PK63063: QUERY SECURITY COMMAND WITH LOGMESSAGE(NOLOG) HAS NO EFFECT

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• Customer's application issues many EXEC CICS Query Security
  commands with the LOGMESSAGE(NOLOG) option specified so that
  security violation messages will not be produced. For example
  message BST120I being written to the console log and possisbly
  message DFHXS1111 being written to CICS logs.
  .
  These security violation messages are not true violations as
  a user is not truly trying to access a resource. The query
  security command is simply making a determination if a user is
  or is not ABLE to access a resource.
  .
  Hundreds to thousands of messages can be produced in this manner
  and many customers may not wish to have them logged for the
  reason given above.
  .
  The Basic Security Manager (BSM) is being used in this scenario.
  It was discovered that the BSM does not currently support
  message suppression. APARs DY46880 (z/VSE 3.1) and DY46812
  (z/VSE 4.1) will supply the capability within the BSM. It will
  require CICS to pass MSGSUPP=YES on the associated RACROUTE
  call to cause the messages to be suppressed.
  .
  .
  Additional Symptom(s) Search Keyword(s):KIXREVJXD
  

Local fix

• Apply appropriate VSE APAR mentioned above and request usermod
  DFHXSS.VSERLF from CICS support.
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: ALL                                          *
  ****************************************************************
  * PROBLEM DESCRIPTION: LOGMESSAGE(NOLOG) option of QUERY       *
  *                      SECURITY fails to suppress Basic        *
  *                      Security Manager messages when          *
  *                      querying an external resource.          *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  A Customer's application issues many EXEC CICS QUERY SECURITY
  commands, against an external resource, with the
  LOGMESSAGE(NOLOG) option. However, the request to suppress
  security messages is not being honored. Instead the VSE console
  contains many BST120I messages, each of which details a
  resource that had been the target of a QUERY SECURITY command.
  
  The lack of message suppression is due to there being no
  support for it in either CICS or z/VSE 3.1.1 or higher. For
  CICS, the RACROUTE call used to invoke the security manager did
  not request log message suppression. For z/VSE 3.1.1 or higher,
  the Basic Security Manager was found not to support this
  option, even when specified. That omission was corrected by the
  following VSE PTFs:-
  
       UD53333 ( APAR DY46880 ) - z/VSE V3.1
       UD53271 ( APAR DY46812 ) - z/VSE V4.1
  
  
  Additional Keyword: DFHXSS BSM msgBST120I
  

Problem conclusion

• Module DFHXSSC has been amended. The MSGSUP=YES option has been
  added to the RACROUTE call used when log message suppression has
  been requested.
  

Temporary fix

• FIX AVAILABLE BY PTF ONLY
  

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UK36931

Modules/Macros

•    DESXSSC  DFHXSSC
  

Fix information

• Fixed component name

  CICSTS FOR VSE

• Fixed component ID

  564805400

Applicable component levels

• RB0P PSY UK36931

     UP08/05/30 P E420

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.