Re: KEY8 CSA

Thu, 29 Jun 2006 08:20:49 -0700 

Mark Zelden wrote:

While the code path may be virtually the exact same in z/OS 1.8
with the new support as the TRAP in prior versions, "supported" means
that I would have been able to specify TRAPS NAME(IgvNoUserKeyCSA) on
any release since OS/390 R6 up to z/OS 1.8 (while the OS was still
supported) and IBM would debug / APAR any problem I had by specifying it.
I don't think that is the case.



Huh???! If you discover and report a user key CSA allocation in IBM 
code, they *will* take an APAR because it represents a potential 
integrity exposure. The issue is not which tool you use to find the 
exposure. The issue is the exposure itself!!



When you report an exposure of this type, you don't say, "I enabled the 
undocumented IgvNoUserKeyCSA trap and experienced a B78-5C abend at 
PGMXYZ+2F3C." Rather, you say something like, "PGMXYZ acquires key 8 
CSA, which introduces a potential integrity exposure to my system!" If 
you're concerned about sending IBM an SVC dump of the "unsupported" 
B78-5C abend, then just don't do it. Set an IF SLIP at PGMXYZ+2F3C with 
A=SYNCSVCD instead. In both cases, the system trace clearly shows the 
CSA GETMAIN request parameters, but the latter case uses only 
"supported" tools.



The only time I ever saw this issue handled in a less than satisfactory 
manner was with IXFP. And, I don't really consider IBM to be at fault. 
IBM took APAR OW53788 (it's one of those "secret" integrity APARs that 
doesn't show up on your IBMLink SIS screen). Karl Schmitz (IBM's 
integrity expert) got involved. It took a while, but eventually he was 
able to convince STK that their key 8 CSA allocation created an 
exposure. The APAR was closed FIN, but there never was a new release of 
IXFP. (I got my RVA very late in its life cycle. Had I discovered this 
exposure when RVAs were still new technology, there almost certainly 
would have been a more positive outcome.)



** Warning ** If you still run IXFP, be sure to specify 
ALLOWUSERKEYCSA(YES) in z/OS 1.8 and higher!


--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html






















					Reply via email to