OA50367: NEW FUNCTION - CPACF PROTECTED KEY RETURN PROFILE SUPPORT

A fix is available

APAR status

  • Closed as new function.

Error description

  • NEW FUNCTION
    Enhancement to RACF to store a flag in the
    ICSF segment of a CSFKEYS profile indicating
    whether a key can be returned in a CPACF
    wrapped form.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Application developers wishing to directly   *
    *                 utilize CPACF wrapped keys                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: Enhancement to RACF to store a flag in  *
    *                      the ICSF segment of a CSFKEYS profile   *
    *                      indicating whether a key can be         *
    *                      returned in a CPACF wrapped form        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    New support in RACF storing a flag in the ICSF segment of a
    CSFKEYS profile indicating whether a key can be returned in a
    CPACF wrapped form.
    
    The ISPF panels and TSO helps are not updated for the new
    command operands.
    
    Note that when commands are propagated in an RRSF network,
    command behavior on the target system depends on the release and
    service level in effect on the target system.
    
    In addition, this APAR fixes a typographical error in the
    RACDBUTB sample introduced by OA48359.  Some missing comment
    delimiters result in message DSNT408I (MSGDSNT408I) if the
    unmodified sample is used.  For example:
    
    DSNT408I SQLCODE = -103, ERROR:  020A IS AN INVALID NUMERIC CONSTANT
    

Problem conclusion

Temporary fix

Comments

  • This APAR adds function utilized by ICSF to enforce restrictions
    on a new use of keys stored in ICSF.
    
    Security Server RACF Callable Services
    ----------------------------------------------------------------
    Appendix A. R_admin reference information,
    Section "General resource administration",
    Table 163. ICSF segment fields
    The following rows are added:
           Flag  RDEFINE/RALTER         Allowed  Allowed  Returned
    Field  byte  keyword                on add   on alter on extract
    name   value reference              requests requests requests
    ------ ----- ---------------------- -------- -------- ----------
    SCPRET  'Y'  ICSF(SYMCPACFRET(YES))   Yes      Yes      Yes
    (bool)  'N'  ICSF(SYMCPACFRET(NO))    Yes      Yes      Yes
    
    Security Server RACF Command Language Reference
    ----------------------------------------------------------------
    Chapter 5. RACF command syntax,
    Section "RALTER (Alter general resource profile)"
     subsystem-prefix {RALTER | RALT}
    ...
        SYMCPACFWRAP ( YES | NO )
        SYMCPACFRET  ( YES | NO )
    ...
      SYMCPACFRET
        Specifies whether the encrypted symmetric keys that are
        controlled by this profile and are rewrapped by CP Assist
        for Cryptographic Function (CPACF) are eligible to be
        returned to an authorized caller.
    
        If you specify the ICSF operand to create a new ICSF segment
        and omit the SYMCPACFRET option, NO is the default setting.
        YES
          Specifies that the encrypted symmetric keys that are
          controlled by this profile and are rewrapped by CP Assist
          for Cryptographic Function (CPACF) are eligible to be
          returned to an authorized caller.
        NO
          Specifies that the encrypted symmetric keys that are
          controlled by this profile and are rewrapped by CP Assist
          for Cryptographic Function (CPACF) are ineligible to be
          returned to an authorized caller.
    
    Chapter 5. RACF command syntax,
    Section "RDEFINE (Define general resource profile)"
     subsystem-prefix {RDEFINE | RDEF}
    ...
        SYMCPACFWRAP ( YES | NO )
        SYMCPACFRET  ( YES | NO )
    ...
      SYMCPACFRET
        Specifies whether the encrypted symmetric keys that are
        controlled by this profile and are rewrapped by CP Assist
        for Cryptographic Function (CPACF) are eligible to be
        returned to an authorized caller.
    
        If you specify the ICSF operand to create a new ICSF segment
        and omit the SYMCPACFRET option, NO is the default setting.
        YES
          Specifies that the encrypted symmetric keys that are
          controlled by this profile and are rewrapped by CP Assist
          for Cryptographic Function (CPACF) are eligible to be
          returned to an authorized caller.
        NO
          Specifies that the encrypted symmetric keys that are
          controlled by this profile and are rewrapped by CP Assist
          for Cryptographic Function (CPACF) are ineligible to be
          returned to an authorized caller.
    
    Security Server RACROUTE Macros Reference
    ----------------------------------------------------------------
    Chapter 3. System macros,
    Section "RACROUTE REQUEST=EXTRACT (standard form)"
    Subsection BRANCH=YES|BRANCH=NO, the list of fields that can
    be extracted from a general-resource profile is updated to add
    CSFSCPR (alphabetically between CSFAUSE and CSFSCPW).
    
    Appendix B. RACF database templates,
    Section General template for the RACF database,
    Subsection The following is the ICSF segment of the GENERAL
    template.
    Add CSFSCPR after CSFSCPW
    Template
    field name   Field  Flag  Flag  Field length  Default        Field being
    (char data)  ID     1     2     (decimal)     value    Type  described
    -----------  -----  ----  ----  ------------  -------  ----  ----------------
    CSFSCPR      009    00    00    00000001      00       Bin   Symmetric key
                                                                 CPACF return
                                                                 Value    Meaning
                                                                 X'80'    YES
                                                                 X'00'    NO
    
    Security Server RACF Security Administrator's Guide
    ----------------------------------------------------------------
    Chapter 7. Protecting General Resources,
    Section "Field-level access checking",
    Table 18. "Fields in RACF segments that correspond to RACF
    command operands. Specify field-name as the third qualifier of
    the profile name for field-level access checking."
    SYMCPACFRET is added:
    --------------------------------------------------------
    To control the use of this    Specify this value as the
    operand: 1                    field-name qualifier:
    --------------------------------------------------------
    ...
    --------------------------------------------------------
    ICSF segment in CSFKEYS, GCSFKEYS, XCSFKEY, and GXCSFKEY
    class profiles:
    --------------------------------------------------------
    ASYMUSAGE                     CSFAUSE
    SYMEXPORTABLE                 CSFSEXP
    SYMEXPORTCERTS                CSFSCLBS and CSFSCLCT 2
    SYMEXPORTKEYS                 CSFSKLBS and CSFSKLCT 2
    SYMCPACFWRAP                  CSFSCPW
    SYMCPACFRET                   CSFSCPR
    
    Security Server RACF Macros and Interfaces
    ----------------------------------------------------------------
    Chapter 9. RACF database unload utility (IRRDBU00) records,
    Section "General Resource ICSF record (05G0)"
    Add GRCSF_CPACF_RET after GRCSF_CPACF_WRAP:
                            Position
    Field Name      Type   Start End   Comments
    --------------- ------ ----- ----- ---------------------------
    GRCSF_CPACF_RET Yes/No 535   537   Specifies whether the
                                       encrypted symmetric keys that
                                       are rewrapped by CP Assist
                                       for Cryptographic Function
                                       (CPACF) are eligible to be
                                       returned to an authorized
                                       caller.
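    As an added example (not IBM's code and not part of the APAR), the
    following Python audit reads the new IRRDBU00 field described above: it
    selects 05G0 records from an unload, reports the SYMCPACFRET setting per
    profile, and treats records that end before column 535 (an unload taken
    before this fix) as not carrying the flag. Columns 535-537 come from the
    APAR; the record-type, profile-name and class-name positions are assumed,
    and the sample records are constructed.

```python
# Added example (not IBM code): report which CSFKEYS profiles in an IRRDBU00
# unload allow CPACF-rewrapped keys to be returned (GRCSF_CPACF_RET, 535-537).
from dataclasses import dataclass
from typing import Iterable, List, Optional

# 1-based inclusive columns. 535-537 comes from this APAR; record type (1-4),
# profile name (6-251) and class name (253-260) are assumed from the 05G0 layout.
REC_TYPE, NAME, CLASS, CPACF_RET = (1, 4), (6, 251), (253, 260), (535, 537)

def field(record: str, pos) -> Optional[str]:
    # Blank-stripped field, or None when the record is too short to hold it
    # (an unload taken before this fix was applied ends before column 535).
    start, end = pos
    return record[start - 1:end].strip() if len(record) >= end else None

@dataclass
class IcsfSegment:
    profile: str
    klass: str
    cpacf_ret: Optional[str]  # "YES", "NO", or None if absent from the record

def parse_05g0(lines: Iterable[str]) -> List[IcsfSegment]:
    segs = []
    for line in lines:
        if field(line, REC_TYPE) != "05G0":
            continue  # user, group and other segment records are skipped
        segs.append(IcsfSegment(field(line, NAME) or "", field(line, CLASS) or "",
                                field(line, CPACF_RET)))
    return segs

def returnable_profiles(segs: List[IcsfSegment]) -> List[str]:
    # Profiles whose keys ICSF may hand back to a caller in CPACF-wrapped form.
    return sorted(s.profile for s in segs if s.cpacf_ret == "YES")

def make_record(profile: str, klass: str, cpacf_ret: Optional[str]) -> str:
    # Constructed 05G0 record holding only the fields read above; None for
    # cpacf_ret yields a pre-APAR record that ends before column 535.
    rec = [" "] * (CPACF_RET[1] if cpacf_ret else CPACF_RET[0] - 2)
    for (start, _), value in ((REC_TYPE, "05G0"), (NAME, profile),
                              (CLASS, klass), (CPACF_RET, cpacf_ret or "")):
        rec[start - 1:start - 1 + len(value)] = list(value)
    return "".join(rec)

SAMPLE_UNLOAD = [  # constructed records, not a real unload
    make_record("PAYROLL.AES.MASTER", "CSFKEYS", "YES"),
    make_record("HR.DES.ARCHIVE", "CSFKEYS", "NO"),
    make_record("LEGACY.KEY", "CSFKEYS", None),
    "0200SOMEUSER" + " " * 50,  # a user record: not 05G0, ignored
]
```

    Running `returnable_profiles(parse_05g0(SAMPLE_UNLOAD))` lists only
    PAYROLL.AES.MASTER; the pre-APAR record reports no flag rather than a
    silent NO.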
    

APAR Information

  • APAR number

    OA50367

  • Reported component name

    RACF

  • Reported component ID

    5752XXH00

  • Reported release

    7A0

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2016-04-20

  • Closed date

    2016-08-31

  • Last modified date

    2016-10-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA82675 UA82676

Modules/Macros

  • ICHCDX41 ICHGLS00 ICHRLS00 IRRDBU03 IRRDPSDS
    IRRFRX00 IRRREQTB IRRTEMP2 RACDBULD RACDBUTB
    

Publications Referenced
SA23229300 SA23229301 SA23229200 SA23229201 SA23229400
SA23229401 SA23228900 SA23228901 SA23228800 SA23228801

Fix information

  • Fixed component name

    RACF

  • Fixed component ID

    5752XXH00

Applicable component levels

  • R7A0 PSY UA82675

       UP16/09/14 P F609

  • R790 PSY UA82676

       UP16/09/14 P F609

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
04 October 2016