PH39684: CICS WEB APPLICATIONS : DISABLE SECURITY FOR CROSS-ORIGIN RESOURCE SHARING PREFLIGHT REQUESTS

A fix is available

APAR status

Closed as program error.

Error description

Customer is running CICS TS 5.6 with Liberty. In this
environment they have some Web applications which have some
caller restrictions by Cross Origin Resource Sharing (CORS).
CORS relies on a mechanism by which browsers make a "preflight"
request to the server hosting the cross-origin resource, in
order to check that the server will permit the actual request.
The browsers use the OPTIONS method for that preflight request.
The OPTIONS request does not have any authorization credentials.
It is not possible to disable that preflight requests.
Enabling transaction security in CICS enforces a valid userid
for the web request. Because the OPTIONS request does not have
any credentials, CICS uses the default userid which fails.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED: All CICS Liberty users.                      *
****************************************************************
* PROBLEM DESCRIPTION: CORS preflight OPTIONS request fail     *
*                      authentication because no credentials   *
*                      are sent with the request.              *
****************************************************************
Cross-origin Resource Sharing (CORS) relies on a mechanism by
which clients make a "preflight" request to the server hosting
the cross-origin resource, in order to check that the server
will permit the actual request. The clients use the OPTIONS
method for that preflight request. The OPTIONS request does not
have any authorisation credentials. CICS will try and create a
CICS Transaction and because no userid is available, it switches
to the CICS Default userid and the request fails
authentication.

Problem conclusion

The CICS code has been modified to use late bindings if an
OPTIONS request was received.

Temporary fix

Comments

APAR Information

APAR number
PH39684
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
300
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-08-09
Closed date
2021-12-21
Last modified date
2022-01-04

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

UI78683

Modules/Macros

```
DFJ@H387
```

Fix information

Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400

Applicable component levels

R300 PSY UI78683
UP21/12/22 P F112

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Line of Business":{"code":"LOB35","label":"Mainframe SW"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.6"}]

Document Information

Modified date:
05 January 2022

Tips

PH39684: CICS WEB APPLICATIONS : DISABLE SECURITY FOR CROSS-ORIGIN RESOURCE SHARING PREFLIGHT REQUESTS

A fix is available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R300 PSY UI78683

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Share your feedback

Need support?