The fix is shipped as file IBM.HALG330.UI94017
The fix has rework (build) date 2023289 (16 Oct 2023)
The following fixes are prerequisites for this fix:
The following fixes are corequisites for this fix:
The following fixes are superseded by this fix:
AH50484 AH51845 AH55097 AH55322 AH56681 AH56739 AH57454 UI83044 UI90920 UI92190

Steps required to install the fix:
A sequential data set must be allocated on the z/OS system to receive the fix that you will upload from your workstation. You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
```
//         SET HLQ=#hlq
//*
//ALLOC    EXEC PGM=IEFBR14
//UI94017  DD DSN=&HLQ..IBM.HALG330.UI94017,
//            DISP=(NEW,CATLG,DELETE),
//            DSORG=PS,
//            RECFM=FB,
//            LRECL=80,
//            UNIT=SYSALLDA,
//*           VOL=SER=volser,
//*           BLKSIZE=6160,
//            SPACE=(TRK,(144,20))
//*
```
Upload the file in binary format from your workstation to the z/OS data set. On a Windows system, you can use FTP from a command prompt to upload the file. In the sample dialog shown below, commands or other information entered by the user are in bold, and the following values are assumed:
User enters: | Values |
---|---|
mvsaddr | TCP/IP address of the z/OS system |
tsouid | Your TSO user ID |
tsopw | Your TSO password |
d: | Your drive containing the fix files |
hlq | High-level qualifier that you used for the data set that you allocated in the job above |
```
C:\>ftp mvsaddr
Connected to mvsaddr.
220-FTPD1 IBM FTP CS %version% at mvsaddr, %time% on %date%.
220 Connection will close if idle for more than 60 minutes.
User (mvsaddr:(none)): tsouid
331 Send password please.
Password: tsopw
230 tsouid is logged on. Working directory is "tsouid.".
ftp> cd ..
250 "" is the working directory name prefix.
ftp> cd hlq
250 "hlq." is the working directory name prefix.
ftp> binary
200 Representation type is Image
ftp> put d:\IBM.HALG330.UI94017
200 Port request OK.
125 Storing data set hlq.IBM.HALG330.UI94017
250 Transfer completed successfully
8001840 bytes sent in 0.28 seconds
ftp> quit
221 Quit command received. Goodbye.
```
```
++HOLD(UI94017) SYSTEM FMID(HALG330)
REASON(ACTION) DATE(23289) COMMENT(
****************************************************************
* Affected function: security & cryptographic setup            *
****************************************************************
* Description: add support for SAF JWT (JSON Web Token)        *
****************************************************************
* Timing: post-APPLY                                           *
****************************************************************
* Part: FEK.SFEKSAMP(FEKRACF)                                  *
*       FEK.SFEKSAMP(FEKPKCS1)                                 *
****************************************************************
This fix introduces support for SAF JWT (JSON Web Token)
provisioning, which requires security and cryptographic updates.

Sample security setup job FEKRACF is updated with:

** step RACFINIT **
# activate ICSF usage permission for cryptographic admin
# SETROPTS GENERIC(CRYPTOZ)
# SETROPTS CLASSACT(CRYPTOZ) RACLIST(CRYPTOZ)
# activate private key definitions for usage by RSE
# SETROPTS GENERIC(IDTDATA)
# SETROPTS CLASSACT(IDTDATA) RACLIST(IDTDATA)

** step JWT **
# allow crypto admin to define a PKCS#11 token and private key
RLIST CRYPTOZ SO.JWTTOK.FEKAPPL ALL
RDEFINE CRYPTOZ SO.JWTTOK.FEKAPPL UACC(NONE) -
  DATA('CREATE PCKS#11 TOKEN')
PERMIT SO.JWTTOK.FEKAPPL CLASS(CRYPTOZ) ACCESS(CONTROL) -
  ID(#crypto)
RLIST CRYPTOZ CLEARKEY.JWTTOK.FEKAPPL ALL
RDEFINE CRYPTOZ CLEARKEY.JWTTOK.FEKAPPL UACC(NONE) -
  DATA('CREATE PCKS#11 KEY')
PERMIT CLEARKEY.JWTTOK.FEKAPPL CLASS(CRYPTOZ) ACCESS(READ) -
  ID(#crypto)
SETROPTS RACLIST(CRYPTOZ) REFRESH
# define PKCS#11 token holding the secret key
RACDCERT LISTTOKEN(JWTTOK.FEKAPPL)
RACDCERT ADDTOKEN (JWTTOK.FEKAPPL)
# create secret key with job FEKPKCS1 after ADDTOKEN completed
# define JSON Web Token used by RSE
RLIST IDTDATA JWT.FEKAPPL.*.SAF ALL IDTPARMS
RDEFINE IDTDATA JWT.FEKAPPL.*.SAF -
  IDTPARMS(SIGTOKEN(JWTTOK.FEKAPPL) -
  SIGALG(HS512) ANYAPPL(NO) IDTTIMEOUT(30)) UACC(NONE) -
  DATA('IBM EXPLORER FOR z/OS')
SETROPTS RACLIST(IDTDATA) REFRESH
# show results
RLIST CRYPTOZ SO.JWTTOK.FEKAPPL ALL
RLIST CRYPTOZ CLEARKEY.JWTTOK.FEKAPPL ALL
RACDCERT LISTTOKEN(JWTTOK.FEKAPPL)
RLIST IDTDATA JWT.FEKAPPL.*.SAF ALL IDTPARMS

A new sample job, FEKPKCS1, is provided to define the secret key
used for JWT generation. FEKPKCS1 must be executed after the
security updates listed above have completed, and must be executed
by a cryptographic administrator due to the required ICSF permits.
).
```
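A drift check for the step JWT definitions in the HOLD data, added here as an example; it is not part of IBM's fix or sample jobs. It assumes the RACF commands are available as plain text with `-` continuations and `#` comment lines as shown above; the function names, `BASELINE`, and the drifted input are constructed for illustration.

```python
import re

# Step JWT RDEFINE commands as listed in the HOLD data above.
PAGE_CMDS = """\
RDEFINE CRYPTOZ SO.JWTTOK.FEKAPPL UACC(NONE) -
  DATA('CREATE PCKS#11 TOKEN')
RDEFINE IDTDATA JWT.FEKAPPL.*.SAF -
  IDTPARMS(SIGTOKEN(JWTTOK.FEKAPPL) -
  SIGALG(HS512) ANYAPPL(NO) IDTTIMEOUT(30)) UACC(NONE) -
  DATA('IBM EXPLORER FOR z/OS')
"""
# Constructed for this example: a site-edited copy that drifted from the sample.
DRIFTED_CMDS = """\
# define JSON Web Token used by RSE
RDEFINE IDTDATA JWT.FEKAPPL.*.SAF -
  IDTPARMS(SIGTOKEN(JWTTOK.FEKAPPL) -
  SIGALG(HS256) ANYAPPL(YES) IDTTIMEOUT(1440)) UACC(READ)
"""
BASELINE = {"SIGALG": "HS512", "ANYAPPL": "NO"}  # values shipped in FEKRACF

def join_continuations(text):
    """Drop '#' comment lines, then merge lines ending in '-' into one command."""
    lines = [s for s in map(str.strip, text.splitlines()) if s and not s.startswith("#")]
    joined = re.sub(r"\s*-\n", " ", "\n".join(lines))
    return joined.splitlines()

def keyword(command, name):
    """Return the operand of NAME(operand), or None when the keyword is absent."""
    match = re.search(r"\b" + name + r"\(([^()]*)\)", command)
    return match.group(1) if match else None

def audit(text, max_timeout=30):
    """Return (profile, finding) pairs for RDEFINEs that differ from the sample."""
    findings = []
    for cmd in join_continuations(text):
        words = cmd.split()
        if len(words) < 3 or words[0] != "RDEFINE":
            continue
        cls, profile = words[1], words[2]
        if keyword(cmd, "UACC") != "NONE":
            findings.append((profile, "UACC is not explicitly NONE"))
        if cls == "IDTDATA":
            for name, want in BASELINE.items():
                if keyword(cmd, name) != want:
                    findings.append((profile, f"{name} is not {want}"))
            timeout = keyword(cmd, "IDTTIMEOUT") or ""
            if not timeout.isdigit() or int(timeout) > max_timeout:
                findings.append((profile, f"IDTTIMEOUT missing or above {max_timeout}"))
    return findings
```

`audit(PAGE_CMDS)` returns no findings, while `audit(DRIFTED_CMDS)` reports the four operands that differ from the shipped sample.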
SMP/E ACCEPT the prerequisites to facilitate an easy backout of the fix, if required. Note that once accepted, you cannot back out the accepted prerequisites.
This step can be skipped if there are no prerequisites, or if there is a reason to not make a prerequisite permanent.
You can accept the prerequisites by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
```
//*
//* Change #globalcsi to the data set name of your global CSI.
//* Change #dzone to your CSI distribution zone name.
//*
//ACCEPT   EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=OLD,DSN=#globalcsi
//SMPCNTL  DD *
   SET BOUNDARY(#dzone) .
   ACCEPT SELECT(
   ) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR).
//*
```
SMP/E RECEIVE and APPLY the fix.
You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
```
//*
//* Change #hlq to the high level qualifier used to upload the fix.
//* Change (2x) #globalcsi to the data set name of your global CSI.
//* Change #tzone to your CSI target zone name.
//*
//         SET HLQ=#hlq
//*
//RECEIVE  EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=OLD,DSN=#globalcsi
//SMPPTFIN DD DISP=SHR,DSN=&HLQ..IBM.HALG330.UI94017
//SMPCNTL  DD *
   SET BOUNDARY(GLOBAL) .
   RECEIVE SELECT(
     UI94017
   ) SYSMODS LIST .
//*
//APPLY    EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=OLD,DSN=#globalcsi
//SMPCNTL  DD *
   SET BOUNDARY(#tzone) .
   APPLY SELECT(
     UI94017
   ) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR).
//*
```
Restart started tasks to activate changes.