A fix is available
APAR status
Closed as program error.
Error description
Customer is starting a CMAS with the SEC=YES and XCMD=YES CICS DFHSIT parameters and SEC(YES) as a CICSPlex SM system parameter (EYUPARM). Documentation, within the CICS TS V3.1 Installation Guide and the CICSPlex SM Messages and Codes, indicates XCMD, XDCT, XFCT, XJCT,XPCT, and XPPT must all be defined as NO if the CICSPlex SM system parameter SEC(YES) is coded. Documentation indicates message EYUCR0008E will be issued and the CMAS will terminate if this restriction is not followed. Yet, this does not appear to be enforced.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All CICSPlex SM V3R1M0 Users. * **************************************************************** * PROBLEM DESCRIPTION: - Message EYUCR0008E: * * * * 'Mutually exclusive CICS and CICSplex * * SM security parameters specified. * * The CMAS will terminate.' * * * * is not issued when a CMAS is started * * with the CICS SIT option SEC=YES and * * the XFCT, XJCT, XDCT, XPPT, XPCT, * * XDB2 and XCMD options are not all set * * to NO. * * * * - Message EYUCR0009I may be issued * * with invalid ESMResponse and * * ESMReason values when SECLOGMSG is * * set to YES or ALL. For example: * * * * 'Security check: Userid=USERA, * * Class=CCICSCMD, Access=Read, * * Resource=STATISTICS, * * ESMResponse=1077952576, * * ESMReason=1077952576' * * * * The incorrect inserts will typically * * be issued for a simulated command * * security check involving multiple * * resources. * **************************************************************** * RECOMMENDATION: After applying the PTF that resolves this * * APAR, all CMASes must be recycled to pick * * up the new code. Note that the restarts * * do not need to be done at the same time. * **************************************************************** - CICSPlex SM Security operates independently from CICS Security. As part of CICSPlex SM simulated security, CICSPlex SM must issue a RACROUTE REQUEST=LIST (RACLIST) in the CMAS for security classes used by the MASes. As the CMAS CICS could also have issued a similar command for the same classes, the CICSPlex SM request could fail. To prevent this error, EYU0CRIN attempts to check the security classes specified in the CICS SIT (XFCT, XJCT, XDCT, XPPT, XPCT, XDB2 and XCMD options) to insure that they are all set to no to avoid the potential conflict. EYU0CRIN contains invalid offsets for checking these values, so the SIT check is never correctly processed. - When a simulated command security check is required for the CICSRGN object, a list of command security resource names are built and passed to the CICSPlex SM security processor. When the first resource name fails, the remaining resource names are not checked. If SECLOGMSG processing is active, The EYUCR0009I message can contain invalid ESMResponse and ESMReason inserts because no return codes have ever been set for the unprocessed resource names.
Problem conclusion
- The restriction requiring XFCT, XJCT, XDCT, XPPT, XPCT, XDB2 and XCMD to be set to NO when SEC is set to YES in the SIT options for a CMAS has been removed. To allow this change, the following changes have been made: - EYU0CRIN will no longer check the CMAS X... security related SIT options. - EYU9XSEC has been changed to determine if a RACROUTE REQUEST=LIST has failed due to the class already being RACLISTed. During shutdown, EYU9XSEC will only attempt to delete RACLISTed classes that it successfully issued the RACLIST for. - EYU0CRLT has been changed to maintain the security class related flags now set by EYU9XSEC. Additionally, new message EYUCR0010I: 'Security profiles not refreshed. Refresh must be performed using ESM.' has been added. This message will be issued by EYU0CRLT when the CMAS or CMASLIST SECREBUILD actions are issued as a reminder that the command has no effect and that the ESM should be used to refresh the profiles. For RACF, the TSO command would be 'SETR RACLIST(nnnnnnnn) REFRESH' - where nnnnnnnn is the RACF classname to be refreshed. - EYU0CRCK has been changed so that if the ESMResponse and ESMReason values are set to spaces (which means the security check was not performed), then message EYUCR0009I is not issued.
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
- Message EYUCR0008E: 'Mutually exclusive CICS and CICSplex SM security parameters specified. The CMAS will terminate.' is not issued when a CMAS is started with the CICS SIT option SEC=YES and the XFCT, XJCT, XDCT, XPPT, XPCT, XDB2 and XCMD options are not all set to NO. - Message EYUCR0009I may be issued with invalid ESMResponse and ESMReason values when SECLOGMSG is set to YES or ALL. For example: 'Security check: Userid=USERA, Class=CCICSCMD, Access=Read, Resource=STATISTICS, ESMResponse=1077952576, ESMReason=1077952576' The incorrect inserts will typically be issued for a simulated command security check involving multiple resources. - CICSPlex SM Security operates independently from CICS Security. As part of CICSPlex SM simulated security, CICSPlex SM must issue a RACROUTE REQUEST=LIST (RACLIST) in the CMAS for security classes used by the MASes. As the CMAS CICS could also have issued a similar command for the same classes, the CICSPlex SM request could fail. To prevent this error, EYU0CRIN attempts to check the security classes specified in the CICS SIT (XFCT, XJCT, XDCT, XPPT, XPCT, XDB2 and XCMD options) to insure that they are all set to no to avoid the potential conflict. EYU0CRIN contains invalid offsets for checking these values, so the SIT check is never correctly processed. - When a simulated command security check is required for the CICSRGN object, a list of command security resource names are built and passed to the CICSPlex SM security processor. When the first resource name fails, the remaining resource names are not checked. If SECLOGMSG processing is active, The EYUCR0009I message can contain invalid ESMResponse and ESMReason inserts because no return codes have ever been set for the unprocessed resource names. - The restriction requiring XFCT, XJCT, XDCT, XPPT, XPCT, XDB2 and XCMD to be set to NO when SEC is set to YES in the SIT options for a CMAS has been removed. To allow this change, the following changes have been made: - EYU0CRIN will no longer check the CMAS X... security related SIT options. - EYU9XSEC has been changed to determine if a RACROUTE REQUEST =LIST has failed due to the class already being RACLISTed. During shutdown, EYU9XSEC will only attempt to delete RACLISTed classes that it successfully issued the RACLIST for. - EYU0CRLT has been changed to maintain the security class related flags now set by EYU9XSEC. Additionally, new message EYUCR0010I: 'Security profiles not refreshed. Refresh must be performed using ESM.' has been added. This message will be issued by EYU0CRLT when the CMAS or CMASLIST SECREBUILD actions are issued as a reminder that the command has no effect and that the ESM should be used to refresh the profiles. For RACF, the TSO command would be 'SETR RACLIST(nnnnnnnn) REFRESH' - where nnnnnnnn is the RACF classname to be refreshed. - EYU0CRCK has been changed so that if the ESMResponse and ESMReason values are set to spaces (which means the security check was not performed), then message EYUCR0009I is not issued.
APAR Information
APAR number
PK33335
Reported component name
CPSM CICS 3.1
Reported component ID
5655M1501
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2006-10-20
Closed date
2006-11-20
Last modified date
2006-12-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK19858
Modules/Macros
EYUBCRCL EYUBCRRR EYUTCMM0 EYUUCMEQ EYU0CRCK EYU0CRDK EYU0CRIN EYU0CRLT EYU0CRSI EYU9XSEC EYU9XSTC
GC34647103 | GC34642604 |
Fix information
Fixed component name
CPSM CICS 3.1
Fixed component ID
5655M1501
Applicable component levels
R100 PSY UK19858
UP06/11/22 P F611
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
{"0":{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},"438":{"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Line of Business":{"code":"LOB35","label":"Mainframe SW"}},"1":null,"2":null,"3":null,"4":null,"5":null,"6":null,"7":null,"8":null,"9":null,"10":null,"11":null,"12":null,"13":null,"14":null,"15":null,"16":null,"17":null,"18":null,"19":null,"20":null,"21":null,"22":null,"23":null,"24":null,"25":null,"26":null,"27":null,"28":null,"29":null,"30":null,"31":null,"32":null,"33":null,"34":null,"35":null,"36":null,"37":null,"38":null,"39":null,"40":null,"41":null,"42":null,"43":null,"44":null,"45":null,"46":null,"47":null,"48":null,"49":null,"50":null,"51":null,"52":null,"53":null,"54":null,"55":null,"56":null,"57":null,"58":null,"59":null,"60":null,"61":null,"62":null,"63":null,"64":null,"65":null,"66":null,"67":null,"68":null,"69":null,"70":null,"71":null,"72":null,"73":null,"74":null,"75":null,"76":null,"77":null,"78":null,"79":null,"80":null,"81":null,"82":null,"83":null,"84":null,"85":null,"86":null,"87":null,"88":null,"89":null,"90":null,"91":null,"92":null,"93":null,"94":null,"95":null,"96":null,"97":null,"98":null,"99":null,"100":null,"101":null,"102":null,"103":null,"104":null,"105":null,"106":null,"107":null,"108":null,"109":null,"110":null,"111":null,"112":null,"113":null,"114":null,"115":null,"116":null,"117":null,"118":null,"119":null,"120":null,"121":null,"122":null,"123":null,"124":null,"125":null,"126":null,"127":null,"128":null,"129":null,"130":null,"131":null,"132":null,"133":null,"134":null,"135":null,"136":null,"137":null,"138":null,"139":null,"140":null,"141":null,"142":null,"143":null,"144":null,"145":null,"146":null,"147":null,"148":null,"149":null,"150":null,"151":null,"152":null,"153":null,"154":null,"155":null,"156":null,"157":null,"158":null,"159":null,"160":null,"161":null,"162":null,"163":null,"164":null,"165":null,"166":null,"167":null,"168":null,"169":null,"170":null,"171":null,"172":null,"173":null,"174":null,"175":null,"176":null,"177":null,"178":null,"179":null,"180":null,"181":null,"182":null,"183":null,"184":null,"185":null,"186":null,"187":null,"188":null,"189":null,"190":null,"191":null,"192":null,"193":null,"194":null,"195":null,"196":null,"197":null,"198":null,"199":null,"200":null,"201":null,"202":null,"203":null,"204":null,"205":null,"206":null,"207":null,"208":null,"209":null,"210":null,"211":null,"212":null,"213":null,"214":null,"215":null,"216":null,"217":null,"218":null,"219":null,"220":null,"221":null,"222":null,"223":null,"224":null,"225":null,"226":null,"227":null,"228":null,"229":null,"230":null,"231":null,"232":null,"233":null,"234":null,"235":null,"236":null,"237":null,"238":null,"239":null,"240":null,"241":null,"242":null,"243":null,"244":null,"245":null,"246":null,"247":null,"248":null,"249":null,"250":null,"251":null,"252":null,"253":null,"254":null,"255":null,"256":null,"257":null,"258":null,"259":null,"260":null,"261":null,"262":null,"263":null,"264":null,"265":null,"266":null,"267":null,"268":null,"269":null,"270":null,"271":null,"272":null,"273":null,"274":null,"275":null,"276":null,"277":null,"278":null,"279":null,"280":null,"281":null,"282":null,"283":null,"284":null,"285":null,"286":null,"287":null,"288":null,"289":null,"290":null,"291":null,"292":null,"293":null,"294":null,"295":null,"296":null,"297":null,"298":null,"299":null,"300":null,"301":null,"302":null,"303":null,"304":null,"305":null,"306":null,"307":null,"308":null,"309":null,"310":null,"311":null,"312":null,"313":null,"314":null,"315":null,"316":null,"317":null,"318":null,"319":null,"320":null,"321":null,"322":null,"323":null,"324":null,"325":null,"326":null,"327":null,"328":null,"329":null,"330":null,"331":null,"332":null,"333":null,"334":null,"335":null,"336":null,"337":null,"338":null,"339":null,"340":null,"341":null,"342":null,"343":null,"344":null,"345":null,"346":null,"347":null,"348":null,"349":null,"350":null,"351":null,"352":null,"353":null,"354":null,"355":null,"356":null,"357":null,"358":null,"359":null,"360":null,"361":null,"362":null,"363":null,"364":null,"365":null,"366":null,"367":null,"368":null,"369":null,"370":null,"371":null,"372":null,"373":null,"374":null,"375":null,"376":null,"377":null,"378":null,"379":null,"380":null,"381":null,"382":null,"383":null,"384":null,"385":null,"386":null,"387":null,"388":null,"389":null,"390":null,"391":null,"392":null,"393":null,"394":null,"395":null,"396":null,"397":null,"398":null,"399":null,"400":null,"401":null,"402":null,"403":null,"404":null,"405":null,"406":null,"407":null,"408":null,"409":null,"410":null,"411":null,"412":null,"413":null,"414":null,"415":null,"416":null,"417":null,"418":null,"419":null,"420":null,"421":null,"422":null,"423":null,"424":null,"425":null,"426":null,"427":null,"428":null,"429":null,"430":null,"431":null,"432":null,"433":null,"434":null,"435":null,"436":null,"437":null}
Document Information
Modified date:
22 February 2023