PK94753: SECURITY VIOLATION AGAINST USERID LESS THAN 8 CHARACTERS

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• Customer is implementing CICS Web Support and testing the
  DFH$WB1A sample. The BSM (Basic Security Manager) is being used
  as the Security Manager. Message DFHXS1111 is being issued by
  CICS to indicate a security violation during the access check of
  the userid against transacton CWBA (alias transaction). Security
  prefixing is being used (SECPRFX=YES in DFHSIT) thus the
  resource being checked is userid.CWBA where 'userid' is less
  than 8 characters. The resource is correctly defined to the BSM
  and the userid does have access. However, the BSM is unable to
  find the resource as CICS has passed userid_length of 8. The BSM
  returns with return and reason codes of 8,0,8,4 to indicate
  NOTAUTH.
    The problem is within DFHWBXM's INIT_XM_CLIENT processing
  where he calls DFHUSAD for ADD_USER_WITHOUT_PASSWORD and
  passes a userid_length of 8. DFHWBXM is hard coding       _
  which is passing the userid_length of 8. DFHWBXM is hard coding
  userid_length with a load address command instead of determining
  the real length of the userid.
  .
  Additional keywords: INIT XM CLIENT  ADD USER WITHOUT PASSWORD
                       ADD_USER USAD
  KIXREVSCB
  

Local fix

• Use an 8 byte userid
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: All CICS users.                              *
  ****************************************************************
  * PROBLEM DESCRIPTION: Security violation when using the CICS  *
  *                      Web Support with a default userid that  *
  *                      is less than 8 characters long.         *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  If a CICS Web Support request is processed and the userid is
  not specified, the DFLTUSER SIT parameter is used. DFHWBXM
  issues an INQUIRE_DEFAULT_USER call to get the default userid
  followed by an ADD_USER_WITHOUT_PASSWORD call.
  
  The ADD_USER_WITHOUT_PASSWORD call always passes a length of
  8 for the userid. When this userid is used later to actually
  check the authority to use CWBA, it is possible that the
  userid is passed incorrectly to the BSM. However, the DFHXS1111
  error message will show the userid correctly, and checking the
  authorisation for that userid will show that it should be
  able to use CWBA.
  
  If the default userid is 8 characters long or it is a Systems
  Administrator type, the error does not occur.
  
  This results in CICS DFHXS1111 and VSE BST120I security messages
  for transaction CWBA, e.g.
  
  DFHXS1111 date time applid CWBA Security violation by user xxxx
  for resource CWBA in class TCICSTRN. SAF codes are (X'00000008',
  X'00000000'). ESM codes are (X'00000008',X'00000000').
  BST120I USER(xxxx    ) NAME(xxxxxxxxxxxxxxxxxxxx)
  BST120I   CWBA CL(TCICSTRN)
  BST120I   INSUFFICIENT ACCESS AUTHORITY
  BST120I   FROM CWBA
  BST120I   ACCESS INTENT(READ    ) ACCESS ALLOWED(NONE    )
  
  Additional keywords: msgDFHXS1111 msgBST120I PQ86975
  

Problem conclusion

• DFHWBXM has been changed to set the actual length of the userid
  on the ADD_USER_WITHOUT_PASSWORD call.
  

Temporary fix

• FIX AVAILABLE BY PTF ONLY
  

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UK51186

Modules/Macros

•    DESWBXM  DFHWBXM
  

Fix information

• Fixed component name

  CICSTS FOR VSE

• Fixed component ID

  564805400

Applicable component levels

• RB0P PSY UK51186

     UP09/10/23 P E422

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.