Steps to avoid service disruption after applying Top Secret PTF LU13138



Article ID: 369029


Products

Top Secret

Issue/Introduction

What are the steps to avoid service disruption after applying PTF LU13138 (SAF R_USERMAP - INCORRECT USE OF TCB LEVEL ACEE)?

LU13138 corrects the authorization processing of the R_usermap callable service for the IRR.RUSERMAP and IRR.IDIDMAP.QUERY resources in the IBMFAC resource class.

Before the PTF, Top Secret authorizes the R_usermap call against the TCB-level (task) ACEE whenever one exists. This is an error: per the SAF Callable Services Guide, the address space level ACEE must be used for these calls. After the PTF, the address space ACID is the one checked, so a caller that was authorized only because its TCB-level ACID held the permit will be denied until its address space ACID is permitted.

Security Administrators should review the following three options before continuing. After reviewing the options, choose one of the methods for resolution to avoid any service interruptions for existing R_usermap callers.

Resolution

Option 1: Identification Using WHOHAS

1. Enter the following TSS WHOHAS commands:

TSS WHOHAS IBMFAC(IRR.RUSERMAP) 
TSS WHOHAS IBMFAC(IRR.IDIDMAP.QUERY) 

Sample Output:

IBMFAC     = IRR                                           OWNER(MASTER  )
 XAUTH     = IRR.RUSERMAP                                   ACID(IZUSVR  )
   ACCESS  = READ
   ADMIN BY= BY(ADMNID01 )    SMFID(M10J)   ON(05/03/2024)  AT(13:53:26)
 XAUTH     = IRR.RUSERMAP                                   ACID(TUMUE002)
   ACCESS  = READ
   ADMIN BY= BY(ADMNID01 )    SMFID(M40J)   ON(05/08/2024)  AT(22:43:32)
 XAUTH     = IRR.RUSERMAP                                   ACID(TUMU1003)
   ACCESS  = READ
   ADMIN BY= BY(ADMNID01 )    SMFID(M40J)   ON(05/08/2024)  AT(22:43:33)
 XAUTH     = IRR.RUSERMAP                                   ACID(TUMU1004)
   ACCESS  = READ
   ADMIN BY= BY(ADMNID01 )    SMFID(M40J)   ON(05/08/2024)  AT(22:43:33)
TSS0300I  WHOHAS   FUNCTION SUCCESSFUL 
***

2. Save the WHOHAS output.

3. List the STC users:

READY
TSS LIST STC
 ACCESSORID = *STC*     NAME       = STARTED-TASKS
 TYPE       = GLOBAL    SIZE       =     4352  BYTES
 CREATED    = 06/29/99  00:00  LAST MOD   = 05/10/24  11:16
 STC        = IXGLOGR   ACID       = *BYPASS*
 STC        = IZUINSTP  ACID       = IZUSVR
 STC        = JCLREST   ACID       = STCOMVS

4. Save the TSS LIST STC output.

5. Determine which ACIDs are Address Space ACEE users (End User Server IDs) by comparing the WHOHAS output with the TSS LIST STC output:
     a. An ACID that appears in both outputs, such as IZUSVR, is an Address Space ACEE user that already holds the permit. No change is required.
     b. An ACID that appears only in the TSS LIST STC output has no permit of its own: permit it READ access to IRR.RUSERMAP or IRR.IDIDMAP.QUERY in the IBMFAC resource class before applying the PTF (see Appendix A). Permitting every STC ACID is broader than least privilege requires; if the STC table is large, use the SECTRACE in Option 2 to confirm which started tasks actually call R_usermap before permitting them.

6. Apply PTF LU13138.

7. For each ACID that appears in the WHOHAS output but not in the saved TSS LIST STC output, determine whether it still requires READ access to IRR.RUSERMAP or IRR.IDIDMAP.QUERY in the IBMFAC resource class now that the address space ACEE is checked; Appendix A shows the PERMIT and REVOKE commands.

Option 2:  Identification Using SAF OMVS SECTRACE

Note: A SAF OMVS SECTRACE captures only the callers that run while the trace is active, so workloads that are not always running may be missed. To keep identifying callers after applying PTF LU13138, run the SAF OMVS SECTRACE periodically.

1. Start a SAF OMVS SECTRACE to identify callers of R_usermap:
    a. Refer to Appendix B for DCB attributes when DEST=DATASET.

ST SET,ID=xxx,TYPE=OMVS,SFUNC=RUSERMAP,MATCHLIM=nnn,DEST=DATASET,DSN=dataset_name,END

(nnn is the maximum number of matching events to trace; xxx is the trace ID used again on the ST DEL command.)

Example of a successful caller. The USER= value on the second line is the caller, and RC=0/0:0 on the last line is the SAF return code:
13.13.14 JOB00058  CAS2205I REQUEST=R_Usermap       ,EXIT=PRE ,RC=N/A
13.13.14 JOB00058  CAS2206I USER=IZUSVR,UID=N/A       ,GROUP=*       ,GID=N/A
13.13.14 JOB00058  CAS2206I Function=eMAIL Addr to User ID   ,Option=0   ,MF userid=TUMU9001
13.13.14 JOB00058  CAS2206I Certificate=NO ,[email protected]
13.13.14 JOB00058  CAS2205I REQUEST=R_Usermap       ,EXIT=POST,RC=0/0:0

2. Disable the trace and save the output.

ST DEL,ID=xxx

3. List the STC users:

READY
TSS LIST STC
 ACCESSORID = *STC*     NAME       = STARTED-TASKS
 TYPE       = GLOBAL    SIZE       =     4352  BYTES
 CREATED    = 06/29/99  00:00  LAST MOD   = 05/10/24  11:16
 STC        = IXGLOGR   ACID       = *BYPASS*
 STC        = IZUINSTP  ACID       = IZUSVR
 STC        = JCLREST   ACID       = STCOMVS

4. Save the TSS LIST STC output.

5. Determine which ACIDs are Address Space ACEE users (End User Server IDs) by comparing the trace output with the TSS LIST STC output:
    a. An ACID that appears in both outputs with a return code of 0, such as IZUSVR, is an Address Space ACEE user. No change is required.
    b. An ACID that appears in both outputs with a non-zero return code needs a permit: permit it READ access to IRR.RUSERMAP or IRR.IDIDMAP.QUERY in the IBMFAC resource class before applying the PTF (see Appendix A).

6. Apply PTF LU13138.

7. Start the SAF OMVS SECTRACE again to identify callers of R_usermap after the PTF.

8. If an ACID appears in the trace output with a return code of 0 but not in the saved TSS LIST STC output, determine whether it requires permission to IRR.RUSERMAP or IRR.IDIDMAP.QUERY in the IBMFAC resource class.

Option 3: Identification of Impacted ACIDs Performed After PTF is Applied (Not Recommended)

Note: With this option, Address Space ACEE users and TCB ACEE users are not identified before PTF LU13138 is applied. Callers of either type whose address space ACID lacks a READ permit will be denied access once the PTF is applied, and will stay denied until the permit is added.

1. Apply PTF LU13138.

2. Start a SAF OMVS SECTRACE to identify callers of R_usermap:
    a. Refer to Appendix B for DCB attributes when DEST=DATASET.

ST SET,ID=xxx,TYPE=OMVS,SFUNC=RUSERMAP,MATCHLIM=nnn,DEST=DATASET,DSN=dataset_name,END

Example of a caller denied after the PTF. The TSS7250E violation message names the ACID that was checked (A=), and RC=8/8:20 on the last line is the non-zero SAF return code:
13.13.13 JOB00058  CAS2205I REQUEST=R_Usermap       ,EXIT=PRE ,RC=N/A
13.13.13 JOB00058  TSS7250E 136 J=ADMNID0Z A=IZUSVR TYPE=IBMFAC RESOURCE=IRR.RUSERMAP
13.13.13 JOB00058  CAS2206I USER=TUMU1001,UID=N/A       ,GROUP=*       ,GID=N/A
13.13.13 JOB00058  CAS2206I Function=eMAIL Addr to User ID   ,Option=0   ,MF userid=
13.13.13 JOB00058  CAS2206I Certificate=NO ,[email protected]
13.13.13 JOB00058  CAS2205I REQUEST=R_Usermap       ,EXIT=POST,RC=8/8:20

3. Disable the trace and save the output.

ST DEL,ID=xxx

4. List the STC users:

READY
TSS LIST STC
 ACCESSORID = *STC*     NAME       = STARTED-TASKS
 TYPE       = GLOBAL    SIZE       =     4352  BYTES
 CREATED    = 06/29/99  00:00  LAST MOD   = 05/10/24  11:16
 STC        = IXGLOGR   ACID       = *BYPASS*
 STC        = IZUINSTP  ACID       = IZUSVR
 STC        = JCLREST   ACID       = STCOMVS 

5. Save the TSS LIST STC output.

6. Identify the impacted R_usermap callers by comparing the trace output with the TSS LIST STC output:
    a. An ACID that appears in both outputs with a non-zero return code needs a permit: permit it READ access to IRR.RUSERMAP or IRR.IDIDMAP.QUERY in the IBMFAC resource class (see Appendix A).
    b. An ACID that appears in both outputs with a return code of 0, such as IZUSVR, is an Address Space ACEE user. No change is required.
    c. If an ACID appears in the trace output with a return code of 0 but not in the saved TSS LIST STC output, determine whether it requires permission to IRR.RUSERMAP or IRR.IDIDMAP.QUERY in the IBMFAC resource class.

Note: A SAF OMVS SECTRACE captures only the callers that run while the trace is active, so workloads that are not always running may be missed. To keep identifying callers after applying PTF LU13138, run the SAF OMVS SECTRACE periodically.
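The comparisons in Options 1, 2 and 3 are easy to get wrong by eye when the STC table or the trace is long. The script below is an added example, not part of this article or of Top Secret: it parses saved copies of the TSS WHOHAS, TSS LIST STC and SAF OMVS SECTRACE output, applies the classification rules of the three options, and emits the Appendix A PERMIT commands for the ACIDs that need them. The three sample listings embedded in it are constructed to resemble the article's output (the ACIDs STCOMVS, TUMU1001 and BATCH001 and the job name JCLREST are assumed); on a real system, paste in your own saved output. For a denied call it takes the ACID from the A= field of the TSS7250E violation, which is the ACID Top Secret actually checked, and falls back to the CAS2206I USER= value otherwise.

```python
"""Added example (not from the Broadcom article): classify R_usermap callers
for PTF LU13138 from saved TSS WHOHAS, TSS LIST STC and SAF OMVS SECTRACE
output. All sample output below is constructed, modelled on the article."""
import re

WHOHAS_OUTPUT = """\
IBMFAC     = IRR                                           OWNER(MASTER  )
 XAUTH     = IRR.RUSERMAP                                   ACID(IZUSVR  )
   ACCESS  = READ
 XAUTH     = IRR.RUSERMAP                                   ACID(TUMUE002)
   ACCESS  = READ
TSS0300I  WHOHAS   FUNCTION SUCCESSFUL
"""

LIST_STC_OUTPUT = """\
 ACCESSORID = *STC*     NAME       = STARTED-TASKS
 STC        = IXGLOGR   ACID       = *BYPASS*
 STC        = IZUINSTP  ACID       = IZUSVR
 STC        = JCLREST   ACID       = STCOMVS
"""

# Constructed trace taken after the PTF: one denied call (the TSS7250E names
# the ACID that was checked), one STC success and one non-STC success.
SECTRACE_OUTPUT = """\
13.13.13 JOB00058  CAS2205I REQUEST=R_Usermap       ,EXIT=PRE ,RC=N/A
13.13.13 JOB00058  TSS7250E 136 J=JCLREST A=STCOMVS TYPE=IBMFAC RESOURCE=IRR.RUSERMAP
13.13.13 JOB00058  CAS2206I USER=TUMU1001,UID=N/A       ,GROUP=*       ,GID=N/A
13.13.13 JOB00058  CAS2206I Function=eMAIL Addr to User ID   ,Option=0   ,MF userid=
13.13.13 JOB00058  CAS2205I REQUEST=R_Usermap       ,EXIT=POST,RC=8/8:20
13.13.14 JOB00058  CAS2205I REQUEST=R_Usermap       ,EXIT=PRE ,RC=N/A
13.13.14 JOB00058  CAS2206I USER=IZUSVR,UID=N/A       ,GROUP=*       ,GID=N/A
13.13.14 JOB00058  CAS2205I REQUEST=R_Usermap       ,EXIT=POST,RC=0/0:0
13.13.15 JOB00059  CAS2205I REQUEST=R_Usermap       ,EXIT=PRE ,RC=N/A
13.13.15 JOB00059  CAS2206I USER=BATCH001,UID=N/A       ,GROUP=*       ,GID=N/A
13.13.15 JOB00059  CAS2205I REQUEST=R_Usermap       ,EXIT=POST,RC=0/0:0
"""

XAUTH_RE = re.compile(r"^\s*XAUTH\s*=\s*(\S+)\s+ACID\(([^)\s]+)")
STC_RE = re.compile(r"^\s*STC\s*=\s*\S+\s+ACID\s*=\s*(\S+)")
TRACE_USER_RE = re.compile(r"CAS2206I USER=([^,]+),")
TRACE_POST_RE = re.compile(r"CAS2205I REQUEST=R_Usermap\s*,EXIT=POST,RC=(\d+)/")
VIOLATION_RE = re.compile(r"TSS7250E\s+\S+\s+J=\S+\s+A=(\S+)")


def parse_whohas(text):
    """Map each resource to the set of ACIDs with an explicit XAUTH permit."""
    permits = {}
    for line in text.splitlines():
        m = XAUTH_RE.match(line)
        if m:
            permits.setdefault(m.group(1), set()).add(m.group(2))
    return permits


def parse_list_stc(text):
    """Return the ACIDs in the STC table; *BYPASS* entries carry no ACID."""
    return {m.group(1) for m in map(STC_RE.match, text.splitlines())
            if m and not m.group(1).startswith("*")}


def parse_sectrace(text):
    """Collapse each PRE..POST pair into (checked_acid, user, saf_rc); the
    checked ACID is the TSS7250E A= value if a violation was issued."""
    calls, user, denied = [], None, None
    for line in text.splitlines():
        if "EXIT=PRE" in line:
            user, denied = None, None
        elif m := VIOLATION_RE.search(line):
            denied = m.group(1)
        elif m := TRACE_USER_RE.search(line):
            user = m.group(1).strip()
        elif (m := TRACE_POST_RE.search(line)) and user is not None:
            calls.append((denied or user, user, int(m.group(1))))
    return calls


def classify_option1(permits, stc_acids, resource="IRR.RUSERMAP"):
    """Option 1 steps 5a, 5b and 7: WHOHAS permits versus the STC table."""
    permitted = permits.get(resource, set())
    return {"ok": sorted(permitted & stc_acids),                 # 5a: no change
            "permit_before_ptf": sorted(stc_acids - permitted),  # 5b: permit
            "review_after_ptf": sorted(permitted - stc_acids)}   # 7: review


def classify_trace(calls, stc_acids):
    """Option 2 steps 5 and 8 / Option 3 step 6: trace versus the STC table."""
    out = {"ok": set(), "permit": set(), "review": set()}
    for acid, _user, rc in calls:
        if acid in stc_acids:
            out["ok" if rc == 0 else "permit"].add(acid)
        else:
            out["review"].add(acid)  # not an STC ACID: administrator decides
    return {k: sorted(v) for k, v in out.items()}


def permit_commands(acids, resource="IRR.RUSERMAP"):
    """Appendix A PERMIT commands for the ACIDs that need READ access."""
    return [f"TSS PERMIT({a}) IBMFAC({resource}) ACCESS(READ)" for a in acids]


if __name__ == "__main__":
    stc = parse_list_stc(LIST_STC_OUTPUT)
    before = classify_option1(parse_whohas(WHOHAS_OUTPUT), stc)
    print("Option 1:", before)
    print("\n".join(permit_commands(before["permit_before_ptf"])))
    print("Options 2/3:", classify_trace(parse_sectrace(SECTRACE_OUTPUT), stc))
```

With the constructed listings, Option 1 reports IZUSVR as already correct, STCOMVS as needing a permit before the PTF, and TUMUE002 as a permitted non-STC ACID to review afterwards; the trace classification reports STCOMVS as denied (permit), IZUSVR as fine, and BATCH001 as a non-STC caller for the administrator to decide on. Review the "review" lists by hand: the article leaves that decision to the security administrator, and the script deliberately does not generate PERMIT commands for them.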

Additional Information

Appendix A: Sample TSS PERMIT commands.

Permit access to specific ACIDs:

TSS PERMIT(ACID0001) IBMFAC(IRR.RUSERMAP) ACCESS(READ)
TSS PERMIT(ACID0001) IBMFAC(IRR.IDIDMAP.QUERY) ACCESS(READ)

Revoke access from specific ACIDs:

TSS REVOKE(ACID0001) IBMFAC(IRR.RUSERMAP) ACCESS(READ)
TSS REVOKE(ACID0001) IBMFAC(IRR.IDIDMAP.QUERY) ACCESS(READ)

Permit access through the ALL record (this grants every ACID READ access to the resource and bypasses the per-caller review in the options above, so use it only if every ACID on the system should be able to call R_usermap):

TSS PERMIT(ALL) IBMFAC(IRR.RUSERMAP) ACCESS(READ)
TSS PERMIT(ALL) IBMFAC(IRR.IDIDMAP.QUERY) ACCESS(READ)

Revoke access from the ALL record:

TSS REVOKE(ALL) IBMFAC(IRR.RUSERMAP) ACCESS(READ)
TSS REVOKE(ALL) IBMFAC(IRR.IDIDMAP.QUERY) ACCESS(READ)