The fix is shipped as file IBM.HALG310.UI78267
The fix has rework (build) date 2021330 (26 Nov 2021)
The following fixes are prerequisites for this fix:
The following fixes are corequisites for this fix:
The following fixes are superseded by this fix:
AH00029 AH01232 AH02312 AH03308 AH04702 AH05319 AH06102 AH06343 AH08218 AH08368 AH10896 AH12707 AH15383 AH16216 AH16725 AH17108 AH17896 AH19470 AH20624 AH22770 AH22909 AH23519 AH23881 AH24047 AH24874 AH24875 AH25156 AH26118 AH26225 AH26554 AH26711 AH30613 AH31152 AH32040 AH32484 AH32999 AH34531 AH34966 AH34997 AH35746 AH36080 AH37900 AH37975 AH38067 AH39191 AH40095 AH40148 AH42388 AI87570 AI88531 AI89940 AI91151 AI93088 AI94098 AI96122 AI96684 AI98306 UI51053 UI51794 UI52607 UI53601 UI54540 UI55170 UI55777 UI56381 UI57214 UI57808 UI58187 UI59068 UI59623 UI60636 UI61722 UI62925 UI63528 UI64702 UI65057 UI66683 UI67384 UI68248 UI69399 UI69923 UI71234 UI71873 UI72788 UI74253 UI74965 UI75787 UI76533 UI77584Steps required to install the fix:
A sequential data set must be allocated on the z/OS system to receive the fix that you will upload from your workstation. You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
// SET HLQ=#hlq //* //ALLOC EXEC PGM=IEFBR14 //UI78267 DD DSN=&HLQ..IBM.HALG310.UI78267, // DISP=(NEW,CATLG,DELETE), // DSORG=PS, // RECFM=FB, // LRECL=80, // UNIT=SYSALLDA, //* VOL=SER=volser, //* BLKSIZE=6160, // SPACE=(TRK,(145,20)) //*
Upload the file in binary format from your workstation to the z/OS data set. On a Windows system, you can use FTP from a command prompt to upload the file. In the sample dialog shown below, commands or other information entered by the user are in bold, and the following values are assumed:
| User enters: | Values |
|---|---|
| mvsaddr | TC P/IP address of the z/OS system |
| tsouid | Your TSO user ID |
| tsopw | Your TSO password |
| d: | Your drive containing the fix files |
| hlq | High-level qualifier that you used for the data set that you allocated in the job above |
C:\>ftp mvsaddr Connected to mvsaddr. 220-FTPD1 IBM FTP CS %version% at mvsaddr, %time% on %date%. 220 Connection will close if idle for more than 60 minutes. User (mvsaddr:(none)): tsouid 331 Send password please. Password: tsopw 230 tsouid is logged on. Working directory is "tsouid.". ftp> cd .. 250 "" is the working directory name prefix. ftp> cd hlq 250 "hlq." is the working directory name prefix. ftp> binary 200 Representation type is Image ftp> put d:\IBM.HALG310.UI78267 200 Port request OK. 125 Storing data set hlq.IBM.HALG310.UI78267 250 Transfer completed successfully 8093680 bytes sent in 0.28 seconds ftp> quit 221 Quit command received. Goodbye.
++HOLD(UI78267) SYSTEM FMID(HALG310) REASON(ACTION) DATE(21330)
COMMENT(
****************************************************************
* Affected function: installation verification *
****************************************************************
* Description: update ivpinit initialization script *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/zexpl/bin/ivpinit *
* /etc/zexpl/ivpinitŲ *
****************************************************************
This maintenance updates the ivpinit script, which was copied
to /etc/zexpl during initial customization of the product.
Issue the following z/OS UNIX command to update the copied
version:
cp /usr/lpp/IBM/zexpl/bin/ivpinit /etc/zexpl/
).
++HOLD(UI77584) SYSTEM FMID(HALG310) REASON(ACTION) DATE(21287)
COMMENT(
****************************************************************
* Affected function: RSED *
****************************************************************
* Description: security permit required for batch startup *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: none *
****************************************************************
After applying this fix, RSED will require that the server
user ID has at least READ permit to FACILITY class profile
FEK.START.BATCH.jobname.port when started as a job. No security
permit is required when started as started task.
****************************************************************
* Affected function: JMON *
****************************************************************
* Description: security permit required for batch startup *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: none *
****************************************************************
After applying this fix, JMON will require that the server
user ID has at least READ permit to FACILITY class profile
FEJ.START.BATCH.jobname.port when started as a job. No security
permit is required when started as started task.
****************************************************************
* Affected function: JMON *
****************************************************************
* Description: new environment variable *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: SFEKSAMP(FEJJCNFG) *
* {FEK.#CUST.PARMLIB(FEJJCNFG)} *
****************************************************************
This fix updates the sample FEJJCNFG by adding the
following optional directives:
#SAF_CLASS
The security class holding JMON specific FEJ.** security
profiles. The default is FACILITY. Uncomment and change to
match your actual security class name.
Redo your customizations, if any, after applying this
maintenance.
).
++HOLD(UI74965) SYSTEM FMID(HALG310) REASON(ACTION) DATE(21106)
COMMENT(
****************************************************************
* Affected function: JMON *
****************************************************************
* Description: new environment variable *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: SFEKSAMP(FEJJCNFG) *
* {FEK.#CUST.PARMLIB(FEJJCNFG)} *
****************************************************************
This fix updates the sample FEJJCNFG by adding the
following optional directives:
#DISPLAY_ACTIVE=ON
Control whether a client can show system information, like
job name, owner, CPU usage, etc, of all active address spaces.
The default is ON. Uncomment and specify OFF to disallow
showing all active address spaces.
****************************************************************
* Affected function: JMON *
****************************************************************
* Description: new environment variable *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: SFEKSAMP(FEJJCNFG) *
* {FEK.#CUST.PARMLIB(FEJJCNFG)} *
****************************************************************
This fix updates the sample FEJJCNFG file.
Redo your customizations, if any, after applying this
maintenance.
****************************************************************
* Affected function: JMON *
****************************************************************
* Description: new operator commands *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: / *
****************************************************************
After this update, JMON users can issue new operator commands to
change a job's CLASS and MSGCLASS. Verify that users are able to
issue the following operator commands. This permit can be
conditional, so it's only granted when the console is JMON.
JES2
$T{J|S|T}(jobid),C=class
UPDATE permit to profile jesname.MODIFY.BAT, jesname.MODIFY.STC,
and jesname.MODIFY.TSU in the OPERCMDS class.
$TO{J|S|T}(jobid),Q=queue
UPDATE permit to profile jesname.MODIFY.BATOUT,
jesname.MODIFY.STCOUT, and jesname.MODIFY.TSUOUT in the OPERCMDS
class.
JES3
*F,J=jobid,C=class
UPDATE permit to profile jesname.MODIFY.JOB in the OPERCMDS
class.
*F,U,J=jobid,NCL=class
UPDATE permit to profile jesname.MODIFY.U in the OPERCMDS class.
).
++HOLD(UI72788) SYSTEM FMID(HALG310) REASON(ACTION) DATE(20331)
COMMENT(
****************************************************************
* Affected function: JMON *
****************************************************************
* Description: new environment variable *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: SFEKSAMP(FEJJCNFG) *
* {FEK.#CUST.PARMLIB(FEJJCNFG)} *
****************************************************************
This fix updates the sample FEJJCNFG by adding the
following optional directives:
#PASS_PHRASE=OFF
Support authentication using a pass phrase. The default is
OFF. Uncomment and specify ON to allow pass phrases up to 100
characters instead of a 8-character password or passticket for
authentication.
Note that this option only applies to clients who connect
directly to JMON. This does not include the z/OS Explorer
client, who connects to the RSED daemon, and in turn the
daemon connects to JMON, using passtickets for authentication.
****************************************************************
* Affected function: JMON *
****************************************************************
* Description: new environment variable *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: SFEKSAMP(FEJJCNFG) *
* {FEK.#CUST.PARMLIB(FEJJCNFG)} *
****************************************************************
This fix updates the sample FEJJCNFG file.
Redo your customizations, if any, after applying this
maintenance.
).
++HOLD(UI69399) SYSTEM FMID(HALG310) REASON(ACTION) DATE(20132)
COMMENT(
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/zexpl/samples/rse.env *
* /etc/zexpl/rse.envŲ *
****************************************************************
This fix updates the sample rse.env by removing the following
optional directive:
GSK_PROTOCOL_SSLV3
Sample command to enable or disable SSLv3 usage.
and adding the following optional directives:
GSK_PROTOCOL_TLSV1_3
Specifies whether the specified encryption protocol, TLSV1_3 in
this sample, is enabled. A protocol that is supported by but
not enabled in System SSL can be enabled here by specifying
GSK_PROTOCOL_<protocol>=ON. You can disable a protocol by
specifying OFF as value. For a list of supported protocols and
the matching variable names, see Cryptographic Services System
SSL Programming (SC24-5901).
Note
* Due to a vulnerability in the SSLv3 (Secure Socket Layer)
protocol, support for this protocol is deprecated in z/OS
Explorer.
* Enabling the TLSv1.3 (Transport Layer Security) protocol
requires z/OS 2.4 or higher. It also requires the usage of
4-character cipher IDs, specific ciphers, and server key
shares. These definitions are set automatically if you do not
set them yourself.
GSK_SERVER_TLS_KEY_SHARES
Specifies the encryption key share groups in order of
preference as a string consisting of one or more 4-character
values. Uncomment and specify the desired string if you want to
influence key share group selection when protocol TLSv1.3 or
higher is used. For a list of supported key share groups and
their 4-character ID, see Cryptographic Services System SSL
Programming (SC24-5901).
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/zexpl/samples/rse.env *
* /etc/zexpl/rse.envŲ *
****************************************************************
This fix updated sample file rse.env.
Redo your customizations, if any, after applying this
maintenance.
).
++HOLD(UI68248) SYSTEM FMID(HALG310) REASON(ACTION) DATE(20066)
COMMENT(
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/zexpl/samples/rse.env *
* /etc/zexpl/rse.envŲ *
****************************************************************
This enhancement updates the sample rse.env by adding the
following optional directives:
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DSHOW_SSH_TERMINAL=true"
This option enables the z/OS SSH terminal on the client.
The default is false.
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/zexpl/samples/rse.env *
* /etc/zexpl/rse.envŲ *
****************************************************************
This fix updated sample file rse.env.
Redo your customizations, if any, after applying this
maintenance.
).
++HOLD(UI66683) SYSTEM FMID(HALG310) REASON(ACTION) DATE(19331)
COMMENT(
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: SFEKSAMP(FEKRSED) *
* FEK.#CUST.PROCLIB(RSED)Ų *
****************************************************************
This fix updates environment variable processing by allowing you
to conditionally initialize variables PATH, LIBPATH, CLASSPATH,
and STEPLIB.
To avoid initialization, define environment variable RSE_NO_INIT
before or during RSED startup, for example by adding it to DD
STDENV of the RSED started task. The RSE_NO_INIT variable holds
a semicolon (:) separated list of variable names that should not
be initialized. For example:
//STDENV DD *
RSE_NO_INIT=PATH:STEPLIB
).
++HOLD(UI58187) SYSTEM FMID(HALG310) REASON(ACTION) DATE(18241)
COMMENT(
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: enable 4 char-id ciphers *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: not applicable *
****************************************************************
This fix updates RSE deamon to allow the use of 4 char-id
ciphers if SSL is enabled. The default is to use 2 char-id
ciphers.
Uncomment the following to use 2 char-id ciphers:
#GSK_V3_CIPHERS=GSK_V3_CIPHERS_CHAR2
#GSK_V3_CIPHER_SPECS=3538392F3233
Uncomment and set the following to use 4 char ciphers:
#GSK_V3_CIPHERS=GSK_V3_CIPHERS_CHAR4
#GSK_V3_CIPHER_SPECS_EXPANDED=003500380039002F00320033
Note: 4 character ciphers are only supported with JAVA 8
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/zexpl/samples/rse.env *
* /etc/zexpl/rse.envŲ *
****************************************************************
This fix updated sample file rse.env.
Redo your customizations, if any, after applying this
maintenance.
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/zexpl/samples/rse.env *
* /etc/zexpl/rse.envŲ *
****************************************************************
This fix updates the sample rse.env by adding the
following optional directives:
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dbackupfiles=false"
Create a temporary backup before updating a z/OS UNIX file.
The default is true. The temporary backup file is a copy of
the original file, placed in the same directory and prefixed
with the tilde character (~). Uncomment and specify false to
prevent the creation of the temporary backup file.
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/zexpl/samples/rse.env *
* /etc/zexpl/rse.envŲ *
****************************************************************
This fix updated sample file rse.env.
Redo your customizations, if any, after applying this
maintenance.
).
++HOLD(UI55170) SYSTEM FMID(HALG310) REASON(ACTION) DATE(18102)
COMMENT(
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/zexpl/samples/rse.env *
* /etc/zexpl/rse.envŲ *
****************************************************************
This fix updates the sample rse.env by adding the
following optional directives:
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Daudit.display.attributes=true"
Enable or disable the display of Dataset Attributes on the
Audit log. The default is true. Uncomment and specify false
to prevent dataset attributes to be displayed.
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/zexpl/samples/rse.env *
* /etc/zexpl/rse.envŲ *
****************************************************************
This fix updated sample file rse.env.
Redo your customizations, if any, after applying this
maintenance.
).
++HOLD(UI54540) SYSTEM FMID(HALG310) REASON(ACTION) DATE(18079)
COMMENT(
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/zexpl/samples/rse.env *
* /etc/zexpl/rse.envŲ *
****************************************************************
This fix updates the sample rse.env by adding the
following optional directives:
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaxthreadtasks.threshold=60"
Allow the user to specify how close to the MAXTHREADTASKS
limit before displaying a pop up to alert them. The default
is 60. Uncomment and adjust the number to specify a new
MAXTHREADTASKS threshold.
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/zexpl/samples/rse.env *
* /etc/zexpl/rse.envŲ *
****************************************************************
This fix updated sample file rse.env.
Redo your customizations, if any, after applying this
maintenance.
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/zexpl/samples/rse.env *
* /etc/zexpl/rse.envŲ *
****************************************************************
This fix updates the sample rse.env by adding the
following optional directives:
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dmaximum.ispf.sessions=0"
Limit the number of concurrent invocation of TSO/ISPF
commands in one user session. The default is 0 (no limit).
Uncomment and customize this directive to limit the number
of concurrent ISPF Gateway sessions per user.
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/zexpl/samples/rse.env *
* /etc/zexpl/rse.envŲ *
****************************************************************
This fix updated sample file rse.env.
Redo your customizations, if any, after applying this
maintenance.
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/zexpl/samples/rse.env *
* /etc/zexpl/rse.envŲ *
****************************************************************
This fix updates the sample rse.env by adding the
following optional directives:
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Duse.fastpath.getattributes=true"
Use ISPF file statistics when obtaining attribute information,
including line counts, for members of partitioned data sets.
The default is true. Uncomment and specify false to use a
slower implementation that reports byte counts instead of line
counts
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/zexpl/samples/rse.env *
* /etc/zexpl/rse.envŲ *
****************************************************************
This fix updated sample file rse.env.
Redo your customizations, if any, after applying this
maintenance.
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/zexpl/samples/rse.env *
* /etc/zexpl/rse.envŲ *
****************************************************************
This fix updates the sample rse.env by adding the
following optional directives:
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS
-Dallow.retry.on.failed.saf.check=false"
Allow the user to re-query the host security product multiple
times during a single login session if they are denied access
to an MVS file resource. The default is false. Uncomment and
specify true to allow re-querying the host security product.
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/zexpl/samples/rse.env *
* /etc/zexpl/rse.envŲ *
****************************************************************
This fix updated sample file rse.env.
Redo your customizations, if any, after applying this
maintenance.
).
++HOLD(UI53601) SYSTEM FMID(HALG310) REASON(ACTION) DATE(18033)
COMMENT(
****************************************************************
* Affected function: JMON *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: FEJJCNFG *
****************************************************************
This fix updates the sample FEJJCNFG JES Job Monitor
configuration file by adding the following optional directives:
#DISPLAY_SYSIN=OFF
Enables or disables the display of SYSIN data. The default is
OFF. Uncomment and change to ON to include SYSIN data.
****************************************************************
* Affected function: JMON *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: FEJJCNFG *
****************************************************************
This fix updated sample file FEJJCNFG.
Redo your customizations, if any, after applying this
maintenance.
).
++HOLD(UI51794) SYSTEM FMID(HALG310) REASON(ACTION) DATE(17313)
COMMENT(
****************************************************************
* Affected function: security setup *
****************************************************************
* Description: Multi Factor Authentication *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: n/a *
****************************************************************
This maintenance adds basic support for
Multi Factor Authentication (MFA).
This HOLD information documents basic requirements and expected
behavior.
- MFA must be configured to allow for passticket usage after
initial authentication.
- Passtickets will be used during the whole lifetime of a
user session, so the window in which passtickets are accepted
after intial authentication should be big enough to cover a
typical workday, and must be at least long enough to cover
the logon process.
- Once passticket usage fails, the client connection will be
severed and the user must re-logon (and thus re-authenticate).
This behavior is similar to users being disconnected due to
inactivity time-out.
- If MFA is set up to prompt for a second authentication, it
will show to the user as though the first authentication
failed, even if it was successful.
).
SMP/E ACCEPT the prerequisites to facilitate an easy backout of the fix, if required. Note that once accepted, you cannot backout the accepted prerequisites.
This step can be skipped if there are no prerequisites, or if there is a reason to not make a prerequisite permanent.
You can accept the prerequisites by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
//* //* Change #globalcsi to the data set name of your global CSI. //* Change #dzone to your CSI distribution zone name. //* //ACCEPT EXEC PGM=GIMSMP,REGION=0M //SMPCSI DD DISP=OLD,DSN=#globalcsi //SMPCNTL DD * SET BOUNDARY(#dzone) . ACCEPT SELECT( ) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR). //*
SMP/E RECEIVE and APPLY the fix.
You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
//*
//* Change #hlq to the high level qualifier used to upload the fix.
//* Change (2x) #globalcsi to the data set name of your global CSI.
//* Change #tzone to your CSI target zone name.
//*
// SET HLQ=#hlq
//*
//RECEIVE EXEC PGM=GIMSMP,REGION=0M
//SMPCSI DD DISP=OLD,DSN=#globalcsi
//SMPPTFIN DD DISP=SHR,DSN=&HLQ..IBM.HALG310.UI78267
//SMPCNTL DD *
SET BOUNDARY(GLOBAL) .
RECEIVE SELECT(
UI78267
) SYSMODS LIST .
//*
//APPLY EXEC PGM=GIMSMP,REGION=0M
//SMPCSI DD DISP=OLD,DSN=#globalcsi
//SMPCNTL DD *
SET BOUNDARY(#tzone) .
APPLY SELECT(
UI78267
) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR).
//*
Restart started tasks to activate changes.