The fix is shipped as file IBM.HHOP900.UI28242
The fix has rework (build) date 2015155 (4 Jun 2015)
The following fixes are prerequisites for this fix: UI20613, UI14892, and UI13095 (the sysmods selected in the SMP/E ACCEPT job below).
These prerequisites can be downloaded from the Developer for System z Recommended Fixes page, if not included as file IBM.HHOP900.<prereq>.
Steps required to install the fix:
A sequential data set must be allocated on the z/OS system to receive the fix that you will upload from your workstation. You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
//ALLOC    EXEC PGM=IEFBR14
//*
//UI28242  DD DSN=hlq.IBM.HHOP900.UI28242,
//            DISP=(NEW,CATLG,DELETE),
//            DSORG=PS,
//            RECFM=FB,
//            LRECL=80,
//            UNIT=SYSALLDA,
//*           VOL=SER=volser,
//*           BLKSIZE=6160,
//            SPACE=(TRK,(139,20))
//*
Upload the file in binary format from your workstation to the z/OS data set. On a Windows system, you can use FTP from a command prompt to upload the file. In the sample dialog shown below, the commands and other information entered by the user follow the C:\> and ftp> prompts (and the User and Password prompts), and the following placeholder values are assumed:
| Placeholder | Value |
|---|---|
| mvsaddr | TCP/IP address of the z/OS system |
| tsouid | Your TSO user ID |
| tsopw | Your TSO password |
| d: | Your drive containing the fix files |
| hlq | High-level qualifier that you used for the data set that you allocated in the job above |
C:\>ftp mvsaddr
Connected to mvsaddr.
220-FTPD1 IBM FTP CS %version% at mvsaddr, %time% on %date%.
220 Connection will close if idle for more than 60 minutes.
User (mvsaddr:(none)): tsouid
331 Send password please.
Password: tsopw
230 tsouid is logged on.  Working directory is "tsouid.".
ftp> cd ..
250 "" is the working directory name prefix.
ftp> cd hlq
250 "hlq." is the working directory name prefix.
ftp> binary
200 Representation type is Image
ftp> put d:\IBM.HHOP900.UI28242
200 Port request OK.
125 Storing data set hlq.IBM.HHOP900.UI28242
250 Transfer completed successfully
7735760 bytes sent in 0.28 seconds
ftp> quit
221 Quit command received. Goodbye.
Note that a plain FTP session sends the TSO password in the clear; use a TLS-secured FTP session or another encrypted transfer method if your site provides one. After the transfer, verify that the byte count reported by FTP (7735760 in the dialog above) matches the size of the fix file on your workstation before you RECEIVE it.
++HOLD(UI28242) SYS FMID(HHOP900) REASON(ACTION) DATE(15155)
COMMENT
(****************************************************************
* Affected function: Integrated Debugger *
****************************************************************
* Description: block insecure ciphers in AT-TLS *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: n/a *
****************************************************************
By default Rational Developer for System z relies on System SSL
defaults for active cipher suites. System SSL enables some
ciphers that are now known to be insecure.
The DH and DHE ciphers are (Logjam attack):
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (13 or 0013)
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (32 or 0032)
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (40 or 0040)
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (A2 or 00A2)
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (38 or 0038)
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (6A or 006A)
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (A3 or 00A3)
TLS_DHE_DSS_WITH_DES_CBC_SHA (12 or 0012)
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (16 or 0016)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (33 or 0033)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (67 or 0067)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (9E or 009E)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (39 or 0039)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (6B or 006B)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (9F or 009F)
TLS_DHE_RSA_WITH_DES_CBC_SHA (15 or 0015)
The RC4 ciphers are (Bar Mitzvah attack):
TLS_RSA_EXPORT_WITH_RC4_40_MD5 ("03" or "0003")
TLS_RSA_WITH_RC4_128_MD5 ("04" or "0004")
TLS_RSA_WITH_RC4_128_SHA ("05" or "0005")
TLS_ECDH_ECDSA_WITH_RC4_128_SHA ("C002")
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ("C007")
TLS_ECDH_RSA_WITH_RC4_128_SHA ("C00C")
TLS_ECDHE_RSA_WITH_RC4_128_SHA ("C011")
The RSA-EXPORT ciphers are (FREAK attack):
TLS_RSA_EXPORT_WITH_RC4_40_MD5 ("03" or "0003")
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 ("06" or "0006")
Rational Developer for System z has two components that utilize
System SSL:
* RSE, which is used when a client connects to the host.
Applying this service will disable the listed ciphers in RSE.
* Debug Manager, which is secured by means of an AT-TLS policy.
You must create a file holding the GSK_V3_CIPHER_SPECS
environment variable and reference it via the Envfile keyword
in the TTLSGroupAdvancedParms section of the policy.
You can also explicitly disable the usage of the listed ciphers
by adding the GSK_V3_CIPHER_SPECS environment variable to
rsed.envvars and to the AT-TLS Envfile, ensuring that the
environment variable value does not include the 2-character
identifiers "12", "13", "15", "16", "32", "33", "38", "39",
"40", "67", "6A", "6B", "9E", "9F", "A2", "A3", or "A4" of the
DH and DHE ciphers, nor "03", "04", "05", or "06" of the RC4 and
RSA-EXPORT ciphers. If you use GSK_V3_CIPHER_SPECS_EXPANDED
(4-character identifiers) instead, exclude the 4-character forms
of the same ciphers, including "C002", "C007", "C00C", and
"C011", which have no 2-character form.
Notes:
* The RSED started task must be recycled for changes in
rsed.envvars to be picked up.
* The AT-TLS policy must be re-activated for the update to be
picked up.
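As an added example (not part of this fix's hold text or of Rational Developer for System z), the following Python script audits the GSK_V3_CIPHER_SPECS and GSK_V3_CIPHER_SPECS_EXPANDED values in a copy of rsed.envvars or the AT-TLS Envfile against the cipher suites listed above. It handles both the 2-character and the 4-character System SSL identifier forms, rejects a malformed value whose length is not a multiple of the identifier width, and returns a sanitized value that keeps the remaining suites in their original order. The Envfile content it scans is constructed for the example; the blocked set is taken from the identifiers given above.

```python
"""Audit a System SSL cipher specification against the suites this fix blocks.

Added example, not part of the fix or of Rational Developer for System z.
Run it on a workstation against a copy of rsed.envvars or the AT-TLS
Envfile; nothing here talks to the host.
"""

# 4-character (IANA) identifiers of the suites named in the hold text.
# GSK_V3_CIPHER_SPECS uses the 2-character form, which is the 4-character
# form without its leading "00"; ECC suites (C0xx) exist only in the
# 4-character form used by GSK_V3_CIPHER_SPECS_EXPANDED.
LOGJAM_DH_DHE = {
    "0012", "0013", "0015", "0016", "0032", "0033", "0038", "0039",
    "0040", "0067", "006A", "006B", "009E", "009F", "00A2", "00A3",
    "00A4",  # TLS_DH_DSS_WITH_AES_128_GCM_SHA256, static DH
}
BAR_MITZVAH_RC4 = {"0003", "0004", "0005", "C002", "C007", "C00C", "C011"}
FREAK_RSA_EXPORT = {"0003", "0006"}
BLOCKED = LOGJAM_DH_DHE | BAR_MITZVAH_RC4 | FREAK_RSA_EXPORT


def split_codes(spec, expanded=False):
    """Split a cipher spec string into its fixed-width identifiers.

    A value whose length is not a multiple of the identifier width is
    malformed and would not mean what its author intended, so refuse it
    instead of silently truncating.
    """
    width = 4 if expanded else 2
    spec = spec.strip().upper()
    if not spec or len(spec) % width:
        raise ValueError(f"cipher spec {spec!r} is not a multiple of {width} characters")
    return [spec[i:i + width] for i in range(0, len(spec), width)]


def to_iana(code):
    """Normalize a 2- or 4-character System SSL identifier to the 4-character form."""
    return code if len(code) == 4 else "00" + code


def audit_cipher_spec(spec, expanded=False):
    """Return (sanitized_spec, removed_codes) for one cipher spec value.

    The sanitized value keeps the caller's order and identifier width, so it
    can be pasted straight back into rsed.envvars or the Envfile.
    """
    kept, removed = [], []
    for code in split_codes(spec, expanded):
        (removed if to_iana(code) in BLOCKED else kept).append(code)
    return "".join(kept), removed


def audit_envfile(text):
    """Scan KEY=VALUE lines (rsed.envvars or AT-TLS Envfile style).

    Returns {variable_name: (sanitized_value, removed_codes)} for every
    GSK_V3_CIPHER_SPECS / GSK_V3_CIPHER_SPECS_EXPANDED assignment found.
    Comment lines and unrelated variables are ignored.
    """
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name, value = name.strip(), value.strip().strip('"')
        if name == "GSK_V3_CIPHER_SPECS":
            findings[name] = audit_cipher_spec(value, expanded=False)
        elif name == "GSK_V3_CIPHER_SPECS_EXPANDED":
            findings[name] = audit_cipher_spec(value, expanded=True)
    return findings


# Constructed sample Envfile for the example; not a shipped configuration.
SAMPLE_ENVFILE = """\
# AT-TLS Envfile for the Debug Manager (constructed example)
GSK_V3_CIPHER_SPECS=352F0A383904
GSK_V3_CIPHER_SPECS_EXPANDED=C02FC030009E0035
"""

if __name__ == "__main__":
    for name, (clean, dropped) in audit_envfile(SAMPLE_ENVFILE).items():
        status = "OK" if not dropped else f"blocked suites present: {' '.join(dropped)}"
        print(f"{name}: {status}")
        if dropped:
            print(f"  use instead: {name}={clean}")
```

Run the script against the real file and paste the sanitized value back into rsed.envvars or the Envfile; then recycle RSED or re-activate the AT-TLS policy as described in the notes above so that the new value is picked up.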
****************************************************************
* Affected function: CA Endevor SCM(R) interface *
****************************************************************
* Description: new option *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: FEK.#CUST.PARMLIB(CRACFG) *
* [FEK.SFEKSAMP(CRACFG)] *
****************************************************************
This fix updates configuration file CRACFG, which is used by
Edit support for CA Endevor SCM(R).
# ALTERNATIVE-ALLOC
Uncomment to use an alternative allocation mechanism for those
situations where the data sets that are being created for use
by the client are locked exclusively by the CARMA server.
****************************************************************
* Affected function: CA Endevor SCM(R) interface *
****************************************************************
* Description: new option *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: FEK.#CUST.PARMLIB(CRACFG) *
* [FEK.SFEKSAMP(CRACFG)] *
****************************************************************
This fix updates configuration file CRACFG, which is used by
Package Editor for CA Endevor SCM(R).
PACKAGE-EDITING-OPTION = READONLY
PACKAGE-EDITING-OPTION = DISABLED
Uncomment one of the options if you need to restrict how
CA Endevor(R) Packages are processed.
Set the PACKAGE-EDITING-OPTION to READONLY to force the
Developer for System z Packages Editor to only open a Package
in browse mode.
Set the PACKAGE-EDITING-OPTION to DISABLED to prevent a
Package from being opened in the Developer for System z
Packages Editor.
SCL-REQUIRED = YES
Uncomment to require that an SCL template must be present to
edit a CA Endevor(R) Package.
SCL-DATASET-TEMPLATE = FEK.#CUST.PARMLIB(CRASCL)
Uncomment and specify the name of a template SCL if some
actions or some parameters are not allowed when CA Endevor(R)
Packages are processed. The template SCL can be a sequential
data set or a member.
The template SCL must list the valid actions and options.
Other information in the template SCL, like element name or
environment, is ignored by the Developer for System z Packages
Editor.
****************************************************************
* Affected function: CA Endevor SCM(R) interface *
****************************************************************
* Description: new option *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: FEK.#CUST.PARMLIB(CRASCL) *
* [FEK.SFEKSAMP(CRASCL)] *
****************************************************************
This fix defines a sample SCL template, CRASCL, which is used by
Package Editor for CA Endevor SCM(R).
When used, this template SCL will limit which actions and
options are allowed when CA Endevor(R) Packages are processed.
The template SCL must list the valid actions and options.
Actions and options that are not listed will not be allowed to
be specified in the Developer for System z Packages Editor.
Other information in the template SCL, like environment or
element name, is ignored by the Developer for System z Packages
Editor.
For example, in order to prevent an action from being accessed
in the Packages Editor, that action would be removed from the
SCL template.
In order to prevent an OPTIONS parameter from being used in
certain actions, this OPTIONS parameter would be removed from
the template SCL for these actions. Other OPTIONS parameters
would continue to be allowed, if they are specified in the
template SCL.
Note for mutually exclusive OPTIONS parameters:
For actions that have OPTIONS parameters that are mutually
exclusive (for example, SEARCH and NOSEARCH), the action is
specified more than once in the template SCL, once for each of
the OPTIONS parameters that cannot be combined with the other.
There is no need to repeat the non-exclusive OPTIONS parameters
for each occurrence of the action.
For example, if an action accepts SEARCH and NOSEARCH as OPTIONS
parameters, the action is specified once with the SEARCH
parameter and all other non-exclusive parameters, and once with
the NOSEARCH parameter without the non-exclusive parameters.
****************************************************************
* Affected function: console messages *
****************************************************************
* Description: changed message, FEK800S *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: n/a *
****************************************************************
This maintenance adds a new console message:
FEK800S = client_userid abend_message
The message is issued when a client action causes an abend.
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: /usr/lpp/rdz/samples/rsed.envvars *
* [/etc/rdz/rsed.envvars] *
****************************************************************
This fix updates the sample rsed.envvars by adding the
following optional directives:
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.errcount=true"
Limit the resource usage of non-indexed file and text
searches. The default is false (no limit). Uncomment and
specify true to stop a search before it exceeds a non-zero
Language Environment (LE) ERRCOUNT value.
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.scanned_objects=0"
Limit the resource usage of non-indexed file and text
searches. The default is 0 (no limit). Uncomment and customize
this directive to stop a search after the specified number of
objects (data set or PDS(E) member) has been scanned.
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: removed environment variables *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: /usr/lpp/rdz/samples/rsed.envvars *
* [/etc/rdz/rsed.envvars] *
****************************************************************
This fix updates the sample rsed.envvars by REMOVING the
following optional directives:
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Denable.saf.check=true"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DRSE_DSICALL=TSO"
#_RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dsearch.server.limit.datasets=0"
****************************************************************
* Affected function: RSE *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: /usr/lpp/rdz/samples/rsed.envvars *
* [/etc/rdz/rsed.envvars] *
****************************************************************
This fix updated sample file rsed.envvars.
Redo your customizations, if any, after applying this
maintenance.
****************************************************************
* Affected function: error feedback *
****************************************************************
* Description: moving allocation script *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: FEK.SFEKPROC(FEKFERRF) *
* Part: /usr/lpp/rdz/bin/fekferrf.rex *
****************************************************************
After applying this change, the FEK.SFEKPROC(FEKFERRF)
allocation exec is no longer used. /usr/lpp/rdz/bin/fekferrf.rex
is used instead.
If you have customized SFEKPROC(FEKFERRF), you must redo your
customizations in /usr/lpp/rdz/bin/fekferrf.rex.
****************************************************************
* Affected function: system usage *
****************************************************************
* Description: FEKDSI no longer optional. *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: n/a *
****************************************************************
Usage of load module FEK.SFEKLPA(FEKDSI) used to be optional,
and was enabled with the RSE_DSICALL=TSO option in rsed.envvars.
The usage of FEK.SFEKLPA(FEKDSI) is now mandatory to work with
data sets, and RSE_DSICALL=TSO is no longer used.
FEK.SFEKLPA modules are assumed to be in LPA, which can be done
dynamically with operator command
SETPROG LPA,ADD,MASK=*,DSNAME=FEK.SFEKLPA
A dynamic LPA addition does not survive an IPL; to make it
permanent, also add the data set to a PROGxx (LPA ADD) or
LPALSTxx parmlib member.
Note that FEKDSI expects the REXX runtime library,
REXX.*.SEAGLPA, to be accessible. This runtime is part of the
REXX compiler, and also of the (free) Alternate Library for REXX
product package. The default alternate library name is
REXX.*.SEAGALT.
****************************************************************
* Affected function: RSED operator commands *
****************************************************************
* Description: new RSED operator command *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: n/a *
****************************************************************
This service introduces a new operator command for the RSED
started task.
MODIFY rsed,APPL=DEBUG {PROCESS | P},{STORAGE | STOR}[,PID=pid]
MODIFY rsed,APPL=DEBUG {DAEMON | D},{STORAGE | STOR}
Request an overview of current real storage usage, below and
above the 16MB line and 2GB bar.
Sample output:
F RSED,APPL=DEBUG PROCESS,STORAGE,PID=484
BPXM023I (STCRSE)
ProcessId(484 ) ASId(00C9) JobName(RSED9 ) Order(2)
below 16M line
LDASIZA 7315456 7144.0K 6.9M maximum region size
LDALIMIT 7315456 7144.0K 6.9M limit
LDAVVRG 7315456 7144.0K 6.9M getmain limit
LDALOAL 73728 72.0K 0.0M in use
LDAHIAL 253952 248.0K 0.2M LSQA/SWA/private subpools
_GAP 0 0.0K 0.0M gaps in allocation
_AVAIL 6987776 6824.0K 6.6M available including gaps
_MAX 7061504 6896.0K 6.7M current limit
above 16M line
LDAESIZA 1898971136 1854464.0K 1811.0M maximum region size
LDAELIM 1898971136 1854464.0K 1811.0M limit
LDAEVVRG 1898971136 1854464.0K 1811.0M getmain limit
LDAELOAL 639860736 624864.0K 610.2M in use
LDAEHIAL 83677184 81716.0K 79.8M ELSQA/ESWA/private subpoo
_EGAP 12288 12.0K 0.0M gaps in allocation
_EAVAIL 1175433216 1147884.0K 1120.9M available including gaps
_EMAX 1815293952 1772748.0K 1731.1M current limit
above 2G bar
RAXLVMEMLIM 17592186040320.0M NOLIMIT limit (REG=0)
RAXLVABYTES 2.0M 2.0M allocated
RAXLVHBYTES 0 0 guarded
RAXLVGBYTES 2.0M 2.0M high water mark
RAXLVNMOMB 2 # of objects
****************************************************************
* Affected function: APPC *
****************************************************************
* Description: changed environment variables *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: /usr/lpp/rdz/samples/rsed.envvars *
* [/etc/rdz/rsed.envvars] *
****************************************************************
This fix updates the sample rsed.envvars by making the
following optional directives mandatory if APPC is used to
connect to the TSO Commands service. Note that the default
connection method is the ISPF Client Gateway.
#_FEKFSCMD_PARTNER_LU_=
Specify the APPC partner LU. Specifying the APPC base LU as
partner LU is acceptable. This is a required directive for
APPC usage.
****************************************************************
* Affected function: APPC *
****************************************************************
* Description: new environment variables *
****************************************************************
* Timing: post-APPLY *
****************************************************************
* Part: /usr/lpp/rdz/samples/rsed.envvars *
* [/etc/rdz/rsed.envvars] *
****************************************************************
This fix updated sample file rsed.envvars.
Redo your customizations, if any, after applying this
maintenance.
****************************************************************
* Affected function: APPC *
****************************************************************
* Description: new security setup *
****************************************************************
* Timing: pre-APPLY *
****************************************************************
* Part: none *
****************************************************************
This fix updates how RSE authenticates with APPC, when APPC is
used to connect to the TSO Commands service. Note that the
default connection method is the ISPF Client Gateway.
RSE will now generate a passticket to do the authentication.
To do so, RSE requires additional permits, as APPC requires that
the partner-LU is used as APPLID.
The following sample RACF commands can be used to define the
additional permits. Except for the APPLID value, these commands
are identical to the passticket-related commands that allow RSE
to create passtickets for APPLID FEKAPPL.
- replace luname with the partner-LU name, as specified in
rsed.envvars variable _FEKFSCMD_PARTNER_LU_
- change key16 to a secret, randomly generated, user-provided
16-character string consisting only of these characters:
0123456789ABCDEF
- replace stcrse with the userid of the RSED started task
Note that KEYMASKED stores the key masked rather than encrypted;
if ICSF is available at your site, KEYENCRYPTED is the stronger
choice.
RDEFINE PTKTDATA luname UACC(NONE) -
DATA('RATIONAL DEVELOPER FOR SYSTEM Z') -
APPLDATA('NO REPLAY PROTECTION - DO NOT CHANGE') -
SSIGNON(KEYMASKED(key16))
RDEFINE PTKTDATA IRRPTAUTH.luname.* UACC(NONE) -
DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
PERMIT IRRPTAUTH.luname.* CLASS(PTKTDATA) ACCESS(UPDATE) -
ID(stcrse)
SETROPTS RACLIST(PTKTDATA) REFRESH
# show results
RLIST PTKTDATA luname ALL SSIGNON
RLIST PTKTDATA IRRPTAUTH.luname.* ALL).
SMP/E ACCEPT the prerequisites to facilitate an easy backout of the fix, if required. Note that once accepted, you cannot back out the accepted prerequisites.
This step can be skipped if there are no prerequisites, or if there is a reason to not make a prerequisite permanent.
You can accept the prerequisites by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
//*
//* Change #globalcsi to the data set name of your global CSI.
//* Change #dzone to your CSI distribution zone name.
//*
//ACCEPT EXEC PGM=GIMSMP,REGION=0M
//SMPCSI DD DISP=OLD,DSN=#globalcsi
//SMPCNTL DD *
SET BOUNDARY(#dzone) .
ACCEPT SELECT(
UI20613
UI14892
UI13095
) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR).
//*
SMP/E RECEIVE and APPLY the fix.
You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting. Note that BYPASS(HOLDSYS,HOLDERROR) suppresses the ++HOLD REASON(ACTION) processing, so you must read the hold text above and carry out its pre-APPLY actions before, and its post-APPLY actions after, running this job.
//*
//* Change hlq to the high level qualifier used to upload the fix.
//* Change (2x) #globalcsi to the data set name of your global CSI.
//* Change #tzone to your CSI target zone name.
//*
//RECEIVE  EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=OLD,DSN=#globalcsi
//SMPPTFIN DD DISP=SHR,DSN=hlq.IBM.HHOP900.UI28242
//SMPCNTL  DD *
SET BOUNDARY(GLOBAL) .
RECEIVE SELECT(UI28242) SYSMODS LIST .
//*
//APPLY    EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=OLD,DSN=#globalcsi
//SMPCNTL  DD *
SET BOUNDARY(#tzone) .
APPLY SELECT(UI28242) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR).
//*
Restart started tasks to activate changes.