Datacom14 and ALLOWUSERKEYCSA

Document ID : KB000057640
Last Modified Date : 14/02/2018
Show Technical Document Details

Question:

Trying to implement IBM's recommendation of: VSM ALLOWUSERKEYCSA(NO)                                           

NO prevents user key CSA from being allocated by failing any attempt  to obtain user key from a CSA subpool (through GETMAIN or STORAGE     

OBTAIN) with a B04-5C, B0A-5C, or B78-5C abend. The default is NO. IBM recommends that you should not specify ALLOWUSERKEYCSA(YES).      

User key CSA creates a security risk because any unauthorized program can modify it.  

My management pointed out an old tech doc that mentions DATACOM compatibility:        http://supportconnectw.ca.com/public/datacom_ideal/infodocs/TEC432558.pdf

For several releases of CA Datacom, there has been an alternative to the use of ECSA for the execution of a CA Datacom MUF. CA Datacom/DB can execute in a mode where task-related storage (as described above) resides in an IBM “data space.” This data space designated for CA Datacom task storage is subject to modification only by CA Datacom programs as required to communicate with MUF.

To date, the majority of our CA Datacom customers have chosen to use the ECSA default implementation rather than the alternate data space implementation. However, IBM’s z/OS 1.9 default of AllowUserKeyCSA(NO) may trigger additional customers to review the available options and possibly switch to the data space option.

This doc does not mention Datacom R14.     Does this still hold true for rel14?       What would have to change, if anything, in our MUF configurations?

 

Answer:

CA Datacom/AD 14.0 is unaffected by that IBM parameter (ALLOWUSERKEYCSA)

With release 12 and above, CA Datacom will no longer allocate or use ECSA PROTECT KEY 8 storage; it is now using data space.

At startup Multi-User creates a small data space, which can be seen via message:

DB00278I - DATASPACE NAME 00021MUF   (as an example).

This is transparent to the user application and it takes care of the problem coming with that IBM parameter (ALLOWUSERKEYCSA).

 

Additional Information:

From CA Datacom/DB System and Administration Guide r14.0

Task Communications: Applications communicate with the Multi-User Facility through a task communications area (known as the DBRW or RWTSA). These task communications areas are allocated in the MUF address space and also a dedicated dynamically allocated Dataspace unique by the MUF name. In addition to the Dataspace, each MUF requires one 4k page ECSA for communication, a couple hundred bytes of identification, and about 100 bytes per task area, all in ECSA, key 0. Specific sizes are provided in the DBUTLTY REPORT MEMORY=MVS...

See also:  APAR #: QI83015 Title: *TIP:CA DATACOM USE OF KEY 8 AND THE COMMUNICATION DATASPACE