VSM_ALLOWUSERKEYCSA

Description:
This check examines the setting of the ALLOWUSERKEYCSA(YES|NO) DIAGxx option and compares it to the IBM® recommended setting of ALLOWUSERKEYCSA(NO). A warning is issued if the setting is YES.
Reason for check:
Allowing programs to obtain user key CSA creates a security risk because CSA storage can then be modified by any unauthorized program. IBM recommends that ALLOWUSERKEYCSA(NO) be coded in the active DIAGxx parmlib member.
Note: Coding ALLOWUSERKEYCSA(NO) for this option will cause user key programs attempting to obtain CSA storage to ABEND with abend code B78, reason code xxxxxx5C. (The first three bytes of the reason code provide internal failure details.) The default setting for this option is ALLOWUSERKEYCSA(NO).
z/OS® releases the check applies to:
z/OS V1R4 and later.
Parameters accepted:
No.
User override of IBM values:
The following sample shows the defaults for the customizable values of this check. Use this sample to make permanent check customizations in an HZSPRMxx parmlib member used at IBM Health Checker for z/OS startup. For a one-time update to the check defaults, omit the first line (ADDREPLACE POLICY) and use the UPDATE statement on a MODIFY hzsproc command. Note that using non-POLICY UPDATEs in HZSPRMxx can lead to unexpected results and is therefore not recommended.
ADDREPLACE POLICY[(policyname)] [STATEMENT(name)]
UPDATE
CHECK(IBMVSM,VSM_ALLOWUSERKEYCSA),
ACTIVE,
INTERVAL(ONETIME),
SEVERITY(LOW),
DATE('20060201'),
Reference:
No
Messages:
This check issues the following exception messages:
  • IGVH110E
See the IGVH messages in z/OS MVS System Messages, Vol 9 (IGF-IWM).
SECLABEL recommended for multilevel security users:
SYSLOW - see z/OS Planning for Multilevel Security and the Common Criteria for information on using SECLABELs.
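
The same comparison the check makes can be run offline against DIAGxx member text copied out of parmlib. This is an added example, not IBM code: the function name and sample members are constructed, and it assumes statements occupy columns 1-71 and comments are delimited by /* and */. It treats a member that does not code the option as NO, the default stated above.

```python
import re

# Assumption: comments in the member are delimited by /* ... */.
COMMENT = re.compile(r"/\*.*?\*/", re.S)
OPTION = re.compile(r"\bALLOWUSERKEYCSA\s*\(\s*(\w*)\s*\)", re.I)


def audit_diag_member(text):
    """Return the ALLOWUSERKEYCSA settings coded in one DIAGxx member."""
    # Assumption: only columns 1-71 carry statements (drops sequence numbers).
    body = "\n".join(line[:71] for line in text.splitlines())
    # Blank out comments but keep newlines so reported line numbers stay true.
    body = COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), body)

    settings = []
    for match in OPTION.finditer(body):
        line_no = body.count("\n", 0, match.start()) + 1
        settings.append((line_no, match.group(1).upper()))

    values = {value for _, value in settings}
    if "YES" in values:
        status = "EXCEPTION"   # the condition the health check warns about
    elif values - {"NO"}:
        status = "REVIEW"      # value is neither YES nor NO
    else:
        status = "OK"          # coded NO, or not coded (default NO)
    return {"status": status, "settings": settings}


# Constructed sample members, not taken from any real system.
SAMPLE_WEAK = """\
/* DIAG00 - constructed sample */
VSM TRACK CSA(ON) SQA(ON)
/* VSM ALLOWUSERKEYCSA(NO) */
VSM ALLOWUSERKEYCSA(YES)
"""
SAMPLE_HARDENED = """\
/* DIAG01 - constructed sample */
VSM TRACK CSA(ON) SQA(ON)
VSM ALLOWUSERKEYCSA(NO)
"""
SAMPLE_DEFAULT = "VSM TRACK CSA(ON) SQA(ON)\n"

if __name__ == "__main__":
    for name in ("SAMPLE_WEAK", "SAMPLE_HARDENED", "SAMPLE_DEFAULT"):
        print(name, audit_diag_member(globals()[name]))
```

A commented-out ALLOWUSERKEYCSA(NO) followed by a live ALLOWUSERKEYCSA(YES), as in the first sample, is reported as an exception because comments are removed before matching.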