IBM Support

PH57572: RSEAPI V1.1.3 INTERNAL DEFECT FIX

A fix is available


APAR status

  • Closed as program error.

Error description

  • RSEAPI v1.1.3 internal defect fix
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: 1. All users                                 *
    *                 2. All users                                 *
    *                 3. All users                                 *
    *                 4. All users                                 *
    *                 5. All users                                 *
    *                 6. All users                                 *
    *                 7. All users                                 *
    *                 8. All users                                 *
    *                 9. All users                                 *
    ****************************************************************
    * PROBLEM DESCRIPTION: 1. As with RSED, RSEAPI can support     *
    *                      application protection.                 *
    *                      2. An RSE API dataset query with a      *
    *                      filter may fail to return a dataset     *
    *                      when its CREATETIME property has a      *
    *                      value.                                  *
    *                      3. RSE API now uses RACF JWT Bearer     *
    *                      by default. The redirect filter needs   *
    *                      to be able to read the RACF JWT.        *
    *                      4. Duplicate values for headers, such   *
    *                      as the field listing exposed header     *
    *                      keys, could be found in a response      *
    *                      to a non-GET request of an overflow     *
    *                      server change.                          *
    *                      5. Callers of RSEAPI using JWT Bearer   *
    *                      authentication may need to obtain a     *
    *                      new JWT to authenticate to prolong      *
    *                      their session.                          *
    *                      6. Investigate ways to minimize REXX    *
    *                      calls in MVS request processing.        *
    *                      Multiple concurrent commands from the   *
    *                      same user may reach the user system     *
    *                      resource limit.                         *
    *                      7. SAF JWT could be used for            *
    *                      authentication, strengthening RSEAPI's  *
    *                      current Bearer authentication using     *
    *                      Java JWT.                               *
    *                      8. User log and server log are          *
    *                      helpful in troubleshooting and          *
    *                      monitoring the server. But a high log   *
    *                      level setting could consume lots of     *
    *                      resources. Currently the RSEAPI log     *
    *                      level is set at startup. Changing it    *
    *                      requires a restart of the server.       *
    *                      9. On a system that does not support    *
    *                      data set migration, recall and          *
    *                      deletion of migrated data sets,         *
    *                      sending these requests to the system    *
    *                      could cause the server connection to    *
    *                      be blocked.                             *
    ****************************************************************
    1. RSEAPI can define an application protection profile to
    restrict which users can use the application.
    2. RSE API incorrectly treats a symbol used in the dataset
    property CREATETIME as a reserved symbol, causing a parsing
    issue and the dataset to be skipped.
    3. Change to allow the RSE API redirect filter to read the RACF
    JWT.
    4. While the overflow server copies the response back to the
    primary, it could duplicate the common fields.
    5. A JWT is usually short-lived for security reasons.
    Callers in an ongoing RSEAPI session using JWT Bearer
    authentication may need to request a new token ahead of the
    expiration time of the token currently in use.
    6. MVS miner command processing that involves a REXX call uses
    shell commands executed through a Java process. A high level
    of concurrency of these commands could exhaust the user system
    limit.
    7. SAF JWT could be used to strengthen the current Bearer
    authentication with Java JWT, and from a single sign-on
    perspective.
    8. Changing the logging level for troubleshooting and
    monitoring should be possible while the server is still running.
    9. On a system that does not support migration, for example
    when HSM is not active, sending a migrate/recall/delete request
    causes the system to issue a WTO message that waits for a user
    response that nobody is monitoring.
    In that condition, the connection appears to hang. Detecting
    on the fly whether or not the service is available is not
    feasible at the moment.
    

Problem conclusion

  • 1. As with RSED, RSEAPI with a defined application protection
    profile can now restrict which users can use the server
    application.
    2. The parsing issue has been fixed and the new createTime
    property has been added to the dataset attributes display. RSE
    API can now display the dataset entries correctly.
    3. The RSE API redirect filter can now detect the JWT mode the
    server is running in and read the JWT in the corresponding
    format.
    4. The overflow server now copies back only header values that
    do not already exist.
    5. The new auth/refreshToken API is provided to request a
    fresh token that can be used for authentication, refreshing the
    lifespan of the user session with the renewed expiration time
    of the token. The Token-Expiration-Time header is included in
    the responses of auth/login and auth/refreshToken to denote the
    expiration time of the newly generated token returned in the
    header.
    6. The ZFiles facility is now used in a secure thread to query
    for attributes required in RSEAPI request processing for some
    popular requests such as download and upload, eliminating the
    corresponding REXX client command to the MVS miner backend.
    Further improvements will be made in other relevant areas.
    7. RSEAPI now implements support for SAF JWT, which requires
    RSE base SAF JWT support.
    8. An admin user can now change the user and server log levels
    while the server is running, with no restart required. This is
    helpful for troubleshooting on the spot when servers have
    issues.
    9. The new server startup configuration environment variable
    DISABLE_MIGRATE_HRECALL_HDELETE is introduced to disable
    migration, recall and deletion of migrated datasets; it
    defaults to false. It can be used to prevent users from
    repeatedly sending the unsupported commands, which can
    potentially block the connection.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH57572

  • Reported component name

    EXP FOR ZOS RSE

  • Reported component ID

    5655EXP33

  • Reported release

    110

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-10-16

  • Closed date

    2023-10-16

  • Last modified date

    2023-11-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI94020

Modules/Macros

  • HUH1SMPE HUH2RCVE HUH3ALOC HUH4ZFS  HUH5MKD  HUH6DDEF HUH7APLY
    HUH8ACPT HUHCRYPT HUHFT000 HUHFT002 HUHFT003 HUHFT004 HUHMKDIR
    HUHMOUNT HUHPAX01 HUHRACF  HUHSETUP HUHSHPAX HUHSTC
    

Fix information

  • Fixed component name

    EXP FOR ZOS RSE

  • Fixed component ID

    5655EXP33

Applicable component levels

  • R110 PSY UI94020

       UP23/10/21 P F310

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
02 November 2023