IBM Support

OA50748: MINIMIZE KDFAES PERFORMANCE IMPACTS IN CERTAIN APPLICATION FLOWS

A fix is available

APAR status

  • Closed as program error.

Error description

  • Minimize KDFAES performance impacts in certain application
    flows.
    Updates to the R_Password callable service (IRRSPW00) and
    RACROUTE REQUEST=VERIFY are being made to allow application
    authentication flows to minimize the performance impact of
    enabling RACF's KDFAES password algorithm.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Applications that perform PassTicket         *
    *                 authentication of a KDFAES user using        *
    *                 RACROUTE REQUEST=VERIFY/X or the R_Password  *
    *                 callable service (IRRSPW00)                  *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The R_Password callable service does not support PassTicket
    evaluation, since it does not accept an application name as a
    parameter. An application that authenticates a user may not
    know whether the string entered is a password or a PassTicket.
    When a PassTicket is supplied to R_Password, it will be
    evaluated as a password, possibly resulting in a KDFAES
    encryption operation, depending on the options requested, and
    the presence or absence of an ACEE cache entry in VLF.
    
    RACROUTE REQUEST=VERIFY and REQUEST=VERIFYX first attempt to
    evaluate the supplied password as a password.  If that
    evaluation fails, it will be evaluated as a PassTicket.
    If the user has not previously authenticated using a password,
    a KDFAES encryption operation will be performed prior to the
    PassTicket evaluation.  Repetitive calls of this nature will
    always incur a KDFAES encryption operation.
    

Problem conclusion

  • R_Password is being enhanced with a "fast-fail" option.  If
    there is no VLF cache entry that can be used to evaluate the
    input password value, the request immediately fails.  The
    caller can then call RACROUTE REQUEST=VERIFY/X to perform the
    authentication.
    
    RACROUTE REQUEST=VERIFY/X is being changed to reverse the
    order of password evaluation when a cached ACEE is found and
    SYSTEM=NO is specified, or defaulted.  That is, the KDFAES
    encryption is always performed first when there is no cache
    hit, but subsequent requests received while the cache entry
    still exists will first evaluate the password as a
    PassTicket.
    
    PassTicket evaluation is improved to screen out passwords that
    contain a special character (including national characters) or
    a lower case character.  A PassTicket can only contain upper
    case letters and digits.  Therefore, when a user is
    authenticating with a password, the overhead of PassTicket
    evaluation (including encryption, RACF profile lookups, and
    serialization) can be completely eliminated when user
    passwords are required to contain symbolic or lower case
    characters.
    
    Note that CICS is an application that is known to be taking
    advantage of the changes in this APAR.
    
    Applications that exploit this enhancement to improve
    performance will be documented in INFO APAR II14765 as they
    become known.
    
    ---------------------------------------------------------------
    
    The following fix category keyword identifies this APAR as
    pertaining to KDFAES password encryption:
    
    RACFPWENCR/K
    
    ---------------------------------------------------------------
    
    The following RACF publications have changes to support this
    APAR.
    
    z/OS Security Server RACF Callable Services
     (SA22769100 SA23229300)
    
    z/OS Security Server RACF Data Areas
     (GA22768000 GA32088500)
    
    z/OS Security Server RACF Security Administrator's Guide
     (SA22768300 SA23228900)
    
    ---------------------------------------------------------------
    
    z/OS Security Server RACF Callable Services:
    
    For the R_Password callable service (IRRSPW00), there is an
    update to the description of the Function_parmlist parameter
    for function code X'0001': Verify a user's current password
    or phrase.  A new option flag is defined in the XPW_VFY_OPTIONS
    field:
    
    x'40000000': If there is no ACEE cache entry that can be used
                 to validate the password, then fail immediately
                 with return code 8/8/8. The password may or may
                 not be valid.
    
    Usage note 1 is replaced with the following:
    
    The password evaluation service checks to see if the specified
    password or phrase matches the one stored in the RACF database
    for the specified user.  It also optionally provides password
    expiration and user revocation checking.  When the caller
    requests the extra checking (and the x'40000000' bit is not
    set on in XPW_VFY_OPTIONS), and the request fails, or caching
    does not find a match, a RACROUTE REQUEST=VERIFY is issued.
    When the extra checking is not requested, no RACROUTE is
    issued.
    
    ---------------------------------------------------------------
    
    z/OS Security Server RACF Data Areas
    
    A new one-byte field named RCVTFLG4 is added at decimal offset
    640 (X'280').  Bit 0 of this field is named RCVTRPFF and, when
    on, indicates that the R_Password fast-fail option is
    available.
    
    ---------------------------------------------------------------
    
    z/OS Security Server RACF Security Administrator's Guide
    
    In the "Protecting general resources" chapter, in the section
    "Using the secured signon function", the heading titled "How
    RACF processes the password or PassTicket" has the following
    note added to step 1:
    
    Note: When RACF finds an ACEE in the VLF cache, PassTicket
          evaluation is performed first, and the value in the
          password field is only evaluated as a password if
          PassTicket evaluation is unsuccessful.
    
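The evaluation-order rules and the fast-fail option described in the problem conclusion, modelled as an added C example; this is not RACF or IBM code, and the function names, the step enum, the simplified single return code, and the 0x80 mask used for bit 0 of RCVTFLG4 (IBM numbering, bit 0 being the high-order bit) are assumptions of the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of the APAR's evaluation order; not RACF code. */
#define XPW_VFY_FASTFAIL 0x40000000u  /* new XPW_VFY_OPTIONS flag named in the APAR */
#define RCVTRPFF         0x80u        /* bit 0 of RCVTFLG4 (assumed: bit 0 = high-order) */

enum step { STEP_NONE = 0, STEP_KDFAES_PASSWORD, STEP_PASSTICKET };

/* A PassTicket contains only upper-case letters and digits, so any other
   character lets PassTicket evaluation be skipped entirely (the screening
   this APAR adds). An empty string is never a candidate. */
bool passticket_candidate(const char *s) {
    if (s == NULL || *s == '\0') return false;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isupper(c) || isdigit(c))) return false;
    }
    return true;
}

/* Order in which RACROUTE REQUEST=VERIFY/X evaluates the supplied string:
   PassTicket first only when a cached ACEE exists and SYSTEM=NO is in
   effect; otherwise KDFAES password evaluation first, then PassTicket.
   Fills out[] and returns the number of steps (1 or 2). */
int verify_order(bool cache_hit, bool system_no, const char *input, enum step out[2]) {
    bool try_ticket = passticket_candidate(input);
    int n = 0;
    if (cache_hit && system_no) {
        if (try_ticket) out[n++] = STEP_PASSTICKET;
        out[n++] = STEP_KDFAES_PASSWORD;
    } else {
        out[n++] = STEP_KDFAES_PASSWORD;
        if (try_ticket) out[n++] = STEP_PASSTICKET;
    }
    return n;
}

/* R_Password fast-fail: fail immediately with return code 8 (the APAR's
   8/8/8, collapsed to the SAF return code here) when the caller requested
   the option, the system supports it (RCVTRPFF on) and no ACEE cache entry
   exists. Returns 0 when evaluation should proceed; the caller would then
   fall back to RACROUTE REQUEST=VERIFY/X on an 8. */
int r_password_fastfail(uint32_t options, uint8_t rcvtflg4, bool cache_hit) {
    if ((options & XPW_VFY_FASTFAIL) && (rcvtflg4 & RCVTRPFF) && !cache_hit)
        return 8;
    return 0;
}
```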

Temporary fix

Comments

APAR Information

  • APAR number

    OA50748

  • Reported component name

    RACF

  • Reported component ID

    5752XXH00

  • Reported release

    780

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / Pervasive / Xsystem

  • Submitted date

    2016-06-17

  • Closed date

    2017-01-10

  • Last modified date

    2017-02-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA83757 UA83758

Modules/Macros

  • ICHIRCVT ICHRIN00 ICHSEC07 IRRRIN23 IRRRPW01
    

Publications Referenced
SA22769100 SA23229300 GA22768000 GA32088500 SA22768300 SA23228900

Fix information

  • Fixed component name

    RACF

  • Fixed component ID

    5752XXH00

Applicable component levels

  • R7A0 PSY UA83757

       UP17/01/25 P F701

  • R790 PSY UA83758

       UP17/01/25 P F701

Document information

More support for: z/OS family

Software version: 780

Operating system(s): MVS, z/OS

Reference #: OA50748

Modified date: 01 February 2017