A fix is available
APAR status
Closed as program error.
Error description
You are using the VERIFY PHRASE command to authenticate users that are only allowed to use multi-factor authentication and do not have a PASSWORD or PHRASE value set in the external security manager (ESM). Instead of returning a packed format value, the EXPIRYTIME and CHANGETIME values are being incorrectly returned as binary zeros.

Additional Symptom(s) Search Keyword(s): KIXREVSWM

CICS may return a 'password expired' condition for users with MFA or passticket credentials.
Local fix
n/a
Problem summary
****************************************************************
* USERS AFFECTED: All.                                         *
****************************************************************
* PROBLEM DESCRIPTION: VERIFY PHRASE and VERIFY PASSWORD may   *
*                      return zeroes for DAYSLEFT, EXPIRYTIME  *
*                      and CHANGETIME.                         *
****************************************************************

VERIFY PHRASE and VERIFY PASSWORD return zeroes for DAYSLEFT, EXPIRYTIME and CHANGETIME when the password or password phrase is not set up in the ESM. The same fields may also contain non-zero data when the PHRASE or PASSWORD is expired.

A VERIFY PHRASE(phrase_string) command was issued and was successfully verified by the ESM (External Security Manager).

However, the user issuing the command did not have the phrase string set up in the ESM. In this scenario, the DAYSLEFT, EXPIRYTIME and CHANGETIME fields returned on the VERIFY PHRASE were inapplicable but CICS returned binary zeroes for all 3. EXPIRYTIME and CHANGETIME are defined to return packed decimal values, so attempting to use the zero value will lead to an application abend. Similarly, an expired PHRASE or PASSWORD returned inapplicable packed decimals.

In comparison, a VERIFY PHRASE where the phrase is non-expiring (but is set up in the ESM) would have had -1 returned in the aforementioned fields to clarify the values were inapplicable.

For the case where a phrase_string (or password) is not set up in the ESM, or has expired, it would be better to return a value that implies it is inapplicable.

The same situation exists for the VERIFY PASSWORD(password) command.

Users exploiting this fix who are also users of the CA Top Secret product are advised to also apply a CA fix whose reference number is RO98458.
Problem conclusion
DFHXSSB has been modified and will now return -2 for fields CHANGETIME, EXPIRYTIME and DAYSLEFT in the aforementioned scenario.

The IBM Knowledge Center for CICS Transaction Server for z/OS Version 5 (Releases 1, 2, 3 and 4) will have the following updates applied:

VERIFY PHRASE

CHANGETIME(data-area)
returns the date and time the password or password phrase was last changed in ABSTIME units. When the external security manager is RACF, the time is shown as midnight. If the supplied phrase or password phrase is successfully verified by the external security manager, but has expired or is not set in the external security manager, then CHANGETIME has no meaning and is shown as -2.

DAYSLEFT(data-area)
returns the number of days from now, in a halfword binary field, until the password or password phrase expires. If the password or password phrase does not expire, a value of -1 is returned. If the supplied phrase or password phrase is successfully verified by the external security manager, but has expired or is not set in the external security manager, then DAYSLEFT has no meaning and is shown as -2.

EXPIRYTIME(data-area)
returns the date and time the password will expire, in ABSTIME units. When the external security manager is RACF, the time is shown as midnight. If a user has a password or password phrase that does not expire, EXPIRYTIME has no meaning and is shown as -1. If the supplied phrase or password phrase is successfully verified by the external security manager, but has expired or is not set in the external security manager, then EXPIRYTIME has no meaning and is shown as -2.

VERIFY PASSWORD

CHANGETIME(data-area)
returns the date and time the password was last changed, in ABSTIME units. When the external security manager is RACF, the time is shown as midnight. If the supplied phrase or password phrase is successfully verified by the external security manager, but has expired or is not set in the external security manager, then CHANGETIME has no meaning and is shown as -2.

DAYSLEFT(data-area)
returns the number of days from now, in a halfword binary field, until the password expires. If the password is non-expiring, -1 is returned. If the supplied phrase or password phrase is successfully verified by the external security manager, but has expired or is not set in the external security manager, then DAYSLEFT has no meaning and is shown as -2.

EXPIRYTIME(data-area)
returns the date and time the password will expire, in ABSTIME units. When the external security manager is RACF, the time is shown as midnight. If the supplied phrase or password phrase is successfully verified by the external security manager, but has expired or is not set in the external security manager, then EXPIRYTIME has no meaning and is shown as -2.
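
The field values described above, decoded and classified in an added example (not IBM code and not part of this APAR). It assumes CHANGETIME and EXPIRYTIME arrive as 8-byte packed decimal ABSTIME fields and DAYSLEFT as a big-endian signed halfword; the function names and sample values are hypothetical and constructed for illustration.

```python
import struct

NON_EXPIRING = -1   # credential is set in the ESM and never expires
INAPPLICABLE = -2   # post-fix value: verified, but expired or not set in the ESM

def pack_abstime(value: int) -> bytes:
    """Build an 8-byte packed decimal: 15 digits plus a sign nibble (C or D)."""
    return bytes.fromhex(f"{abs(value):015d}" + ("D" if value < 0 else "C"))

def unpack_abstime(field: bytes) -> int:
    """Decode an 8-byte packed decimal, rejecting invalid digit or sign nibbles."""
    if len(field) != 8:
        raise ValueError("ABSTIME field must be 8 bytes")
    text = field.hex()
    digits, sign = text[:-1], text[-1]
    # Binary zeros fail here: a final nibble of 0 is not a valid sign code.
    if not digits.isdigit() or sign not in "abcdef":
        raise ValueError(f"not valid packed decimal: {text}")
    return -int(digits) if sign in "bd" else int(digits)

def classify(changetime: bytes, expirytime: bytes, daysleft: bytes) -> str:
    """Map the three returned fields to a state the caller can branch on."""
    try:
        change, expiry = unpack_abstime(changetime), unpack_abstime(expirytime)
    except ValueError:
        return "malformed"            # pre-fix symptom: binary zeros
    (days,) = struct.unpack(">h", daysleft)   # halfword binary, signed
    if INAPPLICABLE in (change, expiry, days):
        return "inapplicable"         # fields have no meaning for this user
    if NON_EXPIRING in (expiry, days):
        return "non-expiring"
    return "expires"

# Constructed sample values, not captured from a real CICS region.
SAMPLES = {
    "pre-fix MFA-only user": (bytes(8), bytes(8), bytes(2)),
    "post-fix MFA-only user": (pack_abstime(-2), pack_abstime(-2),
                               struct.pack(">h", -2)),
    "non-expiring phrase": (pack_abstime(3_720_000_000_000), pack_abstime(-1),
                            struct.pack(">h", -1)),
    "phrase expiring in 30 days": (pack_abstime(3_720_000_000_000),
                                   pack_abstime(3_722_592_000_000),
                                   struct.pack(">h", 30)),
}

if __name__ == "__main__":
    for name, fields in SAMPLES.items():
        print(f"{name}: {classify(*fields)}")
```

Checking for -2 before any date arithmetic keeps an MFA-only or passticket user from being handled as an expired-password case.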
Temporary fix
Comments
APAR Information
APAR number
PI88754
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
000
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-10-12
Closed date
2018-01-29
Last modified date
2018-07-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PI92001 UI53504 UI53505 UI53506 UI53507
Modules/Macros
DFHXSSB
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R000 PSY UI53507
UP18/01/30 P F801
R100 PSY UI53506
UP18/01/30 P F801
R800 PSY UI53504
UP18/01/31 P F801
R900 PSY UI53505
UP18/02/01 P F801
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
17 July 2018