IBM Support

PH66130: CICS incorrectly fails sign on for a pure MFA user with an expired password

A fix is available


APAR status

  • Closed as program error.

Error description

  • The issue is specific to pure MFA users with expired passwords
    when a non-RACF ESM returns an OK response on the IRRSPW00
    (R_PASSWORD) call. CICS does not expect an OK response on the
    IRRSPW00 call for MFA users (or PassTickets) because IRRSPW00
    cannot handle these forms of authentication. With RACF, this
    call always fails and a full VERIFYX call is made. The code path
    for that call resets the expired-password flags set by CICS's
    calculations, so the result of the VERIFYX call is honored and
    is not overridden by them.

    Some ESMs do not validate the password at this point and return
    OK on the IRRSPW00 call; the assumption is that this is because
    the ESM has already validated it previously. This APAR caters
    for the case where the ESM returns an OK response on the
    IRRSPW00 call for MFA users (PassTickets also fall into this
    case).

    The customer is using MFA, and their password is expired as
    expected (as expected because they do not use a password to log
    on). A logon attempt when using a non-RACF ESM fails with
    message DFHxxxxxx when it should be permitted.
    

Local fix

  • Keyword: RJLKIXREV
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS Users.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: Pure MFA users and/or users of          *
    *                      PassTickets experiencing sign on        *
    *                      failures with message DFHXS1202         *
    *                      reporting an expired password.          *
    ****************************************************************
    Pure MFA users, or users of PassTickets, attempting to sign on
    to CICS via a non-RACF ESM receive message DFHXS1202 reporting
    that their password has expired.

    In these cases the user's password has expired, but this is not
    relevant because the password is not being used as a form of
    authentication. CICS calculates that the password has expired
    before making an IRRSPW00 call to the ESM. CICS expects this
    call to fail for MFA users and users of PassTickets.
    The failure of the IRRSPW00 call then causes a VERIFYX call to
    be driven for the ESM to validate the credentials.

    For a pure MFA or PassTicket user with an expired password, it
    has been found that a non-RACF ESM may return an OK response on
    the IRRSPW00 call. As a result, CICS does not make the VERIFYX
    call to validate the user's credentials. Because CICS has
    determined from its own calculations that the user's password
    has expired, this is reported in message DFHXS1202.
    

Problem conclusion

  • CICS has been updated to handle an OK response to the IRRSPW00
    call. If this call is successful but the user's password has
    expired, a VERIFYX call will be driven to validate the user's
    credentials with the ESM.
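
The sign-on flow described above, modelled in Python as an added example (not CICS code or IBM's implementation), comparing the behaviour before and after the fix for a RACF-like ESM and a non-RACF ESM. ModelEsm, sign_on, run_matrix, the SIGNED_ON and REJECTED outcome strings and the token value are hypothetical; the branch taken when IRRSPW00 returns OK and the password is not expired is an assumption.

```python
from dataclasses import dataclass


@dataclass
class ModelEsm:
    """Hypothetical ESM stand-in; not a real RACF or vendor interface."""
    irrspw00_ok_for_mfa: bool   # True models the non-RACF behaviour in the APAR
    valid_credential: str       # constructed MFA token / PassTicket value
    verifyx_calls: int = 0

    def irrspw00(self, credential: str) -> bool:
        # The APAR notes that some ESMs return OK here without validating.
        return self.irrspw00_ok_for_mfa

    def verifyx(self, credential: str) -> bool:
        self.verifyx_calls += 1
        return credential == self.valid_credential


def sign_on(esm: ModelEsm, password_expired: bool, credential: str, fixed: bool) -> str:
    """Return the modelled outcome of one MFA/PassTicket sign-on attempt."""
    if not esm.irrspw00(credential):
        # Expected path: IRRSPW00 fails, VERIFYX is driven, the locally
        # calculated expiry flag is reset and the ESM's answer is honoured.
        return "SIGNED_ON" if esm.verifyx(credential) else "REJECTED"
    if password_expired:
        if fixed:
            # PH66130: OK from IRRSPW00 plus an expired password drives VERIFYX.
            return "SIGNED_ON" if esm.verifyx(credential) else "REJECTED"
        return "DFHXS1202"  # pre-fix: the local expiry calculation wins
    return "SIGNED_ON"      # assumption: OK and not expired completes sign-on


def run_matrix() -> dict:
    """Expired-password MFA user against both ESM kinds, before and after the fix."""
    results = {}
    for esm_kind, ok in (("racf_like", False), ("non_racf", True)):
        for fixed in (False, True):
            esm = ModelEsm(ok, "constructed-token")
            outcome = sign_on(esm, True, "constructed-token", fixed)
            results[(esm_kind, fixed)] = (outcome, esm.verifyx_calls)
    return results


if __name__ == "__main__":
    for key, value in run_matrix().items():
        print(key, value)
```

In the model, the fixed path still rejects a sign-on whose credential the ESM does not accept on VERIFYX, so the ESM remains the authority for the authentication decision.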
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH66130

  • Reported component name

    CICS TS Z/OS V6

  • Reported component ID

    5655YA100

  • Reported release

    400

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2025-04-14

  • Closed date

    2025-05-09

  • Last modified date

    2025-05-14

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UO03133 UO03134

Modules/Macros

  • DFHXSSB
    

Fix information

  • Fixed component name

    CICS TS Z/OS V6

  • Fixed component ID

    5655YA100

Applicable component levels

  • R400 PSY UO03172

       UP25/05/14 I 1000

  • R500 PSY UO03171

       UP25/05/14 I 1000

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
14 May 2025