IBM Support

PI64175: INCREASED CPU FOR PASSWORD VERIFICATIONS IN CICS AFTER RACF DATABASE CHANGED TO USE KDFAES ENCRYPTION.

A fix is available


APAR status

  • Closed as program error.

Error description

  • After changing the RACF database to use KDFAES encryption, the
    password verifications and signons performed by CICS use
    significantly more CPU than before.
    

Local fix

  • Change the application or configuration settings to avoid
    checking the password when the userid is a shared system or
    functional userid and requests come from a trusted source.
    .
    Alternatively change the RACF database back to using DES
    encryption.  Any passwords created while KDFAES encryption was
    active will need to be changed again to return to the pre-KDFAES
    CPU usage.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS Users.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: Decrease in performance when CICS uses  *
    *                      a KDFAES RACF database.                 *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    With KDFAES support in RACF, passwords are encrypted with
    KDFAES on the database. However, a check against the KDFAES
    version is very expensive, so RACF creates a cached DES version
    of the password, which is used if available. CICS currently uses
    V1 of the R_Password interface, which uses the cached DES
    version and, if this fails, checks the KDFAES version of the
    password. However, it does not create a cached entry. So if CICS
    uses V1 of the R_Password interface exclusively for password
    checking (such as for web traffic), CICS never creates a cached
    entry, and requests always use the KDFAES check.
    This is also the case if passtickets are always used.
    

Problem conclusion

  • CICS has been changed to use the V2 R_Password interface.
    Using this interface, CICS does a check using the cache. If
    there is no cache entry, the request fails and a full RACROUTE
    VERIFY request is made. This request creates a cache entry.
    .
    RACF APARs OA50748 and OA50749 are required to use V2 of the
    R_Password interface. If these are not installed then the V1
    interface will be used.
    

Temporary fix

  •             *********
                * HIPER *
                *********
    FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PI64175

  • Reported component name

    CICS TS Z/OS V4

  • Reported component ID

    5655S9700

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    YesHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-06-14

  • Closed date

    2016-11-21

  • Last modified date

    2016-12-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PI64442 PI64443 UI42815

Modules/Macros

  • DFHSNTU  DFHXMTA  DFHXMXE  DFHXSAD  DFHXSCR  DFHXSCT  DFHXSDM
    DFHXSDUF DFHXSEJ  DFHXSEV  DFHXSFL  DFHXSIS  DFHXSKR  DFHXSLU
    DFHXSPW  DFHXSRC  DFHXSSA  DFHXSSB  DFHXSSBT DFHXSSC  DFHXSSD
    DFHXSSE  DFHXSSF  DFHXSSH  DFHXSSI  DFHXSTRI DFHXSTS  DFHXSXM
    

Fix information

  • Fixed component name

    CICS TS Z/OS V4

  • Fixed component ID

    5655S9700

Applicable component levels

  • R700 PSY UI42815

       UP16/11/29 P F611

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
01 December 2016