IBM Support

PH55707: CORRECT THE QUERY SECURITY COMMAND TO NOT REQUIRE CMDSEC(YES)

A fix is available


APAR status

  • Closed as program error.

Error description

  • The difference in behaviour between the releases is due to a
    change in behaviour of the QUERY SECURITY command.  At 5.3, QUERY
    SECURITY resulted in one call to DFHXSRC (the CICS resource
    checking module) for each access level being queried.  At 5.6, an
    optimised call is made and DFHXSRC is called once to check all
    the requested access levels.
    The problem is that the optimised routine for command security
    checks in DFHXSRC incorrectly requires CMDSEC(YES) to be
    set.  The user transaction has CMDSEC(NO), which causes the
    call to the ESM (external security manager) to be bypassed and
    the QUERY SECURITY command to return OK instead of NOTAUTH.
    Everything appears to work when CEDF is being used because CEDF
    has CMDSEC(YES) and forces that to be used.
    
    Raise an APAR so that we can correct the QUERY SECURITY command
    to not require CMDSEC(YES).
    

Local fix

  • An alternative solution to the problem is to define the
    transaction with CMDSEC(YES).
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS users.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: QUERY SECURITY always returns OK for    *
    *                      transactions defined with CMDSEC(NO).   *
    ****************************************************************
    When an application issues an EXEC CICS QUERY SECURITY
    RESTYPE('SPCOMMAND') command from a transaction which has
    CMDSEC(NO) set in its transaction definition, CICS will return
    'OK' instead of 'NOTAUTH' even when the user who ran the
    transaction does not have the correct permissions.
    

Problem conclusion

  • CICS has been updated so that CMDSEC(YES) does not have to be
    set to correctly identify if the user has permission to use a
    QUERY SECURITY command within a program.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH55707

  • Reported component name

    CICS TS Z/OS V6

  • Reported component ID

    5655YA100

  • Reported release

    400

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-07-12

  • Closed date

    2023-07-31

  • Last modified date

    2024-08-07

  • APAR is sysrouted FROM one or more of the following:

    PH55608

  • APAR is sysrouted TO one or more of the following:

    UI92956

Modules/Macros

  • DFHXSRC
    

Fix information

  • Fixed component name

    CICS TS Z/OS V6

  • Fixed component ID

    5655YA100

Applicable component levels

  • R400 PSY UI92956

       UP23/08/01 P F307

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
07 August 2024