A fix is available
APAR status
Closed as program error.
Error description
After changing the RACF database to use KDFAES encryption, the password verifications and signons performed by CICS use significantly more CPU than before.
Local fix
Change the application or configuration settings to avoid checking the password when the userid is a shared system or functional userid and requests come from a trusted source. . Alternatively change the RACF database back to using DES encryption. Any passwords created while KDFAES encryption was active will need to be changed again to return to the pre-KDFAES CPU usage.
Problem summary
**************************************************************** * USERS AFFECTED: All CICS Users. * **************************************************************** * PROBLEM DESCRIPTION: Decrease in performance when CICS uses * * a KDFAES RACF database. * **************************************************************** * RECOMMENDATION: * **************************************************************** With KDFAES support in RACF, passwords are encrypted with KDFAES on the database. However a check on the KDFAES is very expensive, so RACF creates a cached DES version of the password which will be used if available. CICS currently uses the V1 of R_Password interface, which will use the cached DES version, and if this fails will check the KDFAES version of the password. However, it does not create a cached entry. So if CICS is using the V1 of R_Password interface exclusively for password checking (such as web traffic), CICS will never create a cached entry and so requests will always use the KDFAES check. This is also the case if passtickets are always used.
Problem conclusion
CICS has been changed to use the V2 R_Password interface. Using this interface, CICS will do a check using the cache, if there is no cache the request fails and a full RACROUTE VERIFY request is made. This request will create a cache entry. . RACF APARs OA50748 and OA50749 are required to use V2 of the R_Password interface. If these are not installed then the V1 interface will be used.
Temporary fix
********* * HIPER * ********* FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PI64175
Reported component name
CICS TS Z/OS V4
Reported component ID
5655S9700
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
YesHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-06-14
Closed date
2016-11-21
Last modified date
2016-12-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
DFHSNTU DFHXMTA DFHXMXE DFHXSAD DFHXSCR DFHXSCT DFHXSDM DFHXSDUF DFHXSEJ DFHXSEV DFHXSFL DFHXSIS DFHXSKR DFHXSLU DFHXSPW DFHXSRC DFHXSSA DFHXSSB DFHXSSBT DFHXSSC DFHXSSD DFHXSSE DFHXSSF DFHXSSH DFHXSSI DFHXSTRI DFHXSTS DFHXSXM
Fix information
Fixed component name
CICS TS Z/OS V4
Fixed component ID
5655S9700
Applicable component levels
R700 PSY UI42815
UP16/11/29 P F611 ¢
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.2","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.2","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
01 December 2016