PH66886: IBM EXPLORER FOR Z/OS INTERNAL DEFECTS AND ENHANCEMENTS

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• IBM Explorer for z/OS internal defects and enhancements
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: 1.All users                                  *
  *                 2.All users                                  *
  *                 3.All users                                  *
  *                 4.All users                                  *
  *                 5.sysprogs running version.sh                *
  *                 6.All users                                  *
  *                 7.All users                                  *
  *                 8.All users                                  *
  *                 9.All users                                  *
  *                 10.All users                                 *
  *                 11.All users                                 *
  ****************************************************************
  * PROBLEM DESCRIPTION: 1.RSED always does crypto initilization *
  *                        even for unencrypted communication    *
  *                      2.Update default Java version from      *
  *                        Java 8 31-bit to Java 8 64-bit        *
  *                      3.Update encrypted communication        *
  *                        defaults for RSED                     *
  *                      4.Update encrypted communication        *
  *                        defaults for RSED daemon IVP          *
  *                      5.version.sh might always report GA     *
  *                        version                               *
  *                      6.z/OS Explorer host z/OS UNIX service  *
  *                        returns incorrect expiration date     *
  *                        for user who has a passphrase         *
  *                      7.RSED does not detect the special      *
  *                        case of 'never expires' password or   *
  *                        passpharse                            *
  *                      8.RFE to audit the client versions      *
  *                      9.RFE to only allow X.509               *
  *                        authentication                        *
  *                      10.RFE to adjust naming of temporary    *
  *                        data set for load module copy         *
  *                      11.RFE to reduce log messages for       *
  *                        AT-TLS validation                     *
  ****************************************************************
  1.It's no harm but non-relevant cipher processing logging is
    confusing
  2.Update default Java from Java 8 31-bit to Java 8 64-bit
  3.RSED now self-manages default cryptographic ciphers instead of
    relying on System SSL defaults, TLS 1.3 is now enabled by
    default, and RSED uses 4-character cipher IDs by default;
    TLS 1.3: 1301,1302,1303
    TLS 1.2: C030,C02C,C02F,C02B (or 35,2F in 2-character ID mode)
  4.Update encrypted communication defaults for RSED daemon IVP
  5.When no RSE initialization is done, the RSE version reporting
    script (zexpl/bin/version.sh) will report the GA version
    instead of the current service level
  6.When using a passphrase, the date on which the passphrase was
    activated is retireved incorrectly, resulting in incorrect
    expiration date calculation
  7.A Password/passphrase expiration policy of 255 days is
    interpreted literally, not as non-expiring password
  8.Enhancement to audit client versions, see
    MINIMUM_CLIENT_VERSIONS and
    MINIMUM_CLIENT_VERSIONS_VALIDATION_LEVEL in rse.env
  9.Enhancement to only allow X.509 authentication, see
    RSE_CLIENT_CERT_AUTH_ONLY in rse.env
  10.Enhancement to adjust the naming of temporary work data sets
    for load module copy, See _RSE_MVS_TEMP_QUALIFIER in rse.env
  11.Enhancement to reduce log messages for AT-TLS validation
  

Problem conclusion

• 1.Simply skip cipher setup when running in non-SSL mode.
  2.Update default Java from Java 8 31-bit to Java 8 64-bit
  3.RSED now self-manages default cryptographic ciphers instead of
    relying on System SSL defaults, TLS 1.3 is now enabled by
    default, and RSED uses 4-character cipher IDs by default.
  4.Update encrypted communication defaults for RSED daemon IVP
  5.Script updated to report correct service level
  6.Correct the retrieval of last reset for passphrase and
    expiration policy number-of-days to calculate the expiration
    date.
  7.RSED to set a flag when a never-expires pass is detected.
  8.Client now provides the information of client product
    registration (product ID, name and versions) during connection
    setup time, and server logs product name and version of the
    offerings in server audit.log along with the connection entry.
  9.Server can now be tld to only accept X.509 authentication.
  10.To follow customer's specific SMS naming rules, the sysprog
    cancustomize the second qualifier of the temporary data sets
    used during load module copy.
  11.Removed standard stream non-error logging for AT-TLS check.
     ServerThread's logging is in dstore trace.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UO03550

Modules/Macros

• FEJENF70 FEJJCNFG FEJJJCL  FEJJMON  FEJTSO   FEK1SMPE FEK2RCVE
  FEK3ALOC FEK4ZFS  FEK5MKD  FEK6DDEF FEK7APLY FEK8ACPT FEK@CERR
  FEK@CONE FEK@CONF FEK@CUST FEK@DEB  FEK@DESC FEK@FLOW FEK@GEN
  FEK@GENW FEK@ISPF FEK@IVP  FEK@IVPD FEK@IVPW FEK@JCN1 FEK@JCNE
  FEK@JESJ FEK@MAIN FEK@MIGO FEK@OPTE FEK@OPTG FEK@OPTN FEK@PRIM
  FEK@RSE1 FEK@RSEO FEK@STRT FEK@TAB1 FEK@TAB2 FEK@TAB3 FEK@WRK1
  FEK@WRK2 FEK@WRK3 FEK@WRK4 FEK@WRK5 FEKAPPCC FEKAPPCL FEKAPPCX
  FEKATTR  FEKDSI   FEKEESX0 FEKFASIZ FEKFATT1 FEKFBLD  FEKFCIPH
  FEKFCLIE FEKFCMOD FEKFCMPR FEKFCMSG FEKFCOMM FEKFCOPY FEKFCOR6
  FEKFCORE FEKFDIR  FEKFDIR6 FEKFDIVP FEKFDST0 FEKFDST1 FEKFDST2
  FEKFENVF FEKFENVI FEKFENVP FEKFENVR FEKFENVS FEKFEPL  FEKFERRF
  FEKFGDGE FEKFICUL FEKFISPF FEKFIVP0 FEKFIVPA FEKFIVPD FEKFIVPI
  FEKFIVPJ FEKFIVPT FEKFJESM FEKFJESU FEKFJLIC FEKFJSON FEKFJVM
  FEKFLATR FEKFLDSI FEKFLDSL FEKFLEOP FEKFLOGS FEKFLPTH FEKFMAI6
  FEKFMAIN FEKFMINE FEKFMNTL FEKFNTCE FEKFOMVS FEKFPATT FEKFPKCS
  FEKFPLUG FEKFPTC  FEKFRIVP FEKFRMSG FEKFRSES FEKFRSRV FEKFSCMD
  FEKFSEND FEKFSSL  FEKFSTUP FEKFT000 FEKFT002 FEKFT003 FEKFT004
  FEKFT005 FEKFT006 FEKFT007 FEKFT008 FEKFTEAM FEKFTIVP FEKFTSO
  FEKFUTIL FEKFVERS FEKFXITA FEKFXITL FEKFZOS  FEKHCONF FEKHCUST
  FEKHDEB  FEKHDESC FEKHFLOW FEKHGEN  FEKHISPF FEKHIVP  FEKHIVPD
  FEKHJESJ FEKHMAIN FEKHMIGO FEKHOPTE FEKHOPTN FEKHPRIM FEKHRSE1
  FEKHRSEO FEKHSTRT FEKHTAB1 FEKHTAB2 FEKINIT  FEKKEYS  FEKLOCKA
  FEKLOGR  FEKLOGS  FEKM00   FEKM01   FEKM02   FEKMKDIR FEKMOUNT
  FEKMSGC  FEKMSGS  FEKPKCS1 FEKRACF  FEKRSED  FEKSAPF  FEKSAPPL
  FEKSBPX  FEKSCLAS FEKSCLOG FEKSCMD  FEKSCPYM FEKSCPYU FEKSDSN
  FEKSENV  FEKSETUP FEKSISPF FEKSJCFG FEKSJCMD FEKSJMON FEKSJWT
  FEKSJWTU FEKSLPA  FEKSPROG FEKSPTKT FEKSRSED FEKSSERV FEKSSTC
  FEKSSU   FEKSUSER FEKXCFGE FEKXCFGI FEKXCFGM FEKXCFGT FEKXMAIN
  FEKXML   HUHFCOR6 HUHFCORE
  

Fix information

• Fixed component name

  EXP FOR Z/OS HO

• Fixed component ID

  5655EXP23

Applicable component levels

• R340 PSY UO03550

     UP25/06/13 P F506

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.