FLAM Issue Tracker - FL5
View Issue Details
ID: 0000879
Project: FL5
Category: 2.2 Subprogram FLUC (CONV)
View Status: public
Date Submitted: 2017-06-12 08:19
Last Update: 2019-06-17 16:02
Reporter: Falk Reichbott
Assigned To: Falk Reichbott
Priority: normal
Severity: feature
Reproducibility: N/A
Status: resolved
Resolution: fixed
Platform: System z
OS: z/OS
OS Version: V2R20
Product Version: 5.1.19
Target Version: 5.1.21
Fixed in Version: 5.1.21
0000879: Support SAF request in SW implementations for key access and other resources
Description:
With ICSF support you can use the SAF classes CSFKEYS and CSFSERV together with policies to prevent misuse of keys.

If a software implementation, e.g. for PGP (PGP key rings, or truststore with ICSF), is used, then the control over which PGP user ID can be used is lost.

Add corresponding SAF requests for such implementations.
No tags attached.
Relationships: related to 0000880 (resolved, Falk Reichbott): Support encryption and key management policies
Issue History
2017-06-12 08:19  Falk Reichbott  New Issue
2017-06-12 08:19  Falk Reichbott  Status: new => assigned
2017-06-12 08:19  Falk Reichbott  Assigned To: => Mykhailo Moldavskyy
2017-06-12 08:27  Falk Reichbott  Relationship added: related to 0000880
2017-08-31 16:51  Falk Reichbott  Target Version: 5.1.16 => 5.1.18
2018-06-18 09:36  Falk Reichbott  Target Version: 5.1.18 => 5.1.19
2018-08-01 09:00  Falk Reichbott  Target Version: 5.1.19 => 5.1.20
2018-11-02 12:50  Falk Reichbott  Assigned To: Mykhailo Moldavskyy => Falk Reichbott
2019-02-28 17:33  Falk Reichbott  Target Version: 5.1.20 => 5.1.21
2019-06-13 12:46  Falk Reichbott  Note Added: 0001258
2019-06-13 12:47  Falk Reichbott  Product Version: 5.1.15 => 5.1.19
2019-06-13 13:01  Falk Reichbott  Note Added: 0001260
2019-06-17 16:02  Falk Reichbott  Note Added: 0001268
2019-06-17 16:02  Falk Reichbott  Status: assigned => resolved
2019-06-17 16:02  Falk Reichbott  Fixed in Version: => 5.1.21
2019-06-17 16:02  Falk Reichbott  Resolution: open => fixed

Notes
(0001258) Falk Reichbott, 2019-06-13 12:46
Hello Mr. Schöller

Thank you for this issue; we will look into it.

Fundamentally, though, what happens here is already wrong in itself.
You read a FLAMFILE that contains a KSDS as a member, and FLUC writes it as PSVB to a temporary file. Then the CLIST starts the ISPF editor, you make your changes in the temporary file and now want to save with PF3. That is, the ISPF editor terminates and the overwritten temporary file is now written back by the CLIST via FLUC with the inverse command. What you would get here, if there were no error, is a PSVB member in the FLAMFILE, which I believe does not match your expectations. Because you are hoping that this is a KSDS, aren't you?

This will not work via FLVEDIT. Since you are editing the native records and not XML or the like, you should work with FLEDIT here; then it should work.

However, the log you sent us clearly shows that we have a bug here, which we will fix, provided we can reproduce it, so that a PSVB member ends up in the FLAMFILE after PF3. Creating a KSDS as a member again here is unfortunately not possible, because for that the temporary file would have to be a KSDS, which is not possible.

So FLVEDIT only makes sense for PS, because it converts to PS. FLUC can only read and write sequentially.

Kind regards
Falk Reichbott
(0001260) Falk Reichbott, 2019-06-13 13:01
Hello Mr. Schöller

I have just spoken with the FLAM4 team, and FLEDIT has the same problem as FLVEDIT; and in your case the FLAMFILE itself is also a VSAM KSDS, which we are not allowed to write back to, which is what FF.0000E8 indicates.

Kind regards
Falk Reichbott
(0001268) Falk Reichbott, 2019-06-17 16:02
A first set of additional SAF checks is implemented.

SAF configuration
~~~~~~~~~~~~~~~~~

Since version 5.1.21 FLAM supports additional SAF checks for the classes
and entities below. Each FLAM class starts with '$FL'. To be backward
compatible with previous releases, an undefined resource (return code 4)
will be accepted by default. This also means that the prefix cannot be
changed. Only a return code greater than or equal to 8 will result in an
authorization or license error. With the first class, the 6-byte feature
code can be controlled.

CLASS: '$FLFEATR' - Feature de/activation
    Entities: Are equal to FLAM feature names (shown in your license)
        Attribute: 'READ' deactivates the feature
        Attribute: 'ALTER' activates the feature

This support will fail with a license error. The class is global and is
only available if a new license module is requested. All checks below are
part of the FL5 components, can be controlled via a global master class,
and will result in an authorization error.

CLASS: '$FLGLOBL' - Global master class to activate several SAF checks
    Entity: 'MUSTDEF' - Don't accept return code 4; everything must be defined
        Attribute: 'READ' activates the strong SAF checking (return code must be 0, else fail)
        Attribute: 'ALTER' only simple SAF checking is active (return code must be >= 8 to fail)
    Entity: 'POLICIES' - General policies ($FLPOLCY)
    Entity: 'CLP.CONTROL' - Parameter string ($FLCLPAR)
    Entity: 'AVE.CONTROL' - Anti virus exit ($FLAV*)
    Entity: 'CPE.CONTROL' - Column processing exit ($FLCP*)
    Entity: 'KME.CONTROL' - Key management exit ($FLKM*)
    Entity: 'SSH.CONNECT' - SSH connections ($FLSSH*)
    Entity: 'PGP.KEYMNGM' - PGP key management ($FLPGP*)
    Entity: 'SMF.LOGGING' - Enforce SMF-Logging
    Entity: 'PGP.USERID' - Access to user ids ($FLPGUID)
    Entity: 'PGP.KEYID' - Access to key ids ($FLPGKID)
        Attribute: 'READ' activates the SAF checking
        Attribute: 'ALTER' allows doing this without SAF

The classes below are controlled by the global master above:

CLASS: '$FLPOLCY' - Several policies
    Entity: 'SSH.PCAP.NOT.ALLOWED' - Packet capturing is not allowed
    Entity: 'SSH.WAEK.HOST.KEY.CHECK.NOT.ALLOWED' - WARN and ACCEPT is not allowed
    Entity: 'SSH.CUSTOM.HOST.KEY.NOT.ALLOWED' - A custom host key is not allowed
    Entity: 'SSH.CUSTOM.KNOWN.HOST.FILE.NOT.ALLOWED' - A custom known host key file is not allowed
    Entity: 'KEY.GENERATE.PGP.EXPIRD.REQIRED' - Expiration date required
    Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN1024' - Minimum 1024 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN2048' - Minimum 2048 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN3072' - Minimum 3072 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN4096' - Minimum 4096 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.NOT.ALLOWED' - DSA algorithm is not allowed
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN1024' - Minimum 1024 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN2048' - Minimum 2048 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN3072' - Minimum 3072 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN4096' - Minimum 4096 bit required
    Entity: 'KEY.IMPORT.PGP.KIDVER.REQ04' - A minimum of 4 byte finger print for import
    Entity: 'KEY.IMPORT.PGP.KIDVER.REQ08' - A minimum of 8 byte finger print for import
    Entity: 'PGP.READ.PWD' - Read with passwords is not allowed (enforce PKA)
    Entity: 'PGP.WRITE.PWD' - Write with passwords is not allowed (enforce PKA)
    Entity: 'PGP.REENC.PWD' - Re-encryption with passwords is not allowed (enforce PKA)
    Entity: 'PGP.READ.ENFORCE.ENCRYPTION' - Enforce encryption at read of PGP files
    Entity: 'PGP.READ.ENFORCE.INTEGRITY' - Enforce integrity protection at read of PGP files
    Entity: 'PGP.READ.ENFORCE.SIGNING' - Enforce signing at read of PGP files
    Entity: 'PGP.WRITE.ENFORCE.ENCRYPTION' - Enforce encryption at write of PGP files
    Entity: 'PGP.WRITE.ENFORCE.INTEGRITY' - Enforce integrity protection at write of PGP files
    Entity: 'PGP.WRITE.ENFORCE.SIGNING' - Enforce signing at write of PGP files
        Attribute: 'READ' enforces the policy
        Attribute: 'ALTER' allows this

CLASS: '$FLCLPAR' - Command line parser
    Entities: Path to this parameter
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be used

CLASS: '$FLSSHUS' - SSH user
    Entities: SSH user id
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLSSHHO' - SSH host
    Entities: IP or DSN for SSH daemon
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLSSHPO' - SSH port
    Entities: Port of SSH daemon (decimal number)
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVLIB' - FAVE library
    Entities: Library name
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVFUC' - FAVE Function
    Entities: Function name used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVPAR' - FAVE Parameter
    Entities: Parameter string used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVIPH' - FAVE IP host
    Entities: IP address of AV daemon
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVIPS' - FAVE IP service/port
    Entities: IP service of AV daemon
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLCPLIB' - FCPE library
    Entities: Library name
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLCPFUC' - FCPE Function
    Entities: Function name used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLCPPAR' - FCPE Parameter
    Entities: Parameter string used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLKMLIB' - FKME library
    Entities: Library name
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLKMFUC' - FKME Function
    Entities: Function name used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLKMPAR' - FKME Parameter
    Entities: Parameter string used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLPGPGN' - PGP generate
    Entities: User ID to be generated
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGPEX' - PGP export
    Entities: User ID to be exported
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGPIM' - PGP import
    Entities: User ID to be imported
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGPDL' - PGP delete
    Entities: User ID to be deleted
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGUID' - Operational PGP user
    Entities: User ID mainly at write
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGKID' - Operational PGP key ID
    Entities: Key ID at read and write
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done
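As an added example (not FLAM's own code), the decision rules in this note modelled in Python. A constructed in-memory profile table stands in for the SAF authorization call, and the evaluation order (ALTER consulted before READ, the $FLGLOBL master entity before the resource class, MUSTDEF deciding whether return code 4 is tolerated) is my reading of the conventions above. The PGP user ids, the SSH host name and the grants in the profile table are constructed sample data.

```python
"""
Executable model of the SAF decision rules in note 0001268.
Added illustration, not FLAM code: SAF answers come from a constructed
in-memory profile table, and the evaluation order (ALTER before READ,
$FLGLOBL master entity before the resource class) is my reading of the note.
"""
from typing import Dict, Optional, Tuple

# SAF return codes as the note uses them
RC_OK = 0        # profile found and access granted
RC_UNDEF = 4     # undefined resource (no profile)
RC_DENIED = 8    # profile found, access not granted

ACCESS_RANK = {"NONE": 0, "READ": 1, "ALTER": 2}
Profiles = Dict[Tuple[str, str], str]   # (class, entity) -> access the caller holds


class FakeSaf:
    """Constructed stand-in for a SAF authorization call (RACROUTE REQUEST=AUTH)."""

    def __init__(self, profiles: Profiles):
        self.profiles = profiles

    def auth(self, cls: str, entity: str, attribute: str) -> int:
        if not cls.startswith("$FL"):
            raise ValueError("FLAM classes carry the fixed prefix '$FL'")
        held = self.profiles.get((cls, entity))
        if held is None:
            return RC_UNDEF
        return RC_OK if ACCESS_RANK[held] >= ACCESS_RANK[attribute] else RC_DENIED


def strict_mode(saf: FakeSaf) -> bool:
    """$FLGLOBL MUSTDEF: READ -> only rc 0 is accepted; ALTER or undefined -> simple mode."""
    if saf.auth("$FLGLOBL", "MUSTDEF", "ALTER") == RC_OK:
        return False
    return saf.auth("$FLGLOBL", "MUSTDEF", "READ") == RC_OK


def lookup(saf: FakeSaf, cls: str, entity: str, strict: bool) -> Optional[str]:
    """Apply the READ/ALTER convention shared by every FLAM class:
    ALTER -> 'ALLOW' (permitted without restriction),
    READ  -> 'RESTRICT' (checking activated / resource blocked / policy enforced),
    rc >= 8, or rc 4 under MUSTDEF -> 'ERROR' (authorization error),
    undefined in simple mode -> None (accepted by default, backward compatible)."""
    if saf.auth(cls, entity, "ALTER") == RC_OK:
        return "ALLOW"
    rc = saf.auth(cls, entity, "READ")
    if rc == RC_OK:
        return "RESTRICT"
    if rc == RC_UNDEF and not strict:
        return None
    return "ERROR"


def decide(saf: FakeSaf, master_entity: str, cls: str, entity: str) -> str:
    """Full decision for one resource or policy: the $FLGLOBL master entity
    must activate the class (READ) before the class itself is consulted."""
    strict = strict_mode(saf)
    gate = lookup(saf, "$FLGLOBL", master_entity, strict)
    if gate is None or gate == "ALLOW":
        return "ALLOW"                   # checks for this class are switched off
    if gate == "ERROR":
        return "ERROR"
    verdict = lookup(saf, cls, entity, strict)
    return "ALLOW" if verdict is None else verdict


# Constructed profile table: what one caller holds on each (class, entity)
BASE_PROFILES: Profiles = {
    ("$FLGLOBL", "PGP.USERID"): "READ",                 # activate $FLPGUID checks
    ("$FLPGUID", "batch.transfer@example"): "ALTER",    # this user id may be used
    ("$FLPGUID", "hr.payroll@example"): "READ",         # this one may not
    ("$FLGLOBL", "POLICIES"): "READ",                   # activate $FLPOLCY
    ("$FLPOLCY", "PGP.WRITE.ENFORCE.SIGNING"): "READ",  # policy enforced
    ("$FLPOLCY", "PGP.WRITE.PWD"): "ALTER",             # password writes still allowed
    # $FLGLOBL SSH.CONNECT deliberately left undefined
}


def simple_mode_decisions() -> Dict[str, str]:
    saf = FakeSaf(BASE_PROFILES)
    return {
        "known user id": decide(saf, "PGP.USERID", "$FLPGUID", "batch.transfer@example"),
        "blocked user id": decide(saf, "PGP.USERID", "$FLPGUID", "hr.payroll@example"),
        "undefined user id": decide(saf, "PGP.USERID", "$FLPGUID", "nobody@example"),
        "signing policy": decide(saf, "POLICIES", "$FLPOLCY", "PGP.WRITE.ENFORCE.SIGNING"),
        "password write policy": decide(saf, "POLICIES", "$FLPOLCY", "PGP.WRITE.PWD"),
        "ssh host, checks off": decide(saf, "SSH.CONNECT", "$FLSSHHO", "sftp.example"),
    }


def strict_mode_decisions() -> Dict[str, str]:
    saf = FakeSaf({**BASE_PROFILES, ("$FLGLOBL", "MUSTDEF"): "READ"})
    return {
        "known user id": decide(saf, "PGP.USERID", "$FLPGUID", "batch.transfer@example"),
        "undefined user id": decide(saf, "PGP.USERID", "$FLPGUID", "nobody@example"),
        "ssh host, gate undefined": decide(saf, "SSH.CONNECT", "$FLSSHHO", "sftp.example"),
    }


if __name__ == "__main__":
    for name, table in (("simple", simple_mode_decisions()), ("strict", strict_mode_decisions())):
        print(f"{name} mode (MUSTDEF {'set' if name == 'strict' else 'unset'}):")
        for what, verdict in table.items():
            print(f"  {what:26s} -> {verdict}")
```

Running the script prints both decision tables. The contrast worth noticing is the undefined entries: an unknown PGP user id and an undefined SSH.CONNECT gate both pass in simple mode, because return code 4 is accepted by default, but become authorization errors once MUSTDEF is granted READ. That is the reason to switch MUSTDEF on only after every profile has been defined, and the reason to prefer it afterwards, since otherwise a forgotten profile passes silently.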