PK35565: SUBSTITUTION OF DFHWS-USERID IS NOT HONORED ON AOR WHEN TRANSACTION IS DYNAMICALLY ROUTED

APAR status

  • Closed as program error.

Error description

  • When a web service request arrives at the TOR, it runs under a
    common transaction with little RACF protection, using the CICS
    default userid. A terminal handler in the pipeline extracts the
    userid from the SOAP header and replaces the userid and tranid
    in the containers DFHWS-USERID and DFHWS-TRANID.
    After substitution of the userid and tranid, the web service
    application runs under the RACF protection of the substituted
    userid, which provides the audit trail.

    If the web service is allowed to execute locally in the TOR, it is
    executed with the replaced userid as expected. If, however, the
    transaction stored in DFHWS-TRANID is routed to a backend AOR,
    the backend transaction runs under the substituted tranid, but
    it also runs under the CICS default userid rather than the userid
    substituted in DFHWS-USERID. A security violation is therefore
    produced because the default userid has no authority to the
    transaction.


Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS Users.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: A remote web service transaction        *
    *                      does not run under the supplied         *
    *                      DFHWS-USERID, irrespective of the       *
    *                      ATTACHSEC setting in the connection.    *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    CICS is being used as a web service provider. A handler program
    in the pipeline is used to change the userid by putting a value
    into the DFHWS-USERID container. The handler program also
    changes the transaction id that the web service will run under
    by putting a value into the DFHWS-TRANID container. The
    web service transaction is defined to run remotely across a
    connection defined as ATTACHSEC=IDENTIFY.
    When DFHZIS2 builds the FMH5 to pass to the remote system,
    the userid field is not updated from the Request Stream
    used to transport the web service request. This results in the
    userid of the current pipeline task being used and potential
    security violations on the target system.
    An additional problem fixed by this APAR is that DFHMRXM does
    an unnecessary ADD_USER_WITHOUT_PASSWORD call for non-terminal
    signon processing to add the associated userid to the US domain.
    However, there is no corresponding DELETE_USER call at task
    termination. The consequence is that the ACEE for the associated
    userid is never released, because the userid use count never
    goes to zero in the US domain.
    Additional keywords: USRDELAY DFHXS1111 msgDFHXS1111
                         MSGICH408I ICH408I ACF2 RACF


Problem conclusion

  • DFHZIS2 has been modified for Request Streams to extract the
    userid field and copy this into the FMH5 userid field.
    The unnecessary ADD_USER_WITHOUT_PASSWORD call has also been
    removed.
    

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PK35565

  • Reported component name

    CICSTS 3.1 Z/OS

  • Reported component ID

    5655M1500

  • Reported release

    400

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2006-12-01

  • Closed date

    2007-08-09

  • Last modified date

    2007-09-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PK48572 UK28062

Modules/Macros

  • DESMRXM  DESPGCH  DESRZCON DESRZRS  DESRZST
    DESRZTC  DESRZTR  DFHMRXM  DFHPGCH  DFHPGCHA DFHPGCHI DFHPGCHM
    DFHPGCHT DFHPGCRA DFHPGCRM DFHRZCON DFHRZRMC DFHRZRMD DFHRZRSC
    DFHRZRSD DFHRZRS1 DFHRZSO  DFHRZSOA DFHRZSOJ DFHRZSOM DFHRZSOT
    DFHRZSOV DFHRZSO1 DFHRZTA  DFHRZTAA DFHRZTAM DFHRZTAT DFHRZTCC
    DFHRZTCX DFHRZTRC DFHRZTRD DFHRZTR1 DFHZIS2


Fix information

  • Fixed component name

    CICSTS 3.1 Z/OS

  • Fixed component ID

    5655M1500

Applicable component levels

  • R400 PSY UK28062

       UP07/08/14 P F708


Document Information

Modified date:
04 September 2007