A fix is available
APAR status
Closed as program error.
Error description
CICS does not pass installation data to the ESM on the RACROUTE REQUEST=VERIFY call made to change a password. CICS only passes installation data to the ESM on the RACROUTE REQUEST=VERIFYX call used for password verification if that call was made as part of a signon. In this case the UXPPHASE value indicates to the ICHRIX01 exit that the request is a signon and not a password verification request.

Symptom(s) Search Keyword(s): KIXREVxxx
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All CICS Users with PI21866 applied.         *
****************************************************************
* PROBLEM DESCRIPTION: Performing a SIGNON with PHRASE and     *
*                      NEWPHRASE causes the PHRASE to be       *
*                      validated twice. The SIGNON can then    *
*                      fail if the PHRASE contains a           *
*                      single use token.                       *
****************************************************************

A vendor security product is used to validate authentication tokens supplied as part of a password phrase. A SIGNON is performed specifying PHRASE and NEWPHRASE. The PHRASE contains the password and a single use token. This is validated by calling the R_Password (IRRSPW00) service. Exit program IRRSXT00 extracts the token and successfully validates it.

A RACROUTE REQUEST=VERIFY call is then made to change the password. The PHRASE and NEWPHRASE are passed on this call. Exit program ICHRIX01 extracts the token. Validation of the token fails, because it has already been used on the IRRSPW00 call. The exit program rejects the attempt to change the password and the signon fails.
Problem conclusion
UI22618 UI24130 UI25263 UI30326 UI43780

CICS has been updated to only issue a single RACROUTE REQUEST=VERIFY call to change the password as part of a signon. This means that any security exit program will only be passed the PHRASE (or PASSWORD) once.

CICS has also been changed to always pass installation data (if ESMEXITS=INSTLN is coded in the SIT) on the RACROUTE REQUEST=VERIFY call used to change the password and on the RACROUTE REQUEST=VERIFYX call used in password verification (when there has been a password failure or a passticket is being used).

New UXPPHASE values have been created to allow the ICHRIX01 exit to correctly determine why it is being invoked. The new UXPPHASE values are:

PASSWORD_CHANGE (X'90')
PASSWORD_VERIFICATION (X'91')

The CICS Transaction Server for z/OS 5.2 Customization Guide (SC34-7269-00) will have the following 2 fields added in Chapter 9 (Customizing security processing), where it lists the possible values that can be addressed by UXPPHASE:

PASSWORD_CHANGE         X'90'   Change of password
PASSWORD_VERIFICATION   X'91'   Password being verified
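The failure and the fix described above can be reproduced with a small model. This is an added example, not IBM or vendor code: the class and function names, the 6-character token suffix and the sample phrases are assumptions made for illustration, and only the exit names and the X'90' value come from this APAR.

```python
# Added model, not IBM or vendor code. Class and function names are hypothetical.
PASSWORD_CHANGE = 0x90  # UXPPHASE value listed in this APAR
TOKEN_LEN = 6           # assumption: the token is the last 6 characters of PHRASE


class OneTimeTokens:
    """Stand-in for the vendor product: a token validates exactly once."""

    def __init__(self, issued):
        self._unused = set(issued)

    def consume(self, token):
        if token in self._unused:
            self._unused.discard(token)
            return True
        return False


class ModelEsm:
    """Models the two ESM entry points and the exits they drive."""

    def __init__(self, tokens, password):
        self.tokens, self.password, self.trace = tokens, password, []

    def _exit(self, exit_name, phase, phrase):
        password, token = phrase[:-TOKEN_LEN], phrase[-TOKEN_LEN:]
        ok = password == self.password and self.tokens.consume(token)
        self.trace.append((exit_name, phase, ok))  # what each exit saw and decided
        return ok

    def r_password(self, phrase):
        # IRRSPW00 drives IRRSXT00; no UXPPHASE is modelled on this path.
        return self._exit("IRRSXT00", None, phrase)

    def racroute_verify_change(self, phrase, new_password, phase=None):
        # RACROUTE REQUEST=VERIFY drives ICHRIX01 with PHRASE and NEWPHRASE.
        if not self._exit("ICHRIX01", phase, phrase):
            return False
        self.password = new_password
        return True


def signon_before_fix(esm, phrase, new_password):
    # Two calls, so the single-use token is presented to an exit twice.
    return esm.r_password(phrase) and esm.racroute_verify_change(phrase, new_password)


def signon_after_fix(esm, phrase, new_password):
    # One call: the exit is passed PHRASE once, with the new phase value.
    return esm.racroute_verify_change(phrase, new_password, PASSWORD_CHANGE)
```

The trace list records which exit ran, the phase it was given and its decision, which is the information an exit author would log when diagnosing a rejected signon.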
Temporary fix
Comments
APAR Information
APAR number
PI67905
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
900
Status
CLOSED PER
PE
YesPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-08-22
Closed date
2017-02-09
Last modified date
2017-03-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PI75324 PI75325 PI76141 UI44531
Modules/Macros
DFHSNTU DFHUSAD DFHXMAT DFHXMTA DFHXMXE DFHXSAD DFHXSCR DFHXSCT DFHXSDM DFHXSDUF DFHXSEV DFHXSFL DFHXSIDT DFHXSIS DFHXSKR DFHXSLU DFHXSPW DFHXSRC DFHXSRN DFHXSSA DFHXSSB DFHXSSC DFHXSSD DFHXSSE DFHXSSF DFHXSSH DFHXSSI DFHXSSK DFHXSTRI DFHXSTS DFHXSUXP DFHXSXM
SC34726900
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R900 PSY UI44531
UP17/02/13 P F702
Document Information
Modified date:
02 March 2017