IBM Support

OA50749: SAF MACRO SUPPORT FOR RACF APAR OA50748

A fix is available


APAR status

  • Closed as program error.

Error description

  • SAF macro support for RACF APAR OA50748.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: RACF users with OA50748 applied              *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    This APAR provides SAF macro support for RACF APAR OA50748.
    

Problem conclusion

  • SAF mapping macros are updated to support OA50748.
    
    The following fix category keyword identifies this APAR as
    pertaining to KDFAES password encryption:
    
    RACFPWENCR/K
    
    The following RACF publications have changes to support this
    APAR.
    
    z/OS Security Server RACF Callable Services
     (SA22769100 SA23229300)
    
    z/OS Security Server RACF Data Areas
     (GA22768000 GA32088500)
    
    z/OS Security Server RACF Security Administrator's Guide
     (SA22768300 SA23228900)
    
    ---------------------------------------------------------------
    
    z/OS Security Server RACF Callable Services:
    
    For the R_Password callable service (IRRSPW00), there is an
    update to the description of the Function_parmlist parameter
    for function code X'0001': Verify a user's current password
    or phrase.  A new option flag is defined in the XPW_VFY_OPTIONS
    field:
    
    x'40000000': If there is no ACEE cache entry that can be used
                 to validate the password, then fail immediately
                 with return code 8/8/8. The password may or may
                 not be valid.
    
    Usage note 1 is replaced with the following:
    
    The password evaluation service checks to see if the specified
    password or phrase matches the one stored in the RACF database
    for the specified user.  It also optionally provides password
    expiration and user revocation checking.  When the caller
    requests the extra checking (and the x'40000000' bit is not
    set on in XPW_VFY_OPTIONS), and the request fails, or caching
    does not find a match, a RACROUTE REQUEST=VERIFY is issued.
    When the extra checking is not requested, no RACROUTE is
    issued.
    
    ---------------------------------------------------------------
    
    z/OS Security Server RACF Data Areas
    
    A new one-byte field named RCVTFLG4 is added at decimal offset
    640 (X'280').  Bit 0 of this field is named RCVTRPFF and, when
    on, indicates that the R_Password fast-fail option is
    available.
    
    ---------------------------------------------------------------
    
    z/OS Security Server RACF Security Administrator's Guide
    
    In the "Protecting general resources" chapter, in the section
    "Using the secured signon function", the heading titled "How
    RACF processes the password or PassTicket" has the following
    note added to step 1:
    
    Note: When RACF finds an ACEE in the VLF cache, PassTicket
          evaluation is performed first, and the value in the
          password field is only evaluated as a password if
          PassTicket evaluation is unsuccessful.
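
The following is an added example, not IBM code and not part of the APAR text. It shows a caller-side guard for the R_Password fast-fail option described above: test RCVTRPFF before setting x'40000000' in XPW_VFY_OPTIONS, and treat 8/8/8 under fast-fail as "not evaluated" rather than as a bad password. The function names, the RCVT byte image passed in as a buffer, and the reading of all-zero return codes as success are assumptions; the offset and flag values are the ones given in the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RCVTFLG4_OFFSET  640u        /* decimal offset X'280', from the APAR text */
#define RCVTRPFF_MASK    0x80u       /* "bit 0" in IBM numbering is the high-order bit */
#define XPW_VFY_FASTFAIL 0x40000000u /* new XPW_VFY_OPTIONS flag, from the APAR text */

enum verify_outcome { VERIFY_OK, VERIFY_INDETERMINATE, VERIFY_FAILED };

/* 1 only if the RCVT image reaches RCVTFLG4 and RCVTRPFF is on. */
int fast_fail_available(const uint8_t *rcvt, size_t len)
{
    if (rcvt == NULL || len <= RCVTFLG4_OFFSET)
        return 0;                    /* image too short for the field: treat as unsupported */
    return (rcvt[RCVTFLG4_OFFSET] & RCVTRPFF_MASK) != 0;
}

/* Add the fast-fail flag to the caller's other option bits only when supported. */
uint32_t build_vfy_options(uint32_t base, const uint8_t *rcvt, size_t len)
{
    return fast_fail_available(rcvt, len) ? (base | XPW_VFY_FASTFAIL) : base;
}

/* Map SAF rc / RACF rc / RACF reason to an outcome for the options that were sent. */
enum verify_outcome classify_result(uint32_t options, int saf_rc, int racf_rc, int reason)
{
    if (saf_rc == 0 && racf_rc == 0 && reason == 0)
        return VERIFY_OK;            /* assumption: all-zero codes mean the password matched */
    if ((options & XPW_VFY_FASTFAIL) && saf_rc == 8 && racf_rc == 8 && reason == 8)
        return VERIFY_INDETERMINATE; /* no usable ACEE cache entry; password not judged */
    return VERIFY_FAILED;
}

int main(void)
{
    uint8_t rcvt_image[641] = {0};   /* constructed sample, not a real RCVT */
    rcvt_image[RCVTFLG4_OFFSET] = 0x80;
    uint32_t opts = build_vfy_options(0, rcvt_image, sizeof rcvt_image);
    printf("options=%08X outcome=%d\n", (unsigned)opts,
           (int)classify_result(opts, 8, 8, 8));
    return 0;
}
```

Because the text states that the password "may or may not be valid" on a fast-fail 8/8/8, a caller should keep that outcome separate from a failed password check.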
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA50749

  • Reported component name

    SYS SECRTY SPT

  • Reported component ID

    5752SC1BN

  • Reported release

    780

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / Pervasive / Xsystem

  • Submitted date

    2016-06-17

  • Closed date

    2017-01-10

  • Last modified date

    2017-02-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA83755 UA83756

Modules/Macros

  • ICHPRCVT IRRPCOMP
    

Publications Referenced
SA22769100 SA23229300 GA22768000 GA32088500 SA22768300 SA23228900

Fix information

  • Fixed component name

    SYS SECRTY SPT

  • Fixed component ID

    5752SC1BN

Applicable component levels

  • R7A0 PSY UA83755

       UP17/01/25 P F701  

  • R790 PSY UA83756

       UP17/01/25 P F701  

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
01 February 2017