A fix is available
APAR status
Closed as program error.
Error description
In an IMS environment where both encryption/decryption and compression/decompression are performed by using DECENCDV to control the processing, the encryption/decryption processing may be performed incorrectly. Incorrect processing will only occur for fixed length segments contained in a partitioned HALDB database. As long as DECENCDV is not used to drive the encryption/decryption processing there is not a problem. The incorrect encryption processing may cause some decompression routines to perform unpredictably, such that they cause storage overlays that result in IMS failures.
Local fix
Problem summary
USERS AFFECTED: All users

PROBLEM DESCRIPTION: DECENCDV has been modified to not change the DMBCPAC block for fixed length segments when calling the encryption/decryption routine. Instead, all of the encryption/decryption routines have been changed to know when they are being called by DECENCDV and to treat fixed length segments as if they were variable length. In addition, DECENCDV now validates that the length of the segment being encrypted/decrypted is reasonable based on the DMBCPAC data before proceeding.

RECOMMENDATION:

Guidelines for installing DEC V1.2 maintenance
==============================================

In order to avoid unnecessary service disruptions due to maintenance activities, please follow these recommendations when deciding how and when to install maintenance for the Encryption Tool:

1. Always keep the SMP/E environment up to date. This will ensure that any newly-built exits will have the latest code.
2. Do not relink existing exits to include new SMP/E maintenance unless one of the following is true:
   a. You are experiencing a problem/symptom described by a specific APAR
   b. You already have a planned outage (for instance, a planned key rotation procedure)
   c. The APAR is marked as HIPER
   d. IBM support has advised you to do so
3. When maintenance to an exit is performed, ensure that copies of the existing exits are retained prior to replacing the exits with newer versions. The copies could be useful in a scenario where you need to fall back or if there is a need to reference information from the older exit.
4. It is not necessary to perform a migration action (i.e. an UNLOAD with the old exit and RELOAD with the new exit) unless there are instructions associated with the APAR stating that it is necessary to do so. These instructions may be included in any of the following:
   a. APAR description
   b. APAR closing text
   c. ++HOLD ACTION
5. When a migration action is required, the DB2|IMS subsystem should be cycled to ensure that the new exit is loaded and used.

End of Guidelines

This PTF will do the following:

Fix a problem where incorrect output may result during encryption/decryption processing when performing both IMS encryption and compression.

DECENCDV has been modified to not change the DMBCPAC block for fixed length segments when calling the encryption/decryption routine. Instead, all of the encryption/decryption routines have been changed to know when they are being called by DECENCDV and to treat fixed length segments as if they were variable length. In addition, DECENCDV now validates that the length of the segment being encrypted/decrypted is reasonable based on the DMBCPAC data before proceeding.

The following DEC modules are updated, so DEC links will be required for all of these:

DECENAA1 DECENBB1 DECENCDV DECENA01 DECENB01 DECENC01

If you are currently using any of the updated modules and meet one of the criteria for needing to relink the exit, execute the necessary link samplib member and verify that your IMS Exit library is refreshed.

DECENAA1 and DECENBB1 both require the DECSSI10 subsystem to run. Execute the link samplib member DECIMSCB for both DECENAA1 and DECENBB1.

If you are using either DECENAA1 or DECENBB1 along with the DECSSI10 modules, after successful linking of the DEC V1.2 module you should do either of the following actions:

1) Determine if the IMS EXIT library for the IMS Subsystem where DEC V1.2 is used is in the System Linklist concatenation. If so, issue the LLA Refresh command on that System LPAR. This will allow you to use the updated code without the need to cycle the IMS Subsystem.
2) If the IMS EXIT library for the IMS Subsystem where DEC V1.2 is used is not in the System Linklist concatenation, you will need to cycle the IMS Subsystem in order to use the updated code.

You should note the instructional comments in samplib member DECIMSCB on how to activate the exit named DECSSI10. This is a required prerequisite step for successful use of either DECENAA1 or DECENBB1. You can choose to perform this activation in either a dynamic or static mode.

NOTE: The Encryption Tool subsystem interface must be installed on each z/OS system in the sysplex where DL/I batch jobs are executed.

Dynamic installation
Install the subsystem by issuing z/OS commands SETPROG and SETSSI. With a dynamic installation, you are not required to IPL the system to activate the subsystem interface. However, because the subsystem interface persists for the current IPL only, you must reinstall the subsystem interface after an IPL.

Static installation
Install the subsystem by adding module DECSSI10 to the z/OS Link Pack Area and adding the subsystem interface definition to SYS1.PARMLIB subsystem definition member IEFSSNxx.

NOTE: With a static installation, you are required to immediately IPL the system to activate the subsystem interface. The subsystem interface persists across all IPLs.
Problem conclusion
Temporary fix
Comments
APAR Information
APAR number
PI68463
Reported component name
DATA ENCRYPTION
Reported component ID
5655P0300
Reported release
120
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-08-31
Closed date
2016-10-25
Last modified date
2016-12-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI41987
Modules/Macros
DECENAA1 DECENA01 DECENBB1 DECENB01 DECENCDV DECENC01
Fix information
Fixed component name
DATA ENCRYPTION
Fixed component ID
5655P0300
Applicable component levels
R120 PSY UI41987
UP16/11/09 P F611
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
01 December 2016