A fix is available
APAR status
Closed as program error.
Error description
The CPSM administrator adds a user to an existing group with authority to access CPSMOBJ. But, when the user tries to interact with those resources, they get a security failure. RACF issues message ICH408I. If the user stays logged off CPSM long enough, they are able to use the resources.

CPSM's CMAS caches the ACEE in a similar way to CICS. With CICS, if you change a user, e.g. by connecting them to a new group, you need to get the ACEE refreshed; you can do this by signing off CICS and back on again (to update a local region). But, if you have used remote CICS resources, you have to leave the user unused for the USRDELAY period (set in the remote region). CICS can then flush the ACEE remembered for the user.

CICSPlex SM has a similar scheme. Although CPSM runs in a CICS region, it does not use CICS security services. When CICSPlex SM automatically signs on the user in the CMAS, the ACEE will be cached for at least 60 minutes after it is last used, because the scan for unused ACEEs is scheduled to run every 60 minutes after CMAS startup; it is then that ACEEs that have not been used for 60 minutes are removed. This means that in the worst-case scenario you might have to wait up to almost 120 minutes for the ACEE to be deleted.

Unlike CICS with USRDELAY, the timeout value (60 minutes) is not externalised. There are no commands to forcibly remove a user from the CMAS's ACEE cache.

It is proposed that a CMAS EYUPARM be created to specify a timeout value. The customer could then shorten the amount of time needed for CPSM to remove the old ACEE.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All CICSPlex SM V3R1M0 Users.                *
****************************************************************
* PROBLEM DESCRIPTION: After connecting a CICSPlex SM EUI, API *
*                      or WUI User to a new RACF group, the    *
*                      updated access is not picked up in the  *
*                      CMAS for up to two hours after the User *
*                      has not used CICSPlex SM.               *
****************************************************************
* RECOMMENDATION: After applying the PTF that resolves this    *
*                 APAR, all CMASes and WUI Servers must be     *
*                 recycled to pick up the new code. Note       *
*                 that the restarts do not need to be done at  *
*                 the same time.                               *
*                                                              *
*                 After applying the PTF that resolves this    *
*                 APAR, users of the CICSPlex SM supplied      *
*                 starter set viewsets and menus must reimport *
*                 the starter set viewset and menu definitions *
*                 into each Web User Interface (WUI) server's  *
*                 repository in order to pick up the changes.  *
*                                                              *
*                 The starter set viewsets and menus can be    *
*                 reimported either via the AUTOIMPORTTDQ WUI  *
*                 server initialization parameter or the      *
*                 IMPORT function of the COVC WUI transaction. *
*                 If COVC is used to re-import the starter     *
*                 set, ensure that the OVERWRITE import option *
*                 is specified if the WUI server repository    *
*                 previously contained that starter set        *
*                 viewsets and menus.                          *
*                                                              *
*                 For details on the AUTOIMPORTTDQ parameter   *
*                 and the COVC IMPORT function see 'Specify    *
*                 the Web User Interface server initialization *
*                 parameters' and 'The CICSPlex SM Web User    *
*                 Interface transaction (COVC)' in the         *
*                 CICSPlex SM Web User Interface Guide         *
*                 (SC34-6461-00).                              *
****************************************************************

CICSPlex SM calls the System Authorization Facility (SAF) to build ACEE control blocks to represent Users signed on to CICSPlex SM. These ACEEs and the User Ids associated with them are managed in a table called the SCIL (SeCurity Inherit List).
After a User is signed on, subsequent security checks will use the previously built ACEE, which is located via the SCIL. As the SCIL is finite in size, EYU0CRLT (CRLT - Security Services Long-Running Task) will periodically check for Users that have not recently been used and destroy the ACEE and SCIL entry. When a user is connected or removed from a group, the User's ACEE must be rebuilt in order for security checks to pick up the changed group information. As CRLT only checks the SCIL once every 60 minutes for users that have been inactive for 60 minutes, that means a user may have to remain inactive in CICSPlex SM for up to 120 minutes before the ACEE is deleted.
Problem conclusion
The following changes are being made:

- A new CICSPlex SM CMAS EYUPARM has been added: SECTIMEOUT. SECTIMEOUT is specified in minutes and defaults to 30. This value controls how often the SCIL table is checked and also the age of unused entries that should be removed. A value of 30 means that a user may need to remain inactive in CICSPlex SM for up to 60 minutes before the ACEE is deleted.
- A new action has been added to the CMAS and CMASLIST Resource Tables. This new action is called RESET. It can be used from the CICSPlex SM API or WUI. No support for this action has been added to the TSO EUI. The CMAS and CMASLIST RESET action requires one parameter: USERID. USERID specifies the User Id of a user that should have its ACEE rebuilt the next time it is used. Using the RESET action means you do not have to wait for the SECTIMEOUT interval in order to pick up a change in user groups.
- In order to improve security problem determination, a new CICSPlex SM CMAS EYUPARM called SECLOGMSG has been added. The default value of SECLOGMSG is NO, which does not enable this change. When a value of YES is specified, new message EYUCR0009I is issued:
  EYUCR0009I Security check: Userid=<userid>, Class=<classname>, Access=<access>, Resource=<resource>, ESMResponse=<esmresp>, ESMReason=<esmrson>
  This message is issued when a non-zero response is received from the External Security Manager. Setting SECLOGMSG(YES) is useful when investigating a security issue and the External Security Manager does not issue messages of its own. SECLOGMSG may also be set to the value ALL. This operand is intended to be used under the direction of IBM Support. It causes message EYUCR0009I to be issued whenever the External Security Manager is called for a security check, even when the response is 0. SECLOGMSG(ALL) may cause a large number of EYUCR0009I messages to be produced.
- A new command has been added to the CICSPlex SM debug transaction (COD0) called SET. It can be used to dynamically change the CMAS EYUPARM SECLOGMSG. This allows SECLOGMSG to be changed without restarting the CMAS.
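The SCIL cache behaviour in the error description and the SECTIMEOUT and RESET changes in the problem conclusion, as a constructed Python model added here (not IBM code). It assumes CRLT runs every SECTIMEOUT minutes from CMAS start and discards entries unused for at least that long, which is how the page describes the pre-APAR fixed 60-minute scan; USER1, GRPA and GRPB are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class ScilEntry:
    groups: frozenset            # group connections captured when the ACEE was built
    last_used: int               # minute of the last security check that used it
    reset_pending: bool = False  # set by the CMAS/CMASLIST RESET action

class Cmas:
    """Constructed model of a CMAS SCIL cache; times are minutes since CMAS start."""

    def __init__(self, esm_groups, sectimeout=30):
        self.esm_groups = esm_groups    # the ESM's current view of each user's groups
        self.sectimeout = sectimeout    # SECTIMEOUT EYUPARM (pre-APAR: fixed at 60)
        self.scil = {}
        self.next_sweep = sectimeout    # CRLT first runs SECTIMEOUT minutes after startup

    def _run_due_sweeps(self, now):
        # Each CRLT pass discards entries unused for at least SECTIMEOUT minutes.
        while self.next_sweep <= now:
            at = self.next_sweep
            self.scil = {u: e for u, e in self.scil.items()
                         if at - e.last_used < self.sectimeout}
            self.next_sweep += self.sectimeout

    def reset(self, userid):
        # RESET action: keep the entry but rebuild the ACEE on its next use.
        if userid in self.scil:
            self.scil[userid].reset_pending = True

    def check(self, userid, now):
        """Security check at minute `now`; returns the groups the ACEE carries."""
        self._run_due_sweeps(now)
        entry = self.scil.get(userid)
        if entry is None or entry.reset_pending:
            entry = ScilEntry(frozenset(self.esm_groups[userid]), now)
            self.scil[userid] = entry
        entry.last_used = now
        return entry.groups

def groups_seen(sectimeout, last_use, probe):
    """Groups a security check at minute `probe` sees after the user last used
    CPSM at `last_use` and was then connected to a new group (constructed data)."""
    cmas = Cmas({"USER1": {"GRPA"}}, sectimeout)
    cmas.check("USER1", last_use)          # ACEE built while USER1 is only in GRPA
    cmas.esm_groups["USER1"].add("GRPB")   # administrator connects USER1 to GRPB
    return cmas.check("USER1", probe)
```

With the pre-APAR fixed interval of 60, a check at minute 179 still sees the old groups after a last use at minute 61, i.e. 118 minutes stale, while SECTIMEOUT(30) bounds the stale window to under 60 minutes and RESET removes it on the next use.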
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PK08152
Reported component name
CPSM CICS 3.1
Reported component ID
5655M1501
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2005-06-29
Closed date
2005-09-23
Last modified date
2005-10-03
APAR is sysrouted FROM one or more of the following:
PK07080
APAR is sysrouted TO one or more of the following:
UK07475
Modules/Macros
CMAS CMASLIST EYUA2450 EYUA2451 EYUBCREQ EYUBCRIL EYUBCRRB EYUCCRSR EYUCXLAC EYUC2450 EYUC2451 EYUEVX01 EYUE2450 EYUE2451 EYUKVX01 EYUK2450 EYUK2451 EYUL2450 EYUL2451 EYUN2450 EYUN2451 EYUP2450 EYUP2451 EYUQCRIN EYUQCRSR EYUQXLAC EYURCOEB EYURCRIN EYURCRSR EYURXLAC EYUR2450 EYUR2451 EYUSVX01 EYUS2450 EYUS2451 EYUTCMM0 EYUTRCOM EYUTRKNL EYUTXLM0 EYUTXLPD EYUT2450 EYUT2451 EYUUCMEQ EYUUXLEQ EYUYCRIN EYUYCRSR EYUYXLAC EYUY2450 EYUY2451 EYUZCRIN EYUZCRSR EYUZXLAC EYU0CRCK EYU0CRDK EYU0CRIN EYU0CRLT EYU0CRSI EYU0CRSR EYU0DSET EYU0DTRM EYU0DTXT EYU2CRSR EYU2XLAC EYU9CMPU EYU9CMP3 EYU9CMP4 EYU9CMRU EYU9CMR3 EYU9CMR4 EYU9DBG1 EYU9XLPU EYU9XLP3 EYU9XLP4 EYU9XSEC
GC34642603 | GC34647200 | SC34645405 | SC34626401 | GC34626502 |
Fix information
Fixed component name
CPSM CICS 3.1
Fixed component ID
5655M1501
Applicable component levels
R100 PSY UK07475
UP05/09/24 P F509
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
22 February 2023