IBM Support

PH59430: IBM EXPLORER FOR Z/OS 3.3.2 FEKFOMVS FAILS TO PASS APPLICATION ID DURING RSED AUTHENTICATION WITH A PASSPHRASE

A fix is available


APAR status

  • Closed as program error.

Error description

  • For users attempting to connect to a remote system using a
    password phrase (passphrase), the application ID is not passed
    as expected when the authentication information is passed to
    the host system's security product. This works correctly with
    a traditional one- to eight-character password.
    
    This presents an issue for sites implementing a Multi-factor
    Authentication (MFA) product that may rely on the application
    ID for successful authentication.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: 1. All users                                 *
    *                 2. All users                                 *
    *                 3. All users                                 *
    *                 4. security admin                            *
    *                 5. All users                                 *
    *                 6. The z/OS Explorer and RSEAPI Job query    *
    *                 API                                          *
    *                 7. users getting system activity report      *
    ****************************************************************
    * PROBLEM DESCRIPTION: 1. MFA authentication using compound    *
    *                      '&' password ( > 8 chars), user and     *
    *                      application bypass profile definition   *
    *                      may not work properly causing           *
    *                      authentication failure.                 *
    *                      2. It is a requirement for IPv6         *
    *                      support for RSE operations.             *
    *                      RSE can be configured to support        *
    *                      IPv6, but IVP DAEMON operator command   *
    *                      (to test user connection from z/OS)     *
    *                      does not.                               *
    *                      3. ZosOmvsService appears to be out     *
    *                      of sync in querying and processing      *
    *                      request commands with its C fekfomvs    *
    *                      components, resulting in unexpected     *
    *                      behavior in authentication response.    *
    *                      4. obsolete comment in SFEKSAMP         *
    *                      (FEKRACF)                               *
    *                      5. During client connection             *
    *                      establishment, when ThreadPool is       *
    *                      retrieving user info using              *
    *                      ZosOmvsService, the service C program   *
    *                      fekfomvs may crash with a CEE dump.     *
    *                      The operation can recover but the new   *
    *                      fekfomvs would be under the current     *
    *                      userID.                                 *
    *                      6. The filter string for JES already    *
    *                      supports the variable &USERID,          *
    *                      but cannot be combined with a constant. *
    *                      7. user connection with JMON might be   *
    *                      terminated with S0CF when requesting    *
    *                      system activity report                  *
    ****************************************************************
    1. RSE ZosOmvsService does not pass in the application ID
    correctly when processing the authentication routine in all
    cases, especially with passphrase usage.
    For MFA authentication using a compound '&' password, the
    credential is processed as passphrase input, and without a
    proper application ID passed in, the MFA bypass profile for
    user ID and application does not work properly.
    2. IPv6 support is a requirement for RSE operations.
    RSE can be configured to support IPv6, but the IVP DAEMON
    operator command (to test a user connection from z/OS) does
    not support it.
    3. An inconsistency in the data returned by fekfomvs, for
    example in the get-threads information query, could cause RSE
    ZosOmvsService to be out of sync in its data processing for
    subsequent requests.
    4. z/OS Explorer sample job SFEKSAMP(FEKRACF) has a comment
    that references RAM developers. This comment does not apply,
    and dates back to the time that IBM z/OS Explorer was part of
    IBM Developer for Z (IDz).
    5. A coding error in the routine that retrieves user
    information could lead to a memory violation, leading to a
    crash and to improperly spawning the new fekfomvs under the
    end user's ID.
    6. For example, if the user ID is TEST, the filter string
    &USERIDX cannot be resolved as TESTX to query the jobs.
    7. The user connection with JMON might be terminated with a
    S0CF ABEND when requesting a system activity report.
    

Problem conclusion

  • 1. Pass in the application ID correctly when calling RACROUTE
    VERIFY (CREATE), so that the setting for the application works
    as intended for both normal and MFA authentication.
    2. The connection testing tool is now supported both as an
    operator command (IVP DAEMON) and in CLI mode (running fekfdivp
    directly, or the fekfivpd REXX script).
    3. An inconsistency in the data of getThreads (/D P CPU
    command) in the fekfomvs response could leave data behind in
    the read pipe on the ZosOmvsService Java side.
    The leftover causes all subsequent operation processing at
    ZosOmvsService to be out of sync, including authentication for
    a new connection.
    This APAR fix handles the consequence when the issue happens:
    the leftover in the read pipe is flushed when getThreads() gets
    an exception, and the read pipe is also flushed before sending
    a new command.
    4. Removed the comment.
    5. The coding error in the get-user-info routine is fixed, and
    fekfomvs is now spawned by a thread so that the process
    (ThreadPool) user ID ownership is correct.
    6. Updated the code to resolve the filter string &USERID +
    constant (e.g. &USERIDX) for the owner and job name prefix
    parameters when querying the jobs.
    7. Added a check to avoid division by zero.
    
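Item 3 above describes a request/response desync: a malformed getThreads reply leaves unread lines in the read pipe, and the next command (here an authentication request) consumes them as its answer. The following simulation is an added example, not IBM's code; the command names, reply formats and the in-memory pipe are constructed, and `fixed=True` applies the two flushes the APAR describes.

```python
# Constructed simulation of the ZosOmvsService <-> fekfomvs command pipe.
# Command names and reply formats are invented for illustration.
from collections import deque

pipe = deque()  # reply lines the service side has not consumed yet

def omvs_send(cmd):
    """Stand-in for fekfomvs: queue the reply lines for one command."""
    if cmd == "GETTHREADS":  # inconsistent reply: header lacks the record count
        pipe.extend(["COUNT", "T1 cpu=12", "T2 cpu=3"])
    elif cmd.startswith("AUTH "):
        pipe.append("AUTH OK" if cmd == "AUTH IBMUSER" else "AUTH FAIL")

def command(cmd, fixed):
    if fixed:
        pipe.clear()  # fix part 2: flush leftovers before every new command
    omvs_send(cmd)

def get_threads(fixed):
    command("GETTHREADS", fixed)
    try:
        count = int(pipe.popleft().split()[1])  # raises on the malformed header
        return [pipe.popleft() for _ in range(count)]
    except (IndexError, ValueError):
        if fixed:
            pipe.clear()  # fix part 1: flush the data lines the bad reply left
        raise

def authenticate(userid, fixed):
    command(f"AUTH {userid}", fixed)
    reply = pipe.popleft()
    if not reply.startswith("AUTH "):
        raise RuntimeError(f"out of sync: got {reply!r}")
    return reply == "AUTH OK"

def run(fixed):
    """One fresh session: (did get_threads fail?, authenticate result or error)."""
    pipe.clear()
    try:
        get_threads(fixed)
        failed = False
    except (IndexError, ValueError):
        failed = True
    try:
        return failed, authenticate("IBMUSER", fixed)
    except RuntimeError as exc:
        return failed, str(exc)
```

Without the fix the authentication step reads a stale thread record instead of its own reply; with the fix the same malformed getThreads reply still fails, but the following authentication is answered correctly.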

Temporary fix

Comments

APAR Information

  • APAR number

    PH59430

  • Reported component name

    EXP FOR Z/OS HO

  • Reported component ID

    5655EXP23

  • Reported release

    330

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2024-01-26

  • Closed date

    2024-03-07

  • Last modified date

    2024-04-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI95993

Modules/Macros

  • FEJENF70 FEJJCNFG FEJJJCL  FEJJMON  FEJTSO   FEK1SMPE FEK2RCVE
    FEK3ALOC FEK4ZFS  FEK5MKD  FEK6DDEF FEK7APLY FEK8ACPT FEK@CERR
    FEK@CONE FEK@CONF FEK@CUST FEK@DEB  FEK@DESC FEK@FLOW FEK@GEN
    FEK@GENW FEK@ISPF FEK@IVP  FEK@IVPD FEK@IVPW FEK@JCN1 FEK@JCNE
    FEK@JESJ FEK@MAIN FEK@MIGO FEK@OPTE FEK@OPTG FEK@OPTN FEK@PRIM
    FEK@RSE1 FEK@RSEO FEK@STRT FEK@TAB1 FEK@TAB2 FEK@TAB3 FEK@WRK1
    FEK@WRK2 FEK@WRK3 FEK@WRK4 FEK@WRK5 FEKAPPCC FEKAPPCL FEKAPPCX
    FEKATTR  FEKDSI   FEKEESX0 FEKFASIZ FEKFATT1 FEKFBLD  FEKFCIPH
    FEKFCLIE FEKFCMOD FEKFCMPR FEKFCMSG FEKFCOMM FEKFCOPY FEKFCOR6
    FEKFCORE FEKFDBG  FEKFDBG6 FEKFDBGM FEKFDIR  FEKFDIR6 FEKFDIVP
    FEKFDST0 FEKFDST1 FEKFDST2 FEKFENVF FEKFENVI FEKFENVP FEKFENVR
    FEKFENVS FEKFEPL  FEKFERRF FEKFGDGE FEKFICUL FEKFISPF FEKFIVP0
    FEKFIVPA FEKFIVPD FEKFIVPI FEKFIVPJ FEKFIVPT FEKFJESM FEKFJESU
    FEKFJLIC FEKFJSON FEKFJVM  FEKFLATR FEKFLDSI FEKFLDSL FEKFLEOP
    FEKFLOGS FEKFLPTH FEKFMAI6 FEKFMAIN FEKFMINE FEKFMNTL FEKFNTCE
    FEKFOMVS FEKFPATT FEKFPKCS FEKFPLUG FEKFPTC  FEKFRIVP FEKFRMSG
    FEKFRSES FEKFRSRV FEKFSCMD FEKFSEND FEKFSSL  FEKFSTUP FEKFT000
    FEKFT002 FEKFT003 FEKFT004 FEKFT005 FEKFT006 FEKFT007 FEKFTIVP
    FEKFTSO  FEKFUTIL FEKFVERS FEKFXITA FEKFXITL FEKFZOS  FEKHCONF
    FEKHCUST FEKHDEB  FEKHDESC FEKHFLOW FEKHGEN  FEKHISPF FEKHIVP
    FEKHIVPD FEKHJESJ FEKHMAIN FEKHMIGO FEKHOPTE FEKHOPTN FEKHPRIM
    FEKHRSE1 FEKHRSEO FEKHSTRT FEKHTAB1 FEKHTAB2 FEKINIT  FEKKEYS
    FEKLOCKA FEKLOGR  FEKLOGS  FEKM00   FEKM01   FEKM02   FEKMKDIR
    FEKMOUNT FEKMSGC  FEKMSGS  FEKPKCS1 FEKRACF  FEKRSED  FEKSAPF
    FEKSAPPL FEKSBPX  FEKSCLAS FEKSCLOG FEKSCMD  FEKSCPYM FEKSCPYU
    FEKSDSN  FEKSENV  FEKSETUP FEKSISPF FEKSJCFG FEKSJCMD FEKSJMON
    FEKSJWT  FEKSJWTU FEKSLPA  FEKSPROG FEKSPTKT FEKSRSED FEKSSERV
    FEKSSTC  FEKSSU   FEKSUSER FEKXCFGE FEKXCFGI FEKXCFGM FEKXCFGT
    FEKXMAIN FEKXML   HUHFCOR6 HUHFCORE
    

Fix information

  • Fixed component name

    EXP FOR Z/OS HO

  • Fixed component ID

    5655EXP23

Applicable component levels

  • R330 PSY UI95993

       UP24/03/16 P F403

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
04 April 2024