PH55371: ICH408I FOR QUERY SECURITY COMMAND AND USERIDERR

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• QUERY SECURITY command is getting the following errors:
  IRR012I VERIFICATION FAILED. USER PROFILE NOT FOUND.
                                                                 .
  ICH408I USER(NNNNNNN ) GROUP(    ) NAME(???         )
        LOGON/JOB INITIATION - USER AT TERMINAL NOT RACF-DEFINED
                                                                 .
  The problem flow:
  - EXEC CICS SIGNON command removes trailing blanks and nulls
    from the supplied userid.
  - The userid on the command eg NNNNNNN was followed by a single
    null (x'00').
  - CICS passed NNNNNNN to RACF with a length of 7.
  - EXEC CICS SIGNON worked as expected.
  - The QUERY SECURITY command is only removing trailing blanks.
  - CICS passes NNNNNNN followed by a null to RACF and indicates
    the length is 8 bytes.
  - RACF cannot find the 8-byte userid ending in a null and issues
    the ICH408i.
  - QUERY SECURITY command returns USERIDERR.
  

Local fix

• If the SIGNON application replaces nulls (x'00') with spaces
  this will prevent the problem.
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: All CICS users.                              *
  ****************************************************************
  * PROBLEM DESCRIPTION: Passing a user ID padded by null        *
  *                      characters within a QUERY SECURITY      *
  *                      command leads to a USERIDERR.           *
  ****************************************************************
  When entering a user ID in a QUERY SECURITY command, you should
  be able to end this with null characters as well as spaces, as
  these are both blank characters. Currently, CICS checks to
  remove spaces from the user ID length (which is later used for
  validation), but not null characters, leading to a USERIDERR. A
  user ID with null characters filling the empty space should be
  valid.
  

Problem conclusion

• CICS has been updated to remove null characters as well when
  finding the length of a given user ID from a QUERY SECURITY
  command.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UI92605

Modules/Macros

• DFHESE
  

Fix information

• Fixed component name

  CICS TS Z/OS V6

• Fixed component ID

  5655YA100

Applicable component levels

• R400 PSY UI92605

     UP23/07/07 P F307

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.