How to Authorize SMP/E Command Or Service Routine in Top Secret After Applying IBM APAR IO11698?

search cancel

How to Authorize SMP/E Command Or Service Routine in Top Secret After Applying IBM APAR IO11698?

book

Article ID: 52471

calendar_today

Updated On:

Products

Cleanup Datacom DATACOM - AD CIS COMMON SERVICES FOR Z/OS 90S SERVICES DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS COMMON PRODUCT SERVICES COMPONENT Common Services CA ECOMETER SERVER COMPONENT FOC Easytrieve Report Generator for Common Services INFOCAI MAINTENANCE IPC UNICENTER JCLCHECK COMMON COMPONENT Mainframe VM Product Manager CHORUS SOFTWARE MANAGER CA ON DEMAND PORTAL CA Service Desk Manager - Unified Self Service PAM CLIENT FOR LINUX ON MAINFRAME MAINFRAME CONNECTOR FOR LINUX ON MAINFRAME GRAPHICAL MANAGEMENT INTERFACE WEB ADMINISTRATOR FOR TOP SECRET Xpertware Top Secret Top Secret - LDAP Top Secret - VSE

Issue/Introduction

Description:

We have applied some IBM maintenance including APAR IO11698.After then, all SMP commands like APPLY or LIST failed with following messages;

GIM20703S/T cmd PROCESSING FAILED.  THE COMMAND OR SERVICE 
   ROUTINE IS NOT PROTECTED BY A SECURITY MANAGER.

GIM20704S/T cmd PROCESSING FAILED.  THE SYSTEM AUTHORIZATION 
   FACILITY (SAF) WAS NOT ABLE TO DETERMINE WHETHER USER
   userid IS AUTHORIZED TO INVOKE THIS SMP/E COMMAND OR 
   SERVICE ROUTINE.  THE SAF RETURN CODE IS safrc.  THE 
   SECURITY MANAGER RETURN CODE IS racfrc.  THE SECURITY
   MANAGER REASON CODE IS racfrsn.

It turned out that IO11698 introduces two PTFS that are adding Security Authorization Facility (SAF) checks to ensure only users that have sufficient access authority are allowed to invoke certain SMP/E functions.

How should we authorize the SMP/E command or service routine in Top Secret?

Solution:

The security calls are all in the IBMFAC class and have the following resource name formats:

- GIM.CMD.command for the SMP/E commands, where "command" is the name of the current SMP/E command being attempted. For example:

 TSS PERMIT(acid) IBMFAC(GIM.CMD.APPLY) ACCESS(READ)

for the APPLY command.

- GIM.PGM.program for the GIMZIP, GIMUNZIP or GIMIAP service routines, where "program" is the name of the service routine being processed. For example:

TSS PERMIT(acid) IBMFAC(GIM.PGM.GIMZIP) ACCESS(READ)

for the GIMZIP command.

To secure the SMP/E commands, define them in CA Top Secret
as a protected resource.

Example:

TSS ADD(owningacid) IBMFAC(GIM.)

We recommend that you write PERMITs for each SMP/E function; however, if you prefer to allow everyone access to these resources, you can issue PERMIT commands similar to the following::

 TSS PERMIT(ALL) IBMFAC(GIM.PGM.) ACCESS(READ) 
 TSS PERMIT(ALL) IBMFAC(GIM.CMD.) ACCESS(READ)

To identify all users that need specific functions permitted, add the SMP/E resource to the AUDIT record. This will log all accesses for that SMP/E resources. This will enable writing of future PERMIT commands at a more granular level.

TSS ADD(AUDIT) IBMFAC(GIM.PGM.) 
TSS ADD(AUDIT) IBMFAC(GIM.CMD.)

More information can be found in RI15989(for r12) or RI15990(for r14).

Environment

Release:
Component: AWAGNT

Feedback

thumb_up Yes

thumb_down No