The fix is shipped as file IBM.HAMA100.UI91784
The fix has rework (build) date 2023132 (12 May 2023)
The following fixes are prerequisites for this fix:
The following fixes are corequisites for this fix:
The following fixes are superseded by this fix:
AH28750 AH30508 AH32168 AH34850 AH36331 AH37402 AH37649 AH38038 AH39742 AH39927 AH40882 AH41539 AH44566 AH44985 AH45953 AH46593 AH48642 AH50833 AH51218 AH52498 AH54496 UI71260 UI72086 UI72877 UI74381 UI74953 UI75508 UI75610 UI75853 UI76666 UI76819 UI77326 UI77777 UI79545 UI79806 UI80330 UI80595 UI81917 UI83268 UI90190 UI90468Steps required to install the fix:
A sequential data set must be allocated on the z/OS system to receive the fix that you will upload from your workstation. You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
// SET HLQ=#hlq //* //ALLOC EXEC PGM=IEFBR14 //UI91784 DD DSN=&HLQ..IBM.HAMA100.UI91784, // DISP=(NEW,CATLG,DELETE), // DSORG=PS, // RECFM=FB, // LRECL=80, // UNIT=SYSALLDA, //* VOL=SER=volser, //* BLKSIZE=6160, // SPACE=(TRK,(925,180)) //*
Upload the file in binary format from your workstation to the z/OS data set. On a Windows system, you can use FTP from a command prompt to upload the file. In the sample dialog shown below, commands or other information entered by the user are in bold, and the following values are assumed:
| User enters: | Values |
|---|---|
| mvsaddr | TC P/IP address of the z/OS system |
| tsouid | Your TSO user ID |
| tsopw | Your TSO password |
| d: | Your drive containing the fix files |
| hlq | High-level qualifier that you used for the data set that you allocated in the job above |
C:\>ftp mvsaddr Connected to mvsaddr. 220-FTPD1 IBM FTP CS %version% at mvsaddr, %time% on %date%. 220 Connection will close if idle for more than 60 minutes. User (mvsaddr:(none)): tsouid 331 Send password please. Password: tsopw 230 tsouid is logged on. Working directory is "tsouid.". ftp> cd .. 250 "" is the working directory name prefix. ftp> cd hlq 250 "hlq." is the working directory name prefix. ftp> binary 200 Representation type is Image ftp> put d:\IBM.HAMA100.UI91784 200 Port request OK. 125 Storing data set hlq.IBM.HAMA100.UI91784 250 Transfer completed successfully 51641280 bytes sent in 0.28 seconds ftp> quit 221 Quit command received. Goodbye.
++HOLD(UI90468) SYSTEM FMID(HAMA100) REASON(ACTION) DATE(23040)
COMMENT(
****************************************************************
* Affected function: configuration *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/rseapi/tomcat.base/samples/rseapi.env *
* /etc/zexpl/rseapi.envŲ *
****************************************************************
This fix updates the sample rseapi.env by adding the
following optional directives:
RSEAPI_KEYRING=SAF.ring
Specifies the name of the SAF key ring that holds the server
certificate and private key for HTTPS encrypted communication.
The default value is SAF.ring.
Note: This variable is not used when the RSEAPI started task
specifies SECURE='false' as startup argument.
#RSEAPI_USING_ATTLS=false
When true, this variable specifies that Application
Transparent Transport Layer Security (AT-TLS) is responsible
for managing HTTPS encrypted communication, in which case the
RSEAPI started task must specify SECURE='false' as startup
argument. When false, the RSEAPI started task is responsible
for managing HTTPS encrypted communication. Valid values are
true and false. The default value is false.
Note: RSE API currently cannot detect if AT-TLS is actually
encrypting the communication. It is up to the system
administrator to ensure this is the case when
RSEAPI_USING_ATTLS is set to true.
#RSEAPI_SSL_CIPHERS=
A comma (,) separated list of encryption cipher suites that
are allowed for HTTPS encrypted communication. Valid values
are defined by the IBMJSSE2 security provider and are
documented in the Security Guide of IBM SDK, Java Technology.
The default depends on the encryption protocol selected with
variable RSEAPI_SSL_ENABLED_PROTOCOLS.
Note: This variable is not used when the RSEAPI started task
specifies SECURE='false' as startup argument.
****************************************************************
* Affected function: configuration *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/rseapi/tomcat.base/samples/rseapi.env *
* /etc/zexpl/rseapi.envŲ *
****************************************************************
This fix updated sample file rseapi.env.
Redo your customizations, if any, after applying this
maintenance.
****************************************************************
* Affected function: configuration *
****************************************************************
* Description: add support for SAF key ring and AT-TLS *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/rseapi/tomcat.base/samples/rseapi.env *
* /etc/zexpl/rseapi.envŲ *
****************************************************************
This fix changes configuration of HTTPS encrypted communication.
It adds support for storing certificates in a SAF keyring, and
adds support for using AT-TLS to manage encrypted communication.
The existing usage of a key store file is still supported, but
deprecated.
Using a SAF key ring is the new default, which changes the
default values of these rseapi.env variables:
- RSEAPI_KEYSTORE_FILE
"$RSEAPI_CFG/rseapi_crypto/keystore" becomes
"safkeyring://$(id -un)/$RSEAPI_KEYRING"
- RSEAPI_KEYSTORE_PASS
"" becomes "password"
- RSEAPI_KEYSTORE_TYPE
"JKS" becomes "JCERACFKS"
If you are currently using a key store file to enable HTTPS
encrypted communication, you might rely on RSEAPI_KEYSTORE_FILE
and RSEAPI_KEYSTORE_TYPE holding the old default values. If so,
explicitly add these definitions to rseapi.env to ensure that
your current setup continues to work after applying this fix.
RSEAPI_KEYSTORE_FILE=$RSEAPI_CFG/rseapi_crypto/keystore
RSEAPI_KEYSTORE_TYPE=JKS
).
SMP/E ACCEPT the prerequisites to facilitate an easy backout of the fix, if required. Note that once accepted, you cannot backout the accepted prerequisites.
This step can be skipped if there are no prerequisites, or if there is a reason to not make a prerequisite permanent.
You can accept the prerequisites by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
//* //* Change #globalcsi to the data set name of your global CSI. //* Change #dzone to your CSI distribution zone name. //* //ACCEPT EXEC PGM=GIMSMP,REGION=0M //SMPCSI DD DISP=OLD,DSN=#globalcsi //SMPCNTL DD * SET BOUNDARY(#dzone) . ACCEPT SELECT( ) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR). //*
SMP/E RECEIVE and APPLY the fix.
You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
//*
//* Change #hlq to the high level qualifier used to upload the fix.
//* Change (2x) #globalcsi to the data set name of your global CSI.
//* Change #tzone to your CSI target zone name.
//*
// SET HLQ=#hlq
//*
//RECEIVE EXEC PGM=GIMSMP,REGION=0M
//SMPCSI DD DISP=OLD,DSN=#globalcsi
//SMPPTFIN DD DISP=SHR,DSN=&HLQ..IBM.HAMA100.UI91784
//SMPCNTL DD *
SET BOUNDARY(GLOBAL) .
RECEIVE SELECT(
UI91784
) SYSMODS LIST .
//*
//APPLY EXEC PGM=GIMSMP,REGION=0M
//SMPCSI DD DISP=OLD,DSN=#globalcsi
//SMPCNTL DD *
SET BOUNDARY(#tzone) .
APPLY SELECT(
UI91784
) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR).
//*
Restart started tasks to activate changes.