IBM Support

PI46508: CICS TERMINAL NETNAME IS NOT PASSED TO RACF SMF80 AUDIT RECORD WHEN DFHSN1102 SIGNON FAILED, PW NOT RECOG 16/05/13 PTF PECHANGE

A fix is available

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • When customer runs with CICS TS 5.2 during the logon process,
    if the password is invalid , the info is collected
    by SMF 80.
    But the Terminal netname doesn't appear
    in the SMF 80 record as it used to appear when they
    run with CICS 4.2.
    Messages issued are :
    DFHSN1102 22/07/2015 12:05:28 ABCCICS Signon at netname nnnnnn
    user uuuuu has failed. Password not recognized.
    .
    DFHXS1201 22/07/2015 12:06:22 ABCCICS The password supplied in
    the verification request for userid uuuuuu
    was invalid. This occurred in transaction CESN when userid uuuu
    was signed on at netname nnnnnn.
    .
    These messages are the same but after APARs:
    PI21866
    "This change supports the Enhanced Password Algorithm
    implemented in the RACF APAR OA43999 which applies to z/OS 1.12,
    1.13 and 2.1.
    If these APARs are installed CICS will call a new
    callable service IRRSPW00 to for password authentication.
    This service will be used for basic authentication requests,
    VERIFY PASSWORD, VERIFY PHRASE and SIGNON requests.
    "
    ...the terminal netname no longer is passed by CICS
    to RACF for inclusion in SMF80.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS Users with PI21866 applied.         *
    ****************************************************************
    * PROBLEM DESCRIPTION: RACF SMF 80 record no longer contains   *
    *                      the terminal netname.                   *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Following CICS APAR PI21866 when a signon fails message
    DFHSN1102 is issued which indicates that the signon failed at
    netname for that userid. The problem is that when RACF is called
    doing a RACROUTE VERIFYX to verify the password, only the userid
    and password are included. Other information, such as netname,
    is not sent and so the RACF SMF 80 record which is recording
    that invalid password attempt, does not include the netname.
    This is the port of entry and is required for auditing reasons.
    

Problem conclusion

  • UI22616 UI24127 UI25262 UI30325
    UI22618 UI24130 UI25263 UI30326
    
    CICS modules DFHUSAD, DFHXSPW and DFHXSSB have been changed to
    ensure that a port of entry is included on the RACROUTE VERIFYX
    call, so that the CICS netname can be included in the SMF 80
    record for a password failure.
    

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PI46508

  • Reported component name

    CICS TS Z/OS V5

  • Reported component ID

    5655Y0400

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    YesPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-08-07

  • Closed date

    2015-12-09

  • Last modified date

    2016-05-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PI52900 010PC2Ÿ 010PC2Ÿ 010PC2Ÿ 010PC2Ÿ 010PC2Ÿ UI33709 010PC2Ÿ
    UI33710 010PC2Ÿ UI33707 UI33708 010PC2Ÿ 012AC3Ÿ PI62428

Modules/Macros

  • DFHESN   DFHISXS  DFHPITC  DFHSOSE  DFHSZREQ DFHUSAD  DFHWBSR
    DFHWBXN  DFHXSAD  DFHXSDM  DFHXSFL  DFHXSIS  DFHXSLU  DFHXSPW
    DFHXSPWT DFHXSRC  DFHXSSA  DFHXSSB  DFHXSSBT DFHXSTRI EYU0VBPC
    

Fix information

  • Fixed component name

    CICS TS Z/OS V5

  • Fixed component ID

    5655Y0400

Applicable component levels

  • R80M PSY UI33708

       UP15/12/18 P F512 {

  • R800 PSY UI33707

       UP15/12/18 P F512 {

  • R90M PSY UI33710

       UP15/12/18 P F512 {

  • R900 PSY UI33709

       UP15/12/18 P F512 {

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: CICS Transaction Server

Software version: 5.2

Reference #: PI46508

Modified date: 13 May 2016