A fix is available
APAR status
Closed as program error.
Error description
You've installed maintenance to RSU/1701. You start to receive RACF message: ICH408I USER( ) GROUP(NOTERM ) NAME( ) LOGON/JOB INITIATION - NOT AUTHORIZED TO TERMINAL CONSOLE1 DFHCE3541 APPLID Security interface error (00000030). Sign-on is terminated. You also see DFHSN1108 APPLID Signon at console CONSOLE1 by user USERID has failed. The trace shows: XS FE04 XSSB *EXC* FUNCTION(INQUIRE_PASSWORD_DATA) RESPONSE(EXCEPTION) REASON(UNKNOWN_ESM_RESPONSE) SAF_RESPONSE(8) SAF_REASON(0) ESM_RESPONSE(30) ESM_REASON(0) PASSWORD_FAILURES(0) The problem occurs after the installation of CICS APARs PI62428 and PI64443. PI62428 added POE onto the RACROUTE REQUEST=VERIFYX call made by DFHXSSB to verify the password. It did not add the SESSION parameter to specify the type of the entry port. The VERIFYX call was only ever used when the IRRSPW00 call failed. In this case the pasword is valid so IRRSPW00 would work and the VERIFYX call would never get issued. The subsequent VERIFY ENVIR=CREATE passes both POE and SESSION and so the signon would succeed. PI64443 changed DFHXSSB to use the updated version of the IRRSPW00 and to set the fast fail option. This causes the first IRRSPW00 call to fail immediately (because there isn't a cache entry) and for CICS to use the VERIFYX call to perform the valid signon. This VERIFYX call fails because it passes POE but does not pass SESSION and the supplied port of entry is a console and not the default of a TSO/terminal session. Additional Symptom(s) Search Keyword(s): KIXREVSWM
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All. * **************************************************************** * PROBLEM DESCRIPTION: CICS signon error accompanied with * * messages DFHCE3541 and ICH408I. * **************************************************************** A user attempts to signon to CICS at a console. This user only has access via certain consoles and has no access to CICS from a regular terminal. The console signon will fail if the user currently has a non-zero password failure count. . The failure occurs because the POE parameter to the RACROUTE REQUEST=VERIFYX call made by DFHXSSB is not accompanied by the SESSION parameter. This causes the external security manager manager to use the default SESSION value which is a standard TSO terminal session.
Problem conclusion
CICS security code has been amended to pass a SESSION parameter on the RACROUTE=VERIFYX call from within DFHXSSB.
Temporary fix
Comments
APAR Information
APAR number
PI87053
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-09-08
Closed date
2017-09-15
Last modified date
2017-10-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI50350
Modules/Macros
DFHXSSB
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R100 PSY UI50350
UP17/09/20 P F709
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.4","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.4","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
02 October 2017