IBM Support

PI85774: CPSM MAS AGENT STARTUP DUPLICATING SECURITY CHECKING DONE BY CICS 5.4

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • In CICS 5.4, the CPSM MAS agent tasks were converted from user
tasks to CICS Category 1 system tasks. CICS already checks
during its startup to make sure that the CICS region userid has
sufficient authority in RACF (or the current External Security
Manager) to run all Category 1 transactions. Because of this,
CPSM no longer needs to duplicate the efforts when the MAS
agent code starts.
.
Additional Symptom(s) Search Keyword(s): KIXREVxxx

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED: All CICSPlex SM V5R4M0 Users.                *
****************************************************************
* PROBLEM DESCRIPTION: One or more EYUNX0102E messages may be  *
*                      issued during the start of the CPSM     *
*                      agent in a MAS or SMSS region,          *
*                      indicating that the security definition *
*                      for one or more CPSM transactions is    *
*                      incorrect.  The text of the messages    *
*                      will be similar to the following:       *
*                                                              *
*                        EYUNX0102E  Security profile for      *
*                                    TRANSATTACH <tranid> is   *
*                                    incorrect:                *
*                                    READ=NOTREADABLE.         *
*                                                              *
*                      If this occurs, the messages will be    *
*                      followed by message EYUNX0103E,         *
*                                                              *
*                        EYUNX0103E  Incorrect security        *
*                                    profile for one or more   *
*                                    resources. MAS            *
*                                    initialization is         *
*                                    terminating.              *
*                                                              *
*                      and CPSM agent initialization will      *
*                      terminate.                              *
****************************************************************
* RECOMMENDATION: After applying the PTF that resolves this    *
*                 APAR, all MASes, including MASes running as  *
*                 WUI servers, must be restarted.  Note that   *
*                 the restarts do not need to occur at the     *
*                 same time.                                   *
****************************************************************
When the CPSM agent initializes in a MAS or SMSS, module
EYU9NXLM (MAS) or EYU9NXRM (SMSS) is performing security checks
to verify that the CPSM transactions that are internally started
have the correct authorization.  This check is against the
PLTPIUSR ID (if specified) or the region user ID.

With CICS TS V5.4, all CPSM agent transactions that are
internally started in a MAS and SMSS that is running CICS 710
have been changed to CICS Category 1 transactions, and will run
under the region user ID.

If PLTPIUSR is specified for a MAS or SMSS region running CICS
710, and that user ID does not have the same authorization as
the region user ID, then EYU9NXLM or EYU9NXRM may invalidly
issue message EYUNX0102E for each transaction, and fail CPSM
agent initialization with message EYUNX0103E.

    



Problem conclusion


    

  • With CICS TS V5.4, the CPSM MAS and SMSS transactions that are
now defined as CICS Category 1 transactions are now subject to
authorization checking performed by CICS at region start up so
there is no need for CPSM to perform authorization checks for
them in EYU9NXLM and EYU9NXRM when the MAS or SMSS is running
CICS release 710.  As such, the following updates have been
made:

-  Since a CPSM MAS running CICS TS V5.4 could be running CICS
   710 or previous, a conditional check has been added to
   EYU9NXLM to only perform CPSM transaction authorization
   checking if the CICS release is 700 or lower.

-  Since a CPSM SMSS running CICS TS V5.4 must be running CICS
   710, the CPSM transaction authorization checking has been
   removed from EYU9NXRM.

Note that when the MAS or SMSS is running CICS 710, and the CICS
authorization checking for CPSM MAS or SMSS transactions fails,
CICS will issue messages DFHXS1111 and DFHXS1113 to document
this and fail region initialization.

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PI85774
    • 

  • Reported component name
    CICS TS Z/OS V5
    • 

  • Reported component ID
    5655Y0400
    • 

  • Reported release
    10M
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    YesSpecatt / CST / Xsystem
    • 

  • Submitted date
    2017-08-10
    • 

  • Closed date
    2017-10-17
    • 

  • Last modified date
    2017-11-08
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UI51214
    

    • 



Modules/Macros


    

  • CJF9NXLM CJG9NXLM CJH9NXLM EYU9NXLM EYU9NXRM EYUE3516 EYUK3516
EYUS3516

    



Fix information


    

  • Fixed component name
    CICS TS Z/OS V5
    • 

  • Fixed component ID
    5655Y0400
    • 



Applicable component levels


    

  • R10M  PSY  UI51214
       UP17/10/20  P  F710
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.4","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.4","Edition":"","Line of Business":{"code":"","label":""}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            08 November 2017
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback