A fix is available
APAR status
Closed as program error.
Error description
5697E9300 Customer is making use of RACF exit ICHRIX01, which allows a specific userid signing on via CESN to not require a password. The exit does this by setting the RIXCKPSN flag (bypasses password validation), which omits the check that a password was entered for a particular userid. When CESN is used to sign on this specific userid for the first time, no password is entered and the ICHRIX01 exit does its job, which allows the signon to complete normally. However, subsequent signons using CESN with the same userid result in message DFHCE3523 indicating "Please type your password". If one or more characters are then entered into the Password field, the signon is again successful.

The inconsistency is due to two different paths taken in DFHUSAD. On initial signon, DFHUSAD does an ADD_USER_WITH_PASSWORD call, which causes the Directory Domain to be called to look up the userid in the USD1 directory. Because this is the initial signon, the userid is not found. This causes the first path to be taken, which ends up as a call to RACF from module DFHXSS for USER_SIGN_ON. RACF exit ICHRIX01 does its processing and all is well (good return code from RACF).

The second (inconsistent) path is taken in DFHUSAD when the Directory Domain lookup returns and the userid IS now found. DFHUSAD does NOT have to do the processing ending up with the call to RACF for the USER_SIGN_ON. Instead, within this second path, DFHUSAD realizes a password was not entered and produces the DFHCE3523 message asking for a password to be entered. This APAR is being taken to investigate the possibility of making both situations react the same for consistency.

ADDITIONAL INFORMATION:

With CICS Transaction Server (TS) 2.2 and 3.1 (before this APAR), a VERIFY PASSWORD with a blank USERID and blank PASSWORD will result in a NOTAUTH RESP with a RESP2=2. After the APAR/PTF for 3.1, it will result in an INVREQ RESP and a RESP2=32.

CICS TS 2.2 and 3.1 (before this APAR) with an invalid USERID and blank PASSWORD will result in a NOTAUTH RESP with a RESP2=2. After the APAR/PTF for 3.1, it will result in a USERIDERR RESP with a RESP2=8.

This is due to the change in DFHXSSB to remove code which automatically rejects INQUIRE_PASSWORD_DATA calls which are issued without passwords. Previously, a blank PASSWORD (treated as a zero-length password) would have been rejected by DFHXSSB before RACF was called for RACROUTE EXTRACT; this resulted in NOTAUTH. After this APAR/PTF, RACF is called and the response returned to the caller is based on RACF's error response. In either case, the VERIFY request is rejected validly, but with 3.1 after this APAR/PTF, the response codes are improved. See also PK05286 for CICS TS 2.3.
Local fix
Problem summary
USERS AFFECTED: All CICS users.

PROBLEM DESCRIPTION: Unexpected message DFHCE3523 indicating "Please type your password" when signing on with CESN.

RECOMMENDATION:

RACF exit ICHRIX01 is being used to allow a signon with a specific USERID where password checking is disabled. This allows an initial signon using CESN to succeed without the use of a password. Later on, CESN is used to sign on the same USERID at the same terminal, again with no password. This signon attempt is rejected by CICS with MSGDFHCE3523 indicating "Please type your password".

The problem occurs because the second signon is issued when the USERID/TERMID combination already exists in the CICS USD1 directory. When this occurs, the DFHUSAD ADD_USER_WITH_PASSWORD call takes a different path to the initial signon and automatically rejects it if no password is present. The initial signon will call the external security manager if no password is present and the signon will succeed providing the external security manager does not reject it.
Problem conclusion
DFHUSAD has been changed to detect when an initial ADD_USER_WITH_PASSWORD call succeeds without a password being present. When this happens, an indicator will be set in the USUD (user data block). When a subsequent ADD_USER_WITH_PASSWORD is made for the same USERID/TERMID combination which matches the USUD from the earlier signon, it will not be rejected by DFHUSAD. Instead, DFHUSAD will call external security domain to invoke the external security manager for this signon.

DFHXSSB has been changed to remove code which automatically rejects INQUIRE_PASSWORD_DATA calls which are issued without passwords.

The CICS TS 3.1 Supplementary Data Areas (LY33610800) will be changed. On page 590, the User Domain User Data Block (UDB) will be changed at offset (1E) so the reserved flags of flag byte USUD_USER_OPTIONS are altered from:

    Offset      Type  Len  Name(Dim)                Description
    ...1 111.              *                        Reserved

to:

    Offset      Type  Len  Name(Dim)                Description
    ...1 ....              USUD_VERIFY_NO_PASSWORD  No password
    .... 111.              *                        Reserved
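The two signon paths and the effect of the new USUD indicator can be followed in a small model. This is an added illustration, not CICS or RACF code: the class names, the `verify_no_password` key, the result strings other than DFHCE3523, and the sample userids and terminal id are all assumptions made for the example.

```python
# Added illustration: a simplified model of the two ADD_USER_WITH_PASSWORD
# paths. All names are hypothetical; this is not CICS or RACF code.

class Esm:
    """Stand-in for the external security manager and its exit."""
    def __init__(self, passwords, bypass_users):
        self.passwords = passwords
        self.bypass_users = set(bypass_users)  # exit skips the password check

    def user_sign_on(self, userid, password):
        if userid in self.bypass_users:
            return True
        return password != "" and self.passwords.get(userid) == password


class UserDomain:
    def __init__(self, esm, fixed):
        self.esm = esm
        self.fixed = fixed      # True models the behaviour after the PTF
        self.directory = {}     # (userid, termid) -> user data block

    def add_user_with_password(self, userid, termid, password):
        key = (userid, termid)
        block = self.directory.get(key)
        if block is not None and password == "":
            # Directory hit without a password: before the fix this path
            # never reaches the ESM and always asks for a password.
            if not (self.fixed and block["verify_no_password"]):
                return "DFHCE3523"
        # Directory miss, or any path that defers to the ESM (assumed here
        # for a directory hit with a password, which the page only says
        # succeeds for the exempt userid).
        if not self.esm.user_sign_on(userid, password):
            return "REJECTED"
        if block is None:
            # Record whether the first signon succeeded with no password.
            self.directory[key] = {"verify_no_password": password == ""}
        return "OK"


def signon_twice(fixed, userid="KIOSK", first_pw="", second_pw=""):
    # Constructed sample data: KIOSK is exempted by the exit, OPER1 is not.
    ud = UserDomain(Esm({"OPER1": "secret"}, {"KIOSK"}), fixed)
    return [ud.add_user_with_password(userid, "T001", first_pw),
            ud.add_user_with_password(userid, "T001", second_pw)]
```

In the model, the indicator only relaxes the directory-hit path for a user whose earlier signon was accepted without a password; a user who first signed on with a password is still prompted when the password is omitted.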
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PK09921
Reported component name
CICSTS 3.1 Z/OS
Reported component ID
5655M1500
Reported release
400
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2005-08-05
Closed date
2005-08-19
Last modified date
2007-01-17
APAR is sysrouted FROM one or more of the following:
PK05286
APAR is sysrouted TO one or more of the following:
UK06431
Modules/Macros
DESUSAD DESXSSB DFHUSAD DFHUSUDC DFHUSUDD DFHXSSB
LY33610800
Fix information
Fixed component name
CICSTS 3.1 Z/OS
Fixed component ID
5655M1500
Applicable component levels
R400 PSY UK06431
UP05/08/24 P F508
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
17 January 2007