Installation instructions for fix UI97198 for Explorer for z/OS v3.3 (FMID HALG330)

The fix is shipped as file IBM.HALG330.UI97198

The fix has rework (build) date 2024158 (6 Jun 2024)

The following fixes are prerequisites for this fix:

The following fixes are corequisites for this fix:

The following fixes are superseded by this fix:

AH50484 AH51845 AH55097 AH55322 AH56681 AH56739 AH57454 AH58699 AH59049 AH59430 AH59985 AH60635 AH60792 AH60824 UI83044 UI90920 UI92190 UI94017 UI94851 UI95148 UI95993

Overview of the installation steps

Steps required to install the fix:

  1. Allocate host data sets for the fix.
  2. Upload the fix from your workstation to z/OS.
  3. SMP/E hold information for the fix.
  4. Perform SMP/E ACCEPT for the prerequisites.
  5. Perform SMP/E RECEIVE and APPLY for the fix.
  6. Restart started tasks to activate changes.

Allocate host data sets for the fix

A sequential data set must be allocated on the z/OS system to receive the fix that you will upload from your workstation. You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.

//         SET HLQ=#hlq
//*
//ALLOC    EXEC PGM=IEFBR14
//UI97198    DD DSN=&HLQ..IBM.HALG330.UI97198,
//            DISP=(NEW,CATLG,DELETE),
//            DSORG=PS,
//            RECFM=FB,
//            LRECL=80,
//            UNIT=SYSALLDA,
//*            VOL=SER=volser,
//*            BLKSIZE=6160,
//            SPACE=(TRK,(169,30))
//*

Upload the fix from your workstation to z/OS

Upload the file in binary format from your workstation to the z/OS data set. On a Windows system, you can use FTP from a command prompt to upload the file. In the sample dialog shown below, commands or other information entered by the user are in bold, and the following values are assumed:

User enters   Value
mvsaddr       TCP/IP address of the z/OS system
tsouid        Your TSO user ID
tsopw         Your TSO password
d:            Your drive containing the fix files
hlq           High-level qualifier that you used for the data set that you allocated in the job above

C:\>ftp mvsaddr
Connected to mvsaddr.
220-FTPD1 IBM FTP CS %version% at mvsaddr, %time% on %date%.
220 Connection will close if idle for more than 60 minutes.
 
User (mvsaddr:(none)): tsouid
331 Send password please.
 
Password: tsopw
230 tsouid is logged on.  Working directory is "tsouid.".
 
ftp> cd ..
250 "" is the working directory name prefix.
 
ftp> cd hlq
250 "hlq." is the working directory name prefix.
 
ftp> binary
200 Representation type is Image
 
ftp> put d:\IBM.HALG330.UI97198
200 Port request OK.
125 Storing data set hlq.IBM.HALG330.UI97198
250 Transfer completed successfully
9392480 bytes sent in 0.28 seconds
 
ftp> quit
221 Quit command received. Goodbye.
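
The same transfer can be checked beforehand and sent without exposing the TSO password on the network, shown here as an added Python example that is not part of the IBM instructions. It assumes the z/OS FTP server accepts explicit TLS (AUTH TLS) and that the data set gets the system-determined block size of 27920 on 3390 DASD; the function names are illustrative.

```python
import ftplib
import hashlib
import math
import ssl

LRECL = 80                     # from the allocation job: RECFM=FB, LRECL=80
BYTES_PER_TRACK = 2 * 27920    # assumption: 3390 DASD, two 27920-byte blocks per track


def precheck(data: bytes) -> dict:
    """Check a fix image before upload and size the target data set."""
    if len(data) == 0 or len(data) % LRECL:
        # A binary image for an FB/80 data set is a whole number of records;
        # anything else points to a truncated or text-mode-converted file.
        raise ValueError("size is not a whole number of 80-byte records")
    return {
        "bytes": len(data),
        "records": len(data) // LRECL,
        "tracks": math.ceil(len(data) / BYTES_PER_TRACK),
        "sha256": hashlib.sha256(data).hexdigest(),  # keep for the change record
    }


def upload(host, user, password, hlq, path, name="IBM.HALG330.UI97198"):
    """Binary upload over explicit FTPS; returns the precheck report."""
    with open(path, "rb") as fp:
        report = precheck(fp.read())
        fp.seek(0)
        ftps = ftplib.FTP_TLS(host, context=ssl.create_default_context())
        ftps.login(user, password)   # AUTH TLS is negotiated before USER/PASS
        ftps.prot_p()                # protect the data connection as well
        # z/OS FTP: a name in single quotes is fully qualified (no user ID prefix)
        ftps.storbinary(f"STOR '{hlq}.{name}'", fp)
        ftps.quit()
    return report
```

For the 9392480-byte file in the dialog above, precheck reports 117406 records and 169 tracks, which matches the primary allocation in the ALLOC job.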

SMP/E hold information for the fix

++HOLD(UI97198) SYSTEM FMID(HALG330) REASON(ACTION) DATE(24158)
  COMMENT(
  ****************************************************************
  * Affected function: RSE                                       *
  ****************************************************************
  * Description: new environment variables                       *
  ****************************************************************
  * Timing: post-APPLY                                           *
  ****************************************************************
  * Part: /usr/lpp/IBM/zexpl/samples/rse.env                     *
  *       {/etc/zexpl/rse.env}                                   *
  ****************************************************************
  This fix updates the sample rse.env by REMOVING the
  following optional directives:
 
  #LANG=C
  This directive controls the locale used in the shell that
  starts RSE daemon. It is not used by the server itself. Changing
  the locale can cause shell script errors, so the option is
  removed as it serves no real purpose.
 
  Redo your customizations, if any, after applying this
  maintenance.
 
  ****************************************************************
  * Affected function: security setup                            *
  ****************************************************************
  * Description: add permit for z/OS UNIX kill command           *
  *              add permit for running server in batch          *
  ****************************************************************
  * Timing: post-APPLY                                           *
  ****************************************************************
  * Part: FEK.SFEKSAMP(FEKRACF)                                  *
  ****************************************************************
  This fix introduces the following permit for the started task:
 
  #  define permit to remove RSE-managed but user-owned processes
    RDEFINE UNIXPRIV SUPERUSER.PROCESS.KILL UACC(NONE) -
     DATA('OVERRIDE KILL PROCESS RESTRICTIONS')
    PERMIT SUPERUSER.PROCESS.KILL CLASS(UNIXPRIV) ACCESS(READ) -
     ID(STCRSE)
    SETROPTS RACLIST(UNIXPRIV) REFRESH
    RLIST   UNIXPRIV SUPERUSER.PROCESS.KILL ALL
 
  #  allow JES Job Monitor to start as job instead of STC
    RDEFINE FACILITY FEJ.START.BATCH.*.** UACC(NONE) -
     DATA('start JMON in batch')
  #  uncomment permit to allow batch startup
  # PERMIT FEJ.START.BATCH.*.** CLASS(FACILITY) ACCESS(READ) -
     ID(STCJMON)
    SETROPTS RACLIST(FACILITY) REFRESH
    RLIST   FACILITY FEJ.START.BATCH.*.** ALL
 
  #  allow RSE daemon to start as job instead of STC
    RDEFINE FACILITY FEK.START.BATCH.*.** UACC(NONE) -
     DATA('start RSED in batch')
  #  uncomment permit to allow batch startup
  # PERMIT FEK.START.BATCH.*.** CLASS(FACILITY) ACCESS(READ) -
     ID(STCRSE)
    SETROPTS RACLIST(FACILITY) REFRESH
    RLIST   FACILITY FEK.START.BATCH.*.** ALL
  ).
++HOLD(UI95148) SYSTEM FMID(HALG330) REASON(ACTION) DATE(24008)
  COMMENT(
  ****************************************************************
  * Affected function: security & cryptographic setup            *
  ****************************************************************
  * Description: add support for SAF JWT (JSON Web Token)        *
  ****************************************************************
  * Timing: post-APPLY                                           *
  ****************************************************************
  * Part: FEK.SFEKSAMP(FEKRACF)                                  *
  *       FEK.SFEKSAMP(FEKPKCS1)                                 *
  ****************************************************************
  This fix introduces support for SAF JWT (JSON Web Token)
  provisioning, which requires security and cryptographic updates.
 
  Sample security setup job FEKRACF is updated with:
 
  ** step RACFINIT **
 
  #  activate ICSF usage permission for cryptographic admin
  # SETROPTS GENERIC(CRYPTOZ)
  # SETROPTS CLASSACT(CRYPTOZ) RACLIST(CRYPTOZ)
 
  #  activate private key definitions for usage by RSE
  # SETROPTS GENERIC(IDTDATA)
  # SETROPTS CLASSACT(IDTDATA) RACLIST(IDTDATA)
 
  ** step JWT **
 
  #  allow crypto admin to define a PKCS#11 token and private key
    RLIST   CRYPTOZ SO.JWTTOK.FEKAPPL ALL
    RDEFINE CRYPTOZ SO.JWTTOK.FEKAPPL UACC(NONE) -
     DATA('CREATE PCKS#11 TOKEN')
    PERMIT SO.JWTTOK.FEKAPPL CLASS(CRYPTOZ) ACCESS(CONTROL) -
     ID(#crypto)
 
    RLIST   CRYPTOZ CLEARKEY.JWTTOK.FEKAPPL ALL
    RDEFINE CRYPTOZ CLEARKEY.JWTTOK.FEKAPPL UACC(NONE) -
     DATA('CREATE PCKS#11 KEY')
    PERMIT CLEARKEY.JWTTOK.FEKAPPL CLASS(CRYPTOZ) ACCESS(READ) -
     ID(#crypto)
 
    SETROPTS RACLIST(CRYPTOZ) REFRESH
 
  #  define PKCS#11 token holding the secret key
    RACDCERT LISTTOKEN(JWTTOK.FEKAPPL)
    RACDCERT ADDTOKEN (JWTTOK.FEKAPPL)
  # create secret key with job FEKPKCS1 after ADDTOKEN completed
 
  #  define JSON Web Token used by RSE
    RLIST   IDTDATA JWT.FEKAPPL.*.SAF ALL IDTPARMS
    RDEFINE IDTDATA JWT.FEKAPPL.*.SAF -
     IDTPARMS(SIGTOKEN(JWTTOK.FEKAPPL) -
     SIGALG(HS512) ANYAPPL(NO) IDTTIMEOUT(30)) UACC(NONE) -
     DATA('IBM EXPLORER FOR z/OS')
 
    SETROPTS RACLIST(IDTDATA) REFRESH
 
  #  show results ...............................................
    RLIST   CRYPTOZ SO.JWTTOK.FEKAPPL ALL
    RLIST   CRYPTOZ CLEARKEY.JWTTOK.FEKAPPL ALL
    RACDCERT LISTTOKEN(JWTTOK.FEKAPPL)
    RLIST   IDTDATA JWT.FEKAPPL.*.SAF ALL IDTPARMS
 
 
  A new sample job, FEKPKCS1, is provided to define the secret key
  used for JWT generation. FEKPKCS1 must be executed after the
  security updates listed above have completed, and must be executed
  by a cryptographic administrator due to the required ICSF permits.
  ).
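
Because the APPLY job bypasses HOLDSYS, the security changes above have to be reviewed and run by hand. The Python below is an added example, not IBM code: it parses an excerpt of the FEKRACF commands quoted in the hold data, joins '-' continuation lines, and lists which ID receives which access, marking permits that ship commented out and any RDEFINE whose UACC is not NONE. Function and variable names are illustrative.

```python
import re

# Excerpt of the FEKRACF commands quoted in the hold data above;
# "#" marks a command that the sample ships commented out.
FEKRACF_EXCERPT = """\
  RDEFINE UNIXPRIV SUPERUSER.PROCESS.KILL UACC(NONE) -
   DATA('OVERRIDE KILL PROCESS RESTRICTIONS')
  PERMIT SUPERUSER.PROCESS.KILL CLASS(UNIXPRIV) ACCESS(READ) -
   ID(STCRSE)
# PERMIT FEK.START.BATCH.*.** CLASS(FACILITY) ACCESS(READ) -
   ID(STCRSE)
  PERMIT SO.JWTTOK.FEKAPPL CLASS(CRYPTOZ) ACCESS(CONTROL) -
   ID(#crypto)
"""

PERMIT = re.compile(
    r"PERMIT\s+(\S+)\s+CLASS\((\w+)\)\s+ACCESS\((\w+)\)\s+ID\(([^)]+)\)")
RDEFINE = re.compile(r"RDEFINE\s+(\w+)\s+(\S+).*UACC\((\w+)\)")


def commands(text):
    """Join '-' continuation lines; yield (command, active) per command."""
    buf, active = [], True
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not buf:  # first line of a command decides commented-out status
            active = not line.startswith("#")
            line = line.lstrip("#").strip()
        more = line.endswith("-")
        buf.append(line.rstrip("-").strip())
        if not more:
            yield " ".join(buf), active
            buf = []


def review(text):
    """Return (grants, open_profiles) for a block of RACF commands."""
    grants, open_profiles = [], []
    for cmd, active in commands(text):
        if m := PERMIT.match(cmd):
            profile, cls, access, ident = m.groups()
            grants.append((cls, profile, access, ident, active))
        elif (m := RDEFINE.match(cmd)) and m.group(3) != "NONE":
            open_profiles.append((m.group(1), m.group(2)))
    return grants, open_profiles
```

On the excerpt, review returns three grants (the batch-start permit with its active flag False) and no open profiles.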
  

Perform SMP/E ACCEPT for the prerequisites

SMP/E ACCEPT the prerequisites to facilitate an easy backout of the fix, if required. Note that once accepted, you cannot back out the accepted prerequisites.

This step can be skipped if there are no prerequisites, or if there is a reason to not make a prerequisite permanent.

You can accept the prerequisites by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.

//*
//* Change #globalcsi to the data set name of your global CSI.
//* Change #dzone to your CSI distribution zone name.
//*
//ACCEPT   EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=OLD,DSN=#globalcsi
//SMPCNTL  DD *
   SET BOUNDARY(#dzone) .
   ACCEPT SELECT(
   ) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR).
//*

Perform SMP/E RECEIVE and APPLY for the fix

SMP/E RECEIVE and APPLY the fix.

You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.

//*
//* Change #hlq to the high level qualifier used to upload the fix.
//* Change (2x) #globalcsi to the data set name of your global CSI.
//* Change #tzone to your CSI target zone name.
//*
//         SET HLQ=#hlq
//*
//RECEIVE  EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=OLD,DSN=#globalcsi
//SMPPTFIN DD DISP=SHR,DSN=&HLQ..IBM.HALG330.UI97198
//SMPCNTL  DD *
   SET BOUNDARY(GLOBAL) .
   RECEIVE SELECT(
     UI97198
   ) SYSMODS LIST .
//*
//APPLY    EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=OLD,DSN=#globalcsi
//SMPCNTL  DD *
   SET BOUNDARY(#tzone) .
   APPLY SELECT(
     UI97198
   ) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR).
//*

Restart started tasks to activate changes

Restart started tasks to activate changes.