IBM Support

PK08152: LONG TIME TO WAIT TO PICK UP USER SECURITY CHANGE

A fix is available


APAR status

  • Closed as program error.

Error description

  • The CPSM administrator adds a user to an existing group with
    authority to access CPSMOBJ.  But, when the user tries to
    interact with those resources, they get a security failure.
    RACF issues message ICH408I.
      If the user stays logged off CPSM long enough, they are able
    to use the resources.
    .
      CPSM's CMAS caches the ACEE in a similar way to CICS.
    With CICS, if you change a user, e.g. by connecting them to a
    new group, you need to get the ACEE refreshed. You can do this
    by signing off CICS and back on again (to update a local
    region).  But, if you have used remote CICS resources, you have
    to leave the user unused for the USRDELAY period (set in the
    remote region).  CICS can then flush the ACEE remembered for
    the user.
    .
      CICSPlex SM has a similar scheme.  Although CPSM runs in a
    CICS region, it does not use CICS security services.
    When CICSPlex SM automatically signs on the user in the CMAS,
    the ACEE is cached for at least 60 minutes after it is last
    used, because the scan for unused ACEEs is scheduled to run
    every 60 minutes after CMAS startup, and it is only then that
    ACEEs that have not been used for 60 minutes are removed.
      This means that in the worst case scenario, you might have to
    wait up to almost 120 minutes for the ACEE to be deleted.
    .
      Unlike CICS's USRDELAY, the CPSM timeout value (60 minutes)
    is not externalised. There are no commands to forcibly remove a
    user from the CMAS's ACEE cache.
    .
      It is proposed that a CMAS EYUPARM be created to specify a
    timeout value.  The customer could then shorten the amount of
    time needed for CPSM to remove the old ACEE.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICSPlex SM V3R1M0 Users.                *
    ****************************************************************
    * PROBLEM DESCRIPTION: After connecting a CICSPlex SM EUI, API *
    *                      or WUI User to a new RACF group, the    *
    *                      updated access is not picked up in the  *
    *                      CMAS for up to two hours after the User *
    *                      has not used CICSPlex SM.               *
    ****************************************************************
    * RECOMMENDATION: After applying the PTF that resolves this    *
    *                 APAR, all CMASes and WUI Servers must be     *
    *                 recycled to pick up the new code.  Note      *
    *                 that the restarts do not need to be done at  *
    *                 the same time.                               *
    *                                                              *
    *                 After applying the PTF that resolves this    *
    *                 APAR, users of the CICSPlex SM supplied      *
    *                 starter set viewsets and menus must reimport *
    *                 the starter set viewset and menu definitions *
    *                 into each Web User Interface (WUI) server's  *
    *                 repository in order to pick up the changes.  *
    *                                                              *
    *                 The starter set viewsets and menus can be    *
    *                 reimported either via the AUTOIMPORTTDQ WUI  *
    *                 server initialization parameter or the       *
    *                 IMPORT function of the COVC WUI transaction. *
    *                 If COVC is used to re-import the starter     *
    *                 set, ensure that the OVERWRITE import option *
    *                 is specified if the WUI server repository    *
    *                 previously contained those starter set       *
    *                 viewsets and menus.                          *
    *                                                              *
    *                 For details on the AUTOIMPORTTDQ parameter   *
    *                 and the COVC IMPORT function see 'Specify    *
    *                 the Web User Interface server initialization *
    *                 parameters' and 'The CICSPlex SM Web User    *
    *                 Interface transaction (COVC)' in the         *
    *                 CICSPlex SM Web User Interface Guide         *
    *                 (SC34-6461-00).                              *
    ****************************************************************
    CICSPlex SM calls the System Authorization Facility (SAF) to
    build ACEE control blocks to represent Users signed onto
    CICSPlex SM. These ACEEs and the User Ids associated with them
    are managed in a table called the SCIL (SeCurity Inherit List).
    
    After a User is signed on, subsequent security checks will use
    the previously built ACEE, which is located via the SCIL.
    
    As the SCIL is finite in size, EYU0CRLT (CRLT - Security
    Services Long-Running Task) will periodically check for Users
    that have not recently been used and destroy the ACEE and SCIL
    entry.
    
    When a user is connected or removed from a group, the User's
    ACEE must be rebuilt in order for security checks to pick up
    the changed group information.
    
    As CRLT only checks the SCIL once every 60 minutes for users
    that have been inactive for 60 minutes, that means a user
    may have to remain inactive in CICSPlex SM for up to 120 minutes
    before the ACEE is deleted.
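
The SCIL behaviour described above, modelled as an added Python example (not IBM code): a cache that reuses the ACEE built at sign-on, a CRLT-style scan that runs every SECTIMEOUT minutes and drops entries idle for that long, and the RESET action from the Problem conclusion that forces a rebuild on next use. The ESM group table, user ids and group names are constructed, and minutes are counted from CMAS start.

```python
from dataclasses import dataclass

@dataclass
class ScilEntry:
    groups: frozenset      # group list captured when the ACEE was built
    last_used: int         # minute (since CMAS start) of the last security check
    reset: bool = False    # set by RESET: rebuild the ACEE on next use

class ScilCache:
    def __init__(self, esm_groups, sectimeout=60):
        self.esm_groups = esm_groups   # the ESM's view: userid -> set of groups (constructed)
        self.sectimeout = sectimeout   # scan interval and idle age, in minutes
        self.entries = {}              # the SCIL: userid -> ScilEntry
        self.next_scan = sectimeout    # first CRLT scan runs SECTIMEOUT after startup

    def check(self, userid, now):
        e = self.entries.get(userid)
        if e is None or e.reset:       # no cached ACEE, or RESET asked for a rebuild
            e = ScilEntry(frozenset(self.esm_groups[userid]), now)
            self.entries[userid] = e
        e.last_used = now
        return e.groups                # later checks reuse this snapshot

    def reset(self, userid):           # CMAS/CMASLIST RESET with USERID(...)
        if userid in self.entries:
            self.entries[userid].reset = True

    def tick(self, now):
        """Run every CRLT scan that is due by 'now', dropping idle entries."""
        while now >= self.next_scan:
            self.entries = {u: e for u, e in self.entries.items()
                            if self.next_scan - e.last_used < self.sectimeout}
            self.next_scan += self.sectimeout

def worst_case_wait(sectimeout):
    """Idle minutes before the ACEE is dropped when the last use just missed a scan."""
    cache = ScilCache({"USER1": {"GRP1"}}, sectimeout)
    now = last = sectimeout + 1
    cache.check("USER1", last)
    while "USER1" in cache.entries:
        now += 1
        cache.tick(now)
    return now - last

def group_change_visible(cache, userid, new_group, now, use_reset):
    """Connect userid to new_group in the ESM, then see whether a check reflects it."""
    cache.esm_groups[userid].add(new_group)
    if use_reset:
        cache.reset(userid)
    return new_group in cache.check(userid, now)
```

worst_case_wait(60) reproduces the "almost 120 minutes" of the original code and worst_case_wait(30) the "up to 60 minutes" of the SECTIMEOUT default, while group_change_visible shows the stale ACEE being used until RESET is issued.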
    

Problem conclusion

  • The following changes are being made:
    
     - A new CICSPlex SM CMAS EYUPARM has been added: SECTIMEOUT.
    
       SECTIMEOUT is specified in minutes and defaults to 30.
       This value controls how often the SCIL table is checked and
       also the age of unused entries that should be removed. A
       value of 30 means that a user may need to remain inactive
       in CICSPlex SM for up to 60 minutes before the ACEE is
       deleted.
    
     - A new action has been added to the CMAS and CMASLIST Resource
       Tables. This new Action is called RESET. It can be used from
       the CICSPlex SM API or WUI. No support for this action has
       been added to the TSO EUI.
    
       The CMAS and CMASLIST RESET action requires one parameter:
       USERID. USERID specifies the User Id of a user that should
       have its ACEE rebuilt the next time it is used.
    
       Using the RESET action means you do not have to wait for the
       SECTIMEOUT interval in order to pick up a change in user
       groups.
    
     - In order to improve security problem determination, a new
       CICSPlex SM CMAS EYUPARM called SECLOGMSG has been added.
       The default value of SECLOGMSG is NO, which does not enable
       this change. When a value of YES is specified, new message
       EYUCR0009I is issued:
    
         EYUCR0009I Security check: Userid=<userid>,
                Class=<classname>, Access=<access>,
                Resource=<resource>, ESMResponse=<esmresp>,
                ESMReason=<esmrson>
    
       This message is issued when a non-zero response is received
       from the External Security Manager. Setting SECLOGMSG(YES) is
       useful when investigating a security issue and the External
       Security Manager does not issue messages of its own.
    
       SECLOGMSG may also be set to the value ALL. This operand is
       intended to be used under the direction of IBM Support. It
       causes message EYUCR0009I to be issued whenever the External
       Security Manager is called for a security check, even when
       the response is 0.  SECLOGMSG(ALL) may cause a large number
       of EYUCR0009I messages to be produced.
    
     - A new command has been added to the CICSPlex SM debug
       transaction (COD0) called SET.  It can be used to dynamically
       change the CMAS EYUPARM SECLOGMSG. This allows SECLOGMSG to
       be changed without restarting the CMAS.
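
As an added example (not part of the APAR), a parser for EYUCR0009I messages in the layout shown above, with a count of non-zero ESM responses per user and resource as a starting point for the problem determination the SECLOGMSG item describes. The log lines, user ids and resource names are constructed, and ESM response and reason codes are assumed to be logged as decimal integers.

```python
import re
from collections import Counter

# Field layout taken from the EYUCR0009I text in the APAR; the pattern expects
# the whole message on one line, so wrapped continuation lines are joined first.
EYUCR0009I = re.compile(
    r"EYUCR0009I Security check: Userid=(?P<userid>[^,\s]+),\s*"
    r"Class=(?P<classname>[^,\s]+),\s*Access=(?P<access>[^,\s]+),\s*"
    r"Resource=(?P<resource>[^,\s]+),\s*ESMResponse=(?P<esmresp>\d+),\s*"
    r"ESMReason=(?P<esmrson>\d+)"          # decimal codes assumed
)

def join_continuations(lines):
    # Glue indented continuation lines onto the message line before them.
    joined = []
    for line in lines:
        if line[:1].isspace() and joined:
            joined[-1] += " " + line.strip()
        else:
            joined.append(line.rstrip())
    return joined

def parse_eyucr0009i(lines):
    """Return one dict per EYUCR0009I message; other messages are ignored."""
    records = []
    for line in join_continuations(lines):
        m = EYUCR0009I.search(line)
        if m:
            rec = m.groupdict()
            for key in ("esmresp", "esmrson"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records

def failures_by_resource(records):
    """Count non-zero ESM responses per (userid, class, resource) for triage."""
    return Counter((r["userid"], r["classname"], r["resource"])
                   for r in records if r["esmresp"] != 0)

# Constructed sample of CMAS job log lines (not real output): one message
# wrapped as shown in the APAR, two on a single line, and one unrelated line.
SAMPLE_LOG = [
    "EYUCR0009I Security check: Userid=USER1,",
    "       Class=CPSMOBJ, Access=UPDATE,",
    "       Resource=WORKLOAD.PLEX1.LOCAL, ESMResponse=8,",
    "       ESMReason=0",
    "EYUCR0009I Security check: Userid=USER1, Class=CPSMOBJ, Access=READ, "
    "Resource=WORKLOAD.PLEX1.LOCAL, ESMResponse=8, ESMReason=0",
    "EYUCR0009I Security check: Userid=USER2, Class=CPSMOBJ, Access=READ, "
    "Resource=WORKLOAD.PLEX1.LOCAL, ESMResponse=0, ESMReason=0",
    "EYUXX0000I Unrelated constructed message",
]
```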
    

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PK08152

  • Reported component name

    CPSM CICS 3.1

  • Reported component ID

    5655M1501

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2005-06-29

  • Closed date

    2005-09-23

  • Last modified date

    2005-10-03

  • APAR is sysrouted FROM one or more of the following:

    PK07080

  • APAR is sysrouted TO one or more of the following:

    UK07475

Modules/Macros


Publications Referenced
  • GC34-6426-03
  • GC34-6472-00
  • SC34-6454-05
  • SC34-6264-01
  • GC34-6265-02

Fix information

  • Fixed component name

    CPSM CICS 3.1

  • Fixed component ID

    5655M1501

Applicable component levels

  • R100 PSY UK07475

       UP05/09/24 P F509


Document Information

Modified date:
22 February 2023