IBM Support

OA50846: ABEND0C4-11 IRRFRN00 OR ICH408I INVALID PASSWORD IMS CONNECT AFTER KDFAES AND MIGRATING USERIDS

A fix is available


APAR status

  • Closed as program error.

Error description

  • With the KDFAES enhancement, once a user has been PWCONVERTed, a
    FRACINIT (Fast VERIFY / logon) can have two issues:
    1) failure to validate the length of the parmlist before using
    the PasswordPhrasePtr will result in an Abend0C4 RSN11;
    The dump title is:
    ICHRST00-RACF SVCS,ABEND CODE=0C4-011,
    SVC=IRRFRN00,USER=IMSSTC,GROUP=STCPROC ,EXIT=IRRFRN00
    
    2) failure to trim trailing blanks from the Userid will generate
    msgICH408I / msgIRR013I for INVALID PASSWORD.
    
    ANALYSIS:
    1) New routine GET_PWPHRASE builds a new ICHETEST block using
    INITPHRL & INITPHRS without first checking the INITLEN is at
    least PARMLEN9.
    2) IRRFRN00 may now need to validate the password through an
    ICHEINTY instead of by comparison to the VLF cache data, and so
    needs to treat the userid the same way as ICHRIN00, by removing
    any trailing blanks.
    
    KNOWN IMPACT:
    At present, IMS Connect logins will fail when using exit
    ZRJXICON. The customer has to back out of KDFAES.
    
    VERIFICATION STEPS:
    Abend is at:
     IRRFRN00+41B6 at UA90721, UA90720, UA90719
             +4250 at UA90988,
             +41DC at UA90989
    
    ADDITIONAL SYMPTOMS:
    ICH408 msgICH408 msgIRR013 IRR013I IRR013
    

Local fix

  • BYPASS/CIRCUMVENTION:
    Do not activate SETROPTS PASSWORD( ALGORITHM(KDFAES) )
    or change the caller of VERIFY to use the correct length.
    
    RECOVERY ACTION:
    Deactivate KDFAES via:
       SETROPTS PASSWORD( NOALGORITHM )
    and then force failing users to change their password.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of IMS Connect (or other similarly     *
    *                 coded applications) with RACF passwords or   *
    *                 phrases encrypted by the KDFAES algorithm    *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Incorrect parameter list checking in RACROUTE REQUEST=VERIFY
    when SYSTEM=YES is specified assumes a password phrase can be
    specified even when the value specified on the RELEASE=
    keyword is too old (lower than "7730") to support phrases.
    This results in a reference to unallocated or uninitialized
    storage.
    
    In addition, specification of a USERID= value whose length
    field includes trailing blanks beyond the actual user ID value
    can cause the password or phrase check to fail when SYSTEM=YES
    is specified and the password or phrase is encrypted by
    KDFAES.
    

Problem conclusion

  • Checking is added to only reference the PHRASE= data if
    RELEASE= is specified with "7730" or higher.
    
    Code is also added to tolerate trailing blanks in the user ID
    specification.  Although this is an incorrect parameter list,
    such a specification worked prior to the introduction of
    KDFAES.
    
    The following fix category keyword identifies this APAR as
    pertaining to KDFAES password encryption:
    
    RACFPWENCR/K
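
The two checks described above, modelled in C as an added example (not IBM's code; the structure layout and every name are hypothetical and do not reflect the real RACF parameter list). A routine reads an optional newer field only when the caller-supplied length covers it, and trims trailing blanks from the user ID before using it.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical parameter list, not the RACF layout: newer callers append
 * fields, and `len` says how many bytes the caller really supplied. */
typedef struct {
    unsigned short len;        /* bytes the caller supplied */
    unsigned char  userid_len; /* may wrongly count trailing blanks */
    char           userid[8];  /* blank padded, not NUL terminated */
    const char    *password;
    const char    *phrase;     /* exists only in the newer, longer layout */
} verify_parms;

/* Size of the old layout: everything before `phrase`. */
#define OLD_PARMS_LEN offsetof(verify_parms, phrase)

/* Return the phrase pointer only if the caller's list is long enough to
 * contain it; otherwise the field lies outside what the caller built. */
const char *get_phrase(const verify_parms *p)
{
    if (p->len < sizeof(verify_parms))
        return NULL;
    return p->phrase;
}

/* Effective user ID length: clamp to the field, then drop trailing blanks
 * so "IMSSTC  " and "IMSSTC" identify the same user. */
size_t userid_length(const verify_parms *p)
{
    size_t n = p->userid_len;
    if (n > sizeof p->userid)
        n = sizeof p->userid;
    while (n > 0 && p->userid[n - 1] == ' ')
        n--;
    return n;
}

/* Constructed sample: an old-style caller whose length covers only the old
 * layout, with a user ID length that includes two trailing blanks. */
verify_parms old_caller_sample(void)
{
    verify_parms p;
    memset(&p, 0xAA, sizeof p);   /* stands in for uninitialized storage */
    p.len = (unsigned short)OLD_PARMS_LEN;
    p.userid_len = 8;
    memcpy(p.userid, "IMSSTC  ", 8);
    p.password = "constructed";
    return p;
}
```

Without the length test in `get_phrase`, the old-style caller's list would yield whatever bytes follow it in storage as a pointer, which is the class of fault the abend in this APAR reflects.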
    

Temporary fix

  • *********
    * HIPER *
    *********
    REQUEST RELIEF FROM LEVEL 2
    


APAR Information

  • APAR number

    OA50846

  • Reported component name

    RACF

  • Reported component ID

    5752XXH00

  • Reported release

    790

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    YesHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-07-08

  • Closed date

    2016-09-13

  • Last modified date

    2016-10-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA82738 UA82739 UA82740

Modules/Macros

  • IRRFRN00
    

Fix information

  • Fixed component name

    RACF

  • Fixed component ID

    5752XXH00

Applicable component levels

  • R7A0 PSY UA82738

       UP16/09/28 P F609 ¢

  • R780 PSY UA82739

       UP16/09/28 P F609 ¢

  • R790 PSY UA82740

       UP16/09/28 P F609 ¢

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: z/OS family

Software version: 790

Operating system(s): MVS, z/OS

Reference #: OA50846

Modified date: 04 October 2016