A fix is available
APAR status
Closed as program error.
Error description
The customer upgraded CICS to the 5.5 level and ran into an issue with MQMON and the userid used to start the transactions. When a transaction is triggered, he gets a violation on user XXXXXX (selected by default, the CICS region ID):

ACFAE900 LID=CICSSC TERM=NONE RESOURCE=TRANS NAME=WWWW
ACFAE913 ACF2 security violation: Source=STCINRDR Access=V

He expected that the transaction (WWWW) would run under YYYYYY (the userid value of the MQMONITOR resource):

DFHAC2003 Security violation has been detected term id = ????, trans id = WWWW, userid = XXXXXX.

This is not a problem with MQMONITORs. Transaction CPIL is running under the correct userid (YYYYYY) that is associated with the MQMONITOR transaction CKTI. The problem is that when CPIL creates the process to run transaction WWWW, the userid returned when looking up the URIMAP has been corrupted.

The locate of the URIMAP returns userid TITITOTO. After control returns from programs associated with global user exit points XEIIN/XEIOUT and XICEREQ/XICEREQC, register 2, into which the userid has been saved, is now corrupted because the registers were not restored correctly, leaving the top half of R2 overwritten with binary zeroes.

When the task attach takes place for task xxx (WWWW), the corrupted userid is passed in via the request block. The security manager fails to find this userid and defaults to the CICS region ID, which is not authorised to attach the task, and so the violation occurs.
Local fix
NA
Problem summary
USERS AFFECTED: All CICS users.

PROBLEM DESCRIPTION: Security violation when using web service over IBM MQ and a XICEREQ user exit is enabled.

A web service request arrives over IBM MQ using persistent messages. DFHPILSQ retrieves the user ID from the URIMAP and stores it in register 2. Two EXEC CICS ASKTIME calls are made and there is a program enabled at the XICEREQ exit point. On completion of the EXEC CICS commands the user ID held in register 2 had been corrupted by the user exit program. As a result a security violation occurred when this was used to run the web service request.
Problem conclusion
DFHPILSQ has been updated to no longer hold the user ID in a register.
Temporary fix
Comments
APAR Information
APAR number
PH30114
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
200
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-10-05
Closed date
2020-10-23
Last modified date
2021-01-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI72214 UI72215
Modules/Macros
DFHPILSQ
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
Fix is available
Document Information
Modified date:
30 January 2021