IBM Support

PK33335: MESSAGE EYUCR0008E IS NOT PRODUCED WHEN DFHSIT PARM XCMD=YES IS CODED FOR CMAS

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Customer is starting a CMAS with the SEC=YES and XCMD=YES CICS
DFHSIT parameters and SEC(YES) as a CICSPlex SM system parameter
(EYUPARM). Documentation, within the CICS TS V3.1  Installation
Guide and the CICSPlex SM Messages and Codes, indicates XCMD,
XDCT, XFCT, XJCT,XPCT, and XPPT must all be defined as NO if the
CICSPlex SM system parameter SEC(YES) is coded. Documentation
indicates message EYUCR0008E will be issued and the CMAS will
terminate if this restriction is not followed. Yet, this does
not appear to be enforced.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED: All CICSPlex SM V3R1M0 Users.                *
****************************************************************
* PROBLEM DESCRIPTION: - Message EYUCR0008E:                   *
*                                                              *
*                        'Mutually exclusive CICS and CICSplex *
*                        SM security parameters specified.     *
*                        The CMAS will terminate.'             *
*                                                              *
*                        is not issued when a CMAS is started  *
*                        with the CICS SIT option SEC=YES and  *
*                        the XFCT, XJCT, XDCT, XPPT, XPCT,     *
*                        XDB2 and XCMD options are not all set *
*                        to NO.                                *
*                                                              *
*                      - Message EYUCR0009I may be issued      *
*                        with invalid ESMResponse and          *
*                        ESMReason values when SECLOGMSG is    *
*                        set to YES or ALL. For example:       *
*                                                              *
*                        'Security check: Userid=USERA,        *
*                        Class=CCICSCMD, Access=Read,          *
*                        Resource=STATISTICS,                  *
*                        ESMResponse=1077952576,               *
*                        ESMReason=1077952576'                 *
*                                                              *
*                        The incorrect inserts will typically  *
*                        be issued for a simulated command     *
*                        security check involving multiple     *
*                        resources.                            *
****************************************************************
* RECOMMENDATION: After applying the PTF that resolves this    *
*                 APAR, all CMASes must be recycled to pick    *
*                 up the new code.  Note that the restarts     *
*                 do not need to be done at the same time.     *
****************************************************************
- CICSPlex SM Security operates independently from CICS
  Security.  As part of CICSPlex SM simulated security, CICSPlex
  SM must issue a RACROUTE REQUEST=LIST (RACLIST) in the CMAS
  for security classes used by the MASes. As the CMAS CICS could
  also have issued a similar command for the same classes, the
  CICSPlex SM request could fail.

  To prevent this error, EYU0CRIN attempts to check the security
  classes specified in the CICS SIT (XFCT, XJCT, XDCT, XPPT,
  XPCT, XDB2 and XCMD options) to insure that they are all set
  to no to avoid the potential conflict. EYU0CRIN contains
  invalid offsets for checking these values, so the SIT check is
  never correctly processed.

- When a simulated command security check is required for the
  CICSRGN object, a list of command security resource names are
  built and passed to the CICSPlex SM security processor. When
  the first resource name fails, the remaining resource names
  are not checked. If SECLOGMSG processing is active, The
  EYUCR0009I message can contain invalid ESMResponse and
  ESMReason inserts because no return codes have ever been set
  for the unprocessed resource names.

    



Problem conclusion


    

  • - The restriction requiring XFCT, XJCT, XDCT, XPPT, XPCT, XDB2
  and XCMD to be set to NO when SEC is set to YES in the SIT
  options for a CMAS has been removed.

  To allow this change, the following changes have been made:

  - EYU0CRIN will no longer check the CMAS X... security related
    SIT options.
  - EYU9XSEC has been changed to determine if a RACROUTE
    REQUEST=LIST has failed due to the class already being
    RACLISTed.  During shutdown, EYU9XSEC will only attempt to
    delete RACLISTed classes that it successfully issued the
    RACLIST for.
  - EYU0CRLT has been changed to maintain the security class
    related flags now set by EYU9XSEC.  Additionally, new
    message EYUCR0010I:

      'Security profiles not refreshed.  Refresh must be
      performed using ESM.'

    has been added. This message will be issued by EYU0CRLT when
    the CMAS or CMASLIST SECREBUILD actions are issued as a
    reminder that the command has no effect and that the ESM
    should be used to refresh the profiles. For RACF, the TSO
    command would be 'SETR RACLIST(nnnnnnnn) REFRESH' - where
    nnnnnnnn is the RACF classname to be refreshed.

- EYU0CRCK has been changed so that if the ESMResponse and
  ESMReason values are set to spaces (which means the security
  check was not performed), then message EYUCR0009I is not
  issued.

    



Temporary fix


    

  • FIX AVAILABLE BY PTF ONLY

    



Comments


    

  • - Message EYUCR0008E:

  'Mutually exclusive CICS and CICSplex
  SM security parameters specified.
  The CMAS will terminate.'

  is not issued when a CMAS is started
  with the CICS SIT option SEC=YES and
  the XFCT, XJCT, XDCT, XPPT, XPCT,
  XDB2 and XCMD options are not all set
  to NO.

- Message EYUCR0009I may be issued
  with invalid ESMResponse and ESMReason
  values when SECLOGMSG is set to YES or
  ALL. For example:

  'Security check: Userid=USERA,
  Class=CCICSCMD, Access=Read,
  Resource=STATISTICS,
  ESMResponse=1077952576,
  ESMReason=1077952576'

  The incorrect inserts will typically
  be issued for a simulated command
  security check involving multiple
  resources.

- CICSPlex SM Security operates independently from CICS
  Security.  As part of CICSPlex SM simulated security, CICSPlex
  SM must issue a RACROUTE REQUEST=LIST (RACLIST) in the CMAS
  for security classes used by the MASes. As the CMAS CICS could
  also have issued a similar command for the same classes, the
  CICSPlex SM request could fail.

  To prevent this error, EYU0CRIN attempts to check the security
  classes specified in the CICS SIT (XFCT, XJCT, XDCT, XPPT,
  XPCT, XDB2 and XCMD options) to insure that they are all set
  to no to avoid the potential conflict. EYU0CRIN contains
  invalid offsets for checking these values, so the SIT check is
  never correctly processed.

- When a simulated command security check is required for the
  CICSRGN object, a list of command security resource names are
  built and passed to the CICSPlex SM security processor. When
  the first resource name fails, the remaining resource names
  are not checked. If SECLOGMSG processing is active, The
  EYUCR0009I message can contain invalid ESMResponse and
  ESMReason inserts because no return codes have ever been set
  for the unprocessed resource names.

- The restriction requiring XFCT, XJCT, XDCT, XPPT, XPCT, XDB2
  and XCMD to be set to NO when SEC is set to YES in the SIT
  options for a CMAS has been removed.

  To allow this change, the following changes have been made:

  - EYU0CRIN will no longer check the CMAS X... security related
    SIT options.
  - EYU9XSEC has been changed to determine if a RACROUTE
    REQUEST =LIST has failed due to the class already being
    RACLISTed.  During shutdown, EYU9XSEC will only attempt to
    delete RACLISTed classes that it successfully issued the
    RACLIST for.
  - EYU0CRLT has been changed to maintain the security class
    related flags now set by EYU9XSEC.  Additionally, new
    message EYUCR0010I:

      'Security profiles not refreshed.  Refresh must be
      performed using ESM.'

    has been added. This message will be issued by EYU0CRLT when
    the CMAS or CMASLIST SECREBUILD actions are issued as a
    reminder that the command has no effect and that the ESM
    should be used to refresh the profiles. For RACF, the TSO
    command would be 'SETR RACLIST(nnnnnnnn) REFRESH' - where
    nnnnnnnn is the RACF classname to be refreshed.

- EYU0CRCK has been changed so that if the ESMResponse and
  ESMReason values are set to spaces (which means the security
  check was not performed), then message EYUCR0009I is not
  issued.

    



APAR Information




    

  • APAR number
    PK33335
    • 

  • Reported component name
    CPSM CICS 3.1
    • 

  • Reported component ID
    5655M1501
    • 

  • Reported release
    100
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2006-10-20
    • 

  • Closed date
    2006-11-20
    • 

  • Last modified date
    2006-12-01
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UK19858
    

    • 



Modules/Macros


    

  •    EYUBCRCL EYUBCRRR EYUTCMM0 EYUUCMEQ EYU0CRCK
EYU0CRDK EYU0CRIN EYU0CRLT EYU0CRSI EYU9XSEC EYU9XSTC

    




Publications Referenced


GC34647103GC34642604   





Fix information


    

  • Fixed component name
    CPSM CICS 3.1
    • 

  • Fixed component ID
    5655M1501
    • 



Applicable component levels


    

  • R100  PSY  UK19858
       UP06/11/22  P  F611
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              {"0":{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},"438":{"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Line of Business":{"code":"LOB35","label":"Mainframe SW"}},"1":null,"2":null,"3":null,"4":null,"5":null,"6":null,"7":null,"8":null,"9":null,"10":null,"11":null,"12":null,"13":null,"14":null,"15":null,"16":null,"17":null,"18":null,"19":null,"20":null,"21":null,"22":null,"23":null,"24":null,"25":null,"26":null,"27":null,"28":null,"29":null,"30":null,"31":null,"32":null,"33":null,"34":null,"35":null,"36":null,"37":null,"38":null,"39":null,"40":null,"41":null,"42":null,"43":null,"44":null,"45":null,"46":null,"47":null,"48":null,"49":null,"50":null,"51":null,"52":null,"53":null,"54":null,"55":null,"56":null,"57":null,"58":null,"59":null,"60":null,"61":null,"62":null,"63":null,"64":null,"65":null,"66":null,"67":null,"68":null,"69":null,"70":null,"71":null,"72":null,"73":null,"74":null,"75":null,"76":null,"77":null,"78":null,"79":null,"80":null,"81":null,"82":null,"83":null,"84":null,"85":null,"86":null,"87":null,"88":null,"89":null,"90":null,"91":null,"92":null,"93":null,"94":null,"95":null,"96":null,"97":null,"98":null,"99":null,"100":null,"101":null,"102":null,"103":null,"104":null,"105":null,"106":null,"107":null,"108":null,"109":null,"110":null,"111":null,"112":null,"113":null,"114":null,"115":null,"116":null,"117":null,"118":null,"119":null,"120":null,"121":null,"122":null,"123":null,"124":null,"125":null,"126":null,"127":null,"128":null,"129":null,"130":null,"131":null,"132":null,"133":null,"134":null,"135":null,"136":null,"137":null,"138":null,"139":null,"140":null,"141":null,"142":null,"143":null,"144":null,"145":null,"146":null,"147":null,"148":null,"149":null,"150":null,"151":null,"152":null,"153":null,"154":null,"155":null,"156":null,"157":null,"158":null,"159":null,"160":null,"161":null,"162":null,"163":null,"164":null,"165":null,"166":null,"167":null,"168":null,"169":null,"170":null,"171":null,"172":null,"173":null,"174":null,"175":null,"176":null,"177":null,"178":null,"179":null,"180":null,"181":null,"182":null,"183":null,"184":null,"185":null,"186":null,"187":null,"188":null,"189":null,"190":null,"191":null,"192":null,"193":null,"194":null,"195":null,"196":null,"197":null,"198":null,"199":null,"200":null,"201":null,"202":null,"203":null,"204":null,"205":null,"206":null,"207":null,"208":null,"209":null,"210":null,"211":null,"212":null,"213":null,"214":null,"215":null,"216":null,"217":null,"218":null,"219":null,"220":null,"221":null,"222":null,"223":null,"224":null,"225":null,"226":null,"227":null,"228":null,"229":null,"230":null,"231":null,"232":null,"233":null,"234":null,"235":null,"236":null,"237":null,"238":null,"239":null,"240":null,"241":null,"242":null,"243":null,"244":null,"245":null,"246":null,"247":null,"248":null,"249":null,"250":null,"251":null,"252":null,"253":null,"254":null,"255":null,"256":null,"257":null,"258":null,"259":null,"260":null,"261":null,"262":null,"263":null,"264":null,"265":null,"266":null,"267":null,"268":null,"269":null,"270":null,"271":null,"272":null,"273":null,"274":null,"275":null,"276":null,"277":null,"278":null,"279":null,"280":null,"281":null,"282":null,"283":null,"284":null,"285":null,"286":null,"287":null,"288":null,"289":null,"290":null,"291":null,"292":null,"293":null,"294":null,"295":null,"296":null,"297":null,"298":null,"299":null,"300":null,"301":null,"302":null,"303":null,"304":null,"305":null,"306":null,"307":null,"308":null,"309":null,"310":null,"311":null,"312":null,"313":null,"314":null,"315":null,"316":null,"317":null,"318":null,"319":null,"320":null,"321":null,"322":null,"323":null,"324":null,"325":null,"326":null,"327":null,"328":null,"329":null,"330":null,"331":null,"332":null,"333":null,"334":null,"335":null,"336":null,"337":null,"338":null,"339":null,"340":null,"341":null,"342":null,"343":null,"344":null,"345":null,"346":null,"347":null,"348":null,"349":null,"350":null,"351":null,"352":null,"353":null,"354":null,"355":null,"356":null,"357":null,"358":null,"359":null,"360":null,"361":null,"362":null,"363":null,"364":null,"365":null,"366":null,"367":null,"368":null,"369":null,"370":null,"371":null,"372":null,"373":null,"374":null,"375":null,"376":null,"377":null,"378":null,"379":null,"380":null,"381":null,"382":null,"383":null,"384":null,"385":null,"386":null,"387":null,"388":null,"389":null,"390":null,"391":null,"392":null,"393":null,"394":null,"395":null,"396":null,"397":null,"398":null,"399":null,"400":null,"401":null,"402":null,"403":null,"404":null,"405":null,"406":null,"407":null,"408":null,"409":null,"410":null,"411":null,"412":null,"413":null,"414":null,"415":null,"416":null,"417":null,"418":null,"419":null,"420":null,"421":null,"422":null,"423":null,"424":null,"425":null,"426":null,"427":null,"428":null,"429":null,"430":null,"431":null,"432":null,"433":null,"434":null,"435":null,"436":null,"437":null}
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            22 February 2023
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback