IBM Support

VM65930: RACF/VM SECURITY ENHANCEMENTS

A fix is available


APAR status

  • Closed as new function.

Error description

  • New function in RACF/VM to provide:
    - Read-Only auditor support
    - Control of the XAUTOLOG..ON operand
    - Listing of the current VMXEVENT profile
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of RACF/VM.                        *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION: APPLY PTF                                    *
    ****************************************************************
    This APAR implements new function in RACF/VM to provide:
    - Read-Only auditor support
    - Control of the XAUTOLOG..ON operand
    - Listing of the current VMXEVENT profile
    

Problem conclusion

Temporary fix

Comments

  • This APAR implements new function in RACF/VM to provide:
    - Read-Only auditor support which is a port of the ROAUDIT role
    from z/OS. This new role is similar to the existing AUDITOR
    capability, save that logs and policy may only be examined, not
    manipulated.
    - Control of the XAUTOLOG..ON operand which introduces new
    security controls for the ON operand. ON today behaves as a
    'LOGON..THERE' function, whereby a privileged user may initiate
    a connection between an existing rdev (terminal window) and a
    virtual machine. The security controls will disallow this by
    default unless appropriate PERMITs have been granted to the
    console's resource profile.
    WARNING: This PTF changes the default behavior for the XAUTOLOG
    ON operand when RACFVM is installed. The introduction of the
    XAUTOLOG..ON control will cause the XAUTOLOG command with the ON
    parameter to fail under all circumstances in installations where
    RACF/VM is enabled unless and until some RACF configuration is
    performed. Customers desiring XAUTOLOG..ON to continue to work
    as it currently does will need to enable generic command
    processing and create a generic VMCMD resource profile named
    'XAUTOLOG.ON.**' which has universal READ access. i.e.
     RDEFINE VMCMD XAUTOLOG.ON.** UACC(READ)
    See the Section "Protecting XAUTOLOG ON", in the z/VM V6.4 RACF
    Security Server Security Administrator's Guide for more
    information.
    - Listing of the current VMXEVENT profile which provides a
    mechanism to display which VMXEVENT Profile has been activated
    and is in use by RACF. This support updates the SETEVENT LIST
    function to provide this information to an authorized user.
    
    See the z/VM 6.4.0 RACF books (dated March 2017) for information
    on using these enhancements: http://www.vm.ibm.com/library/
    
    NOTE: PREREQ PTF UM35042 for APAR VM65982 is required.
    
    The RACF database templates have been updated as part of this
    APAR. Use the RACFCONV utility on the RACMAINT userid to
    update the templates for both the primary and the backup RACF
    database. If you are running a 1-4 member SSI system, follow these
    instructions:
    1. For 1-4 member SSI, verify the CP directory entry for the
       RACMAINT userid has:
         LINK RACFVM 200 200 MW
         LINK RACFVM 300 300 MW
    2. SERVICE RACF from MAINT640 on only one SSI member.
    3. FORCE RACFVM from Operator from each SSI member.
    4. LOGON RACMAINT on one SSI member and run the RACFCONV
       utility as follows:
         IPL 190
         RACFCONV
         enter
         200
         yes
         RACFCONV
         enter
         300
         yes
         IPL 490
         RACSTART
         #cp disc
    5. XAUTOLOG RACMAINT for the rest of the SSI members.
    6. PUT2PROD RACF from MAINT640 on each SSI member.
       Note: If PUT2PROD messages say to 'Recycle the appropriate
       servers' for both CP and RACF, then the recycle of z/VM is
       necessary for each SSI member. Otherwise only RACF needs to
       be recycled on each SSI member.
    7. FORCE RACMAINT from Operator on each SSI member.
    8. XAUTOLOG RACFVM from Operator on each SSI member.
    Now RACF has been updated with the service and recycled for each
    SSI member.
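    The XAUTOLOG..ON control described above, as an added configuration example that is not part of this APAR text: rather than the universal-READ profile the APAR shows (which restores the old permissive behaviour for every user), this defines the same VMCMD profile with no universal access and grants READ only to a named userid. OPERID is a placeholder for the userid that is allowed to issue XAUTOLOG with the ON operand; the sequence assumes standard RACF SETROPTS/RDEFINE/PERMIT/RLIST syntax, and the /* */ lines are explanatory comments, not command input.

```text
/* Added example, not from the APAR: least-privilege XAUTOLOG ON policy */
/* OPERID is a placeholder for the userid permitted to use XAUTOLOG ON  */
SETROPTS CLASSACT(VMCMD) GENERIC(VMCMD)
/* same generic profile name the APAR uses, but default-deny + full audit */
RDEFINE  VMCMD XAUTOLOG.ON.** UACC(NONE) AUDIT(ALL)
/* grant the one userid that legitimately issues XAUTOLOG ON */
PERMIT   XAUTOLOG.ON.** CLASS(VMCMD) ID(OPERID) ACCESS(READ)
/* make the new generic profile effective */
SETROPTS GENERIC(VMCMD) REFRESH
/* verify the access list before relying on it */
RLIST    VMCMD XAUTOLOG.ON.** AUTHUSER
```

    With AUDIT(ALL) every access decision on the profile is logged, so any XAUTOLOG ON attempt that the new control rejects appears in the RACF audit records rather than failing silently.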
    

APAR Information

  • APAR number

    VM65930

  • Reported component name

    RACF/VM SUPPORT

  • Reported component ID

    576700201

  • Reported release

    640

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2016-11-03

  • Closed date

    2017-03-17

  • Last modified date

    2017-03-22

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UV61335

Modules/Macros

  • EVNTUTIL HCPRPI   HCPRPW   ICHCAU00 ICHCCU00 ICHCCU01 ICHCLD00
    ICHCLG00 ICHCLR00 ICHCLU00 ICHCOP00 ICHCOP06 ICHCOP11 ICHCRL00
    ICHDSM00 ICHDSM05 ICHHR51  ICHH41A  ICHH42   ICHP41A  ICHP42
    ICHRIN00 ICHSEC00 ICHS41   ICHS42   IFASMFR9 IHAACEE  IRRADULD
    IRRADUTB IRRADUX1 IRRADU00 IRRADU20 IRRADU30 IRRCAU0P IRRCCU0P
    IRRDPR12 IRRREQTB IRRREQ02 IRRREQ03 IRRRIN17 IRRSCHEM IRRSEC13
    IRRTEMP2 IRRUT100 IRRXTR01 MSGTABLE RACDBULD RACDBUTB RPIBLCMD
    RPIBLOBJ RPIBLPNL RPICLS   RPIEVNT  RPIMAUTO RPIMERM  RPIMSGSC
    

Publications Referenced
SC246175XX SC246216XX SC246201XX SC246218XX SC246212XX
SC246219XX SC246213XX SC246231XX    

Fix information

  • Fixed component name

    RACF/VM SUPPORT

  • Fixed component ID

    576700201

Applicable component levels

  • R640 PSY UV61335

       UP17/03/22 I 1000

Document information

More support for: z/VM family

Software version: 640

Operating system(s): VM/ESA, z/VM

Reference #: VM65930

Modified date: 22 March 2017
