IBM Support

PM23147: DFHIS1027 MESSAGE REPORTS SECURITY VIOLATION FOR WRONG USERID

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Within an IPIC enviornment, with USERAUTH coded to IDENTIFY
    or VERIFY, a security violation detected against a requesting
    userid will result in message DFHIS1027 being issued to report
    a security violation against the CICS region default userid.
    The security violation (in this case) is expected because the
    requesting userid does not have access to the transaction trying
    to be run. However, the DFHIS1027 message is reporting the
    violation against the CICS default userid. The DFHIS1027 message
    should report the userid that actually experienced the violation
    .
    ADDITIONAL KEYWORDS: MSGDFHIS1027 initialize_receiver
    add_user_without_password add_user add user without password
    set_user_token set token primary_client_init primary init
    usxm_init usxm sec_violation_detected sec detected
    .
    KIXREVDAM
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS Users                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: IPIC security violation message         *
    *                      DFHIS1027 reports the wrong userid.     *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The userid reported in the DFHIS1027 message is the
    transaction's userid. However, the security violations being
    reported by this message occur before the transaction
    switches to use the input userid, so at attach time this
    message is issued, the transaction is still running with the
    default userid. This means that the userid reported in the
    DFHIS1027 message is not userid that failed the security check.
    

Problem conclusion

  • The code has been changed to save the input userid,
    if supplied, and to report this in the DFHIS1027 message
    instead, as this will be the userid that failed the security
    check. If no userid was supplied or can be obtained, then
    '????????' will be displayed.
    
      In the CICS Transaction Server for z/OS Version 3 Release
      CICS Supplementary Data Areas manual, GC34-6864-02,replace
      the following portion of the 'ISSB - IS Session Block'
    
         "Offset Type  Len Name (dim)   Description
           Hex
    
          (A0) FULLWORD 4 ISSB_MSG_SEQNO   last msg
                                           sequence no.
                                           sent/received
          (A4) CHARACTER 2 ISSB_COMMAND    conversation
                                           level command
                                           in progress
          (A6) UNSIGNED 2 ISSB_CHAIN_SEQ_S last chain
                                           sequence no.
                                           sent
          (A8) UNSIGNED 2 ISSB_CHAIN_SEQ_R last chain
                                           sequence no.
                                           received
          (AA) UNSIGNED 2 ISSB_CCSID       client ccsid
                                           (0=no
                                           conversion)
          (AC) UNSIGNED 1 ISSB_CHAIN_COUNT no.of chain
                                           elems since
                                           pacing sent
          (AD) CHARACTER 0 ISSB_FIELDS_TAIL"
    
          with:-
    
         "Offset Type  Len Name (dim)   Description
           Hex
    
          (A0) FULLWORD 4 ISSB_MSG_SEQNO   last msg
                                           sequence no.
                                           sent/received
          (A4) CHARACTER 2 ISSB_COMMAND    conversation
                                           level command
                                           in progress
          (A6) UNSIGNED 2 ISSB_CHAIN_SEQ_S last chain
                                           sequence no.
                                           sent
          (A8) UNSIGNED 2 ISSB_CHAIN_SEQ_R last chain
                                           sequence no.
                                           received
          (AA) UNSIGNED 1 *
          (AB) UNSIGNED 1 ISSB_CHAIN_COUNT no.of chain
                                           elems since
                                           pacing sent
          (AC) UNSIGNED 2 ISSB_CCSID       client ccsid
                                           (0=no
                                           conversion
                                           -1=use
                                           CLINTCP)
          (B0) CHARACTER 10 ISSB_INPUT_USERID   userid
                                                received
                                                in is8
          (BA) CHARACTER 0 ISSB_FIELDS_TAIL"
    

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PM23147

  • Reported component name

    CICSTS V3 Z/OS

  • Reported component ID

    5655M1500

  • Reported release

    500

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-09-23

  • Closed date

    2010-12-29

  • Last modified date

    2011-01-14

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PM27255 UK63543

Modules/Macros

  •    DESISAL  DESISCO  DESISDM  DESISDUF DESISEM
    DESISIC  DESISIF  DESISIS  DESISRE  DESISRR  DESISSR  DESISST
    DESISTRI DESISUE  DESISUOW DESISXM  DESISZA  DFHISAL  DFHISALA
    DFHISALM DFHISALT DFHISBU  DFHISCO  DFHISCOA DFHISCOM DFHISCOP
    DFHISCOT DFHISCU  DFHISDCC DFHISDM  DFHISDUF DFHISEM  DFHISEMA
    DFHISEMM DFHISEMP DFHISEMT DFHISIC  DFHISICA DFHISICM DFHISICT
    DFHISIS  DFHISISA DFHISISM DFHISIST DFHISJU  DFHISRE  DFHISREA
    DFHISREM DFHISRET DFHISRR  DFHISRRA DFHISRRM DFHISRRP DFHISRRT
    DFHISSR  DFHISSRA DFHISSRM DFHISSRT DFHISST  DFHISTRI DFHISUE
    DFHISXM  DFHISZA  DFHISZAA DFHISZAM DFHISZAT
    

Publications Referenced
GC34686402    

Fix information

  • Fixed component name

    CICSTS V3 Z/OS

  • Fixed component ID

    5655M1500

Applicable component levels

  • R500 PSY UK63543

       UP10/12/31 P F012

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.2","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.2","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
14 January 2011