A fix is available
APAR status
Closed as program error.
Error description
RACF violations with CKFCOLL using CHECKDSN. RACF violations can be seen when creating CHECKSUMs for a PDSE using CKFCOLL parameter format: CHECKDSN=MY.PDSE.LOADLIB
Local fix
Specify instead the CKFCOLL parameter format: CHECK=(DSN=MY.PDSE.LOADLIB)
Problem summary
**************************************************************** * USERS AFFECTED: Users of zSecure Collect program exploiting * * the CHECKDSN= command to compute checksums * * for PDSE data sets. * **************************************************************** * PROBLEM DESCRIPTION: zSecure Collect issues a MSGCKF0096 * * while attempting to perform checksum * * calculation of a PDSE data set provided * * by the CHECKDSN= command in cases where * * a user running the program does not * * have a READ access to the PDSE data set * * in question. A MSGICH408I is also * * issued by the RACF. * **************************************************************** * RECOMMENDATION: Apply the PTF provided. * **************************************************************** When the CHECKDSN= command specifies a PDSE data set with no READ access to the user invoking the zSecure Collect program, a MSGCKF0096 which begins with the text "system abend 913-38 (access denied by security manager) ..." is issued. A MSGICH408I (insufficient access authority) is also issued by the RACF.
Problem conclusion
zSecure Collect has been modified, so that it allows system auditors to exploit the CHECKDSN= command for checksum computations of PDSE data sets without having a READ access to these data sets. However, the zSecure Collect program must run APF-authorized.
Temporary fix
Comments
APAR Information
APAR number
OA67080
Reported component name
ZSEC BASE,ADMIN
Reported component ID
5655T0100
Reported release
250
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-10-08
Closed date
2024-11-15
Last modified date
2024-12-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UJ96330 UJ96331
Modules/Macros
CKFDSN CKFINPUT CKFSCHED CKFVTOC
Fix information
Fixed component name
ZSEC BASE,ADMIN
Fixed component ID
5655T0100
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSPQTM","label":"IBM Security zSecure Admin"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"250","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Document Information
Modified date:
03 December 2024