IBM Support

PH30252: MONITOR END-TO-END ACCESS IN REAL TIME FOR AUDIT PURPOSES

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • Monitor end-to-end access from requester to the databases. The
audit information must be available in real time to a Security
Information and Event Management system (QRadar). Monitoring is
for both inbound and outbound access to and from the mainframe.
Auditors need the ability to correlate the user ID, the
transaction or application, and the database access.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED: All.                                         *
****************************************************************
* PROBLEM DESCRIPTION: CICS Origin adapter data not available  *
*                      to Db2 at runtime.                      *
****************************************************************
The CICS SMF 110 performance record contains origin data, and in
particular origin adapter data. For a request that originated
via z/OS Connect Enterprice Edition (ZCEE), the origin adapter
data contains ZCEE tracking data. For an application that
accesses Db2, it is possible to correlate Db2 SMF 101 SMF data
with CICS 110 SMF data and using the ZCEE tracking data, be
able to correlate with ZCEE SMF 126 data. This gives an end to
end audit flow, but not in real time whilst the transaction is
running. CICS Origin adapter data needs to be passed to Db2
when the first Db2 request is made.

    



Problem conclusion


    

  • Db2 V12 via apar PH31447 is enhanced to allow CICS to pass extra
fields on the signon call to Db2.
The CICS-Db2 Attach is enhanced to detect that adapter origin
data is present, and if the DB2ENTRY or pool specifies
ACCOUNTREC(TASK) or ACCOUNTREC(UOW), passes extra  data to Db2
when issuing a partial or full signon.

The appl-longname will contain the 64 bytes of Adapter id
preceded by a 28 byte string eyecatcher. It will result in the
Db2 special register CURRENT CLIENT_APPLNAME being set and the
data is written to the Db2 accounting record.

The accounting-string will contain 192 bytes of adapter data
preceded by a 35 byte eyecatcher. It will result in the
Db2 special register CURRENT CLIENT_ACCTNG being set and the
data is written to the Db2 accounting record.

CICS TS @n.n@ Knowledge Center will be updated to reflect:

CICS Transaction Server for z/OS 5.4, 5.5 and 5.6.
CICS fundamentals > CICS Intercommunication >
                    Transaction tracking > Adapter tracking

The statement that currently reads:

"Examples of adapter data added to a task's origin data is when
tasks start as a result of requests coming into CICS from z/OS®
Connect over the IPIC protocol. z/OS Connect passes adapter
data, which is added to the origin data."

will change to:

"Examples of adapter data added to a task's origin data is when
tasks start as a result of requests coming into CICS from z/OS®
Connect over the IPIC protocol. z/OS Connect passes adapter
data, which is added to the origin data (requires a minimum
z/OS Connect level of V3.0.30.0)."

    



Temporary fix


    

  • 



Comments


    

  • ×**** PE22/09/12 FIX IN ERROR. SEE APAR PH49408  FOR DESCRIPTION

    



APAR Information




    

  • APAR number
    PH30252
    • 

  • Reported component name
    CICS TS Z/OS V5
    • 

  • Reported component ID
    5655Y0400
    • 

  • Reported release
    100
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    YesSpecatt / New Function / Xsystem
    • 

  • Submitted date
    2020-10-06
    • 

  • Closed date
    2021-03-18
    • 

  • Last modified date
    2023-03-10
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UI74495 UI74496 UI74497
    

    • 



Modules/Macros


    

  • DFHD2CC  DFHD2CM1 DFHD2CO  DFHD2D2  DFHD2DUF DFHD2EDF DFHD2EX1
DFHD2EX2 DFHD2EX3 DFHD2MSB DFHD2RP  DFHD2ST  DFHD2STP DFHD2STR
DFHD2TM  DFHD2TR1 DFHD2TRI DFHDSMT  DFHMQDUF

    



Fix information


    

  • Fixed component name
    CICS TS Z/OS V5
    • 

  • Fixed component ID
    5655Y0400
    • 



Applicable component levels


    

  • R100  PSY  UI74497
       UP21/03/19  P  F103   
    • 

  • R200  PSY  UI74496
       UP21/03/19  P  F103   
    • 

  • R300  PSY  UI74495
       UP21/03/19  P  F103   
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.4","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            10 March 2023
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback