PM96332: ENF NOTIFICATION AND TRANSACTION AUTHORITY 13/12/30 PTF PECHANGE

A fix is available

APAR status

  • Closed as program error.

Error description

  • Authority to run a transaction is removed from the user.
    
    The flow is as follows:
    Enter transaction TRANA. The transaction is routed over to the AOR
    and executed successfully.
    Enter a security command to remove the profile (revoke transaction
    permission) from the user. An ENF 71 signal is sent by the security
    manager at this time.
    Enter transaction TRANA. The transaction is routed over to the AOR
    and immediately fails because the user no longer has security for
    the transaction.
    
    After application of the fixes for PM79281 and PM88282, the
    flow is as follows:
    Enter transaction TRANA. The transaction is routed over to AOR
    and executed successfully.
    Enter RACF command to remove the profile (revoke transaction
    permission) from the user. ENF 71 signal is sent by security
    manager at this time.
    Enter transaction TRANA. The transaction is routed over to AOR
    and STILL executed successfully.
    
    The ENF notification is received in the AOR and the USUDB is
    correctly flagged. However, after PM79281, only non-terminal
    signons removed the notified user from the user domain
    directories. When transaction routing is used, the signon in
    the AOR is a terminal signon. The first transaction that runs
    after the user is revoked therefore finds the user in the user
    domain directory and uses it, so it is allowed to run.
    At the end of the transaction a deferred signoff is done. This
    would put the user onto the timeout queue, but the notification
    bit is on in the USUDB so the user gets deleted instead. When
    the second transaction runs, the user is not found in the
    directory, so a full signon is done, at which point we find that
    the user is revoked.
    Additional Symptom(s) Search Keyword(s): KIXREVEPH
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS Users with UK94164 applied.         *
    ****************************************************************
    * PROBLEM DESCRIPTION: CICS ignores RACF ENF notification      *
    *                      in the AOR when a transaction           *
    *                      is being routed.                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    A terminal user is signed on in a TOR (terminal owning region).
    They run a transaction that gets routed to the AOR (application
    owning region). As transaction routing is being used a
    surrogate terminal is created and a terminal signon is done
    for the user. At the end of that transaction a deferred signoff
    is done in the AOR and the user gets placed on the user
    timeout queue.
    The userid is then revoked in the ESM. This causes an
    ENF71 notification to be sent to the TOR and the AOR.
    CICS processes the notification and turns the
    usud_notify_received flag on in the USUDB for this userid in
    the TOR and the AOR.
    The user then runs another transaction. This gets routed to
    the AOR causing DFHSNUS to call DFHUSAD for
    ADD_USER_WITHOUT_PASSWORD specifying a signon type of
    ATTACH_SIGN_ON.
    The routine in DFHUSAD only processes the ENF notification
    for non_terminal users and so this user is not processed
    because this is a terminal signon.  The user is found
    on the timeout queue so gets removed from that queue
    and the transaction is allowed to run.
    At the end of the transaction a deferred signoff is done.
    This would normally put the user on the timeout queue but
    as the usud_notify_received flag is on the user is deleted
    instead.
    The terminal user runs a third transaction which is routed
    to the AOR.  A terminal signon is done and the user is not
    found so a full signon gets performed.  This finds that the
    user is revoked and the transaction is not allowed to run.
    DFHUSAD should include surrogate terminals when deciding
    whether to delete a userid following a RACF ENF notification.
    
    Additional keywords: msgDFHSN0002 DFHSN0002 SECVFYFREQ
                         USRDELAY DFHSNAS CODE X'2056' 2056
    

Problem conclusion

  • UK94164
    DFHUSAD has been changed so that all userids will be considered
    for deletion when either a RACF ENF notification is received
    or the SECVFYFREQ time expires.
    If the userid is not on the USRDELAY timeout queue then
    only non_terminal_signon userids will be deleted.
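
The sequence in the problem summary and the changed decision in the problem conclusion can be replayed with a small model. This is an added example, not IBM's code: the class, method and field names are hypothetical, and ESM authority is reduced to membership of a set that is consulted only on a full signon.

```python
# Simplified model of the AOR user-directory behaviour described in this APAR.
# Every name below is hypothetical; none of this is CICS code.
TERMINAL, NON_TERMINAL = "terminal", "non_terminal"

class Aor:
    def __init__(self, esm_permitted, fixed):
        self.esm = esm_permitted   # userids the ESM currently permits
        self.fixed = fixed         # True models the behaviour after the fix
        self.directory = {}        # userid -> cached signon state

    def enf71(self, userid):
        # ESM change notification: flag the cached entry if one exists.
        if userid in self.directory:
            self.directory[userid]["notify_received"] = True

    def _discard_cached(self, entry, signon_type):
        if not entry["notify_received"]:
            return False
        if signon_type == NON_TERMINAL:
            return True            # handled before and after the fix
        # After the fix, a terminal (surrogate) signon is also discarded
        # when the entry sits on the timeout queue.
        return self.fixed and entry["on_timeout_queue"]

    def run_routed_transaction(self, userid, signon_type=TERMINAL):
        entry = self.directory.get(userid)
        if entry and self._discard_cached(entry, signon_type):
            del self.directory[userid]
            entry = None
        if entry is None:          # full signon: the ESM is consulted
            if userid not in self.esm:
                return False
            entry = {"notify_received": False, "on_timeout_queue": False}
            self.directory[userid] = entry
        entry["on_timeout_queue"] = False   # taken off the timeout queue
        # The transaction runs here; a deferred signoff follows.
        if entry["notify_received"]:
            del self.directory[userid]      # deleted instead of queued
        else:
            entry["on_timeout_queue"] = True
        return True

def replay(fixed):
    """Run TRANA, revoke and signal ENF 71, then run TRANA twice more."""
    esm = {"USER1"}                         # constructed sample userid
    aor = Aor(esm, fixed)
    results = [aor.run_routed_transaction("USER1")]
    esm.discard("USER1")
    aor.enf71("USER1")
    results += [aor.run_routed_transaction("USER1") for _ in range(2)]
    return results
```

`replay(False)` lets the first transaction after the revoke run and only denies the next one; `replay(True)` denies the first transaction after the revoke.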
    

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PM96332

  • Reported component name

    CICS TS Z/OS V5

  • Reported component ID

    5655Y0400

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    YesPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-09-03

  • Closed date

    2014-01-03

  • Last modified date

    2014-02-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PI08773 UI14134

Modules/Macros

  •    DFHAMCSD DFHAMPFI DFHAMPIL DFHAMRDI DFHAMST
    DFHAPEX  DFHAPLI1 DFHAPLJ1 DFHAPLX1 DFHAPRT  DFHAPRX  DFHBAAC
    DFHBAAC0 DFHBAAC1 DFHBAAC2 DFHBAAC3 DFHBAAC4 DFHBAAC5 DFHBAAC6
    DFHBAAR1 DFHBAAR2 DFHBAA10 DFHBAA11 DFHBAA12 DFHBABR  DFHBACM
    DFHBACR  DFHBADM  DFHBAPR  DFHBAPR0 DFHBASP  DFHBAUE  DFHBAXM
    DFHBRAT  DFHBRFM  DFHBRMP  DFHBRMR  DFHBRXM  DFHBSS   DFHBSTS
    DFHBSTZO DFHCQSY  DFHDLIDP DFHDPIN  DFHDPLU  DFHDPWD  DFHDPWE
    DFHDPWJ  DFHDPWL  DFHDPXM  DFHD2EX1 DFHD2TM  DFHECEAS DFHECEC
    DFHECSC  DFHEIAD  DFHEIIC  DFHEIQAS DFHEIQSA DFHEIQSQ DFHEIQST
    DFHEPEV  DFHESN   DFHFCQI  DFHFCRP  DFHICP   DFHICUS  DFHICXM
    DFHSJJS  DFHSJXM  DFHSNAS  DFHSNPU  DFHSNSU  DFHSNTU  DFHSNUS
    DFHSNXR  DFHSODM  DFHSOXM  DFHTCRP  DFHTDA   DFHTDTM  DFHUSAD
    DFHUSADT DFHUSDM  DFHUSDUF DFHUSES  DFHUSFL  DFHUSIS  DFHUSST
    DFHUSTI  DFHUSTRI DFHUSXM  DFHWBA   DFHWBBLI DFHWBBMS DFHWBDM
    DFHWBSR  DFHWBTL  DFHWBTTA DFHWBXM  DFHWBXN  DFHWSATR DFHW2AT
    DFHW2DM  DFHXFP   DFHXFQ   DFHXFX   DFHXMIQ  DFHXMRM  DFHXMRU
    DFHXMXD  DFHXMXM  DFHXSRC  DFHXTP   DFHZATA2 DFHZGAI  DFHZSGN
    DFHZTSP
    

Fix information

  • Fixed component name

    CICS TS Z/OS V5

  • Fixed component ID

    5655Y0400

Applicable component levels

  • R800 PSY UI14134

       UP14/01/20 P F401

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information


More support for:

z/OS family

Software version:

5.1

Reference #:

PM96332

Modified date:

2014-02-05
