|
- Description:
- This check examines the setting of the ALLOWUSERKEYCSA(YES|NO)
DIAGxx option and compares it to the IBM® recommended
setting of ALLOWUSERKEYCSA(NO). A warning is issued if the setting
is YES.
- Reason for check:
- Allowing programs to obtain user key CSA creates a security risk
because CSA storage can then be modified by any unauthorized program. IBM recommends that ALLOWERUSERKEYCSA(NO)
be coded in the active DIAGxx parmlib member.
Note: Coding ALLOWUSERKEYCSA(NO)
for this option will cause user key programs attempting to obtain
CSA storage to ABEND with abend code B78, reason code xxxxxx5C. (The
first three bytes of the reason code provide internal failure details.)
The default setting for this option is ALLOWUSERKEYCSA(NO).
- z/OS® releases the check
applies to:
- z/OS V1R4 and later.
- Parameters accepted:
- No.
- User override of IBM values:
- The following shows keywords you can use to override check values
on either a POLICY statement in the HZSPRMxx parmlib member or on
a MODIFY command. This statement may be copied and modified to override
the check defaults:
UPDATE,
CHECK(IBMVSM,VSM_ALLOWUSERKEYCSA),
ACTIVE,
INTERVAL(ONETIME),
SEVERITY(LOW),
DATE('20060201'),
- Reference:
- No
- Messages:
- This check issues the following exception messages:
See the IGVH messages in z/OS MVS System Messages, Vol 9 (IGF-IWM).
- SECLABEL recommended for multilevel security users:
- SYSLOW - see z/OS Planning for Multilevel Security and the Common Criteria for
information on using SECLABELs.
|