PH03147: IBM EXPLORER FOR SYSTEM Z V3.0.1 - NOT RECOGNIZING COLON ":" AS MFA SEPARATOR LEADS TO ERROR AZFRADP1

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• In z/OS Explorer, which is used by Developer for z Systems
  (RDz/IDz), RSE does not properly recognize and handle the colon
  ":" as MFA separator character which leads to MFA error message
  AZFRADP1. The problem is that the client uses the same colon
  ":" token to separate the data it sends to the RSE daemon;
  userid:password:new_password. Because there is no way,
  currently, to distinguish the separator, the MFA separator
  token ends up being parsed by the daemon,
  and the token ends up being interpreted as new_password.
  In this instance, the MFA configuration uses Generic Radius
  in-band compound authentication, which consists of the
  following combination being entered in a logon password field:
  
  
    <RACF credential><MFA separator><OTP>
  
  
    - RACF credential is either a password or passphrase which is
  validated by RACF
    - MFA separator is a character used to separate the two
  authentication pieces
    - OTP is a one-time generated passcode
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: 01.All zOS Explorer users                    *
  *                 02.All zOS Explorer users who has SSL        *
  *                    enabled                                   *
  *                 03.All zOS Explorer users                    *
  *                 04.All zOS Explorer users                    *
  *                 05.All zOS Explorer and IDz users            *
  *                 06.system programmers                        *
  ****************************************************************
  * PROBLEM DESCRIPTION: 01.rse.env is missing an undocumented   *
  *                         environment variable                 *
  *                      02.Enhancement to support 4 char-id     *
  *                         ciphers when connecting using SSL    *
  *                      03.RSE Server TLS session is not using  *
  *                         the expected cipher suite for the    *
  *                         client connection.                   *
  *                      04.Daemon version shown in the log is   *
  *                         often mixed up with the IDz version  *
  *                         number. Removed Daemon version:14.0  *
  *                         from the Logs to eliminate           *
  *                         confusion                            *
  *                      05.In z/OS Explorer, RSE does not       *
  *                         properly recognize and handle the    *
  *                         colon ":" in passwords, including    *
  *                         when specified as an MFA separator   *
  *                         character, which leads to MFA error  *
  *                         message AZFRADP1                     *
  *                      06.server and user logs not collected   *
  *                         by FEKLOGS                           *
  ****************************************************************
  01.rse.env is missing an undocumented environment variable
  02.Enhancement to support 4 char-id ciphers when connecting
     using SSL
  03.The Remote System Explorer (RSE) Daemon is using 2 character
     cipher suites that are proposed in the rse.env >
     GSK_V3_CIPHER_SPECS. However, the RSE Server is using a
     4character cipher that cannot be specified in the
     GSK_V3_CIPHER_SPECS.
  04.Daemon version shown in the log is often mixed up with the
     IDz version number. Remove Daemon version:14.0 from the Logs
     to eliminate confusion
  05.In z/OS Explorer, RSE does not properly recognize and handle
     the colon ":" in passwords, including when specified as an
     MFA separator character, which leads to MFA error message
     AZFRADP1
  06.When RDz/IDz is installed on top of z/OS Explorer, then
     there is a chance that the server and user logs are not
     collected by FEKLOGS
  

Problem conclusion

• 01.Sample has been updated
  02.Host modules have been updated. Note: 4 character ciphers
     are only supported with JAVA 8
  03.Host modules have been updated
  04.Host modules have been updated
  05.The zOS Explorer server modules are updated
  06.corrected variable reuse
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UI59229

Modules/Macros

• FEJENF70 FEJJCNFG FEJJJCL  FEJJMON  FEJTSO   FEK1SMPE FEK2RCVE
  FEK3ALOC FEK4ZFS  FEK5MKD  FEK6DDEF FEK7APLY FEK8ACPT FEK@CERR
  FEK@CONE FEK@CONF FEK@CUST FEK@DEB  FEK@DESC FEK@FLOW FEK@GEN
  FEK@GENW FEK@ISPF FEK@IVP  FEK@IVPD FEK@IVPW FEK@JCN1 FEK@JCNE
  FEK@JESJ FEK@MAIN FEK@MIGO FEK@OPTE FEK@OPTG FEK@OPTN FEK@PRIM
  FEK@RSE1 FEK@RSEO FEK@STRT FEK@TAB1 FEK@TAB2 FEK@TAB3 FEK@WRK1
  FEK@WRK2 FEK@WRK3 FEK@WRK4 FEK@WRK5 FEKAPPCC FEKAPPCL FEKAPPCX
  FEKDSI   FEKEESX0 FEKFASIZ FEKFBLD  FEKFCIPH FEKFCLIE FEKFCMOD
  FEKFCMPR FEKFCMSG FEKFCOMM FEKFCOPY FEKFCOR6 FEKFCORE FEKFDBGM
  FEKFDIR  FEKFDIR6 FEKFDIVP FEKFDST0 FEKFDST1 FEKFDST2 FEKFENVF
  FEKFENVI FEKFENVP FEKFENVR FEKFENVS FEKFEPL  FEKFICUL FEKFISPF
  FEKFIVP0 FEKFIVPA FEKFIVPD FEKFIVPI FEKFIVPJ FEKFIVPT FEKFJESM
  FEKFJESU FEKFJVM  FEKFLDSI FEKFLDSL FEKFLEOP FEKFLOGS FEKFLPTH
  FEKFMAI6 FEKFMAIN FEKFMINE FEKFMINS FEKFNTCE FEKFOMVS FEKFPATT
  FEKFPRDS FEKFPTC  FEKFRIVP FEKFRMSG FEKFRSES FEKFRSRV FEKFSCMD
  FEKFSEND FEKFSSL  FEKFSTUP FEKFT000 FEKFT001 FEKFT002 FEKFT003
  FEKFT004 FEKFT005 FEKFT006 FEKFT007 FEKFT008 FEKFT009 FEKFT010
  FEKFT011 FEKFT012 FEKFT013 FEKFT014 FEKFT015 FEKFT016 FEKFT017
  FEKFT018 FEKFT019 FEKFT020 FEKFT021 FEKFTIVP FEKFTRKS FEKFTSO
  FEKFUNIV FEKFUTIL FEKFVERS FEKFXITA FEKFXITL FEKFZME  FEKFZMF
  FEKFZOS  FEKHCONF FEKHCUST FEKHDEB  FEKHDESC FEKHFLOW FEKHGEN
  FEKHISPF FEKHIVP  FEKHIVPD FEKHJESJ FEKHMAIN FEKHMIGO FEKHOPTE
  FEKHOPTN FEKHPRIM FEKHRSE1 FEKHRSEO FEKHSTRT FEKHTAB1 FEKHTAB2
  FEKINIT  FEKKEYS  FEKLOGR  FEKLOGS  FEKM00   FEKM01   FEKM02
  FEKMKDIR FEKMOUNT FEKMSGC  FEKMSGS  FEKRACF  FEKRSED  FEKSAPF
  FEKSAPPL FEKSBPX  FEKSCLAS FEKSCLOG FEKSCMD  FEKSCPYM FEKSCPYU
  FEKSDSN  FEKSENV  FEKSETUP FEKSISPF FEKSJCFG FEKSJCMD FEKSJMON
  FEKSLPA  FEKSPROG FEKSPTKT FEKSRSED FEKSSERV FEKSSTC  FEKSSU
  FEKSUSER FEKXCFGE FEKXCFGI FEKXCFGM FEKXCFGT FEKXMAIN FEKXML
  

Fix information

• Fixed component name

  EXP FOR Z/OS HO

• Fixed component ID

  5655EXP23

Applicable component levels

• R300 PSY UI59229

     UP18/10/31 P F810

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.