LU13944 - This fix corrects incorrect processing of the R_usermap authorization process for IRR.RUSERMAP and IRR.IDIDMAP.QUERY resources in the FACILITY resource class.
Currently, our implementation of the R_usermap authorization call incorrectly checks the task-level (TCB) security environment ACEE when one exists.
This is an error: per the SAF Callable Services Guide, the address-space-level ACEE should be used for these calls instead.
Security administrators should review the following three options before continuing.
After reviewing the options, choose one of the methods of resolution so that existing R_usermap callers do not suffer a service interruption.
Option 1.
1. Enter the following ACF2 subcommands:
ACF
? SET RESOURCE(FAC)
? DECOMP IRR
ACF75052 RESOURCE RULE IRR STORED BY ADMIN01 ON 06/19/24-10:36
$KEY(IRR) TYPE(FAC) ROLESET
IDIDMAP.QUERY USER(TUMUE002) SERVICE(READ) ALLOW
IDIDMAP.QUERY USER(TUMU1001) SERVICE(READ) ALLOW
IDIDMAP.QUERY USER(TUMU1004) SERVICE(READ) ALLOW
RUSERMAP USER(TUMUE002) SERVICE(READ) ALLOW
RUSERMAP USER(TUMU1001) SERVICE(READ) ALLOW
RUSERMAP USER(IZUSVR) SERVICE(READ) ALLOW
ACF75051 TOTAL RECORD LENGTH= 2255 BYTES, 6 PERCENT UTILIZED
?
2. Save the DECOMP output for the IDIDMAP.QUERY and RUSERMAP entries.
3. List the STC users:
ACF
? SET TERSE
? LIST IF(STC)
FTPD FTPD TCP/IP STC ID
FTPD1 FTPD1 TCP/IP STC ID
IZUSVR IZUSVR ZOSMF STARTED TASK U
OMVS OMVS OPENMVS STC ID
SSHD SSHD
TCPIP TCPIP TCP/IP STC ID
4. Save the LIST output.
5. Run the SHOW STC subcommand:
? SHOW STC
-- STARTED TASK TABLE --
STCID LOGONID GROUP
======== ======== =======
IZUANG1 IZUSVR
IZUSRV1 IZUSVR
SNMPD SNMPD
SSHD OMVSKERN OMVSGRP
TCPTEL TCPIP
6. Save the SHOW STC output.
7. Determine if LOGONIDs are Address Space ACEE users (End User Server IDs) by comparing
the outputs of the DECOMP, LIST & SHOW STC Subcommands.
a) Users that appear in all outputs, such as IZUSVR are Address
Space ACEE users. No change is required.
b) If the user only appears in the LIST/SHOW outputs,
permit READ access to IRR.RUSERMAP or IRR.IDIDMAP.QUERY in
the FACILITY resource class.
8. Apply PTF LU13944.
9. If the user is not in the previous LIST/SHOW outputs, determine if the
user requires READ access to IRR.RUSERMAP or IRR.IDIDMAP.QUERY
in the FACILITY resource class.
Note: For workloads or callers that are not scheduled to run while the trace is active, a SAF OMVS SECTRACE does not capture all callers impacted by this PTF.
To continue identifying callers after applying PTF LU13944, run a SAF OMVS SECTRACE periodically.
Option 2.
1. Enable the SAF OMVS SECTRACE to identify callers of R_usermap:
ST SET,TYPE=OMVS,SFUNC=RUSERMAP,MATCHLIM=matchlim_name,DEST=DATASET,DSN=dataset_name,END
Example of a successful caller (the caller's user ID is on line 2):
13.13.14 JOB00058 CAS2205I REQUEST=R_Usermap ,EXIT=PRE ,RC=N/A
13.13.14 JOB00058 CAS2206I USER=IZUSVR,UID=N/A ,GROUP=* ,GID=N/A
13.13.14 JOB00058 CAS2206I Function=eMAIL Addr to User ID ,Option=0 ,MF userid=TUMU9001
13.13.14 JOB00058 CAS2206I Certificate=NO ,[email protected]
13.13.14 JOB00058 CAS2205I REQUEST=R_Usermap ,EXIT=POST,RC=0/0:0
2. Disable the trace and save the output.
3. List the STC users:
ACF
? SET TERSE
? LIST IF(STC)
FTPD FTPD TCP/IP STC ID
FTPD1 FTPD1 TCP/IP STC ID
IZUSVR IZUSVR ZOSMF STARTED TASK U
OMVS OMVS OPENMVS STC ID
SSHD SSHD
TCPIP TCPIP TCP/IP STC ID
4. Save the LIST output.
5. Run the SHOW STC subcommand:
? SHOW STC
-- STARTED TASK TABLE --
STCID LOGONID GROUP
======== ======== =======
IZUANG1 IZUSVR
IZUSRV1 IZUSVR
SNMPD SNMPD
SSHD OMVSKERN OMVSGRP
TCPTEL TCPIP
6. Save the SHOW STC output.
7. Determine if LOGONIDs are Address Space ACEE users
(End User Server IDs) by comparing the output of the trace
command to the LIST & SHOW Subcommands.
a. Users that appear in all outputs with a return code of 0, such
as IZUSVR, are Address Space ACEE users. No change is required.
b. If the user appears in all outputs and the return code is not 0,
permit READ access to IRR.RUSERMAP or IRR.IDIDMAP.QUERY in the FACILITY resource class.
8. Apply PTF LU13944.
9. Enable the SAF OMVS SECTRACE to identify callers of R_usermap.
10. If a user ID appears on the trace output with a return code 0, but is not in the previous LIST/SHOW output, determine if the
user requires permission to IRR.RUSERMAP or IRR.IDIDMAP.QUERY in the FACILITY resource class.
Option 3. Identification of Impacted LOGONIDs Performed After PTF is Applied (Not Recommended)
Note: If you use this option, identification of Address Space ACEE users and TCB ACEE users is not completed before applying PTF LU13944. Both user types will be denied access after the PTF is applied.
1. Apply PTF LU13944.
2. Enable the SAF OMVS SECTRACE to identify callers of R_usermap:
ST SET,TYPE=OMVS,SFUNC=RUSERMAP,MATCHLIM=matchlim_name,DEST=DATASET,DSN=dataset_name,END
CAS2205I REQUEST=R_Usermap ,EXIT=PRE ,RC=N/A
CAS2206I USER=IZUSVR,UID=N/A ,GROUP=* ,GID=N/A
CAS2206I Function=User to eMAIL Addr ,Option=0 ,MF userid=TUMU9001
CAS2206I Certificate=NO ,[email protected]
CAS2205I REQUEST=R_Usermap ,EXIT=POST,RC=0/0:0
CAS2205I REQUEST=R_Usermap ,EXIT=PRE ,RC=N/A
CAS2206I USER=IZUSVRA,UID=N/A ,GROUP=* ,GID=N/A
CAS2206I Function=eMAIL Addr to User ID ,Option=0 ,MF userid=
CAS2206I Certificate=NO ,[email protected]
CAS2205I REQUEST=R_Usermap ,EXIT=POST,RC=8/8:20
3. Disable the trace and save the output.
4. List the STC users:
ACF
? SET TERSE
? LIST IF(STC)
FTPD FTPD TCP/IP STC ID
FTPD1 FTPD1 TCP/IP STC ID
IZUSVR IZUSVR ZOSMF STARTED TASK U
OMVS OMVS OPENMVS STC ID
SSHD SSHD
TCPIP TCPIP TCP/IP STC ID
5. Save the LIST output.
6. Run the SHOW STC subcommand:
? SHOW STC
-- STARTED TASK TABLE --
STCID LOGONID GROUP
======== ======== =======
IZUANG1 IZUSVR
IZUSRV1 IZUSVR
SNMPD SNMPD
SSHD OMVSKERN OMVSGRP
TCPTEL TCPIP
7. Save the SHOW STC output.
8. Identify the impacted R_usermap callers:
a. If the user appears in all outputs and the return code is not 0,
permit access to IRR.RUSERMAP or IRR.IDIDMAP.QUERY in the FACILITY resource class.
b. Users that appear in all outputs and have a return code of 0,
such as IZUSVR are Address Space ACEE users. No change is required.
c. If a user ID appears on the trace output with a return code of 0 but is not in the previous LIST/SHOW outputs,
determine if the user requires permission to IRR.RUSERMAP or IRR.IDIDMAP.QUERY in the FACILITY resource class.
Note: For workloads or callers that are not scheduled to always run while the trace is active, a SAF OMVS SECTRACE does not capture all callers
impacted by this PTF. To continue identifying callers after applying PTF LU13944, run a SAF OMVS SECTRACE periodically.
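The LOGONID comparison in Option 1 (steps 7 and 9) and the trace-based comparison in Options 2 and 3 (steps 7 and 8) can be done by eye, but a short script over the saved outputs is less error-prone once the STC table has more than a handful of entries. The following Python is an added example, not part of this article or of ACF2: it parses constructed copies of the DECOMP, LIST IF(STC), SHOW STC and SECTRACE outputs shown above (the TCPIP and APPSRV1 trace records are invented so that every rule is exercised) and applies the article's rules. Two readings are assumptions: "appears in the LIST/SHOW outputs" is taken to mean appearing in either of them, and a trace caller with a non-zero return code that is absent from both STC lists is put on the review list, since the article spells out only the RC=0 case for callers outside LIST/SHOW.

```python
import re

# Constructed sample outputs, modelled on the snippets in the article. The
# TCPIP and APPSRV1 trace records are invented to exercise every rule.
DECOMP_OUT = """\
$KEY(IRR) TYPE(FAC) ROLESET
IDIDMAP.QUERY USER(TUMUE002) SERVICE(READ) ALLOW
IDIDMAP.QUERY USER(TUMU1001) SERVICE(READ) ALLOW
IDIDMAP.QUERY USER(TUMU1004) SERVICE(READ) ALLOW
RUSERMAP USER(TUMUE002) SERVICE(READ) ALLOW
RUSERMAP USER(TUMU1001) SERVICE(READ) ALLOW
RUSERMAP USER(IZUSVR) SERVICE(READ) ALLOW
"""
LIST_OUT = """\
FTPD FTPD TCP/IP STC ID
FTPD1 FTPD1 TCP/IP STC ID
IZUSVR IZUSVR ZOSMF STARTED TASK U
OMVS OMVS OPENMVS STC ID
SSHD SSHD
TCPIP TCPIP TCP/IP STC ID
"""
SHOW_OUT = """\
-- STARTED TASK TABLE --
STCID LOGONID GROUP
======== ======== =======
IZUANG1 IZUSVR
IZUSRV1 IZUSVR
SNMPD SNMPD
SSHD OMVSKERN OMVSGRP
TCPTEL TCPIP
"""
TRACE_OUT = """\
13.13.14 JOB00058 CAS2205I REQUEST=R_Usermap ,EXIT=PRE ,RC=N/A
13.13.14 JOB00058 CAS2206I USER=IZUSVR,UID=N/A ,GROUP=* ,GID=N/A
13.13.14 JOB00058 CAS2206I Function=eMAIL Addr to User ID ,Option=0 ,MF userid=TUMU9001
13.13.14 JOB00058 CAS2205I REQUEST=R_Usermap ,EXIT=POST,RC=0/0:0
CAS2205I REQUEST=R_Usermap ,EXIT=PRE ,RC=N/A
CAS2206I USER=TCPIP,UID=N/A ,GROUP=* ,GID=N/A
CAS2205I REQUEST=R_Usermap ,EXIT=POST,RC=8/8:20
CAS2205I REQUEST=R_Usermap ,EXIT=PRE ,RC=N/A
CAS2206I USER=APPSRV1,UID=N/A ,GROUP=* ,GID=N/A
CAS2205I REQUEST=R_Usermap ,EXIT=POST,RC=0/0:0
"""

NO_CHANGE = "Address Space ACEE user: no change required"
PERMIT = "permit READ to IRR.RUSERMAP and IRR.IDIDMAP.QUERY in FACILITY"
REVIEW = "review whether READ access is required"


def parse_decomp(text):
    """LOGONIDs named in USER(...) entries of the DECOMP'd IRR rule."""
    return set(re.findall(r"^\S+\s+USER\((\S+)\)", text, re.MULTILINE))


def parse_list_stc(text):
    """The first column of LIST IF(STC) output is the LOGONID."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def parse_show_stc(text):
    """The LOGONID column of the SHOW STC table, skipping its header lines."""
    ids = set()
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[0] not in ("--", "STCID", "========"):
            ids.add(cols[1])
    return ids


def parse_sectrace(text):
    """(user, SAF return code) per R_Usermap PRE/POST pair; the time-stamp and
    job-name prefix is optional, and the SAF RC is the first number of RC=a/b:c."""
    callers, user = [], None
    for line in text.splitlines():
        idx = line.find("CAS220")
        if idx < 0:
            continue
        body = line[idx:]
        if body.startswith("CAS2205I") and "EXIT=PRE" in body:
            user = None
        elif body.startswith("CAS2206I USER="):
            user = body.split("USER=", 1)[1].split(",", 1)[0].strip()
        elif body.startswith("CAS2205I") and "EXIT=POST" in body:
            callers.append((user, int(re.search(r"RC=(\d+)/", body).group(1))))
    return callers


def classify_by_rule(decomp, list_ids, show_ids):
    """Option 1, steps 7 and 9: DECOMP entries versus the STC outputs."""
    stc = list_ids | show_ids  # assumption: "LIST/SHOW" means either output
    result = {uid: NO_CHANGE for uid in decomp & list_ids & show_ids}  # 7a
    result.update({uid: PERMIT for uid in stc - decomp})  # 7b
    result.update({uid: REVIEW for uid in decomp - (list_ids & show_ids)})  # 9
    return result


def classify_by_trace(callers, list_ids, show_ids):
    """Options 2 and 3: trace callers versus the STC outputs. A caller with any
    non-zero return code stays PERMIT even if other calls of its succeeded."""
    stc = list_ids | show_ids
    result = {}
    for uid, rc in callers:
        if uid not in stc:
            # The article covers only RC=0 here; treating RC!=0 alike is an assumption.
            result[uid] = REVIEW
        elif rc != 0:
            result[uid] = PERMIT
        else:
            result.setdefault(uid, NO_CHANGE)
    return result


if __name__ == "__main__":
    list_ids, show_ids = parse_list_stc(LIST_OUT), parse_show_stc(SHOW_OUT)
    by_rule = classify_by_rule(parse_decomp(DECOMP_OUT), list_ids, show_ids)
    by_trace = classify_by_trace(parse_sectrace(TRACE_OUT), list_ids, show_ids)
    for title, table in (("Option 1", by_rule), ("Options 2/3", by_trace)):
        print(title)
        for uid, action in sorted(table.items()):
            print(f"  {uid:<8} {action}")
```

Paste the real DECOMP, LIST, SHOW STC and trace output into the four strings (or read them from the saved data sets) and the two dictionaries give the per-LOGONID action; entries that land on the review list still need an administrator's decision, exactly as steps 9 and 8c say.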
To permit READ access for a single LOGONID (replace LOGONID1 with the user ID identified above):
SET RESOURCE(FAC)
RECKEY IRR ADD(RUSERMAP USER(LOGONID1) SERVICE(READ) ALLOW)
RECKEY IRR ADD(IDIDMAP.QUERY USER(LOGONID1) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
To remove that access again:
SET RESOURCE(FAC)
RECKEY IRR DEL(RUSERMAP USER(LOGONID1) SERVICE(READ) ALLOW)
RECKEY IRR DEL(IDIDMAP.QUERY USER(LOGONID1) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
To permit READ access for all users (USER(-)) or all roles (ROLE(-)):
SET RESOURCE(FAC)
RECKEY IRR ADD(RUSERMAP USER(-) SERVICE(READ) ALLOW)
RECKEY IRR ADD(IDIDMAP.QUERY USER(-) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
OR
SET RESOURCE(FAC)
RECKEY IRR ADD(RUSERMAP ROLE(-) SERVICE(READ) ALLOW)
RECKEY IRR ADD(IDIDMAP.QUERY ROLE(-) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
To remove the all-users or all-roles access:
SET RESOURCE(FAC)
RECKEY IRR DEL(RUSERMAP USER(-) SERVICE(READ) ALLOW)
RECKEY IRR DEL(IDIDMAP.QUERY USER(-) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
OR
SET RESOURCE(FAC)
RECKEY IRR DEL(RUSERMAP ROLE(-) SERVICE(READ) ALLOW)
RECKEY IRR DEL(IDIDMAP.QUERY ROLE(-) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
When using DEST=DATASET,DSN=dataset_name in the ST SET command, the data set needs to be pre-allocated with the following DCB attributes:
DSORG=PS
RECFM=FB
LRECL=133
BLKSIZE=1330
Note: Make sure that the data set is large enough to hold the expected trace data; otherwise, the trace stops when the data set is full.