IBM Support

SI78337 - OSP-XTND-OTHER-F/QP0LCCFN-T/QPZ1KRB1-MSGCPFA0AC KERBEROS PTF

PTF Cover Letter


PTF ( Program Temporary Fixes ) Cover letter


Order this fix

Abstract

OSP-XTND-OTHER-F/QP0LCCFN-T/QPZ1KRB1-MSGCPFA0AC KERBEROS PTF


Pre/Co-Requisite PTF / Fix List

REQ  LICENSED           PTF/FIX  LEVEL

TYPE PROGRAM  RELEASE   NUMBER   MIN/MAX  OPTION
---- -------- --------- -------  -------  ------
PRE  5770SS1  V7R4M0    SI77636   00/00    0000



NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels.  This PTF may be a prerequisite
for future PTFs.  By applying this PTF you authorize and agree to the
foregoing.

This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF.  You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.

The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
CL command.





APAR Error Description / Circumvention

-----------------------------------------------
Kerberos PTF not applied at IPL, error in SCPF joblog CPFA0AC
Directory Contains Objects. Directory is
/QIBM/USERDATA/OS400/NETWORKAUTHENTICATION/CREDS.

CORRECTION FOR APAR SE76926 :
-----------------------------
A check will be made to determine if a PTF from a previous
release has made the desired changes to the creds directory. If
it has, no additional changes will be made by the PTF for the
current release.

CIRCUMVENTION FOR APAR SE76926 :
--------------------------------
Before PTFs are applied you can run the following command:
QSYS/RMVDIR
DIR('/QIBM/USERDATA/OS400/NETWORKAUTHENTICATION/CREDSOLD')
SUBTREE(*ALL)


Activation Instructions


None.




Special Instructions


********************************************************************
THE FOLLOWING ARE SUPERSEDED SPECIAL INSTRUCTIONS. IF THE SUPERSEDED
PTF HAS ALREADY BEEN APPLIED AND ITS SPECIAL INSTRUCTION FOLLOWED,
IT IS NOT NECESSARY TO FOLLOW THAT SPECIAL INSTRUCTION AGAIN.
********************************************************************

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI78020 :
=================================================

To activate the fix, all existing signon server, TELNET device
manager, and NetServer jobs need to be ended and restarted.

To activate the fix for the signon server, the prestart jobs must be
ended and restarted. To end and restart the prestart jobs, do the
following:
1) See if any prestart jobs exist. As shipped, the prestart jobs run
in the QUSRWRK subsystem (you may have customized your system in order
to allow them to run in a different subsystem). Enter WRKACTJOB, then
press F14=Include. Look for jobs with the jobname QZSOSIGN. If any
exist, they must be ended and restarted in order to use the fixed code.

2) End the prestart jobs. Use the End Prestart Job (ENDPJ) command,
specifying the subsystem QUSRWRK (or the subsystem the prestart jobs
are configured to run in), program QZSOSIGN in library QSYS. Specify
*CNTRLD for the OPTION parameter to end the prestart jobs in a
controlled manner. Specify *IMMED for the option parameter to end the
prestart jobs immediately. Message CPC0905 is sent to the system
operator message queue when the prestart jobs have ended.

3) Restart the prestart jobs. Use the Start Prestart Job (STRPJ)
command, specifying the subsystem QUSRWRK (or the subsystem the
prestart jobs are configured to run in), program QZSOSIGN in library
QSYS. This starts the prestart jobs for the signon server.

To activate the fix for the TELNET device manager jobs, the following
must be done.
1) End TELNET with the following command: ENDTCPSVR SERVER(*TELNET)
2) Find all active TELNET device manager jobs: WRKACTJOB
JOB(QTVDEVICE).
3) End all jobs found above using Option 4=End. You can speed this
process by using the parameter OPTION(*IMMED) on the command line of
the WRKACTJOB panel. You must wait for all jobs to end before
proceeding to the next step.
4) Start both the TELNET server and device manager jobs with the
command: STRTCPSVR SERVER(*TELNET)

To activate the fix for NetServer, it must be stopped and restarted.
1) Stop NetServer by issuing the following command: ENDTCPSVR *NETSVR
2) Start NetServer by issuing the following command: STRTCPSVR *NETSVR

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI77749 :
=================================================

This fix only applies to the FTP server. The FTP server must be stopped
and restarted.

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI77570 :
=================================================

If you are a multiple system user, and intend on installing PTFs on
the host system, then saving and restoring the system onto other
systems, then you need to do the following on the other/non host
systems:

The contents of the kerberos creds directory must be deleted.

If you do not currently have a kerberos creds directory
(/QIBM/USERDATA/OS400/NETWORKAUTHENTICATION/CREDS) on your
system, no action is needed.

Otherwise, follow these instructions when the system is not actively
being used for kerberos authentications.

/* Rename the current creds directory to CREDSOLD             */
QSYS/RNM OBJ('/QIBM/USERDATA/OS400/NETWORKAUTHENTICATION/CREDS')
NEWOBJ('CREDSOLD')

/* Create a new creds directory                                */
QSYS/MKDIR
DIR('/QIBM/USERDATA/OS400/NETWORKAUTHENTICATION/CREDS')
DTAAUT(*RX) OBJAUT(*NONE) CRTOBJSCAN(*PARENT)
CRTOBJAUD(*SYSVAL) STDRNMUNL(*NO)

/* Change the owner of the new directory to QSYS               */
QSYS/CHGOWN
OBJ('/QIBM/USERDATA/OS400/NETWORKAUTHENTICATION/CREDS')
NEWOWN(QSYS) RVKOLDAUT(*YES) SUBTREE(*NONE) SYMLNK(*NO)


A batch job will be submitted by kerberos code to delete the CREDSOLD
directory when kerberos activity resumes.

You can delete the CREDSOLD directory at any time using the
following command:
QSYS/RMVDIR
DIR('/QIBM/USERDATA/OS400/NETWORKAUTHENTICATION/CREDSOLD')
SUBTREE(*ALL)

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI75406 :
=================================================

To activate the fix, all existing signon server, TELNET device
manager, and NetServer jobs need to be ended and restarted.

Signon Server:
To activate the fix for the signon server, the prestart jobs must be
ended and restarted. To end and restart the prestart jobs, do the
following:
1) See if any prestart jobs exist. As shipped, the prestart jobs run
in the QUSRWRK subsystem (you may have customized your system in order
to allow them to run in a different subsystem). Enter WRKACTJOB, then
press F14=Include. Look for jobs with the jobname QZSOSIGN. If any
exist, they must be ended and restarted in order to use the fixed code.

2) End the prestart jobs. Use the End Prestart Job (ENDPJ) command,
specifying the subsystem QUSRWRK (or the subsystem the prestart jobs
are configured to run in), program QZSOSIGN in library QSYS. Specify
*CNTRLD for the OPTION parameter to end the prestart jobs in a
controlled manner. Specify *IMMED for the option parameter to end the
prestart jobs immediately. Message CPC0905 is sent to the system
operator message queue when the prestart jobs have ended.

3) Restart the prestart jobs. Use the Start Prestart Job (STRPJ)
command, specifying the subsystem QUSRWRK (or the subsystem the
prestart jobs are configured to run in), program QZSOSIGN in library
QSYS. This starts the prestart jobs for the signon server.

Telnet:
To activate the fix for the TELNET device manager jobs, the following
must be done.
1) End TELNET with the following command: ENDTCPSVR SERVER(*TELNET)
2) Find all active TELNET device manager jobs: WRKACTJOB
JOB(QTVDEVICE).
3) End all jobs found above using Option 4=End. You can speed this
process by using the parameter OPTION(*IMMED) on the command line of
the WRKACTJOB panel. You must wait for all jobs to end before
proceeding to the next step.
4) Start both the TELNET server and device manager jobs with the
command: STRTCPSVR SERVER(*TELNET)

Netserver:
To activate the fix for NetServer, it must be stopped and restarted.
1) Stop NetServer by issuing the following command: ENDTCPSVR *NETSVR
2) Start NetServer by issuing the following command: STRTCPSVR *NETSVR


Default Instructions

THIS IS A DELAYED PTF TO BE APPLIED AT IPL TIME.



Supersedes

PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
   SI78020      OSP qkrbspi updates to delete old directory
   SI77749      OSP Export qkrb_get_service_name from qkrbspi srvpgm
   SI77570      OSP Cleanup EBCDIC kerberos credentials files using batch jo
   SI75406      OSP-OTHER-PERFM KERBEROS SYSTEM HEAP LEAK CAUSING INTERMITTE
   SI75231      OSP Use ASCII CCSID for data in kerberos creds file
   SI71407      OSP CHGKRBPWD not accepting current password correctly

Summary Information

System..............................  i
Models..............................  
Release.............................  V7R4M0
Licensed Program....................  5770SS1
APAR Fixed..........................  View details for APAR SE76926
Superseded by:......................  
Recompile...........................  N
Library.............................  QSYS
MRI Feature ........................  NONE
Cum Level...........................  C2125740


IBM i Support

IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.4.0","Product":{"code":"SWG60","label":"IBM i"},"Component":"5770SS1","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}]

Document Information

Modified date:
25 May 2022