PH23078: DFHXS0001 ABEND 0801 IN DFHXSPW

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• You are running your CICS region with an external security
  manager (ESM) and receive a message similar to the following:
  .
  DFHXS0001 applid An abend (code ---/0801)
  has occurred at offset X'FFFF' in module DFHXSPW.
  .
  The abend
  is out of Top Secret module TSSSFRVT. The abend is intentional.
  The problem is caused by a TCPIPSERVICE using basic
  authentication and being sent an empty Authorization header.
  The header value just contains an encoded ':' which is the
  separator character between the userid and password. DFHWBSR
  has not checked the userid or password lengths and just passed
  that on to DFHXSPW and then DFHXSSB.
  .
  When RACF is used the
  EXTRACT call fails with return codes (hex) 8, 24, 18, 24 and an
  exception response gets returned back from DFHXSSB. It appears
  that in the Top Secret case an abend is issued instead, which
  CICS is not expecting to intercept.
  .
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: All.                                         *
  ****************************************************************
  * PROBLEM DESCRIPTION: DFHXS0001 issued when a null userid of  *
  *                      length 0 is passed to an ESM.           *
  *                                                              *
  ****************************************************************
  In the reported problem, a web client task with basic
  authentication passed an HTTP request into CICS containing
  a null userid and password each of length 0.
  
  CICS security code passed these to a vendor ESM using a
  RACROUTE EXTRACT call.  The call failed but the return codes
  returned to CICS by the vendor ESM were not recognised by
  CICS and a severe error DFHXS0001 presented.
  
  Had the ESM been RACF then the return codes would have been
  interpreted by CICS and a soft error issued.
  

Problem conclusion

• CICS security domain has been updated to no longer pass a null
  userid to the ESM.
  
  This APAR changes the RESP and RESP2 values returned for
  certain error conditions on EXEC CICS VERIFY PHRASE and
  EXEC CICS CHANGE PHRASE commands.
  
  If the commands are issued with a blank userid the response
  will be USERIDERR (68) with RESP2 = 8.
  
  If the commands are issued with a blank password the response
  will be NOTAUTH (70) with RESP2 = 1.
  
  This apar provides a new RESP2 code of 1 for VERIFY and CHANGE
  password requests to accompany a NOTAUTH (RESP = 70) response.
  A RESP2 of 1 means:  Password required.
  The Knowledge Center will be updated at the next refresh.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  PH26296 UI70639 UI70640 UI70641 UI70642

Modules/Macros

• DFHESN   DFHUSAD  DFHWBA   DFHWBA1  DFHWBAP  DFHWBAPF DFHWBBLI
  DFHWBDM  DFHWBDUF DFHWBENV DFHWBPA  DFHWBPW  DFHWBSO  DFHWBSR
  DFHWBTRI DFHWBTTA DFHWBXM  DFHWBXN  DFHXSPW  DFHXSPWT
  

Fix information

• Fixed component name

  CICS TS Z/OS V5

• Fixed component ID

  5655Y0400

Applicable component levels

• R000 PSY UI70640

     UP20/07/23 P F007

• R100 PSY UI70639

     UP20/07/22 P F007

• R200 PSY UI70642

     UP20/07/22 P F007

• R300 PSY UI70641

     UP20/07/22 P F007

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.