A fix is available
APAR status
Closed as program error.
Error description
Your CMAS comes up and issues message EYUXL0010I CMAS initialization complete. Yet your WUI and other MASes can not connect to the CMAS. In the CMAS job output, you may find various DFHAC2003 messages for a number of different CPSM-owned transactions, such as the following: . DFHAC2003 Security violation has been detected term id = ????, trans id = XMLT, userid = xxxxxxx. . The problem is that although CPSM issued START requests for the transactions it needed, some may have failed at task attach time due to a security violation. The symptoms of this type of problem may vary widely, as it depends upon the tasks that fail to start. This APAR is being submitted to have CPSM check and ensure it has proper authority in the ESM for its transactions during CMAS or MAS initialization, and take action based on those findings. . Additional Symptoms/Keywords: KIXREVSVR
Local fix
Ensure that no CPSM tasks encounter security violations and are able to run.
Problem summary
**************************************************************** * USERS AFFECTED: All CICSPlex SM V4R1M0 and V4R2M0 Users * **************************************************************** * PROBLEM DESCRIPTION: You start a CMAS, a CPSM managed * * CICS region (MAS), or a CICS System * * Managed Single Server (SMSS) and * * notice instances of message: * * . * * DFHAC2003 Security violation has * * been detected term id = ????, * * trans id = cccc, userid = xxxxxxx. * * . * * where each cccc is a CPSM transaction * * ID identified in CICS Transaction * * Server for z/OS RACF Security Guide * * and xxxxxxxx is the CICS region userid. * * Your CPSM region experiences various * * problems including, but not limited to, * * spontaneous shutdown of your CMAS or * * the MAS agent in your MAS, failure of * * specific functions (for example MASes * * or API programs which fail to connect * * to the CMAS or failure of communica- * * tions between CMASes), or inoperative * * CPSM services. * **************************************************************** * RECOMMENDATION: After applying the PTF that resolves this * * APAR, all CMASes and MASes must be recycled * * to pick up the new code. Note that the * * restarts do not need to be done at the same * * time. * **************************************************************** CPSM has a number of internal transactions which are started during CPSM agent initialization, or later for transient func- tions. These transactions are usually started under the region userid. If one or more of the transaction IDs are not defined, or are defined incorrectly, to the external security manager, START commands for affected transactions will return a normal response but a security exception will occur when transaction manager attempts to start the transaction. Message DFHAC2003 is issued and the function provided by the failed transaction will not be available, but because the START command returned a normal response, the task which initiated the START is not notified of the failure. In extreme cases this may result in spontaneous shutdown of the CMAS or the MAS agent, but symptoms vary widely depending upon which transactions failed and the functions that they are designed to provide.
Problem conclusion
The modules responsible for creating required resources in a CMAS (EYU9XLCD), MAS (EYU9NXLM), and SMSS region (EYU9NXRM) were modified to execute QUERY SECURITY RESTYPE(TRANSATTACH) for each internal CPSM transaction. New messages EYUXL0158E (in a CMAS) or EYUNX0102E (in a MAS or SMSS) will be issued for each trans- action which is not defined properly to the external security manager. If the region userid does not have permission to START one or more transactions, message EYUXL0159E (in a CMAS) or EYUNX0103E (in a MAS or SMSS) will be issued, and the CMAS region, or the MAS agent in a MAS or SMSS, will shut down. After correctly defining any identified transactions to the external security manager, the CMAS region or MAS agent may be restarted.
Temporary fix
********* * HIPER * ********* FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PM60036
Reported component name
CICS TS Z/OS V4
Reported component ID
5655S9700
Reported release
70M
Status
CLOSED PER
PE
NoPE
HIPER
YesHIPER
Special Attention
NoSpecatt
Submitted date
2012-03-08
Closed date
2012-03-16
Last modified date
2012-04-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK77139 UK77140
Modules/Macros
EYUTXEMS EYUUNAEQ EYUUXLEQ EYU9NXLM EYU9NXRM EYU9XLCD
Fix information
Fixed component name
CICS TS Z/OS V4
Fixed component ID
5655S9700
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.2","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.2","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
03 April 2012