A fix is available
APAR status
Closed as program error.
Error description
In CICS TS 5.4, when issuing a CICS SIGNON USERID(ABK) PASSWORD(' ') NEWPASS('A'), the command returns EIBRESP=22 (LENGERR) and EIBRESP2=1, which is "PHRASELEN was out-of-range". If the NEWPASS parameter is removed or NEWPASS(' ') is supplied, the command returns the expected EIBRESP=70 (NOTAUTH) and EIBRESP2=1, which is "A password or password phrase is required", as it did under CICS TS 5.1.

When issuing a CICS SIGNON USERID(ABK) PASSWORD('abc$123') NEWPASS('abc$456'), the command returns EIBRESP=16 (INVREQ) and EIBRESP2=13, which is "There is an unknown return code in ESMRESP from the ESM; or the ESM is not active or has failed in an unexpected way", if the user is not authorized to the CICS application in the APPL class of RACF. If the NEWPASS parameter is not supplied, the command returns the expected EIBRESP=70 (NOTAUTH) and EIBRESP2=17, which is "The USERID is not authorized to use the application", as it did under CICS TS 5.1.

The difference comes about because SIGNON with PASSWORD and NEWPASSWORD has changed to behave more like CHANGE PASSWORD instead of VERIFY PASSWORD. That was necessary because a VERIFY followed by a CHANGE as part of the signon does not work with single-use tokens or some MFA credentials.

The CHANGE PASSWORD processing has never handled the case where the user was not authorised to the applid, so it returns an "unknown" error. CHANGE PASSWORD does distinguish between a password and a phrase being used, but the SIGNON command does not. That is why the EIBRESP and RESP2 refer to the length of the phrase.
Local fix
n/a
Problem summary
****************************************************************
* USERS AFFECTED: All.                                         *
****************************************************************
* PROBLEM DESCRIPTION: SIGNON of unauthorised user returns     *
*                      LENGERR or INVREQ instead of NOTAUTH.   *
****************************************************************
A USERID is UNAUTHORISED to SIGNON using a particular CICS applid. If the SIGNON includes a NEWPASSWORD parameter, then the request fails with an EIBRESP of LENGERR. Similarly, if the PASSWORD field is blank but a NEWPASSWORD is supplied, the request fails with an EIBRESP of INVREQ. In both cases NOTAUTH should have been returned because the USERID is UNAUTHORISED to SIGNON to the CICS applid.
Problem conclusion
CICS security code has been amended to correct the aforementioned problem.
Temporary fix
Comments
APAR Information
APAR number
PH09141
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-03-01
Closed date
2019-07-10
Last modified date
2019-08-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI64127 UI64128 UI64129 UI64130 UI64131
Modules/Macros
DFHXSPW DFHXSSB
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R000 PSY UI64128 UP19/08/01 P F907
R100 PSY UI64130 UP19/08/01 P F907
R200 PSY UI64129 UP19/08/01 P F907
R800 PSY UI64131 UP19/07/19 P F907
R900 PSY UI64127 UP19/08/01 P F907
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
01 August 2019