A fix is available
APAR status
Closed as new function.
Error description
This is the APAR for z/VM 7.4 DIRMAINT Feature Pack 2. As such, it contains DirMaint product code for the following new features:
1. Add Support for Enhanced Authorization Controls for Guest Crypto Domains in DirMaint.
2. Enhance DirMaint command, CHNGID, to rename a user to update RACF profile properties.
3. Enhance generic profile handling while updating the logonby permission for a user when RACF is enabled.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of z/VM DirMaint                   *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
This feature pack contains enhancements for the following:
1. Add Support for Enhanced Authorization Controls for Guest Crypto Domains in DirMaint.
DirMaint support for enhanced authorization controls for guest crypto domains enables a virtual machine to be granted control-only access to crypto domains. This enhancement introduces a new CONTROL keyword on the CRYPTO directory statement, allowing control-only authorization for specified domains. In addition, the CRYPTO statement syntax is enhanced to support CONTROL domains and to allow APDEDICATED to be specified before DOMAIN, removing the current ordering limitation.
2. Enhance DirMaint command, CHNGID, to rename a user to update RACF profile properties.
DirMaint already provides a command to rename a user, with the expectation that all existing properties and configurations are preserved. This requirement also applies to the associated RACF profiles. However, the issues currently observed involve RACF profile attributes not being fully or correctly retained during the rename operation. Renaming a RACF profile involves creating a new profile with the updated name while duplicating the configuration of the original profile, followed by removal of the old profile. This enhancement focuses on improving the replication of certain RACF properties and attributes during this process.
3. Enhanced generic profile handling while updating the logonby permission for a user.
In environments where RACF is enabled and LOGONBY authentication is controlled by RACF using a generic profile, any attempt to modify LOGONBY permissions with the DIRM LOGONBY command will not result in the creation of a discrete RACF profile. Since authentication is governed by the existing generic profile, no RACF permissions are modified.
Problem conclusion
Temporary fix
Comments
The following changes have been made to DirMaint:
1. Add Support for Enhanced Authorization Controls for Guest Crypto Domains in DirMaint.
The input command structure for the CRYPTO statement will be redefined to support CONTROL domains. Additionally, it will allow APDEDICATED to be specified before DOMAIN, unlike the current implementation, where APDEDICATED could only follow DOMAIN. The support for the CSU, KEYENTRY, MODIFY, and SPECIAL keywords from the CRYPTO command, and the CRYPTO keyword from the CPU and SETCPU commands, will be removed. The directory stanza will now have separate statements for the DOMAIN, DOMAIN CONTROL and APDEDICATED keywords rather than merging them into a single statement, for example:
    CRYPTO DOMAIN 1 2 3 4 5
    CRYPTO DOMAIN CONTROL 6 7 8 9
    CRYPTO APDEDICATED 21 22 23 24
This support will also remove keywords based upon the removal of support in CP:
- Removed support for keywords CSU, KEYENTRY, MODIFY, and SPECIAL from the CRYPTO command.
- Removed support for CRYPTO keyword from the CPU and SETCPU commands.
- Relevant information about current support in the "z/VM: Directory Maintenance Facility Commands Reference" will be removed.
Examples of supported directory statements:
- DIRM CRYPTO DOMAIN 11 12 13 CONTROL 17 18 APDEDICATED 41 42
- DIRM CRYPTO DOMAIN 11 12 13 CONTROL 17 18 19
- DIRM CRYPTO DOMAIN CONTROL 17 18 19 APDEDICATED 41 42 43
- DIRM CRYPTO APDEDICATED 41 42 43 44 DOMAIN 11 12 13
- DIRM CRYPTO APDEDICATED 41 42 43 44
- DIRM CRYPTO APDEDICATED 41 42 43 DOMAIN 11 12 CONTROL 14
- DIRM CRYPTO DOMAIN 11-13 15 CONTROL 17-19 25-28 APDED 41-44
- DIRM CRYPTO DOMAIN CONTROL 11 12 13 APDEDICATED 41 42 43
In the above examples, the nature of the domains for the DOMAIN keyword will remain the same (usage+control), whereas domains listed for the CONTROL keyword will have control access only. Domain numbers and AP processor numbers can now be provided in the form of ranges. DOM and CONT will be accepted as abbreviations for DOMAIN and CONTROL respectively.
2. Enhance DirMaint command, CHNGID, to rename a user to update RACF profile properties.
Based on the old user, the following RACF profile properties are updated for the new profile:
- The default RACF group name
- The old user's group authority to any connected groups
- New user is PROTECTED if old user is protected
- SURROGAT profile
- Other aspects of a USER that will be copied are: Name, Owner, User revoke and resume dates, Installation data, Privilege attributes, Class authorizations, Group membership and attributes, Group revoke/resume dates, Default group, Security label.
3. Enhanced generic profile handling while updating the logonby permission for a user.
If the target ID (LOGONBY.<target-id>) is covered by a generic profile, DirMaint will not create a discrete profile. That means no RACF permissions will be modified.
NOTE: CRYPTO command is updated.
The following messages are added/updated by this support:
DVH3908, DVH3658W, DVH3658E, DVH1217, DVH3655, DVH1234, DVH1233
The following z/VM 7.4 publications are updated to reflect this support:
GC24-6282-74: Directory Maintenance Facility Messages
SC24-6281-74: Directory Maintenance Facility Commands Reference
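For reviewing which crypto domains a guest receives with usage+control access and which with control-only access (item 1 above), the following added example, which is not DirMaint code or IBM's implementation, sorts the operands that follow DIRM CRYPTO into the three classes and renders one statement per class. Assumptions: only the keyword spellings shown on this page are accepted, CONTROL is valid only inside a DOMAIN clause as in every example above, ranges are written out as individual numbers, and no upper limit on domain or AP numbers is enforced.

```python
# Added illustration, not DirMaint code. Keyword spellings are limited to
# the ones that appear on this page.
KEYWORDS = {"DOMAIN": "domain", "DOM": "domain",
            "CONTROL": "control", "CONT": "control",
            "APDEDICATED": "ap", "APDED": "ap"}
STATEMENTS = (("domain", "CRYPTO DOMAIN"),             # usage + control
              ("control", "CRYPTO DOMAIN CONTROL"),    # control-only
              ("ap", "CRYPTO APDEDICATED"))


def expand(token):
    """Turn '17' or '17-19' into a list of integers."""
    lo, sep, hi = token.partition("-")
    if not lo.isdecimal() or (sep and not hi.isdecimal()):
        raise ValueError(f"not a number or range: {token!r}")
    first, last = int(lo), int(hi) if sep else int(lo)
    if last < first:
        raise ValueError(f"descending range: {token!r}")
    return list(range(first, last + 1))


def classify(operands):
    """Sort the operands of DIRM CRYPTO into the three access classes."""
    found = {"domain": [], "control": [], "ap": []}
    state = None
    for token in operands.upper().split():
        kind = KEYWORDS.get(token)
        if kind == "control" and state != "domain":
            # Assumption: CONTROL only qualifies a DOMAIN clause, as in
            # every example on the page.
            raise ValueError("CONTROL must follow DOMAIN")
        if kind:
            state = kind
        elif state is None:
            raise ValueError(f"value before any keyword: {token!r}")
        else:
            found[state].extend(expand(token))
    return found


def directory_statements(operands):
    """Render one statement per class; expanded numbers are an assumption."""
    found = classify(operands)
    return [f"{text} {' '.join(map(str, found[key]))}"
            for key, text in STATEMENTS if found[key]]


if __name__ == "__main__":
    for line in directory_statements("DOMAIN 11-13 15 CONTROL 17-19 25-28 APDED 41-44"):
        print(line)
```
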
APAR Information
APAR number
VM66895
Reported component name
IBM DIRMAINT-VM
Reported component ID
5749DVH00
Reported release
740
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2025-10-23
Closed date
2026-04-30
Last modified date
2026-05-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UV99459
Modules/Macros
CRYPTO DVHADZ DVHAEZ DVHBBXED DVHBBXIB DVHCHGID DVHCPU DVHCRYPT DVHLOGBY DVHMENUS DVHRLB DVHRUN DVHSLVL DVHULVL DVH1217 DVH1233 DVH1234 DVH3655 DVH3658E DVH3658W DVH3908 150ASERV 150AUSER 7VMDIR40
| SC24628174 | SC24628274 |
Fix information
Fixed component name
IBM DIRMAINT-VM
Fixed component ID
5749DVH00
Applicable component levels
R740 PSY UV99459
UP26/05/05 I 1000
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
05 May 2026