A fix is available
APAR status
Closed as program error.
Error description
When a web service request arrives at the TOR, it runs under a common transaction with little RACF protection, using the CICS default userid. A terminal handler in the pipeline extracts the userid from the SOAP header and replaces the userid and tranid in the containers DFHWS-USERID and DFHWS-TRANID. After substitution of the userid and tranid, the web service application runs under the RACF protection of the substituted userid, which provides the audit trail. If the web service is allowed to execute locally in the TOR, it executes under the replaced userid as expected. If, however, the transaction stored in DFHWS-TRANID is routed to a backend AOR, the backend transaction runs under the substituted tranid but under the CICS default userid rather than the userid substituted in DFHWS-USERID. A security violation therefore results because the default userid does not have authority to the transaction.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All CICS Users.                              *
****************************************************************
* PROBLEM DESCRIPTION: A remote web service transaction        *
*                      does not run under the supplied         *
*                      DFHWS-USERID, irrespective of the       *
*                      ATTACHSEC setting in the connection.    *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
CICS is being used as a web service provider. A handler program in the pipeline changes the userid by putting a value into the DFHWS-USERID container. The handler program also changes the transaction id that the web service will run under by putting a value into the DFHWS-TRANID container. The web service transaction is defined to run remotely across a connection defined as ATTACHSEC=IDENTIFY.

When DFHZIS2 builds the FMH5 to pass to the remote system, the userid field is not updated from the Request Stream used to transport the web service request. This results in the userid of the current pipeline task being used, and in potential security violations on the target system.

An additional problem fixed by this APAR is that DFHRZXM makes an unnecessary ADD_USER_WITHOUT_PASSWORD call during non-terminal signon processing to add the associated userid to the US domain. There is no corresponding DELETE_USER call at task termination, so the ACEE for the associated userid is never released, because the use count for that userid in the US domain never reaches zero.

Additional keywords: USRDELAY DFHXS1111 msgDFHXS1111 MSGICH408I ICH408I ACF2 RACF
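The identity switch described in the error description and the problem summary above, as an added example that is not part of this APAR and is not IBM-supplied code: a provider-pipeline header processing program that takes the userid asserted in the SOAP header, rewrites DFHWS-USERID so the application runs under that userid, and rewrites DFHWS-TRANID so it runs under a RACF-protected transaction instead of the pipeline's common one. The header element name <wsse:Username>, the target tranid WSAP, the abend code WSID and the program name WSIDHDLR are assumptions for illustration; the program trusts the asserted userid only on the assumption that an earlier security handler in the pipeline has already validated the token that carried it.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. WSIDHDLR.
      * Added example, not from the APAR or from CICS: a provider
      * pipeline header handler that moves a userid asserted in the
      * SOAP header into DFHWS-USERID and switches the target tranid
      * via DFHWS-TRANID. <wsse:Username>, tranid WSAP and abend code
      * WSID are assumptions. The header is trusted only because an
      * earlier security handler is assumed to have validated it.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-CHANNEL          PIC X(16).
       01  WS-FUNCTION         PIC X(16).
       01  WS-FUNCTION-LEN     PIC S9(8) COMP.
       01  WS-HEADER           PIC X(4096).
       01  WS-HEADER-LEN       PIC S9(8) COMP.
       01  WS-OPEN-TAG         PIC X(15) VALUE '<wsse:Username>'.
       01  WS-TAG-POS          PIC S9(8) COMP.
       01  WS-VALUE-POS        PIC S9(8) COMP.
       01  WS-VALUE-LEN        PIC S9(8) COMP.
       01  WS-USERID           PIC X(8).
       01  WS-USERID-LEN       PIC S9(8) COMP VALUE 8.
       01  WS-TRANID           PIC X(4)  VALUE 'WSAP'.
       01  WS-TRANID-LEN       PIC S9(8) COMP VALUE 4.
       01  WS-RESP             PIC S9(8) COMP.
       01  WS-RESP2            PIC S9(8) COMP.
       PROCEDURE DIVISION.
       MAIN-PARA.
      *    The pipeline's channel is current when the handler runs
           EXEC CICS ASSIGN CHANNEL(WS-CHANNEL) END-EXEC
      *    Act only on the inbound request, not the outbound response
           MOVE LENGTH OF WS-FUNCTION TO WS-FUNCTION-LEN
           EXEC CICS GET CONTAINER('DFHFUNCTION')
                CHANNEL(WS-CHANNEL)
                INTO(WS-FUNCTION) FLENGTH(WS-FUNCTION-LEN)
                RESP(WS-RESP) RESP2(WS-RESP2)
           END-EXEC
           IF WS-RESP NOT = DFHRESP(NORMAL)
              OR WS-FUNCTION NOT = 'RECEIVE-REQUEST'
              EXEC CICS RETURN END-EXEC
           END-IF
      *    DFHHEADER carries the SOAP header this handler is bound to
           MOVE LENGTH OF WS-HEADER TO WS-HEADER-LEN
           EXEC CICS GET CONTAINER('DFHHEADER')
                CHANNEL(WS-CHANNEL)
                INTO(WS-HEADER) FLENGTH(WS-HEADER-LEN)
                RESP(WS-RESP) RESP2(WS-RESP2)
           END-EXEC
           IF WS-RESP NOT = DFHRESP(NORMAL)
      *       No usable header: leave both containers alone, so the
      *       request stays under the pipeline task's own userid
              EXEC CICS RETURN END-EXEC
           END-IF
           PERFORM EXTRACT-USERID
           IF WS-USERID = SPACES
              EXEC CICS RETURN END-EXEC
           END-IF
      *    Rewrite the identity, then the target transaction. A failed
      *    PUT is fatal: continuing would run the protected tranid
      *    under the default userid, which is exactly the exposure.
           EXEC CICS PUT CONTAINER('DFHWS-USERID')
                CHANNEL(WS-CHANNEL)
                FROM(WS-USERID) FLENGTH(WS-USERID-LEN)
                RESP(WS-RESP) RESP2(WS-RESP2)
           END-EXEC
           IF WS-RESP NOT = DFHRESP(NORMAL)
              EXEC CICS ABEND ABCODE('WSID') END-EXEC
           END-IF
           EXEC CICS PUT CONTAINER('DFHWS-TRANID')
                CHANNEL(WS-CHANNEL)
                FROM(WS-TRANID) FLENGTH(WS-TRANID-LEN)
                RESP(WS-RESP) RESP2(WS-RESP2)
           END-EXEC
           IF WS-RESP NOT = DFHRESP(NORMAL)
              EXEC CICS ABEND ABCODE('WSID') END-EXEC
           END-IF
           EXEC CICS RETURN END-EXEC.
       EXTRACT-USERID.
      *    Copy the element text up to the next '<', folded to upper
      *    case (RACF userids are upper case). A value longer than 8
      *    is rejected, not silently truncated to a different userid.
           MOVE SPACES TO WS-USERID
           MOVE 0 TO WS-TAG-POS
           INSPECT WS-HEADER(1:WS-HEADER-LEN)
                   TALLYING WS-TAG-POS FOR CHARACTERS
                   BEFORE INITIAL WS-OPEN-TAG
           COMPUTE WS-VALUE-POS = WS-TAG-POS + LENGTH OF WS-OPEN-TAG
                                + 1
           IF WS-VALUE-POS <= WS-HEADER-LEN
              MOVE 0 TO WS-VALUE-LEN
              UNSTRING WS-HEADER(WS-VALUE-POS:WS-HEADER-LEN
                                 - WS-VALUE-POS + 1)
                       DELIMITED BY '<'
                       INTO WS-USERID COUNT IN WS-VALUE-LEN
              END-UNSTRING
              IF WS-VALUE-LEN < 1 OR WS-VALUE-LEN > 8
                 MOVE SPACES TO WS-USERID
              ELSE
                 MOVE FUNCTION UPPER-CASE(WS-USERID) TO WS-USERID
              END-IF
           END-IF.
```

The program is registered as a header processing program in the pipeline configuration file for the header's namespace and local name, and it must run before the terminal handler that attaches the application. To reproduce the condition this APAR fixes, define the target transaction (WSAP here) with REMOTESYSTEM pointing at the AOR over a connection with ATTACHSEC(IDENTIFY): without UK28193 the AOR attaches the transaction under the pipeline task's userid and RACF reports ICH408I / DFHXS1111 against that userid; with the PTF applied the FMH5 carries the userid from DFHWS-USERID and the AOR's audit trail shows the asserted user. The switch itself is subject to the surrogate check CICS applies to a changed DFHWS-USERID, so if the local case is rejected, check the pipeline task's userid in the SURROGAT class before suspecting the handler.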
Problem conclusion
DFHZIS2 has been modified for Request Streams to extract the userid field and copy this into the FMH5 userid field. The unnecessary ADD_USER_WITHOUT_PASSWORD call has also been removed.
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PK48572
Reported component name
CICSTS V3 Z/OS
Reported component ID
5655M1500
Reported release
500
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2007-07-09
Closed date
2007-08-15
Last modified date
2007-09-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK28193
Modules/Macros
DESMRXM DESRZCON DESRZRS DESRZST DESRZTC DESRZTR DFHMRXM DFHRZCON DFHRZRMC DFHRZRMD DFHRZRSC DFHRZRSD DFHRZRS1 DFHRZSO DFHRZSOA DFHRZSOJ DFHRZSOM DFHRZSOT DFHRZSOV DFHRZSO1 DFHRZTA DFHRZTAA DFHRZTAM DFHRZTAT DFHRZTCC DFHRZTCX DFHRZTRC DFHRZTRD DFHRZTR1 DFHZIS2
Fix information
Fixed component name
CICSTS V3 Z/OS
Fixed component ID
5655M1500
Applicable component levels
R500 PSY UK28193
UP07/08/18 P F708
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.