Db2 for z/OS & Db2ZAI

  • 1.  New Db2 subsystem parameter DISALLOW_SSARAUTH

    Posted Fri May 01, 2020 01:40 PM
    Hello,

    PTF UI65769 added new Db2 subsystem parameter DISALLOW_SSARAUTH that determines whether user address spaces are blocked from setting a Db2 address space as a secondary address space. 

    No (default)
    Yes 

    Normally we would just choose the default value of No but I'd like to know the repercussions first if possible.  Is it considered a security risk if we have No? 

    Does anyone have some advice on this new zparm?

    Thanks.
    Gloria Fries

    ------------------------------
    Gloria Fries
    ------------------------------

    #Db2forz/OS


  • 2.  RE: New Db2 subsystem parameter DISALLOW_SSARAUTH

    Posted Mon May 04, 2020 08:13 AM

    Hi Gloria,
    I found this PMR hope it helps you

    Description:

    04:37 pm
    03/24
    Hi,
    
    PTF UI66853 enables a new ZPARM DISALLOW_SSARAUTH='YES' to prevent user address spaces from setting a Db2 address space as a secondary address space. We are not quite sure what the exact benefits are if it is set to 'YES'. Please advise.
    
    Thanks..

    Posts:

    • Tue Mar 24 2020
    • 07:02 pm
      03/24
      Action Taken: Cross Memory Communications
      1) SRB
      2) Basic Cross memory mode
      3) Access Register mode
      4) Synchronous Cross Memory
      
      Basic Cross Memory : Cross memory mode was introduced after the SRB, and allowed a program to access memory in another address space before the invention of access registers and PC instructions. To use this, the caller:
       * Sets AXSET=1 to allow access to any address space.
       * Uses SSAR to set the secondary space to the remote address space.
       * Uses MVCS and MVCP to move data between address spaces.
       * Uses SSAR to set secondary space back.
       * Sets AXSET=0.
      
      
      This is not very clearly documented by IBM, but works fine when the target address space is non-swappable. If the target address space is swapped out, a S0C4 abend will occur.
      Advantages
       * Easy to understand – no complicated synchronous cross memory.
       * Easy to code.
      
      Disadvantages
       * Remote address space must be non-swappable.
       * If another task has set AXSET to something other than 1 or 0, you can't then set it to 1. You're locked out.
       * Cannot access memory in more than two address spaces (primary and secondary) at the same time.
       * Caller must be APF authorised.
       * Must use MVCP and MVCS to move data between the primary and secondary address spaces - cannot use other instructions like CLC, MVST, MVCL to address anything in the secondary address space.
      
      Sample Code
      In this sample routine, the ASID of the target (remote) address space is already stored in the RMTASID word.
      * ---------------------------------------------------
      * Setup everything
      * ---------------------------------------------------
      XC RMTASN,RMTASN Clear the remote ASN word
      LH R1,RMTASID Get remote ASID (halfword)
      STH R1,RMTASN+2 Save it in the low halfword of RMTASN
      XR R2,R2
      ESAR R2 Get our ASN (secondary = home on entry)
      ST R2,HOMEASN Save our ASN
      
      * ---------------------------------------------------
      * Get into cross memory mode
      * ---------------------------------------------------
      MODESET KEY=ZERO,MODE=PROB Into key 0
      LA R2,1
      AXSET AX=(R2) Auth index = 1 (all)
      L R2,RMTASN
      SSAR R2 Remote space is now secondary
      
      * ---------------------------------------------------
      * Move storage
      * ---------------------------------------------------
      (use MVCS and MVCP for copying storage)
      
      * ---------------------------------------------------
      * Get out of cross memory mode (undo in reverse order)
      * ---------------------------------------------------
      L R2,HOMEASN
      SSAR R2 Secondary back to home
      XR R2,R2
      AXSET AX=(R2) Auth index = 0 (none), still in key 0
      MODESET KEY=NZERO,MODE=PROB Back to key 8
      
      * ---------------------------------------------------
      * Back to caller
      * ---------------------------------------------------
      BR R14
      
      * ---------------------------------------------------
      * Storage
      * ---------------------------------------------------
      HOMEASN DS F Home ASN
      RMTASN DS F Remote ASN (ASID in low halfword)
      
      The basic cross memory facility introduced the idea of home, primary and secondary address spaces:
       * Home - where the program was called from, or where the program's TCB is.
       * Primary - where the instructions for the program are, and the default area where the data is.
       * Secondary - a second address space where data can be accessed.
      
      In the above example, the instruction SSAR is used to set the secondary address space, and ESAR to get it. EPAR can be used to get the primary address space (but there's no instruction to set it).
      Many macros and services cannot be called in cross memory mode. Check the relevant documentation before using them.
    • 07:35 pm
      03/24
      Hi Patrick, Thanks for the help.
    • 05:52 pm
      03/24
      Action Taken:
      Q. We are not quite sure what the exact benefits are if it is set to 'YES'. Please advise.
      
      A. Hi Jim, it's really a security benefit. YES means that user address spaces are blocked from setting a Db2 address space as a secondary address space.
      Db2 address spaces usually have specialized authorizations; an example is encryption. If a user address space
      could set a Db2 address space as a secondary address space, it may be able to gain access to authorizations that
      are not set for the user.
      Important: The DISALLOW_SSARAUTH subsystem parameter takes effect only after the PTF for APAR PH01725 is applied. Do not set the value to YES before that APAR is applied, and you have verified that all of your tools support this parameter. Also, set the DISALLOW_SSARAUTH subsystem parameter to YES in your test environment before you do so in production.
    • 06:41 pm
      03/24
      Hi Patrick,
      
      Thanks for the info. 
      Could you please give an example or a situation where a user allied address space uses a Db2 address space as a secondary address space to gain access to authorizations that
      are not set for the user?
      
      Thanks..


    ------------------------------
    Selma Soares
    ------------------------------
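To make the PMR answer above concrete, here is a small Python model of the decisions it describes: the authorization index convention (AX 0 = none, AX 1 = all), the SSAR check, MVCP needing a secondary space that is in storage (the S0C4 case), and the effect of DISALLOW_SSARAUTH=YES on a user job. This is an added teaching model written for this thread, not IBM code and not how z/OS or Db2 actually implement the check; the address space names, ASIDs and the `is_db2` flag are constructed assumptions.

```python
"""Simplified model of the cross-memory authorization decisions the PMR answer
describes.  Added teaching model, not IBM code and not how z/OS or Db2 implement
the check; names, ASIDs and the is_db2 flag are constructed for the example."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

AX_NONE = 0   # AXSET AX=0: no authority to set another space as secondary
AX_ALL = 1    # AXSET AX=1: authority to set any space as secondary


class CrossMemoryError(Exception):
    """Stands in for an abend (e.g. S0C4) in this model."""


@dataclass
class AddressSpace:
    asid: int
    name: str
    is_db2: bool = False          # Db2 spaces carry special authorizations (thread's example)
    swapped_out: bool = False
    ax: int = AX_NONE
    # authority table: AX value -> may a caller with that AX use us as secondary?
    authority_table: Dict[int, bool] = field(default_factory=dict)


@dataclass
class Program:
    home: AddressSpace
    secondary: Optional[AddressSpace] = None


def axset(space: AddressSpace, new_ax: int) -> None:
    """Model of AXSET: if some task already set an AX other than 0 or 1,
    the space is locked out of the 0/1 convention (as the PMR text notes)."""
    if space.ax not in (AX_NONE, AX_ALL):
        raise CrossMemoryError(f"{space.name}: AX already {space.ax}, cannot set {new_ax}")
    space.ax = new_ax


def ssar(prog: Program, target: AddressSpace,
         disallow_ssarauth: bool = False) -> Tuple[bool, str]:
    """Model of SSAR: may prog make target its secondary address space?"""
    if target is prog.home:
        prog.secondary = target
        return True, "secondary reset to home"
    if prog.home.ax == AX_NONE:
        return False, "AX=0: no secondary-space authority"
    # Modelled effect of DISALLOW_SSARAUTH=YES as the thread states it: user
    # (non-Db2) address spaces may not set a Db2 address space as secondary.
    if disallow_ssarauth and target.is_db2 and not prog.home.is_db2:
        return False, f"DISALLOW_SSARAUTH=YES blocks {prog.home.name} -> {target.name}"
    if prog.home.ax != AX_ALL and not target.authority_table.get(prog.home.ax, False):
        return False, f"AX={prog.home.ax} not authorized in {target.name}'s authority table"
    prog.secondary = target
    return True, f"secondary = {target.name}"


def mvcp(prog: Program, nbytes: int) -> int:
    """Model of MVCP (secondary -> primary): needs a remote secondary that is
    currently in storage; a swapped-out target is the S0C4 case."""
    if prog.secondary is None or prog.secondary is prog.home:
        raise CrossMemoryError("not in cross memory mode")
    if prog.secondary.swapped_out:
        raise CrossMemoryError("S0C4: secondary address space is swapped out")
    return nbytes


def user_job_reads_db2(disallow_ssarauth: bool) -> Tuple[bool, bool, int]:
    """Walk a user job through the sample routine's steps against a Db2 space.
    Returns (denied while AX=0, allowed after AXSET AX=1, bytes copied)."""
    db2 = AddressSpace(asid=0x0041, name="DB2ADBM1", is_db2=True)   # constructed
    job = AddressSpace(asid=0x0123, name="USERJOB")                  # constructed
    prog = Program(home=job)
    denied_at_ax0 = not ssar(prog, db2, disallow_ssarauth)[0]
    axset(job, AX_ALL)                         # the routine's AXSET AX=1
    allowed, _reason = ssar(prog, db2, disallow_ssarauth)
    copied = mvcp(prog, 4096) if allowed else 0
    ssar(prog, job)                            # undo in reverse order
    axset(job, AX_NONE)
    return denied_at_ax0, allowed, copied


if __name__ == "__main__":
    print("DISALLOW_SSARAUTH=NO :", user_job_reads_db2(False))
    print("DISALLOW_SSARAUTH=YES:", user_job_reads_db2(True))
```

Running it shows the point of the zparm: with the default NO, an APF-authorized user job that sets AX=1 can make the Db2 space its secondary and copy from it; with YES the same SSAR is refused, and the AX=0 denial and the swapped-out S0C4 case behave as the PMR text describes regardless of the setting.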



  • 3.  RE: New Db2 subsystem parameter DISALLOW_SSARAUTH

    IBM Champion
    Posted Mon May 04, 2020 09:30 AM
    Hello Gloria,

    https://www.ibm.com/support/knowledgecenter/SSEPEK_12.0.0/inst/src/tpc/db2z_ipf_disallowssarauth.html

    The DISALLOW_SSARAUTH subsystem parameter takes effect only after the PTF for APAR PH01725 is applied. Do not set the value to YES before that APAR is applied, and you have verified that all of your tools support this parameter. Also, set the DISALLOW_SSARAUTH subsystem parameter to YES in your test environment before you do so in production.

    I found that there could be problems with NGT UNLOAD of BMC.

    Hope this can help you.
    Regards Chiara

    ------------------------------
    Chiara Baldan
    ------------------------------



  • 4.  RE: New Db2 subsystem parameter DISALLOW_SSARAUTH

    Posted Mon May 04, 2020 01:59 PM
    Thank you for this information.  It is very helpful and I have a much better understanding of this system parameter now.

    ------------------------------
    Gloria Fries
    ------------------------------