A fix is available
APAR status
Closed as program error.
Error description
You would like to allow both basic authentication and client authentication on the same TCPIPSERVICE definition. You change your TCPIPSERVICE from SSL(YES) and AUTHENTICATE(BASIC) to SSL(CLIENTAUTH) and AUTHENTICATE(AUTOMATIC). Now, when the client connects using basic authentication, they receive message ICH70001I. A client connecting with a client certificate does not receive this message. The ICH70001I messages are excessive in a production environment since you have many connections that will continue to use basic authentication. The messages get issued because CICS is attempting to register the client certificate to the userid obtained via basic authentication in the case where there is not a certificate. The registration should only be done if a valid certificate and userid have been supplied. Additional Symptom(s) Search Keyword(s): ICH70001I userid LAST ACCESS AT hh:mm:ss ON day_of_week, month, day, year MSGICH70001I KIXREVSCB
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All CICS users * **************************************************************** * PROBLEM DESCRIPTION: Message ICH70001I is issued for every * * client request not passing a * * certificate when using AUTOMATIC * * authentication. * **************************************************************** * RECOMMENDATION: * **************************************************************** A TCPIPSERVICE with an AUTHENTICATE attribute of AUTOMATIC has been installed. A client makes requests without sending a certificate so the server uses HTTP basic authentication. For every request from the client for which the server expects authentication information the following message is issued: ICH70001I userid LAST ACCESS AT hh:mm:ss ON day_of_week, month, day, year When AUTOMATIC authentication is used, but the client does not supply a certificate, CICS still tries to register a certificate in RACF and message ICH7001I is issued for every client request. Additional keywords:msgICH70001I Authenticate_user INITACEE
Problem conclusion
DFHWBSR has been altered so that RACF is no longer called when a TCPIPSERVICE specifies AUTHENTICATE(AUTOMATIC) and a client certificate is not supplied.
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PK90113
Reported component name
CICSTS V3 Z/OS
Reported component ID
5655M1500
Reported release
500
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-06-29
Closed date
2009-09-04
Last modified date
2009-10-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PK93352 UK49878
Modules/Macros
DESWBAP DESWBDM DESWBRQ DESWBRQF DESWBSR DESWBXM DFHWBAP DFHWBAPA DFHWBAPF DFHWBAPJ DFHWBAPM DFHWBAPT DFHWBAPV DFHWBDM DFHWBRQD DFHWBRQS DFHWBSR DFHWBSRA DFHWBSRM DFHWBSRT DFHWBXM DFHWBXMA DFHWBXMT
Fix information
Fixed component name
CICSTS V3 Z/OS
Fixed component ID
5655M1500
Applicable component levels
R500 PSY UK49878
UP09/09/09 P F909
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.2","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.2","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
02 October 2009