A fix is available
APAR status
Closed as program error.
Error description
RSEAPI v1.1.3 internal defect fix
Local fix
N/A
Problem summary
USERS AFFECTED: All users (for each of items 1 through 9)

PROBLEM DESCRIPTION:
1. As with RSED, RSEAPI can support application protection.
2. An RSE API dataset query with a filter may fail to return a dataset when its CREATETIME property has a value.
3. RSE API is now using RACF JWT Bearer by default. The redirect filter needs to be able to read the RACF JWT.
4. Duplicate values for headers, such as the field listing exposed header keys, could be found in a response from a non-GET request of an overflow server change.
5. Callers of RSEAPI using JWT Bearer authentication may need to obtain a new JWT to authenticate in order to prolong their session.
6. Investigation into ways to minimize REXX calls in MVS request processing. Multiple concurrent commands from the same user may reach the user system resource limit.
7. SAF JWT could be used for authentication, strengthening RSEAPI's current Bearer authentication using Java JWT.
8. The user log and server log are helpful in troubleshooting and monitoring the server, but a high log level could consume a lot of resources. Currently the RSEAPI log level is set at startup, and changing it requires a restart of the server.
9. For systems that do not support data set migration, recall and deletion of migrated data sets, sending these requests to the system could cause the server connection to be blocked.

1. RSEAPI can define an application protection profile to restrict which users can use the application.
2. RSE API incorrectly treats a symbol used in the dataset property CREATETIME as a reserved symbol, causing a parsing issue and the dataset being skipped.
3. Change to allow the RSE API redirect filter to read the RACF JWT.
4. During the overflow's copying of the response back to the primary, it could duplicate the common fields.
5. A JWT is usually short-lived for security reasons. Callers of an ongoing RSEAPI session using JWT Bearer authentication may need to request a new token ahead of the expiration time of the token currently in use.
6. MVS miner command processing that involves a REXX call uses shell commands executed through a Java process. A high level of concurrency of these commands could exhaust the user system limit.
7. SAF JWT could be used to strengthen the current Bearer authentication with Java JWT, and from a single sign-on perspective.
8. Troubleshooting and monitoring by changing the logging level should be possible while the server is still running.
9. On a system that does not support migration, for example when HSM is not active, sending a migrate/recall/delete request causes the system to issue a WTO message that waits for a user response that is not monitored by anyone. In this condition, the connection appears to hang. Detecting on the fly whether or not the service is available is not feasible at the moment.
Problem conclusion
1. As with RSED, RSEAPI with a defined application protection profile can now restrict which users can use the server application.
2. The parsing issue has been fixed and the new createTime property has been added to the dataset attributes display. RSE API can now display the dataset entries correctly.
3. The RSE API redirect filter can now detect the JWT mode the server is running in and read the JWT in the corresponding format.
4. The overflow server now copies back only header values that do not already exist.
5. Provide the new auth/refreshToken API to request a fresh token that can be used for authentication and that refreshes the lifespan of the user session with the renewed expiration time of the token. The Token-Expiration-Time header will be included in the response headers of auth/login and auth/refreshToken to denote the expiration time of the newly generated token returned in the header.
6. Use the ZFiles facility in a secure thread to query for attributes required in RSEAPI request processing for some popular requests such as download and upload, eliminating the corresponding REXX client command to the MVS miner backend. Further improvements will be made in other relevant areas.
7. RSEAPI now implements support for SAF JWT, with the prerequisite of RSE base SAF JWT support.
8. An admin user can now change the user and server log levels while the server is running, with no restart required. This is helpful for troubleshooting on the spot when servers have issues.
9. Introduce the new server startup configuration environment DISABLE_MIGRATE_HRECALL_HDELETE to disable migrate, recall and deletion of migrated data sets; it defaults to false. It can be used to prevent users from repeatedly sending the unsupported commands, which can potentially block the connection.
Temporary fix
Comments
APAR Information
APAR number
PH57572
Reported component name
EXP FOR ZOS RSE
Reported component ID
5655EXP33
Reported release
110
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-10-16
Closed date
2023-10-16
Last modified date
2023-11-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI94020
Modules/Macros
HUH1SMPE HUH2RCVE HUH3ALOC HUH4ZFS HUH5MKD HUH6DDEF HUH7APLY HUH8ACPT HUHCRYPT HUHFT000 HUHFT002 HUHFT003 HUHFT004 HUHMKDIR HUHMOUNT HUHPAX01 HUHRACF HUHSETUP HUHSHPAX HUHSTC
Fix information
Fixed component name
EXP FOR ZOS RSE
Fixed component ID
5655EXP33
Applicable component levels
R110 PSY UI94020
UP23/10/21 P F310
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
02 November 2023