Up to a point:

If you are enabled to use User-Key CSA via RUCSA I believe you "have a 
ticket to THE party", the ONE AND ONLY party. Meaning you can access other 
users' allocations of User Key CSA.

Someone correct me if I've got this wrong.

If I'm right auditors might not be quite so happy.

Thanks, Martin

Martin Packer

zChampion, Systems Investigator & Performance Troubleshooter, IBM

+44-7802-245-584

email: [email protected]

Twitter / Facebook IDs: MartinPacker

Blog: https://www.ibm.com/developerworks/mydeveloperworks/blogs/MartinPacker

Podcast Series (With Marna Walle): https://developer.ibm.com/tv/mpt/ or https://itunes.apple.com/gb/podcast/mainframe-performance-topics/id1127943573?mt=2

Youtube channel: https://www.youtube.com/channel/UCu_65HaYgksbF6Q8SQ4oOvA



From:   "Vernooij, Kees (ITOP NM) - KLM" <[email protected]>
To:     [email protected]
Date:   10/09/2019 08:37
Subject:        Re: APAR OA56180 / RUCSA
Sent by:        IBM Mainframe Discussion List <[email protected]>



I think security auditors should be happy, provided they have done their 
homework.
CSA has been wide open to everybody since the beginning, the option to close 
the gate (userkeycsa(no)) has been available for a decade already, and now the 
gate can be controlled in detail.

Kees.


> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On
> Behalf Of Paul Gilmartin
> Sent: 09 September, 2019 21:21
> To: [email protected]
> Subject: Re: APAR OA56180 / RUCSA
> 
> On Mon, 9 Sep 2019 13:19:40 -0400, Tom Conley wrote:
> 
> >On 9/9/2019 1:04 PM, Mark Zelden wrote:
> >> On Mon, 9 Sep 2019 07:55:29 -0500, Peter Fatzinger wrote:
> >>
> >>>   The 1M increment for RUCSA storage was not chosen haphazardly.  We
> >>> understand the scarcity of below-the-line memory, but in order to provide
> >>> the isolation needed to adequately protect the area we couldn't use any
> >>> increment smaller than 1M.
> >>
> >> I pretty much assumed that, but thanks for the confirmation.
> >>
> >>>   Also, in case anyone is unaware, beginning in z/OS V2R4 RUCSA is a
> >>> separately ordered paid feature.
> >
> >Youse wants to break da rules, youse gotta pay.
> >
> How might security auditors look at RUCSA which:
> 
> 
> https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.ieae100/ieae1-rucsa.htm
>     Accessible only from address spaces that are running under user IDs
>     that have SAF READ authority to the IARRSM.RUCSA profile in the
>     FACILITY class, or on z/OS® V2R3 or earlier systems that have the VSM
>     ALLOWUSERKEYCSA(YES) parameter specified
> 
> I suppose it depends on the breadth of the exposure.
> 
> This is vaguely similar to the changes introduced by IO11698:  IBM found
> it impractical to make the facility secure so they wrapped it with SAF so
> the onus can be placed on the customer.
> 
> -- gil
> 
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN