A fix is available
APAR status
Closed as program error.
Error description
In CICS TS 3.1, a successful EXEC CICS VERIFY PASSWORD will use RACROUTE EXTRACT commands to verify the password and no RACROUTE VERIFYX will be issued. If CICS determines that the password is invalid (by using RACROUTE EXTRACT commands) it will issue a RACROUTE VERIFYX to audit the failure. RACF will increment the REVOKECT figure for the RACF USERID at this point. If this is followed by a successful VERIFY PASSWORD against the same RACF USERID, there is no RACROUTE VERIFYX for the correct password so the REVOKECT does not get reset to zero. If this RACF USERID is used for a successful signon using something like CESN then the REVOKECT will get reset (CESN doesn't use EXEC CICS VERIFY PASSWORD for a SIGNON).
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All. * **************************************************************** * PROBLEM DESCRIPTION: Userid revoked unexpectedly. * **************************************************************** * RECOMMENDATION: * **************************************************************** Using the CICS Web support security sample (DFH$WBSA), a user attempts to sign on but enters an invalid password. DFH$WBSA uses EXEC CICS VERIFY PASSWORD to authenticate the user. On a failing EXEC CICS VERIFY PASSWORD, RACROUTE VERIFYX will increase the revoke count for the user. The user then enters a valid password. On a successful EXEC CICS VERIFY PASSWORD, RACROUTE VERIFYX is bypassed so the revoke count is never reset. This process is repeated several times, where the first time an invalid password is input, followed by a valid password. After several repetitions (the number being dependant on the installation setting), the userid is revoked and the following message displayed on the console: ICH70003I YOU HAVE EXCEEDED THE MAXIMUM NUMBER OF RACF PASSWORD ATTEMPTS. The password should only be revoked when the password is entered incorrectly on consecutive occasions. This affects anything that uses EXEC CICS VERIFY PASSWORD to authenticate userids. Additional keywords: DFHXS1203 MSGDFHXS1202 MSGICH70003I ADD_USER_WITH_PASSWORD
Problem conclusion
DFHXSSB has been changed to issue a VERIFYX when the userid revoke count is greater than zero.
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PK14518
Reported component name
CICSTS 3.1 Z/OS
Reported component ID
5655M1500
Reported release
400
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2005-11-03
Closed date
2006-01-23
Last modified date
2009-10-12
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK11076
Modules/Macros
DESXSSB DFHXSSB
Fix information
Fixed component name
CICSTS 3.1 Z/OS
Fixed component ID
5655M1500
Applicable component levels
R400 PSY UK11076
UP06/01/27 P F601
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.1","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
12 October 2009