A fix is available
APAR status
Closed as new function.
Error description
NEW FUNCTION
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: Users wishing to encrypt individual datasets *
*                 in an application transparent way.           *
****************************************************************
* PROBLEM DESCRIPTION: Enhancement to RACF to store a default  *
*                      label in the DFP segment of a dataset   *
*                      profile.                                *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

New support in RACF for storing a default label in the DFP segment of a dataset profile. As part of this enhancement, new keywords are added to the ADDSD, ALTDSD, and PERMIT commands. Note that neither ISPF panel nor TSO HELP support is provided for the new command keywords.
Problem conclusion
Temporary fix
Comments
This APAR adds function utilized by DFSMS to allow for application transparent encryption of datasets. The RACF function consists of a new field in the DFP segment on data set profiles. The new field in the DFP segment contains a default label to be used for encrypting datasets created while the policy is in effect.

All of the enhancements included in this APAR will also be documented in the next release of the following RACF publications:

Security Server RACF Callable Services                SA23-2293
Security Server RACF Command Language Reference       SA23-2292
Security Server RACROUTE Macros Reference             SA23-2294
Security Server RACF Security Administrator's Guide   SA23-2289
Security Server RACF System Programmer's Guide        SA23-2287
Security Server RACF Macros and Interfaces            SA23-2288
Security Server RACF Messages and Codes               SA23-2291

Security Server RACF Callable Services
----------------------------------------------------------------
Appendix A. R_admin reference information, Section "Data set administration", Table 170. DFP segment fields

The following rows are added:

Field     Flag byte   ADDSD/ALTDSD        Allowed on     Allowed on
name      value       keyword reference   add requests   alter requests
-------   ---------   -----------------   ------------   --------------
DATAKEY   'Y'         DFP(DATAKEY(xx))    Yes            Yes
          'N'         DFP(NODATAKEY)      No             Yes

Appendix A. R_admin reference information, Section "Access list administration", Table 175. Base segment fields

The following rows are added:

Field name   Flag byte values   PERMIT keyword reference
----------   ----------------   ------------------------
WHENSMS      'Y'                WHEN(CRIT(SMS(...)))

Security Server RACF Command Language Reference
----------------------------------------------------------------
Chapter 5. RACF command syntax, Section "ADDSD (Add data set profile)"

[subsystem-prefix]{ADDSD | AD}
   [ DFP( [ RESOWNER(userid or group-name) | NORESOWNER ]
          [ DATAKEY(CKDS key label) ] ) ]
   ...

DFP
   Specifies that for an SMS-managed data set, you can enter the following information:

   RESOWNER(userid or group-name)
      Specifies the user ID or group of the actual owner of the data sets protected by the profile specified in profile-name-1. This name must be that of a RACF-defined user or group. (The data set resource owner, specified with RESOWNER, is distinguished from the owner specified with OWNER, which represents the user or group that owns the data set profile.) If RESOWNER is not specified, the user or group represented by the high level qualifier of the data set profile is assigned as the owner of data sets protected by the profile when SMS needs to determine the RESOWNER.

   DATAKEY(CKDS key label)
      Specifies the CKDS key label that SMS will associate with a data set protected by the profile specified in profile-name-1 at time of allocation. The label name cannot exceed 64 characters. The first character must be an alphabetic character or a national character (#, @, or $). Subsequent characters can be a period character (.) or any alphanumeric or national character. If DATAKEY is not specified, no CKDS key label will be associated with a data set protected by the profile specified in profile-name-1 at time of allocation.

Chapter 5. RACF command syntax, Section "ALTDSD (Alter data set profile)"

[subsystem-prefix]{ALTDSD | ALD}
   ...
   [ DFP( [ RESOWNER(userid or group-name) | NORESOWNER ]
          [ DATAKEY(CKDS key label) | NODATAKEY ] )
   | NODFP ]

DFP | NODFP

DFP
   Specifies that for an SMS-managed data set, you can change the following information:

   You can control access to the entire DFP segment or to individual fields within the DFP segment by using field-level access checking. For more information, see z/OS Security Server RACF Security Administrator's Guide.

   RESOWNER(userid or group-name) | NORESOWNER
      Specifies the user ID or group name of the actual owner of the data sets protected by the profile specified in profile-name-1. The name specified for RESOWNER must be a RACF-defined user or group. (The data set resource owner, or RESOWNER, is distinguished from the OWNER, which represents the user or group that owns the data set profile.) If NORESOWNER is specified, the user or group represented by the high level qualifier of the data set profile is assigned as the owner of data sets protected by the profile when SMS needs to determine the RESOWNER.

   DATAKEY(CKDS key label) | NODATAKEY
      Specifies the CKDS key label that SMS will associate with a data set protected by the profile specified in profile-name-1 at time of allocation. The label name cannot exceed 64 characters. The first character must be an alphabetic character or a national character (#, @, or $). Subsequent characters can be a period character (.) or any alphanumeric or national character. If NODATAKEY is specified, no CKDS key label will be associated with a data set protected by the profile specified in profile-name-1 at time of allocation.

NODFP
   Specifies that RACF should delete the DFP segment from the data set profile.

Chapter 5. RACF command syntax, Section "LISTDSD (List data set profile)"
...
The details RACF lists from the DFP segment of the profile:
- The user ID or group name of the data set resource owner
- The default CKDS label to associate with a data set at allocation time
...

DFP
   Specifies that for a DFP-managed data set, you want to list the user ID or group name designated as the data set resource owner and the default CKDS label to be associated with a data set at allocation time. (The data set resource owner, or RESOWNER, is distinguished from the OWNER, which represents the user or group that owns the data set profile.)

Chapter 5. RACF command syntax, Section "PERMIT (Maintain resource access lists)"
...
WHEN(CRITERIA(criteria-name (criteria-value | *)))
...
The criteria-name is a string of 1-8 characters. Lowercase alphabetic characters in the criteria-name are translated to upper case. The valid criteria-name values are SQLROLE and SMS.
...
For SQLROLE, the criteria-value is stored in the RACF database exactly as you specify it:
* Both uppercase and lowercase characters are preserved in the case in which they are specified.
* Leading blanks are preserved when the string is quoted.
For SMS, the criteria-value is folded to uppercase and stored in the RACF database.
...

WHEN(CRITERIA(SMS(DSENCRYPTION)))
   You can authorize conditional access to keys stored by label in the ICSF CKDS when being performed by DFSMS to encrypt or decrypt data via an encrypting access method.

Security Server RACROUTE Macros Reference
----------------------------------------------------------------
Appendix B. RACF database templates, Section "Data set template for the RACF database"

Field name   Field   Flag   Flag   Field length   Default   Field   Template field
(char data)  ID      1      2      (decimal)      value     type    being described
-----------  -----   ----   ----   ------------   -------   -----   ----------------------------
DFP          001     00     00     00000000       00                Start of segment fields
RESOWNER     002     00     00     00000008       FF        Char    Resource owner; must represent a user ID or group name
DATAKEY      003     00     00     00000000       00        Char    CKDS label of default key

Security Server RACF Security Administrator's Guide
----------------------------------------------------------------
Chapter 7. Protecting General Resources, Section "Field-level access checking", Table 18. "Fields in RACF segments that correspond to RACF command operands. Specify field-name as the third qualifier of the profile name for field-level access checking."

DATAKEY is added:

--------------------------------------------------------------
To control the use of this operand:   Specify this value as the field-name qualifier:
--------------------------------------------------------------
...
--------------------------------------------------------------
DFP segment in data set profiles:
--------------------------------------------------------------
RESOWNER                              RESOWNER
DATAKEY                               DATAKEY

Security Server RACF System Programmer's Guide
----------------------------------------------------------------
Chapter 4. Operating considerations, Section "DFSMS considerations"
...
In a data set profile, the DFP field, RESOWNER, contains the user ID or group name of the owner of the data set, rather than the owner of the profile. In general, the data set profile contains a specified RESOWNER field when the data set resource owner differs from the data set profile's high-level (first) qualifier.

In a data set profile, the DFP field, DATAKEY, contains the CKDS key label that SMS will associate with a data set protected by the profile at time of allocation.

Using a combination of the FIELD class and the command processors, the RACF administrator can decide which fields users can define and update in their DFP segment.

Security Server RACF Macros and Interfaces
----------------------------------------------------------------
Chapter 9. RACF database unload utility (IRRDBU00) records, Section "Data set DFP data record (0410)"

Add DSDFP_DATAKEY after DSDFP_RESOWNER_ID:

Field Name       Type   Position Start   Position End   Comments
---------------  -----  --------------   ------------   ----------------------------
DSDFP_DATAKEY    Char   67               130            The default CKDS label of the data set.

Security Server RACF Messages and Codes
----------------------------------------------------------------
Description of ICH06018I is updated:

ICH06018I command-name failed. WHEN operand is incorrect without a value.

Explanation: The user did not specify a keyword for the WHEN operand. Valid keywords are PROGRAM, JESINPUT, CONSOLE, APPCPORT, SERVAUTH, SYSID, TERMINAL, CRITERIA(SMS(...)), or CRITERIA(SQLROLE(...)).

System action: Command processing stops.

New message ICH06029I is added:

ICH06029I PERMIT failed. The criteria-value is not valid.

Explanation: The criteria-value specified is not valid for the criteria-name. Refer to the Command Language Reference for valid criteria-values.

System action: Command processing stops.
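Two of the additions above lend themselves to an offline audit of a RACF database unload: the DATAKEY label syntax rules given under ADDSD/ALTDSD, and the new DSDFP_DATAKEY field (columns 67-130) in the IRRDBU00 0410 record. The following Python is an added example, not IBM's code; the record type, DSDFP_NAME and DSDFP_RESOWNER_ID column positions are assumptions (only DSDFP_DATAKEY's columns are stated on this page), and the sample records are constructed.

```python
import re
from typing import Optional

# DATAKEY label syntax as described for ADDSD/ALTDSD: at most 64 characters,
# first character alphabetic or national (# @ $), the rest alphanumeric,
# national or a period.
_DATAKEY_RE = re.compile(r"[A-Za-z#@$][A-Za-z0-9#@$.]{0,63}")

def valid_datakey_label(label: str) -> bool:
    """True if the label meets the DATAKEY syntax rules quoted above."""
    return _DATAKEY_RE.fullmatch(label) is not None

def parse_0410(line: str) -> Optional[dict]:
    """Pull the needed fields from one IRRDBU00 0410 (data set DFP) record.
    DSDFP_DATAKEY at columns 67-130 comes from this APAR; the record type
    (1-4), DSDFP_NAME (6-49) and DSDFP_RESOWNER_ID (58-65) columns are assumed."""
    rec = line.ljust(130)
    if rec[0:4] != "0410":
        return None                       # some other unload record type
    return {"name": rec[5:49].rstrip(),
            "resowner": rec[57:65].rstrip(),
            "datakey": rec[66:130].rstrip()}

def audit_datakeys(unload_lines) -> dict:
    """Map each data set profile name to NODATAKEY, OK or MALFORMED."""
    results = {}
    for line in unload_lines:
        rec = parse_0410(line)
        if rec is None:
            continue
        key = rec["datakey"]
        if not key:
            results[rec["name"]] = "NODATAKEY"   # profile has no default CKDS label
        elif valid_datakey_label(key):
            results[rec["name"]] = "OK"
        else:
            results[rec["name"]] = "MALFORMED"   # would be rejected by ADDSD/ALTDSD

    return results

def make_0410(name: str, resowner: str, datakey: str) -> str:
    """Build a constructed 0410 record using the assumed column layout."""
    return f"0410 {name:<44} {'':<6} {resowner:<8} {datakey:<64}"

# Constructed sample unload records, not taken from any real RACF database.
SAMPLE_UNLOAD = [
    make_0410("PAYROLL.**", "PAYADM", "DATASET.PAYROLL.ENCRKEY.20170321"),
    make_0410("HR.DATA.*", "HRADM", ""),
    make_0410("TEST.*", "TESTUSR", "1BADLABEL"),   # first character is a digit
    "0400 PAYROLL.**",                             # non-DFP record, skipped
]
```

Running audit_datakeys(SAMPLE_UNLOAD) on the constructed records reports PAYROLL.** as OK, HR.DATA.* as NODATAKEY and TEST.* as MALFORMED.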
APAR Information
APAR number
OA50512
Reported component name
RACF
Reported component ID
5752XXH00
Reported release
7A0
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-05-13
Closed date
2017-03-21
Last modified date
2017-05-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UA91403 UA91404
Modules/Macros
ICHCPE00 ICHCPE01 IRRADU20 IRRCPE0P IRRDPSDS IRRREQTB IRRREQ01
| SA23229300 | SA23229200 | SA23229400 | SA23228900 | SA23228700 |
| SA23228800 | SA23229100 |
Fix information
Fixed component name
RACF
Fixed component ID
5752XXH00
Applicable component levels
Fix is available
Document Information
Modified date:
01 May 2017