Anonymous | Login | Signup for a new account | 2024-11-21 13:37 CET |
My View | View Issues | Change Log | Roadmap | Search |
View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
ID | Project | Category | View Status | Date Submitted | Last Update | ||||
0000879 | FL5 | 2.2 Subprogram FLUC (CONV) | public | 2017-06-12 08:19 | 2019-06-17 16:02 | ||||
Reporter | Falk Reichbott | ||||||||
Assigned To | Falk Reichbott | ||||||||
Priority | normal | Severity | feature | Reproducibility | N/A | ||||
Status | resolved | Resolution | fixed | ||||||
Platform | System z | OS | z/OS | OS Version | V2R20 | ||||
Product Version | 5.1.19 | ||||||||
Target Version | 5.1.21 | Fixed in Version | 5.1.21 | ||||||
Summary | 0000879: Support SAF request in SW implementations for key access and other resources | ||||||||
Description | With ICSF support you can use SAF class CSFKEYS and CSFSERV togehter with policies to prevent missuse of keys. If a software implementation e.g. for PGP (PGP key Rings, or Truststore with ICSF) used, then the control which PGP user ID can be used is lost. Add corresponding SAF requests for such implementations. | ||||||||
Tags | No tags attached. | ||||||||
Attached Files | |||||||||
Relationships | ||||||
|
Notes | |
(0001258) Falk Reichbott (administrator) 2019-06-13 12:46 |
Hallo Herr Schöller Danke für dieses Issue, wir werden dem nachgehen. Grundsätzlich ist es in sich aber schon flasch, was hier passiert. Sie lesen ein FLAMFILE, was als Member einen KSDS enthält und dieses wird als PSVB vom FLUC in eine temporäre Datei geschrieben. Dann startet die CLIST den ISPF-Editor, sie ändern auf der temproären Datei rum und wollen nun mit PF3 speichern. Sprich der ISPF-Editor beendet sich und die überschriebene temproäre Datei wird nun mit dem Inverskommende über den FLUC von der CLIST zurückgeschrieben. Was sie hierbei erhalten, wenn es keinen Fahler geben würde, ist ein PSVB-Member in dem FLAMFILE, was glaube ich nicht ihren Erwartungen entspricht. Denn sie hoffen, dass dies ein KSDS ist oder? Dies wird über FLVEDIT nicht funktionieren. Da ja von Ihnen die nativen Records und kein XML oder ähnliches bearbeitet wird, sollten sie hier mit FLEDIT arbeiten, dann sollte es gehen. Das Protokoll, was sie uns geschickt haben, zeigt aber eindeutig, dass wir hier einen Bug haben, denn wir, sofern wir ihn nachvollziehen können fixen, so dass ein PSVB-Member nach dem PF3 in dem FLAMFILE steht. Hier wieder einen KSDS als Member zu erzeugen, ist leider nicht möglich, denn dafür müste die Temporäre Datei ein KSDS sein, was ja nicht geht. Also FLVEDIT macht nur für PS sinn. Weil es nach PS überführt. Der FLUC kann nur sequentiell lesen und schreiben. Mfg Falk Reichbott |
(0001260) Falk Reichbott (administrator) 2019-06-13 13:01 |
Hallo Herr Schöller Habe gerade mit der FLAM4-Fraktion gesprochen und FLEDIT hat das gleiche Problem, wie FLVEDIT und in ihrem Fall ist das FLAMFILE selbst noch ein VSAM-KSDS, wo wir nicht zurückschrieben dürfen, was der FF.0000E8 besagt. MfG Falk Reichbott |
(0001268) Falk Reichbott (administrator) 2019-06-17 16:02 |
A first set of additional SAF checks are implemented SAF configuration ~~~~~~~~~~~~~~~~~ Since version 5.1.21 FLAM supports additional SAF checks for the classes and entities below. Each FLAM class starts with '$FL'. To be backward compatible with previous releases, an undefined resource (return code 4) will be accepted by default. This also forces that the prefix cannot be changed. Only a return code greater or equal 8 will result in an authorization or license error. With the first class the 6 byte long feature code can be controlled. CLASS: '$FLFEATR' - Feature de/activation Entities: Are equal to FLAM feature names (show in your license) Attribute: 'READ' deactivates the feature Attribute: 'ALTER' activates the feature This support will fail with a license error. The class is global and is only available if a new license module requested. All checks below are part of the FL5 components, can be controlled over a global master class and will result in an authorization error. CLASS: '$FLGLOBL' - Global master class to activate several SAF checks Entity: 'MUSTDEF' - Don't accept return code 4 anything must be defined Attribute: 'READ' activate the strong SAF checking (return code must be 0 else fail) Attribute: 'ALTER' only simple SAF checking active (return code must >=8 to fail) Entity: 'POLICIES' - General policies ($FLPOLCY) Entity: 'CLP.CONTROL' - Parameter string ($FLCLPAR) Entity: 'AVE.CONTROL' - Anti virus exit ($FLAV*) Entity: 'CPE.CONTROL' - Column processing exit ($FLCP*) Entity: 'KME.CONTROL' - Key management exit ($FLKM*) Entity: 'SSH.CONNECT' - SSH connections ($FLSSH*) Entity: 'PGP.KEYMNGM' - PGP key management ($FLPGP*) Entity: 'SMF.LOGGING' - Enforce SMF-Logging Entity: 'PGP.USERID' - Access to user ids ($FLPGUID) Entity: 'PGP.KEYID' - Access to key ids ($FLPGKID) Attribute: 'READ' activate the SAF checking Attribute: 'ALTER' allow to do this without SAF The classes below are control by the global master above: CLASS: '$FLPOLCY' - Several policies Entity: 'SSH.PCAP.NOT.ALLOWED' - Packet capturing is not allowed Entity: 'SSH.WAEK.HOST.KEY.CHECK.NOT.ALLOWED' - WARN and ACCEPT is not allowed Entity: 'SSH.CUSTOM.HOST.KEY.NOT.ALLOWED' - A custom host key is not allowed Entity: 'SSH.CUSTOM.KNOWN.HOST.FILE.NOT.ALLOWED' - A custom known host key file is not allowed Entity: 'KEY.GENERATE.PGP.EXPIRD.REQIRED' - Expiration date required Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN1024' - Minimum 1024 bit required Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN2048' - Minimum 2048 bit required Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN3072' - Minimum 3072 bit required Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN4096' - Minimum 4096 bit required Entity: 'KEY.GENERATE.PGP.ALGO.DSA.NOT.ALLOWED' - DSA algorithm is not allowed Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN1024' - Minimum 1024 bit required Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN2048' - Minimum 2048 bit required Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN3072' - Minimum 3072 bit required Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN4096' - Minimum 4096 bit required Entity: 'KEY.IMPORT.PGP.KIDVER.REQ04' - A minimum of 4 byte finger print for import Entity: 'KEY.IMPORT.PGP.KIDVER.REQ08' - A minimum of 8 byte finger print for import Entity: 'PGP.READ.PWD' - Read with passwords is not allowed (enforce PKA) Entity: 'PGP.WRITE.PWD' - Write with passwords is not allowed (enforce PKA) Entity: 'PGP.REENC.PWD' - Re encryption with passwords is not allowed (enforce PKA) Entity: 'PGP.READ.ENFORCE.ENCRYPTION' - Enforce encryption at read of PGP files Entity: 'PGP.READ.ENFORCE.INTEGRITY' - Enforce integrity protection at read of PGP files Entity: 'PGP.READ.ENFORCE.SIGNING' - Enforce signing at read of PGP files Entity: 'PGP.WRITE.ENFORCE.ENCRYPTION' - Enforce encryption at write of PGP files Entity: 'PGP.WRITE.ENFORCE.INTEGRITY' - Enforce integrity protection at write of PGP files Entity: 'PGP.WRITE.ENFORCE.SIGNING' - Enforce signing at write of PGP files Attribute: 'READ' enforced the policy Attribute: 'ALTER' allow to do this CLASS: '$FLCLPAR' - Command line parser Entities: Path to this parameter Attribute: 'READ' not allowed Attribute: 'ALTER' can be used CLASS: '$FLSSHUS' - SSH user Entities: SSH user id Attribute: 'READ' not usable Attribute: 'ALTER' can be used CLASS: '$FLSSHHO' - SSH host Entities: IP oder DSN for SSH daemon Attribute: 'READ' not usable Attribute: 'ALTER' can be used CLASS: '$FLSSHPO' - SSH port Entities: Port of SSH daemon (decimal number) Attribute: 'READ' not usable Attribute: 'ALTER' can be used CLASS: '$FLAVLIB' - FAVE library Entities: Library name name Attribute: 'READ' not usable Attribute: 'ALTER' can be used CLASS: '$FLAVFUC' - FAVE Function Entities: Function name used Attribute: 'READ' not usable Attribute: 'ALTER' can be used CLASS: '$FLAVPAR' - FAVE Parameter Entities: Parameter string used Attribute: 'READ' not usable Attribute: 'ALTER' can be used CLASS: '$FLAVIPH' - FAVE IP host Entities: IP address of AV daemon Attribute: 'READ' not usable Attribute: 'ALTER' can be used CLASS: '$FLAVIPS' - FAVE IP service/port Entities: IP service of AV daemon Attribute: 'READ' not usable Attribute: 'ALTER' can be used CLASS: '$FLCPLIB' - FCPE library Entities: Library name name Attribute: 'READ' not usable Attribute: 'ALTER' can be used CLASS: '$FLCPFUC' - FCPE Function Entities: Function name used Attribute: 'READ' not usable Attribute: 'ALTER' can be used CLASS: '$FLCPPAR' - FCPE Parameter Entities: Parameter string used Attribute: 'READ' not usable Attribute: 'ALTER' can be used CLASS: '$FLKMLIB' - FKME library Entities: Library name name Attribute: 'READ' not usable Attribute: 'ALTER' can be used CLASS: '$FLKMFUC' - FKME Function Entities: Function name used Attribute: 'READ' not usable Attribute: 'ALTER' can be used CLASS: '$FLKMPAR' - FKME Parameter Entities: Parameter string used Attribute: 'READ' not usable Attribute: 'ALTER' can be used CLASS: '$FLPGPGN' - PGP generate Entities: User ID to be generated Attribute: 'READ' not allowed Attribute: 'ALTER' can be done CLASS: '$FLPGPEX' - PGP export Entities: User ID to be exported Attribute: 'READ' not allowed Attribute: 'ALTER' can be done CLASS: '$FLPGPIM' - PGP import Entities: User ID to be imported Attribute: 'READ' not allowed Attribute: 'ALTER' can be done CLASS: '$FLPGPDL' - PGP delete Entities: User ID to be deleted Attribute: 'READ' not allowed Attribute: 'ALTER' can be done CLASS: '$FLPGUID' - Operational PGP user Entities: User ID mainly at write Attribute: 'READ' not allowed Attribute: 'ALTER' can be done CLASS: '$FLPGKID' - Operational PGP key ID Entities: Key ID at read and write Attribute: 'READ' not allowed Attribute: 'ALTER' can be done |
Issue History | |||
Date Modified | Username | Field | Change |
2017-06-12 08:19 | Falk Reichbott | New Issue | |
2017-06-12 08:19 | Falk Reichbott | Status | new => assigned |
2017-06-12 08:19 | Falk Reichbott | Assigned To | => Mykhailo Moldavskyy |
2017-06-12 08:27 | Falk Reichbott | Relationship added | related to 0000880 |
2017-08-31 16:51 | Falk Reichbott | Target Version | 5.1.16 => 5.1.18 |
2018-06-18 09:36 | Falk Reichbott | Target Version | 5.1.18 => 5.1.19 |
2018-08-01 09:00 | Falk Reichbott | Target Version | 5.1.19 => 5.1.20 |
2018-11-02 12:50 | Falk Reichbott | Assigned To | Mykhailo Moldavskyy => Falk Reichbott |
2019-02-28 17:33 | Falk Reichbott | Target Version | 5.1.20 => 5.1.21 |
2019-06-13 12:46 | Falk Reichbott | Note Added: 0001258 | |
2019-06-13 12:47 | Falk Reichbott | Product Version | 5.1.15 => 5.1.19 |
2019-06-13 13:01 | Falk Reichbott | Note Added: 0001260 | |
2019-06-17 16:02 | Falk Reichbott | Note Added: 0001268 | |
2019-06-17 16:02 | Falk Reichbott | Status | assigned => resolved |
2019-06-17 16:02 | Falk Reichbott | Fixed in Version | => 5.1.21 |
2019-06-17 16:02 | Falk Reichbott | Resolution | open => fixed |
Copyright © 2000 - 2024 MantisBT Team |