A fix is available
APAR status
Closed as program error.
Error description
The security change made by APAR OA47396 introduced a new restriction for the PASSWORD option on the ADDUSER and ALTUSER commands: you could no longer specify the option without a value. Instead, depending on your TSO PROFILE PROMPT setting, you get msgIKJ56701I and a failure, or you are prompted to specify a value. This change created several issues:
- In an RRSF environment, on a 1.13 or 2.1 system without the APAR change, when an ADDUSER is issued without the PASSWORD option, RACF automatically includes PASSWORD without a value, as that is the default setting. When this re-formed command was received on a system with the APAR change, the command would fail.
- The command exit point, IRREVX01, no longer sees the PASSWORD parm without a value. This inhibits any special processing that the exit may do to create a new, unique password for the user. One exploiter of this exit point is zSecure Command Verifier.
- Any RACF administrator or admin application that normally runs an ADDUSER with PASSWORD() followed immediately by an ALTUSER PASSWORD(x) will not get the userid created. The PASSWORD() option needs to be removed from the ADDUSER command, or the PASSWORD(x) option needs to be moved to the ADDUSER command.
- On 1.13 and 2.1, ALTUSER PASSWORD cannot be used to reset the password back to the default value.

This APAR will allow a null PASSWORD to be treated the same as not specifying the option. In z/OS 1.13 and 2.1, that treatment is to give a default value. In z/OS 2.2, that treatment is to not assign a password, with the potential for the user being assigned the PROTECTED attribute. (See APAR OA49109 for the lack of a migration item in the z/OS Migration Guide for z/OS 2.2.)

The ++HOLDs in UA77922, UA77923, UA77924 will be nullified.

PE INFORMATION
Users Affected: All users of the ADDUSER and ALTUSER commands, when specifying the PASSWORD option without a value.
User Impact: APAR OA47396 fixed the problem it reported but introduced a new problem.
Additional Symptoms: IKJ56701I msgIKJ56701 IKJ56701
Local fix
Problem summary
USERS AFFECTED: Installations which have installed a PTF for OA47396:
UA77922 - z/OS V2R2 HRF77A0
UA77923 - z/OS V1R13 HRF7780
UA77924 - z/OS V2R1 HRF7790
PROBLEM DESCRIPTION:
RECOMMENDATION:

When an ADDUSER or ALTUSER command is issued with the PASSWORD operand, but without a password value, the command would fail in NOPROMPT mode. This aspect of OA47396 introduced excessive churn. Examples of the undesirable behavior:
1- In RRSF environments, if SYS1 did not have an OA47396 PTF applied, then the command issued with no password value would succeed. But when propagated to other systems which did have an OA47396 PTF applied, the command would fail.
2- The command exit point, IRREVX01, with an OA47396 PTF applied no longer saw the PASSWORD parameter without a value. This inhibited any special processing that the exit may have done to create a new, unique password for the user. One exploiter of this exit point is zSecure Command Verifier.
3- On z/OS V1R13 and z/OS V2R1, specifying the ADDUSER or ALTUSER command with the PASSWORD operand with no password value did NOT set or restore the default group as the password.
Problem conclusion
The HOLD(DOC) and HOLD(ACTION) aspects of OA47396 have been removed. ADDUSER and ALTUSER commands issued with the PASSWORD operand, but without a password value, when in NOPROMPT mode, will not fail. In those cases a null PASSWORD keyword will be presented to the IRREVX01 command exit.
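An added example (not IBM's code and not part of the APAR): a Python sketch that scans a deck of RACF commands for ADDUSER or ALTUSER with a null PASSWORD operand and reports the outcome this APAR describes for a given z/OS release once the fix is applied. The sample deck, user IDs and function names are constructed for illustration; command abbreviations are not handled.

```python
import re

# Effect of a null PASSWORD operand with OA48667 applied, per the APAR text.
NULL_PASSWORD_EFFECT = {
    "1.13": "default value assigned as the password",
    "2.1": "default value assigned as the password",
    "2.2": "no password assigned; user may get the PROTECTED attribute",
}
# Bare PASSWORD, PASSWORD() or PASSWORD(value); \b keeps NOPASSWORD from matching.
_PASSWORD = re.compile(r"\bPASSWORD\b(?:\s*\(\s*([^)]*?)\s*\))?", re.IGNORECASE)
# Command verb plus the first user ID (a parenthesised ID list is allowed).
_COMMAND = re.compile(r"^\s*(ADDUSER|ALTUSER)\s+\(?\s*([A-Z0-9#$@]+)", re.IGNORECASE)

def logical_commands(deck):
    """Yield (first_line_number, text), joining TSO '-' and '+' continuations."""
    buf, start = "", None
    for no, raw in enumerate(deck.splitlines(), 1):
        line = raw.rstrip()
        start = no if start is None else start
        if line.endswith(("-", "+")):
            buf += line[:-1] + " "   # approximation: both forms joined with a blank
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", None
    if buf.strip():
        yield start, buf.strip()

def find_null_password(deck):
    """Return (line, verb, userid) for each command with a valueless PASSWORD."""
    findings = []
    for line_no, cmd in logical_commands(deck):
        head = _COMMAND.match(cmd)
        if head and any(not m.group(1) for m in _PASSWORD.finditer(cmd)):
            findings.append((line_no, head.group(1).upper(), head.group(2).upper()))
    return findings

def report(deck, release):
    """One line per finding, with the release-specific outcome from the APAR."""
    effect = NULL_PASSWORD_EFFECT[release]
    return [f"line {n}: {verb} {uid}: {effect}" for n, verb, uid in find_null_password(deck)]

# Constructed sample deck, not taken from any real system.
SAMPLE_DECK = """\
ADDUSER NEWUSR1 NAME('CONSTRUCTED SAMPLE') PASSWORD()
ALTUSER NEWUSR1 PASSWORD(x)
ADDUSER NEWUSR2 DFLTGRP(GRP1) -
  PASSWORD
ALTUSER NEWUSR3 NOPASSWORD
ADDUSER NEWUSR4 PASSWORD(Init1al)
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DECK, "2.2")))
```

On a system that has only an OA47396 PTF, the same flagged commands are the ones that fail with IKJ56701I in NOPROMPT mode.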
Temporary fix
Comments
**** PE16/07/27 PTF IN ERROR. SEE APAR OA50949 FOR DESCRIPTION
APAR Information
APAR number
OA48667
Reported component name
RACF
Reported component ID
5752XXH00
Reported release
790
Status
CLOSED PER
PE
YesPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-08-19
Closed date
2015-12-17
Last modified date
2016-09-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UA80164 UA80165 UA80166
Modules/Macros
IRRCAU0P IRRCCU0P
Fix information
Fixed component name
RACF
Fixed component ID
5752XXH00
Applicable component levels
R7A0 PSY UA80164
UP15/12/30 P F512 Ø
R780 PSY UA80165
UP15/12/30 P F512 Ø
R790 PSY UA80166
UP15/12/30 P F512 Ø
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
01 September 2016