A fix is available
APAR status
Closed as program error.
Error description
A RACF SMF type 80 subtype 2 record for the RACF audit information revealed incorrect character string data for LOGSTR in RACROUTE. The RACF authorization check procedure EZACDMRA in the command utility module EZACDMU2 is called by various applications (for example, OMPROUTE, DCAS, TN3270, and LBA) to issue the CMDAUTH macro with the LOGSTR data to determine if the user that has issued the command is authorized by RACF. For the OMPROUTE application, the SMF type 80 subtype 2 record is used to store the LOGSTR data for RACROUTE in command class MVS.ROUTEMGR.OMPROUTE. In this case, the application did pass the LOGSTR character string data of "START OMPROUTE" in the EZACDMRA call for CMDAUTH. However, the result was garbage characters in the SMF record for the RACF audit information.
Local fix
None KEYWORDS: RACF AUDIT RACROUTE LOGSTR SMF TYPE80 SUBTYPE2 EZACDMU2 EZACDMRA CMDAUTH OMPROUTE DCAS TN3270 LBA
Problem summary
**************************************************************** * USERS AFFECTED: * * All users of the IBM Communications Server for z/OS Version * * 2 Release 1 and 2 IP * **************************************************************** * PROBLEM DESCRIPTION: * * The LOGSTR value is incorrect in RACF SMF Type 80 records * * for TCP/IP command authorization failures. * **************************************************************** * RECOMMENDATION: * * Apply the PTF. * **************************************************************** For certain TCP/IP commands, authorization to RACF resource profile is checked to determine if the user ID is authorized to issue the command. RACF may create an SMF Type 80 record with the results of the authorization check. A log string (LOGSTR parameter) value can be included in the record. For some TCP/IP functions the log string value was not displayable characters. This is because the module that invoked the authorization checking did not set the log string value correctly.
Problem conclusion
Entry point EZACDMRA in module EZACDMU2 has been changed to correctly set the log string value prior to the authorization checking. The log string value must begin with a 1-byte length field and be following by the log string character value, up to a max of 255 characters.
Temporary fix
Comments
APAR Information
APAR number
PI68004
Reported component name
TCP/IP V3 MVS
Reported component ID
5655HAL00
Reported release
210
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-08-23
Closed date
2016-10-21
Last modified date
2017-01-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI41899 UI41900
Modules/Macros
EZACDMU2
Fix information
Fixed component name
TCP/IP V3 MVS
Fixed component ID
5655HAL00
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"210","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSCY4DZ","label":"DO NOT USE"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"210","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
03 January 2017