A fix is available
APAR status
Closed as program error.
Error description
Customer has a process which periodically inquires on the CPSM workload status of a region using CPSM API calls. Recently he had a problem with a user getting a NOTPERMIT USRID condition. The CRCK entry indicated the correct RACF profile was checked and completed successfully. However, the PostExec entry showed the GET_cmd completed with NOTPERMIT USRID. The WABW MAL for the GET request was failing on a remote CMAS with an authorization failure. The customer confirmed this user does not have access to this system and feels it should not matter, from a business perspective, that a user running on System A does not have access to System B. Additional Keyword(s) and Symptom(s): KIXREVBDB
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All CICSPlex SM V4R1M0 and V4R2M0 Users * **************************************************************** * PROBLEM DESCRIPTION: You execute an API program in a * * CICSplex which spans LPARs with dif- * * fering security environments. If a * * request is rejected by the external * * security manager (ESM) in one or more * * CMASes, a response of NOTPERMIT and a * * reason of USRID is returned to the * * API program with no data, even though * * the request may have executed success- * * fully in other CMASes. * **************************************************************** * RECOMMENDATION: After applying the PTF that resolves this * * APAR, all CMASes and MASes must be recycled * * to pick up the updated code. Note that the * * restarts do not need to be done at the same * * time. * **************************************************************** When CPSM's Single System Image component does not receive the same response for a request from all target systems, the most severe response and reason code are propagated to the user. If a security validation exception was detected in one or more CMASes to which a request was routed, no data is returned to the caller even though the request may have executed successfully and retrieved data in other targets.
Problem conclusion
API modules EYU0XDP1 (XDP1 - API GET Processor), EYU0XDER (XDER - First Level MAS API Router), and EYU0ABM0 (ABM0 - First Level Batch API Router) were modified to return available data which the user is authorized to access, if the response and reason indicate that a security exception was detected in one or more CMASes to which a request was routed. A new CICSPlex SM system parameter (EYUPARM) of SECRPTLVL was defined to allow administrators to tailor the response returned to the caller if an API request results in a security validation exception. Specifying SECRPTLVL(NONE) causes the API command to return a response of OK or NODATA depending on whether data was received from other CMASes. SECRPTLVL(RESPONSE), the default, causes the API to return RESPONSE=NOTPERMIT, REASON=USRID. SECRPTLVL(DETAIL) results in the generation of a result set of MASQRYER resources identifying the system or systems in which a request was denied by the external security manager. MASQRYER resources can be retrieved by executing the FETCH command, and passing the QUERYERROR parameter.
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PM42117
Reported component name
CICS TS Z/OS V4
Reported component ID
5655S9700
Reported release
60M
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-06-21
Closed date
2011-08-04
Last modified date
2011-09-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK70494 UK70495
Modules/Macros
EYURXLEB EYUTXLPD EYU0ABM0 EYU0UQGQ EYU0XDER EYU0XDP1 EYU0XLBV EYU0XLSD EYU0XQGQ
GC34699501 | GC34717100 |
Fix information
Fixed component name
CICS TS Z/OS V4
Fixed component ID
5655S9700
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.1","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
01 September 2011