APAR status
Closed as program error.
Error description
Explorer for z/OS - zExpl. After applying PTF UI79568 or UI79780 on a system using ACF2 as the security software, the user might receive the following message when trying to connect to z/OS Explorer (with user1 being the affected userid):
RseDaemon:RACF profile error: user1: User, user1 has insufficient permission to profile FEKAPPL in the APPL class - RACROUTE AUTH returned SAF return code= 8, RACF return code=8, RACF reason code=0.
The issue is caused by an input parsing error in the validation routine: the message is presented even though a valid resource profile grants the user access. As another symptom, an ACF2 trace of the RACROUTE might show an Entity field containing only dots.
Local fix
Problem summary
USERS AFFECTED:
1. Users using TLSv1.3.
2. z/OS Explorer
3. z/OS Explorer
4. z/OS Explorer
5. z/OS Explorer
6. All RSE users using copy&paste of a PDS member or SEQ dataset to a SEQ dataset in the same connection.
7. All ACF2 RSE users.
8. No user affected; only the RSE service exercises unnecessary authentication with strange input.
9. z/OS Explorer
10. All servers using the same VSAM file tracker.
11. All users uploading a local Unix file to a dataset.
12. Systems that want to use AT-TLS secure connections instead of RSE server secure connection management.
13. All servers using the extended VSAM file owner tracker.
14. All RSE and RSEAPI users who attempt to change a password or passphrase with a new value that is not the same type as the old value.
15. All RSE and RSEAPI servers.
PROBLEM DESCRIPTION:
1. Improper detection of the TLSv1.3 protocol and cipher definitions may cause the SSL settings to get out of sync between the Daemon and the Server Thread.
2. JESMiner does not disconnect the JMON connection when the client idle connection times out.
3. JesJobUtil.getJobReturnCode() returns CC 0000 when the submitted job returned JCL ERROR according to getJobReturnInfo().
4. Enable JESMiner trusted TCP/IP support for connecting to JMON.
5. Enhance the JesJobUtil.submit method to support a callback mechanism.
6. It may be expected that the SMS attributes of the source are copied to the target in a copy&paste operation.
7. An error in PTF UI79568 or UI79780 causes the input RACF class and resource not to be retrieved when calling the profile routine.
8. An attacker could attempt to send code for the service to execute instead of the expected data. Entering an HTTP command from a browser against the RSE Daemon port causes the command string to be sent as the credential login to the RSE service. Some z/OS network configurations, such as load balancing or proxies, may also wrongly direct HTTP commands to the RSE service port.
9. The JESMiner C_SEARCHPLUS command does not handle the JMON return message "101 Usage error."
10. When a user disconnects, all of its extended lock info tracking is cleaned up. But when a server is shut down, i.e. without the users disconnecting in time, all records remain in VSAM. The obsolete records are only self-corrected when they are referenced on the same system. A race in deletion between servers sharing the same VSAM can also leave obsolete records behind.
11. A CRLF newline on Windows is treated as equivalent to LF on Unix-like systems and should be converted the same way when uploading to a z/OS dataset. The last newline of the file should be translated to an empty record for the last block of the dataset file. Unix-like uploading is currently missing the last record for the last LF of the file.
12. AT-TLS is the preferred mechanism for securing connections. IBM Developer for z/OS, including Enterprise Edition, should implement AT-TLS support.
13. When opening the VSAM for reading or deleting records fails, the operation ends with an error and no records, producing a misleading error that can be mistaken for "no record found".
14. Updating the password field with a longer-than-8 new value improperly returns success, with the new password cut off at 8 bytes.
15. Potential overflow in a string copy.
1. The mask is used in GSK filtering for the protocols supported by an RSE server. It is applied with a bitwise AND, so each protocol's value must occupy its own bit position. The existing bits 0 (value 1), 1 (value 2) and 2 (value 4) are used for TLSv1, TLSv1.1 and TLSv1.2, so the mask for TLSv1.3 should be 8 (bit 3), not 5 (bits 0 and 2) as currently defined.
2. When the client idle connection timed out, JESMiner did not disconnect its JMON connection. If the JMON TIME_OUT property is set to 0 (JMON idle connection cleanup disabled), the JMON connection is left behind; eventually the maximum number of JMON connections is reached and new connections fail.
3. Update JesJobUtil.getJobReturnCode() to return the same error code as getJobReturnInfo() instead of CC 0000 in error situations.
4. Trusted TCP/IP is enabled by default in JESMiner for connecting to JMON (disable it by setting the property JES_ENABLE_TRUSTED_TCPIP to false in rse.env).
5. Provide new JesJobUtil submit APIs that run user-provided logic after the job finishes execution.
6. For copy&paste within the same connection (i.e. the same system, as used interchangeably by the GUI client), if requested by the new option in the GUI, query the SMS attributes of the source and use them when allocating the target dataset.
7. On a system using ACF2, the improper input causes a RACF error and the login fails.
8. Network traffic directed at the RSE Daemon port, such as an HTTP command, can be intercepted as a login attempt with a strange credential. An attacker could also do this deliberately.
9. When JMON returns a usage error for the JESMiner C_SEARCHPLUS command, JESMiner cannot process the error message, so the C_SEARCHPLUS command hangs until JMON terminates the connection after its timeout.
10. An RSE Daemon operator command to clean up expired records from the VSAM tracker, run occasionally during a quiet period, can remove the obsolete entries.
11. The last CRLF on Windows and the last LF on Unix-like systems should be treated the same when uploading to a z/OS dataset. The missing translation of the last LF on Unix-like systems causes a difference between the original file and the downloaded file.
12. AT-TLS port rule checking is thread-based. User threads (user security switching using pthread_security) fail the AT-TLS handshake when the permission is set under the RSE started task user ID.
13. Failure to open the VSAM is an error and should be clearly differentiated from the no-record-found scenario.
14. The RSE backend routine assumed the new credential has the same type as the old credential and processed the password/passphrase under that assumption; a new password longer than the maximum was cut off at 8 characters.
15. The fekfomvs profile command called strcpy with a fixed-size destination buffer without checking the size of the source string.
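As an added illustration of item 1 (this is example code, not code from the product), the following C program shows why a bitwise-AND filter cannot use 5 for TLSv1.3: 5 is binary 0101, which overlaps the TLSv1 and TLSv1.2 bits, so a server configured for TLSv1.2 only is reported as also having TLSv1.3, while a server that recorded TLSv1.3 with the same wrong value is reported as having TLSv1, TLSv1.2 and TLSv1.3. The macro names and the filter function are this example's own, and only the bit positions are taken from the APAR text.

```c
#include <stdio.h>
#include <string.h>

/* Bit positions taken from the APAR text. The macro names are this example's
 * own, not the product's identifiers. */
#define PROTO_TLSV1_0         (1u << 0)   /* 1 */
#define PROTO_TLSV1_1         (1u << 1)   /* 2 */
#define PROTO_TLSV1_2         (1u << 2)   /* 4 */
#define PROTO_TLSV1_3         (1u << 3)   /* 8: the corrected value, bit 3 */
#define PROTO_TLSV1_3_SHIPPED 5u          /* the shipped value: 0101 = TLSV1_0 | TLSV1_2 */

/* A mask-driven filter: is `proto` enabled in the server's `enabled` set? */
int proto_enabled(unsigned enabled, unsigned proto)
{
    return (enabled & proto) != 0;
}

static void append_name(char *buf, size_t buflen, const char *name)
{
    if (buf[0] != '\0')
        strncat(buf, " ", buflen - strlen(buf) - 1);
    strncat(buf, name, buflen - strlen(buf) - 1);
}

/* Render the protocol list that a filter using `tls13_mask` for TLSv1.3
 * reports as enabled. Returns buf: a space-separated list, possibly empty. */
const char *filter_protocols(unsigned enabled, unsigned tls13_mask,
                             char *buf, size_t buflen)
{
    buf[0] = '\0';
    if (proto_enabled(enabled, PROTO_TLSV1_0)) append_name(buf, buflen, "TLSv1");
    if (proto_enabled(enabled, PROTO_TLSV1_1)) append_name(buf, buflen, "TLSv1.1");
    if (proto_enabled(enabled, PROTO_TLSV1_2)) append_name(buf, buflen, "TLSv1.2");
    if (proto_enabled(enabled, tls13_mask))    append_name(buf, buflen, "TLSv1.3");
    return buf;
}

int main(void)
{
    char buf[64];
    /* Server configured for TLSv1.2 only: 4 & 5 != 0, so the shipped mask
     * wrongly reports TLSv1.3 as enabled. */
    printf("TLSv1.2-only, shipped mask: [%s]\n",
           filter_protocols(PROTO_TLSV1_2, PROTO_TLSV1_3_SHIPPED, buf, sizeof buf));
    printf("TLSv1.2-only, fixed mask:   [%s]\n",
           filter_protocols(PROTO_TLSV1_2, PROTO_TLSV1_3, buf, sizeof buf));
    /* Server that recorded TLSv1.3 with the shipped value 5: the filter sees
     * three protocols, which is the Daemon/Server Thread mismatch. */
    printf("TLSv1.3 as 5, shipped mask: [%s]\n",
           filter_protocols(PROTO_TLSV1_3_SHIPPED, PROTO_TLSV1_3_SHIPPED, buf, sizeof buf));
    printf("TLSv1.3 as 8, fixed mask:   [%s]\n",
           filter_protocols(PROTO_TLSV1_3, PROTO_TLSV1_3, buf, sizeof buf));
    return 0;
}
```

The check a practitioner can apply to any such mask table is that every value must be a power of two; any value with more than one bit set will alias other entries under AND.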
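Added example for item 11 (example code, not the product's upload code): a record splitter with the separator semantics the APAR describes, where a newline at EOF produces a trailing empty record and joining the records back with one newline between each reproduces the file, beside the pre-fix behaviour that created that record only for CRLF. The record limits, the join-on-download function and the sample files are assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_RECORDS 32
#define MAX_RECLEN  80     /* illustrative: a fixed-block 80 dataset */

typedef struct {
    size_t count;
    char   rec[MAX_RECORDS][MAX_RECLEN + 1];
} records_t;

static void add_record(records_t *r, const char *p, size_t n)
{
    if (r->count >= MAX_RECORDS) return;      /* example choice: stop silently */
    if (n > MAX_RECLEN) n = MAX_RECLEN;       /* example choice: truncate to LRECL */
    memcpy(r->rec[r->count], p, n);
    r->rec[r->count][n] = '\0';
    r->count++;
}

/* Split an uploaded text file into dataset records. CRLF and LF are both
 * record terminators. A terminator separates records and is not part of one,
 * so a file that ends with a terminator yields a final empty record. With
 * `legacy` set, the pre-fix behaviour is reproduced: the trailing empty record
 * is created only when the file ends in CRLF, not in a bare LF.
 * Returns the record count. An empty file yields no records. */
size_t split_records(const char *text, size_t len, int legacy, records_t *out)
{
    size_t start = 0;
    out->count = 0;
    for (size_t i = 0; i < len; i++) {
        if (text[i] != '\n') continue;
        size_t end = i;
        if (end > start && text[end - 1] == '\r') end--;   /* drop the CR of a CRLF */
        add_record(out, text + start, end - start);
        start = i + 1;
    }
    if (start < len) {
        add_record(out, text + start, len - start);        /* last line had no terminator */
    } else if (len > 0) {
        int ends_with_crlf = len >= 2 && text[len - 2] == '\r';
        if (!legacy || ends_with_crlf)
            add_record(out, "", 0);                        /* the trailing empty record */
    }
    return out->count;
}

/* Download side: records joined with `nl` ("\n" or "\r\n") between them and
 * no terminator after the last. Returns the number of bytes written. */
size_t join_records(const records_t *r, const char *nl, char *buf, size_t buflen)
{
    size_t n = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < r->count && n < buflen; i++) {
        if (i > 0) n += (size_t)snprintf(buf + n, buflen - n, "%s", nl);
        if (n < buflen) n += (size_t)snprintf(buf + n, buflen - n, "%s", r->rec[i]);
    }
    return n < buflen ? n : buflen - 1;
}

/* Upload then download a file; returns 1 if the bytes come back identical. */
int round_trips(const char *text, const char *nl, int legacy)
{
    records_t r;
    char back[512];
    split_records(text, strlen(text), legacy, &r);
    join_records(&r, nl, back, sizeof back);
    return strcmp(text, back) == 0;
}

int main(void)
{
    /* Constructed sample uploads: one LF file, one CRLF file, each ending in a newline. */
    printf("LF file, fixed:     %s\n", round_trips("line 1\nline 2\n", "\n", 0) ? "identical" : "differs");
    printf("LF file, pre-fix:   %s\n", round_trips("line 1\nline 2\n", "\n", 1) ? "identical" : "differs");
    printf("CRLF file, pre-fix: %s\n", round_trips("line 1\r\nline 2\r\n", "\r\n", 1) ? "identical" : "differs");
    return 0;
}
```

The pre-fix path loses exactly one byte, the final LF, which is why the symptom is a diff between the original and the downloaded file rather than an error.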
Problem conclusion
1. The supported cipher definitions are needed for the GSK cipher filter merge to sync up with the Java server SSL. Note: with this change the Java handshake still fails; the change only straightens out the SSL sync and eases later troubleshooting.
2. Disconnect the JMON connection when the client idle connection times out. To work around the problem, leave JMON TIME_OUT at its default so that JMON cleans up idle connections.
3. Users get the same error code from JesJobUtil.getJobReturnCode() and JesJobUtil.getJobReturnInfo() in error situations.
4. JESMiner connects to JMON using trusted TCP/IP, without passing a user ID and PassTicket.
5. Users can call the new JesJobUtil submit API to submit a job and run their own logic after the job finishes executing.
6. Users now have a new option (supported by the new client GUI) to request that SMS attributes be included in a copy&paste to a SEQ dataset (from a PDS member or a SEQ source). For a PDS member copy the request is included in the options of the client command; no host change is required in that scenario.
7. Fix the parsing error so the input is fed properly to the check routine.
8. At the entry point for external input that sets up a connection to the RSE service, i.e. authentication, validate the input for characters usually seen in command execution before passing it to RACF for authentication.
9. Update the JESMiner C_SEARCHPLUS command to handle the usage error message from JMON and return the error response and message to the caller.
10. Obsolete records in the extended tracker's VSAM should be cleaned up to keep the tracking operation free of stale information and to improve performance.
11. Add an empty record for an LF newline detected at EOF on Unix-like uploads, assuming files from Windows always use CRLF as the newline.
12. Delay the user security thread switch until after the AT-TLS handshake. In this release only userid/password authentication is supported; client certificate authentication with AT-TLS is not supported yet.
13. Have the MVS lock tracker return an error that differentiates the error state from the no-record state; ThreadPool and Daemon in turn return a proper message.
14. An update is allowed only for credentials of the same type: either both are passwords or both are passphrases, never mixed. Adding or removing a password or passphrase is not supported by RSE/RSEAPI; it can be done using RACF commands directly.
15. Use strncpy with a length count adjusted to fit the destination buffers. Note: a non-null-terminated string is allowed for the class resource as input to the RACF assembler routine.
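Added example for item 8 (example code, not the product's daemon code). The APAR says the daemon now rejects credential input containing command-execution characters before calling RACF; the check below goes one step further than that description and uses an allowlist for the user ID field (RACF user ID syntax: 1 to 8 characters from letters, digits and the national characters @ # $), plus an explicit test for an HTTP request line, which is how browser or misrouted proxy traffic arrives on the daemon port. The method list, the verdict names and the constructed sample line are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    TOKEN_OK = 0,
    TOKEN_EMPTY,
    TOKEN_HTTP_REQUEST,   /* the "credential" is an HTTP request line */
    TOKEN_TOO_LONG,       /* longer than a RACF user ID can be */
    TOKEN_BAD_CHAR        /* outside the RACF user ID character set */
} token_verdict_t;

/* Request-line prefixes to recognise; an illustrative list for this example. */
static const char *const HTTP_METHODS[] = {
    "GET ", "HEAD ", "POST ", "PUT ", "DELETE ", "OPTIONS ", "CONNECT ", "TRACE ", "PATCH "
};

/* Constructed sample of what a browser pointed at the daemon port sends first. */
static const char STRAY_REQUEST_LINE[] = "GET / HTTP/1.1";

int looks_like_http_request(const char *s)
{
    for (size_t i = 0; i < sizeof HTTP_METHODS / sizeof HTTP_METHODS[0]; i++)
        if (strncmp(s, HTTP_METHODS[i], strlen(HTTP_METHODS[i])) == 0)
            return 1;
    return 0;
}

/* Allowlist check for the user ID token. Whitespace, '/', ';', quotes and
 * every other shell or command character fail by construction, so no
 * denylist of "dangerous" characters has to be maintained. */
token_verdict_t vet_userid(const char *s)
{
    size_t n = strlen(s);
    if (n == 0) return TOKEN_EMPTY;
    if (looks_like_http_request(s)) return TOKEN_HTTP_REQUEST;
    if (n > 8) return TOKEN_TOO_LONG;
    for (const char *p = s; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '@' || c == '#' || c == '$'))
            return TOKEN_BAD_CHAR;
    }
    return TOKEN_OK;
}

int main(void)
{
    const char *samples[] = { "USER1", STRAY_REQUEST_LINE, "user1;id", "VERYLONGUSER", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("[%s] -> verdict %d\n", samples[i], (int)vet_userid(samples[i]));
    return 0;
}
```

The order of the tests matters for diagnostics: the HTTP check runs before the length check so that a misrouted request is logged as such rather than as "user ID too long", which is the kind of message that sends an operator looking at the wrong component.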
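Added example for item 14 (example code, not the product's backend). It assumes the RACF length rules of at most 8 characters for a password and 9 to 100 characters for a password phrase, and shows the pre-fix truncation beside the fixed same-type check; the enum and function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* RACF credential lengths assumed for this example. */
#define PASSWORD_MAX   8
#define PHRASE_MIN     9
#define PHRASE_MAX   100

typedef enum { CRED_INVALID = 0, CRED_PASSWORD, CRED_PHRASE } cred_type_t;

typedef enum {
    CHANGE_OK = 0,
    CHANGE_ERR_INVALID,      /* empty, or longer than any RACF credential */
    CHANGE_ERR_MIXED_TYPES   /* password <-> phrase: not supported by RSE/RSEAPI */
} change_result_t;

cred_type_t classify_credential(const char *cred)
{
    size_t n = strlen(cred);
    if (n == 0 || n > PHRASE_MAX) return CRED_INVALID;
    return n <= PASSWORD_MAX ? CRED_PASSWORD : CRED_PHRASE;
}

/* Fixed behaviour: refuse the change unless both values are the same type. */
change_result_t validate_change(const char *old_cred, const char *new_cred)
{
    cred_type_t o = classify_credential(old_cred);
    cred_type_t n = classify_credential(new_cred);
    if (o == CRED_INVALID || n == CRED_INVALID) return CHANGE_ERR_INVALID;
    if (o != n) return CHANGE_ERR_MIXED_TYPES;
    return CHANGE_OK;
}

/* Pre-fix behaviour, for comparison: the backend assumed the new value had the
 * old value's type, so a new value longer than 8 bytes went into the 8-byte
 * password field and the caller was told "success" although bytes 9 onward
 * were cut off. Returns the length that would have been stored. */
size_t legacy_stored_length(const char *old_cred, const char *new_cred)
{
    size_t n = strlen(new_cred);
    if (classify_credential(old_cred) == CRED_PASSWORD && n > PASSWORD_MAX)
        return PASSWORD_MAX;
    return n;
}

int main(void)
{
    /* Constructed sample: an 8-byte password being "changed" to a 14-byte value. */
    const char *old_pw = "oldpass1", *new_val = "longerpassword";
    printf("pre-fix stored %zu of %zu bytes\n", legacy_stored_length(old_pw, new_val), strlen(new_val));
    printf("fixed verdict: %d (0 = ok, 2 = mixed types)\n", (int)validate_change(old_pw, new_val));
    return 0;
}
```

The user-visible consequence of the pre-fix path is worth spelling out: the user believes the new credential is the 14-character value, but only its first 8 characters will authenticate, so the next logon fails with a credential the user has never typed.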
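Added example for item 15 (example code, not the fekfomvs code). It places the unchecked strcpy pattern beside a bounded copy that terminates explicitly and reports truncation instead of accepting it, and shows the blank-padded, non-null-terminated class field that the note about the RACF assembler routine refers to. Buffer sizes and function names are illustrative assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes are illustrative. A RACF class name is at most 8 characters; the
 * resource buffer size is an example value, not the product's. */
#define CLASS_LEN     8
#define RESOURCE_MAX 64

/* Pre-fix pattern described in the APAR: strcpy into a fixed buffer with no
 * length check. Shown only to document the defect; never call it with input
 * that can exceed the destination. */
void profile_copy_unchecked(char dst[RESOURCE_MAX], const char *src)
{
    strcpy(dst, src);                 /* overflows when strlen(src) >= RESOURCE_MAX */
}

/* Fixed pattern for C strings. strncpy alone is not enough: when src has
 * dstlen or more bytes it leaves dst without a terminator. So the length is
 * checked first, the copy is bounded to dstlen-1, the terminator is written
 * explicitly, and truncation is reported rather than silently accepted, since
 * a truncated resource name would be checked against the wrong profile.
 * Returns 0 on success, -1 if src does not fit. */
int profile_copy_bounded(char *dst, size_t dstlen, const char *src)
{
    if (dstlen == 0) return -1;
    if (strlen(src) >= dstlen) {
        dst[0] = '\0';
        return -1;
    }
    strncpy(dst, src, dstlen - 1);
    dst[dstlen - 1] = '\0';
    return 0;
}

/* RACF assembler interfaces take the CLASS as a fixed-width field, blank
 * padded and not null terminated, which the APAR note says is permitted.
 * Returns the number of significant characters, or -1 if the name is too long. */
int racf_class_field(char dst[CLASS_LEN], const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > CLASS_LEN) return -1;
    memset(dst, ' ', CLASS_LEN);
    memcpy(dst, name, n);
    return (int)n;
}

int main(void)
{
    char resource[RESOURCE_MAX];
    char cls[CLASS_LEN];
    /* Constructed inputs: the APPL class and the FEKAPPL resource from the error message. */
    printf("resource copy: %d -> [%s]\n",
           profile_copy_bounded(resource, sizeof resource, "FEKAPPL"), resource);
    printf("class field:   %d -> [%.*s]\n", racf_class_field(cls, "APPL"), CLASS_LEN, cls);
    return 0;
}
```

When the destination is one of these padded assembler fields, the right tool is memcpy with an explicit bound, not strncpy, because a terminating NUL inside the field would be passed to RACROUTE as part of the class name.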
Temporary fix
Comments
APAR Information
APAR number
PH45939
Reported component name
EXP FOR Z/OS HO
Reported component ID
5655EXP23
Reported release
320
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-04-26
Closed date
2022-05-18
Last modified date
2022-06-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI80571
Modules/Macros
FEJENF70 FEJJCNFG FEJJJCL FEJJMON FEJTSO FEK1SMPE FEK2RCVE FEK3ALOC FEK4ZFS FEK5MKD FEK6DDEF FEK7APLY FEK8ACPT FEK@CERR FEK@CONE FEK@CONF FEK@CUST FEK@DEB FEK@DESC FEK@FLOW FEK@GEN FEK@GENW FEK@ISPF FEK@IVP FEK@IVPD FEK@IVPW FEK@JCN1 FEK@JCNE FEK@JESJ FEK@MAIN FEK@MIGO FEK@OPTE FEK@OPTG FEK@OPTN FEK@PRIM FEK@RSE1 FEK@RSEO FEK@STRT FEK@TAB1 FEK@TAB2 FEK@TAB3 FEK@WRK1 FEK@WRK2 FEK@WRK3 FEK@WRK4 FEK@WRK5 FEKAPPCC FEKAPPCL FEKAPPCX FEKATTR FEKDSI FEKEESX0 FEKFASIZ FEKFATT1 FEKFBLD FEKFCIPH FEKFCLIE FEKFCMOD FEKFCMPR FEKFCMSG FEKFCOMM FEKFCOPY FEKFCOR6 FEKFCORE FEKFDBG FEKFDBG6 FEKFDBGM FEKFDIR FEKFDIR6 FEKFDIVP FEKFDST0 FEKFDST1 FEKFDST2 FEKFENVF FEKFENVI FEKFENVP FEKFENVR FEKFENVS FEKFEPL FEKFERRF FEKFGDGE FEKFICUL FEKFISPF FEKFIVP0 FEKFIVPA FEKFIVPD FEKFIVPI FEKFIVPJ FEKFIVPT FEKFJESM FEKFJESU FEKFJLIC FEKFJSON FEKFJVM FEKFLATR FEKFLDSI FEKFLDSL FEKFLEOP FEKFLOGS FEKFLPTH FEKFMAI6 FEKFMAIN FEKFMINE FEKFMNTL FEKFNTCE FEKFOMVS FEKFPATT FEKFPLUG FEKFPTC FEKFRIVP FEKFRMSG FEKFRSES FEKFRSRV FEKFSCMD FEKFSEND FEKFSSL FEKFSTUP FEKFT000 FEKFT001 FEKFT002 FEKFT003 FEKFT004 FEKFT005 FEKFT006 FEKFT007 FEKFT008 FEKFT009 FEKFT010 FEKFT011 FEKFT012 FEKFT013 FEKFT014 FEKFT015 FEKFT016 FEKFT017 FEKFT018 FEKFT019 FEKFT020 FEKFT021 FEKFT022 FEKFT023 FEKFTIVP FEKFTSO FEKFUTIL FEKFVERS FEKFXITA FEKFXITL FEKFZOS FEKHCONF FEKHCUST FEKHDEB FEKHDESC FEKHFLOW FEKHGEN FEKHISPF FEKHIVP FEKHIVPD FEKHJESJ FEKHMAIN FEKHMIGO FEKHOPTE FEKHOPTN FEKHPRIM FEKHRSE1 FEKHRSEO FEKHSTRT FEKHTAB1 FEKHTAB2 FEKINIT FEKKEYS FEKLOCKA FEKLOGR FEKLOGS FEKM00 FEKM01 FEKM02 FEKMKDIR FEKMOUNT FEKMSGC FEKMSGS FEKRACF FEKRSED FEKSAPF FEKSAPPL FEKSBPX FEKSCLAS FEKSCLOG FEKSCMD FEKSCPYM FEKSCPYU FEKSDSN FEKSENV FEKSETUP FEKSISPF FEKSJCFG FEKSJCMD FEKSJMON FEKSLPA FEKSPROG FEKSPTKT FEKSRSED FEKSSERV FEKSSTC FEKSSU FEKSUSER FEKXCFGE FEKXCFGI FEKXCFGM FEKXCFGT FEKXMAIN FEKXML HUHFCOR6 HUHFCORE
Fix information
Fixed component name
EXP FOR Z/OS HO
Fixed component ID
5655EXP23
Applicable component levels
Business Unit: IBM Infrastructure w/TPS (BU058)
Product: IBM Explorer for z/OS (SSBDYH)
Platform: Platform Independent (PF025)
Version: 320
Line of Business: Mainframe SW (LOB35)
Document Information
Modified date:
06 July 2022