A fix is available
APAR status
Closed as program error.
Error description
When customer runs with CICS TS 5.2 during the logon process, if the password is invalid , the info is collected by SMF 80. But the Terminal netname doesn't appear in the SMF 80 record as it used to appear when they run with CICS 4.2. Messages issued are : DFHSN1102 22/07/2015 12:05:28 ABCCICS Signon at netname nnnnnn user uuuuu has failed. Password not recognized. . DFHXS1201 22/07/2015 12:06:22 ABCCICS The password supplied in the verification request for userid uuuuuu was invalid. This occurred in transaction CESN when userid uuuu was signed on at netname nnnnnn. . These messages are the same but after APARs: PI21866 "This change supports the Enhanced Password Algorithm implemented in the RACF APAR OA43999 which applies to z/OS 1.12, 1.13 and 2.1. If these APARs are installed CICS will call a new callable service IRRSPW00 to for password authentication. This service will be used for basic authentication requests, VERIFY PASSWORD, VERIFY PHRASE and SIGNON requests. " ...the terminal netname no longer is passed by CICS to RACF for inclusion in SMF80.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All CICS Users with PI21865 applied. * **************************************************************** * PROBLEM DESCRIPTION: RACF SMF 80 record no longer contains * * the terminal netname. * **************************************************************** * RECOMMENDATION: * **************************************************************** Following CICS APAR PI21865 when a signon fails message DFHSN1102 is issued which indicates that the signon failed at netname for that userid. The problem is that when RACF is called doing a RACROUTE VERIFYX to verify the password, only the userid and password are included. Other information, such as netname, is not sent and so the RACF SMF 80 record which is recording that invalid password attempt, does not include the netname. This is the port of entry and is required for auditing reasons.
Problem conclusion
UI22614 UI25260 UI31713 CICS modules DFHUSAD, DFHXSPW and DFHXSSB have been changed to ensure that a port of entry is included on the RACROUTE VERIFYX call, so that the CICS netname can be included in the SMF 80 record for a password failure.
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PI52900
Reported component name
CICS TS Z/OS V4
Reported component ID
5655S9700
Reported release
700
Status
CLOSED PER
PE
YesPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-11-20
Closed date
2015-12-09
Last modified date
2016-01-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI33711 UI33712
Modules/Macros
DFHESN DFHIIRS DFHISXS DFHPITC DFHSOSE DFHSZREQ DFHUSAD DFHWBSR DFHWBXN DFHXSAD DFHXSDM DFHXSFL DFHXSIS DFHXSLU DFHXSPW DFHXSPWT DFHXSRC DFHXSSA DFHXSSB DFHXSSBT DFHXSTRI EYU0VBPC
Fix information
Fixed component name
CICS TS Z/OS V4
Fixed component ID
5655S9700
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.2","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.2","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
04 January 2016