A fix is available
APAR status
Closed as program error.
Error description
In IBM DEVELOPER FOR z/OS (IDz) v15.0.4 and Explorer for z/OS v3.2.0.18, the operator command DISPLAY CPU fails with a NullPointerException or a NumberFormatException. The rseserver log shows the following errors: java.lang.NullPointerException java.lang.NumberFormatException: For input string: "USERXYZ :1DB4800000000B22:00995270:21876: 3222/ServerReceiver" After this error, new user connections fail with an error like: RSEG1242 server failure USERXYZ:1DD8480000000B32:009AEE88: 3238/DebugMiner
Local fix
restart IDz/RSED started task on the host.
Problem summary
**************************************************************** * USERS AFFECTED: 1. Security admin * * 2. sysprog * * 3. All users * * 4. All users that run UNIX commands * * 5. All users * * 6. All users * * 7. All users * * 8. All users * * 9. All users * **************************************************************** * PROBLEM DESCRIPTION: 1. "INSUFFICIENT AUTHORITY TO KILL" * * security violation * * 2. Startup script errors when using * * non-English shell environment * * 3. The user ServerThread connection * * establisher may not handle properly * * the socket exception conditions * * caused by client socket closing when * * the connection terminates. * * 4. In previous releases, the current * * working directory (".") was * * automatically added to the PATH for * * convenience, when running UNIX shell * * commands but that was removed. * * 5. Using RSE remote system properties * * for a dataset member with a creation * * date in 19th century and a * * modification date in 20th century * * would display incorrectly the * * modification date as in 19th. * * 6. fekfomvs is required to be APF * * (extended 'a' attribute), the * * required bit setting is 'aps'. When * * its bit setting is not proper, RSE * * may fail to properly authenticate a * * user. * * 7. It is a requirement for IPv6 * * support for RSE operations. * * RSE can be configured to support * * IPv6, but IVP DAEMON operator command * * (to test user connection from z/OS) * * does not. * * 8. ZosOmvsService appears to be out * * of sync in querying and processing * * request commands with its C fekfomvs * * components, resulting unexpected * * behavior in authentication response. * * 9. MFA authentication using compound * * '&' password ( > 8 chars), user and * * application bypass profile definition * * may not work properly causing * * authentication failure. * **************************************************************** 1. When the RSED STC userid lacks permit to UNIXPRIV SUPERUSER.PROCESS.KILL and SETROPTS LOGOPTIONS(FAILURES(PROCACT)) is in effect, you can see security violations ICH408I USER(enduser) GROUP(group) NAME(user connected via client) CL(PROCACT ) INSUFFICIENT AUTHORITY TO KILL EFFECTIVE UID(uid) EFFECTIVE GID(gid) 2. Startup script errors when using non-English shell environment e.g. @=/usr/lpp/IBM/zexpl/bin/envvars.sh: /tmp/rsed.sh.50331783 1: . : _Init 76: /usr/lpp/IBM/zexpl/bin/rsed.sh 549: FSUM7351 not found -- ERROR -- version_track not defined in /usr/lpp/IBM/zexpl/bin/plugin.conf 3. Socket exception (due to client terminated abruptly) may leave user threads left over with no client holder at the Threadpool. 4. In previous releases, the current working directory (".") was automatically added to the PATH for convenience, when running UNIX shell commands but that was removed. 5. RSE FEKATTR module incorrectly parses the century of a dataset member modification date information obtained from the z/OS system. 6. When it is not APF, fekfomvs cannot perform its verifyUser command to authenticate a user. RSE authentication service fails to recognize the issue and let the authentication going through as sucessful. 7. It is a requirement for IPv6 support for RSE operations. RSE can be configured to support IPv6, but IVP DAEMON operator command (to test user connection from z/OS) does not. 8. An inconsistency in data result from fekfomvs, for example in get threads information query, could cause RSE ZosOmvservice be out of sync in its data processing for the requests 9. RSE ZosOmvsService does not pass in the application ID correctly when processing authentication routine in call cases, especially with passphrase usage. For MFA authentication using compound '&' password. It is process as a passphrase input, and without a proper application id passed in, MFA bypass profile for userid and application is not working properly.
Problem conclusion
1. Provide sample commands to grant the required permit 2. Do not allow customers to change LANG or LC_ALL environment variables 3. As socket exception is critical (and expected during IVP Daemon runs), it should be treated as error during the handshake message message exchange for a cleaner connection establishment shutdown. 4. The inclusion of "." in the PATH will be added back. 5. Have FEKATTR correct the parsing for the modification date's century of dataset members. 6. Have authentication catch the issue and fails the authentication. This could also affect RSEAPI. 7. Connection testing tool now support in both operator command (IVP DAEMON) or in cli mode (running directly fekfdivp or cli fekfivpd rexx script). 8. An inconsistency in data of getThreads (/D P CPU command) from fekomvs response could cause a left over in the readpipe at ZosOmvsService java side. The leftover causes out-of-sync for all operation processing at ZosOmvsService java side, including authentication for a new connection. This apar defect fix is to handle the consequence when the issue happened. It is to flush the left over of the read pipe when getThreads() got exception, plush flushing the readpipe before sending a new command. 9. Pass in correctly the application ID when calling RACROUTE VERIFY (CREATE), so that the setting for the application works as intended for both normal and MFA authentication.
Temporary fix
Comments
APAR Information
APAR number
PH59210
Reported component name
EXP FOR Z/OS HO
Reported component ID
5655EXP23
Reported release
320
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-01-16
Closed date
2024-05-01
Last modified date
2024-06-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI96742
Modules/Macros
FEJENF70 FEJJCNFG FEJJJCL FEJJMON FEJTSO FEK1SMPE FEK2RCVE FEK3ALOC FEK4ZFS FEK5MKD FEK6DDEF FEK7APLY FEK8ACPT FEK@CERR FEK@CONE FEK@CONF FEK@CUST FEK@DEB FEK@DESC FEK@FLOW FEK@GEN FEK@GENW FEK@ISPF FEK@IVP FEK@IVPD FEK@IVPW FEK@JCN1 FEK@JCNE FEK@JESJ FEK@MAIN FEK@MIGO FEK@OPTE FEK@OPTG FEK@OPTN FEK@PRIM FEK@RSE1 FEK@RSEO FEK@STRT FEK@TAB1 FEK@TAB2 FEK@TAB3 FEK@WRK1 FEK@WRK2 FEK@WRK3 FEK@WRK4 FEK@WRK5 FEKAPPCC FEKAPPCL FEKAPPCX FEKATTR FEKDSI FEKEESX0 FEKFASIZ FEKFATT1 FEKFBLD FEKFCIPH FEKFCLIE FEKFCMOD FEKFCMPR FEKFCMSG FEKFCOMM FEKFCOPY FEKFCOR6 FEKFCORE FEKFDBG FEKFDBG6 FEKFDBGM FEKFDIR FEKFDIR6 FEKFDIVP FEKFDST0 FEKFDST1 FEKFDST2 FEKFENVF FEKFENVI FEKFENVP FEKFENVR FEKFENVS FEKFEPL FEKFERRF FEKFGDGE FEKFICUL FEKFISPF FEKFIVP0 FEKFIVPA FEKFIVPD FEKFIVPI FEKFIVPJ FEKFIVPT FEKFJESM FEKFJESU FEKFJLIC FEKFJSON FEKFJVM FEKFLATR FEKFLDSI FEKFLDSL FEKFLEOP FEKFLOGS FEKFLPTH FEKFMAI6 FEKFMAIN FEKFMINE FEKFMNTL FEKFNTCE FEKFOMVS FEKFPATT FEKFPLUG FEKFPTC FEKFRIVP FEKFRMSG FEKFRSES FEKFRSRV FEKFSCMD FEKFSEND FEKFSSL FEKFSTUP FEKFT000 FEKFT001 FEKFT002 FEKFT003 FEKFT004 FEKFT005 FEKFT006 FEKFT007 FEKFT008 FEKFT009 FEKFT010 FEKFT011 FEKFT012 FEKFT013 FEKFT014 FEKFT015 FEKFT016 FEKFT017 FEKFT018 FEKFT019 FEKFT020 FEKFT021 FEKFT022 FEKFT023 FEKFT024 FEKFT025 FEKFT026 FEKFT027 FEKFT028 FEKFT029 FEKFT030 FEKFTIVP FEKFTSO FEKFUTIL FEKFVERS FEKFXITA FEKFXITL FEKFZOS FEKHCONF FEKHCUST FEKHDEB FEKHDESC FEKHFLOW FEKHGEN FEKHISPF FEKHIVP FEKHIVPD FEKHJESJ FEKHMAIN FEKHMIGO FEKHOPTE FEKHOPTN FEKHPRIM FEKHRSE1 FEKHRSEO FEKHSTRT FEKHTAB1 FEKHTAB2 FEKINIT FEKKEYS FEKLOCKA FEKLOGR FEKLOGS FEKM00 FEKM01 FEKM02 FEKMKDIR FEKMOUNT FEKMSGC FEKMSGS FEKRACF FEKRSED FEKSAPF FEKSAPPL FEKSBPX FEKSCLAS FEKSCLOG FEKSCMD FEKSCPYM FEKSCPYU FEKSDSN FEKSENV FEKSETUP FEKSISPF FEKSJCFG FEKSJCMD FEKSJMON FEKSLPA FEKSPROG FEKSPTKT FEKSRSED FEKSSERV FEKSSTC FEKSSU FEKSUSER FEKXCFGE FEKXCFGI FEKXCFGM FEKXCFGT FEKXMAIN FEKXML HUHFCOR6 HUHFCORE
Fix information
Fixed component name
EXP FOR Z/OS HO
Fixed component ID
5655EXP23
Applicable component levels
R320 PSY UI96742
UP24/05/10 P F405
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBDYH","label":"IBM Explorer for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"320","Line of Business":{"code":"LOB70","label":"Z TPS"}}]
Document Information
Modified date:
03 June 2024