Installation instructions for fix UI99118 for Explorer for z/OS v3.3, service level 3.3.6 (FMID HALG330)

The fix is shipped as file IBM.HALG330.UI99118

The fix has rework (build) date 2024324 (19 Nov 2024)

The following fixes are prerequisites for this fix:

The following fixes are corequisites for this fix:

The following fixes are superseded by this fix:

AH50484 AH51845 AH55097 AH55322 AH56681 AH56739 AH57454 AH58699 AH59049 AH59430 AH59985 AH60635 AH60792 AH60824 AH62266 AH62617 AH62896 UI83044 UI90920 UI92190 UI94017 UI94851 UI95148 UI95993 UI97198

Overview of the installation steps

Steps required to install the fix:

  1. Allocate host data sets for the fix.
  2. Upload the fix from your workstation to z/OS.
  3. SMP/E hold information for the fix.
  4. Perform SMP/E ACCEPT for the prerequisites.
  5. Perform SMP/E RECEIVE and APPLY for the fix.
  6. Restart started tasks to activate changes.

Allocate host data sets for the fix

A sequential data set must be allocated on the z/OS system to receive the fix that you will upload from your workstation. You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.

//         SET HLQ=#hlq
//*
//ALLOC    EXEC PGM=IEFBR14
//UI99118    DD DSN=&HLQ..IBM.HALG330.UI99118,
//            DISP=(NEW,CATLG,DELETE),
//            DSORG=PS,
//            RECFM=FB,
//            LRECL=80,
//            UNIT=SYSALLDA,
//*            VOL=SER=volser,
//*            BLKSIZE=6160,
//            SPACE=(TRK,(169,30))
//*

Upload the fix from your workstation to z/OS

Upload the file in binary format from your workstation to the z/OS data set. On a Windows system, you can use FTP from a command prompt to upload the file. In the sample dialog shown below, the commands and other information entered by the user follow the prompts, and the following values are assumed:

User enters   Values
mvsaddr       TCP/IP address of the z/OS system
tsouid        Your TSO user ID
tsopw         Your TSO password
d:            Your drive containing the fix files
hlq           High-level qualifier that you used for the data set that you allocated in the job above

C:\>ftp mvsaddr
Connected to mvsaddr.
220-FTPD1 IBM FTP CS %version% at mvsaddr, %time% on %date%.
220 Connection will close if idle for more than 60 minutes.
 
User (mvsaddr:(none)): tsouid
331 Send password please.
 
Password: tsopw
230 tsouid is logged on.  Working directory is "tsouid.".
 
ftp> cd ..
250 "" is the working directory name prefix.
 
ftp> cd hlq
250 "hlq." is the working directory name prefix.
 
ftp> binary
200 Representation type is Image
 
ftp> put d:\IBM.HALG330.UI99118
200 Port request OK.
125 Storing data set hlq.IBM.HALG330.UI99118
250 Transfer completed successfully
8555805 bytes sent in 0.28 seconds
 
ftp> quit
221 Quit command received. Goodbye.

SMP/E hold information for the fix

++HOLD(UI97198) SYSTEM FMID(HALG330) REASON(ACTION) DATE(24158)                 
  COMMENT(                                                                      
  ****************************************************************              
  * Affected function: RSE                                       *              
  ****************************************************************              
  * Description: new environment variables                       *              
  ****************************************************************              
  * Timing: post-APPLY                                           *              
  ****************************************************************              
  * Part: /usr/lpp/IBM/zexpl/samples/rse.env                     *              
  *       {/etc/zexpl/rse.env}                                   *              
  ****************************************************************              
  This fix updates the sample rse.env by REMOVING the                           
  following optional directives:                                                
                                                                                
  #LANG=C                                                                       
  This directive controls the locale used in the shell that                     
  starts RSE daemon. It is not used by the server itself. Changing              
  the locale can cause shell script errors, so the option is                    
  removed as it serves no real purpose.                                         
                                                                                
  Redo your customizations, if any, after applying this                         
  maintenance.                                                                  
                                                                                
  ****************************************************************              
  * Affected function: security setup                            *              
  ****************************************************************              
  * Description: add permit for z/OS UNIX kill command           *              
  *              add permit for running server in batch          *              
  ****************************************************************              
  * Timing: post-APPLY                                           *              
  ****************************************************************              
  * Part: FEK.SFEKSAMP(FEKRACF)                                  *              
  ****************************************************************              
  This fix introduces the following permit for the started task:                
                                                                                
  #  define permit to remove RSE-managed but user-owned processes               
    RDEFINE UNIXPRIV SUPERUSER.PROCESS.KILL UACC(NONE) -                        
     DATA('OVERRIDE KILL PROCESS RESTRICTIONS')                                 
    PERMIT SUPERUSER.PROCESS.KILL CLASS(UNIXPRIV) ACCESS(READ) -                
     ID(STCRSE)                                                                 
    SETROPTS RACLIST(UNIXPRIV) REFRESH                                          
    RLIST   UNIXPRIV SUPERUSER.PROCESS.KILL ALL                                 
                                                                                
  #  allow JES Job Monitor to start as job instead of STC                       
    RDEFINE FACILITY FEJ.START.BATCH.*.** UACC(NONE) -                          
     DATA('start JMON in batch')                                                
  #  uncomment permit to allow batch startup                                    
  # PERMIT FEJ.START.BATCH.*.** CLASS(FACILITY) ACCESS(READ) -                  
     ID(STCJMON)                                                                
    SETROPTS RACLIST(FACILITY) REFRESH                                          
    RLIST   FACILITY FEJ.START.BATCH.*.** ALL                                   
                                                                                
  #  allow RSE daemon to start as job instead of STC                            
    RDEFINE FACILITY FEK.START.BATCH.*.** UACC(NONE) -                          
     DATA('start RSED in batch')                                                
  #  uncomment permit to allow batch startup                                    
  # PERMIT FEK.START.BATCH.*.** CLASS(FACILITY) ACCESS(READ) -                  
     ID(STCRSE)                                                                 
    SETROPTS RACLIST(FACILITY) REFRESH                                          
    RLIST   FACILITY FEK.START.BATCH.*.** ALL                                   
  ).                                                                            
++HOLD(UI95148) SYSTEM FMID(HALG330) REASON(ACTION) DATE(24008)                 
  COMMENT(                                                                      
  ****************************************************************              
  * Affected function: security & cryptographic setup            *              
  ****************************************************************              
  * Description: add support for SAF JWT (JSON Web Token)        *              
  ****************************************************************              
  * Timing: post-APPLY                                           *              
  ****************************************************************              
  * Part: FEK.SFEKSAMP(FEKRACF)                                  *              
  *       FEK.SFEKSAMP(FEKPKCS1)                                 *              
  ****************************************************************              
  This fix introduces support for SAF JWT (JSON Web Token)                      
  provisioning, which requires security and cryptographic updates.
                                                                                
  Sample security setup job FEKRACF is updated with:                            
                                                                                
  ** step RACFINIT **                                                           
                                                                                
  #  activate ICSF usage permission for cryptographic admin                     
  # SETROPTS GENERIC(CRYPTOZ)                                                   
  # SETROPTS CLASSACT(CRYPTOZ) RACLIST(CRYPTOZ)                                 
                                                                                
  #  activate private key definitions for usage by RSE                          
  # SETROPTS GENERIC(IDTDATA)                                                   
  # SETROPTS CLASSACT(IDTDATA) RACLIST(IDTDATA)                                 
                                                                                
  ** step JWT **                                                                
                                                                                
  #  allow crypto admin to define a PCKS#11 token and private key               
    RLIST   CRYPTOZ SO.JWTTOK.FEKAPPL ALL                                       
    RDEFINE CRYPTOZ SO.JWTTOK.FEKAPPL UACC(NONE) -                              
     DATA('CREATE PCKS#11 TOKEN')                                               
    PERMIT SO.JWTTOK.FEKAPPL CLASS(CRYPTOZ) ACCESS(CONTROL) -                   
     ID(#crypto)                                                                
                                                                                
    RLIST   CRYPTOZ CLEARKEY.JWTTOK.FEKAPPL ALL                                 
    RDEFINE CRYPTOZ CLEARKEY.JWTTOK.FEKAPPL UACC(NONE) -                        
     DATA('CREATE PCKS#11 KEY')                                                 
    PERMIT CLEARKEY.JWTTOK.FEKAPPL CLASS(CRYPTOZ) ACCESS(READ) -                
     ID(#crypto)                                                                
                                                                                
    SETROPTS RACLIST(CRYPTOZ) REFRESH                                           
                                                                                
  #  define PCKS#11 token holding the secret key                                
    RACDCERT LISTTOKEN(JWTTOK.FEKAPPL)                                          
    RACDCERT ADDTOKEN (JWTTOK.FEKAPPL)                                          
  # create secret key with job FEKPCKS1 after ADDTOKEN completed                
                                                                                
  #  define JSON Web Token used by RSE                                          
    RLIST   IDTDATA JWT.FEKAPPL.*.SAF ALL IDTPARMS                              
    RDEFINE IDTDATA JWT.FEKAPPL.*.SAF -                                         
     IDTPARMS(SIGTOKEN(JWTTOK.FEKAPPL) -                                        
     SIGALG(HS512) ANYAPPL(NO) IDTTIMEOUT(30)) UACC(NONE) -                     
     DATA('IBM EXPLORER FOR z/OS')                                              
                                                                                
    SETROPTS RACLIST(IDTDATA) REFRESH                                           
                                                                                
  #  show results ...............................................               
    RLIST   CRYPTOZ SO.JWTTOK.FEKAPPL ALL                                       
    RLIST   CRYPTOZ CLEARKEY.JWTTOK.FEKAPPL ALL                                 
    RACDCERT LISTTOKEN(JWTTOK.FEKAPPL)                                          
    RLIST   IDTDATA JWT.FEKAPPL.*.SAF ALL IDTPARMS                              
                                                                                
                                                                                
  A new sample job, FEKPKCS1, is provided to define the secret key              
  used for JWT generation. FEKPKCS1 must be executed after the                  
  security updates listed above completed, and must be executed by              
  a cryptographic administrator due to the required ICSF permits.               
  ).                                                                            
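
Because the APPLY job on this page specifies BYPASS(HOLDSYS,HOLDERROR), SMP/E will not stop on these holds, so the listed post-APPLY actions have to be tracked by hand. The following Python code is an added example, not part of IBM's instructions: it parses ++HOLD text in the layout shown above into a checklist of ACTION holds and affected parts. The sample input is constructed and shortened, and the function names are hypothetical.

```python
import re
from datetime import date, timedelta

# Constructed sample: a shortened ++HOLD record in the layout shown above.
SAMPLE = """\
++HOLD(UI97198) SYSTEM FMID(HALG330) REASON(ACTION) DATE(24158)
  COMMENT(
  ****************************************************************
  * Affected function: RSE                                       *
  ****************************************************************
  * Timing: post-APPLY                                           *
  ****************************************************************
  * Part: /usr/lpp/IBM/zexpl/samples/rse.env                     *
  *       {/etc/zexpl/rse.env}                                   *
  ****************************************************************
  ).
"""

HEADER = re.compile(r"\+\+HOLD\((\w+)\)\s+SYSTEM\s+FMID\((\w+)\)"
                    r"\s+REASON\((\w+)\)\s+DATE\((\d{5})\)")
BOX = re.compile(r"^\s*\*\s(?:([A-Za-z ]+):)?\s*(.*?)\s*\*\s*$")

def yyddd(s):
    """Convert an SMP/E yyddd date to a calendar date (assumes 20yy)."""
    return date(2000 + int(s[:2]), 1, 1) + timedelta(days=int(s[2:]) - 1)

def parse_holds(text):
    """Return one dict per ++HOLD record, with its boxed action entries."""
    holds, key = [], None
    for line in text.splitlines():
        h, b = HEADER.search(line), BOX.match(line)
        if h:
            holds.append({"sysmod": h[1], "fmid": h[2], "reason": h[3],
                          "date": yyddd(h[4]), "actions": []})
        elif b and holds:
            key = b[1].strip().lower() if b[1] else key  # no label: continuation
            if b[1] and key == "affected function":
                holds[-1]["actions"].append({})  # a new action entry starts
            if holds[-1]["actions"]:
                holds[-1]["actions"][-1].setdefault(key, []).append(b[2])
    return holds

def post_apply_actions(holds):
    """List (sysmod, function, parts) for ACTION holds timed post-APPLY."""
    return [(h["sysmod"], " ".join(a["affected function"]), a.get("part", []))
            for h in holds if h["reason"] == "ACTION"
            for a in h["actions"] if "post-APPLY" in a.get("timing", [])]

if __name__ == "__main__":
    print(post_apply_actions(parse_holds(SAMPLE)))
```

Feeding it the full hold text from the received fix gives one entry per affected function, which can be ticked off after the APPLY completes.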
  

Perform SMP/E ACCEPT for the prerequisites

SMP/E ACCEPT the prerequisites to facilitate an easy backout of the fix, if required. Note that once accepted, you cannot back out the accepted prerequisites.

This step can be skipped if there are no prerequisites, or if there is a reason to not make a prerequisite permanent.

You can accept the prerequisites by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.

//*
//* Change #globalcsi to the data set name of your global CSI.
//* Change #dzone to your CSI distribution zone name.
//*
//ACCEPT   EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=OLD,DSN=#globalcsi
//SMPCNTL  DD *
   SET BOUNDARY(#dzone) .
   ACCEPT SELECT(
   ) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR).
//*

Perform SMP/E RECEIVE and APPLY for the fix

SMP/E RECEIVE and APPLY the fix.

You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.

//*
//* Change #hlq to the high level qualifier used to upload the fix.
//* Change (2x) #globalcsi to the data set name of your global CSI.
//* Change #tzone to your CSI target zone name.
//*
//         SET HLQ=#hlq
//*
//RECEIVE  EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=OLD,DSN=#globalcsi
//SMPPTFIN DD DISP=SHR,DSN=&HLQ..IBM.HALG330.UI99118
//SMPCNTL  DD *
   SET BOUNDARY(GLOBAL) .
   RECEIVE SELECT(
     UI99118
   ) SYSMODS LIST .
//*
//APPLY    EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=OLD,DSN=#globalcsi
//SMPCNTL  DD *
   SET BOUNDARY(#tzone) .
   APPLY SELECT(
     UI99118
   ) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR).
//*

Restart started tasks to activate changes

Restart started tasks to activate changes.