Installation instructions for fix UI99157 for Remote System Explorer API v1.1 (FMID HAMA110)

The fix is shipped as file IBM.HAMA110.UI99157

The fix has rework (build) date 2024326 (21 Nov 2024)

The following fixes are prerequisites for this fix:

The following fixes are corequisites for this fix:

The following fixes are superseded by this fix:

AH50505 AH53200 AH55137 AH57572 AH58778 AH60239 AH60820 AH61781 AH61950 UI83055 UI90927 UI92232 UI94020 UI94895 UI96011 UI96491 UI97241

Overview of the installation steps

Steps required to install the fix:

  1. Allocate host data sets for the fix.
  2. Upload the fix from your workstation to z/OS.
  3. SMP/E hold information for the fix.
  4. Perform SMP/E ACCEPT for the prerequisites.
  5. Perform SMP/E RECEIVE and APPLY for the fix.
  6. Restart started tasks to activate changes.

Allocate host data sets for the fix

A sequential data set must be allocated on the z/OS system to receive the fix that you will upload from your workstation. You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.

//         SET HLQ=#hlq
//*
//ALLOC    EXEC PGM=IEFBR14
//UI99157    DD DSN=&HLQ..IBM.HAMA110.UI99157,
//            DISP=(NEW,CATLG,DELETE),
//            DSORG=PS,
//            RECFM=FB,
//            LRECL=80,
//            UNIT=SYSALLDA,
//*            VOL=SER=volser,
//*            BLKSIZE=6160,
//            SPACE=(TRK,(1048,200))
//*

Upload the fix from your workstation to z/OS

Upload the file in binary format from your workstation to the z/OS data set. On a Windows system, you can use FTP from a command prompt to upload the file. In the sample dialog shown below, commands or other information entered by the user are in bold, and the following values are assumed:

User enters   Values
mvsaddr       TCP/IP address of the z/OS system
tsouid        Your TSO user ID
tsopw         Your TSO password
d:            Your drive containing the fix files
hlq           High-level qualifier that you used for the data set that you allocated in the job above

C:\>ftp mvsaddr
Connected to mvsaddr.
220-FTPD1 IBM FTP CS %version% at mvsaddr, %time% on %date%.
220 Connection will close if idle for more than 60 minutes.
User (mvsaddr:(none)): tsouid
331 Send password please.
Password: tsopw
230 tsouid is logged on.  Working directory is "tsouid.".
ftp> cd ..
250 "" is the working directory name prefix.
ftp> cd hlq
250 "hlq." is the working directory name prefix.
ftp> binary
200 Representation type is Image
ftp> put d:\IBM.HAMA110.UI99157
200 Port request OK.
125 Storing data set hlq.IBM.HAMA110.UI99157
250 Transfer completed successfully
57799360 bytes sent in 0.28 seconds
ftp> quit
221 Quit command received. Goodbye.

SMP/E hold information for the fix

++HOLD(UI97241) SYSTEM FMID(HAMA110) REASON(ACTION) DATE(24162)
  COMMENT(
  ****************************************************************
  * Affected function: security setup                            *
  ****************************************************************
  * Description: add permit for z/OS UNIX kill command           *
  *              add permit for running server in batch          *
  *              add permit for Administrator API usage          *
  ****************************************************************
  * Timing: post-APPLY                                           *
  ****************************************************************
  * Part: FEK.SFEKSAMP(FEKRACF)                                  *
  ****************************************************************
  This fix introduces the following permit for the started task:

  #  define permit to remove RSE-managed but user-owned processes
   RDEFINE UNIXPRIV SUPERUSER.PROCESS.KILL UACC(NONE) -
     DATA('OVERRIDE KILL PROCESS RESTRICTIONS')
   PERMIT SUPERUSER.PROCESS.KILL CLASS(UNIXPRIV) ACCESS(READ) -
     ID(STCAPI)
   SETROPTS RACLIST(UNIXPRIV) REFRESH
   RLIST   UNIXPRIV SUPERUSER.PROCESS.KILL ALL

  #  allow RSE API to start as job instead of STC
   RDEFINE FACILITY HUH.START.BATCH.*.** UACC(NONE) -
     DATA('start RSE API in batch')
  #  uncomment permit to allow batch startup
  # PERMIT HUH.START.BATCH.*.** CLASS(FACILITY) ACCESS(READ) -
     ID(STCAPI)
   SETROPTS RACLIST(FACILITY) REFRESH
   RLIST   FACILITY HUH.START.BATCH.*.** ALL

  This fix introduces the following permit for RSE API admins:
   RDEFINE FACILITY HUH.API.ADMIN.CMD UACC(NONE) -
     DATA('ZEXPL - RSE API administrator')
   PERMIT HUH.API.ADMIN.CMD CLASS(FACILITY) ACCESS(READ) -
     ID(#admin)
   SETROPTS RACLIST(FACILITY) REFRESH
   RLIST   FACILITY HUH.API.ADMIN.CMD ALL
  ).
++HOLD(UI94020) SYSTEM FMID(HAMA110) REASON(ACTION) DATE(23289)
  COMMENT(
  ****************************************************************
  * Affected function: configuration                             *
  ****************************************************************
  * Description: new environment variable                        *
  ****************************************************************
  * Timing: post-APPLY                                           *
  ****************************************************************
  * Part: tomcat.base/samples/rseapi.env                         *
  *       {/etc/zexpl/rseapi.env}                                *
  ****************************************************************
  This fix updates the sample rseapi.env by adding the
  following optional directives:

  #RSEAPI_SAF_JWT=true
    Enables the support (provision and validation) of SAF JSON Web
    Tokens (JWTs). The default is true. Set it to false to disable
    the feature.
    Note:
    *z/OS Explorer SAF JWT support must be set up for this feature
     to work. See Define SAF JSON Web Token (JWT) support for RSE
     in the z/OS Explorer Host Configuration Guide for
     configuration instructions.
    *Support for SAF JWT requires z/OS 2.4 or higher.

  Redo your customizations, if any, after applying this
  maintenance.
  ).
++HOLD(UI90927) SYSTEM FMID(HAMA110) REASON(ACTION) DATE(23073)
  COMMENT(
  ****************************************************************
  * Affected function: configuration                             *
  ****************************************************************
  * Description: add support for SAF key ring and AT-TLS         *
  ****************************************************************
  * Timing: pre-APPLY                                            *
  ****************************************************************
  * Part: /usr/lpp/IBM/rseapi/tomcat.base/samples/rseapi.env     *
  *       [/etc/zexpl/rseapi.env]                                *
  ****************************************************************
  This fix changes configuration of HTTPS encrypted communication.
  It adds support for storing certificates in a SAF keyring, and
  adds support for using AT-TLS to manage encrypted communication.
  The existing usage of a key store file is still supported, but
  deprecated.

  Using a SAF key ring is the new default, which changes the
  default values of these rseapi.env variables:
  - RSEAPI_KEYSTORE_FILE
    "$RSEAPI_CFG/rseapi_crypto/keystore" becomes
    "safkeyring://$(id -un)/$RSEAPI_KEYRING"
  - RSEAPI_KEYSTORE_PASS
    "" becomes "password"
  - RSEAPI_KEYSTORE_TYPE
    "JKS" becomes "JCERACFKS"

  If you are currently using a key store file to enable HTTPS
  encrypted communication, you might rely on RSEAPI_KEYSTORE_FILE
  and RSEAPI_KEYSTORE_TYPE holding the old default values. If so,
  explicitly add these definitions to rseapi.env to ensure that
  your current setup continues to work after applying this fix.
  RSEAPI_KEYSTORE_FILE=$RSEAPI_CFG/rseapi_crypto/keystore
  RSEAPI_KEYSTORE_TYPE=JKS

  ****************************************************************
  * Affected function: configuration                             *
  ****************************************************************
  * Description: new environment variables                       *
  ****************************************************************
  * Timing: pre-APPLY                                            *
  ****************************************************************
  * Part: /usr/lpp/IBM/rseapi/tomcat.base/samples/rseapi.env     *
  *       [/etc/zexpl/rseapi.env]                                *
  ****************************************************************
  This fix updates the sample rseapi.env by adding the
  following optional directives:

  RSEAPI_KEYRING=SAF.ring
    Specifies the name of the SAF key ring that holds the server
    certificate and private key for HTTPS encrypted communication.
    The default value is SAF.ring.
    Note: This variable is not used when the RSEAPI started task
          specifies SECURE='false' as startup argument.

  #RSEAPI_USING_ATTLS=false
    When true, this variable specifies that Application
    Transparent Transport Layer Security (AT-TLS) is responsible
    for managing HTTPS encrypted communication, in which case the
    RSEAPI started task must specify SECURE='false' as startup
    argument. When false, the RSEAPI started task is responsible
    for managing HTTPS encrypted communication. Valid values are
    true and false. The default value is false.
    Note: RSE API currently cannot detect if AT-TLS is actually
          encrypting the communication. It is up to the system
          administrator to ensure this is the case when
          RSEAPI_USING_ATTLS is set to true.

  #RSEAPI_SSL_CIPHERS=
    A comma (,) separated list of encryption cipher suites that
    are allowed for HTTPS encrypted communication. Valid values
    are defined by the IBMJSSE2 security provider and are
    documented in the Security Guide of IBM SDK, Java Technology.
    The default depends on the encryption protocol selected with
    variable RSEAPI_SSL_ENABLED_PROTOCOLS.
    Note: This variable is not used when the RSEAPI started task
          specifies SECURE='false' as startup argument.

  ****************************************************************
  * Affected function: configuration                             *
  ****************************************************************
  * Description: new environment variables                       *
  ****************************************************************
  * Timing: post-APPLY                                           *
  ****************************************************************
  * Part: /usr/lpp/IBM/rseapi/tomcat.base/samples/rseapi.env     *
  *       [/etc/zexpl/rseapi.env]                                *
  ****************************************************************
  This fix updated sample file rseapi.env.
  Redo your customizations, if any, after applying this
  maintenance.
  ).
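
The pre-APPLY action in the UI90927 hold above can be checked from the z/OS UNIX shell before the fix is applied. The following function is an added example, not part of IBM's instructions; it assumes rseapi.env holds plain VAR=value lines, and the function names and finding labels are illustrative.

```sh
#!/bin/sh
# Added example (not IBM code): pre-APPLY check for the UI90927 default change.

# last_value FILE VAR: value of the last uncommented VAR=value line, quotes removed.
last_value() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# check_rseapi_env ENVFILE OLD_KEYSTORE
#   ENVFILE       your customized rseapi.env
#   OLD_KEYSTORE  resolved path of $RSEAPI_CFG/rseapi_crypto/keystore (old default)
# Prints OK, or a space-separated list of findings (labels are illustrative).
check_rseapi_env() {
  ks_file=$(last_value "$1" RSEAPI_KEYSTORE_FILE)
  ks_type=$(last_value "$1" RSEAPI_KEYSTORE_TYPE)
  attls=$(last_value "$1" RSEAPI_USING_ATTLS)
  findings=""
  # A key store file at the old default location, with no explicit setting,
  # means the site relies on defaults that this fix changes to a SAF key ring.
  if [ -f "$2" ]; then
    if [ -z "$ks_file" ]; then findings="$findings ADD_RSEAPI_KEYSTORE_FILE"; fi
    if [ -z "$ks_type" ]; then findings="$findings ADD_RSEAPI_KEYSTORE_TYPE"; fi
  fi
  # RSE API cannot detect whether AT-TLS really encrypts; flag it for manual
  # review of the AT-TLS policy and of SECURE='false' on the started task.
  if [ "$attls" = "true" ]; then findings="$findings VERIFY_ATTLS_POLICY"; fi
  findings=${findings# }
  echo "${findings:-OK}"
}

# Constructed sample: a pre-fix rseapi.env that never names its key store.
demo() {
  dir=${TMPDIR:-/tmp}/rseapi_demo.$$
  mkdir -p "$dir/rseapi_crypto" || return 1
  : > "$dir/rseapi_crypto/keystore"
  cat > "$dir/rseapi.env" <<'EOF'
# constructed sample, not a real configuration
#RSEAPI_USING_ATTLS=false
RSEAPI_KEYRING=SAF.ring
EOF
  check_rseapi_env "$dir/rseapi.env" "$dir/rseapi_crypto/keystore"
  rm -rf "$dir"
}
demo
```

An ADD_ finding means the corresponding old default (RSEAPI_KEYSTORE_FILE or RSEAPI_KEYSTORE_TYPE) should be written explicitly into rseapi.env, as the hold text describes, before the fix is applied.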

Perform SMP/E ACCEPT for the prerequisites

SMP/E ACCEPT the prerequisites to facilitate an easy backout of the fix, if required. Note that once accepted, you cannot back out the accepted prerequisites.

This step can be skipped if there are no prerequisites, or if there is a reason to not make a prerequisite permanent.

You can accept the prerequisites by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.

//*
//* Change #globalcsi to the data set name of your global CSI.
//* Change #dzone to your CSI distribution zone name.
//*
//ACCEPT   EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=OLD,DSN=#globalcsi
//SMPCNTL  DD *
   SET BOUNDARY(#dzone) .
   ACCEPT SELECT(
   ) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR).
//*

Perform SMP/E RECEIVE and APPLY for the fix

SMP/E RECEIVE and APPLY the fix.

You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.

//*
//* Change #hlq to the high level qualifier used to upload the fix.
//* Change (2x) #globalcsi to the data set name of your global CSI.
//* Change #tzone to your CSI target zone name.
//*
//         SET HLQ=#hlq
//*
//RECEIVE  EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=OLD,DSN=#globalcsi
//SMPPTFIN DD DISP=SHR,DSN=&HLQ..IBM.HAMA110.UI99157
//SMPCNTL  DD *
   SET BOUNDARY(GLOBAL) .
   RECEIVE SELECT(
     UI99157
   ) SYSMODS LIST .
//*
//APPLY    EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=OLD,DSN=#globalcsi
//SMPCNTL  DD *
   SET BOUNDARY(#tzone) .
   APPLY SELECT(
     UI99157
   ) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR).
//*

Restart started tasks to activate changes

Restart started tasks to activate changes.