A fix is available
APAR status
Closed as program error.
Error description
You are running your CICS region with an external security manager (ESM) and receive a message similar to the following:

DFHXS0001 applid An abend (code ---/0801) has occurred at offset X'FFFF' in module DFHXSPW.

The abend is out of Top Secret module TSSSFRVT. The abend is intentional. The problem is caused by a TCPIPSERVICE using basic authentication and being sent an empty Authorization header. The header value just contains an encoded ':' which is the separator character between the userid and password. DFHWBSR has not checked the userid or password lengths and just passed that on to DFHXSPW and then DFHXSSB.

When RACF is used the EXTRACT call fails with return codes (hex) 8, 24, 18, 24 and an exception response gets returned back from DFHXSSB. It appears that in the Top Secret case an abend is issued instead, which CICS is not expecting to intercept.
Local fix
Problem summary
USERS AFFECTED: All.

PROBLEM DESCRIPTION: DFHXS0001 issued when a null userid of length 0 is passed to an ESM.

In the reported problem, a web client task with basic authentication passed an HTTP request into CICS containing a null userid and password, each of length 0. CICS security code passed these to a vendor ESM using a RACROUTE EXTRACT call. The call failed, but the return codes returned to CICS by the vendor ESM were not recognised by CICS and a severe error, DFHXS0001, was presented. Had the ESM been RACF, the return codes would have been interpreted by CICS and a soft error issued.
Problem conclusion
CICS security domain has been updated to no longer pass a null userid to the ESM.

This APAR changes the RESP and RESP2 values returned for certain error conditions on EXEC CICS VERIFY PHRASE and EXEC CICS CHANGE PHRASE commands. If the commands are issued with a blank userid the response will be USERIDERR (68) with RESP2 = 8. If the commands are issued with a blank password the response will be NOTAUTH (70) with RESP2 = 1.

This APAR provides a new RESP2 code of 1 for VERIFY and CHANGE password requests to accompany a NOTAUTH (RESP = 70) response. A RESP2 of 1 means: Password required.

The Knowledge Center will be updated at the next refresh.
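One way to express the length check this APAR describes, as an added illustration that is not IBM's code: a Python precheck that decodes a Basic Authorization header and rejects an empty userid or password before anything reaches the security manager. The function and type names are hypothetical, and reusing the RESP/RESP2 values above as verdict codes is an assumption made for illustration.

```python
import base64
import binascii
from typing import NamedTuple, Optional

# RESP values quoted in the APAR text for blank userid / blank password.
USERIDERR = 68
NOTAUTH = 70

class Verdict(NamedTuple):
    ok: bool               # True only when both fields are usable
    resp: Optional[int]    # RESP analogue, None when not applicable
    resp2: Optional[int]
    reason: str

def encode_basic(userid: str, password: str) -> str:
    """Build a constructed sample header value for the demo below."""
    raw = f"{userid}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def precheck_basic_auth(header_value: str) -> Verdict:
    """Validate a Basic Authorization header before any ESM call is made."""
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return Verdict(False, None, None, "not a Basic credential")
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return Verdict(False, None, None, "malformed base64")
    if ":" not in decoded:
        return Verdict(False, None, None, "missing ':' separator")
    # Split on the first ':' only; a password may itself contain ':'.
    userid, _, password = decoded.partition(":")
    # Assumption: all-space fields are treated like zero-length ones.
    if not userid.strip():
        return Verdict(False, USERIDERR, 8, "blank userid")
    if not password.strip():
        return Verdict(False, NOTAUTH, 1, "password required")
    return Verdict(True, None, None, "pass to ESM")

if __name__ == "__main__":
    # Constructed samples; "Og==" is base64 for the lone ':' separator.
    for sample in ("Basic Og==", encode_basic("USER1", ""),
                   encode_basic("USER1", "pa:ss"), "Basic !!!"):
        print(f"{sample!r:24} -> {precheck_basic_auth(sample)}")
```

The point of the check is ordering: the empty-field test runs before the security manager is called, so the outcome no longer depends on how a particular ESM reports a zero-length userid.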
Temporary fix
Comments
APAR Information
APAR number
PH23078
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-03-09
Closed date
2020-07-20
Last modified date
2020-08-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PH26296 UI70639 UI70640 UI70641 UI70642
Modules/Macros
DFHESN DFHUSAD DFHWBA DFHWBA1 DFHWBAP DFHWBAPF DFHWBBLI DFHWBDM DFHWBDUF DFHWBENV DFHWBPA DFHWBPW DFHWBSO DFHWBSR DFHWBTRI DFHWBTTA DFHWBXM DFHWBXN DFHXSPW DFHXSPWT
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R000 PSY UI70640
UP20/07/23 P F007
R100 PSY UI70639
UP20/07/22 P F007
R200 PSY UI70642
UP20/07/22 P F007
R300 PSY UI70641
UP20/07/22 P F007
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
05 August 2020