PK48343: WS-TRUST: UNABLE TO DIAGNOSE "FAILURE TO AUTHENTICATE"

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• When using the CICS supplied security handler, configured for
  STS Authentication in a Provider pipeline and expecting a
  specific name identity token, no message is issued if the
  specified token is not found in the request security header.
  Trace will indicate the issue in an exception trace but the
  problem can be caused by a mistake in the configuration of the
  security handler, either in the namespavce or local name
  supplied.
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: All CICS Users.                              *
  ****************************************************************
  * PROBLEM DESCRIPTION:  No message is issued when a CICS       *
  *                       supplied security handler is used      *
  *                       in a provider pipeline and an expected *
  *                       security token is not found to send to *
  *                       the STS.                               *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  The CICS supplied security handler was configured for
  STS Authentication in a Provider pipeline and expected a
  specific named identity token, but none was found in the
  security header for the request.
  DFHPITC (the CICS pipeline manager trust handler) issues
  a PI 170B exception trace entry to report the missing
  credentials but does not issue a message.
  
  Additional keywords: PI170B MISSING_CREDENTIALS msgDFHPI0514
  

Problem conclusion

• DFHPITC has been altered to issue a new message, DFHPI0514,
  to report the missing credentials.
  DFHMEPIE has been altered to add the new message.
  
  The CICS Transaction Server for z/OS Version 3 Release 2
  Messages and Codes manual, GC34-6827-00, has been altered
  to add message DFHPI0514, after message DFHPI0513, on page 758
  as follows:
  
  DFHPI0514  DATE TIME APPLID TRANID  The CICS
            pipeline manager has failed to find the required
            credentials in a request. An element :
            LOCAL_NAME  , in namespace:  NAMESPACE ,
            was expected.
  
  EXPLANATION:  The CICS pipeline manager trust handler,
  DFHPITC, failed to find the required credentials in a
  request, when it was expecting a specific type of identity
  token.  This is commonly due to the expected token type not
  being present in the message, but may be caused by a config-
  uration error in the security handler.
  
  SYSTEM ACTION:  A fault is created and the pipeline
  returns it to the requester.
  
  USER RESPONSE:  Check the CICS trace and the security
  handler configuration to determine the cause of the error.
  
  DESTINATION:  CPIO
  
  MODULE:  DFHPITC
  
  XMEOUT PARAMETERS: date, time, applid,
  tranid, local_name, namespace
  

Temporary fix

• FIX AVAILABLE BY PTF ONLY
  

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UK28473

Modules/Macros

•    DESPITC  DFHMEPIC DFHMEPIE DFHMEPIK DFHPITC
  DFHPITCA DFHPITCM DFHPITCT DFH48343
  

Fix information

• Fixed component name

  CICSTS V3 Z/OS

• Fixed component ID

  5655M1500

Applicable component levels

• R500 PSY UK28473

     UP07/08/25 P F708

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.