CA Top Secret Security for z/OS 15.0 CA RS 1403 … · CA Top Secret Security for z/OS 4 CA RS 1403 Service List for CAKOF01 FMID Service Description Hiper CAKOF01 RO61990 CICS NON

CA Top Secret Security for z/OS 15.0 1

CA RS 1403 Service ListCA Top Secret Security for z/OS 15.0 1

CA RS 1403 Service List

Release Service Description Hiper

15.0 RO56578 S378 ABENDS ON CPF COMMANDS WITH ARCHIVE KEYWORD

RO58844 UPDATE CIA REAL-TIME TO RE-SYNC WITH COMMON CODE

RO60107 CIA DATACOM INSTALL JCL IMPROVEMENTS

RO61554 S878 ISSUING CIARTUPD,STATUS COMMANDS

RO61990 CICS NON QR TCB BYPASSING SECURITY CHECKS

RO62598 IMS: ADD SUPPORT FOR IMS 13.1


RO62765 ABEND 0C4 WITH CIA, GARBAGE HI-ORDER WORD 64-BIT ADDRESSES

RO62836 CICS QUERY SECURITY WITH "+A" SUPPORT

RO63094 ABEND S0C4 IN TSSKECA+30EC WITH FLOATING MASK '-'

RO63236 TSSXTEND JCL DEFAULTS SUPPLIED WITH VSAM FILES COMMENTED OUT

RO64045 PASSWORD CHANGE IN CLEAR TEXT SENT TO CMGR

RO64145 CIA0821E CIA/RT SQL ERROR - SQLCODE= - 180

RO64540 SP-252 KEY-0 DEADMAIN STORAGE SAFKDATA

RO64641 NEW RDT ENTRY DB2VAR FOR DB2 11

RO64820 TSS LIST ARCHIVE CONTAINS ACEDEFAU

RO64829 LIST/ARCHIVE COMMAND OF SCTYKEY(*ALL*) ERROR

RO64897 CICS TIGHTEN STORAGE MANAGEMENT FOR THREADSAFE

RO64997 TSS ADD(USER) GID(?) GETS DUPLICATE ENTRY IN SAF TABLE

RO65119 IDMS 18.5 APPLICATION GETS RC=16 W/ TSSMAI

RO65209 LIST NDT SESSKEY W/OUT ADMIN DATA(SESSKEY)

RO65237 SPECIFYING LABLPKDS INVALID DURING RENEWAL OF CERTIFICATE

RO65643 PRIVATE KEY NOT REMOVED FROM ICSF WHEN FORCE SPECIFIED

RO65763 SA03 ABEND AT TSS SHUTDOWN

RO65913 ENHANCE CLIST TSSBRWZ IN SPLIT SCREEN ENV

RO67514 GETUMAP RETURN '*MSCA*' EVEN IF ACEE HAS UID=0 **HIPER**

RO67810 AUTOUID/UNIQUSER NOT WORKING IF TCBSENV POPULATED **HIPER**

The CA RS 1403 service count for this release is 27


CA RS 1403 Service ListCA Top Secret Security for z/OS 14.0 2

CA RS 1403 Service List

Release Service Description Hiper

14.0 NO-SRVC CA RS 1403 Contains No Service For This Release of This Product.

The CA RS 1403 service count for this release is 0

CA Top Secret Security for z/OS 3

CA RS 1403 Service List for CAKOF00CA Top Secret Security for z/OS 3

CA RS 1403 Service List for CAKOF00

FMID Service Description Hiper

CAKOF00 RO56578 S378 ABENDS ON CPF COMMANDS WITH ARCHIVE KEYWORD

RO58844 UPDATE CIA REAL-TIME TO RE-SYNC WITH COMMON CODE

RO60107 CIA DATACOM INSTALL JCL IMPROVEMENTS

RO61554 S878 ISSUING CIARTUPD,STATUS COMMANDS


RO62765 ABEND 0C4 WITH CIA, GARBAGE HI-ORDER WORD 64-BIT ADDRESSES

RO63094 ABEND S0C4 IN TSSKECA+30EC WITH FLOATING MASK '-'

RO63236 TSSXTEND JCL DEFAULTS SUPPLIED WITH VSAM FILES COMMENTED OUT

RO64045 PASSWORD CHANGE IN CLEAR TEXT SENT TO CMGR

RO64145 CIA0821E CIA/RT SQL ERROR - SQLCODE= - 180

RO64540 SP-252 KEY-0 DEADMAIN STORAGE SAFKDATA

RO64641 NEW RDT ENTRY DB2VAR FOR DB2 11

RO64820 TSS LIST ARCHIVE CONTAINS ACEDEFAU

RO64829 LIST/ARCHIVE COMMAND OF SCTYKEY(*ALL*) ERROR

RO64997 TSS ADD(USER) GID(?) GETS DUPLICATE ENTRY IN SAF TABLE

RO65209 LIST NDT SESSKEY W/OUT ADMIN DATA(SESSKEY)

RO65237 SPECIFYING LABLPKDS INVALID DURING RENEWAL OF CERTIFICATE

RO65643 PRIVATE KEY NOT REMOVED FROM ICSF WHEN FORCE SPECIFIED

RO65763 SA03 ABEND AT TSS SHUTDOWN

RO65913 ENHANCE CLIST TSSBRWZ IN SPLIT SCREEN ENV

RO67514 GETUMAP RETURN '*MSCA*' EVEN IF ACEE HAS UID=0 **HIPER**

RO67810 AUTOUID/UNIQUSER NOT WORKING IF TCBSENV POPULATED **HIPER**

The CA RS 1403 service count for this FMID is 22





CAKOF01 RO61990 CICS NON QR TCB BYPASSING SECURITY CHECKS

RO62836 CICS QUERY SECURITY WITH "+A" SUPPORT

RO64897 CICS TIGHTEN STORAGE MANAGEMENT FOR THREADSAFE






CAKOF02 RO62599 IMS: ADD SUPPORT FOR IMS 13.1






CAKOF03 RO65119 IDMS 18.5 APPLICATION GETS RC=16 W/ TSSMAI



CA RS 1403 - PTF RO56578 DetailsCA Top Secret Security for z/OS 15.0 7

CA RS 1403 - PTF RO56578 Details

Release Service Details15.0 RO56578 RO56578 M.C.S. ENTRIES = ++PTF (RO56578)

S378 ABENDS ON CPF COMMANDS WITH ARCHIVE KEYWORD

PROBLEM DESCRIPTION:

If a TSS LIST command with the ARCHIVE keyword is sent to another

system using CPF, an S378 abend will occur while processing the

command.

SYMPTOMS:

TSS9190A CA-TSS COMMAND PROCESSOR ABEND S378 IN TSSAUTH1+xxxxx

CCSR010E TSSAUTHZ S378 at 1D6905AA LMOD TSSAUTH CSECT TSSAUTAR+xxxxxx

IMPACT:

Command will abend on all remote systems and will likely hang on the

sending system, making the command processor unavailable for further

commands. Since all outbound CPF commands with WAIT(Y) may use this

processor, no such commands can be issued.

CIRCUMVENTION:

Run any ARCHIVE commands with TARGET(=) specified.

PRODUCT(S) AFFECTED: CA-TOP SECRET-MVS Release 15.0

Star Problem(s):

TSSMVS 9415

Copyright (C) 2013 CA. All rights reserved. R00765-TSS150-SP1

DESC(S378 ABENDS ON CPF COMMANDS WITH ARCHIVE KEYWORD) .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO22442 RO25119 RO35644 RO36198 )

SUP ( TR56578 )

++HOLD (RO56578) SYSTEM FMID(CAKOF00)

REASON (ACTION ) DATE (13312)

COMMENT (

+----------------------------------------------------------------------+

| CA Top Secret for z/OS Release 15.0 |

+----------+-----------------------------------------------------------+

|SEQUENCE | After APPLY |

+----------+-----------------------------------------------------------+

|PURPOSE | Resolve S378 abends on CPF commands with ARCHIVE keyword |

+----------+-----------------------------------------------------------+

|USERS | |

|AFFECTED | All users that leverage the TSS ARCHIVE command and CPF |

+----------+-----------------------------------------------------------+

|KNOWLEDGE | 1- Product Administration 2- SMP/E |

|REQUIRED | 3- z/OS Systems Programming 4- Security Administration |

+----------+-----------------------------------------------------------+

|ACCESS | |

|REQUIRED | SMP/E CSI libraries |

+----------+-----------------------------------------------------------+

**************************

* STEPS TO PERFORM *

**************************

SMP APPLY, LLA REFRESH and a restart of TSS with REINIT

is required to install this APAR.

).





UPDATE CIA REAL-TIME TO RE-SYNC WITH COMMON CODE


Changes were made to the common code for the CIA REAL-TIME product.

This apar will just keep the Top Secret specific code for REAL-TIME

in sync with the common code update.

SYMPTOMS:

None.

IMPACT:

None. The code works correctly as distributed.

CIRCUMVENTION:

None.


Star Problem(s):

TSSMVS 9442


DESC(UPDATE CIA REAL-TIME TO RE-SYNC WITH COMMON CODE) .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO36198 RO36912 RO47730 RO50925 )

SUP ( TR58844 )



COMMENT (

+----------------------------------------------------------------------+


+----------+-----------------------------------------------------------+

|SEQUENCE | After Apply |

+----------+-----------------------------------------------------------+

|PURPOSE | Keep CIA Real Time code in sync with common code. |

+----------+-----------------------------------------------------------+

|USERS | |

|AFFECTED | None. No external symptoms. |

+----------+-----------------------------------------------------------+

|KNOWLEDGE | |

|REQUIRED | SMP/E knowledge. |

+----------+-----------------------------------------------------------+

|ACCESS | 1- Product Administration 2-SMP/E |

|REQUIRED | 3- z/OS Systems programming 4- Security Administration |

+----------+-----------------------------------------------------------+

**************************


**************************



).





CIA DATACOM INSTALL JCL IMPROVEMENTS


JCL member CIADCOM does not delete existing data sets IXX3600,

G013600, and G023600 prior to re-allocation.

JCL member CIALINKC updated target data set SYSLMOD to point at

the Datacom CUSLIB and eliminate the CAI.CIADCOM reference.

JCL member CIAMUF updated to remove reference to unnecessary

data set CAI.CIADCOM.

SYMPTOMS:

CIADCOM job step ALLOCATE will fail if you run JCL CIADCOMD to

delete a previously installed CIA Datacom data base.

IMPACT:

You will have to physically delete the listed data sets in order for

the ALLOCATE step to run successfully.

CIRCUMVENTION:

Use ISPF to delete data sets IXX3600, G013600, and G023600.


Star Problem(s):

TSSMVS 9454


DESC(CIA DATACOM INSTALL JCL IMPROVEMENTS) .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO47608 RO47730 RO50925 )

SUP ( TR60107 )





S878 ISSUING CIARTUPD,STATUS COMMANDS


Issuing CIA real-time status commands can cause a DEADMAIN of buffers in

below the line memory, subpool 0 key 8. The problem can occur when

issuing numerous STATUS commands over time.

SYMPTOMS:

The CIARTUPD address space ABENDS with S878-10 in module CIARTSTS.

IMPACT:

CIA real-time events will no longer be sent.

CIRCUMVENTION:

Do not issue CIA STATUS commands numerous times. If the region ABENDS the

CIARTUPD address space can be restarted.

PRODUCT(S) AFFECTED: TSSMVS Release 15.0

Star Problem(s):

TSSMVS 9475


DESC(S878 ISSUING CIARTUPD,STATUS COMMANDS) .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO36198 RO47730 )

SUP ( TR61554 )



COMMENT (

PRODUCT: CA-TOP SECRET-MVS RELEASE 15.0

SEQUENCE:

AFTER APPLY.

Purpose:

This APAR corrects the following problems:

1. S878-10 while issue numerous CIA STATUS commands

Relevance:

All users that are using CIA REALTIME

Knowledge required:

1- Product Administration

2- SMP/E

3- z/OS Systems Programming

4- Security Administration

Access required:

SMP/E CSI libraries

Steps to Perform:

SMP APPLY, LLA REFRESH and a restart CIA REALTIME


).





CICS NON QR TCB BYPASSING SECURITY CHECKS


Code designed to prevent cache box corruption under non-QR TCB validations

may cause validations to be bypassed. The non-QR TCB authorization checking

is normally done within Non-terminal high performance transactions such as

JAVA or other workloads running under non-QR TCB's.

SYMPTOMS:

Security checks could be treated as if the transaction was on the TRANID

bypass list. Example: Query security calls will not function correctly.

IMPACT:

Potentially those running and securing these types of transactions may

experience them running outside of the QR TCB.

CIRCUMVENTION:

None


Release 14.0

Star Problem(s):

TSSMVS 9481


DESC(CICS NON QR TCB BYPASSING SECURITY CHECKS) .

++VER (Z038)

FMID (CAKOF01)

SUP ( AR43979 TR48398 RO48398 TR61990 )



COMMENT (

+----------------------------------------------------------------------+

| CA Top Secret for z/OS CICS Component Release 15.0 |

+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+

|PURPOSE | Correct the cachebox bypass processing for NON QR TCB |

+----------+-----------------------------------------------------------+

|USERS | |

|AFFECTED | All CICS Regions executing Non QR TCB's. |

+----------+-----------------------------------------------------------+

|KNOWLEDGE | 1- Product Adminstration 2- SMP/E |

|REQUIRED | 3- Z/OS Systems programming 4- Security Administration |

+----------+-----------------------------------------------------------+

|ACCESS | |

|REQUIRED | SMP/E CSI Libraries |

+----------+-----------------------------------------------------------+

**************************


**************************

SMP APPLY, LLA REFRESH and a restart CICS region is

required to install this APAR.

).





IMS: ADD SUPPORT FOR IMS V13


IBM has released IMS V13. The solutions for this problem provide

support for IMS V13 in the CA Top Secret for z/OS IMS option under

Top Secret release 15.0.

SYMPTOMS:

Not applicable.

IMPACT:

Without this support, the Top Secret IMS interface will not function in

an IMS V13 environment.

CIRCUMVENTION:

Not applicable.

PRODUCT(S) AFFECTED: CA-Top Secret-IMS Release 15.0

Star Problem(s):

TSSMVS 9325


DESC(IMS: ADD SUPPORT FOR IMS 13.1) .

++VER (Z038)

FMID (CAKOF00)

SUP ( TR27587 RO27587 TR52677 TR62598 )

++IF FMID(CAKOF02) REQ( RO62599) .



COMMENT (


SEQUENCE:

AFTER APPLY

Purpose:

Add support for IMS V13

Relevance:

All IMS clients that are running IMS V13

Knowledge required:

1. Product Administration

2. SMP/E

3. z/OS Systems Programming

Access required:

SMP/E CSI libraries

Steps to Perform:

1. F LLA,REFRESH

2. Restart TSS with ,,,REINIT

3. Bring up IMS V13

).





IMS: ADD SUPPORT FOR IMS V13


IBM has released IMS V13. The solutions for this problem provide

support for IMS V13 in the CA Top Secret for z/OS IMS option under

Top Secret release 15.0.

SYMPTOMS:

Not applicable.

IMPACT:

Without this support, the Top Secret IMS interface will not function in

an IMS V13 environment.

CIRCUMVENTION:

Not applicable.

PRODUCT(S) AFFECTED: CA-Top Secret-IMS Release 15.0

Star Problem(s):

TSSMVS 9325


DESC(IMS: ADD SUPPORT FOR IMS 13.1) .

++VER (Z038)

FMID (CAKOF02)

SUP ( TR52678 TR62599 )

++IF FMID(CAKOF00) REQ( RO62598) .



COMMENT (


SEQUENCE:

F LLA,REFRESH, THEN RESTART TSS WITH ,,,REINIT

Bring up the IMS V13 region

Purpose:

Add support for IMS V13

Relevance:

All IMS client that are running IMS V13

Knowledge required:


2- SMP/E


Access required:

SMP/E CSI libraries

Steps to Perform:

F LLA,REFRESH, then restart TSS with ,,,REINIT

Bring up IMS V13

).





ABEND 0C4 WITH CIA, GARBAGE HI-ORDER WORD 64-BIT ADDRESSES


There is a possibility of an S0C4 abend in various CIA logger

modules due to garbage in the hi-order word of a 64-bit address.

This will only happen when the z/OS system trap IEAINITREGSTASK

is active and the control option CIART(ACTIVE) is selected.

SYMPTOMS:

The following abends / messages occur during initialization:

CAS2260E CIARTLGI S0C4 at xxxxxxxx LMOD CIARTLGI CSECT N/A

CAS2260E CIARTLGR S0C4 at xxxxxxxx LMOD CIARTLGM CSECT N/A

IMPACT:

The CIA real time logger task will not activate correctly.

CIRCUMVENTION:

Turn off the z/OS sytem diagnostic trap IEAINITREGSTASK.

PRODUCT(S) AFFECTED: CA Top Secret for z/OS Release 15.0

Star Problem(s):

TSSMVS 9485


DESC(ABEND 0C4 WITH CIA, GARBAGE HI-ORDER WORD 64-BIT ADDRESSES) .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO36198 RO36929 )

SUP ( TR62765 )



COMMENT (

+----------+-----------------------------------------------------------+

|SEQUENCE | AFTER APPLY |

+----------+-----------------------------------------------------------+

|PURPOSE | Allow use of CIA real time logger task without abends |

| | when using diagnostic trap IEAINITREGSTASK. |

+----------+-----------------------------------------------------------+

|USERS | |

|AFFECTED | All users that leverage CIA Real Time feature. |

+----------+-----------------------------------------------------------+



+----------+-----------------------------------------------------------+

|ACCESS | |


+----------+-----------------------------------------------------------+

**************************


**************************

1. F LLA,REFRESH

2. TSS,REFRESH(SAF)

3. TSS,CIART(DISCONNECT)

4. TSS,CIART(INACTIVE)

5. TSS,CIART(ACTIVE)

).





CICS QUERY SECURITY WITH "+A" SUPPORT


The EXEC CICS Query Security command does not work with "+A" support for the

TRANID bypass list.

SYMPTOMS:

Security checks that should be allowed are failed, even though the

transaction id is in the TRANID bypass with "+A".

IMPACT:

One cannot use "+A" support to monitor query security calls.

CIRCUMVENTION:

None.

PRODUCT(S) AFFECTED: CA Top Secret for Z/OS Release 15.0

CA Top Secret for z/OS Release 14.0

Star Problem(s):

TSSMVS 9486


DESC(CICS QUERY SECURITY WITH "+A" SUPPORT) .

++VER (Z038)

FMID (CAKOF01)

SUP ( TR49273 TR49994 TR57223 TR57586 RO49994 RO57586

TR62836 )



COMMENT (

PRODUCT: CA TOP SECRET FOR Z/OS CICS COMPONENT RELEASE 15.0

SEQUENCE:

AFTER APPLY

Purpose:

CICS Query Security Commands to work with "+A" TRANID bypass list

support.

Relevance:

Client using the "+A" support to bypass list and Query Security

command in CICS.

Knowledge required:


2- SMP/E


4- CICS Systems Programming

Access required:

SMP/E CSI libraries

Steps to Perform:

F LLA,REFRESH, then recycle CICS region

).





ABEND S0C4 IN TSSKECA+30EC WITH FLOATING MASK '-'


When using Compliance Manager, an S0C4 abend can occur in program

TSSKECA at offset 30EC. This can occur if the permission used to grant or

deny resource access has been defined with the floating mask character '-'.

When an abend does not occur, the event record delivered to Compliance

Manager will contain invalid data in the CA Top Secret permission area

of the event record.

SYMPTOMS:

TSS9999E CA-TSS SECURITY SVC ABEND S0C4 IN TSSKERNL+1228C (TSSKECA+30EC)

IMPACT:

An SVCDUMP will be taken for the abend. The task issuing the resource

check that abends should recover.

CIRCUMVENTION:

Do not use floating mask permissions for prefixed resources.


Star Problem(s):

TSSMVS 9490


DESC(ABEND S0C4 IN TSSKECA+30EC WITH FLOATING MASK '-') .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO26450 RO47730 RO55678 )

SUP ( RO24344 RO25077 RO27279 RO41076 RO48059 RO53077

RO54379 RO55069 TR24211 TR24344 TR25077 TR27279

TR41076 TR44357 TR48059 TR53077 TR54379 TR54504

TR55069 TR63094 )



COMMENT (

PRODUCT: CA TOP SECRET FOR Z/OS RELEASE 15.0

SEQUENCE:

AFTER APPLY.

Purpose:

Allow use of Compliance Manager event generation without abends

when resource permissions contain a floating mask.

Relevance:

All clients using Compliance Manager with Top Secret.

Knowledge required:


2- SMP/E


Access required:

SMP/e CSI libraries

Steps to Perform:

1. F LLA,REFRESH

2. Restart TSS with ,,,REINIT

).





TSSXTEND JCL DEFAULTS SUPPLIED WITH VSAM FILES COMMENTED OUT


The TSSXTEND JCL sample supplied with the product includes the

SECOVSM and SECNVSM files commented out.

SYMPTOMS:

TSSXTEND will run in this situation but will not produce an r15

usable security file as there will be no VSAM companion file.

IMPACT:

No security certificates will exist.

CIRCUMVENTION:

None.


Star Problem(s):

TSSMVS 9239


DESC(TSSXTEND JCL DEFAULTS SUPPLIED WITH VSAM FILES COMMENTED OUT) .

++VER (Z038)

FMID (CAKOF00)

SUP ( TR55338 TR55343 RO55343 TR63236 )





PASSWORD CHANGE IN CLEAR TEXT SENT TO CMGR


If a 'TSS REPL(userid)PASSWORD(abcdefgh)' command is issued, the

password will be recorded in the CA Compliance Manager logstream

in clear text. It should be 'TSS REPL(userid)PASSWORD(SUPPRESSED)'

SYMPTOMS:

Password change is recorded in clear text to CA Compliance Manager.

IMPACT:

Password change is recorded in clear text to CA Compliance Manager.

CIRCUMVENTION:

None.


Star Problem(s):

TSSMVS 9495


DESC(PASSWORD CHANGE IN CLEAR TEXT SENT TO CMGR) .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO26450 RO47730 RO55678 )

SUP ( RO24344 RO25077 RO27279 RO41076 RO48059 RO53077

RO54379 RO55069 RO63094 TR24211 TR24344 TR25077

TR27279 TR41076 TR44357 TR48059 TR53077 TR54379

TR54504 TR55069 TR63094 TR63379 TR64045 )



COMMENT (

+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+

|PURPOSE | Password change in CMGR displays in clear text. |

+----------+-----------------------------------------------------------+

|USERS | |

|AFFECTED | All users that leverage CMGR. |

+----------+-----------------------------------------------------------+



+----------+-----------------------------------------------------------+

|ACCESS | |


+----------+-----------------------------------------------------------+

**************************


**************************



).





CIA0821E CIA/RT SQL ERROR - SQLCODE= - 180


If using CIA/RT and a 'TSS ADD(deptacid) DSN(xxxx) UNDERCUT' command is

issued, it is possible that the SQL command for 'Event: ADDTO org ACID'

could fail with the following error message:


DSNT408I SQLCODE = -180, ERROR: THE DATE, TIME, OR TIMESTAMP VALUE *N IS

INVALID

SYMPTOMS:

SQL command fails as reported in the CIA/RT journal file with:


DSNT408I SQLCODE = -180, ERROR: THE DATE, TIME, OR TIMESTAMP VALUE *N IS

INVALID

IMPACT:

Updates for the TSS command will not be reflected in the DB2 or CA DATACOM

databases.

CIRCUMVENTION:

None.


Star Problem(s):

TSSMVS 9503


DESC(CIA0821E CIA/RT SQL ERROR - SQLCODE= - 180) .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO36198 )

SUP ( TR64145 )



COMMENT (

+----------------------------------------------------------------------+


+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+

|PURPOSE |Address CIA/RT SQL ERROR -180. |

+----------+-----------------------------------------------------------+

|USERS |All users that leverage CIA/RT. |

|AFFECTED | |

+----------+-----------------------------------------------------------+

|KNOWLEDGE |1- Product Administration 3- z/OS Systems Programming |

|REQUIRED |2- SMP/e 4- Security Administration |

+----------+-----------------------------------------------------------+

|ACCESS |SMP/e CSI libraries |

|REQUIRED | |

+----------+-----------------------------------------------------------+

**************************


**************************

SMP APPLY, LLA REFRESH and a restart of CIA/RT region to

install this APAR.

).





SP-252 KEY-0 DEADMAIN STORAGE SAFKDATA


If a large number of R_datalib Function=DataGetFirst are issued the

data passed, getmained in SP-252 KEY=0 with an eyecatcher of SAFKDATA

is not being released and could result in the address space running

out of storage.

SYMPTOMS:

S878 and out of storage condition.

IMPACT:

The region needs to be recycled.

CIRCUMVENTION:

Recycle of address space.


Star Problem(s):

TSSMVS 9487


DESC(SP-252 KEY-0 DEADMAIN STORAGE SAFKDATA) .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO25900 RO35644 RO36198 RO55678 )

SUP ( TR62950 TR64540 )



COMMENT (

+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+

|PURPOSE |Address SP-252 KEY-0 DEADMAIN STORAGE |

+----------+-----------------------------------------------------------+

|USERS |All users issuing large number R_datalib |

|AFFECTED |Function=DataGetFirst |

+----------+-----------------------------------------------------------+



+----------+-----------------------------------------------------------+


|REQUIRED | |

+----------+-----------------------------------------------------------+

**************************


**************************



).





NEW RDT ENTRY DB2VAR FOR DB2 11

ROBLEM DESCRIPTION:

Add new RDT entry for resource DB2VAR. This resource is needed for DB2 11.

SYMPTOMS:

Missing RDT entry DB2VAR.

IMPACT:

Not applicable.

CIRCUMVENTION:

None.


Star Problem(s):

TSSMVS 9397


DESC(NEW RDT ENTRY DB2VAR FOR DB2 11) .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO18634 RO19256 RO35644 RO36198 )

SUP ( TR31217 RO31217 TR55095 TR56352 TR64641 )



COMMENT (

+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+

|PURPOSE |NEW RDT ENTRY DB2VAR FOR DB2 V11 |

+----------+-----------------------------------------------------------+

|USERS |All users that levarge DB2 V11 |

|AFFECTED | |

+----------+-----------------------------------------------------------+



+----------+-----------------------------------------------------------+


|REQUIRED | |

+----------+-----------------------------------------------------------+

**************************


**************************

SMP APPLY, LLA REFRESH and a restart of TSS


).





TSS LIST ARCHIVE CONTAINS ACEDEFAU


If a user has the XSUSPEND attribute a 'TSS LIST(acid) ARCHIVE' results in

an invalid 'TSS ADDTO(acid) ACEDEFAU' command being generated.

SYMPTOMS:

Invalid 'TSS ADDTO(acid) ACEDEFAU' command after ARCHIVE.

IMPACT:

Command generated by 'TSS LIST() ARCHIVE' will fail.

CIRCUMVENTION:

Command can be removed manually from generated output.


Star Problem(s):

TSSMVS 9494


DESC(TSS LIST ARCHIVE CONTAINS ACEDEFAU) .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO48091 RO52580 RO53544 RO59130 )

SUP ( RO18633 RO19414 RO21317 TR17158 TR17988 TR18043

TR18633 TR19414 TR21317 TR25830 RO25830 TR29063 RO29063

TR30280 RO30280 TR55736 AR52580 RO55736 TR56568 TR57038

RO57038 TR63353 TR64820 )



COMMENT (

+----------------------------------------------------------------------+


+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+

|PURPOSE |TSS LIST ARCHIVE CONTAINS ACEDEFAU |

+----------+-----------------------------------------------------------+

|USERS |All users that levarge TSS LIST ARCHIVE cmd. |

|AFFECTED | |

+----------+-----------------------------------------------------------+



+----------+-----------------------------------------------------------+


|REQUIRED | |

+----------+-----------------------------------------------------------+

**************************


**************************



).





LIST/ARCHIVE COMMAND OF SCTYKEY(*ALL*) ERROR


If a LIST/ARCHIVE command is issued for an acid that has all 256 security

keys, the command being generated is:

TSS ADDTO(userid1) SCTYKEY(*AL,* ,)

SYMPTOMS:

LIST/ARCHIVE command produces invalid TSS command.

IMPACT:

LIST/ARCHIVE command produces invalid TSS command.

CIRCUMVENTION:

Manually modify TSS command.


Star Problem(s):

TSSMVS 9478


DESC(LIST/ARCHIVE COMMAND OF SCTYKEY(*ALL*) ERROR) .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO18634 RO19256 RO20497 )

SUP ( TR21636 RO21636 TR23570 RO23570 TR52490 RO52490

TR59797 RO59797 TR61760 TR64829 )



COMMENT (

+----------------------------------------------------------------------+


+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+

|PURPOSE |Correct LIST/ARCHIVE command for SCTYKEY(*ALL*) |

+----------+-----------------------------------------------------------+

|USERS |All users that leverage LIST/ARCHIVE command. |

|AFFECTED | |

+----------+-----------------------------------------------------------+



+----------+-----------------------------------------------------------+


|REQUIRED | |

+----------+-----------------------------------------------------------+

**************************


**************************



).





CICS TIGHTEN STORAGE MANAGEMENT FOR THREADSAFE


CA Top Secret for z/OS CICS support assumes that all of its internal

storage management requests will occur under the QR TCB and thus

will be implicitly serialized. CICS programs defined with the

THREADSAFE or FULLAPI attribute will run under separate L8 and L9

TCBs respectively, and this can cause requests from CA Top Secret/CICS

to its subtask to become lost. Additionally, a timing interplay

between the CA Top Secret storage requestor and the subtask can cause

a request to be lost. Either of these situations, if it occurs, will

cause a KR02 abend in the task which was requesting a new KTRT or KSRT

control block. The KR02 abend may be followed by other abends caused

by the fact that the expected control block was not obtained.

SYMPTOMS:

If either of these problems occurs, a transaction will abend with a KR02

CICS abend code. ASRA abends and/or CICS DFHxxxxx messages may

follow.

IMPACT:

The task on whose behalf Top Secret/CICS was attempting to get a

control block will be terminated. Normally the CICS region does not

abend, although it is possible that the succeeding abends as the

original task is removed from the system may bring the region down.

CIRCUMVENTION:

None. This is purely a timing problem and nothing the site can do

will prevent it completely.

PRODUCTS AFFECTED:

CA Top Secret for z/OS CICS option Release 14.0

Release 15.0


Star Problem(s):

TSSMVS 9113


DESC(CICS TIGHTEN STORAGE MANAGEMENT FOR THREADSAFE) .

++VER (Z038)

FMID (CAKOF01)

PRE ( RO26389 RO32608 RO35678 RO43979 RO55378 )

SUP ( TR25733 AR35678 RO25733 TR31788 TR38667 RO38667

TR46000 TR46119 RO46119 TR50439 AR50439 TR53765 RO50439

RO53765 TR64897 )



COMMENT (

+----------------------------------------------------------------------+


+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+

|PURPOSE |CICS tighten storage management for threadsafe |

+----------+-----------------------------------------------------------+

|USERS |All users that levarge CICS. |

|AFFECTED | |

+----------+-----------------------------------------------------------+

+----------------------------------------------------------------------+

| CA Top Secret for z/OS CICS Component Release 15.0 |


+----------+-----------------------------------------------------------+


|REQUIRED | |

+----------+-----------------------------------------------------------+

**************************




Release Service Details**************************

SMP APPLY, LLA REFRESH and a restart of the CICS region


).





TSS ADD(USER) GID(?) GETS DUPLICATE ENTRY IN SAF TABLE


When a GID is added to a user that already has a GID, the SAF table may get

a duplicate entry. TSS ADD(user) GID(?) was the command issued.

SYMPTOMS:

OMVS ID command may list 2 groups for the user.

IMPACT:

Incorrect output for OMVS ID command.

CIRCUMVENTION:

Remove the GID before adding the new one.


Star Problem(s):

TSSMVS 9507


DESC(TSS ADD(USER) GID(?) GETS DUPLICATE ENTRY IN SAF TABLE) .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO55678 RO63740 )

SUP ( TR64896 TR64997 )



COMMENT (

+----------------------------------------------------------------------+


+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+

|PURPOSE | Eliminate duplicate entries in SAF UID/GID table |

+----------+-----------------------------------------------------------+

|USERS | All users that leverage OMVS |

|AFFECTED | |

+----------+-----------------------------------------------------------+

|KNOWLEDGE | 1- Product Administration 3- z/OS Systems Programming |

|REQUIRED | 2- SMP/e 4- Security Administration |

+----------+-----------------------------------------------------------+

|ACCESS | SMP/e CSI libraries |

|REQUIRED | |

+----------+-----------------------------------------------------------+

**************************


**************************



).





IDMS 18.5 APPLICATION GETS RC=16 W/ TSSMAI


An application program that calls TSSMAI gets RC=16 when IDMS

release 18.5 is used. This apar provides TSSMAI support for

IDMS release 18.5.

SYMPTOMS:

On return from an Application Interface call the calling program

would receive Return Code 16 and Stat code 8.

IMPACT:

Application Interface calls in IDMS v18.5 fail.

CIRCUMVENTION:

None.


Star Problem(s):

TSSMVS 9514


DESC(IDMS 18.5 APPLICATION GETS RC=16 W/ TSSMAI) .

++VER (Z038)

FMID (CAKOF03)

PRE ( RO23580 RO60755 )

SUP ( TR65119 )



COMMENT (

+----------------------------------------------------------------------+


+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+

|PURPOSE |IDMS 18.5 APPLICATION GETS RC=16 W/ TSSMAI |

+----------+-----------------------------------------------------------+

|USERS |All users that leverage TSSMAI in IDMS 18.5 |

|AFFECTED | |

+----------+-----------------------------------------------------------+

+----------------------------------------------------------------------+

| CA Top Secret for z/OS IDMS Component Release 15.0 |


+----------+-----------------------------------------------------------+


|REQUIRED | |

+----------+-----------------------------------------------------------+

**************************


**************************

SMP APPLY, LLA REFRESH and recycle region to install

this APAR

).





LIST NDT SESSKEY W/OUT ADMIN DATA(SESSKEY)


An admininstrator without ADMIN DATA(SESSKEY) authority, can still view

SESSKEY information by issuing the following command:

TSS LIST(NDT) DATA(ALL,SESSKEY)

The SESSKEY is displayed along with the associated application.

SYMPTOMS:

SESSKEY data displayed without ADMIN DATA(SESSKEY).

IMPACT:

Administrator can view SESSKEY data without proper authorization.

CIRCUMVENTION:

None.


Star Problem(s):

TSSMVS 9515


DESC(LIST NDT SESSKEY W/OUT ADMIN DATA(SESSKEY)) .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO18634 RO19256 RO20497 )

SUP ( TR21636 RO21636 TR23570 RO23570 TR52490 RO52490

TR59797 RO59797 TR61760 TR64829 RO64829 TR65209 )



COMMENT (

+----------------------------------------------------------------------+


+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+

|PURPOSE |Correct LIST(NDT) DATA(ALL,SESSKEY) W/OUT ADMIN SESSKEY |

+----------+-----------------------------------------------------------+

|USERS |All users that leverage TSS command. |

|AFFECTED | |

+----------+-----------------------------------------------------------+



+----------+-----------------------------------------------------------+


|REQUIRED | |

+----------+-----------------------------------------------------------+

**************************


**************************



).





SPECIFYING LABLPKDS INVALID DURING RENEWAL OF CERTIFICATE


During a renewal of certificate, it is invalid to specify LABLPKDS parm, if

the add of the signed certificate is reattaching the private key.

SYMPTOMS:

When listing the newly added certificate, the LABLPKDS will be corrupted.

Attempting to remove the certificate it will fail with:

'CAS20E0E ICSF CSNDKRD service error - RC=8 RSN=16032'

IMPACT:

The certificate cannot be used.

CIRCUMVENTION:

Do not specify LABLPKDS with the TSS ADD command, when renewing a

certificate. To remove the certificate, specify 'FORCE' keyword at the end of

the TSS REMOVE command.

Ex: TSS REMOVE(XXXXXXXX) DIGICERT(CERTONE) FORCE



Star Problem(s):

TSSMVS 9508


DESC(SPECIFYING LABLPKDS INVALID DURING RENEWAL OF CERTIFICATE) .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO25900 RO35644 RO36198 RO55678 RO63740 RO63941 )

SUP ( TR55073 TR55074 TR64623 TR65237 )



COMMENT (

+----------------------------------------------------------------------+


+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+

|PURPOSE | To prevent one from specifying LABLPKDS when renewing |

| | a certificate sharinf a private key |

+----------+-----------------------------------------------------------+

|USERS | All users leveraging TSS Digital Certificate |

|AFFECTED | |

+----------+-----------------------------------------------------------+

|KNOWLEDGE | 1 - Product Administration |

|REQUIRED | 2 - SMP/E |

| | 3 - z/OS Systems Programming |

| | 4 - Security Administration |

+----------+-----------------------------------------------------------+

|ACCESS | SMP/E CSI Libraries |

|REQUIRED | |

+----------+-----------------------------------------------------------+

**************************


**************************

1. LLA Refresh

2. Recycle the TSS,,,REINIT

).





PRIVATE KEY NOT REMOVED FROM ICSF WHEN FORCE SPECIFIED


Private key not removed from ICSF when FORCE specified on TSS REMOVE

command for a certificate. The certificate is removed.

SYMPTOMS:

TSS REM(user) DIGICERT(cert) FORCE does not remove the private key from

ICSF.

IMPACT:

Data is left in ICSF.

CIRCUMVENTION:

None.


Star Problem(s):

TSSMVS 9519


DESC(PRIVATE KEY NOT REMOVED FROM ICSF WHEN FORCE SPECIFIED) .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO25900 RO35644 RO36198 RO55678 RO63740 RO63941 )

SUP ( TR55073 TR55074 TR64623 TR65237 RO65237 TR65643 )



COMMENT (

+----------------------------------------------------------------------+


+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+

|PURPOSE | To delete private key from ICSF when TSS REMOVE |

| | command is issued to remove a digital certificate. |

+----------+-----------------------------------------------------------+

|USERS | All users leveraging TSS Digital Certificate |

|AFFECTED | |

+----------+-----------------------------------------------------------+

|KNOWLEDGE | 1 - 1- Product Administration |

|REQUIRED | 2 - SMP/E |

| | 3 - z/OS Systems Programming |

| | 4 - Security Administration |

+----------+-----------------------------------------------------------+

|ACCESS | SMP/E CSI Libraries |

|REQUIRED | |

+----------+-----------------------------------------------------------+

**************************


**************************

1. LLA Refresh

2. Recycle the TSS,,,REINIT

).





SA03 ABEND AT TSS SHUTDOWN


When CSA storage allocation reaches a high percentage due to TSS table

reloads, TSS defers updating the tables until the storage usage is reduced.

AT that time TSSTIMER issues a PTABL call to reload all tables. SFSBSCER

call LOAD_CA_CERTS which will attach a subtask to load the predefined

certificates. This causes multiple subtasks to be loaded and TSSSFS will

only detach one of them. This will cause a SA03 abend at shutdown.

SYMPTOMS:

TSS gets a SA03 abend at shutdown.

IMPACT:

A system dump is taken.

CIRCUMVENTION:

None.


Star Problem(s):

TSSMVS 9522


DESC(SA03 ABEND AT TSS SHUTDOWN) .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO18784 RO36198 RO38472 RO43262 RO55678 RO58366

RO63740 )

SUP ( TR16707 TR18055 TR24214 TR24363 RO24363 TR26651

RO26651 TR28221 RO28221 TR28502 RO28502 TR34459 TR34711

TR36584 TR38053 TR41151 TR32201 TR41664 TR41767 TR45152

AR41767 TR45566 RO38053 RO41151 RO41767 RO45152 RO45566

TR50024 RO50024 TR52334 RO52334 TR65763 )



COMMENT (

+----------------------------------------------------------------------+


+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+

|PURPOSE | Avoid SA03 abend at shutdown. |

+----------+-----------------------------------------------------------+

|USERS | All users. |

|AFFECTED | |

+----------+-----------------------------------------------------------+


|REQUIRED | 2- SMP/e |

+----------+-----------------------------------------------------------+


|REQUIRED | |

+----------+-----------------------------------------------------------+

**************************


**************************



).





ENHANCE CLIST TSSBRWZ IN SPLIT SCREEN ENV


Enhance the TSSBRWZ clist to enter a tss command multiple times in a

split screen environment.

SYMPTOMS:

TSSBRWZ can not be used in a split screen environment.

IMPACT:

TSSBRWZ can not be used in a split screen environment.

CIRCUMVENTION:

None.


Star Problem(s):

TSSMVS 9530


DESC(ENHANCE CLIST TSSBRWZ IN SPLIT SCREEN ENV) .

++VER (Z038)

FMID (CAKOF00)

SUP ( TR65913 )


REASON (DYNACT ) DATE (13353)

COMMENT (


+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+

|PURPOSE |Enhance CLIST TSSBRWZ in split screen environment |

+----------+-----------------------------------------------------------+

|USERS |All users that leverage the TSSBRWZ clist. |

|AFFECTED | |

+----------+-----------------------------------------------------------+



+----------+-----------------------------------------------------------+


|REQUIRED | |

+----------+-----------------------------------------------------------+

**************************


**************************

SMP APPLY, LLA REFRESH is required to install this APAR.

).





GETUMAP RETURN '*MSCA*' EVEN IF ACEE HAS UID=0


After CA Top Secret r15 PTF RO63740, if an application issues a getUMAP for

UID(0), CA Top Secret returns '*MSCA*'. This change was implemented

to provide consistent results for this type of call. Since the MSCA ACID is

the actual owner of UID(0), '*MSCA*' was returned (not the actual name of

the MSCA ACID). This change is most visible on the output of a USS 'ls -l

or ls -E' command.

Prior to RO63740, CA Top Secret would return the current USERID if the

caller of getUMAP (or the issuer of ls-l or ls-E) had UID(0). Otherwise,

the first USERID in the UID table with UID(0) would be returned. With this

corrective solution implemented, CA Top Secret reverts back to the way

UID(0) was processed prior to PTF RO63740.

SYMPTOMS:

After RO63740, a different USERID is returned on GETUMAP calls for UID(0).

The symptom of this change varies by application.

IMPACT:

Applications started with a USERID that had UID(0) such as WebSphere or

OnDemand may not be able to handle the USERID of '*MSCA*'.

CIRCUMVENTION:

Change the UID for the ACID to something other than UID(0) and then permit

the various SUPERUSER Granularity permissions that are needed. Refer to the

CA Secret Cookbook for the various permissions for SUPERUSER Granularity.

File ownerships may also need to be changed for USS files owned for the

ACID that was UID(0).

Star Problem(s):

TSSMVS 9550


DESC(GETUMAP RETURN '*MSCA*' EVEN IF ACEE HAS UID=0) .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO18784 RO36198 RO38472 RO43262 RO55678 RO58366

RO63740 )

SUP ( TR16707 TR18055 TR24214 TR24363 RO24363 TR26651

RO26651 TR28221 RO28221 TR28502 RO28502 TR34459 TR34711

TR36584 TR38053 TR41151 TR32201 TR41664 TR41767 TR45152

AR41767 TR45566 RO38053 RO41151 RO41767 RO45152 RO45566

TR50024 RO50024 TR52334 RO52334 RO64997 RO65763 TR64896

TR64997 TR65763 TR67205 TR67466 TR67514 BR63740 )



COMMENT (

+----------------------------------------------------------------------+


+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+

|PURPOSE | Address name rename for UID(0) on getUMAP |

+----------+-----------------------------------------------------------+

|USERS | All users that leverage getUMAP |

|AFFECTED | |

+----------+-----------------------------------------------------------+



+----------+-----------------------------------------------------------+


|REQUIRED | |

+----------+-----------------------------------------------------------+

**************************


**************************



Release Service DetailsSMP APPLY, LLA REFRESH, TSS,,,REINIT then issue 'F TSS,REFRESH(SAFAL)'

to install this APAR.

).





AUTOUID/UNIQUSER NOT WORKING IF TCBSENV POPULATED


With options UNIQUSER/MODLUSER set, if INITUSP callable service

is called in an environment where TCB field TCBSENV is not NULL,

and the user which is the subject of INITUSP has no OMVS segment,

the INITUSP request fails with 8/8/24.

SYMPTOMS:

INITUSP callable service failes with RC/RSN = 8/8/24.

IMPACT:

Applications dependent on INITUSP functionality may terminate with

errors.

CIRCUMVENTION:

Manually add OMVS segment fields and DFLTGRP to ACID records for

which INITUSP previously failed.

PRODUCT(S) AFFECTED:


Star Problem(s):

TSSMVS 9551

ADD GROUP DURING UNIQUSER/MODLUSER LOGON


With options UNIQUSER/MODLUSER set, a GROUP will be added to an

ACID that logs on to USS/OMVS if the user does not already have an

OMVS segment. The GROUP will match the DFLTGRP found in the MODLUSER

and added to the ACID as part of this process as well.

SYMPTOMS:

None, this an enhancement to add this functionality to the existing

UNIQUSER/MODLUSER processing.

IMPACT:

The ACID logging on to USS/OMVS will now have a group assignment

in the ACID record after completion of the logon.

CIRCUMVENTION:

You can add a GROUP entry to any ACID that needs it through Top

Secret command administration.


Star Problem(s):

TSSMVS 9541


DESC(AUTOUID/UNIQUSER NOT WORKING IF TCBSENV POPULATED) .

++VER (Z038)

FMID (CAKOF00)

PRE ( RO55678 RO61359 RO63740 )

SUP ( RO54316 TR54316 TR66462 TR66605 TR67221 TR67801

TR67810 CR63740 )



COMMENT (

+----------------------------------------------------------------------+


+----------+-----------------------------------------------------------+


+----------+-----------------------------------------------------------+

|PURPOSE | Add MODLUSER DFLTGRP as a GROUP on user |

+----------+-----------------------------------------------------------+

|USERS | All users that leverage UNIQUSER and MODLUSER. |

|AFFECTED | |

+----------+-----------------------------------------------------------+



+----------+-----------------------------------------------------------+


|REQUIRED | |



Release Service Details+----------+-----------------------------------------------------------+

**************************


**************************

SMP APPLY, LLA REFRESH, TSS,,,REINIT

to install this APAR.

).

Documents

CA Top Secret Security for z/OS 15.0 CA RS 1403 … · CA Top Secret Security for z/OS 4 CA RS 1403 Service List for CAKOF01 FMID Service Description Hiper CAKOF01 RO61990 CICS NON