Required changes to accommodate IBM SMP/E Signed Package Verification (GIMZIP)
search cancel

Required changes to accommodate IBM SMP/E Signed Package Verification (GIMZIP)

book

Article ID: 411817

calendar_today

Updated On:

Products

Common Components and Services for z/OS Common Services Top Secret ACF2 - z/OS

Issue/Introduction

This article discusses the downloading of both SIGNED and UNSIGNED packages, and the impact that this IBM change will have on vendors.

  • SMP/e and z/OSMF will require signature validation for all digitally signed GIMZIP packages.
  • Broadcom Receive Order and Service Order packages are SIGNED.
  • z/OSMF product packages may not currently be SIGNED.  However, new PSWIs that become generally available after August 26, 2025 will be signed.

What actions will you need to take as a Broadcom Mainframe customer?

Resolution

In order to successfully download SIGNED and UNSIGNED packages, you will need to take some required actions.

You should review the below steps for both Signed and Unsigned packages which are fully discussed in the Managing Package Signing section of the the Mainframe Common Maintenance Procedures technical document.

SIGNED Packages:

  • Download the signing (CA) certificate
  • Add the signing (CA) certificate to your ESMs (ACF2, TSS, RACF) database and connect to a keyring
  • Add the signaturekeyring option in the <CLIENT> section for Receive Order or Service Order

Refer to Prepare for Signed Package Verification for details on the above mentioned steps.

 

UNSIGNED Packages:

For any packages that are currently not signed, you will need to define SAF security permissions to allow this action.

Refer to Prepare for Unsigned Packages for details pertaining to each Enterprise Security Manager (ESM)

 

Consult your security administrator or support team for further assistance.

Additional Information

Failure to specify an appropriate signaturekeyring value in Receive Order or Service Order jobs may cause failure with the following message:


GIM69277S cmd_or_pgm PROCESSING FAILED. DIGITAL SIGNATURES FOR SIGNED GIMZIP PACKAGES MUST BE VERIFIED, BUT THE SIGNATUREKEYRING ATTRIBUTE IS NOT SPECIFIED ON THE <CLIENT> TAG, OR THE <CLIENT> TAG IS MISSING.

 

Failure to define a SAF resource before for an unsigned package will cause an SMP/E RECEIVE failure with the following message:

GIM69276S cmd_or_pgm PROCESSING FAILED. THE GIMZIP PACKAGE IS NOT DIGITALLY SIGNED. USER userid IS NOT AUTHORIZED TO DOWNLOAD OR USE GIMZIP
PACKAGES THAT ARE NOT DIGITALLY SIGNED.

Powered by Wolken Software