IBM Support

PI78764: CJSA TRANSACTION SECURITY VIOLATION BY CICS DEFAULT USER 17/07/07 PTF PECHANGE

A fix is available

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as unreproducible in next release.

Error description

  • After upgrading CICS to the newest RSU level, including Liberty
    v16.0.0.3 RACF security violations in the CICS log appear.
    .
    DFHXS1111 date time applid CJSL Security violation
    by user TPCICSDE for resource TPMTST.CJSA in class TCICSTRN. SAF
    codes are (X'00000008',X'00000000'). ESM codes are
    (X'00000008',X'00000000'). RACF request made was FASTAUTH.
    .
    In liberty message.log the following message is written:
    SystemErr
    date time UTC [ERROR]
      THREAD-NAME: Default Executor-thread-18
      BUNDLE-SYMBOLICNAME:com.ibm.cics.server
      MESSAGE: @Exception CICSThreadExecutor.
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS Users with UI43268 applied.         *
    ****************************************************************
    * PROBLEM DESCRIPTION: Security violation against the region   *
    *                      default USERID to attach CJSA when      *
    *                      installing a Bundle into a Liberty      *
    *                      JVM server.                             *
    ****************************************************************
    * RECOMMENDATION: .                                            *
    ****************************************************************
    When a Bundle is installed into a Liberty JVM server an
    internal Liberty thread is created and CICS attempts to attach
    a CICS task.  A CJSA task is attempted to be attached using
    the default userid of the CICS region.  This causes a ICH408I
    RACF error to occur in the joblog.
    

Problem conclusion

Temporary fix

Comments

  • UI43268
    
    CICSExecutorService.java has been changed to mark
    com.ibm.ws.webserver.plugin.runtime.listeners.GeneratePluginConf
    igListener$1 as an internal Liberty thread.
    

APAR Information

  • APAR number

    PI78764

  • Reported component name

    CICS TS Z/OS V5

  • Reported component ID

    5655Y0400

  • Reported release

    900

  • Status

    CLOSED UR1

  • PE

    YesPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-03-27

  • Closed date

    2017-07-06

  • Last modified date

    2017-08-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI48575 UI48576

Modules/Macros

  • DFJ@H356
    

Fix information

  • Fixed component name

    CICS TS Z/OS V5

  • Fixed component ID

    5655Y0400

Applicable component levels

  • R80D PSY UI48575

       UP17/07/20 P F707 {

  • R90D PSY UI48576

       UP17/07/20 P F707 {

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: CICS Transaction Server

Software version: 5.2

Reference #: PI78764

Modified date: 02 August 2017


Translate this page: