IBM Support

PH47252: Z/OS EXPLORER SECURITY VIOLATION ON USER OWNED LIBRARIES


APAR status

  • Closed as program error.

Error description

  • Sporadic security violations on user owned data sets during
    normal daily work, probably due to client response delay in
    connection establishment, sometimes after
    the user started working.
    
    Operators see for example:
    RSED4    ACF99913 ACF2
    VIOLATION-04,00,RSED,VR6848,<dataset name>,N/A
    RSED4    ACF90913  -DATASET CANNOT BE OPENED; AUTHORIZATION IS
    REQUIRED.
    
    In ACF2 report this violation shows up as:
    RSED     21.099 09/04 12.59       DATASET  VIOLATION
    RSED4    VOL=<volser> DDN=SYS03261 DSN=<dataset name>
    STEP1    VOL=       PGM=BPXPRFC  LIB=SYS1.LINKLIB
             DA-OPN OUTPUT  NORULE   NAM=RSE DAEMONS
    ROL=OC01     SRC=STCINRDR            UID=STCRSE
    
    The security validation is done using the RSED started task
    ID instead of the user's UID.
    
    
    FEKLOG shows at 2021.04.09 09:56:39:591:
    
    ELAQKK9,LOCK,ELAQKK9.PDS.PLI(F07J0)
    ELAQKK9,LOCK,ELAQKK9.PDS.PLI(F07J0),0
    ELAQKK9,READ,ELAQKK9.PDS.PLI(F07J0)
    ELAQKK9,READ,ELAQKK9.PDS.PLI(F07J0),0,%n%n%nFB%nN%n000%nN%n80%n2
    9764%n0%n0%n %nelaqkk9
    %nCRLFNL 0xD 0x240D 0x25 0x240A 0x15 0x2424 BADHEX
    %n363%n0%n0%n{RETRIEVEDATTRS:LEGACY;}
    and then after some time
    12:59:53:472 ELAQKK9,WRITE,ELAQKK9.PDS.PLI(F07J0)
    ELAQKK9,WRITE,NoDataReceived,0
    
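The report layout quoted above makes the symptom detectable from the ACF2 log itself. The following is an added example, not IBM's or the APAR's code: a small parser for DATASET VIOLATION records in that layout, flagging records whose UID is an RSE started-task ID while the data set's high-level qualifier belongs to another ID. The sample report, volsers, DDNs and the second record are constructed; STCRSE as the RSED started-task ID is taken from the report above.

```python
import re
from dataclasses import dataclass

# Constructed sample in the ACF2 report layout quoted in the APAR. Volsers, DDNs and
# the second record are made up; STCRSE is the RSED started-task ID from the APAR.
SAMPLE_REPORT = """\
RSED     21.099 09/04 12.59       DATASET  VIOLATION
RSED4    VOL=WRK001 DDN=SYS03261 DSN=ELAQKK9.PDS.PLI
STEP1    VOL=       PGM=BPXPRFC  LIB=SYS1.LINKLIB
         DA-OPN OUTPUT  NORULE   NAM=RSE DAEMONS
ROL=OC01     SRC=STCINRDR            UID=STCRSE
ELAQKK9  21.099 09/04 13.05       DATASET  VIOLATION
ELAQKK9A VOL=WRK002 DDN=SYS00012 DSN=OTHERUSR.PRIVATE.DATA
STEP1    VOL=       PGM=IEBGENER LIB=SYS1.LINKLIB
         DA-OPN INPUT   NORULE   NAM=SOME USER
ROL=OC01     SRC=TSO                 UID=ELAQKK9
"""

# Record header: jobname, yy.ddd date, mm/dd, hh.mm, event type. Field lines follow it.
HEADER_RE = re.compile(r"^(?P<job>\S+)\s+(?P<date>\d\d\.\d{3}) \d\d/\d\d "
                       r"(?P<time>\d\d\.\d\d)\s+DATASET\s+VIOLATION\s*$")
FIELD_RE = re.compile(r"\b(DSN|PGM|UID)=(\S+)")

@dataclass
class Violation:
    job: str
    timestamp: str
    dsn: str
    pgm: str
    uid: str

def parse_violations(report: str) -> list[Violation]:
    """One Violation per DATASET VIOLATION header, fields taken from its continuation lines."""
    records: list[dict] = []
    for line in report.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append({"job": m["job"], "timestamp": f"{m['date']} {m['time']}"})
        elif records:  # continuation line of the current record
            for key, val in FIELD_RE.findall(line):
                records[-1][key.lower()] = val
    return [Violation(r["job"], r["timestamp"], r.get("dsn", ""),
                      r.get("pgm", ""), r.get("uid", "")) for r in records]

def rse_identity_leaks(violations: list[Violation], rse_stc_uids: set[str]) -> list[Violation]:
    """The APAR's symptom: the accessor is an RSE daemon started-task ID, but the data set's
    high-level qualifier is another ID, so the check ran under the server, not the user."""
    return [v for v in violations if v.uid in rse_stc_uids and v.dsn.split(".")[0] != v.uid]
```

Run `rse_identity_leaks(parse_violations(report_text), {"STCRSE"})` over an exported ACF2 report; only the first sample record is returned, while the second (a TSO user's own violation) is not.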

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: 1. Users on the server.                      *
    *                 2. All user connection to system having      *
    *                 tape-type device dataset.                    *
    *                 3. all RSE connections that delay the mvs    *
    *                 files systems connections in more than       *
    *                 passticket timeout.                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: 1. Debugging shows holder of            *
    *                      stdout/err (of ThreadPools) kept by     *
    *                      Daemon keeps growing with duplicates.   *
    *                      Daemon's message listener usually       *
    *                      would print out garbage when Daemon     *
    *                      stops.                                  *
    *                      2. Tape-device type currently is        *
    *                      logged at info level and as active.     *
    *                      The active status logging should be     *
    *                      corrected and at debug level only.      *
    *                      3. After the passticket life span is    *
    *                      expired, during the loading of the      *
    *                      mvsminer, for the mvs files system      *
    *                      connection operation, the lock          *
    *                      manager would need a newly generated    *
    *                      passticket to start up. The             *
    *                      generation of the passticket is also    *
    *                      required to be done under the           *
    *                      ThreadPool/Daemon user id.              *
    ****************************************************************
    1. The Daemon holds the stdout/err fds of the ThreadPools to
    collect their messages for logging. It does not reset these
    holders on each round it scans the ThreadPools, so duplicate
    fds keep accumulating.
    The Daemon's message listener process terminates abruptly on
    exit, causing the Daemon to print garbage when it stops.
    2. Reduce the tape-device information to debug level to avoid
    excessive logging on systems with a high number of tape-device
    data sets.
    3. The lock manager should be started under the user's security
    profile with a valid passticket.
    Only the server ID is required to have permission to generate
    passtickets. A user thread may fail to generate a passticket
    and could then fail to load and set up the mvsminer properly in
    the described scenario.
    

Problem conclusion

  • 1. Reset the std fd holder in each round of the scan.
    Have the messaging process send an exit back to the Daemon so
    that its message listener displays properly.
    2. The tape-device type active status is corrected and logged
    only at debug level.
    3. Have the lock manager start up with a valid passticket.
    Have the passticket generation call used by the mvs Files System
    initialization and connection operation run in a newly created
    thread, so that it inherits the process server ID and is able
    to generate the passticket.
    The connection should then be made with the newly generated
    ticket so that the mvsminer's lock manager works under the
    proper security profile as the user.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH47252

  • Reported component name

    EXP FOR Z/OS HO

  • Reported component ID

    5655EXP23

  • Reported release

    320

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-06-15

  • Closed date

    2022-11-10

  • Last modified date

    2022-12-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI83251

Modules/Macros

  • FEJENF70 FEJJCNFG FEJJJCL  FEJJMON  FEJTSO   FEK1SMPE FEK2RCVE
    FEK3ALOC FEK4ZFS  FEK5MKD  FEK6DDEF FEK7APLY FEK8ACPT FEK@CERR
    FEK@CONE FEK@CONF FEK@CUST FEK@DEB  FEK@DESC FEK@FLOW FEK@GEN
    FEK@GENW FEK@ISPF FEK@IVP  FEK@IVPD FEK@IVPW FEK@JCN1 FEK@JCNE
    FEK@JESJ FEK@MAIN FEK@MIGO FEK@OPTE FEK@OPTG FEK@OPTN FEK@PRIM
    FEK@RSE1 FEK@RSEO FEK@STRT FEK@TAB1 FEK@TAB2 FEK@TAB3 FEK@WRK1
    FEK@WRK2 FEK@WRK3 FEK@WRK4 FEK@WRK5 FEKAPPCC FEKAPPCL FEKAPPCX
    FEKATTR  FEKDSI   FEKEESX0 FEKFASIZ FEKFATT1 FEKFBLD  FEKFCIPH
    FEKFCLIE FEKFCMOD FEKFCMPR FEKFCMSG FEKFCOMM FEKFCOPY FEKFCOR6
    FEKFCORE FEKFDBG  FEKFDBG6 FEKFDBGM FEKFDIR  FEKFDIR6 FEKFDIVP
    FEKFDST0 FEKFDST1 FEKFDST2 FEKFENVF FEKFENVI FEKFENVP FEKFENVR
    FEKFENVS FEKFEPL  FEKFERRF FEKFGDGE FEKFICUL FEKFISPF FEKFIVP0
    FEKFIVPA FEKFIVPD FEKFIVPI FEKFIVPJ FEKFIVPT FEKFJESM FEKFJESU
    FEKFJLIC FEKFJSON FEKFJVM  FEKFLATR FEKFLDSI FEKFLDSL FEKFLEOP
    FEKFLOGS FEKFLPTH FEKFMAI6 FEKFMAIN FEKFMINE FEKFMNTL FEKFNTCE
    FEKFOMVS FEKFPATT FEKFPLUG FEKFPTC  FEKFRIVP FEKFRMSG FEKFRSES
    FEKFRSRV FEKFSCMD FEKFSEND FEKFSSL  FEKFSTUP FEKFT000 FEKFT001
    FEKFT002 FEKFT003 FEKFT004 FEKFT005 FEKFT006 FEKFT007 FEKFT008
    FEKFT009 FEKFT010 FEKFT011 FEKFT012 FEKFT013 FEKFT014 FEKFT015
    FEKFT016 FEKFT017 FEKFT018 FEKFT019 FEKFT020 FEKFT021 FEKFT022
    FEKFT023 FEKFT024 FEKFT025 FEKFTIVP FEKFTSO  FEKFUTIL FEKFVERS
    FEKFXITA FEKFXITL FEKFZOS  FEKHCONF FEKHCUST FEKHDEB  FEKHDESC
    FEKHFLOW FEKHGEN  FEKHISPF FEKHIVP  FEKHIVPD FEKHJESJ FEKHMAIN
    FEKHMIGO FEKHOPTE FEKHOPTN FEKHPRIM FEKHRSE1 FEKHRSEO FEKHSTRT
    FEKHTAB1 FEKHTAB2 FEKINIT  FEKKEYS  FEKLOCKA FEKLOGR  FEKLOGS
    FEKM00   FEKM01   FEKM02   FEKMKDIR FEKMOUNT FEKMSGC  FEKMSGS
    FEKRACF  FEKRSED  FEKSAPF  FEKSAPPL FEKSBPX  FEKSCLAS FEKSCLOG
    FEKSCMD  FEKSCPYM FEKSCPYU FEKSDSN  FEKSENV  FEKSETUP FEKSISPF
    FEKSJCFG FEKSJCMD FEKSJMON FEKSLPA  FEKSPROG FEKSPTKT FEKSRSED
    FEKSSERV FEKSSTC  FEKSSU   FEKSUSER FEKXCFGE FEKXCFGI FEKXCFGM
    FEKXCFGT FEKXMAIN FEKXML   HUHFCOR6 HUHFCORE
    

Fix information

  • Fixed component name

    EXP FOR Z/OS HO

  • Fixed component ID

    5655EXP23

Applicable component levels

  • R320 PSY UI83251

       UP22/11/22 P F211

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
01 December 2022