PH47294: PORTABLE SOFTWARE INSTANCE DOWNLOAD CLIENT XML HTTPPROXY TAGS DISPLAY PROXY AUTHENTICATION IN PLAIN TEXT

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• When downloading software directly from IBM, we have to
  authenticate through our proxy. As things stand with zOSMF, the
  proxy authentication is held in plain text in zOSMF; any user
  who logs on can then see the authentication details (ie, my
  Windows login and password), which is a huge security flaw from
  my perspective. And once the PSWI has been downloaded, that
  information is static and can't be removed without removing the
  whole PWSI (although the download stays).
  
  The user should have the option to specify the Client XML
  directly in the page, in a file in Unix System Services, or a
  standard dataset (with or without member name).
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: All users of the z/OSMF Software Management, *
  *                 Portable Software Instances, Add - From      *
  *                 Download Server task.                        *
  ****************************************************************
  * PROBLEM DESCRIPTION: When using the z/OSMF Software          *
  *                      Management, Portable Software           *
  *                      Instances, Add - From Download Server   *
  *                      task, the Client XML is saved and       *
  *                      displayed in plain text and it may      *
  *                      contain passwords to authenticate with  *
  *                      proxies. Therefore, z/OSMF should allow *
  *                      the Client XML to be provided in a data *
  *                      set or UNIX file, thus the XML and any  *
  *                      passwords or other information it       *
  *                      contains will not be saved or displayed *
  *                      in z/OSMF.                              *
  ****************************************************************
  z/OSMF Software Management, Portable Software Instances,
  Add - From Download Server task has been updated to allow the
  user to specify the Client XML in either a text input field or
  a data set or Unix file.
  
  The Portable Software Instances - View page has also been
  updated to display the Client XML text input or the data set
  or Unix file name.
  

Problem conclusion

• z/OSMF Software Management, Portable Software Instances,
  Add - From Download Server task has been updated in z/OS 2.4
  and 2.5 to allow the user to specify the Client XML in a
  partitioned data set member, sequential data set, or UNIX file
  and the generated Download JCL will refer to the specified data
  set or UNIX file.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Modules/Macros

• IZUDMAPI IZUDMHLP IZUDMJNI IZUDMUI  IZUDXAPL
  

Fix information

• Fixed component name

  Z/OSMF DEPLYMNT

• Fixed component ID

  5655S2804

Applicable component levels

• R244 PSY UI83645

     UP22/12/21 P F212

• R254 PSY UI83644

     UP22/12/21 P F212

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.