IBM Support

PH63625: IMPROVED SUPPORT FOR TERMINAL BASED SIGNONS USING MFA

A fix is available


APAR status

  • Closed as new function.

Error description

  • An MFA (compound in-band) user signs on to CICS at a terminal.
    The supplied password or phrase is valid but expired. The
    signon program prompts for a new password to be entered. The
    signon is attempted again, supplying the new password in addition
    to the original credentials. The signon fails because the
    original credentials contained a single-use MFA token, which has
    already been validated.
    
    The CICS terminal signon process needs to be enhanced so that
    this expired-password scenario works without requiring
    a new MFA token to be supplied.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS users.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: Terminal signon for MFA users with      *
    *                      an expired password fails.              *
    ****************************************************************
    Users are signing on to CICS using a terminal. The users are
    required to use MFA and have been set up with compound in-band
    MFA, which requires a token to be entered along with their
    existing password or phrase.
    
    The password or phrase has expired. The user is prompted to
    enter a new value and the signon is attempted again. This signon
    fails because the MFA token supplied in the first signon has
    already been used.
    
    The password or phrase can be changed as part of signon, but the
    new value must be provided as part of the initial signon call.
    

Problem conclusion

  • The CICS terminal signon process has been changed to allow for
    the normal expired password flow to work for MFA users.
    
    The IDTDATA class must be activated in RACF for the changes in
    this APAR to take effect.
    

Temporary fix

Comments

  • ×**** PE25/04/15 FIX IN ERROR. SEE APAR PH66152  FOR DESCRIPTION
    ×**** PE25/04/07 FIX IN ERROR. SEE APAR PH66036  FOR DESCRIPTION
    ×**** PE25/09/22 FIX IN ERROR. SEE APAR PH68228  FOR DESCRIPTION
    

APAR Information

  • APAR number

    PH63625

  • Reported component name

    CICS TS Z/OS V6

  • Reported component ID

    5655YA100

  • Reported release

    400

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2024-10-08

  • Closed date

    2025-01-13

  • Last modified date

    2025-12-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI99617 UI99618

Modules/Macros

  • DFHBSTS  DFHDUTM  DFHSNTU  DFHTCDUF DFHTCRP  DFHUSAD  DFHUSADT
    DFHXSAD  DFHXSADT DFHXSIS  DFHXSIST DFHXSSA  DFHXSSAT DFHXSSB
    DFHXSSBT
    

Fix information

  • Fixed component name

    CICS TS Z/OS V6

  • Fixed component ID

    5655YA100

Applicable component levels

  • R400 PSY UI99618

       UP25/01/14 P F501  

  • R500 PSY UI99617

       UP25/01/16 P F501  

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
04 December 2025