PH30114: MQMONITOR USERID NOT BEING USED ALTHOUGH CORRECTLY SET

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• Customer upgraded his CICS to 5.5 level and ran in to an issue
  with MQMON and the userid used to start the transactions .
  When a transaction is triggered he gets a violation on user
  XXXXXX ( selected by default, the CICS region ID).
  
  ACFAE900 LID=CICSSC TERM=NONE RESOURCE=TRANS NAME=WWWW
  ACFAE913 ACF2 security violation: Source=STCINRDR Access=V
  
  He expected that the transaction ( WWWW) would run under YYYYYY
  ( the userid value of the MQMONITOR resource )
  
  DFHAC2003 Security violation has been detected term id = ????,
  trans id = WWWW, userid = XXXXXX.
  .
  This is a not problem with MQMONitors.
  Transaction CPIL is running under the correct userid (YYYYYY)
  that is associated with the MQMONITOR transaction CKTI.
  
  The problem is that when CPIL creates the process to run
  transaction WWWW, the userid returned when looking up the
  URIMAP, has been corrupted.
  
  The locate of the URIMAP returns userid TITITOTO.
  
  After control returns from programs associated with global user
  points XEIIN/XEIOUT and XICEREQ / XICEREQC Register 2 into which
  the userid has been saved is now corrupted due to registers
  not having been restored correctly leaving the top half of R2
  overwritten with binary zeroes.
  
  When the task attach takes place the for task xxx (WWWW), the
  corrupted userid is passed in via the request block. The
  security manager fails to find this userid and defaults to the
  CICS region id which is not authorised to attach the task and
  so the violation occurs.
  

Local fix

• NA
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: All CICS users.                              *
  ****************************************************************
  * PROBLEM DESCRIPTION: Security violation when using           *
  *                      web service over IBM MQ and a XICEREQ   *
  *                      user exit is enabled.                   *
  ****************************************************************
  A web service request arrives over IBM MQ using persistent
  messages.  DFHPILSQ retrieves the user ID from the URIMAP and
  stores it in register 2.  Two EXEC CICS ASKTIME calls are made
  and there is a program enabled at the XICEREQ exit point.  On
  completion of the EXEC CICS commands the user ID held in
  register 2 had been corrupted by the user exit program.  As a
  result a security violation occurred when this was used to run
  the web service request.
  

Problem conclusion

• DFHPILSQ has been updated to no longer hold the user ID in a
  register.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UI72214 UI72215

Modules/Macros

• DFHPILSQ
  

Fix information

• Fixed component name

  CICS TS Z/OS V5

• Fixed component ID

  5655Y0400

Applicable component levels

• R200 PSY UI72214

     UP20/10/24 P F010

• R300 PSY UI72215

     UP20/10/24 P F010

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.