IBM Support

PI78668: SECURITY OPTIONS FOR ODBM

A fix is available


APAR status

  • Closed as new function.

Error description

  • Provide more security options for ODBM:
    ISIS=N  ODBM read-only access DLI RRS=N
    

Local fix

  • No fix
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All IMS V13 users of ODBM                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: The IMS parameter that is used to       *
    *                      determine the level of security used    *
    *                      for ODBM APSB resource authorization    *
    *                      checking is dependent upon the value    *
    *                      that is specified for the ODBM RRS=     *
    *                      parameter.                              *
    ****************************************************************
    * RECOMMENDATION: INSTALL CORRECTIVE SERVICE FOR APAR/PTF      *
    ****************************************************************
    The IMS parameter that is to be used to determine the security
    level used for ODBM APSB resource authorization is dependent
    upon the value that is specified for the ODBM RRS= parameter.
    
    When ODBM RRS=Y is specified, the IMS parameter ODBASE= is used
    to determine the PSB security level for ODBM.  If ODBASE=Y, the
    AIMS resource class is used to authorize ODBM APSB PSB
    resources.
    
    When ODBM RRS=Y and IMS ODBASE=N is specified, OR When ODBM
    RRS=N is specified, the IMS parameter ISIS= is used to determine
    the PSB security level for ODBM using the IIMS resource class.
    *** IMS KEYWORDS ***
    MSGDFS4585W ABENDU0166 IMSODBM
    

Problem conclusion

Temporary fix

Comments

  • New parameter, ODBMSECURE, is added for the IMS control region.
    It can be specified in either the DFSCGxxx member, or the
    DFSDFxxx member section <SECTION=COMMON_SERVICE_LAYER>.
    
    If you specify ODBMSECURE in both the DFSCGxxx member and the
    CSL section of the DFSDFxxx member, the values specified in the
    DFSCGxxx member override the values specified in the DFSDFxxx
    member.
    
    Recommendation: APAR PI78668 can be applied in a rolling fashion
    to all IMS V13 systems. However, to enable ODBMSECURE, both the
    IMS subsystem and ODBM must have PI78668 applied.
    
    ODBMSECURE=
    Specifies whether IMS should, for an ODBM thread at the time of
    the allocate PSB (APSB) request, perform security checking on
    the PSB resource.
    Any value other than 'I' will override the parameters ISIS=
    and ODBASE= for APSB requests from an ODBM connector.
    The RACF resource class (RCLASS), AIMS/Axxxxxxx, is used for
    PSB resource checking.
    
    I
    Ignore - Specifies that the ODBMSECURE= parameter is to be
    ignored. This is the default.
    
    N
    None - Specifies that no security checking is to be performed
    for APSB requests from an ODBM thread.
    NOTE: This will override both the ISIS and ODBASE parms.
    
    A
    All - Specifies that both RACF and the IMS RAS user exit
    routine are to be called (options E and R) for PSB
    authorization. RACF is called first. The SAF return code, and
    the RACF return and reason codes, are passed to the IMS RAS
    user exit routine.
    
    E
    Exit - Specifies that the IMS RAS user exit routine is to be
    called for PSB authorization.
    
    R
    RACF - Specifies that RACF is to be called to perform PSB
    authorization using resource class AIMS/Axxxxxxx.
    
    
    
    The following publication updates describe in further detail
    the introduced changes:
    
    GC19366000 - System Definition
    Installing IMS>System definition>Members of the IMS
    PROCLIB data set>
    DFSCGxxx member of the IMS PROCLIB data set
    >--+-------------------+-->
       |             .-I-. |
       '-ODBMSECURE=-+-N-+-'
                     +-A-+
                     +-E-+
                     '-R-'
    
    Table 1. Applicability of DFSCGxxx parameters based on resource
    manager environment
     Parameter     RMENV=Y    RMENV=N
    +------------+----------+------------+
    >>ODBMSECURE | optional | optional<<
    
    Parameters
    >>ODBMSECURE=
    Specifies whether IMS should, for an ODBM thread at the time of
    the allocate PSB (APSB) request, perform security checking on
    the PSB resource.
    Any value other than 'I' will override the parameters ISIS=
    and ODBASE= for APSB requests from an ODBM connector.
    The RACF resource class (RCLASS), AIMS/Axxxxxxx, is used for
    PSB resource checking.
    
    I
    Ignore - Specifies that the ODBMSECURE= parameter is to be
    ignored. This is the default.
    
    N
    None - Specifies that no security checking is to be performed
    for APSB requests from an ODBM thread.
    NOTE: This will override both the ISIS and ODBASE parms.
    
    A
    All - Specifies that both RACF and the IMS RAS user exit
    routine are to be called (options E and R) for PSB
    authorization. RACF is called first. The SAF return code, and
    the RACF return and reason codes, are passed to the IMS RAS
    user exit routine.
    
    E
    Exit - Specifies that the IMS RAS user exit routine is to be
    called for PSB authorization.
    
    R
    RACF - Specifies that RACF is to be called to perform PSB
    authorization using resource class AIMS/Axxxxxxx.<<
    
    GC19366000 - System Definition
    IMS 13.1.0>Installing IMS>System definition>Members of the IMS
    PROCLIB data set>DFSDFxxx member of the IMS PROCLIB data set>
    COMMON_SERVICE_LAYER section of the DFSDFxxx member
    >>
    >--+-------------------+-->
       |             .-I-. |
       '-ODBMSECURE=-+-N-+-'
                     +-A-+
                     +-E-+
                     '-R-'
    <<
    
    Parameters
    >>ODBMSECURE=
    Specifies whether IMS should, for an ODBM thread at the time of
    the allocate PSB (APSB) request, perform security checking on
    the PSB resource. Any value other than 'I' will override the
    parameters ISIS= and/or ODBASE= for APSB requests from an ODBM
    connector. The RACF resource class (RCLASS), AIMS/Axxxxxxx, is
    used for PSB resource checking.
    
    I
    Ignore - Specifies that the ODBMSECURE= parameter is to be
    ignored. This is the default.
    
    N
    None - Specifies that no security checking is to be performed
    for APSB requests from an ODBM thread.
    NOTE: This will override both the ISIS and ODBASE parms.
    
    A
    All - Specifies that both RACF and the IMS RAS user exit
    routine are to be called (options E and R) for PSB
    authorization. RACF is called first. The SAF return code, and
    the RACF return and reason codes, are passed to the IMS RAS
    user exit routine.
    
    E
    Exit - Specifies that the IMS RAS user exit routine is to be
    called for PSB authorization.
    
    R
    RACF - Specifies that RACF is to be called to perform PSB
    authorization using resource class AIMS/Axxxxxxx.<<
    
    SC19365900 - System Administration
    IMS 13.1.0>IMS administration>System administration>
    IMS system administration considerations and tasks>
    IMS security>Designing security for IMS DB/DC and DCCTL>
    
    >>Security for ODBM allocate PSB (APSB) requests
    
    Any PSB specified on an APSB request from an ODBM thread can be
    secured using the z/OS System Authorization Facility (SAF)
    and/or the IMS RAS user exit.
    
    Enabling security for ODBM is accomplished with one of the
    following methods:
    1. Specify ODBMSECURE=A|E|R.
       This applies to all ODBM connectors to the respective IMS,
       irrespective of the ODBM RRS= setting. ISIS= and ODBASE= are
       overridden for all ODBM connections to an IMS that specifies
       ODBMSECURE=N|A|E|R. The resource class of AIMS or Axxxxxxx
       is used to authorize APSB resources.
    2. Specify ISIS=A|C|R.
       This applies to:
       - ODBM RRS=Y connections with IMS ODBASE=N
       - ODBM RRS=N connections
       The resource class of IIMS or Ixxxxxxx is used to authorize
       APSB resources.
    3. Specify ODBASE=Y.
       This applies to ODBM RRS=Y only.
       The resource class of AIMS or Axxxxxxx is used to authorize
       APSB resources.
    
    After APSB SAF security is enabled, IMS calls SAF to secure the
    PSB specified on an APSB call using the respective resource
    class, based on the user associated with the ODBM thread.
    Define to RACF (or the installation exit) the PSBs that are to
    be protected. Define them to AIMS or Axxxxxxx resource class
    when using ODBMSECURE= or ODBASE=, or IIMS or Ixxxxxxx when
    using ISIS=.
    
    RCLASS=IMS|xxxxxxx must be specified with an initialization
    EXEC parameter during IMS system definition.<<
    
    SC19365900 - System Administration
    IMS 13.1.0>IMS administration>System administration>
    IMS system administration considerations and tasks>
    IMS security>
    Security considerations for a DBCTL environment>
    Design considerations for DBCTL security>
    
    >>Security for ODBM allocate PSB (APSB) requests
    
    Any PSB specified on an APSB request from an ODBM thread can be
    secured using the z/OS System Authorization Facility (SAF)
    and/or the IMS RAS user exit.
    
    Enabling security for ODBM is accomplished with one of the
    following methods:
    1. Specify ODBMSECURE=A|E|R.
       This applies to all ODBM connectors to the respective IMS,
       irrespective of the ODBM RRS= setting. ISIS= and ODBASE= are
       overridden for all ODBM connections to an IMS that specifies
       ODBMSECURE=N|A|E|R. The resource class of AIMS or Axxxxxxx
       is used to authorize APSB resources.
    2. Specify ISIS=A|C|R.
       This applies to:
       - ODBM RRS=Y connections with IMS ODBASE=N
       - ODBM RRS=N connections
       The resource class of IIMS or Ixxxxxxx is used to authorize
       APSB resources.
    3. Specify ODBASE=Y.
       This applies to ODBM RRS=Y only.
       The resource class of AIMS or Axxxxxxx is used to authorize
       APSB resources.
    
    After APSB SAF security is enabled, IMS calls SAF to secure the
    PSB specified on an APSB call using the respective resource
    class, based on the user associated with the ODBM thread.
    Define to RACF (or the installation exit) the PSBs that are to
    be protected. Define them to AIMS or Axxxxxxx resource class
    when using ODBMSECURE= or ODBASE=, or IIMS or Ixxxxxxx when
    using ISIS=.
    
    RCLASS=IMS|xxxxxxx must be specified with an initialization
    EXEC parameter during IMS system definition.<<
    
    SC19365900 - System Administration
    IMS 13.1.0>IMS administration>System administration>
    IMS system administration considerations and tasks>
    IMS security>
    Security considerations for a DBCTL environment>
    Activating IMS DBCTL security
    
    Table 1. Resource class assignments for DBCTL
    
    Resource class   RACF-defined name    User-defined name
    ----------------+--------------------+-----------------
    >>APSB resource | AIMS               | Axxxxxxx
      class         |                    |                  <<
    ----------------+--------------------+-----------------
    
    >>The RACF resource classes are defined in RACF's resource
    class descriptor table (CDT). Initially, the AIMS, IIMS, and
    JIMS resource classes are predefined in the CDT. To add a
    resource class or to define resource classes with user-defined
    names, you must use the RACF resource class macro ICHERCDE to
    create an installation-defined CDT.<<
    
    SC19365500 - Exit Routines
    IMS 13.1.0>IMS reference information>Exit routines>
    IMS control region exit routines>
    IMS system exit routines>
    Resource Access Security user exit (RASE)
    
    About this routine
    >>This user exit is called during IMS dependent region
    initialization, or during CCTL, ODBA, or ODBM connection, to
    allow the user to instruct IMS to perform one of the functions
    described in the return codes section. For example, this user
    exit can terminate a connection with a user abend code 437.<<
    
    >>This user exit is called to perform pre-authorization
    processing and can instruct IMS to skip PSB or transaction
    authorization processing for any thread instance as follows:
    
    -IMS dependent regions, CCTL connections
    The pre-authorization process is performed only if the exit
    returns with return code 4 or 24 from initialization or
    connection processing, and ISIS=R or ISIS=A is specified.
    
    -ODBA connections
    The pre-authorization process is performed only if the exit
    returns with return code 4 or 24 from connection processing,
    and one of the following is true
    1. ODBASE=Y is specified
    2. ODBASE=N and ISIS=R or ISIS=A is specified.
    
    -ODBM connections
    The pre-authorization process is performed only if the exit
    returns with return code 4 or 24 from connection processing,
    and one of the following is true
    1. ODBMSECURE=R or ODBMSECURE=A is specified.
    2. ODBMSECURE=I or ODBMSECURE is not specified, and ODBM RRS=N,
    and ISIS=R or ISIS=A
    3. ODBMSECURE=I or ODBMSECURE is not specified, and ODBM RRS=Y,
    and ODBASE=Y
    4. ODBMSECURE=I or ODBMSECURE is not specified, and ODBM RRS=Y,
    and ODBASE=N and ISIS=R or ISIS=A
    
    If ISIS=A, ISIS=C, ODBMSECURE=A, or ODBMSECURE=E is specified,
    the RASE user exit is required at IMS initialization. If the
    exit is not available during IMS initialization, IMS terminates
    with a user abend code 107 subcode x'03'. The RASE user exit is
    optional if ISIS=A, ISIS=C, ODBMSECURE=A, or ODBMSECURE=E are
    not specified.
    
    Specify the requirement to call the SAF interface and user exit
    using the ISIS parameter at system initialization.
    Specify the requirement to call the SAF interface and user exit
    for ODBM threads using the ODBMSECURE parameter at system
    initialization.<<
    
    Table 2. Function-specific parameter list mapped by DFSRASL
    Field    Offset Length  Content
    --------+------+-------+---------------------------------------+
    RASLVER  0      4       Version number for DFSRASL
    >>                       x'04'
                             ODBMSECURE support added:
                               RASLFUNC=RASLODBI (x'0B')
                               RASLFUNC=RASLODBP (x'0C')
                               RASLENVR=RASLODBM (x'0A')
                               RASLFLG1=RASLODSE (x'10')
                               RASLFLG1=RASLODSR (x'08')<<
    --------+------+-------+---------------------------------------+
    RASLFUNC 4      1       Reason for entering the RASE user exit:
    >>                       x'0B'
                             ODBM connection initialization
                             x'0C'
                             ODBM thread APSB PSB authorization<<
    --------+------+-------+---------------------------------------+
    RASLENVR 5      1       Type of dependent region for which exit
                            was called:
    >>                       x'0A'
                             ODBM thread<<
    --------+------+-------+---------------------------------------+
    RASLFLG1 6      1       Flag byte:
    >>                       x'10'
                             ODBMSECURE=E
                             x'08'
                             ODBMSECURE=R
                             Note: If bit X'10' and bit X'08'
                             are both on, ODBMSECURE=A is
                             specified for the IMS system.<<
    --------+------+-------+---------------------------------------+
    
    GC19424000 - Messages and Codes, Volume 1: DFS Messages
    IMS 13.1.0>Troubleshooting for IMS>
    IMS messages and codes>DFS messages>
    DFS messages, DFS4501 - DFS4600I
    
    DFS4585W
    DFS4585W    RASE SECURITY USER EXIT DELETED. NO RASE SECURITY
                USER EXIT CALL WITH >>pppppppppppppppppppppppppppp<<
    
    Explanation
    The Resource Access Security user exit (RASE) was deleted with
    the REFRESH USEREXIT command.
    
    >>pppppppppppppppppppppppppppp
     The ISIS, ODBASE and ODBMSECURE parameter values.<<
    
    An ISIS value of A or C specifies that resource security
    checking is to be done using RACF and the RASE user exit
    (ISIS=A) or the user exit only (ISIS=C).
    
    ODBASE=Y specifies that the RASE user exit is called if it
    exists.
    
    >>An ODBMSECURE value of A specifies that resource security
    checking is to be done using RACF and the RASE user exit; a
    value of E specifies the user exit only.<<
    
    GC19424000 - Messages and Codes, Volume 1: DFS Messages
    IMS 13.1.0>Troubleshooting for IMS>IMS messages and codes>
    IMS abend codes>IMS abend codes 0151 - 0200>
    
    166
    Analysis
    0166 is a standard abend issued by module DFSIRAC0.
    
    A return code in register 15 at the time of abend identifies the
    cause of RACF initialization failure. Register 6 contains the
    value returned by RACF in register 0. If the error occurred on
    the RACF RACLIST call, register 5 contains a value that
    indicates which class failed:
    
    Codes Explanation
    >>8   PIMS<<
    >>9   AIMS<<
    
    GC19424300 - Messages and Codes, Volume 4: IMS Component Codes
    IMS 13.1.0>Troubleshooting for IMS>IMS messages and codes>
    IMS component codes>AIB return and reason codes set by IMS>
    
    AIB return and reason codes
    0110/0050
    A CPI-C driven application>>, an ODBA thread, or an ODBM
    thread<< issued an Allocate PSB (APSB) call.
    
    
    
    Modules:
    CSLDBR00 CSLDBR10 DFSAERG0 - update security failure return code
    from x'0C' (TRANAUTH) to x'50' (PSBNRACF) to match that of the
    same failure in RRS=No.
    CSLDCF00 - Indicate to DRA or ODBA that the caller is ODBM
    DFSAERA0 - DFSPRRC0 Check ODBM caller indicator
    DFSAERI0 - DFSPRA10 Add ODBM caller to SSOB call
    DFSCSL10 - Add ODBMSECURE grammar parsing logic
    DFSDASI0 - Support ODBM identify and ODBMSECURE processing
    DFSDASP0 - Use ODBMSECURE parm when ODBM
    DFSFMOD0 - Attach RCF TCBs for ODBMSECURE
    DFSIRAC0 - ODBMSECURE initialization code
    DFSXLIC0 - Load DFSSCHR0 and RAS user exit for ODBMSECURE
    DFSSCHR0 - New routine to service ODBMSECURE checking
    DFSUSX00 DFSUSX90 - Update DFS4585W to include ODBMSECURE
    DFSWCGDF DFSWCGH2 DFSWDRDF DFSWDRH2 DFSWBPVP - Syntax checker
    updates for ODBMSECURE
    
    Macros:
    CSLDPRP  - Add ODBM caller option flag
    DFSCSLA  - Add ODBMSECURE parm setting to CSLA block
    DFSDFCSL - Define ODBMSECURE grammar
    DFSIDT   - Flags for ODBMSECURE
    DFSPAC   - ODBM flag
    DFSPRP   - ODBM caller option
    DFSRASL  - New version (4, RASLVER4),
               functions (RASLODBI,RASLODBP),
               environment (RASLODBM), and flags (RASLODSE,RASLODSR)
    DFSSCHRW - ODBMSECURE functions and flags for call to RAS exit
    DFSSSOB  - New flags for Identify options
    DFSUSRXD - Update DFS4585W to include ODBMSECURE
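
The precedence rules described under Comments (ODBMSECURE= against ISIS=, ODBASE= and ODBM RRS=, and DFSCGxxx against DFSDFxxx) can be checked mechanically before a change is rolled out. The following is an added example, not IBM code: all function and class names are hypothetical, the inputs are plain dictionaries rather than parsed PROCLIB members, and the meanings of ISIS=R (RACF only) and ISIS=N (none) are assumed, since this page defines only ISIS=A and ISIS=C.

```python
from dataclasses import dataclass
from typing import Optional

# Checks per option letter. ODBMSECURE letters and ISIS=A/C are defined on
# the page; ISIS=R (RACF only) and ISIS=N (none) are assumed by analogy.
ODBMSECURE_CHECKS = {"N": "none", "A": "RACF+RASE", "E": "RASE", "R": "RACF"}
ISIS_CHECKS = {"N": "none", "A": "RACF+RASE", "C": "RASE", "R": "RACF"}


@dataclass(frozen=True)
class ApsbSecurity:
    decided_by: str        # parameter that determined the outcome
    checks: str            # which authorization steps run
    rclass: Optional[str]  # RACF resource class, None when RACF is not called


def effective_odbmsecure(dfscg: dict, dfsdf_csl: dict) -> str:
    """DFSCGxxx overrides the CSL section of DFSDFxxx; the default is I."""
    return (dfscg.get("ODBMSECURE") or dfsdf_csl.get("ODBMSECURE") or "I").upper()


def resolve(odbmsecure: str, rrs: str, odbase: str, isis: str) -> ApsbSecurity:
    """Return the check applied to an APSB request from an ODBM thread."""
    if odbmsecure != "I":  # any value other than I overrides ISIS= and ODBASE=
        checks = ODBMSECURE_CHECKS[odbmsecure]
        rclass = "AIMS/Axxxxxxx" if "RACF" in checks else None
        return ApsbSecurity(f"ODBMSECURE={odbmsecure}", checks, rclass)
    if rrs == "Y" and odbase == "Y":  # ODBASE= applies to ODBM RRS=Y only
        return ApsbSecurity("ODBASE=Y", "RACF (RASE if present)", "AIMS/Axxxxxxx")
    checks = ISIS_CHECKS[isis]  # RRS=N, or RRS=Y with ODBASE=N
    rclass = "IIMS/Ixxxxxxx" if "RACF" in checks else None
    return ApsbSecurity(f"ISIS={isis}", checks, rclass)


def rase_required_at_init(odbmsecure: str, isis: str) -> bool:
    """True when a missing RASE exit ends IMS init (abend 107 subcode x'03')."""
    return odbmsecure in ("A", "E") or isis in ("A", "C")


def audit(dfscg: dict, dfsdf_csl: dict, rrs: str, odbase: str, isis: str) -> list:
    """Report settings that leave ODBM APSB requests unchecked or surprising."""
    osec = effective_odbmsecure(dfscg, dfsdf_csl)
    result = resolve(osec, rrs, odbase, isis)
    legacy = resolve("I", rrs, odbase, isis)  # outcome if ODBMSECURE is ignored
    findings = []
    if dfscg.get("ODBMSECURE") and dfsdf_csl.get("ODBMSECURE"):
        findings.append("ODBMSECURE in both members: DFSCGxxx value wins")
    if result.checks == "none":
        findings.append(f"{result.decided_by}: no APSB check for ODBM threads")
        if legacy.checks != "none":
            findings.append(f"overrides {legacy.decided_by} ({legacy.checks})")
    elif result.rclass and legacy.rclass and result.rclass != legacy.rclass:
        findings.append(f"PSB profiles must exist in {result.rclass}, "
                        f"not only {legacy.rclass}")
    return findings


if __name__ == "__main__":
    # Constructed sample: DFSCGxxx says N while DFSDFxxx says A, with ISIS=A.
    for line in audit({"ODBMSECURE": "N"}, {"ODBMSECURE": "A"}, "N", "N", "A"):
        print(line)
```

The second finding type matters when moving from ISIS= to ODBMSECURE=R or A: PSB profiles defined only in IIMS/Ixxxxxxx are no longer the ones consulted.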
    

APAR Information

  • APAR number

    PI78668

  • Reported component name

    IMS V13

  • Reported component ID

    5635A0400

  • Reported release

    300

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2017-03-23

  • Closed date

    2018-03-29

  • Last modified date

    2018-05-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PI82897 UI54876

Modules/Macros

  • CSLDBR00 CSLDBR10 CSLDCF00 DFSAERA0 DFSAERG0
    DFSAERI0 DFSCSLA  DFSCSL10 DFSDASI0 DFSDASP0 DFSFMOD0 DFSIDT
    DFSIRAC0 DFSPRA10 DFSPRP   DFSPRRC0 DFSRASL  DFSSCHRW DFSSCHR0
    DFSSSOB  DFSUSRXD DFSUSX00 DFSUSX90 DFSWBPVP DFSWCGDF DFSWCGH2
    DFSWDRDF DFSWDRH2 DFSXLIC0
    

Publications Referenced
GC19366000 SC19365900 SC19365500 GC19424000

Fix information

  • Fixed component name

    IMS V13

  • Fixed component ID

    5635A0400

Applicable component levels

  • R300 PSY UI54876

       UP18/04/04 P F804

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
14 December 2020