IBM Support

OA67080: RACF VIOLATIONS WITH CKFCOLL USING CHECKDSN

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • RACF violations with CKFCOLL using CHECKDSN.
    
    RACF violations can be seen when creating CHECKSUMs for a PDSE
    using CKFCOLL parameter format:
    CHECKDSN=MY.PDSE.LOADLIB
    

Local fix

  • Specify instead the CKFCOLL parameter format:
    CHECK=(DSN=MY.PDSE.LOADLIB)
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of zSecure Collect program exploiting  *
    *                 the CHECKDSN= command to compute checksums   *
    *                 for PDSE data sets.                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: zSecure Collect issues a MSGCKF0096     *
    *                      while attempting to perform checksum    *
    *                      calculation of a PDSE data set provided *
    *                      by the CHECKDSN= command in cases where *
    *                      a user running the program does not     *
    *                      have a READ access to the PDSE data set *
    *                      in question. A MSGICH408I is also       *
    *                      issued by the RACF.                     *
    ****************************************************************
    * RECOMMENDATION: Apply the PTF provided.                      *
    ****************************************************************
    When the CHECKDSN= command specifies a PDSE data set with no
    READ access to the user invoking the zSecure Collect program,
    a MSGCKF0096 which begins with the text "system abend 913-38
    (access denied by security manager) ..." is issued. A MSGICH408I
    (insufficient access authority) is also issued by the RACF.
    

Problem conclusion

  • zSecure Collect has been modified, so that it allows system
    auditors to exploit the CHECKDSN= command for checksum
    computations of PDSE data sets without having a READ access to
    these data sets. However, the zSecure Collect program must run
    APF-authorized.
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA67080

  • Reported component name

    ZSEC BASE,ADMIN

  • Reported component ID

    5655T0100

  • Reported release

    250

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2024-10-08

  • Closed date

    2024-11-15

  • Last modified date

    2024-12-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UJ96330 UJ96331

Modules/Macros

  • CKFDSN   CKFINPUT CKFSCHED CKFVTOC
    

Fix information

  • Fixed component name

    ZSEC BASE,ADMIN

  • Fixed component ID

    5655T0100

Applicable component levels

  • R250 PSY UJ96331

       UP24/11/19 P F411

  • R310 PSY UJ96330

       UP24/11/19 P F411

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSPQTM","label":"IBM Security zSecure Admin"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"250","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
03 December 2024