IBM Support

PK09921: CESN IS INCONSISTENT WHEN USING RACF EXIT ICHRIX01

A fix is available


APAR status

  • Closed as program error.

Error description

  • 5697E9300
    Customer is making use of RACF exit ICHRIX01, which allows
    a specific userid signing on via CESN to not require a password.
    It does this by setting the RIXCKPSN flag (bypass password
    validation), which omits the check that a password was entered
    for a particular userid.
      When CESN is used to sign on this specific userid for the first
    time, no password is entered and the ICHRIX01 exit does its job,
    which allows the signon to complete normally. However, subsequent
    signons using CESN with the same userid result in message
    DFHCE3523 indicating "Please type your password". If one or
    more characters are then entered into the Password field, the
    signon is again successful.
      The inconsistency is due to two different paths taken in
    DFHUSAD. On initial signon, DFHUSAD does an
    ADD_USER_WITH_PASSWORD call, which causes the Directory Domain to
    be called to look up the userid in the USD1 directory. Because this
    is the initial signon, the userid is not found. This causes the
    first path to be taken, which ends up as a call to RACF from
    module DFHXSS for USER_SIGN_ON. RACF exit ICHRIX01 does its
    processing and all is well (good return code from RACF).
      The second (inconsistent) path is taken in DFHUSAD when the
    Directory Domain lookup returns and the userid IS now found.
    DFHUSAD does NOT have to do the processing ending up with the
    call to RACF for USER_SIGN_ON. Instead, within this second
    path, DFHUSAD realizes that no password was entered and produces
    the DFHCE3523 message asking for a password to be entered.
      This APAR is being taken to investigate the possibility of
    making both situations react the same way for consistency.
    
    ADDITIONAL INFORMATION:
      With CICS Transaction Server (TS) 2.2 and 3.1 (before this
    APAR), a VERIFY PASSWORD with a blank USERID and blank
    PASSWORD will result in a NOTAUTH RESP with a RESP2=2.  After
    the APAR/PTF for 3.1, it will result in an INVREQ RESP and a
    RESP2=32.  CICS TS 2.2 and 3.1 (before this APAR) with an
    invalid USERID and blank PASSWORD will result in a NOTAUTH
    RESP with a RESP2=2.  After the APAR/PTF for 3.1 it will
    result in a USERIDERR RESP with a RESP2=8.
      This is due to the change in DFHXSSB to remove code which
    automatically rejects INQUIRE_PASSWORD_DATA calls which are
    issued without passwords.  Prior to this, a blank PASSWORD
    (treated as a zero-length password) would have been rejected
    by DFHXSSB before RACF was called for RACROUTE EXTRACT; this
    resulted in NOTAUTH.  After this APAR/PTF, RACF is called and
    the response returned to the caller is based on RACF's error
    response.  In either case, the VERIFY request is validly
    rejected, but with 3.1 after this APAR/PTF, the response codes
    are improved.  See also PK05286 for CICS TS 2.3.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS users.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: Unexpected message DFHCE3523 indicating *
    *                      "Please type your password" when        *
    *                      signing on with CESN.                   *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    RACF exit ICHRIX01 is being used to allow a signon with a
    specific USERID where password checking is disabled. This allows
    an initial signon using CESN to succeed without the use of a
    password. Later on, CESN is used to signon the same USERID at
    the same terminal, again with no password. This signon attempt
    is rejected by CICS with MSGDFHCE3523 indicating "Please type
    your password".
    The problem occurs because the second signon is issued when the
    USERID/TERMID combination already exists in the CICS USD1
    directory. When this occurs, the DFHUSAD ADD_USER_WITH_PASSWORD
    call takes a different path from the initial signon and
    automatically rejects it if no password is present.
    The initial signon will call the external security manager if no
    password is present, and the signon will succeed provided the
    external security manager does not reject it.
    

Problem conclusion

  • DFHUSAD has been changed to detect when an initial
    ADD_USER_WITH_PASSWORD call succeeds without a password being
    present. When this happens, an indicator will be set in the
    USUD (user data block). When a subsequent ADD_USER_WITH_PASSWORD
    call is made for the same USERID/TERMID combination which matches
    the USUD from the earlier signon, it will not be rejected by
    DFHUSAD. Instead, DFHUSAD will call the external security domain
    to invoke the external security manager for this signon.
    DFHXSSB has been changed to remove code which automatically
    rejects INQUIRE_PASSWORD_DATA calls which are issued without
    passwords.
    
    The CICS TS 3.1 Supplementary Data Areas (LY33610800) will be
    changed. On page 590, the User Domain User Data Block (UDB) will
    be changed at offset (1E) so the reserved flags of flag byte
    USUD_USER_OPTIONS are altered from :-
    
    Offset  Type         Len        Name(Dim)     Description
    
            ...1 111.               *             Reserved
    
    to :-
    
    Offset  Type         Len        Name(Dim)     Description
    
            ...1 ....               USUD_VERIFY_  No password
                                    NO_PASSWORD
            .... 111.               *             Reserved
    
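    The following Python model is an added illustration of the two DFHUSAD
    paths described in the error description and of the USUD_VERIFY_NO_PASSWORD
    indicator introduced by the problem conclusion. It is not IBM code: the
    class and function names, the (userid, termid) dictionary standing in for
    the USD1 directory, the external_security_manager stub standing in for the
    DFHXSS call to RACF, and the PASSWORD_BYPASS_USERIDS set standing in for an
    ICHRIX01 exit that sets RIXCKPSN are all constructed assumptions. The
    fixed flag selects pre-APAR or post-APAR behaviour so the inconsistency
    and its removal can be replayed side by side.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Message text produced on the rejecting path (from the APAR text).
DFHCE3523 = "DFHCE3523 Please type your password"

# Constructed stand-in for the ICHRIX01 exit: for these userids the exit
# sets RIXCKPSN, so the ESM skips password validation entirely (assumption).
PASSWORD_BYPASS_USERIDS = {"BATCHOP"}

# Constructed credential table for userids that are NOT bypassed (assumption).
KNOWN_PASSWORDS = {"ALICE": "s3cret"}


def external_security_manager(userid: str, password: str) -> bool:
    """Stand-in for the USER_SIGN_ON call DFHXSS makes to RACF (assumption)."""
    if userid in PASSWORD_BYPASS_USERIDS:
        return True  # exit bypassed password validation, RACF returns good RC
    return password != "" and KNOWN_PASSWORDS.get(userid) == password


@dataclass
class Usud:
    """User data block entry held in the USD1 directory (simplified model)."""
    userid: str
    termid: str
    verify_no_password: bool = False  # models USUD_VERIFY_NO_PASSWORD


class Dfhusad:
    """ADD_USER_WITH_PASSWORD path selection; fixed=True models PK09921 applied."""

    def __init__(self, fixed: bool) -> None:
        self.fixed = fixed
        self.directory: Dict[Tuple[str, str], Usud] = {}  # models USD1

    def add_user_with_password(self, userid: str, termid: str, password: str) -> str:
        key = (userid, termid)
        usud = self.directory.get(key)
        if usud is None:
            # Path 1: directory lookup fails, so the ESM is always consulted.
            if not external_security_manager(userid, password):
                return "NOTAUTH"
            # Record whether this signon succeeded without a password. This is
            # the indicator the APAR introduces; pre-APAR code never consults it.
            self.directory[key] = Usud(userid, termid, verify_no_password=(password == ""))
            return "OK"
        # Path 2: USERID/TERMID already present in the directory.
        if password == "" and not (self.fixed and usud.verify_no_password):
            # Pre-APAR DFHUSAD rejects here without ever calling the ESM.
            return DFHCE3523
        # Post-APAR (or a password was typed): route to the ESM as path 1 does.
        if not external_security_manager(userid, password):
            return "NOTAUTH"
        return "OK"


def run_scenario(fixed: bool, attempts: List[Tuple[str, str, str]]) -> List[str]:
    """Replay CESN signon attempts (userid, termid, password) against one DFHUSAD."""
    usad = Dfhusad(fixed=fixed)
    return [usad.add_user_with_password(u, t, p) for u, t, p in attempts]


if __name__ == "__main__":
    # Constructed sequence matching the APAR narrative: first signon with no
    # password, second with no password, third with one character typed.
    attempts = [("BATCHOP", "T001", ""), ("BATCHOP", "T001", ""), ("BATCHOP", "T001", "x")]
    print("before PK09921:", run_scenario(False, attempts))
    print("after  PK09921:", run_scenario(True, attempts))
```

    Note that the indicator is only set when the initial signon actually
    succeeded without a password; a userid that the exit does not bypass still
    receives DFHCE3523 on a later passwordless signon, so the fix widens the
    path only for the case the exit has already authorised.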

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PK09921

  • Reported component name

    CICSTS 3.1 Z/OS

  • Reported component ID

    5655M1500

  • Reported release

    400

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2005-08-05

  • Closed date

    2005-08-19

  • Last modified date

    2007-01-17

  • APAR is sysrouted FROM one or more of the following:

    PK05286

  • APAR is sysrouted TO one or more of the following:

    UK06431

Modules/Macros

  • DESUSAD  DESXSSB  DFHUSAD  DFHUSUDC DFHUSUDD  DFHXSSB
    

Publications Referenced
  • LY33610800

Fix information

  • Fixed component name

    CICSTS 3.1 Z/OS

  • Fixed component ID

    5655M1500

Applicable component levels

  • R400 PSY UK06431

       UP05/08/24 P F508


