IBM Mainframe Discussion List <[email protected]> wrote on 05/05/2008 10:05:27 AM:
> Eileen Barkow of the IBM Mainframe Discussion List <[email protected]>
> wrote on 05/05/2008 08:10:03 AM:
>
> > we have an old vendor written product (MEMO) which we could not change
> > and which was getting a b0a-5c abend under z/os 1.9 and we had to change
> > the default to ALLOWUSERKEYCSA=YES.
> >
>
> Instead of an all inclusive ALLOWUSERKEYCSA=YES, why not something like
> ALLOWUSERKEYCSA=(program1,program2,...) for situations where there is no
> source code or support.

From a system integrity point of view, there is no benefit to doing that.

If you have a system on which all users and all programs are trusted (i.e. a system where you would be willing to APF authorize every program library, and give every user Superuser authority and RACF Special authority, or turn off your security product), then it is acceptable to specify ALLOWUSERKEYCSA(YES).

If you do not trust all users and all programs on a system, a single product which uses user key CSA is likely to be allowing an untrusted program or user to be able to do things which it should not be permitted to do, and may be allowing an untrusted user or program to gain complete control of the system and do anything it desires.

So the question is, on a system where you have any security requirements, are you willing to incur the risks presented by running a product which uses user key CSA and may be allowing untrusted users or programs to bypass security?

Jim Mulder z/OS System Test IBM Corp. Poughkeepsie, NY

