IBM Support

PI64443: INCREASED CPU FOR PASSWORD VERIFICATIONS IN CICS AFTER RACF DATABASE CHANGED TO USE KDFAES ENCRYPTION.

A fix is available

APAR status

  • Closed as program error.

Error description

  • After changing the RACF database to use KDFAES encryption, the
    password verifications and signons performed by CICS use
    significantly more CPU than before.
    

Local fix

  • Change the application or configuration settings to avoid
    checking the password when the userid is a shared system or
    functional userid and requests come from a trusted source.

    Alternatively, change the RACF database back to using DES
    encryption. Any passwords created while KDFAES encryption was
    active will need to be changed again to return to the pre-KDFAES
    CPU usage.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All CICS Users.                                              *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * Decrease in performance when CICS uses a KDFAES RACF         *
    * database.                                                    *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * .                                                            *
    ****************************************************************
    With KDFAES support in RACF, passwords are encrypted with
    KDFAES on the database. However, a check against the KDFAES
    version is very expensive, so RACF creates a cached DES version
    of the password, which is used if available. CICS currently uses
    V1 of the R_Password interface, which uses the cached DES
    version and, if this fails, checks the KDFAES version of the
    password. However, the V1 interface does not create a cached
    entry. So if CICS is using V1 of the R_Password interface
    exclusively for password checking (such as web traffic), CICS
    will never create a cached entry and so requests will always use
    the KDFAES check.

    This is also the case if passtickets are always used.
    

Problem conclusion

  • CICS has been changed to use the V2 R_Password interface.
    Using this interface, CICS will do a check using the cache. If
    there is no cache, the request fails and a full RACROUTE VERIFY
    request is made. This request will create a cache entry.

    RACF APARs OA50748 and OA50749 are required to use V2 of the
    R_Password interface. If these are not installed, then the V1
    interface will be used.
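
The V1 and V2 flows described in the problem summary and conclusion, as a toy Python model added here for illustration (not IBM, RACF or CICS code). All class and function names are hypothetical, PBKDF2 and SHA-256 are only stand-ins for the KDFAES and cached DES forms, and the model counts how many expensive checks each flow runs over repeated signons.

```python
import hashlib
import hmac

class ToyRegistry:
    """Toy model of one user's password record; not RACF code."""

    def __init__(self, password: str):
        self.salt = b"constructed-salt"        # constructed sample value
        self.slow_hash = self._slow(password)  # stand-in for the KDFAES form
        self.cache = None                      # stand-in for the cached DES form
        self.slow_checks = 0                   # number of expensive checks run

    def _slow(self, pw: str) -> bytes:
        # PBKDF2 is only a stand-in for an expensive KDF check.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 5_000)

    def _fast(self, pw: str) -> bytes:
        # Cheap hash as a stand-in for the cached form.
        return hashlib.sha256(self.salt + pw.encode()).digest()

    def _slow_check(self, pw: str) -> bool:
        self.slow_checks += 1
        return hmac.compare_digest(self._slow(pw), self.slow_hash)

    def check_v1(self, pw: str) -> bool:
        """V1: try the cache, fall back to the slow check, never fill the cache."""
        if self.cache is not None and hmac.compare_digest(self._fast(pw), self.cache):
            return True
        return self._slow_check(pw)

    def full_verify(self, pw: str) -> bool:
        """Full verify: slow check; assumed to create the cache entry on success."""
        ok = self._slow_check(pw)
        if ok:
            self.cache = self._fast(pw)
        return ok

    def check_v2(self, pw: str) -> bool:
        """V2 as described for CICS: cache only, then a full verify if no cache."""
        if self.cache is None:
            return self.full_verify(pw)
        # Assumption: a cache mismatch is a failed check (the page is silent on this).
        return hmac.compare_digest(self._fast(pw), self.cache)

def slow_checks_after(signons: int, use_v2: bool) -> int:
    """Run `signons` correct-password checks and return the expensive-check count."""
    reg = ToyRegistry("constructed-pw")
    check = reg.check_v2 if use_v2 else reg.check_v1
    assert all(check("constructed-pw") for _ in range(signons))
    return reg.slow_checks
```

In this model a V1-only caller pays the expensive check on every signon, while the V2 flow pays it once and then answers from the cache.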
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI64443

  • Reported component name

    CICS TS Z/OS V5

  • Reported component ID

    5655Y0400

  • Reported release

    000

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    YesHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-06-17

  • Closed date

    2016-11-21

  • Last modified date

    2017-01-03

  • APAR is sysrouted FROM one or more of the following:

    PI64175

  • APAR is sysrouted TO one or more of the following:

    UI42764 UI42765

Modules/Macros

  • EYU0VBPC
    

Fix information

  • Fixed component name

    CICS TS Z/OS V5

  • Fixed component ID

    5655Y0400

Applicable component levels

  • R000 PSY UI42764

       UP16/12/02 P F612

  • R00M PSY UI42765

       UP16/12/02 P F612

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: CICS Transaction Server

Software version: 5.3

Reference #: PI64443

Modified date: 03 January 2017