A fix is available
APAR status
Closed as program error.
Error description
When using CICS Transaction Gateway version 7 release 1 and IPIC connectivity, message DFHIS1027, which reports a security violation, is incorrectly produced by CICS for z/OS if the IPCONN in use has USERAUTH(VERIFY) specified. This occurs even though a valid userid and password are supplied to CICS via the CICS Transaction Gateway. The problem is due to incorrect processing of a password by DFHXSAD. DFHXSAD handles the password in an encoded form, but in doing so it calculates the password's length incorrectly. When the incorrect length is passed to an external security manager, the password itself is rejected as not authorized even though a correct password is in use.
Local fix
Problem summary
USERS AFFECTED: All CICS Users.
PROBLEM DESCRIPTION: MsgDFHIS1027 "Security violation has been detected using IPCONN" is issued when using IPCONN with USERAUTH(VERIFY).
RECOMMENDATION:
The CICS Transaction Gateway is communicating with CICS using an IPCONN connection installed with USERAUTH(VERIFY), and a userid with an encoded password is received by CICS. During ATTACH processing for the mirror transaction, DFHXSAD processes the userid and password in order to pass them to an external security manager. In processing the password, DFHXSAD incorrectly calculates the length of the password and supplies this incorrect length to the external security manager. This results in the password being unexpectedly rejected. CICS issues an exception trace entry: X'FE04' XSSA EXCEPTION PASSWORD_NOTAUTH, followed by message DFHIS1027, to report the resulting security violation.
Additional Keywords: CPMI CTG IPIC ICH408I msgICH408I RACF
Problem conclusion
DFHXSAD has been altered to correctly calculate the length of an encoded password.
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PK51587
Reported component name
CICSTS V3 Z/OS
Reported component ID
5655M1500
Reported release
500
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2007-08-23
Closed date
2007-09-06
Last modified date
2007-10-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK28917
Modules/Macros
DESXSAD DESXSDOM DFHXSAD
Fix information
Fixed component name
CICSTS V3 Z/OS
Fixed component ID
5655M1500
Applicable component levels
R500 PSY UK28917
UP07/09/09 P F709
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
02 October 2007