DFSMSdfp: Define a security profile for VSAM exception exits

Description

VSAM users can specify an exit to receive control for physical I/O errors that might occur against a VSAM data set, through either of the following methods:
  • EXCEPTIONEXIT keyword of the IDCAMS define function
  • SYNAD= sub-parameter of the AMP= keyword of the DDNAME JCL statement.

As of APAR OA46090, the exit name that can be specified on these keywords is controlled through a FACILITY class profile. The FACILITY class profile is named IDA.VSAMEXIT.exitname where exitname identifies the exit to be invoked.

You must ensure that the exit name is protected through a FACILITY class profile, and that callers of the exit have at least READ authority.

Table 1 provides more details about this migration action. Use this information to plan your changes to the system.

Table 1. Information about this migration action
Element or feature: DFSMSdfp.
When change was introduced: z/OS V2R1 and z/OS V1R13, both with APAR OA46090 applied.
Applies to migration from: z/OS V2R1 and z/OS V1R13, both without APAR OA46090 applied.
Timing: Before the first IPL of z/OS V2R2.
Is the migration action required? Yes, if your installation has VSAM exception exits that are specified through the AMP or EXCEPTIONEXIT parameters.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: If you have programs that specify VSAM exception exits in this manner and you do not take the necessary migration action, the programs will encounter the following open errors:
  • Non-authorized exits specified in the EXCEPTIONEXIT parm: IEC161I 40(1)-53
  • Non-authorized exits specified in the SYNAD parm: IEC161I 40(2)-81
Related IBM® Health Checker for z/OS® check: None.

Steps to take

Follow these steps:
  • Define a FACILITY class profile with the resource name IDA.VSAMEXIT.exitname, where exitname is the EXCEPTIONEXIT or SYNAD parameter value.
  • Ensure that callers of the exit have at least READ authority to the FACILITY class resource name.

If you choose to use a generic RACF profile, use caution to ensure that you do not allow unintended modules to be used as VSAM exception exits.

Note: This action must be taken even if the exits do not actually exist, unless you choose to remove the EXCEPTIONEXIT or SYNAD parameter.
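The steps above can be worked through offline as an added example (not IBM-supplied code): the script below inventories exit names in a constructed JCL/IDCAMS sample and emits one discrete profile per exit, in line with the caution about generic profiles. The group PAYGRP, the exit names and the data set names are hypothetical. The script assumes the FACILITY class is RACLISTed (hence the refresh) and does not follow an AMP= value that is split across continuation lines.

```python
import re

NAME = r"([A-Z$#@][A-Z0-9$#@]{0,7})(?![A-Z0-9$#@])"   # 1-8 character module name
# SYNAD=name inside the AMP= keyword of a DD statement
AMP_SYNAD = re.compile(r"\bAMP=\(?[^)\s]*?\bSYNAD=" + NAME)
# EXCEPTIONEXIT(name), or its abbreviation EEXT(name), in IDCAMS input
IDCAMS_EXIT = re.compile(r"\b(?:EXCEPTIONEXIT|EEXT)\s*\(\s*" + NAME + r"\s*\)")

def find_exit_names(text):
    """Return the sorted, de-duplicated exit names referenced in the text."""
    names = set()
    for line in text.splitlines():
        if line.startswith("//*"):          # JCL comment statement, not active
            continue
        body = line[:72]                    # ignore sequence columns 73-80
        for rx in (AMP_SYNAD, IDCAMS_EXIT):
            names.update(m.group(1) for m in rx.finditer(body))
    return sorted(names)

def racf_commands(exit_names, group):
    """Build discrete IDA.VSAMEXIT.exitname profiles with READ for one group."""
    cmds = []
    for name in exit_names:
        profile = f"IDA.VSAMEXIT.{name}"
        cmds.append(f"RDEFINE FACILITY {profile} UACC(NONE)")
        cmds.append(f"PERMIT {profile} CLASS(FACILITY) ID({group}) ACCESS(READ)")
    if cmds:                                # assumption: FACILITY is RACLISTed
        cmds.append("SETROPTS RACLIST(FACILITY) REFRESH")
    return cmds

# Constructed sample input; PAYGRP below is a hypothetical RACF group.
SAMPLE = """\
//STEP1    EXEC PGM=PAYROLL
//MASTER   DD DSN=PROD.PAY.MASTER,DISP=SHR,
//            AMP=('BUFNI=4','SYNAD=IOERR01')
//* OLD:    AMP=('SYNAD=OLDEXIT')
//DEFINE   EXEC PGM=IDCAMS
//SYSIN    DD *
  DEFINE CLUSTER (NAME(PROD.PAY.HIST) -
         INDEXED EXCEPTIONEXIT(IOERR02))
  ALTER PROD.PAY.MASTER EEXT(IOERR01)
/*
"""

if __name__ == "__main__":
    for cmd in racf_commands(find_exit_names(SAMPLE), "PAYGRP"):
        print(cmd)
```

Review the generated list before running it: every name it finds becomes loadable as an exit by the permitted group, so a name you do not recognise is better handled by removing the parameter than by defining a profile.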

Reference information

For more information, see z/OS DFSMS Using Data Sets.