IBM Support

OA58605: DATETIME FIELD DOES NOT HAVE THE CORRECT LENGTH OVERRIDE FOR ALERT 1110

A fix is available


APAR status

  • Closed as program error.

Error description

  • Datetime field does not have the correct length override for
    Alert 1110.
    
    This can affect parsing of the alerts by QRadar, causing
    alert 1110 to be parsed as a different log source.
    

Local fix

  • 1) Create your own userid.SCKRSLIB data set like the
       zSecure-supplied hlq.SCKRSLIB.
    2) Copy hlq.SCKRSLIB(C2PS1110) to userid.SCKRSLIB.
    3) Edit userid.SCKRSLIB(C2PS1110) and issue:
         c 'datetime(cef_dt),' 'datetime(cef_dt,15),' all
    4) Save userid.SCKRSLIB(C2PS1110).
    5) Start the zSecure Admin UI using CKR UPREFIX(userid)
       (this will then use the updated skeleton from userid.SCKRSLIB).
    6) Re-Verify and reFresh your alert configuration.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of zSecure Alert exploiting            *
    *                 predefined alert ID 1110 with a QRadar SIEM  *
    *                 destination.                                 *
    ****************************************************************
    * PROBLEM DESCRIPTION: zSecure Alert generates the predefined  *
    *                      alert 1110 (Successful data set access  *
    *                      using OPERATIONS by user without        *
    *                      OPERATIONS) with an incorrectly         *
    *                      formatted datetime stamp causing QRadar *
    *                      SIEM to misinterpret such alerts.       *
    ****************************************************************
    * RECOMMENDATION: Apply the PTF provided.                      *
    ****************************************************************
    The datetime stamp for alert 1110 is formatted with fractions of
    seconds, causing QRadar SIEM to misinterpret such alerts.
    

Problem conclusion

  • zSecure Alert has been modified so that the datetime stamp for
    alert 1110 is formatted without fractions of seconds, so that
    QRadar SIEM properly interprets such alerts.
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA58605

  • Reported component name

    ZSEC BASE,ADMIN

  • Reported component ID

    5655T0100

  • Reported release

    231

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-11-01

  • Closed date

    2019-11-14

  • Last modified date

    2019-11-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UJ01370 UJ01371

Modules/Macros

  • C2PS1110
    

Fix information

  • Fixed component name

    ZSEC BASE,ADMIN

  • Fixed component ID

    5655T0100

Applicable component levels

  • R231 PSY UJ01370

       UP19/11/16 P F911

  • R240 PSY UJ01371

       UP19/11/16 P F911

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
30 November 2019