CA Top Secret Security for z/os CA RS 1708 Service List

Transcription

1 CA Top Secret Security for z/os CA RS 1708 List Description Type RO91733 CICS: SUPPORT CICS TS (CTS) REL 5.4 FOR Z/OS PTF RO91735 TSS COMMAND ABEND S0C4 IN TSSKERNL PTF RO94015 CICS: SUPPORT CICS TS (CTS) REL 5.4 FOR Z/OS PTF RO94449 SAFHFSEC ABEND WITH S0C4-3B AT OFFSET X'244C' PTF RO95752 DURING SECCACHE CLEAR POSSIBLE ECSA/CSA LOSS PTF RO96135 CICS: U752 ABEND ON VERIFY PASSWORD PTF RO96225 NEW CHANGES TO SECCACHE PROCESSING PTF RO96542 SECURE TRANSACTION TSS VIA OPTIONS(92) PTF RO96670 S0C4 TSSCFBK +334E RUNNING TSSCFILE AGAINST BACKUP FILE ** PRP ** RO96857 RACROUTE POE= IGNORED DURING SIGNON PROCESSING PTF RO96977 ENHANCEMENTS TO MULTI-FACTOR AUTHENTICATION (MFA) SUPPORT PTF RO96998 SUPPORT CICS EXTRACT OF FLAG7 & FLAG8 PTF RO97041 TSS0319E INVALID SPECIFICATION FOR KEYWORD PASSWORD ** PRP ** The CA RS 1708 service count for this release is 13

2 CA Top Secret Security for z/os 2 CA RS 1708 List for FMID Description Type RO91735 TSS COMMAND ABEND S0C4 IN TSSKERNL PTF RO94015 CICS: SUPPORT CICS TS (CTS) REL 5.4 FOR Z/OS PTF RO94449 SAFHFSEC ABEND WITH S0C4-3B AT OFFSET X'244C' PTF RO95752 DURING SECCACHE CLEAR POSSIBLE ECSA/CSA LOSS PTF RO96225 NEW CHANGES TO SECCACHE PROCESSING PTF RO96542 SECURE TRANSACTION TSS VIA OPTIONS(92) PTF RO96670 S0C4 TSSCFBK +334E RUNNING TSSCFILE AGAINST BACKUP FILE ** PRP ** RO96857 RACROUTE POE= IGNORED DURING SIGNON PROCESSING PTF RO96977 ENHANCEMENTS TO MULTI-FACTOR AUTHENTICATION (MFA) SUPPORT PTF RO96998 SUPPORT CICS EXTRACT OF FLAG7 & FLAG8 PTF RO97041 TSS0319E INVALID SPECIFICATION FOR KEYWORD PASSWORD ** PRP ** The CA RS 1708 service count for this FMID is 11

3 CA Top Secret Security for z/os 3 CA RS 1708 List for CAKOG01 FMID Description Type CAKOG01 RO91733 CICS: SUPPORT CICS TS (CTS) REL 5.4 FOR Z/OS PTF RO96135 CICS: U752 ABEND ON VERIFY PASSWORD PTF The CA RS 1708 service count for this FMID is 2

4 CA Top Secret Security for z/os CA RS PTF RO91733 RO91733 RO91733 M.C.S. ENTRIES = ++PTF (RO91733) CICS: SUPPORT CICS TS (CTS) REL 5.4 FOR Z/OS Product updates are required to support the new release of CICS TS 5.4. * Support APAR for Level: CTS 5.4 GA * In addition to recognizing the new release, The following new Category 1 transaction codes are recognized: CMPE COHT, COIE, COIR, COI0, CONA, COND, CONH, CONL, CONM, COWC Message "TSS6006I - TSS/CICS Security Inactive. : jobname" displays at region startup. You are unable to use the CA Top Secret CICS interface with CICS TS 5.4. None. TSSMVS 9838 Copyright (C) 2017 CA. All rights reserved. R00173-TSS160-SP1 DESC(CICS: SUPPORT CICS TS (CTS) REL 5.4 FOR Z/OS FMID (CAKOG01) PRE ( RO85964 RO86093 RO87961 ) SUP ( TR91733 ) ++IF FMID() REQ(RO94015 ). ++HOLD (RO91733) SYSTEM FMID(CAKOG01) REASON (DEP ) DATE (17206) CA Top Secret for z/os CICS Component Version 16.0 PURPOSE Enable updated code USERS All users AFFECTED KNOWLEDGE Linklist contents (optional) REQUIRED Console commands ACCESS Master console REQUIRED 1. Perform an LLA REFRESH (if applicable) 2. Perform an ENF,REFRESH(CAKSCINT) 3. Ensure one of the following ENF SYSMODs are installed: Release 14.1: APAR TR91406 or PTF RO Ensure Top Secret PTFs RO96998 & RO96135 are installed 5. Recycle the CICS TS region.

5 CA Top Secret Security for z/os CA RS PTF RO91735 RO91735 RO91735 M.C.S. ENTRIES = ++PTF (RO91735) The following items are included in this solution: 1. TSS COMMAND ABEND S0C4 IN TSSKERNL 2. INVALID RECOVERY RECORDS > 128 LENGHT MAY BE INVALID ========================================================================== TSS COMMAND ABEND S0C4 IN TSSKERNL An S0C4 abend in TSSKERNL module TSSKCHG at offset AC0 may occur during the generation of the recovery file entry for a TSS command. The specific TSS command was a DELETE for an ACID whose name ended with the letters 'PAS'. This could happen for any TSS command where the last 3 letters of the command matched 'PAS' or 'PHR'. TSS9190A CA-TSS COMMAND PROCESSOR ABEND S0C4 IN TSSKERNL CCSR010E TSSAUTHZ S0C4 at A0 LMOD TSSKERNL CSECT TSSKCHG +000AC0 The recovery file record for this command does not get written. If recovery was attempted using records from this time period, the ACID would not be deleted as expected. None available. CA Top Secret for z/os Release 15.0 TSSMVS 9857 ========================================================================== INVALID RECOVERY RECORDS > 128 LENGHT MAY BE INVALID Command recovery records that are greater than 128 characters have the potential to be marked with an invalid change code. The TSS commands complete successfully. The problem only shows up with TSSAUDIT showing invalid entries. Example of a command greater than 128 positions: TSS REM(USERA ) ASUSPEND + Comment length that added together exceeds 128 May show in the TSSAUDIT report as: USERZ 06/01/18 13:05:06 LPXX PW TSS REP(USERA ) PASSWORD(????????) FACILITY(XXXXXXX ) If recovery is attempted using records from this time period, the ACID would not be updated as expected. None available. CA Top Secret for z/os Release 15.0 TSSMVS 9962 Copyright (C) 2017 CA. All rights reserved. R00174-TSS160-SP1 DESC(TSS COMMAND ABEND S0C4 IN TSSKERNL FMID () PRE ( RO84794 RO86945 ) SUP ( TR91735 ) ++HOLD (RO91735) SYSTEM FMID() REASON (DYNACT ) DATE (17180)

6 CA Top Secret Security for z/os CA RS PTF RO91735 PURPOSE Load module into LLA and activate USERS All AFFECTED KNOWLEDGE 1. Console commands REQUIRED 2. Top Secret administration ACCESS 1. Console authority REQUIRED 2. TSS administrative authority SMP APPLY, LLA REFRESH and restart CA Top Secret with TSS,,,REINIT

7 CA Top Secret Security for z/os CA RS PTF RO94015 RO94015 RO94015 M.C.S. ENTRIES = ++PTF (RO94015) CICS: SUPPORT CICS TS (CTS) REL 5.4 FOR Z/OS Product updates are required to support the new release of CICS TS 5.4. * Support APAR for Level: CTS 5.4 GA * In addition to recognizing the new release, The following new Category 1 transaction codes are recognized: CMPE COHT, COIE, COIR, COI0, CONA, COND, CONH, CONL, CONM, COWC Message "TSS6006I - TSS/CICS Security Inactive. : jobname" displays at region startup. You are unable to use the CA Top Secret CICS interface with CICS TS 5.4. None. TSSMVS 9838 Copyright (C) 2017 CA. All rights reserved. R00173-TSS160-SP1 DESC(CICS: SUPPORT CICS TS (CTS) REL 5.4 FOR Z/OS FMID () SUP ( RO79805 TR79805 TR87654 TR87710 TR94015 ) ++IF FMID(CAKOG01) REQ(RO91733 ).

8 CA Top Secret Security for z/os CA RS PTF RO94449 RO94449 RO94449 M.C.S. ENTRIES = ++PTF (RO94449) SAFHFSEC ABEND WITH S0C4-3B AT OFFSET X'244C' With HFSSEC active, one can abend with S0C4-3B during a security check in SAFHFSEC while scanning the UID table. CARR290E - Error recovery routine entered for CARRZOPD. CARR299E - CARRPCZ USS Abend 00C4: PSW = 070C0601 AC8731EC Offset: +244C. Batch job fails. Issue: 'F TSS,OMVSTABS' to rebuild the OMVS UID table. CA Top Secret for z/os Release 15.0 TSSMVS 9921 Copyright (C) 2017 CA. All rights reserved. R00239-TSS160-SP1 DESC(SAFHFSEC ABEND WITH S0C4-3B AT OFFSET X'244C' FMID () PRE ( RO87918 RO89750 ) SUP ( TR94449 ) ++HOLD (RO94449) SYSTEM FMID() REASON (DYNACT ) DATE (17181) PURPOSE Activate change without IPL USERS Sites with CA SAF HFS security enabled AFFECTED KNOWLEDGE Operator commands REQUIRED ACCESS z/os Operator console REQUIRED 1. LLA Refresh 2. Execute console command 'F TSS,REFRESH(SAFHFSEC)'

9 CA Top Secret Security for z/os CA RS PTF RO95752 RO95752 RO95752 M.C.S. ENTRIES = ++PTF (RO95752) DURING SECCACHE CLEAR POSSIBLE ECSA/CSA LOSS During a SECCACHE clear, if a new logon is driven, TSS will allocate ECSA storage which will not be freed. This could result in ECSA/CSA shortage. TSS9403E INSUFFICIENT CSA OR LOCAL STORAGE TSS9999E CA-TSS SECURITY SVC ABEND S0C4 IN TSSKERNL+52A3C Loss of ECSA/CSA storage. None. TSSMVS 9942 Copyright (C) 2017 CA. All rights reserved. R00269-TSS160-SP1 DESC(DURING SECCACHE CLEAR POSSIBLE ECSA/CSA LOSS FMID () PRE ( RO80127 ) SUP ( TR95752 ) ++HOLD (RO95752) SYSTEM FMID() REASON (DYNACT ) DATE (17138) PURPOSE Load module into LLA and activate USERS All AFFECTED KNOWLEDGE 1. Console commands REQUIRED 2. Top Secret administration ACCESS 1. Console authority REQUIRED 2. TSS administrative authority SMP APPLY, LLA REFRESH and restart CA Top Secret with TSS,,,REINIT

10 CA Top Secret Security for z/os CA RS PTF RO96135 RO96135 RO96135 M.C.S. ENTRIES = ++PTF (RO96135) CICS: U752 ABEND ON VERIFY PASSWORD CICS TS 5.4 and possibly later levels of earlier releases may issue a RACROUTE VERIFY CREATE while processing VERIFY PASSWORD. During this call, the TSS callback code attempts to locate the user's ACEE that would have been built as part of a normal signon, of which the VERIFY CREATE is assumed to be part. When it is not found, the U751 abend is raised. DFHXS0001 A58IOCIC An abend (code ---/0751) has occurred at offset X'FFFF' in module DFHXSPW. Unit of work failure None Version 15.0 TSSMVS 9956 Copyright (C) 2017 CA. All rights reserved. R00284-TSS160-SP1 DESC(CICS: U752 ABEND ON VERIFY PASSWORD FMID (CAKOG01) PRE ( RO80996 ) SUP ( TR96135 ) ++HOLD (RO96135) SYSTEM FMID(CAKOG01) REASON (DYNACT ) DATE (17192) CA Top Secret for z/os CICS Component Version 16.0 PURPOSE Correct U752 Abend during EXEC CICS VERIFY USERS User of EXEC CICS VERIFY AFFECTED KNOWLEDGE 1- SMP/E 2- z/os Systems Programming REQUIRED 3- Security Administration ACCESS SMP/E CSI libraries REQUIRED 1. LLA REFRESH 2. Recycle CICS region

11 CA Top Secret Security for z/os CA RS PTF RO96225 RO96225 RO96225 M.C.S. ENTRIES = ++PTF (RO96225) The following items are included in this solution: 1. NEW CHANGES TO SECCACHE PROCESSING 2. SECCACHE 'EXP HRS' CHANGED TO 'EXP UNT' ========================================================================== NEW CHANGES TO SECCACHE PROCESSING This fix will introduce the following changes to the SECCACHE processing: 1) When a NOSPACE condition occurs, we record the size of the ACID record and exit. Any subsequent new record condition where the acid size is equal or greater than the current saved size will be stored again and exit without attempting to look for available space. We will clear the stored acid size upon clearing of SECCACHE. 2) Change the EXPIRATION unit size equate from 1 hour to 15 minutes (4 units would equate to 1 hour) for better expiration granularity. 3) After the first clear of SECCACHE following the TSS1366W message, we continue to clear SECCACHE at rate of 60 times the TIMER interval. No new entries can be added to SECCACHE and the NOSPACE value continues to increase. New sigons will require an I/O to the security file. Issue TSS MODIFY(SECCACHE(CLEAR,EXP=001)) TSSMVS 9939 ========================================================================== SECCACHE 'EXP HRS' CHANGED TO 'EXP UNT' With the introduction of this fix, the 'SECCACHE STATISTICS' display, message 'TSS1359I Exp Hrs 001', will no longer equate to an hour but a unit. A unit of 1 equates to 15 minutes, 4 units would equate to 1 hour. Invalid display of EXPIRATION in message 'TSS1359I'. Better expiration granularity. None. TSSMVS 9957 Copyright (C) 2017 CA. All rights reserved. R00287-TSS160-SP1 DESC(NEW CHANGES TO SECCACHE PROCESSING FMID () PRE ( RO80127 RO90627 ) SUP ( TR78447 TR95581 TR96211 TR96225 ) ++HOLD (RO96225) SYSTEM FMID() REASON (DYNACT ) DATE (17139) PURPOSE Load module into LLA and activate USERS All AFFECTED

12 CA Top Secret Security for z/os CA RS PTF RO96225 KNOWLEDGE 1. Console commands REQUIRED 2. Top Secret administration ACCESS 1. Console authority REQUIRED 2. TSS administrative authority SMP APPLY, LLA REFRESH and restart CA Top Secret with TSS,,,REINIT

13 CA Top Secret Security for z/os CA RS PTF RO96542 RO96542 RO96542 M.C.S. ENTRIES = ++PTF (RO96542) SECURE TRANSACTION TSS VIA OPTIONS(92) A security call driven for transaction TSS is currenlty being bypassed with a RC=00. By setting control option OPTIONS(92) in the TSS parameter file, the security call for the TSS transaction, if owned in resource class OTRAN and not permitted, will fail. No security failure if transaction TSS is owned and not permitted. No security failure if transaction TSS is owned and not permitted. Security for the TSS transaction can be controlled entirely through administrative authorities. TSSMVS 9963 Copyright (C) 2017 CA. All rights reserved. R00294-TSS160-SP1 DESC(SECURE TRANSACTION TSS VIA OPTIONS(92) FMID () PRE ( RO87918 ) SUP ( TR96542 ) ++HOLD (RO96542) SYSTEM FMID() REASON (DYNACT ) DATE (17177) PURPOSE Load module into LLA and activate USERS All AFFECTED KNOWLEDGE 1. Console commands REQUIRED 2. Top Secret administration ACCESS 1. Console authority REQUIRED 2. TSS administrative authority SMP APPLY, LLA REFRESH and restart CA Top Secret with TSS,,,REINIT

14 CA Top Secret Security for z/os CA RS PTF RO96670 RO96670 RO96670 M.C.S. ENTRIES = ++PTF (RO96670) S0C4 TSSCFBK +334E RUNNING TSSCFILE AGAINST BACKUP FILE A S0C4 abend may occur at TSSCFBK +334e when running TSSCFILE against the backup file. The abend occurs in module TSSBAUTQ+37A. Insufficient storage was allocated for the numeric acid index. S0C4 abend when running TSSCFBK. Batch job fails. None CA Top Secret for z/os Release 16.0 TSSMVS 9965 Copyright (C) 2017 CA. All rights reserved. R00296-TSS160-SP1 DESC(S0C4 TSSCFBK +334E RUNNING TSSCFILE AGAINST BACKUP FILE FMID () PRE ( RO95454 ) SUP ( AR95454 TR96670 ) ++HOLD (RO96670) SYSTEM FMID() REASON (DYNACT ) DATE (17186) PURPOSE Correct S0C4 abend in TSSCFBK. USERS All AFFECTED KNOWLEDGE 1- SMP/E 2- z/os Systems Programming REQUIRED ACCESS SMP/E CSI libraries REQUIRED LLA Refresh and REINIT of TSS

15 CA Top Secret Security for z/os CA RS PTF RO96857 RO96857 RO96857 M.C.S. ENTRIES = ++PTF (RO96857) The following items are included in this solution: 1. RACROUTE POE= IGNORED DURING SIGNON PROCESSING 2. CHANGE SOURCE VIOLATION RC TO X'30' 3. ACCEPT SERVAUTH= ON VERIFY CALL AS SOURCE/TERMINAL 4. OPTIONS(88) - LOG OF SOURCE IF POE= PASSED ON RACROUTE 5. TSO LOGON DORM MODE S0C4 IN TSSKERNL+550D4 ========================================================================== RACROUTE POE= IGNORED DURING SIGNON PROCESSING Unable to secure CA-SYSVIEW signons using TSS SOURCE protection. SYSVIEW issues a RACROUTE with POE=, which TSS is not honoring. TSS SOURCE protection is not working for CA-SYSVIEW. Can not secure CA-SYSVIEW signon processing with POE SOURCE. n/a CA Top Secret for z/os Release 15.0 TSSMVS 9795 ========================================================================== CHANGE SOURCE VIOLATION RC TO X'30' SOURCE violation sets an incorrect RACF return code of X'1C'. Changing this code to X'30' in order for other products, like CA SYSVIEW, to display the right message if a violation on a SOURCE occurs during logon. Wrong security error message displayed. Because the wrong message is displayed, the type of security violation may be unclear to the terminal user. n/a CA Top Secret for z/os Release 15.0 CA Top Secret for z/os Release 16.0 TSSMVS 9804 ========================================================================== ACCEPT SERVAUTH= ON VERIFY CALL AS SOURCE/TERMINAL The SERVAUTH= value is not honored appropriately for RACROUTE VERIFY CREATE calls. If the NETACCESS statement is contained in the TCPIP PROFILE file, this will signal other products using TCPIP services to issue a security check in the SERVAUTH resource class with an entity names of EZB.NETACCESS.*. Some of these calls are issued by products themselves, such as FTP. Others should be issued by the security product, in our case CA Top Secret, when the SERVAUTH= parameter is passed on a RACROUTE REQUEST=VERIFY SAF call. CA Top Secret was not performing this check. Effective with this maintenance, sites will now have the option of enabling these CA Top Secret generated checks via: 1) Applying this maintenance 2) Turning on OPTIONS(90) in the TSS parameter file at startup The new expected security checks issued by CA Top Secret will occur if: 1) The NETACCESS statement is set up in the TCPIP PROFILE file 2) Applications pass the SERVAUTH= parameter on the RACROUTE REQUEST=VERIFY security signon call This change is being implemented via the OPTIONS(90) control option so that sites can decide when they would like to implement these new calls.

16 CA Top Secret Security for z/os CA RS PTF RO96857 Note that OPTIONS(90) will have no effect on the issuance of SERVAUTH NETACCESS checks issued by other products such as FTP. If the NETACCESS statement is inserted into the TCPIP PROFILE file then security checks will begin to be issued from products such as FTP regardless of the setting of this new OPTIONS(90) control option. Improper source or terminal restrictions may be used to verify the point of system access. Users may be allowed or disallowed system access incorrectly. None available. CA Top Secret for z/os Release 15.0 TSSMVS 9863 ========================================================================== OPTIONS(88) - LOG OF SOURCE IF POE= PASSED ON RACROUTE With the introduction of fix RO88216, if a POE= was passed on the RACROUTE REQUEST=VERIFY,ENVIR=CREATE security call, TSS will honor the value passed in the POE= and check for a SOURCE restriction in the user's record or profile. If the acid has a SOURCE restriction that does NOT match the value passed in the POE=, then the sign on will fail with TSS7171E Unauthorized Source of System Entry. Prior to fix RO88216, RACROUTE calls with a POE= were not going through our SOURCE security processing. SOURCE restriction was honored only if a TERMID= was passed on the RACROUTE REQUEST=VERIFY,ENVIR=CREATE. With this fix, along with setting OPTIONS(88) in the TSS parameter file, if a RACROUTE REQUEST=VERIFY,ENVIR=CREATE with POE= is issued, and the acid has a SOURCE restriction that does NOT match the POE= passed, we will allow the call to succeed but log it with the following message to our ATF file: ++ TSS ADD(acid/profile) SOURCE(xxxxxxxx) Where xxxxxxxx is the POE passed on the RACROUTE security call. FMID () PRE ( RO83104 RO84794 RO86945 RO87918 RO88603 RO88796 RO89334 RO91603 RO92696 RO92771 RO94971 RO95793 RO96696 ) SUP ( AR87918 AR88603 AR89334 AR90069 BR88603 RO87875 RO88651 RO89203 RO89210 RO89888 RO89889 RO90069 RO90317 RO90784 RO91469 RO92584 RO94168 RO95692 TR86962 TR87875 TR87890 TR87917 TR88651 TR88994 TR89004 TR89180 TR89203 TR89210 TR89665 TR89691 TR89888 TR89889 TR89997 TR90069 TR90317 TR90753 TR90784 TR91469 TR92584 TR94168 TR95423 TR95692 TR96855 TR96857 ) ++HOLD (RO96857) SYSTEM FMID() REASON (DYNACT ) DATE (17180) PURPOSE Load module into LLA and activate USERS All AFFECTED KNOWLEDGE 1. Console commands REQUIRED 2. Top Secret administration

17 CA Top Secret Security for z/os CA RS PTF RO96857 ACCESS 1. Console authority REQUIRED 2. TSS administrative authority SMP APPLY, LLA REFRESH and restart CA Top Secret with TSS,,,REINIT

18 CA Top Secret Security for z/os CA RS PTF RO96977 RO96977 RO96977 M.C.S. ENTRIES = ++PTF (RO96977) ENHANCEMENTS TO MULTI-FACTOR AUTHENTICATION (MFA) SUPPORT ENHANCEMENT DESCRIPTION: This APAR contains the following MFA enhancements: 1. Adds support for CA Privileged Access Manager (CA-PAM 2. Adds FACILITY activation option for IBM RSA factor.request=extract. 3. Updates TSS command process to only allow 1 MFA factor to be activated at any given time. 4. Adds Passphrase "expiration time" calculation during RACROUTE REQUEST=EXTRACT for CICS EXEC VERIFY USER PHRASE command. This is a PRODUCT ENHANCEMENT. 1. Provides support for a common access card (CAC) or a personal identity smart card (through CA Privileged Access Manager 2. Allows IBM RSA users to activate MFA controls using FACILITY permission. 3. When adding, or replacing MFA segment factors to a user: only 1 factor to be activated, the other factors (if present) will be set to NO. Affects keyword MFACTIVE(NO YES FACILITY 4. Password phrase expiration information for CICS EXEC VERIFY USER PHRASE now reflects corrected expiry date. N/A TSSMVS 9879 Copyright (C) 2017 CA. All rights reserved. R00309-TSS160-SP1 DESC(ENHANCEMENTS TO MULTI-FACTOR AUTHENTICATION (MFA) SUPPORT FMID () PRE ( RO80995 RO82138 RO83157 RO83426 RO84470 RO84794 RO86945 RO87883 RO87918 RO88415 RO88932 RO89334 RO89361 RO91447 RO92696 RO92771 RO92854 RO93298 RO94971 RO95026 RO95454 RO95793 ) SUP ( AR93059 AR94686 BR92696 RO79659 RO81855 RO82305 RO85843 RO85956 RO85987 RO88473 RO89682 RO90165 RO90186 RO91002 RO91707 RO92619 RO92808 RO92888 RO92967 RO93059 RO93171 RO93744 RO93757 RO94101 RO94686 RO94913 RO95244 RO95291 RO95424 RO95428 RO95857 RO96001 RO96103 TR79659 TR81855 TR82305 TR84431 TR85843 TR85956 TR85970 TR85973 TR85987 TR88473 TR89682 TR89833 TR90165 TR90186 TR91002 TR91707 TR92609 TR92619 TR92808 TR92888 TR92967 TR93059 TR93171 TR93729 TR93744 TR93757 TR94101 TR94600 TR94686 TR94779 TR94913 TR95109 TR95191 TR95244 TR95291 TR95424 TR95428 TR95857 TR95960 TR96001 TR96103 TR96977 ) ++HOLD (RO96977) SYSTEM FMID() REASON (DEP ) DATE (17191) PURPOSE Advanced Authentication for Mainframe (AAM) CO-Req's USERS Any users requiring support for one of the following AFFECTED features: CA-PAM, RSA Next Token Mode, RSA New Pin. KNOWLEDGE 1- SMP/E 2- z/os Systems Programming REQUIRED 3- Security Administration

19 CA Top Secret Security for z/os CA RS PTF RO96977 ACCESS SMP/E CSI libraries REQUIRED If you require PIV/CAC smart card support under CA-PAM, or AAM processing of RSA Next Token Mode or RSA New PIN functions, you must SMPe apply AAM APAR RO96463, along with prereqisites: AAM APAR's RO96108 and RO HOLD (RO96977) SYSTEM FMID() REASON (DYNACT ) DATE (17191) PURPOSE Adds support for CA Privileged Access Manager (PAM USERS Users who enable via TSS control option CAPAM support AFFECTED KNOWLEDGE 1- SMP/E 2- z/os Systems Programming REQUIRED 3- Security Administration ACCESS SMP/E CSI libraries REQUIRED LLA Refresh and Restart TSS with REINIT

20 CA Top Secret Security for z/os CA RS PTF RO96998 RO96998 RO96998 M.C.S. ENTRIES = ++PTF (RO96998) SUPPORT CICS EXTRACT OF FLAG7 & FLAG8 CTS 5.4 signon processing fails CICS extract with 4/16:36. TSS was not returning values for Flag7 and Flag8 during the extract. One would see following message at the bottom of the screen: DFHCE3541 Security interface error ( Sign-on is terminated. One could not signon to CICS via a terminal N / A Version 15.0 TSSMVS 9964 Copyright (C) 2017 CA. All rights reserved. R00310-TSS160-SP1 DESC(SUPPORT CICS EXTRACT OF FLAG7 & FLAG8 FMID () PRE ( RO84794 RO89334 RO92696 RO92771 RO96977 ) SUP ( RO87883 RO95857 TR87883 TR95857 TR96675 TR96763 TR96998 ) ++HOLD (RO96998) SYSTEM FMID() REASON (DYNACT ) DATE (17207) PURPOSE Load module into LLA and activate USERS CTS 5.4 AFFECTED KNOWLEDGE 1. Console commands REQUIRED 2. Top Secret administration ACCESS 1. Console commands REQUIRED 2. Top Secret administration LLA,REFRESH Restart TSS: S TSS,,,REINIT

21 CA Top Secret Security for z/os CA RS PTF RO97041 RO97041 RO97041 M.C.S. ENTRIES = ++PTF (RO97041) TSS0319E INVALID SPECIFICATION FOR KEYWORD PASSWORD After TSS r15 PTF RO92953 or TSS r16 PTF RO92967, administrators cannot change their own password via the TSS REPLACE command with either the expiration interval or expired parameters. The following formats of the TSS REPLACE command will fail: TSS REPL(myacid) PASS(xxxxx,30) TSS REPL(myacid) PASS(xxxxx,,EXP) TSS REPL(myacid) PASS(xxxxx,30,EXP) TSS0319E INVALID SPECIFICATION FOR KEYWORD PASSWORD TSS0301I REPLACE FUNCTION FAILED, RETURN CODE = 4 The TSS REPLACE command will fail. Have another administrator perform the TSS REPLACE function. CA Top Secret for z/os Release 15.0 TSSMVS 9947 Copyright (C) 2017 CA. All rights reserved. R00312-TSS160-SP1 DESC(TSS0319E INVALID SPECIFICATION FOR KEYWORD PASSWORD FMID () PRE ( RO82138 RO82305 RO84794 RO86945 RO92696 RO94913 RO95428 RO95454 RO96977 ) SUP ( AR96977 RO91002 RO92619 RO92967 RO93757 RO94101 RO95291 RO96103 TR91002 TR92609 TR92619 TR92967 TR93757 TR94101 TR95109 TR95291 TR96103 TR97041 ) ++HOLD (RO97041) SYSTEM FMID() REASON (DYNACT ) DATE (17198) PURPOSE Load modules in memory USERS All administrators changing their owns passwords AFFECTED KNOWLEDGE Console commands REQUIRED CA Top Secret Administration ACCESS Console authority REQUIRED CA Top Secret Administration Authority LLA REFRESH and a restart of TSS

22 CA Top Secret Security for z/os CA RS 1708 Product/Component Listing Product Family Product Release Security CA TOP SECRET FOR Z/OS The CA RS 1708 Product/Component Count for this release is 1

23 CA Top Secret Security for z/os All CA RS Levels List CA RS Level FMID CAR1708 RO97041 RO96998 RO96977 RO96857 RO96670 RO96542 RO96225 RO96135 RO95752 RO94449 RO94015 RO91735 RO91733 CAKOG01 CAKOG01 CAR1707 RO96696 RO96321 RO96125 RO96103 RO96081 CAR1706 RO96001 RO95981 RO95938 RO95857 RO95818 RO95793 RO95454 RO95428 RO95424 RO92920 CAR1705 RO95692 RO95291 RO95244 RO95201 RO95061 RO88301 CAR1704 RO95026 RO94971 RO94913 RO94909 RO94718 RO94686 RO94168 RO93932 CAR1703 RO94517 RO94383 RO94298 RO94101 RO93840 CAR1702 RO93979 RO93757 RO93744 RO93398 CAR1701 RO93171 RO92888 RO92584 CAR1612 RO93298

24 CA Top Secret Security for z/os All CA RS Levels List CA RS Level FMID RO93059 RO92967 RO92772 RO92771 RO92742 RO92581 RO92412 RO92198 RO92092 RO92039 CAKOG01 CAKOG01 CAR1611 RO92854 RO92811 RO92809 RO92808 RO92696 RO92675 RO92619 RO92560 RO92502 RO91873 RO91186 RO88880 CAR1610 RO91454 RO91447 CAR1609 RO91707 RO91702 RO91603 RO91469 RO91248 RO91172 RO90979 RO90633 CAKOG01 CAR1608 RO91002 RO90784 RO90627 RO90626 RO90186 RO89750 RO88433 RO86556 CAKOG01 CAR1607 RO90358 RO90317 RO90165 RO89936 RO89828 CAR1606 RO90184 CAKOG01 RO90069 RO89965 RO89889 RO89888 RO89682 RO89668 RO89233 CAR1605 RO89361 RO89334

25 CA Top Secret Security for z/os All CA RS Levels List CA RS Level FMID RO89210 RO89203 CAR1604 RO88969 CAKOG02 RO88968 RO88932 RO88848 RO88796 RO88651 RO88603 RO88551 RO88473 RO88415 RO87918 RO87883 RO87515 CAR1603 RO88130 RO87961 RO87881 RO87875 RO87826 CAKOG01 CAR1602 RO87827 RO87738 RO87735 RO86945 RO86559 RO86552 RO86294 RO85890