IBM Support

OA46777: SOME PROCESSING AGAINST ICHEACTN WHEN RUN=NO. ABEND OR OVERLAY POSSIBLE

A fix is available


APAR status

  • Closed as program error.

Error description

  • PE Information:
    Users Affected:
    This processing was introduced with APAR OA43999, PTFs UA90719,
    UA90720 and UA90721 for HRF7770, HRF7780 and HRF7790
    respectively.
    User Impact:
    When RUN=NO is specified on ICHEACTN for the PASSWORD, PHRASE,
    OLDPSWDS or OLDPHRES field there is the possibility of an ABEND
    or overlay due to processing the input field early in RACF
    Manager processing.
    
    The specific issues to be addressed:
    1) Attempts to process password/phrase data when RUN=NO is
    specified.
    2) Missing length checking on the password or phrase; RACF may
    encrypt more than will fit in the target buffer.
    3) RACF will try to encrypt unknown data on a DELETE request.
    
    APAR OA43999 implemented the desired function but introduced a
    new problem.
    
    If KDFAES is active and users have KDFAES encrypted passwords
    or phrases, do not back off the original PTF.  Doing so could
    prevent users from accessing the system.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users who run programs which make            *
    *                 calls to the RACF ICHEINTY service           *
    *                 which contain ICHEACTN requests which        *
    *                 perform one of the following actions         *
    *                 on a password, password phrase or            *
    *                 history field.                               *
    *                 1. specify RUN=NO.                           *
    *                 2. delete the field.                         *
    *                 3. Specify data in excess of 100 bytes.      *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    If an ICHEACTN specifies the RUN=NO option, an attempt
    may still be made to hash the password, phrase or history
    data specified in the ICHEACTN request.  If RUN=NO
    is specified, it is possible that the ICHEACTN contains
    an invalid data pointer and data length, because
    the program which sets RUN=NO may not have set a valid
    data pointer and length.
    Because RUN=NO was specified, RACF should not
    try to hash the data.
    When RUN=YES, RACF fails to perform adequate length checking
    of the input password, password phrase and history data
    prior to hashing the data in certain cases.
    RACF also fails to properly detect a DELETE request for
    password, password phrase or history data and may attempt
    to hash arbitrary data on a DELETE request.
    

Problem conclusion

  • RACF properly recognizes the RUN=NO and DELETE options on
    ICHEACTN and is careful to not attempt to hash any data
    when RUN=NO or DELETE is specified.
    RACF also adds some additional length checking
    on password, password phrase and history data when hashing.
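
The check ordering described in the problem summary and conclusion, modelled as an added C example that is not IBM's code and does not reflect RACF internals. The `action_req` struct, `process_secret_field` and the FNV-1a stand-in digest are hypothetical, and treating the page's 100-byte threshold as the work-buffer size is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 100 is the page's stated threshold; using it as the buffer size is an assumption. */
#define MAX_SECRET_LEN 100

enum verdict { V_HASHED, V_SKIPPED, V_REJECTED };

/* Hypothetical model of one action request; not the real ICHEACTN layout. */
struct action_req {
    int run;              /* 0 models RUN=NO */
    int is_delete;        /* nonzero models a DELETE request */
    const uint8_t *data;  /* caller may leave this unset when run == 0 */
    size_t len;           /* likewise untrusted until the flags are checked */
};

/* Stand-in digest (FNV-1a); not KDFAES and not a password hash. */
static uint32_t toy_digest(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++)
        h = (h ^ p[i]) * 16777619u;
    return h;
}

enum verdict process_secret_field(const struct action_req *r, uint32_t *out)
{
    uint8_t work[MAX_SECRET_LEN];

    /* RUN=NO or DELETE: decide from the flags alone, never read data/len. */
    if (!r->run || r->is_delete)
        return V_SKIPPED;
    /* Bound the length before anything is copied into the fixed buffer. */
    if (r->data == NULL || r->len == 0 || r->len > sizeof work)
        return V_REJECTED;
    memcpy(work, r->data, r->len);
    *out = toy_digest(work, r->len);
    return V_HASHED;
}

int main(void)
{
    static const uint8_t sample[] = { 's', 'a', 'm', 'p', 'l', 'e' }; /* constructed */
    struct action_req ok = { 1, 0, sample, sizeof sample };
    uint32_t d = 0;
    return process_secret_field(&ok, &d) == V_HASHED ? 0 : 1;
}
```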
    

Temporary fix

  • *********
    * HIPER *
    *********
    

Comments

APAR Information

  • APAR number

    OA46777

  • Reported component name

    RACF

  • Reported component ID

    5752XXH00

  • Reported release

    780

  • Status

    CLOSED PER

  • PE

    YesPE

  • HIPER

    YesHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-12-16

  • Closed date

    2015-01-23

  • Last modified date

    2015-03-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA76136 UA76138 UA76137

Modules/Macros

  • IRRMAF00
    

Fix information

  • Fixed component name

    RACF

  • Fixed component ID

    5752XXH00

Applicable component levels

  • R770 PSY UA76136

       UP15/02/04 P F502

  • R780 PSY UA76137

       UP15/02/04 P F502

  • R790 PSY UA76138

       UP15/02/04 P F502


Document Information

Modified date:
02 March 2015