A fix is available
APAR status
Closed as program error.
Error description
When users attempt to connect to a remote system using a password passphrase and the authentication information is passed to the host system's security product, the application ID is not passed as expected. This works correctly with a traditional one to eight character password. This presents an issue for sites implementing a Multi-factor Authentication (MFA) product that may rely on the application ID for successful authentication.
Local fix
N/A
Problem summary
USERS AFFECTED:
1. All users
2. All users
3. All users
4. Security admin
5. All users
6. The z/OS Explorer and RSEAPI Job query API
7. Users getting system activity report

PROBLEM DESCRIPTION:
1. MFA authentication using compound '&' password (> 8 chars), user and application bypass profile definition may not work properly, causing authentication failure.
2. IPv6 support is a requirement for RSE operations. RSE can be configured to support IPv6, but the IVP DAEMON operator command (to test user connection from z/OS) does not.
3. ZosOmvsService appears to be out of sync in querying and processing request commands with its C fekfomvs components, resulting in unexpected behavior in the authentication response.
4. Obsolete comment in SFEKSAMP(FEKRACF).
5. During client connection establishment, when ThreadPool retrieves user info using ZosOmvsService, the service C program fekfomvs may crash with a CEE dump. The operation can recover, but the new fekfomvs would be under the current userID.
6. The filter string for JES already supports the variable &USERID, but it cannot be combined with a constant.
7. User connection with JMON might be terminated with S0CF when requesting a system activity report.

Details:
1. RSE ZosOmvsService does not pass in the application ID correctly when processing the authentication routine in all cases, especially with passphrase usage. For MFA authentication using a compound '&' password, the input is processed as a passphrase, and without a proper application ID passed in, the MFA bypass profile for user ID and application does not work properly.
2. IPv6 support is a requirement for RSE operations. RSE can be configured to support IPv6, but the IVP DAEMON operator command (to test user connection from z/OS) does not.
3. An inconsistency in the data returned from fekfomvs, for example in a get threads information query, could cause RSE ZosOmvsService to be out of sync in its data processing for the requests.
4. z/OS Explorer sample job SFEKSAMP(FEKRACF) has a comment that references RAM developers. This comment does not apply, and dates back to the time that IBM z/OS Explorer was part of IBM Developer for Z (IDz).
5. A coding error in the routine to retrieve user information could lead to a memory violation, leading to a crash and improper spawning of the new fekfomvs under the end user ID.
6. For example, if the user ID is TEST, the filter string &USERIDX cannot be resolved as TESTX to query the jobs.
7. The user connection with JMON might be terminated with an S0CF ABEND when requesting a system activity report.
Problem conclusion
1. The application ID is now passed in correctly when calling RACROUTE VERIFY (CREATE), so that the setting for the application works as intended for both normal and MFA authentication.
2. The connection testing tool is now supported both as an operator command (IVP DAEMON) and in CLI mode (running fekfdivp directly or the CLI fekfivpd REXX script).
3. An inconsistency in the data of getThreads (/D P CPU command) from the fekfomvs response could cause a leftover in the read pipe on the ZosOmvsService Java side. The leftover causes all operation processing on the ZosOmvsService Java side to go out of sync, including authentication for a new connection. This APAR fix handles the consequence when the issue happens: it flushes the leftover of the read pipe when getThreads() gets an exception, plus flushes the read pipe before sending a new command.
4. Removed the comment.
5. The coding error in the routine that gets user info is fixed, and fekfomvs spawning is now done by a thread so that the process has the proper (ThreadPool) user ID ownership.
6. Updated the code to resolve the filter string &USERID + constant (e.g. &USERIDX) for the owner and job name prefix parameters when querying the jobs.
7. Added a check to avoid division by 0.
Temporary fix
Comments
APAR Information
APAR number
PH59430
Reported component name
EXP FOR Z/OS HO
Reported component ID
5655EXP23
Reported release
330
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-01-26
Closed date
2024-03-07
Last modified date
2024-04-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI95993
Modules/Macros
FEJENF70 FEJJCNFG FEJJJCL FEJJMON FEJTSO FEK1SMPE FEK2RCVE FEK3ALOC FEK4ZFS FEK5MKD FEK6DDEF FEK7APLY FEK8ACPT FEK@CERR FEK@CONE FEK@CONF FEK@CUST FEK@DEB FEK@DESC FEK@FLOW FEK@GEN FEK@GENW FEK@ISPF FEK@IVP FEK@IVPD FEK@IVPW FEK@JCN1 FEK@JCNE FEK@JESJ FEK@MAIN FEK@MIGO FEK@OPTE FEK@OPTG FEK@OPTN FEK@PRIM FEK@RSE1 FEK@RSEO FEK@STRT FEK@TAB1 FEK@TAB2 FEK@TAB3 FEK@WRK1 FEK@WRK2 FEK@WRK3 FEK@WRK4 FEK@WRK5 FEKAPPCC FEKAPPCL FEKAPPCX FEKATTR FEKDSI FEKEESX0 FEKFASIZ FEKFATT1 FEKFBLD FEKFCIPH FEKFCLIE FEKFCMOD FEKFCMPR FEKFCMSG FEKFCOMM FEKFCOPY FEKFCOR6 FEKFCORE FEKFDBG FEKFDBG6 FEKFDBGM FEKFDIR FEKFDIR6 FEKFDIVP FEKFDST0 FEKFDST1 FEKFDST2 FEKFENVF FEKFENVI FEKFENVP FEKFENVR FEKFENVS FEKFEPL FEKFERRF FEKFGDGE FEKFICUL FEKFISPF FEKFIVP0 FEKFIVPA FEKFIVPD FEKFIVPI FEKFIVPJ FEKFIVPT FEKFJESM FEKFJESU FEKFJLIC FEKFJSON FEKFJVM FEKFLATR FEKFLDSI FEKFLDSL FEKFLEOP FEKFLOGS FEKFLPTH FEKFMAI6 FEKFMAIN FEKFMINE FEKFMNTL FEKFNTCE FEKFOMVS FEKFPATT FEKFPKCS FEKFPLUG FEKFPTC FEKFRIVP FEKFRMSG FEKFRSES FEKFRSRV FEKFSCMD FEKFSEND FEKFSSL FEKFSTUP FEKFT000 FEKFT002 FEKFT003 FEKFT004 FEKFT005 FEKFT006 FEKFT007 FEKFTIVP FEKFTSO FEKFUTIL FEKFVERS FEKFXITA FEKFXITL FEKFZOS FEKHCONF FEKHCUST FEKHDEB FEKHDESC FEKHFLOW FEKHGEN FEKHISPF FEKHIVP FEKHIVPD FEKHJESJ FEKHMAIN FEKHMIGO FEKHOPTE FEKHOPTN FEKHPRIM FEKHRSE1 FEKHRSEO FEKHSTRT FEKHTAB1 FEKHTAB2 FEKINIT FEKKEYS FEKLOCKA FEKLOGR FEKLOGS FEKM00 FEKM01 FEKM02 FEKMKDIR FEKMOUNT FEKMSGC FEKMSGS FEKPKCS1 FEKRACF FEKRSED FEKSAPF FEKSAPPL FEKSBPX FEKSCLAS FEKSCLOG FEKSCMD FEKSCPYM FEKSCPYU FEKSDSN FEKSENV FEKSETUP FEKSISPF FEKSJCFG FEKSJCMD FEKSJMON FEKSJWT FEKSJWTU FEKSLPA FEKSPROG FEKSPTKT FEKSRSED FEKSSERV FEKSSTC FEKSSU FEKSUSER FEKXCFGE FEKXCFGI FEKXCFGM FEKXCFGT FEKXMAIN FEKXML HUHFCOR6 HUHFCORE
Fix information
Fixed component name
EXP FOR Z/OS HO
Fixed component ID
5655EXP23
Applicable component levels
R330 PSY UI95993
UP24/03/16 P F403
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
04 April 2024