IBM Support

OA57046: IFA742I SMF SIGNATURE VALIDATION FAILED FOR SMF RECORDS AFTER IFASMFDL ARCHIVE WITH NOSIGSTRIP AND RELATIVEDATE

A fix is available


APAR status

  • Closed as program error.

Error description

  • If the IFASMFDL ARCHIVE with NOSIGSTRIP and RELATIVEDATE
    options are used to extract digitally signed data from a
    logstream, that data may fail IFASMFDP signature validation for
    the interval ending at midnight (by way of the END(2400)
    option).  In this case, either of the following IFASMFDP
    messages may be seen:
    
    IFA741I UNABLE TO PERFORM SMF SIGNATURE VALIDATION
    IFA742I SMF SIGNATURE VALIDATION FAILED DUE TO
            MISSING RECORDS - STARTING INTERVAL
    
    or
    
    IFA741I UNABLE TO PERFORM SMF SIGNATURE VALIDATION
    IFA742I SMF SIGNATURE VALIDATION FAILED DUE TO
            INCONSISTENT RECORDS - RECORDS DO NOT MATCH
            EXPECTED COUNTS
    
    For ARCHIVE and RELATIVEDATE processing with NOSIGSTRIP, the
    IFASMFDL selection criteria may be insufficient for IFASMFDP to
    be able to successfully validate the data that is extracted.
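
A triage check for the two message forms above, as an added example (not IBM code): it folds the IFA742I continuation lines into one message, classifies the reason, and notes whether the validated window touches midnight as this APAR describes. The function names, the assumption that SYSPRINT message lines begin with the message ID, and the sample input are constructed for illustration.

```python
import re

# Constructed sample input: the message text comes from this APAR; the layout
# of real IFASMFDP SYSPRINT output may differ (assumption).
SAMPLE_SYSPRINT = """\
IFA741I UNABLE TO PERFORM SMF SIGNATURE VALIDATION
IFA742I SMF SIGNATURE VALIDATION FAILED DUE TO
        MISSING RECORDS - STARTING INTERVAL
"""
SAMPLE_SYSIN = """\
 INDD(DUMPIN,OPTIONS(DUMP))
 DATE(2019140,2019140)
 START(0000) END(2400)
"""

MSG_ID = re.compile(r"^\s*(IFA\d{3}[A-Z])\s+(.*)$")
REASONS = {
    "MISSING RECORDS - STARTING INTERVAL": "missing-records",
    "INCONSISTENT RECORDS - RECORDS DO NOT MATCH EXPECTED COUNTS": "count-mismatch",
}

def join_messages(sysprint):
    """Fold indented continuation lines into the message they belong to."""
    messages = []
    for line in sysprint.splitlines():
        m = MSG_ID.match(line)
        if m:
            messages.append([m.group(1), m.group(2).strip()])
        elif line.strip() and messages:
            messages[-1][1] += " " + line.strip()
    return [tuple(m) for m in messages]

def window_touches_midnight(sysin):
    """True when the validated window starts at 0000 or ends at 2400."""
    start = re.search(r"\bSTART\((\d{4})\)", sysin)
    end = re.search(r"\bEND\((\d{4})\)", sysin)
    return bool((start and start.group(1) == "0000") or (end and end.group(1) == "2400"))

def triage(sysprint, sysin):
    """Return one finding per IFA742I validation failure (hypothetical helper)."""
    findings = []
    for msg_id, text in join_messages(sysprint):
        if msg_id != "IFA742I":
            continue
        reason = next((tag for phrase, tag in REASONS.items() if phrase in text), "other")
        known = reason != "other" and window_touches_midnight(sysin)
        findings.append({"reason": reason, "matches_oa57046_symptom": known})
    return findings
```

A finding with `matches_oa57046_symptom` set fits the pattern in this APAR; confirm the applied PTF level (UA99517 or UA99518) as part of triaging the failure.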
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * Installations running HBB77B0 or above that use SMF          *
    * recording to logstreams and the SMFPRMxx RECSIGN, and        *
    * IFASMFDP SIGVALIDATE options.                                *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * SMF records dumped by IFASMFDL with ARCHIVE, RELATIVEDATE,   *
    * and NOSIGSTRIP may fail IFASMFDP digital signature           *
    * validation.                                                  *
    ****************************************************************
    * RECOMMENDATION:                                              *
    *                                                              *
    ****************************************************************
    If SMF records that are digitally signed are dumped from the
    logstream by IFASMFDL with the ARCHIVE, RELATIVEDATE, and
    NOSIGSTRIP options, IFASMFDP signature validation may fail for
    the intervals that begin or end at the midnight boundary. This
    is because SMF write processing does not separate SMF digital
    signature metadata from different days into separate log blocks.
    Since IFASMFDL ARCHIVE processing selects data at the log block
    scope, this can lead to SMF digital signature data being dumped
    that cannot be successfully validated.
    
    Additional keywords: SMFLGS/K
    

Problem conclusion

  • SMF digital signature write processing is changed to ensure
    that SMF digital signature metadata records with time stamps
    from before and after midnight are written to separate log
    blocks.  IFASMFDL processing for the ARCHIVE, RELATIVEDATE, and
    NOSIGSTRIP options is changed to dump records only up to the
    ending log block for the requested end date.
    
    The following documentation updates are also made with this
    APAR:
    ORDER NO   - SA38-0667
    Book Title - MVS System Management Facilities (SMF)
    
    +--- LOCATION IN PUBLICATION -------------------------------+
    |                                                           |
    | In:  Section:    Signing and validating SMF records       |
    |      Subsection: Setting up and using digitally           |
    |                  signed SMF records                       |
    |      Subsection: Using IFASMFDL to carry signatures       |
    |                  to data sets                             |
    |                                                           |
    +-----------------------------------------------------------+
    - Add the following text, as flagged with "|":
    
      :
      :
    
      Procedure
      Run the IFASMFDL program with the NOSIGSTRIP parameter.
      For details, see Specifying parameters for the SMF log
      stream dump program and Running the SMF log stream dump
      program.
    
      Results
      IFASMFDL carries signature records to the OUTDD data sets.
      The IFASMFDL output will report a type 2 record as output
      for each signature record.
    
    | Considerations:
    | In order to validate data from a full day, use the
    | IFASMFDL ARCHIVE, RELATIVEDATE, and NOSIGSTRIP options
    | to dump data from a full day or range of days. IFASMFDP
    | can then validate data for a full day from the resulting
    | dump data set. See the 'Using IFASMFDP to validate
    | records' section for details.
    
    
    +--- LOCATION IN PUBLICATION -------------------------------+
    |                                                           |
    | In:  Section:    Signing and validating SMF records       |
    |      Subsection: Setting up and using digitally           |
    |                  signed SMF records                       |
    |      Subsection: Using IFASMFDP to validate records       |
    |                                                           |
    +-----------------------------------------------------------+
    - Add the following text, as flagged with "|":
    
      :
      :
    
      Procedure
    
      Run the IFASMFDP program with the following SYSIN
      parameters:
    
      :
      :
    
    
    | d. To validate data from a single full day, run the
    |    IFASMFDL utility with the ARCHIVE, RELATIVEDATE, and
    |    NOSIGSTRIP options to dump data from a day or range of
    |    days that are previous to the current date.  Data from
    |    a single full day can then be validated by IFASMFDP.
    |
    |    Here is an example of this procedure:
    |
    |    Dump the signed data from the logstream using
    |    ARCHIVE, RELATIVEDATE and NOSIGSTRIP ...
    |    //SMFDL    EXEC PGM=IFASMFDL
    |    //DUMPOUT  DD DSN=PROD1.SMF.BYDAY,
    |    //            DISP=(NEW,CATLG),
    |    //            DCB=(RECFM=VB,LRECL=32756,BLKSIZE=32760),
    |    //            SPACE=(CYL,(50,5),RLSE)
    |    //SYSPRINT DD  SYSOUT=*
    |    //SYSIN    DD  *
    |     LSNAME(IFASMF.MULTSYS.STREAM1,OPTIONS(ARCHIVE))
    |     NOSIGSTRIP
    |     OUTDD(DUMPOUT,TYPE(0:255))
    |     RELATIVEDATE(BYDAY,1,1)
    |    /*
    |
    |    The data from PROD1.SMF.BYDAY can be validated
    |    by IFASMFDP as follows ...
    |    //SMFDMP   EXEC PGM=IFASMFDP
    |    //DUMPIN   DD DSN=PROD1.SMF.BYDAY,DISP=SHR
    |    //DUMPOUT  DD DSN=PROD1.SMF.BYDAY.VALID,
    |    //            DISP=(NEW,CATLG),
    |    //            DCB=(RECFM=VB,LRECL=32756,BLKSIZE=32760),
    |    //            SPACE=(CYL,(50,5),RLSE)
    |    //SYSPRINT DD    SYSOUT=*
    |    //SYSIN    DD    *
    |     INDD(DUMPIN,OPTIONS(DUMP))
    |     OUTDD(DUMPOUT,TYPE(0:255))
    |     NOSIGSTRIP
    |     DATE(2019140,2019140)
    |     START(0000) END(2400)
    |     SIGVALIDATE(HASH(SHA256),
    |        TOKENNAME(TAMPER#RESISTANT#SMF#TOKEN#NAME1))
    |    /*
    

Temporary fix

  • *********
    * HIPER *
    *********
    

Comments

APAR Information

  • APAR number

    OA57046

  • Reported component name

    SMF

  • Reported component ID

    5752SC102

  • Reported release

    7B0

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-02-28

  • Closed date

    2019-05-30

  • Last modified date

    2019-07-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA99517 UA99518

Modules/Macros

  • IFALS834 IFASMFDL
    

Publications Referenced
SA38066700    

Fix information

  • Fixed component name

    SMF

  • Fixed component ID

    5752SC102

Applicable component levels

  • R7B0 PSY UA99517

       UP19/06/12 P F906

  • R7C0 PSY UA99518

       UP19/06/12 P F906

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
01 July 2019