IBM Support

PI79362: CPSM SECURITY CHECKS ON INCORRECT RESOURCE NAME AFTER PTF APPLIED

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • You apply one of the following PTFs to your CPSM environment:
.
Release    PTF        APAR
4.1        UI40460    PI66813
4.2        UI40461    PI66813
5.1        UI40462    PI66814
5.2        UI40463    PI66814
5.3        UI40464    PI66792
.
Afterward, you find security checks being made for the wrong
resource names. For example, you retrieve definitions for
transactions. That should generate a check against resource
BAS.DEF.xxxxx but instead it generates one for BAS.TRAN.xxxxxx.
This may result in RACF violations against the new resource
names.
.
The BAS.TRAN.xxxxx or BAS.FILE.xxxxx type resource names, with
a resource type in the second node, is only supposed to be used
for installing the resources, not viewing them. The
BAS.DEF.xxxxxx resource name is what CPSM should be checking
when they are viewed.
.
Additional Symptom(s) Search Keyword(s): KIXREVSVR

Local fix

  • Temporarily permit RACF access.

Problem summary

  • ****************************************************************
* USERS AFFECTED: All CICSPlex SM V4R1M0 and V4R2M0 Users      *
****************************************************************
* PROBLEM DESCRIPTION: After applying PTF UI40460 (CPSM 4.1)   *
*                      or UI40461 (CPSM 4.2) for APAR PI66813, *
*                      you might not be able to retrieve the   *
*                      following resource definitions through  *
*                      WUI, CPSM Explorer or CPSM GET API, due *
*                      to security check failure:              *
*                                                              *
*                      ATOMDEF         MAPDEF                  *
*                      BUNDDEF         MQCONDEF                *
*                      CONNDEF         PARTDEF                 *
*                      DB2CDEF         PIPEDEF                 *
*                      DB2EDEF         PROCDEF                 *
*                      DB2TDEF         PROFDEF                 *
*                      DOCDEF          PROGDEF                 *
*                      EJCODEF         PRTNDEF                 *
*                      EJDJDEF         RQMDEF                  *
*                      ENQMDEF         SESDEF                  *
*                      FENODDEF        TCPDEF                  *
*                      FEPOODEF        TDQDEF                  *
*                      FEPRODEF        TERMDEF                 *
*                      FETRGDEF        TRANDEF                 *
*                      FILEDEF         TRNCLDEF                *
*                      IPCONDEF        TSMDEF                  *
*                      JRNMDEF         TYPTMDEF                *
*                      JVMSVDEF        URIMPDEF                *
*                      LIBDEF          WEBSVDEF                *
*                      LSRDEF                                  *
****************************************************************
* RECOMMENDATION: This fix is being provided across all        *
*                 supported releases of CPSM as follows:       *
*                                                              *
*                  -  CPSM V4R1M0  -  APAR PI79362             *
*                  -  CPSM V4R2M0  -  APAR PI79362             *
*                  -  CPSM V5R1M0  -  APAR PI79774             *
*                  -  CPSM V5R2M0  -  APAR PI79774             *
*                  -  CPSM V5R3M0  -  APAR PI79774             *
*                                                              *
*                 After applying the PTF that resolves this    *
*                 APAR, all CMASes must be recycled to pick    *
*                 up the new code.  Note that CMASes do not    *
*                 need to be brought down and restarted at     *
*                 the same time.                               *
****************************************************************
When you retrieve the BAS resource definitions through WUI, CPSM
API or CICS Explorer, method EYU0BAGQ ( BAGQ - BAS Frontend Data
Repository Get ) is driven to get requested definitions from the
data repository.

Prior to the execution of BAGQ, method EYU0CRCK ( CRCK - Access
Authority Checking ) is called to check if the user has
authority to execute the requested service. CRCK calls method
EYU0XLML to build main XLXS and alternative XLXS. Based on the
XLXSes, CRCK populates the profile name, and passes it along
with other information to RACF for security check.

Due to a previous change for APAR PI66813, CRCK might populate
an incorrect profile name, which causes the failure of RACF
security check.

Problem conclusion

  • Module EYU0CRCK has been updated to populate correct profile
name for BAGQ services.

Temporary fix

  •             *********
            * HIPER *
            *********
FIX AVAILABLE BY PTF ONLY

Comments

  • 



APAR Information




    

  • APAR number
    PI79362
    • 

  • Reported component name
    CICS TS Z/OS V4
    • 

  • Reported component ID
    5655S9700
    • 

  • Reported release
    60M
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    YesPE
    • 

  • HIPER
    YesHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2017-04-04
    • 

  • Closed date
    2017-05-08
    • 

  • Last modified date
    2017-06-02
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
PI79774 UI47048 UI47049
    

    • 



Modules/Macros


    

  • EYU0CRCK EYU0XDOX EYU9BAPU EYU9BAP3 EYU9BAP4 EYU9BAP6

    



Fix information


    

  • Fixed component name
    CICS TS Z/OS V4
    • 

  • Fixed component ID
    5655S9700
    • 



Applicable component levels


    

  • R60M  PSY  UI47048
       UP17/05/10  P  F705  ­
    • 

  • R70M  PSY  UI47049
       UP17/05/10  P  F705  ­
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.1","Edition":"","Line of Business":{"code":"","label":""}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            02 June 2017
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback