IBM Support

PI82748: RACF SECURITY MESSAGE ICH408I FOLLOWED BY DFHCE3541 SECURITY INTERFACE ERROR (00000030). SIGN-ON IS TERMINATED.

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • You've installed maintenance to RSU/1701.  You start to receive
    RACF message:
    ICH408I USER(  ) GROUP(NOTERM  ) NAME(  )
      LOGON/JOB INITIATION - NOT AUTHORIZED TO TERMINAL CONSOLE1
    
    DFHCE3541  APPLID Security interface error (00000030). Sign-on
    is terminated.
    
    You also see DFHSN1108  APPLID Signon at console CONSOLE1 by
    user USERID has failed.
    
    The trace shows:
    XS FE04 XSSB  *EXC* FUNCTION(INQUIRE_PASSWORD_DATA)
    RESPONSE(EXCEPTION) REASON(UNKNOWN_ESM_RESPONSE)
    SAF_RESPONSE(8) SAF_REASON(0)
    ESM_RESPONSE(30) ESM_REASON(0) PASSWORD_FAILURES(0)
    
    The problem occurs after the installation of CICS APARs PI62428
    and PI64443.
    
    PI62428 added POE onto the RACROUTE REQUEST=VERIFYX call made
    by  DFHXSSB to verify the password.  It did not add the SESSION
    parameter to specify the type of the entry port.  The VERIFYX
    call was only ever used when the IRRSPW00 call failed.  In this
    case the pasword is valid so IRRSPW00 would work and the
    VERIFYX call would never get issued. The subsequent VERIFY
    ENVIR=CREATE passes both POE and SESSION and so
    the signon would succeed.
    
    
    PI64443 changed DFHXSSB to use the updated version of the
    IRRSPW00 and to set the fast fail option.  This causes the
    first IRRSPW00 call to fail immediately (because there isn't a
    cache entry) and for CICS to use the VERIFYX call to perform
    the valid signon.  This VERIFYX call fails because it passes
    POE but does not pass SESSION and the supplied
    port of entry is a console and not the default of a
    TSO/terminal session.
    
    Additional Symptom(s) Search Keyword(s): KIXREVSWM
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users with apars PI46508 and/or PI62428  *
    *                 applied.                                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: CICS signon error accompanied with      *
    *                      messages DFHCE3541 and ICH408I.         *
    ****************************************************************
    * RECOMMENDATION: .                                            *
    ****************************************************************
    UI33709 UI43780 UI33707 UI43779 UI38004 UI42764
    
    A user attempts to signon to CICS at a console.  This user only
    has access via certain consoles and has no access to CICS from
    a regular terminal.  After the fix for APAR PI46508 and/or
    PI62428 is applied the console signon will fail if the user
    currently has a non-zero password failure count.
                                                                   .
    The failure occurs because PI6508/PI62428 added the POE
    parameter to the RACROUTE REQUEST=VERIFYX call made by DFHXSSB
    but did not also add the SESSION parameter.  This causes the
    external security manager to use the default SESSION value which
    is a standard TSO terminal session.
    

Problem conclusion

  • UI33709 UI43780 UI33707 UI43779 UI38004 UI42764
    
    CICS security code has been amended to pass a SESSION parameter
    on the RACROUTE=VERIFYX call from within DFHXSSB.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI82748

  • Reported component name

    CICS TS Z/OS V5

  • Reported component ID

    5655Y0400

  • Reported release

    000

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-06-07

  • Closed date

    2017-09-14

  • Last modified date

    2017-10-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PI84714 PI87053 UI50300 UI50301 UI50302

Modules/Macros

  • DFHUSAD  DFHXSPW  DFHXSPWT DFHXSSB  DFHXSSBT
    

Fix information

  • Fixed component name

    CICS TS Z/OS V5

  • Fixed component ID

    5655Y0400

Applicable component levels

  • R000 PSY UI50300

       UP17/09/20 P F709

  • R800 PSY UI50301

       UP17/09/20 P F709

  • R900 PSY UI50302

       UP17/09/20 P F709

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.3","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.3","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
02 October 2017