in either the DFSCGxxx member, or the DFSDFxxx member section <SECTION=COMMON_SERVICE_LAYER>. If you specify ODBMSECURE in both the DFSCGxxx member and the CSL section of the DFSDFxxx member, the values specified in the DFSCGxxx member override the values specified in the DFSDFxxx member.

Recommendation: APAR PI78668 can be applied in a rolling fashion to all IMS V13 systems. However, to enable ODBMSECURE, both the IMS subsystem and ODBM must have PI78668 applied.

ODBMSECURE=
  Specifies whether IMS should, for an ODBM thread at the time of the allocate PSB (APSB) request, perform security checking on the PSB resource. Any value other than 'I' will override the parameters ISIS=, and ODBASE= for APSB requests from an ODBM connector. The RACF resource class (RCLASS), AIMS/Axxxxxxx, is used for PSB resource checking.

  I  Ignore - Specifies that the ODBMSECURE= parameter is to be ignored. This is the default.
  N  None - Specifies that no security checking is to be performed for APSB requests from an ODBM thread. NOTE: This will override both the ISIS and ODBASE parms.
  A  All - Specifies that both RACF and the IMS RAS user exit routine are to be called (options E and R) for PSB authorization. RACF is called first. The SAF return code, and the RACF return and reason codes, are passed to the IMS RAS user exit routine.
  E  Exit - Specifies that the IMS RAS user exit routine is to be called for PSB authorization.
  R  RACF - Specifies that RACF is to be called to perform PSB authorization using resource class AIMS/Axxxxxxx.

The following publication updates describe in further detail the introduced changes:

GC19366000 - System Definition
Installing IMS>System definition>Members of the IMS PROCLIB data set> DFSCGxxx member of the IMS PROCLIB data set

>--+-------------------+-->
   |             .-I-. |
   '-ODBMSECURE=-+-N-+-'
                 +-A-+
                 +-E-+
                 '-R-'

Table 1. Applicability of DFSCGxxx parameters based on resource manager environment

Parameter    | RMENV=Y  | RMENV=N
-------------+----------+------------
>>ODBMSECURE | optional | optional<<

Parameters

>>ODBMSECURE=
  Specifies whether IMS should, for an ODBM thread at the time of the allocate PSB (APSB) request, perform security checking on the PSB resource. Any value other than 'I' will override the parameters ISIS=, and ODBASE= for APSB requests from an ODBM connector. The RACF resource class (RCLASS), AIMS/Axxxxxxx, is used for PSB resource checking.

  I  Ignore - Specifies that the ODBMSECURE= parameter is to be ignored. This is the default.
  N  None - Specifies that no security checking is to be performed for APSB requests from an ODBM thread. NOTE: This will override both the ISIS and ODBASE parms.
  A  All - Specifies that both RACF and the IMS RAS user exit routine are to be called (options E and R) for PSB authorization. RACF is called first. The SAF return code, and the RACF return and reason codes, are passed to the IMS RAS user exit routine.
  E  Exit - Specifies that the IMS RAS user exit routine is to be called for PSB authorization.
  R  RACF - Specifies that RACF is to be called to perform PSB authorization using resource class AIMS/Axxxxxxx.<<

GC19366000 - System Definition
IMS 13.1.0>Installing IMS>System definition>Members of the IMS PROCLIB data set>DFSDFxxx member of the IMS PROCLIB data set> COMMON_SERVICE_LAYER section of the DFSDFxxx member

>>
>--+-------------------+-->
   |             .-I-. |
   '-ODBMSECURE=-+-N-+-'
                 +-A-+
                 +-E-+
                 '-R-'
<<

Parameters

>>ODBMSECURE=
  Specifies whether IMS should, for an ODBM thread at the time of the allocate PSB (APSB) request, perform security checking on the PSB resource. Any value other than 'I' will override the parameters ISIS=, and/or ODBASE= for APSB requests from an ODBM connector. The RACF resource class (RCLASS), AIMS/Axxxxxxx, is used for PSB resource checking.

  I  Ignore - Specifies that the ODBMSECURE= parameter is to be ignored. This is the default.
  N  None - Specifies that no security checking is to be performed for APSB requests from an ODBM thread. NOTE: This will override both the ISIS and ODBASE parms.
  A  All - Specifies that both RACF and the IMS RAS user exit routine are to be called (options E and R) for PSB authorization. RACF is called first. The SAF return code, and the RACF return and reason codes, are passed to the IMS RAS user exit routine.
  E  Exit - Specifies that the IMS RAS user exit routine is to be called for PSB authorization.
  R  RACF - Specifies that RACF is to be called to perform PSB authorization using resource class AIMS/Axxxxxxx.<<

SC19365900 - System Administration
IMS 13.1.0>IMS administration>System administration> IMS system administration considerations and tasks> IMS security>Designing security for IMS DB/DC and DCCTL>

>>Security for ODBM allocate PSB (APSB) requests

Any PSB specified on an APSB request from an ODBM thread can be secured using the z/OS System Authorization Facility (SAF) and/or the IMS RAS user exit. Enabling security for ODBM is accomplished with one of the following methods:

1. Specify ODBMSECURE= A, E, R.
   This applies to all ODBM connectors to the respective IMS, irrespective of the ODBM RRS= setting. ISIS= and ODBASE= are overridden for all ODBM connections to IMS that specifies ODBMSECURE=N|A|E|R.
   The resource class of AIMS or Axxxxxxx is used to authorize APSB resources.
2. Specify ISIS=A|C|R
   This applies to
   - ODBM RRS=Y connections with IMS ODBASE=N
   - ODBM RRS=N connections
   The resource class of IIMS or Ixxxxxxx is used to authorize APSB resources.
3. Specify ODBASE=Y
   This applies to ODBM RRS=Y only
   The resource class of AIMS or Axxxxxxx is used to authorize APSB resources.

After APSB SAF is security-enabled, IMS calls SAF to secure the PSB specified on an APSB call using the respective resource class, based on the user associated with the ODBM thread. Define to RACF (or the installation exit) the PSBs that are to be protected. Define them to AIMS or Axxxxxxx resource class when using ODBMSECURE= or ODBASE=, or IIMS or Ixxxxxxx when using ISIS=. RCLASS=IMS|xxxxxxx must be specified with an initialization EXEC parameter during IMS system definition.<<

SC19365900 - System Administration
IMS 13.1.0>IMS administration>System administration> IMS system administration considerations and tasks> IMS security> Security considerations for a DBCTL environment> Design considerations for DBCTL security>

>>Security for ODBM allocate PSB (APSB) requests

Any PSB specified on an APSB request from an ODBM thread can be secured using the z/OS System Authorization Facility (SAF) and/or the IMS RAS user exit. Enabling security for ODBM is accomplished with one of the following methods:

1. Specify ODBMSECURE= A, E, R.
   This applies to all ODBM connectors to the respective IMS, irrespective of the ODBM RRS= setting. ISIS= and ODBASE= are overridden for all ODBM connections to IMS that specifies ODBMSECURE=N|A|E|R.
   The resource class of AIMS or Axxxxxxx is used to authorize APSB resources.
2. Specify ISIS=A|C|R
   This applies to
   - ODBM RRS=Y connections with IMS ODBASE=N
   - ODBM RRS=N connections
   The resource class of IIMS or Ixxxxxxx is used to authorize APSB resources.
3. Specify ODBASE=Y
   This applies to ODBM RRS=Y only
   The resource class of AIMS or Axxxxxxx is used to authorize APSB resources.

After APSB SAF is security-enabled, IMS calls SAF to secure the PSB specified on an APSB call using the respective resource class, based on the user associated with the ODBM thread. Define to RACF (or the installation exit) the PSBs that are to be protected. Define them to AIMS or Axxxxxxx resource class when using ODBMSECURE= or ODBASE=, or IIMS or Ixxxxxxx when using ISIS=. RCLASS=IMS|xxxxxxx must be specified with an initialization EXEC parameter during IMS system definition.<<

SC19365900 - System Administration
IMS 13.1.0>IMS administration>System administration> IMS system administration considerations and tasks> IMS security> Security considerations for a DBCTL environment> Activating IMS DBCTL security

Table 1. Resource class assignments for DBCTL

Resource class   | RACF-defined name  | User-defined name
-----------------+--------------------+------------------
>>APSB resource  | AIMS               | Axxxxxxx
  class          |                    |                <<
-----------------+--------------------+------------------

>>The RACF resource classes are defined in RACF's resource class descriptor table (CDT). Initially, the AIMS, IIMS, and JIMS resource classes are predefined in the CDT. To add a resource class or to define resource classes with user-defined names, you must use the RACF resource class macro ICHERCDE to create an installation-defined CDT.<<

SC19365500 - Exit Routines
IMS 13.1.0>IMS reference information>Exit routines> IMS control region exit routines> IMS system exit routines> Resource Access Security user exit (RASE)

About this routine

>>This user exit is called during IMS dependent region initialization, or during CCTL, ODBA, or ODBM connection, to allow the user to instruct IMS to perform one of the functions described in the return codes section. For example, this user exit can terminate a connection with a user abend code 437.<<

>>This user exit is called to perform pre-authorization processing and can instruct IMS to skip PSB or transaction authorization processing for any thread instance as follows:

- IMS dependent regions, CCTL connections
  The pre-authorization process is performed only if the exit returns with return code 4 or 24 from initialization or connection processing, and ISIS=R or ISIS=A is specified.
- ODBA connections
  The pre-authorization process is performed only if the exit returns with return code 4 or 24 from connection processing, and one of the following is true
  1. ODBASE=Y is specified
  2. ODBASE=N and ISIS=R or ISIS=A is specified.
- ODBM connections
  The pre-authorization process is performed only if the exit returns with return code 4 or 24 from connection processing, and one of the following is true
  1. ODBMSECURE=R or ODBMSECURE=A is specified.
  2. ODBMSECURE=I or ODBMSECURE is not specified, and ODBM RRS=N, and ISIS=R or ISIS=A
  3. ODBMSECURE=I or ODBMSECURE is not specified, and ODBM RRS=Y, and ODBASE=Y
  4. ODBMSECURE=I or ODBMSECURE is not specified, and ODBM RRS=Y, and ODBASE=N and ISIS=R or ISIS=A

If ISIS=A, ISIS=C, ODBMSECURE=A, or ODBMSECURE=E is specified, the RASE user exit is required at IMS initialization. If the exit is not available during IMS initialization, IMS terminates with a user abend code 107 subcode x'03'. The RASE user exit is optional if ISIS=A, ISIS=C, ODBMSECURE=A, or ODBMSECURE=E are not specified.

Specify the requirement to call the SAF interface and user exit using the ISIS parameter at system initialization. Specify the requirement to call the SAF interface and user exit for ODBM threads using the ODBMSECURE parameter at system initialization.<<

Table 2. Function-specific parameter list mapped by DFSRASL

Field    | Offset | Length | Content
---------+--------+--------+---------------------------------------
RASLVER  | 0      | 4      | Version number for DFSRASL
         |        |        | >> x'04' ODBMSECURE support added:
         |        |        |    RASLFUNC=RASLODBI (x'0B')
         |        |        |    RASLFUNC=RASLODBP (x'0C')
         |        |        |    RASLENVR=RASLODBM (x'0A')
         |        |        |    RASLFLG1=RASLODSE (x'10')
         |        |        |    RASLFLG1=RASLODSR (x'08')<<
---------+--------+--------+---------------------------------------
RASLFUNC | 4      | 1      | Reason for entering the RASE user exit:
         |        |        | >> x'0B' ODBM connection initialization
         |        |        |    x'0C' ODBM thread APSB PSB authorization<<
---------+--------+--------+---------------------------------------
RASLENVR | 5      | 1      | Type of dependent region for which exit was called:
         |        |        | >> x'0A' ODBM thread<<
---------+--------+--------+---------------------------------------
RASLFLG1 | 6      | 1      | Flag byte:
         |        |        | >> x'10' ODBMSECURE=E
         |        |        |    x'08' ODBMSECURE=R
         |        |        |    Note: If bit X'10' and bit X'08' are both on, ODBMSECURE=A is specified for the IMS system.<<
---------+--------+--------+---------------------------------------

GC19424000 - Messages and Codes, Volume 1: DFS Messages
IMS 13.1.0>Troubleshooting for IMS> IMS messages and codes>DFS messages> DFS messages, DFS4501 - DFS4600I

DFS4585W

DFS4585W RASE SECURITY USER EXIT DELETED. NO RASE SECURITY USER EXIT CALL WITH >>pppppppppppppppppppppppppppp<<

Explanation

The Resource Access Security user exit (RASE) was deleted with the REFRESH USEREXIT command.

>>pppppppppppppppppppppppppppp
  The ISIS, ODBASE and ODBMSECURE parameter values.<<

An ISIS value of A or C specifies that resource security checking is to be done using RACF and the RASE user exit (ISIS=A) or the user exit only (ISIS=C). ODBASE=Y specifies that the RASE user exit is called if it exists. >>An ODBMSECURE value of A specifies that resource security checking is to be done using RACF and the RASE user exit, a value of E only the user exit.<<

GC19424000 - Messages and Codes, Volume 1: DFS Messages
IMS 13.1.0>Troubleshooting for IMS>IMS messages and codes> IMS abend codes>IMS abend codes 0151 - 0200> 166

Analysis

0166 is a standard abend issued by module DFSIRAC0. A return code in register 15 at the time of abend identifies the cause of RACF initialization failure. Register 6 contains the value returned by RACF in register 0. If the error occurred on the RACF RACLIST call, register 5 contains a value that indicates which class failed:

Codes  Explanation
>>8    PIMS<<
>>9    AIMS<<

GC19424300 Messages and Codes, Volume 4: IMS Component Codes
IMS 13.1.0>Troubleshooting for IMS>IMS messages and codes> IMS component codes>AIB return and reason codes set by IMS> AIB return and reason codes

0110/0050
  A CPI-C driven application>>, an ODBA thread, or an ODBM thread<< issued an Allocate PSB (APSB) call.

Modules:
CSLDBR00 CSLDBR10 DFSAERG0 - update security failure return code from x'0C' (TRANAUTH) to x'50' (PSBNRACF) to match that of the same failure in RRS=No.
CSLDCF00 - Indicate to DRA or ODBA caller is ODBM
DFSAERA0 - DFSPRRC0 Check ODBM caller indicator
DFSAERI0 - DFSPRA10 Add ODBM caller to SSOB call
DFSCSL10 - Add ODBMSECURE grammar parsing logic
DFSDASI0 - Support ODBM identify and ODBMSECURE processing
DFSDASP0 - Use ODBMSECURE parm when ODBM
DFSFMOD0 - Attach RCF tcbs for ODBMSECURE
DFSIRAC0 - ODBMSECURE initialization code
DFSXLIC0 - Load DFSSCHR0 and RAS user exit for ODBMSECURE
DFSSCHR0 - New routine to service ODBMSECURE checking
DFSUSX00 DFSUSX90 - Update DFS4585W to include ODBMSECURE
DFSWCGDF DFSWCGH2 DFSWDRDF DFSWDRH2 DFSWBPVP - Syntax checker updates for ODBMSECURE

Macros:
CSLDPRP - Add ODBM caller option flag
DFSCSLA - Add ODBMSECURE parm setting to CSLA block
DFSDFCSL - Define ODBMSECURE grammar
DFSIDT - Flags for ODBMSECURE
DFSPAC - ODBM flag
DFSPRP - ODBM caller option
DFSRASL - New version (4, RASLVER4), functions (RASLODBI,RASLODBP), environment (RASLODBM), and flags (RASLODSE,RASLODSR)
DFSSCHRW - ODBMSECURE functions and flags for call to RAS exit
DFSSSOB - New flags for Identify options
DFSUSRXD - Update DFS4585W to include ODBMSECURE
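
The parameter precedence from "Security for ODBM allocate PSB (APSB) requests" and the RASLFLG1 bits from Table 2, modelled as an added example for auditing a configuration (not IBM code and not part of the APAR). The function, class and field names and the "if-present" marker are assumptions of this sketch, and ISIS=R is taken to mean RACF only, by analogy with ODBMSECURE=R.

```python
from dataclasses import dataclass

# (RACF called, RAS exit called) per option letter, as described in the APAR text.
# "C" is the ISIS exit-only value, "E" the ODBMSECURE one; ISIS=R is assumed RACF only.
_MODES = {"N": (False, "no"), "R": (True, "no"),
          "E": (False, "yes"), "C": (False, "yes"), "A": (True, "yes")}

RASLODSE, RASLODSR = 0x10, 0x08   # RASLFLG1 bits from Table 2


@dataclass(frozen=True)
class ApsbSecurity:
    governed_by: str     # parameter that decides the ODBM APSB check
    rclass: str          # RACF-defined class tied to that parameter (used when racf is True)
    racf: bool           # RACF (SAF) is called for PSB authorization
    ras_exit: str        # "yes", "no", or "if-present" (the ODBASE=Y case)
    exit_required: bool  # RASE exit must be available at IMS initialization


def resolve_odbm_apsb(odbm_rrs, odbase, isis, odbmsecure="I"):
    """Return which setting governs APSB checks for an ODBM thread."""
    if odbmsecure not in set("INAER") or isis not in set("NRCA"):
        raise ValueError("unknown ODBMSECURE= or ISIS= value")
    if odbm_rrs not in ("Y", "N") or odbase not in ("Y", "N"):
        raise ValueError("RRS= and ODBASE= must be Y or N")
    # Exit requirement is system-wide: any of these values demands the exit.
    exit_required = isis in ("A", "C") or odbmsecure in ("A", "E")
    if odbmsecure != "I":                      # overrides ISIS= and ODBASE=
        racf, ras_exit = _MODES[odbmsecure]
        return ApsbSecurity("ODBMSECURE", "AIMS", racf, ras_exit, exit_required)
    if odbm_rrs == "Y" and odbase == "Y":      # ODBASE= only counts with RRS=Y
        return ApsbSecurity("ODBASE", "AIMS", True, "if-present", exit_required)
    racf, ras_exit = _MODES[isis]              # RRS=N, or RRS=Y with ODBASE=N
    return ApsbSecurity("ISIS", "IIMS", racf, ras_exit, exit_required)


def odbmsecure_from_raslflg1(flag):
    """Decode the ODBMSECURE setting a RAS exit sees in RASLFLG1 (None: neither bit on)."""
    e, r = bool(flag & RASLODSE), bool(flag & RASLODSR)
    return "A" if e and r else "E" if e else "R" if r else None


if __name__ == "__main__":
    # Constructed case: ODBASE=Y is set, but ODBM runs RRS=N and ISIS=N,
    # so ISIS= governs and APSB requests from ODBM are not checked.
    print(resolve_odbm_apsb(odbm_rrs="N", odbase="Y", isis="N"))
    # Same system with ODBMSECURE=R: RACF check against AIMS regardless of RRS=.
    print(resolve_odbm_apsb(odbm_rrs="N", odbase="Y", isis="N", odbmsecure="R"))
```

The first constructed case is the situation the problem summary describes: ODBASE=Y has no effect on an ODBM RRS=N connection, and only ODBMSECURE= makes the check independent of RRS=.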
APAR Information
APAR number
PI78668
Reported component name
IMS V13
Reported component ID
5635A0400
Reported release
300
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2017-03-23
Closed date
2018-03-29
Last modified date
2018-05-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PI82897 UI54876
Modules/Macros
CSLDBR00 CSLDBR10 CSLDCF00 DFSAERA0 DFSAERG0 DFSAERI0 DFSCSLA DFSCSL10 DFSDASI0 DFSDASP0 DFSFMOD0 DFSIDT DFSIRAC0 DFSPRA10 DFSPRP DFSPRRC0 DFSRASL DFSSCHRW DFSSCHR0 DFSSSOB DFSUSRXD DFSUSX00 DFSUSX90 DFSWBPVP DFSWCGDF DFSWCGH2 DFSWDRDF DFSWDRH2 DFSXLIC0
GC19366000 | SC19365900 | SC19365500 | GC19424000 |
Fix information
Fixed component name
IMS V13
Fixed component ID
5635A0400
Applicable component levels
R300 PSY UI54876
UP18/04/04 P F804
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
14 December 2020