PM03817: DFHXS1111 & DFHAC2003 FOR TRANSACTIONS STARTED OVER ISC SESSIONS

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• Customer has a ISC connection to CICS TS VSE 1.1.1 . CICS TS VSE
  is the AOR in this case .During normal work DFHXS1111 and
  DFHAC2003 comes up for the transcations started over the ISC
  connection/session .
  The first DFHXS1111 and DFHAC2003 both refer to CICSUSER.
  Subsequent DFHXS1111 refer to CICSUSER whereas DFHAC2003 refer
  to CICSPROD!
  DFLTUSER:
  On z/VSE AOR (DCIA) is CICSUSER.
  Region USERID:
  On z/VSE AOR (DCIA) is CICSPROD.
  Connection definition shows
  SECURITYNAME(CICSPROD) ATTACHSEC(LOCAL)
  A CEMT PERFORM SECURITY REBUILD did not solve the issue.
  Only a restart of CICS TS VSE solved it.
  CICS internal trace shows that in the failing case the wrong
  security token is used at the session TCTTE and therefore the
  DFHXS1111 comes up.
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: All CICS users.                              *
  ****************************************************************
  * PROBLEM DESCRIPTION: Unexpected DFHXS1111, DFHAC2003 and     *
  *                      BST120I messages when using ISC         *
  *                      connection with ATTACHSEC(LOCAL).       *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  When using transaction routing over ISC where CICS security is
  active and link security is predefined using ATTACHSEC(LOCAL),
  it is possible to receive VSE message BST120I ('INSUFFICIENT
  ACCESS AUTHORITY') followed by CICS messages DFHXS1111 and
  DFHAC2003, even though the security was set up correctly.
  The ISC connection and sessions have predefined security
  correctly set by ATTACHSEC(LOCAL) with a SECURITYNAME that is
  correctly defined to VSE security.
  
  The use of transaction routing results in the creation of a
  surrogate TCTTE on the AOR. The terminal sharing program
  DFHZTSP performs a SIGNON_SURROGATE operation to transfer
  the link security to the surrogate, leaving the link with only
  default security. When a transaction terminates normally on the
  AOR, DFHZTSP performs a SIGNOFF_SURROGATE to restore the APPC
  session security. However in this case an RTIMOUT abend caused
  DFHZTSP's error routine to be driven and this incorrectly freed
  the session without first restoring its security. The session
  was then reused and the signoff was never performed, leaving
  it with only default security.
  
  When subsequent transactions use the link they failed due to
  inadequate authority and CICS had to be restarted.
  
  Additional keywords: msgBST120I msgDFHXS1111 msgDFHAC2003
  

Problem conclusion

• DFHZTSP has been changed to remove the DFHTC TYPE=FREE that
  frees the session. This has been moved to DFHZISP so that it
  is executed just before the session security is restored.
  

Temporary fix

• FIX AVAILABLE BY PTF ONLY
  

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UK55073

Modules/Macros

•    DFHZISP  DFHZTSP
  

Fix information

• Fixed component name

  CICSTS FOR VSE

• Fixed component ID

  564805400

Applicable component levels

• RB0P PSY UK55073

     UP10/03/11 P E430

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.