A fix is available
APAR status
Closed as program error.
Error description
RSEAPI 1.1.4 Internal defect fix
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: 1. All users * * 2. All users * * 3. All users * * 4. All users * * 5. All users with ID containing 'W' or 'w' * **************************************************************** * PROBLEM DESCRIPTION: 1. Primary server that is started up * * in the same address space as the * * started task cannot spawn (executing * * catalina start scritp) a secondary * * overflow server directly and crashes. * * 2. fekfomvs is required to be APF * * (extended 'a' attribute), the * * required bit setting is 'aps'. When * * its bit setting is not proper, RSE * * may fail to properly authenticate a * * user. * * 3. Permission to use RSE API server * * new Administration API. * * 4. In the last release 1.1.3, RSEAPI * * has introduced the token refresh * * support. In this release, users are * * required to login using their user * * and password periodically. * * 5. RSEAPI misses to include the * * character 'W' in the standard rule to * * validate for userID input. * **************************************************************** 1. The spawn required to be done explicitly in a new shell. 2. When it is not APF, fekfomvs cannot perform its verifyUser command to authenticate a user. RSE authentication service fails to recognize the issue and let the authentication going through as sucessful. 3. RSE API should have a security admin requirement for users to access the new Administration API commands. 4. To avoid the possibility that a connection could use JWT bearer authentication for ever (with the new support of token refresh), the simple enforcement of periodically could be used. 5. It's a coding error.
Problem conclusion
1. Primary server now can spawn a secondary using "sh -c" shell. 2. Have authentication catch the issue and fails the authentication. This could also affect RSEAPI. 3. Users must have read permission to the RSEAPI admin security profile HUH.API.ADMIN.CMD to use the Administrator API. 4. With the introduction of the login using password interval enforcement, users now are required to log in (or re-log in) using user ID and password to an RSEAPI server periodically. It helps to strengthen the security in using token authentication. The interval is configurable through a new server environment RSEAPI_USER_PASS_INTERVAL_MINS. 5. Adding 'W' in the standard chars used as validation rule solves the issue.
Temporary fix
Comments
APAR Information
APAR number
PH60239
Reported component name
EXP FOR ZOS RSE
Reported component ID
5655EXP33
Reported release
110
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-03-08
Closed date
2024-03-08
Last modified date
2024-04-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI96011
Modules/Macros
HUH1SMPE HUH2RCVE HUH3ALOC HUH4ZFS HUH5MKD HUH6DDEF HUH7APLY HUH8ACPT HUHCRYPT HUHFT000 HUHFT002 HUHFT003 HUHFT004 HUHFT005 HUHFT006 HUHMKDIR HUHMOUNT HUHPAX01 HUHRACF HUHSETUP HUHSHPAX HUHSTC
Fix information
Fixed component name
EXP FOR ZOS RSE
Fixed component ID
5655EXP33
Applicable component levels
R110 PSY UI96011
UP24/03/16 P F403
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU011","label":"Systems - zSystems software"},"Product":{"code":"SG19M"},"Platform":[{"code":"PF054","label":"z Systems"}],"Version":"110"}]
Document Information
Modified date:
11 April 2024