IBM Support

PI39336: DFHXS1201 ISSUED ON PASSWORDLESS SIGNON

A fix is available

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Customer is making use of RACF exit ICHRIX01 which gets
    driven on RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX
    calls during Signon. These specific signons are being made with
    a dummy password to be passed to the ICHRIX01 exit program
    purposely. The exit is also expecting installation data (INSTLN)
    to be passed on these calls. The region is coded with
    ESMEXITS(INSTLN) in the DFHSIT to support INSTLN to be
    passed.
      All was working as expected until the customer applied
    maintenance to the RSU1412 level which included PI21866 that
    changed the password verification process in CICS to use
    IRRSPW00 and not to call VERIFYX at all. PI33454 was then
    applied to resolve the PE against PI21866 which also reinstated
    the VERIFYX call. However, this new process makes use
    of DFHXSSB to make these calls and DFHXSSB has never passed
    INSTLN data. Because INSTLN is not being passed, the ICHRIX01
    exit program fails to set bit RIXPSCKN to tell RACF to ignore
    the password. Thus, RACF does fail the password and passes back
    bad return codes to CICS.  CICS reacts by issuing the DFHXS1201
    message to report INVALID PASSWORD.
      DFHXSSB needs to pass INSTLN data if ESMEXITS(INSTLN) is
    coded.
    
    Addtional Symptom(s) Search Keyword(s): KIXREVWJB
    inquire_password_data  inquire password data
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS Users.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: RACF exit ICHRIX01 no longer has access *
    *                      to both the user's password and the     *
    *                      CICS installation data as part of a     *
    *                      signon.                                 *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    APAR PI21866 separated out the password processing done as part
    of a signon request.  The password is processed using RACF
    service IRRSPW00 and RACROUTE REQUEST=VERIFYX.  IRRSPW00 does
    not invoke any RACF exits.  The VERIFYX invokes the ICHRIX01
    exit but does not pass the CICS installation data.  This means
    that the ICHRIX01 exit program cannot use the installation
    data to determine if password checking should be bypassed.
    
    This can cause valid signons with special password requirements
    to now fail.
    
    Installation data is still passed on the RACROUTE REQUEST=VERIFY
    that will create the ACEE and the ICHRIX01 exit will be invoked
    but the password is no longer available on that call.
    
    Additional Keywords:
    ESMEXITS  INSTLN
    

Problem conclusion

  • CICS has been changed to now pass installation data on the
    RACROUTE REQUEST=VERIFYX that is done to validate the password
    as part of signon processing.  Installation data is not passed
    when the call is part of a VERIFY PASSWORD command or
    equivalent internal function.
    
    The CICS Transaction Server for z/OS V5.1 and V5.2 Knowledge
    Center section "For RACF users - the RACF user exit parameter
    list" will be updated as follows;
    
    Add a Note 3:
    
    As a result of CICS APAR PI21866, CICS APAR PI39336 and RACF
    APAR OA43999 passwords will no longer be available to the
    ICHRIX01 user exit when the passwords are valid.  In normal
    usage the exit will only have access to the password if the
    password was invalid. This is because the verification and
    changing of passwords is now performed separately from the
    signon. This has changed the RACF calls made during the signon,
    as well as the data available to user exits invoked as part of
    those calls. The following calls are made:
    
     1. RACF service IRRSPW00 is called to verify the supplied
        password. This service does not drive any user exits. If
        the password verification fails, or the supplied password
        is a passticket, or the password is valid but there was a
        previous failure, then a RACROUTE REQUEST=VERIFYX call is
        made. The ICHRIX01 user exit is invoked and is passed
        installation data.
    
     2. After the password is verified, if a new password was
        supplied, the password is changed using RACROUTE
        REQUEST=VERIFYX.  This call invokes the ICHRIX01 user exit
        but does not pass any installation data.
    
     3. The signon uses RACROUTE REQUEST=VERIFY.  This call invokes
        the ICHRIX01 user exit and passes installation data.  The
        password and any new password are not available.
    

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PI39336

  • Reported component name

    CICS TS Z/OS V5

  • Reported component ID

    5655Y0400

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-04-17

  • Closed date

    2015-09-30

  • Last modified date

    2015-11-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI31633 UI31634 UI31635 UI31636

Modules/Macros

  • DFHESN   DFHISXS  DFHPITC  DFHSOSE  DFHSZREQ DFHUSAD  DFHWBSR
    DFHWBXN  DFHXSAD  DFHXSDM  DFHXSFL  DFHXSIS  DFHXSLU  DFHXSPW
    DFHXSPWT DFHXSRC  DFHXSSA  DFHXSSB  DFHXSSBT DFHXSTRI EYU0VBPC
    

Fix information

  • Fixed component name

    CICS TS Z/OS V5

  • Fixed component ID

    5655Y0400

Applicable component levels

  • R80M PSY UI31634

       UP15/10/08 P F510

  • R800 PSY UI31633

       UP15/10/08 P F510

  • R90M PSY UI31635

       UP15/10/08 P F510

  • R900 PSY UI31636

       UP15/10/08 P F510

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: CICS Transaction Server

Software version: 5.1

Reference #: PI39336

Modified date: 03 November 2015


Translate this page: