A fix is available
APAR status
Closed as program error.
Error description
The customer uses RACF exit ICHRIX01, which is driven on RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX calls during signon. These specific signons are deliberately made with a dummy password that is passed to the ICHRIX01 exit program. The exit also expects installation data (INSTLN) to be passed on these calls. The region is coded with ESMEXITS(INSTLN) in the DFHSIT so that INSTLN is passed.

All was working as expected until the customer applied maintenance to the RSU1412 level, which included PI21866. That APAR changed the password verification process in CICS to use IRRSPW00 and not to call VERIFYX at all. PI33454 was then applied to resolve the PE against PI21866, which also reinstated the VERIFYX call. However, this new process uses DFHXSSB to make these calls, and DFHXSSB has never passed INSTLN data.

Because INSTLN is not being passed, the ICHRIX01 exit program fails to set bit RIXPSCKN to tell RACF to ignore the password. RACF therefore fails the password and passes back bad return codes to CICS. CICS reacts by issuing the DFHXS1201 message to report INVALID PASSWORD.

DFHXSSB needs to pass INSTLN data if ESMEXITS(INSTLN) is coded.

Additional Symptom(s) Search Keyword(s): KIXREVWJB inquire_password_data inquire password data
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All CICS Users.                              *
****************************************************************
* PROBLEM DESCRIPTION: RACF exit ICHRIX01 no longer has access *
*                      to both the user's password and the     *
*                      CICS installation data as part of a     *
*                      signon.                                 *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

APAR PI21866 separated out the password processing done as part of a signon request. The password is processed using RACF service IRRSPW00 and RACROUTE REQUEST=VERIFYX. IRRSPW00 does not invoke any RACF exits. The VERIFYX invokes the ICHRIX01 exit but does not pass the CICS installation data. This means that the ICHRIX01 exit program cannot use the installation data to determine if password checking should be bypassed. This can cause valid signons with special password requirements to now fail.

Installation data is still passed on the RACROUTE REQUEST=VERIFY that will create the ACEE and the ICHRIX01 exit will be invoked but the password is no longer available on that call.

Additional Keywords: ESMEXITS INSTLN
Problem conclusion
CICS has been changed to now pass installation data on the RACROUTE REQUEST=VERIFYX that is done to validate the password as part of signon processing. Installation data is not passed when the call is part of a VERIFY PASSWORD command or equivalent internal function.

The CICS Transaction Server for z/OS V5.1 and V5.2 Knowledge Center section "For RACF users - the RACF user exit parameter list" will be updated as follows:

Add a Note 3:

As a result of CICS APAR PI21866, CICS APAR PI39336 and RACF APAR OA43999, passwords will no longer be available to the ICHRIX01 user exit when the passwords are valid. In normal usage the exit will only have access to the password if the password was invalid. This is because the verification and changing of passwords is now performed separately from the signon. This has changed the RACF calls made during the signon, as well as the data available to user exits invoked as part of those calls. The following calls are made:

1. RACF service IRRSPW00 is called to verify the supplied password. This service does not drive any user exits. If the password verification fails, or the supplied password is a passticket, or the password is valid but there was a previous failure, then a RACROUTE REQUEST=VERIFYX call is made. The ICHRIX01 user exit is invoked and is passed installation data.
2. After the password is verified, if a new password was supplied, the password is changed using RACROUTE REQUEST=VERIFYX. This call invokes the ICHRIX01 user exit but does not pass any installation data.
3. The signon uses RACROUTE REQUEST=VERIFY. This call invokes the ICHRIX01 user exit and passes installation data. The password and any new password are not available.
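The three signon steps in Note 3, modeled as an added Python sketch (not IBM or CICS code) that lists which ICHRIX01 invocations an exit author should expect and whether each carries installation data. The function name, the `ExitCall` type and the `exit_bypass_on_instln` flag are assumptions made for illustration; `pi39336_applied=False` models the PI33454 level described in the error description.

```python
from typing import List, NamedTuple, Tuple


class ExitCall(NamedTuple):
    request: str   # RACROUTE request that drives ICHRIX01
    purpose: str
    instln: bool   # is installation data passed to the exit?


def signon_exit_calls(password_ok: bool, passticket: bool = False,
                      previous_failure: bool = False, new_password: bool = False,
                      pi39336_applied: bool = True,
                      exit_bypass_on_instln: bool = False
                      ) -> Tuple[List[ExitCall], bool]:
    """Return (ICHRIX01 invocations in order, signon succeeded).

    password_ok: RACF itself would accept the supplied password/PassTicket.
    exit_bypass_on_instln: hypothetical site exit that sets RIXPSCKN, but
    only when it receives installation data (the customer's design).
    """
    calls: List[ExitCall] = []
    verified = password_ok
    # Step 1: IRRSPW00 drives no exits; VERIFYX follows only in these cases.
    if not password_ok or passticket or previous_failure:
        instln = pi39336_applied  # before the fix DFHXSSB passed no INSTLN
        calls.append(ExitCall("VERIFYX", "verify password", instln))
        if exit_bypass_on_instln and instln:
            verified = True       # RIXPSCKN set: RACF ignores the password
    if not verified:
        return calls, False       # CICS reports DFHXS1201, invalid password
    # Step 2: password change; exit driven without installation data.
    if new_password:
        calls.append(ExitCall("VERIFYX", "change password", False))
    # Step 3: signon proper; INSTLN passed, passwords not available.
    calls.append(ExitCall("VERIFY", "signon", True))
    return calls, True


if __name__ == "__main__":
    for fixed in (False, True):   # customer's dummy-password signon
        print(fixed, signon_exit_calls(False, pi39336_applied=fixed,
                                       exit_bypass_on_instln=True))
```

A signon with a valid password and no earlier failure drives the exit only on the final VERIFY, which is why an exit that needs to see the password no longer does in normal usage.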
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PI39336
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-04-17
Closed date
2015-09-30
Last modified date
2015-11-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI31633 UI31634 UI31635 UI31636
Modules/Macros
DFHESN DFHISXS DFHPITC DFHSOSE DFHSZREQ DFHUSAD DFHWBSR DFHWBXN DFHXSAD DFHXSDM DFHXSFL DFHXSIS DFHXSLU DFHXSPW DFHXSPWT DFHXSRC DFHXSSA DFHXSSB DFHXSSBT DFHXSTRI EYU0VBPC
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R80M PSY UI31634
UP15/10/08 P F510
R800 PSY UI31633
UP15/10/08 P F510
R90M PSY UI31635
UP15/10/08 P F510
R900 PSY UI31636
UP15/10/08 P F510
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
03 November 2015