A fix is available
APAR status
Closed as program error.
Error description
The customer is running CICS 5.6 with Liberty. An HTTP request is made to the server for an application that uses client certificates. The task created under CICS is initially assigned the userid set in the URIMAP. Once the client certificate has been matched to a userid, Liberty requests a SWITCH_PTHREAD_CONTEXT. During the switch, the userid fails RACF authorisation because it is not authorised to CICS, and an ICH408I message is issued. The task then abends with DFHUS0002 code x'311', which means Use-count-error.
Local fix
Problem summary
USERS AFFECTED: All CICS Users

PROBLEM DESCRIPTION: DFHUS0002 A severe error (code X'0311') has occurred in module DFHUSAD because the usud_add_use_count has become negative.

The problem stems from the unauthorised Liberty request when using client certificate authentication. The associated CICS task starts off using the userid defined in the URIMAP. This user gets the usud_add_use_count and usud_tran_use_count fields incremented as a result.

When Liberty has determined the real userid to use, from the client certificate, CICS gets called back to change the userid for the task (SWITCH_PTHREAD_CONTEXT). A DELETE_USER is performed for the current userid (set from the URIMAP). Then an ADD_USER is performed for the new userid. This ADD_USER fails with the reported ICH408I message. CICS then leaves the userid associated with the task alone, but the DELETE_USER process has decremented usud_add_use_count.

At the end of the task the user is removed from the transaction and signed off. This decrements usud_add_use_count again. In the failing case the attempt to decrement usud_add_use_count fails because it is already 0. This triggers the DFHUS0002 message and dump. The usud_tran_use_count is not decremented so no longer represents the correct number of active transactions for the userid.
Problem conclusion
The CICS code has been updated to only perform the DELETE_USER if the ADD_USER succeeds and correctly decrement the transaction count for the userid.
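The ordering problem and its correction can be seen in a small simulation. This is an added illustration, not CICS code: the class, the function names, the userids WEBUSER and CERTUSR, and the way the fixed path releases the old userid after a successful switch are all assumptions; only the two counter names and the DELETE_USER/ADD_USER order come from the description above.

```python
class UseCountError(Exception):
    """Stands in for DFHUS0002 code X'0311': a use count would go negative."""

class UserDomain:
    def __init__(self, authorised):
        self.authorised = set(authorised)
        self.add_use = {}    # models usud_add_use_count
        self.tran_use = {}   # models usud_tran_use_count

    def add_user(self, userid):
        if userid not in self.authorised:
            return False     # models the failed RACF check (ICH408I)
        self.add_use[userid] = self.add_use.get(userid, 0) + 1
        self.tran_use[userid] = self.tran_use.get(userid, 0) + 1
        return True

    def delete_user(self, userid):
        if self.add_use.get(userid, 0) == 0:
            raise UseCountError(userid)
        self.add_use[userid] -= 1

    def release(self, userid):
        self.delete_user(userid)       # raises before tran_use is touched
        self.tran_use[userid] -= 1

def switch_context(dom, current, new, fixed):
    """Model of SWITCH_PTHREAD_CONTEXT; returns the userid the task keeps."""
    if not fixed:
        dom.delete_user(current)       # old order: DELETE_USER first
        return new if dom.add_user(new) else current
    if not dom.add_user(new):          # new order: ADD_USER first
        return current                 # failure leaves the counts untouched
    dom.release(current)               # assumed handling of the old userid
    return new

def run_task(fixed, cert_authorised=False):
    urimap_user, cert_user = "WEBUSER", "CERTUSR"   # constructed userids
    dom = UserDomain({urimap_user, cert_user} if cert_authorised else {urimap_user})
    dom.add_user(urimap_user)          # task starts under the URIMAP userid
    user = switch_context(dom, urimap_user, cert_user, fixed)
    try:
        dom.release(user)              # end of task
        error = None
    except UseCountError:
        error = "use-count-error"
    return user, dom.add_use[urimap_user], dom.tran_use[urimap_user], error

if __name__ == "__main__":
    print(run_task(fixed=False), run_task(fixed=True))
```

Each result is (userid at end of task, add use count, transaction use count, error) for the URIMAP userid. With the old order the transaction count is left at 1 after the task has ended, which is the stale count the description refers to.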
Temporary fix
Comments
APAR Information
APAR number
PH42067
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
300
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-11-15
Closed date
2022-03-18
Last modified date
2022-04-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI79797
Modules/Macros
DFHSJJS DFHUSXM
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R300 PSY UI79797
UP22/03/19 P F203
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
02 April 2022