IBM Support

PI75325: CICS INSTALLATION DATA MISSING PHASE INFORMATION FOR CHANGE PASSORD AND PASSWORD VERIFICATION REQUESTS

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • PI39336 added the capability for installation data to be passed
    on change password and password verification requests. It seems
    the installation data passed is missing UXPPHASE values to
    identify the two new requests to ESM exit routines.
    
    Symptom(s) Search Keyword(s): KIXREVxxx
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS users with PI21865 applied.         *
    ****************************************************************
    * PROBLEM DESCRIPTION: Performing a SIGNON with PHRASE and     *
    *                      NEWPHRASE causes the PHRASE to be       *
    *                      validated twice.  The SIGNON can then   *
    *                      fail if the PHRASE contains a           *
    *                      single use token.                       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    A SIGNON is performed specifying PHRASE and NEWPHRASE.  The
    PHRASE contains the password and a single use token.  This is
    validated by calling the R_Password (IRRSPW00) service.
    Exit program IRRSXT00 extracts the token and successfully
    validates it.  A RACROUTE REQUEST=VERIFY call is then made to
    change the password.  The PHRASE and NEWPHRASE are passed on
    this call.  Exit program ICHRIX01 extracts the token.
    Validation of the token fails, because it has already been used
    on the IRRSPW00 call.  The exit program rejects the attempt to
    change the password and the signon fails.
    

Problem conclusion

  • UI44249 UI44250
    
    CICS has been updated to only issue a single RACROUTE
    REQUEST=VERIFY call to change the password as part of a signon.
    This means that any security exit program will only be passed
    the PHRASE (or PASSWORD) once.
    
    CICS has also been changed to always pass installation data
    (if EMSEXITS=INSTLN is coded in the SIT) on the RACROUTE
    REQUEST=VERIFY call used to change the password and on the
    RACROUTE REQUEST=VERIFYX call used in password verification
    (when there has been a password failure or a passticket is
    being used). New UXPPHASE values have been created to allow the
    ICHRIX01 exit to correctly determine why it is being invoked.
    This APAR contains the fixes for APARs PI39336 and PI79851.
    
    The new UXPPHASE values are:
    
    PASSWORD_CHANGE (x'90')
    PASSWORD_VERIFICATION (x'91')
    
    The following documentation change will be made to the CICS
    Transaction Server for z/OS 4.2 Customization Guide
    ( SC34-7161-00 ).  The following 2 fields added in chapter 33
    ( titled: Invoking an external security manager ), where it
    lists the possible values that can be addressed by UXPPHASE:
    
    PASSWORD_CHANGE        X'90'
         Change of password
    PASSWORD_VERIFICATION  X'91'
         password being verified
    

Temporary fix

  •             *********
                * HIPER *
                *********
    FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PI75325

  • Reported component name

    CICS TS Z/OS V4

  • Reported component ID

    5655S9700

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    YesHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-01-23

  • Closed date

    2017-06-23

  • Last modified date

    2017-08-02

  • APAR is sysrouted FROM one or more of the following:

    PI67905

  • APAR is sysrouted TO one or more of the following:

    UI48246

Modules/Macros

  • DFHSNTU  DFHUSAD  DFHXMTA  DFHXMXE  DFHXSAD  DFHXSCR  DFHXSCT
    DFHXSDM  DFHXSDUF DFHXSEJ  DFHXSEV  DFHXSFL  DFHXSIDT DFHXSIS
    DFHXSKR  DFHXSLU  DFHXSPW  DFHXSRC  DFHXSSA  DFHXSSB  DFHXSSBT
    DFHXSSC  DFHXSSD  DFHXSSE  DFHXSSF  DFHXSSH  DFHXSSI  DFHXSTRI
    DFHXSTS  DFHXSUXP DFHXSXM
    

Publications Referenced
SC34716100    

Fix information

  • Fixed component name

    CICS TS Z/OS V4

  • Fixed component ID

    5655S9700

Applicable component levels

  • R700 PSY UI48246

       UP17/07/08 P F707 ¢

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.2","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.2","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
02 August 2017