PI79774: CPSM SECURITY CHECKS ON INCORRECT RESOURCE NAME AFTER PTF APPLIED 17/06/20 PTF PECHANGE

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• You apply one of the following PTFs to your CPSM environment:
  .
  Release    PTF        APAR
  4.1        UI40460    PI66813
  4.2        UI40461    PI66813
  5.1        UI40462    PI66814
  5.2        UI40463    PI66814
  5.3        UI40464    PI66792
  .
  Afterward, you find security checks being made for the wrong
  resource names. For example, you retrieve definitions for
  transactions. That should generate a check against resource
  BAS.DEF.xxxxx but instead it generates one for BAS.TRAN.xxxxxx.
  This may result in RACF violations against the new resource
  names.
  .
  The BAS.TRAN.xxxxx or BAS.FILE.xxxxx type resource names, with
  a resource type in the second node, is only supposed to be used
  for installing the resources, not viewing them. The
  BAS.DEF.xxxxxx resource name is what CPSM should be checking
  when they are viewed.
  .
  Additional Symptom(s) Search Keyword(s): KIXREVSVR
  

Local fix

• Temporarily permit RACF access.
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: All CICSPlex SM V5R1M0, V5R2M0 and V5R3M0    *
  *                 Users                                        *
  ****************************************************************
  * PROBLEM DESCRIPTION: After applying PTF UI40462 (CPSM 5.1)   *
  *                      or UI40463 (CPSM 5.2) for APAR PI66814, *
  *                      or UI40464 (CPSM 5.3) for APAR PI66792, *
  *                      you might not be able to retrieve the   *
  *                      following resource definitions through  *
  *                      WUI, CPSM Explorer or CPSM GET API, due *
  *                      to security check failure:              *
  *                                                              *
  *                      ATOMDEF         MAPDEF                  *
  *                      BUNDDEF         MQCONDEF                *
  *                      CONNDEF         PARTDEF                 *
  *                      DB2CDEF         PIPEDEF                 *
  *                      DB2EDEF         PROCDEF                 *
  *                      DB2TDEF         PROFDEF                 *
  *                      DOCDEF          PROGDEF                 *
  *                      EJCODEF         PRTNDEF                 *
  *                      EJDJDEF         RQMDEF                  *
  *                      ENQMDEF         SESDEF                  *
  *                      FENODDEF        TCPDEF                  *
  *                      FEPOODEF        TDQDEF                  *
  *                      FEPRODEF        TERMDEF                 *
  *                      FETRGDEF        TRANDEF                 *
  *                      FILEDEF         TRNCLDEF                *
  *                      IPCONDEF        TSMDEF                  *
  *                      JRNMDEF         TYPTMDEF                *
  *                      JVMSVDEF        URIMPDEF                *
  *                      LIBDEF          WEBSVDEF                *
  *                      LSRDEF                                  *
  ****************************************************************
  * RECOMMENDATION: This fix is being provided across all        *
  *                 supported releases of CPSM as follows:       *
  *                                                              *
  *                  -  CPSM V4R1M0  -  APAR PI79362             *
  *                  -  CPSM V4R2M0  -  APAR PI79362             *
  *                  -  CPSM V5R1M0  -  APAR PI79774             *
  *                  -  CPSM V5R2M0  -  APAR PI79774             *
  *                  -  CPSM V5R3M0  -  APAR PI79774             *
  *                                                              *
  *                 After applying the PTF that resolves this    *
  *                 APAR, all CMASes must be recycled to pick    *
  *                 up the new code.  Note that CMASes do not    *
  *                 need to be brought down and restarted at     *
  *                 the same time.                               *
  ****************************************************************
  When you retrieve the BAS resource definitions through WUI, CPSM
  API or CICS Explorer, method EYU0BAGQ ( BAGQ - BAS Frontend Data
  Repository Get ) is driven to get requested definitions from the
  data repository.
  
  Prior to the execution of BAGQ, method EYU0CRCK ( CRCK - Access
  Authority Checking ) is called to check if the user has
  authority to execute the requested service. CRCK calls method
  EYU0XLML to build main XLXS and alternative XLXS. Based on the
  XLXSes, CRCK populates the profile name, and passes it along
  with other information to RACF for security check.
  
  Due to a previous change for APAR PI66814 (CPSM 5.1 and 5.2) and
  APAR PI66792 (CPSM 5.3), CRCK might populate an incorrect
  profile name, which causes the failure of RACF security check.
  

Problem conclusion

• Module EYU0CRCK has been updated to populate correct profile
  name for BAGQ services.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

  PI79362

• APAR is sysrouted TO one or more of the following:

  UI47079 UI47080 UI47081 PI83342

Modules/Macros

• EYU0CRCK EYU0XDOX EYU9BAP3 EYU9BAP4 EYU9BAP6 EYU9BAPU EYU9BAR3
  EYU9BAR4 EYU9BAR6 EYU9BARU
  

Fix information

• Fixed component name

  CICS TS Z/OS V5

• Fixed component ID

  5655Y0400

Applicable component levels

• R00M PSY UI47081

     UP17/05/15 P F705 {

• R80M PSY UI47079

     UP17/05/15 P F705 {

• R90M PSY UI47080

     UP17/05/15 P F705 {

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.