IBM Support

VM66242: IBM FIBRE CHANNEL ENDPOINT SECURITY SUPPORT

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • IBM Fibre Channel Endpoint Security Support
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All z/VM users that exploit IBM Fibre        *
    *                 Channel Endpoint Security hardware.          *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION: APPLY PTF                                    *
    ****************************************************************
    z/VM provides support for z15 Fibre Channel Endpoint Security,
    by providing the following:
    
    - Query the encryption status of target worldwide port names
      (WWPNs) associated with a Fibre Channel Protocol (FCP)
      device via the QUERY FCP command (Q FCP ENCryption_status).
    
    - Query the encryption and authentication capability of
      a FICON channel path via the QUERY PATHS command.
    
    - Track encryption state changes by recognizing Store Event
      Information channel report data and creating an event monitor
      record for each state change.
    

Problem conclusion

Temporary fix

Comments

  • IBM Fibre Channel Endpoint Security is an end-to-end
    solution that ensures the integrity and confidentially
    of all data flowing on Fibre Channel links between a
    IBM Z15 or LinuxONE III server and a DS8900F within
    the data center, as the data moves between trusted entities.
    
    The minimum hardware required is the following:
    
    - Driver D41C bundle level as documented in IBM Support -
      Preventive Service Planning buckets, Upgrade 8561DEVICE,
      Subset 8561/ZVM (http://www-01.ibm.com/support/docview.
        wss?uid=isg1_8561DEVICE_8561-ZVM)
    
    - FICON Express16SA Adapter
    
    - Endpoint Security Enablement
    
    - CPACF enablement
    
    - IBM Security Key Lifecycle Manager version 3.0.1
    
    - DS8900F enabled for EndPoint Security
    
    - SAN Hardware requirements and software requirements and
      pre-requisites required for support of IFCES can be found
      in Resource Link:
    https://www-01.ibm.com/servers/resourcelink/lib03020.nsf/pages
    /switchesAndDirectorsQualifiedForIbmSystemZRFiconRAndFcpChannels
    
    
    ==============================================================
    
    The following contains information about all the publication
    hits that go along with VM66242 on z/VM 6.4.0. and z/VM 7.1.0.
    
    Publication Title:   z/VM CP Commands and Utilities Reference
    Order Number         SC24-6175-13      SC24-6268-04
    System + Release     z/VM 6.4.0        z/VM 7.1.0
    
    
    The QUERY PATHS command information was modified by adding
    encrypted link and authenticated link lines to the command
    response explained in Response 1:
    
     Response 1 (Generic):
    
     The following is the full, generic response to the QUERY
     PATHS command.  Normally, you will see only pieces of this
     response, as CP displays only the lines that have data.
     For example, if the device does not have any offline
     channel paths, CP would not display lines 6 through 10.
     The maximum number of channel paths is 8, as shown in the
     example.  CP displays only the number of channel paths
     attached to the device. The responses that follow this
     generic one will show examples of these shortened responses.
    
      1     Device rdev, Status status
      2      CHPIDs to Device rdev (PIM)  : chpid1 ...... chpid8
      3       Physically Available (PAM)  :  +/-   .....   +/-
      4       Online               (LPM)  :  +/-   .....   +/-
      5       Preferred                   :  +/-   .....   +/-
      6       Offline by Authorized User  :  +/-   .....   +/-
      7       Offline by ESCON Manager    :  +/-   .....   +/-
      8       Out of Path Group by Guest  :  +/-   .....   +/-
      9       Offline by Control Unit     :  +/-   .....   +/-
     10       Offline, Wrong CU Connection:  +/-   .....   +/-
     11       Transport Mode Supported    :  +/-   .....   +/-
     12       Encrypted Link              :  +/-   .....   +/-
     13       Authenticated Link          :  +/-   .....   +/-
     14                            Legend     + Yes - No
    
     Line    Explanations
    
     12      identifies the paths that are enabled for
             encryption.
    
     13      identifies the paths that are enabled for
             authentication.
    
    ----------------------------------------------------------------
    
    The QUERY FCP command was modified by adding information
    about the new ENCryption_status parameter in the railroad
    track diagram, the Operands section and the Responses
    section:
    
    
    QUERY FCP
    
    
                     .-ACTive----------------------------------.
     >>--Query--FCP--+-----------------------------------------+--><
                     |-AGEnt-----------------------------------|
                     |-ALL-------------------------------------|
                     |-ATTach--.--------.----------------------|
                     |         '-userid-'                      |
                     |-BOXed-----------------------------------|
                     |-ENCryption_status--rdev--.------------.-|
                     |                          '-WWPN--wwpn-' |
                     |                                         |
                     |-FREe------------------------------------|
                     |-OFFline---------------------------------|
                     |       .-ALL-----------------.           |
                     '-WWPN--+---------------------+-----------'
                             | <-----------------< |
                             '--.-rdev----------.--'
                                '-.-----------.-'
                                  '-rdev-rdev-'
    
    
    Operands
    
     .
     .
     .
    
     ENCryption_status
         indicates the encryption status of a target WWPN (if a
         WWPN is specified) or the encryption status of all the
         target WWPNs associated with the specified FCP device.
    
     WWPN <wwpn>
         indicates a target WWPN on the storage controller
         (associated with the HBA).
    
    
    Responses
    
     .
     .
     .
    
    
     Response 9:
    
     When you enter a QUERY FCP ENCryption_status command for an
     FCP device, you see something like this:
    
       q fcp enc 8181
       FCP 8181 WWPN 50050763091493CA AVAILABLE
       FCP 8181 WWPN 50050763091193CA AUTHENTICATED
       FCP 8181 WWPN 50050763090193CA ENCRYPTED
       Ready;
    
     Response 10:
    
     When you enter a QUERY FCP ENCryption_status command for
     an FCP device and a target WWPN you see something like this:
    
       q fcp enc 8181 wwpn 50050763090193CA
       FCP 8181 WWPN 50050763090193CA ENCRYPTED
       Ready;
    
     .
     .
     .
    
     Messages:
    
     .
     .
     .
    
       o HCP6004E This command is not supported on your system.
    
    ================================================================
    
    Publication Title:   z/VM CP Messages and Codes
    Order Number         GC24-6177-12      GC24-6270-03
    System + Release     z/VM 6.4.0        z/VM 7.1.0
    
    
    The information for message HCP600402E has been updated to the
    following:
    
    HCP600402E
    
    --        This command is not supported on your system.
    
    Explanation:  The command you entered is not supported because
                  your z/VM system is running in a virtual machine
                  or the processor that your system is running
                  on does not support the command.
    
    System Action:  CP rejects the command.
    
    User Response:  If your system is running in a virtual machine,
                    then reissue the command on a z/VM system
                    that is running natively.
    

APAR Information

  • APAR number

    VM66242

  • Reported component name

    VM CP

  • Reported component ID

    568411202

  • Reported release

    640

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2019-01-02

  • Closed date

    2020-03-19

  • Last modified date

    2020-03-28

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UM35614 UM35615 UM35616

Modules/Macros

  • CPLOAD   FCP      HCPCCO   HCPCIO   HCPIOX   HCPMC    HCPMDLAT
    HCPMES   HCPMESA  HCPMESB  HCPMONEQ HCPMXD   HCPMXD$  HCPMXI
    HCPMXRBK HCPQFC   HCPQPS   HCPRP    HCP6004E MRIODSEC PATHS
    

Publications Referenced
GC24617712SC24617513GC24627003SC24626804 

Fix information

  • Fixed component name

    VM CP

  • Fixed component ID

    568411202

Applicable component levels

  • R640 PSY UM35615

       UP20/03/24 I 1000

  • R710 PSY UM35616

       UP20/03/24 I 1000

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG27M","label":"APARs - z\/VM environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"640","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
24 March 2020