Re: [EXTERNAL] Re: UA94606

2018-04-05 Thread Jim Mulder
VSM ALLOWUSERKEYCSA(NO) only prevents obtaining user key CSA. It does not 
prevent creating a user key CADS, or using CHANGKEY to change the key of 
subpool 247 or 248 (DREF SQA) storage to user key.
 
The health check and the new SMF 30 field report all three of those types 
of security issues, and all three will be disallowed in the next release 
after z/OS 2.3.

So I would think that you would want to keep the health check enabled.

Jim Mulder z/OS Diagnosis, Design, Development, Test  IBM Corp. 
Poughkeepsie NY

IBM Mainframe Discussion List  wrote on 
04/05/2018 03:12:40 PM:

> From: "Dyck, Lionel B. (TRA)" 
> To: IBM-MAIN@LISTSERV.UA.EDU
> Date: 04/05/2018 03:30 PM
> Subject: Re: [EXTERNAL] Re: UA94606
> Sent by: IBM Mainframe Discussion List 
> 
> Thank you
> 
> Since we have the DIAG set to NO is there a reason to keep the 
> Health Check enabled?
> 
> 



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: [EXTERNAL] Re: UA94606

2018-04-05 Thread Dyck, Lionel B. (TRA)
Thank you

Since we have the DIAG set to NO is there a reason to keep the Health Check 
enabled?


--
Lionel B. Dyck (Contractor)
Mainframe Systems Programmer - RavenTek Solution Partners

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jim Mulder
Sent: Thursday, April 05, 2018 2:07 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: UA94606

x'A0' means that someone created a user key CADS (Common Area Data Space, 
aka SCOPE=COMMON Data Space).

Jim Mulder z/OS Diagnosis, Design, Development, Test  IBM Corp. 
Poughkeepsie NY

IBM Mainframe Discussion List  wrote on
04/05/2018 02:36:22 PM:

> From: "Dyck, Lionel B. (TRA)" 
> To: IBM-MAIN@LISTSERV.UA.EDU
> Date: 04/05/2018 03:04 PM
> Subject: Re: [EXTERNAL] Re: UA94606
> Sent by: IBM Mainframe Discussion List 
> 
> We have VSM ALLOWUSERKEYCSA(NO)
> 
> And yet when we run MXG to look at SMF 30 for that information we see 
> many with a value of '80' but also some with 'A0' and we're not sure 
> what that means.





Re: [EXTERNAL] Re: UA94606

2018-04-05 Thread Jim Mulder
x'A0' means that someone created a user key CADS (Common Area Data Space, 
aka SCOPE=COMMON Data Space).

Jim Mulder z/OS Diagnosis, Design, Development, Test  IBM Corp. 
Poughkeepsie NY

IBM Mainframe Discussion List  wrote on 
04/05/2018 02:36:22 PM:

> From: "Dyck, Lionel B. (TRA)" 
> To: IBM-MAIN@LISTSERV.UA.EDU
> Date: 04/05/2018 03:04 PM
> Subject: Re: [EXTERNAL] Re: UA94606
> Sent by: IBM Mainframe Discussion List 
> 
> We have VSM ALLOWUSERKEYCSA(NO)
> 
> And yet when we run MXG to look at SMF 30 for that information we 
> see many with a value of '80' but also some with 'A0' and we're not 
> sure what that means.





Re: [EXTERNAL] Re: UA94606

2018-04-05 Thread Tom Marchant
On Thu, 5 Apr 2018 18:36:22 +, Dyck, Lionel B. (TRA) wrote:

>What will happen with 2.3?  Will this diag setting disappear as it becomes 
>hardened as NO?

It doesn't change with 2.3, but after 2.3.

>What will offenders encounter - some kind of x78 or 0C4 or something else?

The Init and Tuning manual says

VSM ALLOWUSERKEYCSA(NO|YES)
NO prevents user key CSA from being allocated by failing any attempt to obtain 
user key from a CSA subpool (through GETMAIN or STORAGE OBTAIN) with a B04-5C, 
B0A-5C, or B78-5C abend. The default is NO. IBM recommends that you should not 
specify ALLOWUSERKEYCSA(YES). User key CSA creates a security risk because any 
unauthorized program can modify it.
-- 
Tom Marchant



Re: [EXTERNAL] Re: UA94606

2018-04-05 Thread Dyck, Lionel B. (TRA)
We have VSM ALLOWUSERKEYCSA(NO)

And yet when we run MXG to look at SMF 30 for that information we see many with 
a value of '80' but also some with 'A0' and we're not sure what that means.

What will happen with 2.3?  Will this diag setting disappear as it becomes 
hardened as NO?

What will offenders encounter - some kind of x78 or 0C4 or something else?

Thanks

--
Lionel B. Dyck (Contractor)
Mainframe Systems Programmer - RavenTek Solution Partners

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of John Eells
Sent: Thursday, April 05, 2018 1:22 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: UA94606

Jesse 1 Robinson wrote:
> Good advice for the sandbox. However, identifying the offender is only the 
> first step. Fixing the problem may turn out to be a long and painful journey 
> through the whole enterprise.
>


Well, you might have more than one offender. Also, one or more offenders might 
not be running in your sandbox environment. Flipping the switch in production 
before knowing who the offenders are and getting them fixed first might be bad. 
Continuing to allow user key CSA to be used might also be bad.

A friendly RSM developer (thanks, Steve!) tells me SMF30s can be used to 
identify any number of offenders after putting on the very same PTF you 
installed for OA53355, which also adds the SMF30_UserKeyCsaUsage field. 
This is in the APAR text, and I'm told it's in the DOC HOLD, but I didn't 
find it in the z/OS V2.3 SMF book (we will work on fixing that). 
It's hard to imagine anyone excluding the ever-useful SMF30 records from 
collection, but to process them you would need to turn them on, if they were 
off.

Then, you have to run long enough to collect and process the records to show 
whether you will break something you care about when you flip the DIAGxx 
switch, and get the necessary offenders fixed before the flip.

The risk avoidance aspect of this approach has to be balanced against the risk 
of allowing user key CSA until you finish.

The APAR text is here:

https://www-01.ibm.com/support/docview.wss?rs=63&uid=isg1OA53355

Happy hunting...

--
John Eells
IBM Poughkeepsie
ee...@us.ibm.com

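Putting John Eells' suggestion (use the SMF30_UserKeyCsaUsage field to find every offender before flipping the DIAGxx switch) together with Jim Mulder's reading of the '80' and 'A0' values, here is an added example, not code from the thread, from IBM or from MXG, that decodes the flag byte from a constructed SMF 30 extract and groups the offending jobs. It assumes the field is a one-byte flag with x'80' meaning user key CSA was obtained and x'20' meaning a user key CADS was created, which is what the '80' and 'A0' values in the thread imply; the x'40' bit for CHANGKEY to user key is an assumption not stated in the thread, and the column layout, job names and program names are all constructed.

```python
"""Triage SMF type 30 SMF30_UserKeyCsaUsage flags to list user key common
storage offenders before (or after) setting VSM ALLOWUSERKEYCSA(NO).

Added example, not code from the thread, from IBM or from MXG.  The x'80'
(user key CSA obtained) and x'20' (user key CADS created) bits follow the
'80' and 'A0' values discussed in the thread; the x'40' bit for CHANGKEY to
user key is an ASSUMPTION not stated in the thread.
"""
from collections import defaultdict

# Flag bits of the one-byte SMF30_UserKeyCsaUsage field.
USERKEY_CSA = 0x80       # user key CSA obtained (GETMAIN / STORAGE OBTAIN)
USERKEY_CHANGKEY = 0x40  # ASSUMED: CHANGKEY changed subpool 247/248 (DREF SQA) to user key
USERKEY_CADS = 0x20      # user key CADS (SCOPE=COMMON data space) created

FLAG_NAMES = {
    USERKEY_CSA: "USER_KEY_CSA",
    USERKEY_CHANGKEY: "USER_KEY_CHANGKEY",
    USERKEY_CADS: "USER_KEY_CADS",
}


def decode_usage(flag_byte: int) -> list[str]:
    """Name every set bit; e.g. x'A0' = x'80' | x'20' -> CSA obtained and CADS created.
    Bits this script does not know are reported as UNKNOWN(x'..') rather than
    silently dropped, so a flag added in a later release is not missed."""
    names = []
    leftover = flag_byte & 0xFF
    for bit, name in FLAG_NAMES.items():
        if flag_byte & bit:
            names.append(name)
            leftover &= ~bit
    if leftover:
        names.append(f"UNKNOWN(x'{leftover:02X}')")
    return names


def parse_extract(text: str) -> list[tuple[str, str, int]]:
    """Parse a whitespace-delimited extract with a header row:
    JOBNAME PROGRAM USERKEYCSAUSAGE, the last column in hex as a reporting
    tool would print the field (constructed layout, not MXG's)."""
    rows = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines[1:]:  # skip the header row
        job, program, flags = line.split()
        rows.append((job, program, int(flags, 16)))
    return rows


def summarize_offenders(rows):
    """Group by job name, keeping only records with at least one usage bit set.
    Returns {jobname: {"programs": set, "usage": set, "records": int}}."""
    offenders = defaultdict(lambda: {"programs": set(), "usage": set(), "records": 0})
    for job, program, flags in rows:
        usage = decode_usage(flags)
        if not usage:
            continue  # clean record: no user key common storage used
        entry = offenders[job]
        entry["programs"].add(program)
        entry["usage"].update(usage)
        entry["records"] += 1
    return dict(offenders)


def ready_to_set_no(offenders) -> bool:
    """True only when no job used user key CSA, CADS or CHANGKEY in the
    collection window, i.e. nothing is known to break when the switch flips."""
    return not offenders


# Constructed sample extract (not real SMF data), shaped like a job-level listing.
SAMPLE_EXTRACT = """\
JOBNAME  PROGRAM  USERKEYCSAUSAGE
PAYROLL  PAYPGM1  80
PAYROLL  PAYPGM2  80
OLDMON   MONSTC   A0
CICSPRD  DFHSIP   00
LEGACYX  LGCY01   40
BATCH01  IEBGENER 00
"""

if __name__ == "__main__":
    found = summarize_offenders(parse_extract(SAMPLE_EXTRACT))
    for job, info in sorted(found.items()):
        print(f"{job:<8} records={info['records']:<3} "
              f"programs={sorted(info['programs'])} usage={sorted(info['usage'])}")
    print("ready to set ALLOWUSERKEYCSA(NO):", ready_to_set_no(found))
```

Run against a window long enough to catch infrequent jobs, as the thread advises; the x'A0' row shows why a site that already has ALLOWUSERKEYCSA(NO) still sees hits, since the CADS and CHANGKEY cases are not stopped by that setting.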