A fix is available
APAR status
Closed as program error.
Error description
Incorrect non-compliant findings for ZWMQ0054 when MQ mixed case support uses class MXQUEUE. When MQ region mixed case security support is enabled (SCYCASE(MIXED)), the RACF profiles used are in class MXQUEUE, but control ZWMQ0054 only checks class MQQUEUE.
Local fix
N/A
Problem summary
****************************************************************
* USERS AFFECTED: Users of zSecure Audit exploiting RACF STIG  *
*                 compliance controls ZWMQ0054, ZWMQ0055,      *
*                 ZWMQ0056, and ZWMQ0057.                      *
****************************************************************
* PROBLEM DESCRIPTION: zSecure Audit might report incorrect    *
*                      non-compliant findings in cases where   *
*                      MQ region mixed case security support   *
*                      is enabled (the SCYCASE(MIXED) message  *
*                      queue manager parameter is in effect).  *
****************************************************************
* RECOMMENDATION: Apply the PTF provided.                      *
****************************************************************
When MQ manager uses mixed case RACF security profiles, the following RACF STIG compliance controls provided by zSecure Audit might report incorrect non-compliant findings because of an incorrect RACF class test (no MXQUEUE class is tested):
o ZWMQ0054: IBM MQ for z/OS resources defined to the MQQUEUE resource class must be protected in accordance with security requirements.
o ZWMQ0055: IBM MQ for z/OS process resources must be protected in accordance with security requirements.
o ZWMQ0056: IBM MQ for z/OS namelist resources must be protected in accordance with security requirements.
o ZWMQ0057: IBM MQ for z/OS alternate user resources defined to MQADMIN resource class must be properly protected.
Problem conclusion
zSecure Audit has been modified so that RACF STIG compliance controls ZWMQ0054, ZWMQ0055, ZWMQ0056, and ZWMQ0057 do not report incorrect non-compliant findings in cases where MQ region mixed case security support is enabled.
Temporary fix
Comments
APAR Information
APAR number
OA66108
Reported component name
ZSEC BASE,ADMIN
Reported component ID
5655T0100
Reported release
310
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-02-08
Closed date
2024-05-30
Last modified date
2024-06-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UJ94852 OA66558
Modules/Macros
C2R3IO25 C2R3IO26 C2R3SYH@ C2R3SYHZ C2RDRAS C2RDRASD C2RT3SEG C2RT3SO1 C2RT3SOA C2RT3SOD C2RT3T@1 CKAGSENS CKAHWM54 CKAHWM55 CKAHWM56 CKAHWM57 CKARCMD CKFINIT CKFRACF CKRCDTIN CKRCFS CKRDSD80 CKRDSR80 CKRFDEF CKRFDSY CKRFMT CKRINLT CKRINMO CKRLSD13 CKRLSD80 CKRLSR13 CKRLSR80 CKROUICB CKROUNIT CKROUOPT CKRXJPND CKRXJPNE GKRCDTIN GKRCFS GKRFDEF GKRFDSY GKRFMT GKRGSENS GKRINLT GKRINMO GKROUICB GKROUNIT GKROUOPT GKRRCMD
Fix information
Fixed component name
ZSEC BASE,ADMIN
Fixed component ID
5655T0100
Applicable component levels
R310 PSY UJ94852
UP24/05/31 P F405
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
03 June 2024