A fix is available
APAR status
Closed as program error.
Error description
When the CICS Atom feed manager links to one of the CICS-supplied service routines (DFHW2FI or DFHW2TS), and SEC=YES and XPPT=YES are both active, an unexpected security violation may occur. The violation is treated as a logic error and results in an HTTP 500 (Server Error) response. When a custom service routine is used but the client userid is not authorized to link to it, a security violation should occur, but it should cause an HTTP 403 (Forbidden) response, not a 500.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All CICS users                               *
****************************************************************
* PROBLEM DESCRIPTION: Message DFHXS1111 'Security violation'  *
*                      is issued when one of the CICS          *
*                      supplied Atom service routines          *
*                      (DFHW2FI or DFHW2TS) is referenced.     *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
If program link resource security is active (SEC=YES, XPPT=YES), a security violation may occur when one of the CICS-supplied Atom service routines (DFHW2FI or DFHW2TS) is referenced. The violation is not handled and causes an HTTP 500 "Service routine error" message to be sent to the client, and message DFHXS1111 is issued. A security violation should not occur when CICS is accessing its own internal programs (DFHW2FI and DFHW2TS). If a user-supplied service routine is specified using RESOURCETYPE(PROGRAM) in the ATOMSERVICE definition, and the end user is not authorized to access it, then a security violation should occur, but it should cause an HTTP 403 (Forbidden) response instead of an HTTP 500.
Additional keyword: msgDFHXS1111
Problem conclusion
DFHXSRC will be modified to omit the security check for programs DFHW2FI and DFHW2TS. DFHW2FD will be modified to handle a NOT AUTHORIZED response from the LINK to a custom service routine, and will respond with an HTTP 403 response instead of an HTTP 500.
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PK93369
Reported component name
CICS TS Z/OS V4
Reported component ID
5655S9700
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-08-07
Closed date
2009-09-18
Last modified date
2009-10-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK50190
Modules/Macros
DESW2FD DESXSRC DFHW2FD DFHXSRC
Fix information
Fixed component name
CICS TS Z/OS V4
Fixed component ID
5655S9700
Applicable component levels
R600 PSY UK50190
UP09/09/23 P F909
Fix is available
Document Information
Modified date:
02 October 2009