The fix is shipped as file IBM.HAMA110.UO03034
The fix has rework (build) date 2025122 (2 May 2025)
The following fixes are prerequisites for this fix:
The following fixes are corequisites for this fix:
The following fixes are superseded by this fix:
AH50505 AH53200 AH55137 AH57572 AH58778 AH60239 AH60820 AH61781 AH61950 AH65511 AH65787 AH66382 UI83055 UI90927 UI92232 UI94020 UI94895 UI96011 UI96491 UI97241 UI99157 UO02347Steps required to install the fix:
A sequential data set must be allocated on the z/OS system to receive the fix that you will upload from your workstation. You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
// SET HLQ=#hlq //* //ALLOC EXEC PGM=IEFBR14 //UO03034 DD DSN=&HLQ..IBM.HAMA110.UO03034, // DISP=(NEW,CATLG,DELETE), // DSORG=PS, // RECFM=FB, // LRECL=80, // UNIT=SYSALLDA, //* VOL=SER=volser, //* BLKSIZE=6160, // SPACE=(TRK,(876,170)) //*
Upload the file in binary format from your workstation to the z/OS data set. On a Windows system, you can use FTP from a command prompt to upload the file. In the sample dialog shown below, commands or other information entered by the user are in bold, and the following values are assumed:
| User enters: | Values |
|---|---|
| mvsaddr | TCP/IP address of the z/OS system |
| tsouid | Your TSO user ID |
| tsopw | Your TSO password |
| d: | Your drive containing the fix files |
| hlq | High-level qualifier that you used for the data set that you allocated in the job above |
C:\>ftp mvsaddr Connected to mvsaddr. 220-FTPD1 IBM FTP CS %version% at mvsaddr, %time% on %date%. 220 Connection will close if idle for more than 60 minutes. User (mvsaddr:(none)): tsouid 331 Send password please. Password: tsopw 230 tsouid is logged on. Working directory is "tsouid.". ftp> cd .. 250 "" is the working directory name prefix. ftp> cd hlq 250 "hlq." is the working directory name prefix. ftp> binary 200 Representation type is Image ftp> put d:\IBM.HAMA110.UO03034 200 Port request OK. 125 Storing data set hlq.IBM.HAMA110.UO03034 250 Transfer completed successfully 48340720 bytes sent in 0.28 seconds ftp> quit 221 Quit command received. Goodbye.
++HOLD(UO03034) SYSTEM FMID(HAMA110) REASON(ACTION) DATE(25122)
COMMENT(
****************************************************************
* Affected function: RSEAPI *
****************************************************************
* Description: started task JCL update *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: HUH.SHUHSAMP(HUHSTC) *
* ÝHUH.#CUST.PROCLIB(RSEAPI)¨ *
****************************************************************
This fix updates the RSEAPI started task JCL procedure. Instead
of BPXBATCH, now BPXBATSL is used to start the server.
Without this change, the console listener is spawned in a child
address space, RSEAPI1, so to stop the server you must issue
operator command STOP RSEAPI1 for RSEAPI to see the request.
With this change, the console listener is active in the RSEAPI
address space, so you can issue STOP RSEAPI, as expected.
).
++HOLD(UI97241) SYSTEM FMID(HAMA110) REASON(ACTION) DATE(24162)
COMMENT(
****************************************************************
* Affected function: security setup *
****************************************************************
* Description: add permit for z/OS UNIX kill command *
* add permit for running server in batch *
* add permit for Administrator API usage *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: FEK.SFEKSAMP(FEKRACF) *
****************************************************************
This fix introduces the following permit for the started task:
# define permit to remove RSE-managed but user-owned processes
RDEFINE UNIXPRIV SUPERUSER.PROCESS.KILL UACC(NONE) -
DATA('OVERRIDE KILL PROCESS RESTRICTIONS')
PERMIT SUPERUSER.PROCESS.KILL CLASS(UNIXPRIV) ACCESS(READ) -
ID(STCAPI)
SETROPTS RACLIST(UNIXPRIV) REFRESH
RLIST UNIXPRIV SUPERUSER.PROCESS.KILL ALL
# allow RSE API to start as job instead of STC
RDEFINE FACILITY HUH.START.BATCH.*.** UACC(NONE) -
DATA('start RSE API in batch')
# uncomment permit to allow batch startup
# PERMIT HUH.START.BATCH.*.** CLASS(FACILITY) ACCESS(READ) -
ID(STCAPI)
SETROPTS RACLIST(FACILITY) REFRESH
RLIST FACILITY HUH.START.BATCH.*.** ALL
This fix introduces the following permit for RSE API admins:
RDEFINE FACILITY HUH.API.ADMIN.CMD UACC(NONE) -
DATA('ZEXPL - RSE API administrator')
PERMIT HUH.API.ADMIN.CMD CLASS(FACILITY) ACCESS(READ) -
ID(#admin)
SETROPTS RACLIST(FACILITY) REFRESH
RLIST FACILITY HUH.API.ADMIN.CMD ALL
).
++HOLD(UI94020) SYSTEM FMID(HAMA110) REASON(ACTION) DATE(23289)
COMMENT(
****************************************************************
* Affected function: configuration *
****************************************************************
* Description: new environment variable *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: tomcat.base/samples/rseapi.env *
* {/etc/zexpl/rseapi.env} *
****************************************************************
This fix updates the sample rseapi.env by adding the
following optional directives:
#RSEAPI_SAF_JWT=true
Enables the support (provision and validation) of SAF JSON Web
Tokens (JWTs). The default is true. Set it to false to disable
the feature.
Note:
*z/OS Explorer SAF JWT support must be set up for this feature
to work. See Define SAF JSON Web Token (JWT) support for RSE
in the z/OS Explorer Host Configuration Guide for
configuration instructions.
*Support for SAF JWT requires z/OS 2.4 or higher.
Redo your customizations, if any, after applying this
maintenance.
).
++HOLD(UI90927) SYSTEM FMID(HAMA110) REASON(ACTION) DATE(23073)
COMMENT(
****************************************************************
* Affected function: configuration *
****************************************************************
* Description: add support for SAF key ring and AT-TLS *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/rseapi/tomcat.base/samples/rseapi.env *
* Ý/etc/zexpl/rseapi.env¨ *
****************************************************************
This fix changes configuration of HTTPS encrypted communication.
It adds support for storing certificates in a SAF keyring, and
adds support for using AT-TLS to manage encrypted communication.
The existing usage of a key store file is still supported, but
deprecated.
Using a SAF key ring is the new default, which changes the
default values of these rseapi.env variables:
- RSEAPI_KEYSTORE_FILE
"$RSEAPI_CFG/rseapi_crypto/keystore" becomes
"safkeyring://$(id -un)/$RSEAPI_KEYRING"
- RSEAPI_KEYSTORE_PASS
"" becomes "password"
- RSEAPI_KEYSTORE_TYPE
"JKS" becomes "JCERACFKS"
If you are currently using a key store file to enable HTTPS
encrypted communication, you might rely on RSEAPI_KEYSTORE_FILE
and RSEAPI_KEYSTORE_TYPE holding the old default values. If so,
explicitly add these definitions to rseapi.env to ensure that
your current setup continues to work after applying this fix.
RSEAPI_KEYSTORE_FILE=$RSEAPI_CFG/rseapi_crypto/keystore
RSEAPI_KEYSTORE_TYPE=JKS
****************************************************************
* Affected function: configuration *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/rseapi/tomcat.base/samples/rseapi.env *
* Ý/etc/zexpl/rseapi.env¨ *
****************************************************************
This fix updates the sample rseapi.env by adding the
following optional directives:
RSEAPI_KEYRING=SAF.ring
Specifies the name of the SAF key ring that holds the server
certificate and private key for HTTPS encrypted communication.
The default value is SAF.ring.
Note: This variable is not used when the RSEAPI started task
specifies SECURE='false' as startup argument.
#RSEAPI_USING_ATTLS=false
When true, this variable specifies that Application
Transparent Transport Layer Security (AT-TLS) is responsible
for managing HTTPS encrypted communication, in which case the
RSEAPI started task must specify SECURE='false' as startup
argument. When false, the RSEAPI started task is responsible
for managing HTTPS encrypted communication. Valid values are
true and false. The default value is false.
Note: RSE API currently cannot detect if AT-TLS is actually
encrypting the communication. It is up to the system
administrator to ensure this is the case when
RSEAPI_USING_ATTLS is set to true.
#RSEAPI_SSL_CIPHERS=
A comma (,) separated list of encryption cipher suites that
are allowed for HTTPS encrypted communication. Valid values
are defined by the IBMJSSE2 security provider and are
documented in the Security Guide of IBM SDK, Java Technology.
The default depends on the encryption protocol selected with
variable RSEAPI_SSL_ENABLED_PROTOCOLS.
Note: This variable is not used when the RSEAPI started task
specifies SECURE='false' as startup argument.
****************************************************************
* Affected function: configuration *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: /usr/lpp/IBM/rseapi/tomcat.base/samples/rseapi.env *
* Ý/etc/zexpl/rseapi.env¨ *
****************************************************************
This fix updated sample file rseapi.env.
Redo your customizations, if any, after applying this
maintenance.
).
SMP/E ACCEPT the prerequisites to facilitate an easy backout of the fix, if required. Note that once accepted, you cannot backout the accepted prerequisites.
This step can be skipped if there are no prerequisites, or if there is a reason to not make a prerequisite permanent.
You can accept the prerequisites by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
//* //* Change #globalcsi to the data set name of your global CSI. //* Change #dzone to your CSI distribution zone name. //* //ACCEPT EXEC PGM=GIMSMP,REGION=0M //SMPCSI DD DISP=OLD,DSN=#globalcsi //SMPCNTL DD * SET BOUNDARY(#dzone) . ACCEPT SELECT( ) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR). //*
SMP/E RECEIVE and APPLY the fix.
You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
//*
//* Change #hlq to the high level qualifier used to upload the fix.
//* Change (2x) #globalcsi to the data set name of your global CSI.
//* Change #tzone to your CSI target zone name.
//*
// SET HLQ=#hlq
//*
//RECEIVE EXEC PGM=GIMSMP,REGION=0M
//SMPCSI DD DISP=OLD,DSN=#globalcsi
//SMPPTFIN DD DISP=SHR,DSN=&HLQ..IBM.HAMA110.UO03034
//SMPCNTL DD *
SET BOUNDARY(GLOBAL) .
RECEIVE SELECT(
UO03034
) SYSMODS LIST .
//*
//APPLY EXEC PGM=GIMSMP,REGION=0M
//SMPCSI DD DISP=OLD,DSN=#globalcsi
//SMPCNTL DD *
SET BOUNDARY(#tzone) .
APPLY SELECT(
UO03034
) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR).
//*
Restart started tasks to activate changes.