APAR status
Closed as documentation error.
Error description
Documentation updates related to APAR OA51174
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of HBB7780 (z/OS 1.13) and above * * supported releases using system logger * **************************************************************** * RECOMMENDATION: * **************************************************************** Publication (documentation) updates related to APAR OA51174 should be available in RETAIN database.
Problem conclusion
z/OS Migration Chapter - BCP actions to perform before the first IPL of z/OS release (with PTF for APAR OA51174 applied). Define a RACF authorization profile for log stream subsystem exits Description - Log stream users on z/OS can specify a log stream subsystem exit routine name to receive control for reading log data through either of the following methods- - SUBSYS=(LOGR,exit_routine_name,...) keyword of the DDNAME JCL statement, or - on a dynamic allocation request using text units DALSSNM (value LOGR) and DALSSPRM (value specifying the exit_routine_name), refer to DYNALLOC/SVC99 and macro IEFZB4D2. As of APAR OA51174, to use an exit_routine_name, as specified above, then you are required to define a RACF authorization profile in the FACILITY class to cover the resource IXGLOGR.SUBSYS.LSEXIT.exit_routine_name, where exit_routine_name identifies the name of the log stream subsystem exit routine. The exception to this requirement is when the exit_routine_name is one of the following names IXGSEXIT, IFASEXIT, IFBSEXIT or DFHLGCNV. A log stream subsystem exit_routine_name will only be used when it is either one of the names listed above or the authorization check allows use of the noted resource. Otherwise, z/OS system logger will not invoke the exit routine name, a logger error message (IXG507I) will be issued and a failure return will be provided to the log stream subsystem function (that is, z/OS converter and/or allocation). Table- Information about this migration action Element or feature- BCP When change was Introduced- z/OS V2R2, z/OS V2R1 and z/OS V1R13, all with PTFs for APAR OA51174 applied. Applies to migration from-z/OS V2R2, z/OS V2R1 and z/OS V1R13, all without PTFs for APAR OA51174 applied. Is the migration action required? Yes, if your installation has log stream subsystem exit routines that are specified either through the SUBSYS=(LOGR,...) keyword on a DDNAME JCL statement or on a dynamic allocation request via a text unit value for key DALSSPRM, and the exit routine name is NOT one of the following- IXGSEXIT, IFASEXIT, IFBSEXIT, or DFHLGCNV. Timing- Before the first IPL of z/OS with PTF for APAR OA51174 applied. Target system hardware requirements- None. Target system software requirements- None. Other system (coexistence or fallback) requirements- None. Restrictions- None. System impacts- Jobs or dynamic allocation requests that specify a log stream exit routine name may fail and not complete successfully. Related IBM Health Checker for z/OS check- None. Steps to take- - If your installation does use log stream subsystem exit routines, but only uses the names IXGSEXIT, IFASEXIT, IFBSEXIT, or DFHLGCNV, then you are not affected and there are no actions for you. - If your installation does use or intends to use log stream subsystem exit routine names, other than the set of names IXGSEXIT, IFASEXIT, IFBSEXIT or DFHLGCNV, that are specified either through the SUBSYS=(LOGR,exit_routine_name ,...) keyword on a DDNAME JCL statement or on a dynamic allocation request via a text unit value for key DALSSPRM, then you are affected and there are actions for you to perform. Actions: To use an exit_routine_name (other than one in the set of IXGSEXIT, IFASEXIT, IFBSEXIT or DFHLGCNV) then you must define a RACF profile in the FACILITY class covering the resource IXGLOGR.SUBSYS.LSEXIT.exit_routine_name, where exit_routine_name identifies the name of the log stream subsystem exit routine. IBM recommends you do one of the following: (a) Define a discrete profile IXGLOGR.SUBSYS.LSEXIT.exit_routine_name for the FACILITY class to cover the resource, where exit_routine_name identifies the name of the log stream subsystem exit routine. This profile should audit all failures and allow all users READ access. For example: RDEFINE FACILITY IXGLOGR.SUBSYS.LSEXIT.exit_routine_name UACC(READ) AUDIT(FAIL(READ)) (b) If you choose to allow for exit_routine_names that may not be explicitly known to be used on your system, meaning you did not define explicit discrete profile(s) as described in step (a) above, then consider also defining a generic profile IXGLOGR.SUBSYS.LSEXIT.* for the FACILITY class to cover the resources associated with using these log stream subsystem exit routines. Include in this generic profile the WARNING attribute. For example: RDEFINE FACILITY IXGLOGR.SUBSYS.LSEXIT.* UACC(NONE) WARN When this generic profile is used to cover the authorization check for a resource IXGLOGR.SUBSYS.LSEXIT.exit_routine_name , if the check fails since WARNING has been specified, RACF will issue the appropriate warning message to the user, logs the access attempt, and allows the user to access the resource. This generic profile approach is recommended only as a temporary mechanism to gather information on the possible exit routine names that need to be supported, and once known you can then define the appropriate discrete profiles. Once the known exit routine names are covered by discrete profiles, then delete the IXGLOGR.SUBSYS.LSEXIT.* generic profile. Note, if you do not define any of the profiles similar to those stated above but you have defined a different generic profile that will cover the resource IXGLOGR.SUBSYS.LSEXIT.exit_routine_name, then those generic profile attributes will determine the outcome of the authorization checking, logging, and whether the exit_routine_name will be used. Reference information- - For more information on system logger log stream subsystem exit routines, refer to topic "Authorization for system logger applications" in z/OS MVS Setting Up a Sysplex, and topic "IXGSEXIT - Log Stream Subsystem Exit" in z/OS MVS Installation Exits. - For more information on defining RACF profiles, refer to topic "Planning for profiles in the FACILITY class" in z/OS Security Server RACF Security Administrator's Guide. z/OS MVS Setting Up a Sysplex Chapter - Planning for system logger applications Authorization for system logger applications < add following text at end of this topic > Log stream users can specify a log stream subsystem exit routine name to receive control for reading log data through either of the following methods: - SUBSYS=(LOGR,exit_routine_name,...) keyword of the DDNAME JCL statement, or - on a dynamic allocation request using text units DALSSNM (value LOGR) and DALSSPRM (value specifying the exit_routine_name). If your installation does not intend to use any log stream subsystem exit routines, or if your installation intends to use only the log stream subsystem exit routine names IXGSEXIT, IFASEXIT, IFBSEXIT, or DFHLGCNV, then there is no need to define the RACF policies described below. If your installation does use or intends to use log stream subsystem exit routine names, other than the set of explicit names listed above, then you or your security administrator needs to define a RACF authorization profile in the FACILITY class to cover the resource IXGLOGR.SUBSYS.LSEXIT.exit_routine_name, where exit_routine_name identifies the name of the log stream subsystem exit routine. For more information on defining RACF profiles, refer to topic "Planning for profiles in the FACILITY class" in z/OS Security Server RACF Security Administrator's Guide. IBM recommends you do one of the following: (a) Define a discrete profile IXGLOGR.SUBSYS.LSEXIT.exit_routine_name for the FACILITY class to cover the resource, where exit_routine_name identifies the name of the log stream subsystem exit routine. This profile should audit all failures and allow all users READ access. For example: RDEFINE FACILITY IXGLOGR.SUBSYS.LSEXIT.exit_routine_name UACC(READ) AUDIT(FAIL(READ)) (b) If you choose to allow for exit_routine_names that may not be explicitly known to be used on your system, meaning you did not define explicit discrete profile(s) as described in step (a) above, then consider also defining a generic profile IXGLOGR.SUBSYS.LSEXIT.* for the FACILITY class to cover the resources associated with using these log stream subsystem exit routines. Include in this generic profile the WARNING attribute. For example: RDEFINE FACILITY IXGLOGR.SUBSYS.LSEXIT.* UACC(NONE) WARN When this generic profile is used to cover the authorization check for a resource IXGLOGR.SUBSYS.LSEXIT.exit_routine_name , if the check fails since WARNING has been specified, RACF will issue the appropriate warning message to the user, logs the access attempt, and allows the user to access the resource. This generic profile approach is recommended only as a temporary mechanism to gather information on the possible exit routine names that need to be supported, and once known you can then define the appropriate discrete profiles. Once the known exit routine names are covered by discrete profiles, then delete the IXGLOGR.SUBSYS.LSEXIT.* generic profile. Note, if you do not define any of the profiles similar to those stated above but you have defined a different generic profile that will cover the resource IXGLOGR.SUBSYS.LSEXIT.exit_routine_name, then those generic profile attributes will determine the outcome of the authorization checking, logging, and whether the exit_routine_name will be used. < end of new text in this topic > Activate the LOGR subsystem < add following bulleted item at end of list in last paragraph> |- See previous topic "Authorization for system logger | applications" for additional information on allowing | authorization for system logger applications. z/OS MVS Programming: Assembler Services Guide Chapter - Using System Logger Services JCL for the LOGR Subsystem SUBSYS=(LOGR ,exit_routine_name ,'SUBSYS-options1' ,'SUBSYS-options2' ) . . . The exit_routine_name is the second positional parameter and specifies the name of the exit routine to receive control from the LOGR subsystem. . . . <add following text at end of exit_routine_name description> | Contact your installation system programmer to ensure your | exit_routine_name can be used as a log stream subsystem exit | routine. Refer to topic "Authorization for system logger | applications" in z/OS MVS Setting Up a Sysplex. z/OS MVS Installation Exits Chapter - Using System Logger Services Section - IXGSEXIT Log Stream Subsystem Installing the Exit < changes to introduction as noted below > The log stream subsystem exit must be link edited in its own load module into SYS1.LINKLIB or any APF-authorized library in the LNKLST concatenation. | Do not give the exit routine APF authority. In other words | do not specify the binder option AC(1). That option is only | for programs that are designed to run as job step tasks. To activate the exit routine, refresh LLA through the MODIFY LLA,REFRESH command. . . . Note: To use the log stream subsystem exit, the LOGR | subsystem must be activated, and the installation must | allow authorization for the log stream subsystem exit | routine name to be used. Refer to topic "Authorization | for system logger applications" in z/OS MVS Setting Up | a Sysplex for more information. z/OS MVS System Messages, Vol 10 (IXC-IZP)- new message IXG507I LOGGER SUBSYSTEM (ssnam) LOG STREAM EXIT NOT REGISTERED, DD=ddname EXIT=exitname FUNCTION= CONVERTER | ALLOCATION} Explanation: The exit routine name specified, either through the SUBSYS=(LOGR,exitname,...) keyword on a DDNAME JCL statement or on a dynamic allocation request via a text unit value for key DALSSPRM, for the log stream subsystem data set interface is not registered with the system. No Security Server RACF profile is defined to allow it. System logger will not use this exit routine name. In the message text: ssnam is the installation defined subsystem name for system logger. ddname is the name of the DD statement or equivalent dynamic allocation DD name with the SUBSYS= specification. The name will be blanks for the converter function or for the allocation function on a concatenated DD. exitname is the name of the log stream subsystem exit routine. CONVERTER indicates that the log stream subsystem converter function encountered the error. ALLOCATION indicates that the log stream subsystem allocation function encountered the error. System Action: System logger will not use this exit routine name, and message IXG510I will be issued to the job log. Depending upon the log stream subsystem function encountering the issue, the following will occur: - The job terminates for CONVERTER requests. - The job step terminates for ALLOCATION requests of JCL DD SUBSYS= statements. - Dynamic Allocation requests return with an error and the request is rejected. User Response: Contact the system programmer. Operator Response: Contact the system programmer. Application Programmer Response: Contact the system programmer. System Programmer Response: Contact your security administrator. Action depends on whether your installation intends to use the log stream subsystem exit routine name (exitname). If so, then have your security administrator define the appropriate RACF profile to allow the use of the exit routine name. Refer to topic "Authorization for system logger applications" in z/OS MVS Setting Up a Sysplex. If your installation does not intend to use the log stream subsystem exit routine name (exitname), then work with your security administrator to determine your next course of action. Source: System logger (SCLOG) Detecting Module: IXGSDSAL, IXGSDSCN Routing Code: 11 Descriptor Code: 6
Temporary fix
Comments
APAR Information
APAR number
OA51527
Reported component name
SYSTEM LOGGER
Reported component ID
5752SCLOG
Reported release
780
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-10-25
Closed date
2016-10-26
Last modified date
2016-10-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"780","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":null,"label":null},"Product":{"code":"SG19O","label":"APARs - MVS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"780","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
26 October 2016