According to IBM's announcement of OA54807, "This APAR introduces the OSPROTECT system parameter which specifies the operating system protection mode for unauthorized programs and users."
IBM has published APAR OA54807, which introduces a new feature called OSPROTECT. Is this compatible with CA IDMS?
This IBM APAR is applicable only in a Z/OS environment.
It could pertain to the full suite of IDMS, including Culprit and ADS, in addition to IDMS-DB and IDMS-DC.
The IDMS-DC system does not run APF authorized; IDMS always runs unauthorized, even if a site has turned off ALLOWUSERKEYCSA. During startup, the IDMS system will ensure the authorized bit in the JSCB is off. Because of this, our level 2 team does not see the OSPROTECT=SYSTEM option as having any impact,
However, as of today we have no experience with this option.
Our recommendation would be to use OSPROTECT=SYSTEM which in reading the documentation indicates this is the default mode which we believe is the way systems run today, OSPROTECT=1 looks to be implementing a higher level of security which prevents looking at Storage; this sounds like Fetch Protection.
This is something we are going to need to test here; we can then publish our findings. For now, we recommend you not use OSPROTECT=1.
In addition to adding OSPROTECT, this IBM APAR also reuses an old PSA field PSASTAK. However, IDMS does not make reference to or use field PSASTAK, so that is does not pose any compatibility problem.
If you have a test LPAR then we suggest you turn on the option and test your IDMS systems there, especially if you have other vendor software involved with the IDMS system, as we would have no idea how that software will react. We are pursuing this internally at CA with Product Management to let them know we have to get this into the backlog for testing with a higher priority.
IBM's notification of this PTF can be found here: