A fix is available
APAR status
Closed as program error.
Error description
Customer is implementing CICS Web Support and testing the DFH$WB1A sample. The BSM (Basic Security Manager) is being used as the Security Manager. Message DFHXS1111 is being issued by CICS to indicate a security violation during the access check of the userid against transaction CWBA (alias transaction). Security prefixing is being used (SECPRFX=YES in DFHSIT), thus the resource being checked is userid.CWBA, where 'userid' is less than 8 characters. The resource is correctly defined to the BSM and the userid does have access. However, the BSM is unable to find the resource because CICS has passed a userid_length of 8. The BSM returns with return and reason codes of 8,0,8,4 to indicate NOTAUTH.
The problem is within DFHWBXM's INIT_XM_CLIENT processing, where it calls DFHUSAD for ADD_USER_WITHOUT_PASSWORD and passes a userid_length of 8. DFHWBXM is hard coding userid_length with a load address command instead of determining the real length of the userid.
Additional keywords: INIT XM CLIENT ADD USER WITHOUT PASSWORD ADD_USER USAD KIXREVSCB
Local fix
Use an 8 byte userid
Problem summary
****************************************************************
* USERS AFFECTED: All CICS users.                              *
****************************************************************
* PROBLEM DESCRIPTION: Security violation when using the CICS  *
*                      Web Support with a default userid that  *
*                      is less than 8 characters long.         *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
If a CICS Web Support request is processed and the userid is not specified, the DFLTUSER SIT parameter is used. DFHWBXM issues an INQUIRE_DEFAULT_USER call to get the default userid followed by an ADD_USER_WITHOUT_PASSWORD call. The ADD_USER_WITHOUT_PASSWORD call always passes a length of 8 for the userid. When this userid is used later to actually check the authority to use CWBA, it is possible that the userid is passed incorrectly to the BSM. However, the DFHXS1111 error message will show the userid correctly, and checking the authorisation for that userid will show that it should be able to use CWBA. If the default userid is 8 characters long or it is a Systems Administrator type, the error does not occur.
This results in CICS DFHXS1111 and VSE BST120I security messages for transaction CWBA, e.g.
DFHXS1111 date time applid CWBA Security violation by user xxxx for resource CWBA in class TCICSTRN. SAF codes are (X'00000008', X'00000000'). ESM codes are (X'00000008',X'00000000').
BST120I USER(xxxx ) NAME(xxxxxxxxxxxxxxxxxxxx)
BST120I CWBA CL(TCICSTRN)
BST120I INSUFFICIENT ACCESS AUTHORITY
BST120I FROM CWBA
BST120I ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
Additional keywords: msgDFHXS1111 msgBST120I PQ86975
Problem conclusion
DFHWBXM has been changed to set the actual length of the userid on the ADD_USER_WITHOUT_PASSWORD call.
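An added triage example, not IBM code: it scans log lines for DFHXS1111 violations that match the symptom described above (transaction CWBA, class TCICSTRN, SAF return code 8, userid shorter than 8 characters). The message layout is taken from the sample in the problem summary; the dates, applids and userids in the sample lines are constructed, and the function name is hypothetical.

```python
import re

# Layout follows the DFHXS1111 text quoted in the problem summary.
DFHXS1111 = re.compile(
    r"DFHXS1111\s+\S+\s+\S+\s+(?P<applid>\S+)\s+(?P<tran>\S+)\s+"
    r"Security violation by user\s+(?P<user>\S+)\s+"
    r"for resource\s+(?P<resource>\S+)\s+in class\s+(?P<cls>\w+)\.\s+"
    r"SAF codes are\s+\(X'(?P<saf_rc>[0-9A-F]{8})',\s*X'[0-9A-F]{8}'\)"
)

def apar_candidates(lines):
    """Return (applid, user, resource) for violations that fit this APAR's symptom."""
    hits = []
    for line in lines:
        m = DFHXS1111.search(line)
        if m is None:
            continue
        # With SECPRFX=YES the checked resource is prefix.CWBA; compare the last qualifier.
        transaction = m["resource"].rsplit(".", 1)[-1]
        if (transaction == "CWBA" and m["cls"] == "TCICSTRN"
                and int(m["saf_rc"], 16) == 8   # SAF return code 8
                and len(m["user"]) < 8):        # 8-character userids are not affected
            hits.append((m["applid"], m["user"], m["resource"]))
    return hits

# Constructed sample log lines (dates, applids and userids are made up).
_TAIL = ("in class TCICSTRN. SAF codes are (X'00000008', X'00000000'). "
         "ESM codes are (X'00000008',X'00000000').")
SAMPLE_LOG = [
    f"DFHXS1111 08/26/2009 10:15:02 CICSA1 CWBA Security violation by user WEBUSR for resource CWBA {_TAIL}",
    f"DFHXS1111 08/26/2009 10:15:09 CICSA1 CWBA Security violation by user WEBUSER1 for resource CWBA {_TAIL}",
    f"DFHXS1111 08/26/2009 10:16:40 CICSA1 PAYR Security violation by user OPS1 for resource PAYR {_TAIL}",
    "BST120I INSUFFICIENT ACCESS AUTHORITY",
]

if __name__ == "__main__":
    for applid, user, resource in apar_candidates(SAMPLE_LOG):
        print(f"{applid}: user {user} denied {resource}; compare BSM definitions and PTF level")
```

A hit is only a candidate: the same message is issued when the userid really lacks access, so confirm against the BSM definitions before attributing it to this APAR.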
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PK94753
Reported component name
CICSTS FOR VSE
Reported component ID
564805400
Reported release
B0P
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-08-26
Closed date
2009-10-19
Last modified date
2010-03-24
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK51186
Modules/Macros
DESWBXM DFHWBXM
Fix information
Fixed component name
CICSTS FOR VSE
Fixed component ID
564805400
Applicable component levels
RB0P PSY UK51186
UP09/10/23 P E422
Document Information
Modified date:
24 March 2010