IBM Support

IBM Security zSecure V2.2.0 Incompatibility Warnings

News


Abstract

The incompatibility warnings in the Release Notes for zSecure V2.2.0 have changed.

Content

For APAR OA50610, recreate user scripts CKRXRUS and CKGXRUS have been updated. As a result, the behavior of zSecure Admin option RA.4.6 Recreate user has changed.

As a result of the IBM Security zSecure 64-bit Service Stream Enhancement, the section Additional program names was updated and the section Select program to run was added to these V2.2.0 Incompatibility Warnings.

Also, PTFs are available through OA49690 to resolve the Access Monitor abend B37-04.





New XFACILITY resource for User Interface-based queries
    A new resource profile is used in the XFACILITY resource class. The new CKR.CONTROL.MASK resource has no effect on CARLa queries running in the batch environment. However, in the ISPF user interface, the new CKR.CONTROL.MASK resource controls whether users can specify short patterns for the profile selections. This affects options RA.U, RA.G, RA.D, and RA.R. If a user has READ access or higher, the panels allow pattern specification as before. If a user has no access, the profile field on these selection panels requires a pattern that starts with at least three non-generic characters. On the RA.U panel, it is also possible to specify a name pattern of at least three characters. In addition, the selection panel for option RA.R requires the full specification of the resource class.

    If the user does not have READ access to the new resource, the ISPF user interface automatically adds an OPTION statement to select OPTIMIZE=STORAGE.

    If you have defined a backstop profile like CKR.**, this existing profile also matches the new CKR.CONTROL.MASK resource. In this situation, you might need to define a more specific profile to allow users to specify more generic patterns for their interactive CARLa queries.
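
    A more specific profile for the new resource could be defined as in the following added example, which is not part of the IBM release notes. The group name SECADM is a placeholder, and the refresh step assumes that the XFACILITY class is RACLISTed on your system.

```racf
 /* Added example; SECADM is a placeholder group name.              */

 /* 1. See which profile covers the new resource today. With only a */
 /*    CKR.** backstop defined, RLIST shows that generic profile    */
 /*    and its access list.                                         */
 RLIST XFACILITY CKR.CONTROL.MASK ALL

 /* 2. Define a discrete profile so that access to the resource is  */
 /*    decided explicitly and no longer by the CKR.** backstop.     */
 RDEFINE XFACILITY CKR.CONTROL.MASK UACC(NONE)

 /* 3. READ or higher keeps the earlier panel behavior (short       */
 /*    patterns allowed). Users without access must enter at least  */
 /*    three non-generic characters and get OPTIMIZE=STORAGE.       */
 PERMIT CKR.CONTROL.MASK CLASS(XFACILITY) ID(SECADM) ACCESS(READ)

 /* 4. Refresh the in-storage profiles (assumes the class is        */
 /*    RACLISTed).                                                  */
 SETROPTS RACLIST(XFACILITY) REFRESH

 /* 5. Confirm the access list of the new profile.                  */
 RLIST XFACILITY CKR.CONTROL.MASK AUTHUSER
```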

Additional program names
    zSecure V2.2.0 introduces two new program names. If you are using program control for the zSecure programs, or using Program Access to Data Sets (PADS) for your RACF input source, you might need to add new program or conditional access list definitions.

    Starting with zSecure V2.2.0, CKRCARLA is, architecturally, a stub program that might decide which CARLa engine variant to call based on, for example, hardware considerations. With the IBM Security zSecure 64-bit Service Stream Enhancement, zSecure now also offers a 64-bit version of the IBM Security zSecure Suite software. This allows processing of larger amounts of data.

    zSecure currently always invokes the CKR4Z program, which is a CARLa engine that does not use 64-bit addressing. The CKR4Z program identifies itself in SYSPRINT and other programs as CKRCARLA.
    The CKR8Z196 program is the CARLa engine variant that does use 64-bit addressing.

    It is possible to call CKR4Z or CKR8Z196 directly instead of calling CKRCARLA. For RACF or ACF2, if you consider calling CKR4Z or CKR8Z196 directly, you might have to grant this program extra authorizations:
    • For RACF: be sure to think about Program Access to Data Sets.
    • For ACF2: be sure to think about program pathing.

    For program control, every program must be either undefined or specifically authorized. If you explicitly defined CKR* with NONE access, then you must also add profiles for the following programs:
    • CKRCARLA
    • CKRCARLX
    • CKRPRLD0
    • CKRPRLD1
    • CKR4Z
    • CKR8Z196
    Except for CKRCARLX, these programs must be accessible to all zSecure users.

    If you use PADS access to your RACF source and if you run program CKR4Z directly, for example because you selected option 2 in SE.0, or because you coded EXEC PGM=CKR4Z in your JCL, you must put program CKR4Z in the conditional access list of your RACF source. If you always use program CKRCARLA, you do not need to modify the conditional ACL of your RACF source.
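
    The program control and PADS definitions described above could look like the following added example, which is not part of the IBM release notes. The data set names 'hlq.SCKRLOAD' and 'racf.source.dsn' and the group ZSECUSR are placeholders, UACC(READ) is only one way to make the programs accessible to all zSecure users, and the PERMIT assumes a discrete DATASET profile.

```racf
 /* Added example; data set and group names are placeholders.       */

 /* Program control: needed only if CKR* was explicitly defined     */
 /* with NONE access. The other program names in the list above     */
 /* follow the same form.                                           */
 RDEFINE PROGRAM CKR4Z    ADDMEM('hlq.SCKRLOAD') UACC(READ)
 RDEFINE PROGRAM CKR8Z196 ADDMEM('hlq.SCKRLOAD') UACC(READ)
 SETROPTS WHEN(PROGRAM) REFRESH

 /* PADS: needed only if CKR4Z is run directly (option 2 in SE.0 or */
 /* EXEC PGM=CKR4Z in JCL). Adds CKR4Z to the conditional access    */
 /* list of the RACF source.                                        */
 PERMIT 'racf.source.dsn' CLASS(DATASET) ID(ZSECUSR) ACCESS(READ) -
        WHEN(PROGRAM(CKR4Z))

 /* Review the standard and conditional access lists afterwards.    */
 LISTDSD DATASET('racf.source.dsn') AUTHUSER
```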

Change in allocation of Access Monitor data sets
    The way that Access Monitor data sets are used has changed. If your C2PAMCLT member in the Access Monitor parmlib data set uses the combination of the RELEASE parameter and disposition MOD, you might experience space abends for the daily collection data sets.
    C2PACMON now closes the working file (xxxx.C2PACMON.D160108.T0000) every half hour (depending on the SMF recording interval). If the data set was allocated in C2PAMCLT with the RELEASE parameter, excess space is removed at the first CLOSE; that is, at 00:30. The next half hour uses a new extent, etc., until C2PACMON runs into an abend E37 (or B37 in some cases). To prevent this abend, remove the RELEASE parameter from member C2PAMCLT. You do not have to remove the parameter in member C2PAMCNT.

    As an alternative, you can also disable the closing and opening of the data set by coding the ALLOC command in C2PAMCLT using the default NEW disposition, instead of the explicit MOD disposition. In that situation, in-storage buffers are not flushed to disk. If the C2PACMON started task is terminated without recovery, for example as the result of a FORCE command, you lose all data collected in the data set.

    Note: APAR OA49690 provides PTFs for zSecure V2.1.1 and V2.2.0 to remove the RELEASE keyword from the supplied sample SCKRSAMP(C2PAMCLT).

zSecure Access Monitor and zSecure buffer allocation
    The C2PACMON and C2POLICE programs now allocate their buffers above the 2 GB boundary. Ensure that the associated started tasks specify a sufficiently large value for the MEMLIMIT to accommodate the required buffer space as specified in their startup parameters.

Select program to run
    This is an Incompatibility Warning for Select program to run, SE.0 second panel (panel ID C2RP3S01) and directly in JCL.

    For option 2. 2GB virtual storage limitation / zArchitecture version (CKR4Z), the zSecure V2.2.0 announcement specifies the following Hardware requirements: A supported IBM z Systems server capable of supporting IBM z/OS V2.1, or later, or V1.13.
    The z/OS Version 1 Release 13 Installation Plan Checklist includes the following information: Ensure a System z server is available (z196, z10, z9, z990, z900, z890, z800).
    The z9 (2094, 2096) and z10 (2097, 2098) do not yet have a Service Discontinued date.
    The Service Discontinued date for z890 (2086) is October 31, 2016.

    For option 3. Exploit 64 bit virtual storage / z196 or higher version (CKR8Z196), zSecure needs a machine with a specific level of 64-bit support to mitigate the performance impact of bigger addresses: z196 or higher. At this moment, this means z196 (2817), z114 (2818), BC12 (2828), EC12 (2827), or z13 (2964).

Recreate user
    As a result of updates in the user scripts CKRXRUS and CKGXRUS, the behavior of zSecure Admin option RA.4.6 Recreate user has changed.
    • If RA.4.6 option Use CKGRACF to update the user profile is not selected:
      • The recreated user IDs are always protected.
      • The password interval settings of user IDs are not recreated.
    • If RA.4.6 Recreate user option Use CKGRACF to update the user profile is selected:
      • Commands are generated to recreate PROTECTED attributes and password interval settings.
      • Execution of the generated CKGRACF USER subcommands INTERVAL, NOINTERVAL, and RECREATE requires UPDATE access to the corresponding USER subcommand resources.
      • No CKGRACF FIELD commands are generated. Therefore, access to CKG.CMD.FIELD.** resources is not needed to recreate users.


Document Information

Modified date:
16 June 2018

UID

swg21974855