We have applied some IBM maintenance including APAR IO11698.After then, all SMP commands like APPLY or LIST failed with following messages;
GIM20703S/T cmd PROCESSING FAILED. THE COMMAND OR SERVICE
ROUTINE IS NOT PROTECTED BY A SECURITY MANAGER.
GIM20704S/T cmd PROCESSING FAILED. THE SYSTEM AUTHORIZATION
FACILITY (SAF) WAS NOT ABLE TO DETERMINE WHETHER USER
userid IS AUTHORIZED TO INVOKE THIS SMP/E COMMAND OR
SERVICE ROUTINE. THE SAF RETURN CODE IS safrc. THE
SECURITY MANAGER RETURN CODE IS racfrc. THE SECURITY
MANAGER REASON CODE IS racfrsn.
It turned out that IO11698 introduces two PTFS that are adding Security Authorization Facility (SAF) checks to ensure only users that have sufficient access authority are allowed to invoke certain SMP/E functions.
How should we authorize the SMP/E command or service routine in Top Secret?
The security calls are all in the IBMFAC class and have the following resource name formats:
- GIM.CMD.command for the SMP/E commands, where "command" is the name of the current SMP/E command being attempted. For example:
TSS PERMIT(acid) IBMFAC(GIM.CMD.APPLY) ACCESS(READ)
for the APPLY command.
- GIM.PGM.program for the GIMZIP, GIMUNZIP or GIMIAP service routines, where "program" is the name of the service routine being processed. For example:
TSS PERMIT(acid) IBMFAC(GIM.PGM.GIMZIP) ACCESS(READ)
for the GIMZIP command.
To secure the SMP/E commands, define them in CA Top Secret
as a protected resource.
TSS ADD(owningacid) IBMFAC(GIM.)
We recommend that you write PERMITs for each SMP/E function; however, if you prefer to allow everyone access to these resources, you can issue PERMIT commands similar to the following::
TSS PERMIT(ALL) IBMFAC(GIM.PGM.) ACCESS(READ)
TSS PERMIT(ALL) IBMFAC(GIM.CMD.) ACCESS(READ)
To identify all users that need specific functions permitted, add the SMP/E resource to the AUDIT record. This will log all accesses for that SMP/E resources. This will enable writing of future PERMIT commands at a more granular level.
TSS ADD(AUDIT) IBMFAC(GIM.PGM.)
TSS ADD(AUDIT) IBMFAC(GIM.CMD.)
More information can be found in RI15989(for r12) or RI15990(for r14).