A fix is available
APAR status
Closed as program error.
Error description
Performing some tests with CICSExplorer (CICSPlex) and a revoked UserID, some error messages and abends occurred in the CMAS.

I logged on to CICSExplorer and tested how the system behaves when my UserID is revoked on an LPAR within the CICSPlex:

In the CMAS log:

ICH409I 283-04C ABEND DURING RACINIT PROCESSING
EYUXS1026E Security Interface has intercepted abnormal termination
EYUXS1027I Security Interface recovery has started
EYUXS1028I Security Interface recovery complete

and

EYUXL0900I Starting Environment Recovery
EYUXL0905E ASRA IN CRCK, OFFSET ???????? PSW=07042000 982A18A0 LEVEL=UI47081
EYUXL0905E INTC=0004 ILC=6 TXCP=00000480 SCODE=S00C4 TRAN=XLST
EYUXL0905E Methods=CRCK,XLSD,XLSI,XLST,XLOP
EYUXL0905E BEAR=01878BC0, OFFSET=????????
DUMP TITLE=ICHRST00-RACF SVCS,ABEND CODE=0C4-011,SVC=IRRRFC27 AP0001 , WAS SUPPRESSED BY THE DUMP TABLE OPTION

Additional Comments:
Failure to properly restart the ESSS at the same time that this fix is rolled out to all CMAS/WUI/MAS regions on the LPAR may result in S378 abends and messages similar to

EYUXS1026E applid Security Interface has intercepted abnormal termination S378

The MVS SYSTRACE in the dump would show the failure similar to this:

Ident CD/D PSW----- Address- Unique-1 Unique-2 Unique-3 Unique-4 Unique-5 Unique-6
DSP 00000000_2D2EF250 00000000 00000001 D2D0FC68 07041000 80000000
PC ... 0 2D2EFDE8 00311 Storage Release
SSRV 133 00000000 04000003 00000568 2D6CA0E0 Storage Release 013700FF
*SVC D 00000000_0171E6CE 00000014 84000000 84378000 07041000 80000000
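The symptoms quoted above can be matched mechanically when reviewing CMAS job logs. The following is an added example, not IBM code: the function name, the finding labels, the five-line correlation window and the applid CMASAPPL in the sample are assumptions made for illustration.

```python
import re

# Constructed sample: the CMAS log lines quoted in this APAR, plus an S378
# line in which the applid "CMASAPPL" is a made-up placeholder.
SAMPLE_LOG = """\
ICH409I 283-04C ABEND DURING RACINIT PROCESSING
EYUXS1026E Security Interface has intercepted abnormal termination
EYUXS1027I Security Interface recovery has started
EYUXS1028I Security Interface recovery complete
EYUXL0900I Starting Environment Recovery
EYUXL0905E ASRA IN CRCK, OFFSET ???????? PSW=07042000 982A18A0 LEVEL=UI47081
EYUXL0905E INTC=0004 ILC=6 TXCP=00000480 SCODE=S00C4 TRAN=XLST
EYUXL0905E Methods=CRCK,XLSD,XLSI,XLST,XLOP
EYUXL0905E BEAR=01878BC0, OFFSET=????????
EYUXS1026E CMASAPPL Security Interface has intercepted abnormal termination S378
"""

ICH409I = re.compile(r"\bICH409I\s+(?P<code>[0-9A-F]{3}-[0-9A-F]{3})\s+ABEND DURING RACINIT")
XS1026E = re.compile(r"\bEYUXS1026E\b.*intercepted abnormal termination(?:\s+(?P<abend>S\w{3}))?")
XL0905E = re.compile(r"\bEYUXL0905E\s+(?P<abend>\w{4}) IN (?P<method>\w+),")
FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

def scan_cmas_log(text, window=5):
    """Return one finding per symptom of APAR PH07119 seen in a CMAS log."""
    lines, findings = text.splitlines(), []
    for i, line in enumerate(lines):
        racf, sec, env = ICH409I.search(line), XS1026E.search(line), XL0905E.search(line)
        if racf and racf["code"] == "283-04C":
            # Count the RACF abend only if the CPSM security interface
            # reports intercepting an abnormal termination right after it.
            if any(XS1026E.search(nxt) for nxt in lines[i + 1:i + 1 + window]):
                findings.append({"line": i + 1, "kind": "racinit-abend-283-04C"})
        elif sec and sec["abend"] == "S378":
            # The APAR ties S378 to the ESSS not being restarted with the fix.
            findings.append({"line": i + 1, "kind": "esss-not-restarted-S378"})
        elif env and (env["abend"], env["method"]) == ("ASRA", "CRCK"):
            fields = {}
            for cont in lines[i:i + window]:   # gather the continuation lines
                if "EYUXL0905E" not in cont:
                    break
                fields.update(FIELD.findall(cont))
            findings.append({"line": i + 1, "kind": "asra-in-crck",
                             "scode": fields.get("SCODE"), "tran": fields.get("TRAN"),
                             "level": fields.get("LEVEL")})
    return findings

if __name__ == "__main__":
    for finding in scan_cmas_log(SAMPLE_LOG):
        print(finding)
```

A racinit-abend or asra-in-crck finding points at a region still running without the fix; an esss-not-restarted-S378 finding points at an LPAR where the PTF was applied without terminating the ESSS.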
Local fix
Problem summary
****************************************************************
USERS AFFECTED: All users of CPSM V5.3, V5.4 and V5.5.
****************************************************************
PROBLEM DESCRIPTION: Attempting to RESET a revoked USERID results in an invalid ACEE being passed to the External Security Manager (ESM).
****************************************************************
RECOMMENDATION: After applying the PTF that resolves APAR PH07119, the CPSM ESSS (Environment Service System Services) subsystem address space EYUXvrm (where, for example, vrm=530 refers to CPSM V5R3M0 or vrm=540 for CPSM V5R4M0, etc.) must be terminated on every MVS image where a CMAS has executed since the last IPL.

This can be accomplished in either of two ways:

1 - Ensure that module EYU9Xvrm in the linklist concatenation is replaced by the updated version from SEYULINK.
  - IPL the MVS Image.

Or:

2 - Stop all CMASes, MASes (including WUI servers) and CPSM batch API programs on an MVS image.
  - Use EYU9XENF to check that no address spaces are connected to the ESSS subsystem.
  - Use the EYU9XEUT TERMINATE function to stop the ESSS.
  - Ensure that module EYU9Xvrm in the linklist concatenation is replaced by the updated version from SEYULINK.
  - Refresh LLA to ensure the updated versions of the linklist modules are picked up.

Restart any CMASes, MASes (including WUI servers) and CPSM batch API programs which execute on the MVS image, ensuring that the updated libraries are being picked up. When the first CMAS is started the EYUXvrm address space will be started automatically.

For details on the EYU9XEUT utility, refer to:

- CICS Transaction Server for z/OS
- Troubleshooting and support
- Troubleshooting CICSPlex SM
- Tools for problem determination
- Using the ESSS utility (EYU9XEUT)

For details on the EYU9XENF utility, refer to:

- CICS Transaction Server for z/OS
- Troubleshooting and support
- Troubleshooting CICSPlex SM
- Tools for problem determination
- Using the ESSS utility (EYU9XEUT)
- Using the ESSS Information Display Utility (EYU9XENF)

Note that each MVS image can be updated separately, and systems on an MVS image that are using the new code can communicate with systems on other MVS images that are not yet using the new code.
****************************************************************

When a user signs on to CPSM, the corresponding USERID is stored in an internal table entry that indicates whether the user has signed on, whether the USERID needs to be reset, the last time that the USERID was referenced, etc. When a USERID has been RESET, the table is updated to reflect this, and the USERID is signed off and back on again. However, if the USERID has been revoked by an ESM before the SIGNOFF has occurred, then the data pointed to by that USERID's entry in the internal table may be invalidated. This means that when the SIGNOFF code executes, it may be passed an invalidated ACEE, which could lead to an ABEND. This problem may also occur when all USERIDs are purged, either at the request of a USER or periodically by the CPSM communications long running task.

Furthermore, such an ABEND may propagate back to the CPSM PC routine SECCALL, whose logic is unable to correctly handle such an ABEND, leading to another ABEND.

Additional Keywords: abendASRA S0C4 abendS0C4 SECCALL ICH409I 283-04C S283-04C abendS283 S203 S0283 XSECSTAE XERT_FRR CRCK EYU0CRCK
Problem conclusion
Module EYU0CRSI has been modified to correct the management of signed-on USERIDs to ensure that once a USERID has been revoked, it cannot be used for processing which requires security until it has been successfully signed-on again during USERID reset processing. The CPSM PC routine SECCALL has been modified to ensure that addressability to its work area is reestablished should its recovery routine be driven.
Temporary fix
Comments
APAR Information
APAR number
PH07119
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
000
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-01-10
Closed date
2019-07-19
Last modified date
2019-12-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI64308 UI64309 UI64310
Modules/Macros
EYU0ABG2 EYU0CRCK EYU0CRDK EYU0CRIN EYU0CRLT EYU0CRSC EYU0CRSI EYU0CRSO EYU0CRSR EYU0XDE3 EYU0XLSD EYU9X530 EYU9X540 EYU9X550 EYU9XSEC EYU9XSTC EYUTXEPC
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R00M PSY UI64308
UP19/07/20 P F907
R10M PSY UI64309
UP19/07/20 P F907
R20M PSY UI64310
UP19/07/20 P F907
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
03 December 2019