A fix is available
APAR status
Closed as new function.
Error description
This APAR adds optional External Security Manager (ESM) controlled decisions for authorization and auditing of SMAPI requests.
Local fix
Problem summary
USERS AFFECTED: Users of the z/VM System Management Application Programming Interface (SMAPI)
PROBLEM DESCRIPTION: This APAR adds optional External Security Manager (ESM) controlled decisions for authorization and auditing of SMAPI requests.
RECOMMENDATION: APPLY PTF
Problem conclusion
Temporary fix
FOR RELEASE ES-CMS-710-BASE:
  PREREQ: VM66200
  CO-REQ: NONE
  IF-REQ: NONE
Comments
Clients have placed requirements on IBM to have all of z/VM's security decisions controlled by the External Security Manager (ESM), whenever one is present. Clients have also asked IBM to simplify security auditing by reducing, ideally to one, the number of z/VM security logs that need to be persisted, saved, and examined for compliance and incident remediation purposes.

o When an ESM is present, use the ESM for all SMAPI authorization decisions, at the same granularity used with SMAPI's existing authorization mechanism: <requestor, API, target>. When an ESM is present, the ESM logs the decision (or not) based on its active policy, without SMAPI's knowledge or intervention.
o When an ESM defers its authorization decision to SMAPI, do one of the following, based on a configuration option:
  - Make SMAPI's authorization decision using the existing AUTHLIST process, and (new) call the ESM to log SMAPI's decision in the ESM-managed security log. ESM audit logging might be enabled or disabled; SMAPI will not have any knowledge of the ESM's state.
  - Fail the request.
o Properly associate the requested SMAPI function with the proper security principal(s): when the requesting virtual machine (example: MAINT) is managed as a shared ID (LOGONBY or ESM equivalent), ensure that both the requesting virtual machine's name and the LOGONBY/equivalent user's name are recorded in the security log.
  - When the ESM makes the authorization decision, the ESM is responsible for all audit logging, including this.
  - When the ESM defers the authorization decision to SMAPI, SMAPI is responsible for all audit logging, including this.
o Provide an implementation base that other z/VM components and functions, Services engagements, and any other CMS application can re-use in the future for similar purposes.
o Provide the ability to better separate system programmer (system configuration), security administrator (authorization configuration), and security auditor duties by allowing the system programmer to delegate all authorization decisions to the security administrator, recording authorization decisions in the ESM audit log by default.

Usage Note: For the following APIs:
  - Asynchronous_Notification_Disable_DM
  - Asynchronous_Notification_Query_DM
  - Authorization_List_Query
  - Check_Authentication
  - Image_Status_Query
  - Name_List_Query
the asterisk (*) is not supported in the target_identifier field, and will result in a 100/16 reason code/return code if the SMAPI authorization policy is set to either of the following:
  - Authorization_Policy_ESMAuthlist
  - Authorization_Policy_ESMOnly
Also, Authorization_Query will fail with a 100/16 reason code/return code when no Requesting Userid is entered, even though the guide documents that parameter as optional. For additional information, please see the z/VM 7.1 Systems Management Application Programming Guide. The guide is available at https://ibm.biz/smapi_71 .
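The decision flow described in the comments and usage note above, modelled as an added Python example. This is not SMAPI or z/VM code: the ESM (FakeEsm), its rule table, the AUTHLIST matcher, the Request/Result types and the function names are all constructed here to show the sequence of checks. The two policy names and the 100/16 pair for the '*' target case come from the APAR text; the APAR does not say which code is returned when the ESM defers under Authorization_Policy_ESMOnly, so that path only fails the request without naming one.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Policy(Enum):
    # Option names taken from the APAR usage note.
    ESM_AUTHLIST = "Authorization_Policy_ESMAuthlist"
    ESM_ONLY = "Authorization_Policy_ESMOnly"


class EsmVerdict(Enum):
    PERMIT = "permit"
    DENY = "deny"
    DEFER = "defer"   # ESM has no rule covering this <requestor, API, target>


# APIs for which, per the APAR usage note, '*' in target_identifier is
# rejected under either ESM policy.
NO_WILDCARD_TARGET = frozenset({
    "Asynchronous_Notification_Disable_DM",
    "Asynchronous_Notification_Query_DM",
    "Authorization_List_Query",
    "Check_Authentication",
    "Image_Status_Query",
    "Name_List_Query",
})


@dataclass(frozen=True)
class Request:
    requesting_vm: str             # virtual machine issuing the call, e.g. MAINT
    logonby_user: Optional[str]    # person logged on to that shared ID, if any
    api: str
    target: str                    # target_identifier


@dataclass(frozen=True)
class Result:
    allowed: bool
    decided_by: str                # "ESM" or "SMAPI"
    codes: Optional[tuple] = None  # (100, 16) only where the APAR names that pair


def principal(req: Request) -> str:
    """Both names go into the audit record when the requester is a shared ID."""
    if req.logonby_user:
        return f"{req.requesting_vm} LOGONBY {req.logonby_user}"
    return req.requesting_vm


class FakeEsm:
    """Stand-in ESM (constructed for this example): a rule table plus an audit
    log the administrator may have switched off. SMAPI never inspects
    audit_enabled; it asks the ESM to log and moves on."""

    def __init__(self, rules, audit_enabled=True):
        self.rules = rules             # (requesting_vm, api, target) -> EsmVerdict
        self.audit_enabled = audit_enabled
        self.log = []                  # (decider, principal, api, target, outcome)

    def check(self, req: Request) -> EsmVerdict:
        verdict = self.rules.get((req.requesting_vm, req.api, req.target), EsmVerdict.DEFER)
        if verdict is not EsmVerdict.DEFER:
            # ESM decided, so ESM owns the audit record, LOGONBY name included.
            self._record("ESM", principal(req), req.api, req.target, verdict.value)
        return verdict

    def log_smapi_decision(self, req: Request, outcome: str) -> None:
        # New with this APAR: SMAPI's own AUTHLIST decision lands in the ESM log.
        self._record("SMAPI", principal(req), req.api, req.target, outcome)

    def _record(self, decider, who, api, target, outcome):
        if self.audit_enabled:
            self.log.append((decider, who, api, target, outcome))


def authlist_permits(authlist, req: Request) -> bool:
    """Simplified AUTHLIST match: entries are (userid, function, target) and
    'ALL' matches anything, as in the default 'MAINT ALL ALL' entry."""
    for userid, function, target in authlist:
        if (userid in ("ALL", req.requesting_vm)
                and function in ("ALL", req.api)
                and target in ("ALL", req.target)):
            return True
    return False


def authorize(req: Request, policy: Policy, esm: FakeEsm, authlist) -> Result:
    """Decision flow as described in the APAR comments and usage note."""
    # Usage note: '*' target is rejected for these APIs under either ESM policy.
    if (req.target == "*" and req.api in NO_WILDCARD_TARGET
            and policy in (Policy.ESM_AUTHLIST, Policy.ESM_ONLY)):
        return Result(allowed=False, decided_by="SMAPI", codes=(100, 16))

    verdict = esm.check(req)
    if verdict is EsmVerdict.PERMIT:
        return Result(allowed=True, decided_by="ESM")
    if verdict is EsmVerdict.DENY:
        return Result(allowed=False, decided_by="ESM")

    # ESM deferred: the configured policy decides what happens next.
    if policy is Policy.ESM_ONLY:
        return Result(allowed=False, decided_by="SMAPI")   # "Fail the request"

    allowed = authlist_permits(authlist, req)
    esm.log_smapi_decision(req, "permit" if allowed else "deny")
    return Result(allowed=allowed, decided_by="SMAPI")
```

Two points worth noticing when reading the flow: the '*' check runs before the ESM is consulted, so a wildcard target for one of the listed APIs never reaches the ESM rule table; and under Authorization_Policy_ESMAuthlist the SMAPI decision is always handed to the ESM for logging, whether or not the ESM actually records it, which is exactly the "SMAPI will not have any knowledge of the ESM's state" behaviour the comments describe.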
APAR Information
APAR number
VM66167
Reported component name
VM CMS
Reported component ID
568411201
Reported release
710
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2018-05-25
Closed date
2018-09-24
Last modified date
2018-09-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UM35358
Modules/Macros
CMSXLOAD DMSAPISD DMSAPISL DMSAPISP DMSBL493 DMSRP DMSSIPRM DMSWBRAC DMSWRAUD DMSWRAUT DMSWRESM DMSWRRAC DMSWSAUD DMSWSAUT DMSWSESM DMSWSRAC DMSWSSMI DMSWSSMP DMSWSWRK DMSWSXIA ELVMLOHC IBMCNF STDSAVEP
SC24632700
Fix information
Fixed component name
VM CMS
Fixed component ID
568411201
Applicable component levels
R710 PSY UM35358
UP18/09/27 I 1000
Document Information
Modified date:
27 September 2018