IBM Support

PI27349: CICS DOES NOT KEEP COUNT OF THE NUMBER OF VERIFY PASSWORD CALLS

A fix is available


APAR status

  • Closed as program error.

Error description

  • CICS does not record the number of VERIFY PASSWORD calls made.
    It also does not track how many are handled using the fastpath
    mechanism and which require an expensive RACF call.  This makes
    it very difficult to evaluate the effect of the SECVFYFREQ SIT
    parameter.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS Users                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: There is no data collected to evaluate  *
    *                      the effect of the SECVFYFREQ SIT        *
    *                      parameter.                              *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The CICS Transaction Server Knowledge Center includes a
    description of the SECVFYFREQ and USRDELAY
    system initialization parameters with guidance on how to set
    them. However, CICS does not collect data to help determine
    appropriate values for these parameters.
    
    Additional keywords: usa_verify_password_count
    usa_secvfyfreq_add_count usa_secvfyfreq_auth_count
    xsa_inq_pswd_count xsa_inq_pswd_fast
    

Problem conclusion

  • CICS is changed to add counts to aid tuning of the SECVFYFREQ
    and USRDELAY system initialization parameters.
    These counts appear in the User (US) Domain summary and
    the Security (XS) Domain summary in a formatted CICS system
    dump.
    
    The following information will be added to the description of
    the USRDELAY SIT parameter in the CICS Transaction Server for
    z/OS Version 5 Release 1 System Definition Guide (SC34-2871-00)
    and in the CICS Transaction Server 5.2.0 Knowledge Center:
    
    'A formatted CICS system dump includes some counts you can
    use to review the effect of setting the SECVFYFREQ
    parameter with the USRDELAY option.
    The USER DOMAIN SUMMARY, in the formatted dump for the US
    component, contains the following counts:
    - VRFY PASSWORD num: the total number of verify requests
      processed by User Domain
    
    - SECVFYFREQ ADDs: the number of verify requests, when
      SECVFYFREQ=USRDELAY, that add a user ID to the system.
      If a user ID is unused for more than the USRDELAY limit, it is
      removed from the system and a subsequent verify request
      leads to another add request.
    
    - SECVFYFREQ AUTHs: the number of verify requests, when
      SECVFYFREQ=USRDELAY, that make RACF record the
      date and time of last access for the user ID, and write user
      statistics.
      This occurs when the user logs on after the USRDELAY
      interval has expired. CICS also applies a maximum limit of
      one day between full verification requests at user login.
    
    The SECURITY DOMAIN SUMMARY, in the formatted CICS
    system dump for the XS component, contains the following counts:
    - Inquire password count: the total number of inquire password
      requests processed by Security Domain
    
    - Inquire password fastpath count: the number of inquire
      password requests that used the fastpath mechanism.
    A difference between these figures indicates full verification
    requests were required. This may be because attempts at
    password verification have failed, a passticket was used, or
    because of the USRDELAY option being used for SECVFYFREQ.
    
    All the counts described above are accumulated from when CICS is
    initialised and they are not reset while the region is running.'
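
As an added example (not IBM code and not part of the APAR text), the following Python code reads these five counts from a saved formatted-dump listing and derives the number of full verifications and the fastpath percentage. The counter labels come from the text above; the `label : number` layout and the sample listing are constructed assumptions, so adjust the pattern to the real dump output.

```python
import re

# Counter labels as named in the APAR text. The "label : number" layout
# is an assumption; the real formatted dump may lay them out differently.
LABELS = {
    "verify": "VRFY PASSWORD num",
    "adds": "SECVFYFREQ ADDs",
    "auths": "SECVFYFREQ AUTHs",
    "inquire": "Inquire password count",
    "fastpath": "Inquire password fastpath count",
}

def parse_counts(dump_text):
    """Extract the US and XS domain counts from a formatted dump listing."""
    counts = {}
    for key, label in LABELS.items():
        m = re.search(re.escape(label) + r"\s*[:=.]*\s*(\d+)", dump_text, re.IGNORECASE)
        if m is None:
            # The counts exist only in dumps from regions with this fix applied.
            raise ValueError(f"{label!r} not found in dump listing")
        counts[key] = int(m.group(1))
    return counts

def summarize(counts):
    """Derive tuning figures; counts accumulate from CICS initialisation."""
    full = counts["inquire"] - counts["fastpath"]  # requests needing a full verification
    if full < 0:
        raise ValueError("fastpath count exceeds total inquire password count")
    def pct(part, whole):
        return round(100.0 * part / whole, 1) if whole else 0.0
    return {
        "full_verifications": full,
        "fastpath_pct": pct(counts["fastpath"], counts["inquire"]),
        "add_pct": pct(counts["adds"], counts["verify"]),    # share of verifies that re-add a user ID
        "auth_pct": pct(counts["auths"], counts["verify"]),  # share that make RACF record last access
    }

# Constructed sample listing, not taken from a real dump.
SAMPLE = """\
USER DOMAIN SUMMARY
 VRFY PASSWORD num :   12000
 SECVFYFREQ ADDs   :     300
 SECVFYFREQ AUTHs  :     120
SECURITY DOMAIN SUMMARY
 Inquire password count          :   12000
 Inquire password fastpath count :   11400
"""

if __name__ == "__main__":
    print(summarize(parse_counts(SAMPLE)))
```

Because the counts are never reset while the region runs, compare figures from two dumps of the same region only as totals since initialisation.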
    

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PI27349

  • Reported component name

    CICS TS Z/OS V5

  • Reported component ID

    5655Y0400

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-10-09

  • Closed date

    2015-06-02

  • Last modified date

    2015-07-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI28205 UI28206

Modules/Macros

  • DFHUSAD  DFHUSDM  DFHUSDUF DFHXSDM  DFHXSDUF DFHXSPW
    

Publications Referenced
SC34287100    

Fix information

  • Fixed component name

    CICS TS Z/OS V5

  • Fixed component ID

    5655Y0400

Applicable component levels

  • R800 PSY UI28205

       UP15/06/11 P F506

  • R900 PSY UI28206

       UP15/06/11 P F506

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
30 April 2020