IBM Support

PI67905: CICS INSTALLATION DATA MISSING PHASE INFORMATION FOR CHANGE PASSWORD AND PASSWORD VERIFICATION REQU 17/02/10 PTF PECHANGE

A fix is available


APAR status

  • Closed as program error.

Error description

  • CICS does not pass installation data to the ESM on the RACROUTE
    REQUEST=VERIFY call made to change a password.
    CICS only passes installation data to the ESM on the RACROUTE
    REQUEST=VERIFYX call used for password verification if that
    call was made as part of a signon.  In this case the UXPPHASE
    value indicates to the ICHRIX01 exit that the request is a
    signon and not a password verification request.
    Symptom(s) Search Keyword(s): KIXREVxxx
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS Users with PI21866 applied.         *
    ****************************************************************
    * PROBLEM DESCRIPTION: Performing a SIGNON with PHRASE and     *
    *                      NEWPHRASE causes the PHRASE to be       *
    *                      validated twice.  The SIGNON can then   *
    *                      fail if the PHRASE contains a           *
    *                      single use token.                       *
    ****************************************************************
    A vendor security product is used to validate authentication
    tokens supplied as part of a password phrase.
    
    A SIGNON is performed specifying PHRASE and NEWPHRASE.  The
    PHRASE contains the password and a single use token.  This
    is validated by calling the R_Password (IRRSPW00) service.
    Exit program IRRSXT00 extracts the token and successfully
    validates it.  A RACROUTE REQUEST=VERIFY call is then made to
    change the password.  The PHRASE and NEWPHRASE are passed on
    this call.  Exit program ICHRIX01 extracts the token.
    Validation of the token fails, because it has already been used
    on the IRRSPW00 call.  The exit program rejects the attempt to
    change the password and the signon fails.
    

Problem conclusion

  • UI22618 UI24130 UI25263 UI30326 UI43780
    
    CICS has been updated to only issue a single RACROUTE
    REQUEST=VERIFY call to change the password as part of
    a signon. This means that any security exit program
    will only be passed the PHRASE (or PASSWORD) once.
    
    CICS has also been changed to always pass
    installation data (if ESMEXITS=INSTLN is coded in
    the SIT) on the RACROUTE REQUEST=VERIFY call used
    to change the password and on the RACROUTE
    REQUEST=VERIFYX call used in password verification
    (when there has been a password failure or a
    passticket is being used).  New UXPPHASE values
    have been created to allow the ICHRIX01 exit to
    correctly determine why it is being invoked.
    
    The new UXPPHASE values are:
    
    PASSWORD_CHANGE (x'90')
    PASSWORD_VERIFICATION (x'91')
    
    The CICS Transaction Server for z/OS 5.2
    Customization Guide ( SC34-7269-00 ) will have the
    following 2 fields added in Chapter 9 (Customizing
    security processing), where it lists the possible
    values that can be addressed by UXPPHASE thus:
    
    PASSWORD_CHANGE        X'90'
         Change of password
    PASSWORD_VERIFICATION  X'91'
         password being verified
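
The failure and the fix described above, modelled as an added Python example (not CICS, RACF or vendor code). The token store, the '<password>:<token>' phrase layout and all function names are assumptions made for illustration; only the two UXPPHASE values come from this APAR.

```python
# Added illustration of the flow described in this APAR; not CICS, RACF or vendor code.
PHASES = {0x90: "PASSWORD_CHANGE", 0x91: "PASSWORD_VERIFICATION"}  # values from the APAR


class OneTimeTokenStore:
    """Constructed stand-in for the vendor product: a token validates only once."""

    def __init__(self, tokens):
        self._unused = set(tokens)

    def redeem(self, token):
        if token in self._unused:
            self._unused.remove(token)
            return True
        return False


def exit_validates(store, phrase):
    """Model of a security exit: extract the token from the phrase and validate it.
    Assumption: the phrase is '<password>:<token>'; real layouts are vendor-specific."""
    _password, _, token = phrase.partition(":")
    return store.redeem(token)


def signon_before_fix(store, phrase):
    # 1. R_Password (IRRSPW00) verification: IRRSXT00 consumes the token.
    if not exit_validates(store, phrase):
        return "signon failed: phrase rejected"
    # 2. RACROUTE REQUEST=VERIFY for the change: ICHRIX01 sees the same token again.
    if not exit_validates(store, phrase):
        return "signon failed: password change rejected"
    return "signon ok"


def signon_after_fix(store, phrase):
    # Single RACROUTE REQUEST=VERIFY: the exit is passed the phrase exactly once.
    if not exit_validates(store, phrase):
        return "signon failed: phrase rejected"
    return "signon ok"


def describe_phase(uxpphase):
    """How an exit could branch on the phase byte; None models no installation data."""
    if uxpphase is None:
        return "no installation data"
    return PHASES.get(uxpphase, "other phase")
```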
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI67905

  • Reported component name

    CICS TS Z/OS V5

  • Reported component ID

    5655Y0400

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    YesPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-08-22

  • Closed date

    2017-02-09

  • Last modified date

    2017-03-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PI75324 PI75325 PI76141 UI44531

Modules/Macros

  • DFHSNTU  DFHUSAD  DFHXMAT  DFHXMTA  DFHXMXE  DFHXSAD  DFHXSCR
    DFHXSCT  DFHXSDM  DFHXSDUF DFHXSEV  DFHXSFL  DFHXSIDT DFHXSIS
    DFHXSKR  DFHXSLU  DFHXSPW  DFHXSRC  DFHXSRN  DFHXSSA  DFHXSSB
    DFHXSSC  DFHXSSD  DFHXSSE  DFHXSSF  DFHXSSH  DFHXSSI  DFHXSSK
    DFHXSTRI DFHXSTS  DFHXSUXP DFHXSXM
    

Publications Referenced
SC34726900    

Fix information

  • Fixed component name

    CICS TS Z/OS V5

  • Fixed component ID

    5655Y0400

Applicable component levels

  • R900 PSY UI44531

       UP17/02/13 P F702 {

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
02 March 2017