Stay informed about Security/Integrity APARs, Highly Pervasive issues, and other important fixes relating to WebSphere Application Server for z/OS

Body

Staying abreast of issues deserving heightened awareness in WebSphere Application Server on z/OS

WebSphere Application Server for z/OS (zWAS) has always behaved and been administered a little differently from most other products on z/OS. On top of that, when we released zWAS Version 8 we deviated further with the move from SMP/E to Installation Manager (IM) for installation and maintenance. Along the way we have also had to evolve the manner in which we document some of the issues that deserve heightened awareness (like Security/Integrity (Sec/Int), regressions, etc.) as well as the methods we employ to notify you of them. It's important to be aware of what options are available to you and which will meet your needs.

What's new about how we document these issues in WAS Version 8 and above?

As of WAS Version 8:

• The Sec/Int flag is still used on APARs, but will not halt your upgrade/warn you if you are missing the fix for that APAR in your new level.
• 
  
• PE flagging of APARs has been replaced with MDV flagging. MDVREGR and MDVPARTL flags represent regressions and incomplete fixes, respectively, and will no longer halt your upgrade/warn you if you are missing the fix for that APAR in your new level. To identify these known regressions in V8, you should refer to the table at the top of the DCF download document for your target fix pack. If there is no table, there are currently no known regressions affecting that fix pack. They are also considered for their high/medium/low impact and marked appropriately in the table. These fix pack pages can be found at: Recommended fixes for WebSphere Application Server (click the links that say "Fix pack x")
  Fix pack 8.0.0.4 is an example of one with known regressions: 8.0.0.4: WebSphere Application Server V8.0 Fix Pack 4
  
  Take note: These fix pack webpages are only relevant for zWAS V8 and above now that we too use IM as our installer. For information on the PTFs for zWAS V7 and earlier you should continue to refer to the APAR/PTF tables here: APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS
• 
  
• The only PTFs and cover letters generated are for updating IM repositories, not the WAS runtime directly, so, they will only contain IM-related information. This means you may find that a PTF for IM is flagged PE if the build/packaging was bad, but they won't be PE'd for anything related to the zWAS runtime.
• 
  
• HIPER flags are no longer used, but those kinds of issues will be Flashed through the WebSphere Application Server Support website and, if applicable to applying maintenance, noted in the relevant PSP buckets. This article explains how to find the appropriate PSP bucket for your release: Preventive Service Planning (PSP) Buckets

So how can I be proactively notified?

• The IBM System z Security Portal - Most z/OS administrators and z/OS security admins are well aware of this website and rely on it as the single point of reference to learn about the Sec/Int issues affecting all of their z/OS products. But, zWAS was not always fully represented in this portal. This was an information gap and some clients were surprised to realize that the System z security portal didn't cover zWAS the way it covers all of it's other software products. To address this, we've recently enhanced our processes and formed a stronger bond between our WAS security board and the System z Security Portal team to ensure that it includes all of the zWAS Sec/Int APARs for V7 and above. But, take note that this will only report Sec/Int issues; it will not include the entire range of content that the WAS support website and email notification list includes. It is also important to note that the WAS V7 issues will continue to be handled through the PTF process and delivered along with all other z/OS PTFs in the HOLDDATA and the WAS V8 issues will be presented in Security Notes (ex. SN-2014-nn).
  
  Link: http://www.ibm.com/systems/z/advantages/security/integrity_sub.html
  This is the URL for the IBM System z Security Portal. If you are not already registered for access to the portal, start by following the instructions on that page for Portal Registration.
• 
  
• The WebSphere Application Server Support website and email notification list - This is the preferred method for most of our clients; if any part of WAS is your responsibility, no matter the platform, this is your best source for notification of important issues. It's flexible and will make sure you don't miss anything, because it can send you notifications for every type of article we might raise for awareness. You can find all of our communicated notifications on this website as well as sign up for the email notifications so you are made aware of them as soon as they are released. On the other hand, if you only care about Sec/Int issues then the System z Security Portal may suffice.
  
  Link: http://www.ibm.com/support/entry/portal/product/websphere/websphere_application_server?productContext=224294509
  This is the URL for the main WAS Support page. Clicking on the "Flashes, alerts, and bulletins" link allows you to categorically filter or search through the articles we have sent out in the past.
  
  You can sign up for the email notifications by:
  1. Following the link titled "Subscribe to support notifications" (This link changes to "Manage your support notifications" after you've setup your notification preferences, incase you need to alter them)
  2. From the Subscribe tab, select zWAS by clicking "WebSphere"
  3. Then check the box for "WebSphere Application Server for z/OS"
  4. Press "Continue" at the bottom of the page
  5. Select what kinds of notifications you want to receive (Security bulletins, Technotes, etc)
  6. Press "Submit"
  
  This will get you the notifications for issues affecting WAS commonly across all platforms as well those that only affect WAS on z/OS. If you also select the checkbox for "WebSphere Application Server" you will additionally get notifications about the issues that only affect the distributed platforms (Windows, Linux, Linux on z/OS, etc.). Also take a look at the "My Defaults" tab to further customize how you receive these notifications and how frequently.

What if I'm still using WAS Version 7?

Presently, you can rely on both methods to be notified of Sec/Int WAS APARs for V7 and above, so choose whichever covers the topics you want to know about. With V7 you can also still rely on SMP/E to warn you when applying PTFs about open Sec/Int, HIPER, or PE issues that remain unresolved on your target level, HOLD warnings for user actions etc., and you can get the Enhanced HOLDDATA and CVSS scores as part of the System z Security Portal.

Which method should I choose?

In short, if you're in a z/OS or solely a security focused role, the System z Security Portal will probably suffice for your needs. If you have virtually any other kind of responsibility with zWAS, you'll almost certainly benefit from the WebSphere Application Server Support notification email list, as well as the PSP buckets.

I hope you found this informative!

Steve Dittmar
WAS for z/OS L2 Support

title image (modified) credit (some rights reserved) by: http://www.keepcalm-o-matic.co.uk