A fix is available
APAR status
Closed as new function.
Error description
IBM Fibre Channel Endpoint Security Support
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All z/VM users that exploit IBM Fibre        *
*                 Channel Endpoint Security hardware.          *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
z/VM provides support for z15 Fibre Channel Endpoint Security, by providing the following:
- Query the encryption status of target worldwide port names (WWPNs) associated with a Fibre Channel Protocol (FCP) device via the QUERY FCP command (Q FCP ENCryption_status).
- Query the encryption and authentication capability of a FICON channel path via the QUERY PATHS command.
- Track encryption state changes by recognizing Store Event Information channel report data and creating an event monitor record for each state change.
Problem conclusion
Temporary fix
FOR RELEASE VM/ESA CP/ESA R640 :
PREREQ: VM65942 VM66095 VM66105 VM66357 VM66248
CO-REQ: NONE
IF-REQ: NONE
FOR RELEASE VM/ESA CP/ESA R710 :
PREREQ: VM66219 VM66357 VM66248
CO-REQ: NONE
IF-REQ: NONE
Comments
IBM Fibre Channel Endpoint Security is an end-to-end solution that ensures the integrity and confidentiality of all data flowing on Fibre Channel links between an IBM z15 or LinuxONE III server and a DS8900F within the data center, as the data moves between trusted entities.

The minimum hardware required is the following:
- Driver D41C bundle level as documented in IBM Support - Preventive Service Planning buckets, Upgrade 8561DEVICE, Subset 8561/ZVM (http://www-01.ibm.com/support/docview.wss?uid=isg1_8561DEVICE_8561-ZVM)
- FICON Express16SA Adapter
- Endpoint Security Enablement
- CPACF enablement
- IBM Security Key Lifecycle Manager version 3.0.1
- DS8900F enabled for EndPoint Security
- SAN Hardware requirements and software requirements and pre-requisites required for support of IFCES can be found in Resource Link: https://www-01.ibm.com/servers/resourcelink/lib03020.nsf/pages/switchesAndDirectorsQualifiedForIbmSystemZRFiconRAndFcpChannels

==============================================================
The following contains information about all the publication hits that go along with VM66242 on z/VM 6.4.0 and z/VM 7.1.0.

Publication Title: z/VM CP Commands and Utilities Reference
    Order Number    System + Release
    SC24-6175-13    z/VM 6.4.0
    SC24-6268-04    z/VM 7.1.0

The QUERY PATHS command information was modified by adding encrypted link and authenticated link lines to the command response explained in Response 1:

Response 1 (Generic): The following is the full, generic response to the QUERY PATHS command. Normally, you will see only pieces of this response, as CP displays only the lines that have data. For example, if the device does not have any offline channel paths, CP would not display lines 6 through 10. The maximum number of channel paths is 8, as shown in the example. CP displays only the number of channel paths attached to the device. The responses that follow this generic one will show examples of these shortened responses.
     1  Device rdev, Status status
     2  CHPIDs to Device rdev (PIM) : chpid1 ...... chpid8
     3  Physically Available (PAM)  : +/-    .....  +/-
     4  Online (LPM)                : +/-    .....  +/-
     5  Preferred                   : +/-    .....  +/-
     6  Offline by Authorized User  : +/-    .....  +/-
     7  Offline by ESCON Manager    : +/-    .....  +/-
     8  Out of Path Group by Guest  : +/-    .....  +/-
     9  Offline by Control Unit     : +/-    .....  +/-
    10  Offline, Wrong CU Connection: +/-    .....  +/-
    11  Transport Mode Supported    : +/-    .....  +/-
    12  Encrypted Link              : +/-    .....  +/-
    13  Authenticated Link          : +/-    .....  +/-
    14  Legend    + Yes  - No

Line Explanations
12  identifies the paths that are enabled for encryption.
13  identifies the paths that are enabled for authentication.

----------------------------------------------------------------
The QUERY FCP command was modified by adding information about the new ENCryption_status parameter in the railroad track diagram, the Operands section and the Responses section:

QUERY FCP

                    .-ACTive----------------------------------.
    >>--Query--FCP--+-----------------------------------------+--><
                    |-AGEnt-----------------------------------|
                    |-ALL-------------------------------------|
                    |-ATTach--.--------.----------------------|
                    |         '-userid-'                      |
                    |-BOXed-----------------------------------|
                    |-ENCryption_status--rdev--.------------.-|
                    |                          '-WWPN--wwpn-' |
                    |                                         |
                    |-FREe------------------------------------|
                    |-OFFline---------------------------------|
                    |       .-ALL-----------------.           |
                    '-WWPN--+---------------------+-----------'
                            | <-----------------< |
                            '--.-rdev----------.--'
                               '-.-----------.-'
                                 '-rdev-rdev-'

Operands
. . .
ENCryption_status
    indicates the encryption status of a target WWPN (if a WWPN is specified) or the encryption status of all the target WWPNs associated with the specified FCP device.
WWPN <wwpn>
    indicates a target WWPN on the storage controller (associated with the HBA).

Responses
. . .
Response 9: When you enter a QUERY FCP ENCryption_status command for an FCP device, you see something like this:

    q fcp enc 8181
    FCP 8181 WWPN 50050763091493CA AVAILABLE
    FCP 8181 WWPN 50050763091193CA AUTHENTICATED
    FCP 8181 WWPN 50050763090193CA ENCRYPTED
    Ready;

Response 10: When you enter a QUERY FCP ENCryption_status command for an FCP device and a target WWPN you see something like this:

    q fcp enc 8181 wwpn 50050763090193CA
    FCP 8181 WWPN 50050763090193CA ENCRYPTED
    Ready;

. . .
Messages:
. . .
o HCP6004E This command is not supported on your system.

================================================================
Publication Title: z/VM CP Messages and Codes
    Order Number    System + Release
    GC24-6177-12    z/VM 6.4.0
    GC24-6270-03    z/VM 7.1.0

The information for message HCP600402E has been updated to the following:

HCP600402E -- This command is not supported on your system.
Explanation: The command you entered is not supported because your z/VM system is running in a virtual machine or the processor that your system is running on does not support the command.
System Action: CP rejects the command.
User Response: If your system is running in a virtual machine, then reissue the command on a z/VM system that is running natively.
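A check built on the QUERY FCP ENCryption_status responses shown in Response 9 and Response 10 above, as an added example that is not IBM code: it parses captured command output and lists every target WWPN whose state is not ENCRYPTED. The function names, the policy of treating any other state as a finding, and the optional module letters allowed in the message ID are assumptions; the sample input is the Response 9 text from this page.

```python
import re

# One response line, in the layout shown in Response 9 and Response 10:
#   FCP <rdev> WWPN <16 hex digits> <state>
LINE_RE = re.compile(
    r"^FCP\s+([0-9A-Fa-f]{1,4})\s+WWPN\s+([0-9A-Fa-f]{16})\s+(\S+)\s*$")
# CP message ID such as HCP6004E (assumption: a module ID of up to
# three letters may sit between "HCP" and the number when displayed).
MSG_RE = re.compile(r"^(HCP[A-Z]{0,3}\d+[A-Z])\b")


def parse_fcp_encryption(output):
    """Return (records, messages) parsed from captured command output.

    records:  list of (rdev, wwpn, state) tuples, upper-cased
    messages: CP message IDs seen, so "command not supported" is never
              mistaken for "nothing unencrypted"
    """
    records, messages = [], []
    for raw in output.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            rdev, wwpn, state = (g.upper() for g in m.groups())
            records.append((rdev.zfill(4), wwpn, state))
            continue
        m = MSG_RE.match(line)
        if m:
            messages.append(m.group(1))
    return records, messages


def audit(output, required_state="ENCRYPTED"):
    """List target WWPNs whose link state is not the required one."""
    records, messages = parse_fcp_encryption(output)
    if messages or not records:
        # Fail closed: a response with no usable status is a finding.
        raise ValueError("no encryption status returned: %s"
                         % (messages or "empty response"))
    return [r for r in records if r[2] != required_state]


# Sample input: the Response 9 text from this page.
SAMPLE = """\
q fcp enc 8181
FCP 8181 WWPN 50050763091493CA AVAILABLE
FCP 8181 WWPN 50050763091193CA AUTHENTICATED
FCP 8181 WWPN 50050763090193CA ENCRYPTED
Ready;
"""

if __name__ == "__main__":
    for rdev, wwpn, state in audit(SAMPLE):
        print("FCP %s target WWPN %s is %s" % (rdev, wwpn, state))
```

Raising on HCP6004E or an empty response keeps a system where the command is rejected from being reported as fully encrypted.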
APAR Information
APAR number
VM66242
Reported component name
VM CP
Reported component ID
568411202
Reported release
640
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2019-01-02
Closed date
2020-03-19
Last modified date
2021-06-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UM35614 UM35615 UM35616
Modules/Macros
CPLOAD FCP HCPCCO HCPCIO HCPIOX HCPMC HCPMDLAT HCPMES HCPMESA HCPMESB HCPMONEQ HCPMXD HCPMXD$ HCPMXI HCPMXRBK HCPQFC HCPQPS HCPRP HCP6004E MRIODSEC PATHS
GC24617712 | SC24617513 | GC24627003 | SC24626804 |
Fix information
Fixed component name
VM CP
Fixed component ID
568411202
Applicable component levels
RA64 PSY UM35812
UP21/02/17 I 1000
R640 PSY UM35615
UP20/03/24 I 1000
R710 PSY UM35616
UP20/03/24 P 2101
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
30 June 2021