The fix is shipped as file IBM.HHOP801.UI19415
The fix has rework (build) date 2014189 (8 Jul 2014)
The following fixes are prerequisites for this fix:
These prerequisites can be downloaded from the Developer for System z Recommended Fixes page, if not included as file IBM.HHOP801.<prereq>.
Steps required to install the fix:
A sequential data set must be allocated on the z/OS system to receive the fix that you will upload from your workstation. You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
//ALLOC EXEC PGM=IEFBR14 //* //UI19415 DD DSN=hlq.IBM.HHOP801.UI19415, // DISP=(NEW,CATLG,DELETE), // DSORG=PS, // RECFM=FB, // LRECL=80, // UNIT=SYSALLDA, //* VOL=SER=volser, //* BLKSIZE=6160, // SPACE=(TRK,(92,10)) //*
Upload the file in binary format from your workstation to the z/OS data set. On a Windows system, you can use FTP from a command prompt to upload the file. In the sample dialog shown below, commands or other information entered by the user are in bold, and the following values are assumed:
| User enters: | Values |
|---|---|
| mvsaddr | TC P/IP address of the z/OS system |
| tsouid | Your TSO user ID |
| tsopw | Your TSO password |
| d: | Your drive containing the fix files |
| hlq | High-level qualifier that you used for the data set that you allocated in the job above |
C:\>ftp mvsaddr Connected to mvsaddr. 220-FTPD1 IBM FTP CS %version% at mvsaddr, %time% on %date%. 220 Connection will close if idle for more than 60 minutes. User (mvsaddr:(none)): tsouid 331 Send password please. Password: tsopw 230 tsouid is logged on. Working directory is "tsouid.". ftp> cd .. 250 "" is the working directory name prefix. ftp> cd hlq 250 "hlq." is the working directory name prefix. ftp> binary 200 Representation type is Image ftp> put d:\IBM.HHOP801.UI19415 200 Port request OK. 125 Storing data set hlq.IBM.HHOP801.UI19415 250 Transfer completed successfully 5104160 bytes sent in 0.28 seconds ftp> quit 221 Quit command received. Goodbye.
++HOLD(UI19415) SYS FMID(HHOP801) REASON(ACTION) DATE(14189)
COMMENT
(****************************************************************
* Affected function: audit *
****************************************************************
* Description: additional audit records *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: n/a *
****************************************************************
This fix introduces new audit records that track z/OS UNIX
activity.
* File access (read, write, create, delete, rename)
* Execution of z/OS UNIX commands
****************************************************************
* Affected function: CARMA *
****************************************************************
* Description: CA Endevor(R) SCM VSAM update *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: SFEKVSM2(CRA0VCAD) *
****************************************************************
This maintenance updates the CRADEF VSAM data set
used by the Developer for System z interface to CA Endevor(R).
To apply these changes to your active VSAM data set, resubmit
the customized SFEKSAMP(CRA$VCAD).
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: /usr/lpp/rdz/samples/rsed.envvars *
* [/etc/rdz/rsed.envvars] *
****************************************************************
This fix updates the sample rsed.envvars by adding the
following optional directives:
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.saf.check=true"
Verify access permits before accessing a data set. The default
value is false. Uncomment and specify true if you want RSE to
call your security product before accessing a data set to avoid
S913 abends (access denied). RSE itself recovers from an S913
abend, but Language Environment (LE) does count the S913 abend
if you specify a non-zero value for the ERRCOUNT LE option.
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.dDVIPA=true"
Enable distributed dynamic VIPA support. The default value is
false. Uncomment and specify true if you want to use RSE in a
distributed dynamic VIPA setup.
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: /usr/lpp/rdz/samples/rsed.envvars *
* [/etc/rdz/rsed.envvars] *
****************************************************************
This fix updated sample file rsed.envvars.
Redo your customizations, if any, after applying this
maintenance.
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: /usr/lpp/rdz/samples/rsed.envvars *
* [/etc/rdz/rsed.envvars] *
****************************************************************
This fix updates the sample rsed.envvars by adding the
following optional directives:
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlog.file.mode=RW.N.N"
Access permission mask for log files and log directories. The
default is RW.N.N, which allows the owner read and write access.
The owner's default group and everyone else have no access. To
set the required access permissions, uncomment and customize.
UNIX standards dictate that permissions can be set for three
types of users: owner, group, and other. The fields in this
variable match this order, and the fields are separated by a
period (.). Each field can be empty (which equals N), or have
N, R, W, or RW as values, where N = none, R = read and W =
write.
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dlog.secure.mode=true"
Validate log-directory ownership. The default is false, which
skips the test where RSE validates that a user (RSE daemon
itself or a client user ID) is the owner of the directory in
which the logs will be written. Uncomment and specify true to
enable the directory ownership test and write the log files only
if it is successful. Console message FEK301E is issued when the
test is not successful.
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: /usr/lpp/rdz/samples/rsed.envvars *
* [/etc/rdz/rsed.envvars] *
****************************************************************
This fix updated sample file rsed.envvars.
Redo your customizations, if any, after applying this
maintenance.
****************************************************************
* Affected function: console messages *
****************************************************************
* Description: new message, FEK301E, FEK303E, FEK304W, FEK305E *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: n/a *
****************************************************************
This maintenance introduces new console messages
FEK301E = {0} (uid:{1}) does not own the directory of {2}
(file_owner uid:{3})
FEK303E = The symbolic link, {0}, cannot be used as a log
directory
When rsed.envvars variable log.secure.mode is enabled, RSE will
validate that a user (client or RSE itself) owns the directory
in which log files will be written, and that the log directory
is not a symbolic link. These messages are issued when the
related test fails.
FEK304W Invalid {0}, {1}, was specified. The default mode, {3},
is used instead.
RSE will issue this message when an inviled file permission
mask is specified in rsed.envvars.
FEK305E The ID, {0}, does not have appropriate privileges to
access {1}.
RSE will issue this message when it cannot access a log
directory.
****************************************************************
* Affected function: log files *
****************************************************************
* Description: new script to update log file access permits *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: FEK.SFEKSAMP(FEKPBITS) *
* [FEK.#CUST.JCL(FEKPBITS)] *
****************************************************************
This maintenance adds a new sample JCL, SFEKSAMP(FEKPBITS),
which can be used to update existing log file permissions.
It is intended to update an existing log infrastructure so all
slog files comply with the new, more secure, file access permits).
SMP/E ACCEPT the prerequisites to facilitate an easy backout of the fix, if required. Note that once accepted, you cannot backout the accepted prerequisites.
This step can be skipped if there are no prerequisites, or if there is a reason to not make a prerequisite permanent.
You can accept the prerequisites by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
//*
//* Change #globalcsi to the data set name of your global CSI.
//* Change #dzone to your CSI distribution zone name.
//*
//ACCEPT EXEC PGM=GIMSMP,REGION=0M
//SMPCSI DD DISP=OLD,DSN=#globalcsi
//SMPCNTL DD *
SET BOUNDARY(#dzone) .
ACCEPT SELECT(
UK96308
UK90246
UK81498
UK77465
UK76573
UK72577
UK67739
) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR).
//*
SMP/E RECEIVE and APPLY the fix.
You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
//* //* Change hlq to the high level qualifier used to upload the fix. //* Change (2x) #globalcsi to the data set name of your global CSI. //* Change #tzone to your CSI target zone name. //* //RECEIVE EXEC PGM=GIMSMP,REGION=0M //SMPCSI DD DISP=OLD,DSN=#globalcsi //SMPPTFIN DD DISP=SHR,DSN=hlq.IBM.HHOP801.UI19415 //SMPCNTL DD * SET BOUNDARY(GLOBAL) . RECEIVE SELECT(UI19415) SYSMODS LIST . //* //APPLY EXEC PGM=GIMSMP,REGION=0M //SMPCSI DD DISP=OLD,DSN=#globalcsi //SMPCNTL DD * SET BOUNDARY(#tzone) . APPLY SELECT(UI19415) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR). //*
Restart started tasks to activate changes.