Top Secret Requirements for IBM APAR OA46280 IWM4HLTH Security

Document ID : KB000030401
Last Modified Date : 14/02/2018

IBM APAR OA46280 states the following:

Actions to perform before the first IPL with this PTF Installed: 

To identify unauthorized callers of the IWM4HLTH macro which 
set the health indicator for an address space other than the 
caller's home address space, it is recommended to temporarily 
define the IWM.SERVER.HEALTH resource profile with the WARNING 
parameter. 
After the first IPL with the PTF installed, RACF issues the 
following warning message for callers of the macro with 
insufficient authorization: 
ICH408I USER(user) IWM.SERVER.HEALTH CL(FACILITY) 
WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED 

Take one of the following steps if there are unauthorized 
callers: 
- Change the program so that it no longer calls the IWM4HLTH 
macro or no longer run the program. 
- Change the caller's authorization to supervisor state or PKM 
allowing at least one of the keys 0-7. 
- Give the User ID associated with the program UPDATE authority 
to the resource profile IWM.SERVER.HEALTH or an 
appropriate generic profile when generic profile checking 
is active. 

After all necessary steps have been taken, alter the resource 
profile and specify NOWARNING or delete the profile if there 
are no unauthorized callers of the IWM4HLTH macro.
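
For sites running RACF in the warning mode described in the APAR text above, the ICH408I warnings can be tallied per user ID from a console-log extract. This is an added example, not part of the IBM or CA text; the sample log lines are constructed, the function names are hypothetical, and the extract is assumed to start each message with its message ID and to indent continuation lines.

```python
import re
from collections import Counter

RESOURCE = "IWM.SERVER.HEALTH CL(FACILITY)"
WARNING = "WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED"
USER_RE = re.compile(r"ICH408I\s+USER\(\s*([^)\s]+)\s*\)")

# Constructed console-log extract (not real output). Continuation lines of a
# multi-line ICH408I are assumed to be indented.
SAMPLE_LOG = """\
ICH408I USER(BATCHA  ) GROUP(PRODGRP ) NAME(CONSTRUCTED USER A  )
  IWM.SERVER.HEALTH CL(FACILITY)
  WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
IEF403I SAMPJOB - STARTED
ICH408I USER(STCB    ) GROUP(STCGRP  ) NAME(CONSTRUCTED USER B  )
  SOME.OTHER.RESOURCE CL(FACILITY)
  WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
ICH408I USER(BATCHA) IWM.SERVER.HEALTH CL(FACILITY) WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
ICH408I USER(STCC    ) GROUP(STCGRP  ) NAME(CONSTRUCTED USER C  )
  IWM.SERVER.HEALTH CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
"""

def split_messages(lines):
    """Yield each ICH408I message as one string, continuation lines joined."""
    current = None
    for line in lines:
        if line.startswith("ICH408I"):
            if current:
                yield " ".join(current)
            current = [line.strip()]
        elif current is not None and line[:1].isspace():
            current.append(line.strip())
        else:  # an unrelated message ends the current ICH408I
            if current:
                yield " ".join(current)
            current = None
    if current:
        yield " ".join(current)

def warning_callers(log_text):
    """Count warning-mode hits on IWM.SERVER.HEALTH per user ID."""
    hits = Counter()
    for msg in split_messages(log_text.splitlines()):
        user = USER_RE.search(msg)
        if user and RESOURCE in msg and WARNING in msg:
            hits[user.group(1)] += 1
    return hits

if __name__ == "__main__":
    for user, count in warning_callers(SAMPLE_LOG).most_common():
        print(f"{user}: {count} warning-mode call(s) to review")
```

The constructed STCC entry is not counted because it lacks the warning text, so only callers that were granted temporary access appear in the tally.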

Top Secret clients should do the following:

To identify unauthorized callers of the IWM4HLTH macro which 
set the health indicator for an address space other than the 
caller's home address space, it is recommended to temporarily 
perform the following CA Top Secret administration: 

TSS ADD(adept) IBMFAC(IWM.SERV) (if required. It is possible this ownership may already exist) 
TSS PER(ALL) IBMFAC(IWM.SERVER.HEALTH) ACCESS(UPDATE) ACTION(AUDIT) 

After the first IPL with the PTF installed, any unauthorized usage of the IWM4HLTH macro will result in audit records being written to the TSS Audit Tracking File and/or SMF, depending upon your logging options. TSSUTIL may be run regularly to report on all occurrences of resource checks against the IBMFAC(IWM.SERVER.HEALTH) resource. The presence of these events implies there are unauthorized callers of the IWM4HLTH macro. 

Take one of the following steps if there are unauthorized callers: 

- Change the program so that it no longer calls the IWM4HLTH macro or no longer run the program. 
- Change the caller's authorization to supervisor state or PKM allowing at least one of the keys 0-7. 
- Give the ACID or an associated PROFILE UPDATE authority to the resource IBMFAC(IWM.SERVER.HEALTH). 

After all necessary steps have been taken, either: 
- REVOKE permission and REMOVE ownership of the resource via: 
TSS REV(ALL) IBMFAC(IWM.SERVER.HEALTH) 
TSS REM(adept) IBMFAC(IWM.SERV) 
- Change the ALL record permission to: 
TSS PER(ALL) IBMFAC(IWM.SERVER.HEALTH) ACCESS(NONE)