A fix is available
APAR status
Closed as program error.
Error description
With the KDFAES enhancement, once a user has been PWCONVERTed, a FRACINIT (Fast VERIFY / logon) can have two issues:
1) failure to validate the length of the parmlist before using the PasswordPhrasePtr will result in an Abend0C4 RSN11. The dump title is:
ICHRST00-RACF SVCS,ABEND CODE=0C4-011, SVC=IRRFRN00,USER=IMSSTC,GROUP=STCPROC ,EXIT=IRRFRN00
2) failure to trim trailing blanks from the Userid will generate msgICH408I / msgIRR013I for INVALID PASSWORD.
ANALYSIS:
1) New routine GET_PWPHRASE builds a new ICHETEST block using INITPHRL & INITPHRS without first checking the INITLEN is at least PARMLEN9.
2) IRRFRN00 may now need to validate the password through an ICHEINTY instead of by comparison to the VLF cache data, and so needs to treat the userid the same way as ICHRIN00, by removing any trailing blanks.
KNOWN IMPACT: At present, IMS Connect logins will fail when using exit ZRJXICON. The customer has to back out of KDFAES.
VERIFICATION STEPS: Abend is at:
IRRFRN00+41B6 at UA90721, UA90720, UA90719
+4250 at UA90988,
+41DC at UA90989
ADDITIONAL SYMPTOMS: ICH408 msgICH408 msgIRR013 IRR013I IRR013
Local fix
BYPASS/CIRCUMVENTION: Do not activate SETROPTS PASSWORD( ALGORITHM(KDFAES) ) or change the caller of VERIFY to use the correct length.
RECOVERY ACTION: Deactivate KDFAES via: SETROPTS PASSWORD( NOALGORITHM ) and then force failing users to change their password.
Problem summary
USERS AFFECTED: Users of IMS Connect (or other similarly coded applications) with RACF passwords or phrases encrypted by the KDFAES algorithm
PROBLEM DESCRIPTION:
RECOMMENDATION:
Incorrect parameter list checking in RACROUTE REQUEST=VERIFY when SYSTEM=YES is specified assumes a password phrase can be specified even when the value specified on the RELEASE= keyword is too old (lower than "7730") to support phrases. This results in a reference to unallocated or uninitialized storage.
In addition, specification of a USERID= value whose length field includes trailing blanks beyond the actual user ID value can cause the password or phrase check to fail when SYSTEM=YES is specified and the password or phrase is encrypted by KDFAES.
Problem conclusion
Checking is added to only reference the PHRASE= data if RELEASE= is specified with "7730" or higher. Code is also added to tolerate trailing blanks in the user ID specification. Although this is an incorrect parameter list, such a specification worked prior to the introduction of KDFAES.
The following fix category keyword identifies this APAR as pertaining to KDFAES password encryption: RACFPWENCR/K
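The two checks described above, sketched in C as an added example; this is not IBM's code, and the structure layout, field names and function name are hypothetical stand-ins for a caller-supplied list whose length field says how much storage the caller really allocated.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical layout, NOT the RACF parameter list. Callers built for an
   older release allocate only up to `password`; `len` says how much. */
struct parmlist {
    unsigned short len;         /* bytes the caller actually allocated */
    unsigned char  userid_len;  /* may wrongly count trailing blanks   */
    char           userid[8];
    const char    *password;
    const char    *phrase;      /* exists only in newer, longer lists  */
};
#define LEN_BASE   (offsetof(struct parmlist, password) + sizeof(char *))
#define LEN_PHRASE (offsetof(struct parmlist, phrase) + sizeof(char *))

struct check_req {              /* normalized request for the checker  */
    char        userid[9];      /* blank-trimmed, NUL-terminated       */
    const char *secret;
    int         is_phrase;
};

/* Returns 0 on success, -1 if the list is too short to be usable. */
int build_check(const struct parmlist *p, struct check_req *out)
{
    size_t n;

    if (p->len < LEN_BASE)
        return -1;
    n = p->userid_len;
    if (n > sizeof p->userid)
        n = sizeof p->userid;
    while (n > 0 && p->userid[n - 1] == ' ')   /* drop trailing blanks */
        n--;
    memcpy(out->userid, p->userid, n);
    out->userid[n] = '\0';

    /* Read `phrase` only when the caller's list is long enough to hold it. */
    if (p->len >= LEN_PHRASE && p->phrase != NULL) {
        out->secret = p->phrase;
        out->is_phrase = 1;
    } else {
        out->secret = p->password;
        out->is_phrase = 0;
    }
    return 0;
}
```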
Temporary fix
HIPER
REQUEST RELIEF FROM LEVEL 2
Comments
APAR Information
APAR number
OA50846
Reported component name
RACF
Reported component ID
5752XXH00
Reported release
790
Status
CLOSED PER
PE
NoPE
HIPER
YesHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-07-08
Closed date
2016-09-13
Last modified date
2016-10-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UA82738 UA82739 UA82740
Modules/Macros
IRRFRN00
Fix information
Fixed component name
RACF
Fixed component ID
5752XXH00
Applicable component levels
R7A0 PSY UA82738
UP16/09/28 P F609
R780 PSY UA82739
UP16/09/28 P F609
R790 PSY UA82740
UP16/09/28 P F609
Document Information
Modified date:
04 October 2016