Mark Zelden wrote:
IBM has supported this since OS/390 V2R6 via the undocumented -- yet
heavily discussed here, at SHARE, and elsewhere -- TRAPS
NAME(IgvNoUserKeyCSA) statement in DIAGxx.
"Supported"? Isn't this really an unsupported method intended
for use by ISVs or test environments? What if you ran this way on
your production / mission critical LPAR and it caused an unforseen
problem or outage?
It wasn't my place (legally) to "spill the beans" on the z/OS 1.8
enhancement to DIAGxx. But, since the "skunkworks" developer himself has
done so, I'll add that ALLOWUSERKEYCSA(NO) is equivalent to specifying
TRAPS NAME(IgvNoUserKeyCSA) in DIAGxx and that Healthchecker will supply
a check to warn of the potential security risk when ALLOWUSERKEYCSA(YES)
is in effect. Naturally, since the z/OS 1.8 default will be
ALLOWUSERKEYCSA(YES) for compatibility, the Healthchecker check will be
shipped inactive, though you will be able to activate it if you so desire.
Supported? Yes. Any less risky than the existing "undocumented" support?
No. If you prohibit the allocation of user key CSA on a production /
mission critical LPAR running z/OS 1.8, you could still experience an
outage. And there is no short-term relief other than disabling the support.
When IBM finally changes the ALLOWUSERKEYCSA default (in that future
z/OS release) to NO, it will mean that -- as of the release date of that
future release -- IBM *believes* that none of *its* software allocates
user key CSA and that they will gladly take an APAR to remove any such
allocations that a customer might discover the "hard" way. It says
nothing about ISV or installation written software.
--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
