Identify unauthorized callers of the IWMSRDRS and IWMSRSRG services
Description
With z/OS® V2R2, the minimum authorization requirements for the callers of Workload Management services IWMSRDRS (Deregister a server for sysplex routing) and IWMSRSRG (Register a server for sysplex routing) are changed. The requirements are now as follows:
- Problem state with any PSW key if the server address space to be registered or deregistered is the home address space. If resource BPX.WLMSERVER is defined in the FACILITY class, an unauthorized caller requires access authority to this resource or the IWM.SERVER.REGISTER resource in the FACILITY class.
- If the server to be registered or deregistered is not the home address space, one of the following:
  - Supervisor state
  - Program key mask (PKM) allowing at least one of the keys 0-7
  - The caller has at least READ authority to the resource IWM.SERVER.REGISTER in the FACILITY class. If this resource is not defined, READ authority to the FACILITY class resource BPX.WLMSERVER is required.
Table 1 provides more details about this migration action. Use this information to plan your changes to the system.
Element or feature: | BCP |
---|---|
When change was introduced: | z/OS V2R2, z/OS V2R1, and z/OS V1R13, all with APAR OA46405. |
Applies to migration from: | z/OS V2R1 and z/OS V1R13, both without APAR OA46405. |
Timing: | Before the first IPL of z/OS V2R2. |
Is the migration action required? | Yes, if you have unauthorized applications that invoke one of these services and resource BPX.WLMSERVER in the FACILITY class is not defined. |
Target system hardware requirements: | None. |
Target system software requirements: | None. |
Other system (coexistence or fallback) requirements: | None. |
Restrictions: | None. |
System impacts: | None. |
Related IBM® Health Checker for z/OS check: | None. |
Steps to take
If RACF resource BPX.WLMSERVER is defined in the FACILITY class, unauthorized callers of WLM services IWMSRDRS and IWMSRSRG already have access authority and no further steps are necessary.
If the resource is not defined, it is recommended that you identify unauthorized callers that use the IWMSRDRS and IWMSRSRG services to register or deregister an address space other than the caller's home address space. To do so, you can temporarily define the IWM.SERVER.REGISTER resource profile with the WARNING parameter. After the first IPL of z/OS V2R2, RACF issues the following warning message for callers of the macro with insufficient authorization:
ICH408I USER(user) IWM.SERVER.REGISTER CL(FACILITY)
WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
For unauthorized callers, take one of the following steps:
- Change the program so that it no longer calls the IWMSRDRS or IWMSRSRG macro, or stop running the program.
- Change the caller's authorization to supervisor state or PKM allowing at least one of the keys 0-7.
- Give the user ID associated with the program access authority to the resource profile IWM.SERVER.REGISTER or an appropriate generic profile when generic profile checking is active.
After all necessary steps have been taken, modify the resource profile and specify NOWARNING. Or, delete the resource profile if there are no unauthorized callers of the IWMSRDRS or IWMSRSRG macro.
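The following Python script is an added example, not IBM-supplied code. It scans a system log extract for the warning-mode ICH408I messages described above and counts them per user ID, so that you know which user IDs to review before you specify NOWARNING. The sample log lines, the user IDs in them, and the five-line continuation window are constructed assumptions; adjust them to the layout of your own log extract.

```python
import re
from collections import Counter

RESOURCE = "IWM.SERVER.REGISTER CL(FACILITY)"
WARN_TEXT = "WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED"
USER_RE = re.compile(r"ICH408I\s+USER\(\s*([^)\s]+)\s*\)")
MAX_CONTINUATION = 5  # assumption: lines of one message stay this close together

# Constructed sample: multi-line and single-line message layouts, plus an
# unrelated ICH408I for another resource that must not be counted.
SAMPLE_LOG = """\
ICH408I USER(WLMAPP1 ) GROUP(APPGRP  ) NAME(CONSTRUCTED USER    )
  IWM.SERVER.REGISTER CL(FACILITY)
  WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(BATCH07) IWM.SERVER.REGISTER CL(FACILITY)
WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
ICH408I USER(OTHERID ) GROUP(SYS1    ) NAME(CONSTRUCTED USER    )
  BPX.SUPERUSER CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
ICH408I USER(WLMAPP1 ) GROUP(APPGRP  ) NAME(CONSTRUCTED USER    )
  IWM.SERVER.REGISTER CL(FACILITY)
  WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
"""


def warning_mode_callers(log_text):
    """Count warning-mode ICH408I messages for RESOURCE, keyed by user ID."""
    hits = Counter()
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        match = USER_RE.search(line)
        if not match:
            continue
        # One message = its first line plus the continuation lines that
        # follow, ending early when the next ICH408I starts.
        block = [line]
        for nxt in lines[i + 1 : i + 1 + MAX_CONTINUATION]:
            if "ICH408I" in nxt:
                break
            block.append(nxt)
        text = re.sub(r"\s+", " ", " ".join(block))
        if RESOURCE in text and WARN_TEXT in text:
            hits[match.group(1)] += 1
    return hits


if __name__ == "__main__":
    for user, count in warning_mode_callers(SAMPLE_LOG).most_common():
        print(f"{user:<8} {count} warning-mode access(es)")
```

Each user ID that the script reports needs one of the steps listed above before the profile is switched to NOWARNING.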
Reference information
For more information, see z/OS MVS Programming: Workload Management Services.