A fix is available
APAR status
Closed as program error.
Error description
5655M1500 EXEC CICS VERIFY PASSWORD is issued by an application where the userid and password were valid and not revoked. CICS reports USERID_REVOKED in an exception trace entry.

DFHXSSB has a routine, DETERMINE_REVOKED_STATUS, which determines the status. CICS TS 3.1 has four new bits (user_is_revoked, group_is_revoked, master_user_revoke and master_group_revoke) which are never initialized prior to entering the DETERMINE_REVOKED_STATUS routine. The INQUIRE_PASSWORD_DATA call from DFHXSSB results in a RACROUTE EXTRACT call to the security manager. The USER_IS_REVOKED flag is only updated correctly if the security manager passes back ESM_FLAG4 Length to indicate its existence. If this is not passed back, then residual data is used to determine the revoked status. Thus, CICS should initialize these four new bits at entry to the DETERMINE_REVOKED_STATUS routine.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All.                                         *
****************************************************************
* PROBLEM DESCRIPTION: EXEC CICS VERIFY PASSWORD               *
*                      returns NOTAUTH invalidly.              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
If an EXEC CICS VERIFY PASSWORD command is issued, it causes DFHXSSB to call the External Security Manager (ESM) with an EXTRACT command. If the ESM has "revoked" information, it can set a flag to show that this information is being returned. If, however, there is no revoked information to return, then the flag is set to nulls and CICS should not process revoke data. In this case the ESM is setting the flag to nulls. CICS is using the residual values in the "revoked data fields" and invalidly returning the USERID as revoked.

Additional Keywords: user_is_revoked group_is_revoked master_user_revoked master_group_revoked esm_flag4
Problem conclusion
DFHXSSB has been changed to set the "revoked data flags" to nulls before processing the information returned from the ESM. This means that if there is no revoke information returned from the ESM then the USERID will not be incorrectly returned as revoked when it isn't.
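The following C model is an added illustration of the defect and the fix described above; it is not CICS or DFHXSSB source. The structure layouts, bit values and function names are assumptions made for the example, and a zero flag4_len stands in for the ESM returning no revoke information.

```c
#include <stddef.h>

/* Simplified model of the defect; not CICS or DFHXSSB source.
   Layouts, bit values and function names are assumptions. */
enum {
    USER_IS_REVOKED     = 0x08,
    GROUP_IS_REVOKED    = 0x04,
    MASTER_USER_REVOKE  = 0x02,
    MASTER_GROUP_REVOKE = 0x01,
    ALL_REVOKE_BITS     = 0x0F
};

struct work_area { unsigned char revoke_bits; };  /* reused between calls */

/* Constructed stand-in for the ESM's EXTRACT reply. flag4_len == 0
   means the ESM returned no revoke information at all. */
struct esm_reply { size_t flag4_len; unsigned char flag4; };

/* Copy the revoke bits only when the ESM says they are present. */
static void apply_reply(struct work_area *w, const struct esm_reply *r)
{
    if (r->flag4_len > 0) {
        w->revoke_bits &= (unsigned char)~ALL_REVOKE_BITS;
        w->revoke_bits |= (unsigned char)(r->flag4 & ALL_REVOKE_BITS);
    }
}

/* Before the fix: with no flag4 in the reply, residual bits decide. */
int determine_revoked_before(struct work_area *w, const struct esm_reply *r)
{
    apply_reply(w, r);
    return (w->revoke_bits & ALL_REVOKE_BITS) != 0;
}

/* After the fix: the four bits are cleared at entry. */
int determine_revoked_after(struct work_area *w, const struct esm_reply *r)
{
    w->revoke_bits &= (unsigned char)~ALL_REVOKE_BITS;
    apply_reply(w, r);
    return (w->revoke_bits & ALL_REVOKE_BITS) != 0;
}

/* Verify a user on a work area that still holds old data (residue). */
int verify_with_residue(int fixed, unsigned char residue, struct esm_reply r)
{
    struct work_area w = { residue };
    return fixed ? determine_revoked_after(&w, &r)
                 : determine_revoked_before(&w, &r);
}
```

With a stale USER_IS_REVOKED bit in the work area and no revoke data from the ESM, the "before" routine reports the user as revoked while the "after" routine does not; a genuine revoke returned by the ESM is still honoured in both.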
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PK05437
Reported component name
CICSTS 3.1 Z/OS
Reported component ID
5655M1500
Reported release
400
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2005-05-09
Closed date
2005-06-14
Last modified date
2005-07-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK04528
Modules/Macros
DESXSSB DFHXSSB
Fix information
Fixed component name
CICSTS 3.1 Z/OS
Fixed component ID
5655M1500
Applicable component levels
R400 PSY UK04528
UP05/06/21 P F506
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
01 July 2005