A fix is available
APAR status
Closed as program error.
Error description
Sporadic security violations on user-owned data sets during normal daily work, probably due to client response delay in connection establishment, sometimes after the user started working. Operators see, for example:

  RSED4 ACF99913 ACF2 VIOLATION-04,00,RSED,VR6848,<dataset name>,N/A
  RSED4 ACF90913 -DATASET CANNOT BE OPENED; AUTHORIZATION IS REQUIRED.

In the ACF2 report this violation shows up as:

  RSED 21.099 09/04 12.59 DATASET VIOLATION RSED4 VOL=<volser> DDN=SYS03261 DSN=<dataset name> STEP1 VOL= PGM=BPXPRFC LIB=SYS1.LINKLIB DA-OPN OUTPUT NORULE NAM=RSE DAEMONS ROL=OC01 SRC=STCINRDR UID=STCRSE

The security validation is done using the RSED started task ID instead of the user's UID.

FEKLOG shows at 2021.04.09 09:56:39:591:

  ELAQKK9,LOCK,ELAQKK9.PDS.PLI(F07J0)
  ELAQKK9,LOCK,ELAQKK9.PDS.PLI(F07J0),0
  ELAQKK9,READ,ELAQKK9.PDS.PLI(F07J0)
  ELAQKK9,READ,ELAQKK9.PDS.PLI(F07J0),0,%n%n%nFB%nN%n000%nN%n80%n2 9764%n0%n0%n %nelaqkk9 %nCRLFNL 0xD 0x240D 0x25 0x240A 0x15 0x2424 BADHEX %n363%n0%n0%n{RETRIEVEDATTRS:LEGACY;}

and then, after some time, at 12:59:53:472:

  ELAQKK9,WRITE,ELAQKK9.PDS.PLI(F07J0)
  ELAQKK9,WRITE,NoDataReceived,0
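To check whether a system shows the symptom described above, the following added example (not part of the APAR or of the product) scans console log lines for ACF99913 violations that were checked under the daemon ID against a data set with a different high-level qualifier. It assumes the comma-separated layout of the sample message above, with the third field being the ID the check ran under; the function names and the sample lines are constructed for illustration.

```python
import re

# Layout copied from the sample message in this APAR. Assumption: after
# "VIOLATION-" the third comma field is the ID the check ran under, the
# fourth the volume and the fifth the data set name.
VIOLATION = re.compile(r"^(?P<job>\S+)\s+ACF99913 ACF2 VIOLATION-(?P<rest>.+)$")

def parse_violation(line):
    """Return a dict for an ACF99913 line, or None for anything else."""
    m = VIOLATION.match(line.strip())
    if not m:
        return None
    fields = [f.strip() for f in m.group("rest").split(",")]
    if len(fields) < 5 or not fields[2] or not fields[4]:
        return None  # truncated or wrapped console line
    return {"job": m.group("job"), "checked_id": fields[2],
            "volume": fields[3], "dsn": fields[4]}

def daemon_id_violations(lines, daemon_ids=("RSED",)):
    """Violations checked under a daemon ID against another owner's data set."""
    hits = []
    for line in lines:
        v = parse_violation(line)
        if v is None or v["checked_id"] not in daemon_ids:
            continue
        hlq = v["dsn"].split(".", 1)[0]
        if hlq not in daemon_ids:  # the daemon's own data sets are a different problem
            hits.append(v)
    return hits

# Constructed sample: the page elides the data set name, so ELAQKK9.PDS.PLI
# (from the FEKLOG excerpt) and the TSOUSR1 line are filled in for illustration.
SAMPLE = [
    "RSED4 ACF99913 ACF2 VIOLATION-04,00,RSED,VR6848,ELAQKK9.PDS.PLI,N/A",
    "RSED4 ACF90913 -DATASET CANNOT BE OPENED; AUTHORIZATION IS REQUIRED.",
    "TSOUSR1 ACF99913 ACF2 VIOLATION-04,00,TSOUSR1,VR6848,SYS1.PARMLIB,N/A",
    "RSED4 ACF99913 ACF2 VIOLATION-04,00,RSED",
]

if __name__ == "__main__":
    for hit in daemon_id_violations(SAMPLE):
        print(f"{hit['job']}: {hit['dsn']} checked as {hit['checked_id']}")
```

Pass the started task ID used on your system in daemon_ids; a hit on a user-owned data set matches the pattern this APAR describes.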
Local fix
Problem summary
USERS AFFECTED:
1. Users on the server.
2. All user connections to systems having tape-type device data sets.
3. All RSE connections that delay the MVS file system connections by more than the passticket timeout.

PROBLEM DESCRIPTION:
1. Debugging shows that the holder of stdout/err (of ThreadPools) kept by Daemon keeps growing with duplicates. Daemon's message listener usually would print out garbage when Daemon stops.
2. Tape-device type currently is logged at info level and as active. The active status logging should be corrected and at debug level only.
3. After the passticket life span is expired, during the loading of the mvsminer, for the MVS file system connection operation, the lock manager would need a newly generated passticket to start up. The generation of the passticket is also required to be done under the ThreadPool/Daemon user ID.

1. Daemon has the holders for the stdout/err fds of ThreadPools to collect their messages for logging. It does not reset them each round it scans the ThreadPools and keeps accumulating duplicate fds. Daemon's message listener process terminates abruptly when exiting, causing Daemon to end up printing out garbage when it stops.
2. Minimize the tape-device info to debug level to avoid too much logging on systems with a high number of tape-device data sets.
3. The lock manager should be started up under the user security profile properly with a valid passticket. Only the server ID is required to have the permission to generate a passticket. A user thread may fail to generate a passticket and could fail to load and set up the mvsminer properly in the described scenario.
Problem conclusion
1. Reset the std fd holder in each round of scan. Have the messaging process send an exit back to Daemon so that its message listener displays properly.
2. Tape-device type active status is corrected and logged only at debug level.
3. Have the lock manager start up with a valid passticket. Have the passticket generation call used by the MVS file system initialization and connection operation run in a newly generated thread, so that it inherits the process server ID and is able to generate the passticket. The connection should be done with the newly generated ticket so that the mvsminer's lock manager works with the proper security profile as the user.
Temporary fix
Comments
APAR Information
APAR number
PH47252
Reported component name
EXP FOR Z/OS HO
Reported component ID
5655EXP23
Reported release
320
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-06-15
Closed date
2022-11-10
Last modified date
2022-12-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI83251
Modules/Macros
FEJENF70 FEJJCNFG FEJJJCL FEJJMON FEJTSO FEK1SMPE FEK2RCVE FEK3ALOC FEK4ZFS FEK5MKD FEK6DDEF FEK7APLY FEK8ACPT FEK@CERR FEK@CONE FEK@CONF FEK@CUST FEK@DEB FEK@DESC FEK@FLOW FEK@GEN FEK@GENW FEK@ISPF FEK@IVP FEK@IVPD FEK@IVPW FEK@JCN1 FEK@JCNE FEK@JESJ FEK@MAIN FEK@MIGO FEK@OPTE FEK@OPTG FEK@OPTN FEK@PRIM FEK@RSE1 FEK@RSEO FEK@STRT FEK@TAB1 FEK@TAB2 FEK@TAB3 FEK@WRK1 FEK@WRK2 FEK@WRK3 FEK@WRK4 FEK@WRK5 FEKAPPCC FEKAPPCL FEKAPPCX FEKATTR FEKDSI FEKEESX0 FEKFASIZ FEKFATT1 FEKFBLD FEKFCIPH FEKFCLIE FEKFCMOD FEKFCMPR FEKFCMSG FEKFCOMM FEKFCOPY FEKFCOR6 FEKFCORE FEKFDBG FEKFDBG6 FEKFDBGM FEKFDIR FEKFDIR6 FEKFDIVP FEKFDST0 FEKFDST1 FEKFDST2 FEKFENVF FEKFENVI FEKFENVP FEKFENVR FEKFENVS FEKFEPL FEKFERRF FEKFGDGE FEKFICUL FEKFISPF FEKFIVP0 FEKFIVPA FEKFIVPD FEKFIVPI FEKFIVPJ FEKFIVPT FEKFJESM FEKFJESU FEKFJLIC FEKFJSON FEKFJVM FEKFLATR FEKFLDSI FEKFLDSL FEKFLEOP FEKFLOGS FEKFLPTH FEKFMAI6 FEKFMAIN FEKFMINE FEKFMNTL FEKFNTCE FEKFOMVS FEKFPATT FEKFPLUG FEKFPTC FEKFRIVP FEKFRMSG FEKFRSES FEKFRSRV FEKFSCMD FEKFSEND FEKFSSL FEKFSTUP FEKFT000 FEKFT001 FEKFT002 FEKFT003 FEKFT004 FEKFT005 FEKFT006 FEKFT007 FEKFT008 FEKFT009 FEKFT010 FEKFT011 FEKFT012 FEKFT013 FEKFT014 FEKFT015 FEKFT016 FEKFT017 FEKFT018 FEKFT019 FEKFT020 FEKFT021 FEKFT022 FEKFT023 FEKFT024 FEKFT025 FEKFTIVP FEKFTSO FEKFUTIL FEKFVERS FEKFXITA FEKFXITL FEKFZOS FEKHCONF FEKHCUST FEKHDEB FEKHDESC FEKHFLOW FEKHGEN FEKHISPF FEKHIVP FEKHIVPD FEKHJESJ FEKHMAIN FEKHMIGO FEKHOPTE FEKHOPTN FEKHPRIM FEKHRSE1 FEKHRSEO FEKHSTRT FEKHTAB1 FEKHTAB2 FEKINIT FEKKEYS FEKLOCKA FEKLOGR FEKLOGS FEKM00 FEKM01 FEKM02 FEKMKDIR FEKMOUNT FEKMSGC FEKMSGS FEKRACF FEKRSED FEKSAPF FEKSAPPL FEKSBPX FEKSCLAS FEKSCLOG FEKSCMD FEKSCPYM FEKSCPYU FEKSDSN FEKSENV FEKSETUP FEKSISPF FEKSJCFG FEKSJCMD FEKSJMON FEKSLPA FEKSPROG FEKSPTKT FEKSRSED FEKSSERV FEKSSTC FEKSSU FEKSUSER FEKXCFGE FEKXCFGI FEKXCFGM FEKXCFGT FEKXMAIN FEKXML HUHFCOR6 HUHFCORE
Fix information
Fixed component name
EXP FOR Z/OS HO
Fixed component ID
5655EXP23
Applicable component levels
R320 PSY UI83251
UP22/11/22 P F211
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
01 December 2022