IBM Support

VM66167: ESM AUTHORIZATION AND AUDITING OF SMAPI REQUESTS

A fix is available

APAR status

  • Closed as new function.

Error description

  • This APAR adds optional External Security Manager (ESM)
    controlled decisions for authorization and auditing of SMAPI
    requests.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of the z/VM System Management          *
    *                 Application Programming Interface (SMAPI)    *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION: APPLY PTF                                    *
    ****************************************************************
    This APAR adds optional External Security Manager (ESM)
    controlled decisions for authorization and auditing of SMAPI
    requests.
    

Problem conclusion

Temporary fix

  • FOR RELEASE ES-CMS-710-BASE :
    PREREQ: VM66200
    CO-REQ: NONE
    IF-REQ: NONE
    

Comments

  • Clients have placed requirements on IBM to have all of z/VM's
    security decisions controlled by the External Security Manager
    (ESM), whenever one is present.  Clients have also asked IBM to
    simplify security auditing by reducing, ideally to one, the
    number of z/VM security logs that need to be persisted, saved,
    and examined for compliance and incident remediation purposes.
    
    o   When an ESM is present, use the ESM for all SMAPI
        authorization decisions, at the same granularity used with
        SMAPI's existing authorization mechanism: <requestor, API,
        target>.  When an ESM is present, the ESM logs the decision
        (or not) based on its active policy, without SMAPI's
        knowledge or intervention.
    o   When an ESM defers its authorization decision to SMAPI, do
        one of the following, based on a configuration option:
        -   Make SMAPI's authorization decision using the existing
            AUTHLIST process, and (new) call the ESM to log
            SMAPI's decision in the ESM-managed security log.  ESM
            audit logging might be enabled or disabled; SMAPI will
            not have any knowledge of the ESM's state.
        -   Fail the request.
    o   Properly associate the requested SMAPI function with the
        proper security principal(s): when the requesting virtual
        machine (example: MAINT) is managed as a shared ID (LOGONBY
        or ESM equivalent), ensure that both the requesting virtual
        machine's name and the LOGONBY/equivalent user's name are
        recorded in the security log.
        -   When the ESM makes the authorization decision, the ESM
            is responsible for all audit logging, including this.
        -   When the ESM defers the authorization decision to SMAPI,
            SMAPI is responsible for all audit logging, including
            this.
    o   Provide an implementation base that other z/VM components
        and functions, Services engagements, and any other CMS
        application can re-use in the future for similar purposes.
    o   Provide the ability to better separate system programmer
        (system configuration), security administrator
        (authorization configuration), and security auditor duties
        by allowing the system programmer to delegate all
        authorization decisions to the security administrator
        -   recording authorization decisions in the ESM audit log
            by default
    
    Usage Note:
    For the following APIs:
      - Asynchronous_Notification_Disable_DM
      - Asynchronous_Notification_Query_DM
      - Authorization_List_Query
      - Check_Authentication
      - Image_Status_Query
      - Name_List_Query
    The asterisk (*) is not supported in the target_identifier
    field, and will result in a 100/16 reason code/return code if
    the SMAPI authorization policy is set to either of the
    following:
      - Authorization_Policy_ESMAuthlist
      - Authorization_Policy_ESMOnly
    Also, Authorization_Query will fail with 100/16
    reason code/return code when no Requesting Userid is supplied,
    even though that field is documented as optional.
    
    For additional information, please see the z/VM 7.1 Systems
    Management Application Programming Guide. The guide is available
    at https://ibm.biz/smapi_71 .
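    The following is an added illustrative model of the decision flow
    described in these comments; it is not IBM's SMAPI code. The policy
    names, the API list and the 100/16 pair come from this APAR; the
    three-way ESM answer (permit/deny/defer), the AUTHLIST representation
    as a set of <requestor, API, target> tuples, the audit-record layout
    and the sample userids are assumptions made for the example.

```python
# Illustrative model of SMAPI authorization under an ESM (not IBM code).
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Policy(Enum):  # policy names as given in the APAR usage note
    ESM_AUTHLIST = "Authorization_Policy_ESMAuthlist"  # ESM defers -> AUTHLIST decides
    ESM_ONLY = "Authorization_Policy_ESMOnly"          # ESM defers -> request fails

class EsmDecision(Enum):  # assumed three-way answer from the ESM
    PERMIT = "permit"
    DENY = "deny"
    DEFER = "defer"  # ESM leaves the decision to SMAPI

# APIs that reject '*' as target_identifier under either ESM policy (list from the APAR)
NO_WILDCARD_APIS = {"Asynchronous_Notification_Disable_DM", "Asynchronous_Notification_Query_DM",
                    "Authorization_List_Query", "Check_Authentication",
                    "Image_Status_Query", "Name_List_Query"}
ERR_100_16 = "100/16"  # reason code/return code pair, written as the APAR writes it

@dataclass
class Request:
    requestor: str                 # requesting virtual machine, e.g. MAINT
    api: str
    target: str
    logonby: Optional[str] = None  # real user behind a shared ID (LOGONBY), if any

@dataclass
class Result:
    allowed: bool
    decided_by: str                # "ESM" or "SMAPI"
    code: Optional[str] = None

def authorize(req, policy, esm, authlist, esm_log):
    """esm: callable returning an EsmDecision; authlist: set of (requestor, api, target);
    esm_log: list standing in for the ESM-managed security log SMAPI writes to."""
    # Both modelled policies are ESM policies, so the '*' restriction always applies here
    if req.target == "*" and req.api in NO_WILDCARD_APIS:
        return Result(False, "SMAPI", ERR_100_16)
    decision = esm(req)
    if decision is not EsmDecision.DEFER:
        # ESM decided and audits (or not) per its own policy; SMAPI logs nothing
        return Result(decision is EsmDecision.PERMIT, "ESM")
    if policy is Policy.ESM_ONLY:
        return Result(False, "SMAPI")  # ESMOnly: a deferred request fails
    allowed = (req.requestor, req.api, req.target) in authlist  # existing AUTHLIST process
    # SMAPI decided, so SMAPI records it, naming both the VM and the LOGONBY user
    esm_log.append({"vm": req.requestor, "user": req.logonby or req.requestor,
                    "api": req.api, "target": req.target, "allowed": allowed})
    return Result(allowed, "SMAPI")
```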
    

APAR Information

  • APAR number

    VM66167

  • Reported component name

    VM CMS

  • Reported component ID

    568411201

  • Reported release

    710

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2018-05-25

  • Closed date

    2018-09-24

  • Last modified date

    2018-09-27

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UM35358

Modules/Macros

  • CMSXLOAD DMSAPISD DMSAPISL DMSAPISP DMSBL493 DMSRP    DMSSIPRM
    DMSWBRAC DMSWRAUD DMSWRAUT DMSWRESM DMSWRRAC DMSWSAUD DMSWSAUT
    DMSWSESM DMSWSRAC DMSWSSMI DMSWSSMP DMSWSWRK DMSWSXIA ELVMLOHC
    IBMCNF   STDSAVEP
    

Publications Referenced
SC24632700        

Fix information

  • Fixed component name

    VM CMS

  • Fixed component ID

    568411201

Applicable component levels

  • R710 PSY UM35358

       UP18/09/27 I 1000  

Document information

More support for: z/VM family

Software version: 710

Operating system(s): z/VM

Reference #: VM66167

Modified date: 27 September 2018