A fix is available
APAR status
Closed as program error.
Error description
Alert 1111 not written to CEF (or SYSLOG) destination if jobname of application changes during the threshold period. This can occur when the logon attempts are to a session manager which contains multiple instances in a high availability configuration, where multiple jobames can process the password entered by the terminal user.
Local fix
1) 1) Create your_userid.SCKRSLIB based on the allocation for the zSecure supplied hlq.SCKRSLIB 2) Copy hlq.SCKRSLIB(C2PS1111) to your_userid.SCKRSLIB 3) Edit your_userid.SCKRSLIB(C2PS1111) and issue: c 'jobname(0)' 'jobname(max,0)' all 4) Save your_userid.SCKRSLIB(C2PS1111) 5) Now start the zSecure Admin UI using your_userid prefixed files (in this case only SCKRSLIB): TSO CKR UPREFIX(your_userid) 6) Select Alert 1111 and choose the Arcsight destination 7) Verify and reFresh the alert configuration
Problem summary
**************************************************************** * USERS AFFECTED: Users of zSecure Alert using predefined * * alert 1111 with a ArcSight CEF destination. * **************************************************************** * PROBLEM DESCRIPTION: Predefined alert 1111 (Invalid password * * attempts exceed limit) is not triggered * * when the threshold value is reached. * **************************************************************** * RECOMMENDATION: Apply the PTF provided. * **************************************************************** Predefined alert 1111 (Invalid password attempts exceed limit) is not triggered when the theshold value is reached for a userid but it is for multiple jobs where the the threshold value has not been reached per individual job.
Problem conclusion
zSecure Alert has been modified so that predefined alert 1111 (Invalid password attempts exceed limit) is triggered when the threshold value is reached for all jobs that use that userid put together.
Temporary fix
Comments
APAR Information
APAR number
OA59777
Reported component name
ZSEC BASE,ADMIN
Reported component ID
5655T0100
Reported release
230
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-06-17
Closed date
2020-06-22
Last modified date
2020-07-06
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UJ03300 UJ03301 UJ03303
Modules/Macros
C2PS1111
Fix information
Fixed component name
ZSEC BASE,ADMIN
Fixed component ID
5655T0100
Applicable component levels
R230 PSY UJ03300
UP20/06/23 P F006
R231 PSY UJ03301
UP20/06/23 P F006
R240 PSY UJ03303
UP20/06/23 P F006
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSPQTM","label":"IBM Security zSecure Admin"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"230","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Document Information
Modified date:
07 July 2020