SECINT HOLDDATA is now available with SMP/E RECEIVE ORDER

Background

The SMP/E RECEIVE ORDER command (also known as SMP/E Internet Service Retrieval) is overwhelmingly used by most customers to acquire PTFs for the entire z/OS stack of products. This method has been heavily automated by customers for years, such that they acquire both SMP/E HOLDDATA (HIPER, PRP, and FIXCAT information) and PTFs in the background with little or no manual effort involved. The IBM Z and LinuxONE Security Portal is the primary source of the complete security related information for IBM System Z. This IBM Confidential security information is applicable to the z/OS stack. For those SMP/E packaged products on the IBM z/OS stack, this Portal provides IBM Confidential SMP/E HOLDDATA and ASSIGN statements to identify Security and Integrity (SECINT) fixes, along with other important necessary information. Permitted customers have long desired a way to acquire the SMP/E HOLDDATA and ASSIGN statements from the Portal, with the convenience and simplicity of the SMP/E RECEIVE ORDER automated solution. Of course, customers not permitted to the IBM Z and LinuxONE Security Portal do not have this need, as they do not have access to the IBM Confidential z/OS stack security information.

Overview of New Enhancement as of 16 October 2025

Addressing a longstanding customer requirement, as of 16 October 2025 when an SMP/E RECEIVE ORDER request is sent to the IBM server for a user that is permitted to the IBM Z and LinuxONE Security Portal, the order content will automatically include the IBM Confidential SECINT HOLDDATA and ASSIGN statements.

Likewise, when an SMP/E RECEIVE ORDER request is sent to the IBM server for a user that is not permitted to the IBM Z and LinuxONE Security Portal, the order content will not include the IBM Confidential SECINT HOLDDATA and ASSIGN statements. This means there is no change to the process or order content for those that are not permitted to the IBM Z and LinuxOne Security Portal.

The "user" for an SMP/E RECEIVE ORDER request is identified in the annual Service certificate generated by Shopz. If the IBM userid that logged in to Shopz and generated the Service certificate is also registered to the IBM Z and LinuxONE Security Portal, then an SMP/E RECEIVE ORDER request running with that certificate will be permitted to obtain the IBM Confidential SECINT HOLDDATA and ASSIGN statements.

Criteria for use

For an SMP/E RECEIVE ORDER command request to include the IBM Confidential SMP/E HOLDDATA and ASSIGN information, the following criteria must be met:

1. You must have an IBM id that is permitted to the IBM Z and LinuxONE Security Portal.
2. Your SMP/E RECEIVE ORDER command must use an IBM Shopz generated user certificate that is associated with the same IBM id that is permitted to the IBM Z and LinuxONE Security Portal.

If both the above criteria are true, the IBM Confidential information will be returned on the RECEIVE ORDER request. If the IBM id associated with the Shopz Service Certificate is not permitted to the Portal, then processing will continue without returning the IBM Confidential information.

Special Considerations

As a reminder and which is not changed, the personnel permitted to view the IBM Z and LinuxONE Security Portal are to control access to IBM Confidential information inside their enterprise. The updates to the SMP/E RECEIVE ORDER processing only provide an additional method to acquire the SMP/E HOLDDATA and ASSIGN statements for SECINT information into your enterprise.  Control of that IBM Confidential information remains the same, just as if you had acquired it directly from the IBM Z and LinuxONE Security Portal.

Frequently Asked Questions (FAQs)

1. What is changing?

   Under certain conditions, users of the SMP/E RECEIVE ORDER command will automatically acquire security and integrity (SECINT) information (SMP/E ++ASSIGN and SMP/E ++HOLD) during service acquisition. Before, this information was only retrievable directly from the IBM Z and LinuxONE Security Portal. The conditions under which SECINT information will be included in the SMP/E RECEIVE ORDER contents are when this condition is true: The IBM id which was issued a Shopz Service Certificate which is provided on the SMP/E RECEIVE ORDER command, is the same IBM id which is permitted to the IBM Z and LinuxONE Security Portal.

2. How is the Shopz Service Certificate specified on SMP/E RECEIVE ORDER, so that I can ensure that I can use this function?

   The generated Shopz Service Certificate for SMP/E RECEIVE ORDER is specified in the <ORDERSERVER> XML for the command. For example, see the "certificate" attribute in this example:

   <ORDERSERVER
   url="https://eccgw01.boulder.ibm.com/services/projects/ecc/ws/"
   keyring="SMPEKeyring"
   certificate="SMPE Client Certificate">
   </ORDERSERVER>
   

   For example, suppose the IBM id joe@company.com is permitted to the IBM Z and LinuxONE Security Portal.  Further suppose this same IBM id, joe@company.com, logs into IBM Shopz and generates a Service Certificate.  When this certificate is added to a security manager keyring on z/OS, and this certificate's label is specified on the "certificate" attribute in the <ORDERSERVER> XML for the RECEIVE ORDER command, then SECINT HOLDDATA and ASSIGN statements will be returned in the request because:

   1. IBM Z and LinuxONE Security Portal access is for joe@company.com,
   2. the Shopz Service Certificate was generated for joe@company,com,
   3. and the SMP/E RECEIVE ORDER job, submitted by the z/OS userid for joe@company.com, specified the keyring and Shopz Service Service certificate generated for joe@company.com.
3. My IBM id is permitted to the IBM Z and LinuxONE Security Portal, and I used my same IBM id to acquire the Shopz Service Certificate. Should I expect to see ++HOLD and ++ASSIGN information for SECINT in my SMP/E RECEIVE ORDER, when I use that certificate?

   Yes. Because all the criteria was met, you should expect to receive SECINT information. Notice, this requires you to treat this information as IBM Confidential in your enterprise, as if it had been acquired directly from the IBM Z and LinuxONE Security Portal.

4. I am not permitted to the IBM Z and LinuxONE Security Portal, and I do have a Shopz Service Certificate for SMP/E RECEIVE ORDER processing. Will I see SECINT information when I submit an SMP/E RECEIVE ORDER job?

   No. You will not have any SECINT information in the order content, because you are not permitted to the IBM Z and LinuxONE Security Portal.

5. When I do an SMP/E RECEIVE ORDER command today, I sometimes only retrieve HOLDDATA. Sometimes I retrieve PTFs. Will this SECINT information, if I’m permitted to it, be included on both types of SMP/E RECEIVE ORDER commands?

   Orders for CONTENT(HOLDDATA) will continue to return only HOLDDATA, but the HOLDDATA will include HIPER, PE, FIXCAT, and SECINT.  HOLDDATA only orders do not currently return ASSIGN statements, therefore, they will also not return the SECINT ASSIGN statements. Orders for PTFs (any other CONTENT selection) will continue to return PTFs, ASSIGN statements, and HOLDDATA, but the ASSIGN statements and HOLDDATA will include SECINT.

6. How do I stop acquiring SECINT information from SMP/E RECEIVE ORDER?

   If you meet all the criteria for acquiring SECINT information, and for some reason you wish to stop this SECINT acquisition, the easiest way is to specify a Shopz Service Certificate in your RECEIVE ORDER job (on the certificate attribute in the <ORDERSERVER> XML) which is associated with an IBM id which is NOT permitted to the IBM Z and LinuxONE Security Portal.

7. Will this SECINT information be available when I order PTFs from Shopz or other service acquisition methods?

   No. If you use Shopz or another method for service acquisition, SECINT information will not be provided to you. SMP/E RECEIVE ORDER is the preferred service acquisition method, so this enhancement is only available using this method. IBM strongly recommends using SMP/E RECEIVE ORDER if your z/OS network connectivity permits it.  Refer to Preparing to use Internet service retrieval to learn how to setup and use the SMP/E RECEIVE ORDER command.

8. What other SECINT information is found in the IBM Z and LinuxONE Security Portal that SMP/E RECEIVE ORDER processing will NOT return?

   The IBM Z and LinuxONE Security Portal contains several security and integrity related materials. Among those materials are SMP/E files which contain ASSIGN information for the SECINT SOURCEID, and HOLD information. Only these two SMP/E-related materials have been provided for those permitted users on the SMP/E RECEIVE ORDER command. The IBM Z and LinuxONE Security Portal still must be used to review other security and integrity related materials.

9. If I retrieve the SECINT information from SMP/E RECEIVE ORDER, do I still have to retrieve the ++ASSIGN and ++HOLD information from the IBM Z and LinuxONE Security Portal?

   No. The information is the same from both SMP/E RECEIVE ORDER and the IBM Z and LinuxONE Security Portal. You do not need to retrieve it from the IBM Z and LinuxONE Security Portal if you prefer to acquire it with SMP/E RECEIVE ORDER.

10. Is there any special considerations I need to understand when using SMP/E RECEIVE ORDER with SECINT?

    Although SMP/E RECEIVE ORDER with SECINT is a helpful and requested solution, it does come with some reminders of existing restrictions on z/OS SECINT information that you have within your enterprise. Per the IBM Z and LinuxONE Security Portal agreement, the z/OS SECINT information is IBM Confidential. By accessing the IBM Z and LinuxONE Security Portal, it has been agreed the information contained in it is IBM Confidential, provided AS IS, may be used for internal purposes only and may not be disclosed to any third party without IBM's prior written consent. With that in mind, once the SECINT information has been made available on your enterprise systems, its access must be controlled to only those permitted to IBM Confidential data. Meaning, if you had acquired this same SECINT ASSIGN and HOLD information from the IBM Z and LinuxONE Security Portal and had manually SMP/E RECEIVEd it into your SMP/E GLOBAL zone, the same controls must be in place for that SMP/E GLOBAL zone when using RECEIVE ORDER.

11. Can you show me an example of ASSIGN and HOLD information that would be returned if I am permitted to the IBM Z and LinuxONE Security Portal?

    This is an example of fictitious SMP/E ASSIGN and HOLD information, which will be included in your SMP/E RECEIVE ORDER contents. Per SMP/E processing today, if you specified TRANSFERONLY, this information would be in your SMPNTS. If you choose to RECEIVE it into your GLOBAL zone, it would be found in your SMP/E GLOBAL CSI.

    HOLDDATA file content example:

    ++NULL. /********************************************************/              
    ++NULL. /*                                                      */              
    ++NULL. /* * *  IBM Confidential  * *                           */              
    ++NULL. /*                                                      */              
    ++NULL. /********************************************************/              
    ++NULL. /* Security/Integrity (SECINT) HOLDDATA file.           */              
    ++NULL. /* Update period from 2022-10-13 to 2025-10-15          */              
    ++NULL. /* Questions or concerns can be addressed to:           */              
    ++NULL. /*  syszsec@us.ibm.com                                  */              
    ++NULL. /* Usage of this file is described in the SMP/E         */              
    ++NULL. /*  Reference manual and the Enhanced HOLDATA web page  */              
    ++NULL. /*  service.software.ibm.com/holdata/390holddata.html   */              
    ++NULL. /********************************************************/              
    ++ HOLD    (HFMID01) FMID(HFMID01) REASON(AAPAR01) ERROR DATE(25289)            
     COMMENT(SMRTDATA(FIX(UIPTF01) SYMP(B1.1,T1.1)                                  
     CHGDT(251016))) CLASS(SECINT).
    

    ASSIGN file content example:

    ++ ASSIGN  SOURCEID(SECINT) TO(UIPTF01).
    

    Note: ASSIGN information is returned only when the CONTENT operand on the RECEIVE ORDER command specifies one of the PTF choices; ALL, CRITICAL, RECOMMENDED, APARS, PTFS. If CONTENT(HOLDDATA)is specified, only the HOLDDATA information is returned.

12. How do I get a Shopz Service Certificate?

    After logging into IBM Shopz, click "create new software orders", select Package category “z/OS – Service” and select “Service Certificate” in the drop down list. Then continue through the wizard to generate and download the certificate.  The steps to get a certificate are documented in Obtaining a user certificate.  Here is a sample screenshot from Shopz:

    
13. I’m not seeing SECINT information on my SMP/E RECEIVE ORDER and I thought I was permitted to the IBM Z and LinuxONE Security Portal, what should I do?
    1. First, confirm you are permitted to the IBM Z and LinuxONE Security Portal (register here). Logon to the IBM Z and LinuxONE Security Portal to verify your access.
    2. Ensure that the IBM id that is registered to the IBM Z and LinuxONE Security Portal, is the same IBM id that logged onto IBM Shopz to generate the Shopz Service Certificate. Notice the customer number you used for acquiring the Shopz Service Certificate (for example: S01999999)
    3. On your SMP/E RECEIVE ORDER job, examine the certificate you have specified. Use this RACF command to view the certificate details.

       RACDCERT ID(user) +
         LIST(LABEL('SMPE Client Certificate'))
       

       In the "Subject's Name" field, does the customer number match what your Shopz customer number?

       Subject's Name: 
            >CN=IBM Customer Number: S01999999.OU=123456897.O=zOSService.C=US<
       

What's new

• October 20, 2025

  Clarify ASSIGNs are returned only when the CONTENT operand on RECEIVE is not HOLDDATA.

• October 16, 2025

  Initial publication.