IBM Support

OA52117: RACF KDFAES PERFORMANCE, USING CPACF INSTEAD OF CACHED DATA FOR ADDITIONAL APPL / POE COMBINATION

A fix is available

APAR status

  • Closed as program error.

Error description

  • When KDFAES is activated, RACF will cache password data as each
    userid logs in.  If the userid uses a different APPL or POE, etc.,
    RACF fails to take advantage of that cached info.  Rather, it
    re-drives the full algorithm via the CPACF.  This is very CPU
    intensive.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of a z/OS system on which the KDFAES   *
    *                 password algorithm is enabled, and on        *
    *                 which users authenticate multiple times      *
    *                 from different terminals or applications.    *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    RACF uses the IRRACEE class in VLF to cache security
    environments (ACEEs) for users in order to avoid overhead
    (i.e., RACF database I/O) on subsequent authentications for
    that user.  A cached ACEE must exactly match the environment
    in which the user is being authenticated.  For example, if a
    user logs on using a different terminal name, or logs on using
    a different application (for example, CICS vs. TSO), then
    RACF considers this a cache miss, and performs RACF database
    I/O in order to create a new ACEE, which it then adds to the
    user's VLF object.  Password validation is performed as part
    of the I/O request, and so this drives an additional password
    encryption operation for every new ACEE created.  This can
    result in excessive CPU (CPACF) overhead when there are a large
    number of users with KDFAES-format passwords who frequently
    authenticate in different environments.
    

Problem conclusion

  • RACF's use of its VLF cache is optimized to avoid these
    additional password encryptions whenever possible while still
    creating and caching ACEE instances in the same fashion it
    currently does.  Note that the optimization does not extend to
    the use of password phrases.
    
    ---------------------------------------------------------------
    
    The following fix category keyword identifies this APAR as
    pertaining to KDFAES password encryption:
    
    RACFPWENCR/K
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA52117

  • Reported component name

    RACF

  • Reported component ID

    5752XXH00

  • Reported release

    790

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-02-10

  • Closed date

    2017-03-02

  • Last modified date

    2017-07-31

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA91216 UA91217

Modules/Macros

  • ICHRIN00
    

Fix information

  • Fixed component name

    RACF

  • Fixed component ID

    5752XXH00

Applicable component levels

  • R7A0 PSY UA91216

       UP17/03/15 P F703

  • R790 PSY UA91217

       UP17/03/15 P F703

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
31 July 2017