A fix is available
APAR status
Closed as program error.
Error description
RACF no longer updates the AST=ACCESS field of a RACF user profile when the request comes through IMS Connect. This occurs after IMS upgrade from V12 to V14. This is due to a change in IMS Connect modules from VERIFY to VERIFYX. For VERIFYX the default (STAT=ASIS) is processed the same as STAT=NO. This APAR will also add a statistics configuration option to specify whether or not statistics are wanted for IMS Connect. STAT=Y/N (tuld be choosen as an IMS Connect configuration
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: * * IMS 14 IMS Connect users running TM * * transactions with RACF enabled. * **************************************************************** * PROBLEM DESCRIPTION: * * When IMS Connect authenticated the * * userid of the TM client, RACF did * * not update the LAST-ACCESS time of * * the RACF user profile. * **************************************************************** * RECOMMENDATION: * * INSTALL CORRECTIVE SERVICE FOR APAR/PTF * **************************************************************** When IMS Connect authenticated the userid of the TM client, RACF did not update the LAST-ACCESS time of the RACF user profile. The user authentication call was previously changed from RACROUTE REQUEST=VERIFY to RACROUTE REQUEST=VERIFYX. With the VERIFYX call, RACF statistics was disabled so the LAST-ACCESS time did not get updated.
Problem conclusion
IMS Connect adds a new TMRACFST parm option in the HWS statement of the IMS Connect HWSCFGxx configuration member that enables or disables the update of RACF statistics when IMS Connect authenticates users for TM transactions to OTMA. IMS Connect changes the user authentication call from RACROUTE REQUEST=VERIFYX to RACROUTE REQUEST=VERIFY. With TMRACFST option enabled, the RACROUTE call uses STAT=ASIS option to enable RACF statistics. With TMRACFST option disabled, the RACROUTE call uses STAT=NO option to disable RACF statistics. Parts changes ------------- HWSHCDB - Add HCDB_TMRACFST byte. HWSHSCT - Add SCT_FG_TMRFST_Y equate. HWSOCBLK - Add qic_show_tmracfst and uic_tmracfst. HWSCQ010 - Add SHOW(TMRACFST). HWSCU010 - Add SET(TMRACFST). HWSFM060 - Recompile for HCDB dump formatter changes. HWSOCM00 - Add SHOW(TMRACFST) for QRY CONFIG. - Add SET(TMRACFST) for UPD CONFIG. HWSSRCF0 - Change RACROUTE REQUEST=VERIFYX to VERIFY. Use STAT= option value based on TMRACFST parm option. HWSXCFG0 - Add TMRACFST= parm option. Doc changes ----------- IMS Version 14 Release Planning (GC19-4224-00) Release planning for IMS > Release planning > IMS Version 14 enhancements > IMS system enhancements > IMS Connect enhancements Recording IMS Connect RACF statistics for IMS TM connections In IMS 14 with APAR PI89512, you can enable RACF statistics to be recorded when IMS Connect issues the RACF call RACROUTE REQUEST=VERIFY to authenticate OTMA client connections to IMS TM. You can enable RACF statistics by specifying TMRACFST=Y in the HWS statement of the HWSCFGxx configuration member. After you enable RACF statistics, the statistics, including the last date and time a user was authenticated to request transaction in IMS TM, are recorded by RACF no more than once per day to a system management facility (SMF) data set or log stream. The SMF data set or log stream that is used to record the RACF statistics is specified in the RACF configuration. You can use the RACF statistics to enforce security policies, such as defining how frequently user passwords need to be changed or enabling access to be automatically revoked for inactive users. If you enable RACF statistics, the STAT=ASIS parameter is used for the RACROUTE REQUEST=VERIFY call to enable the options that are specified on the RACF command SETROPTS to take effect. IMS Version 14 System Definition (GC19-4226-00) Installing IMS > System definition > Members of the IMS PROCLIB data set > HWSCFGxx member of the IMS PROCLIB data set > HWS statement New TMRACFST= parameter is added to the HWS statement in the IMS Connect HWSCFGxx configuration member of the IMS PROCLIB data set. HWS statement TMRACFST= parameter Specifies whether RACF statistics are recorded and updated when IMS Connect issues the RACROUTE REQUEST=VERIFY call to authenticate connections from an OTMA client to IMS TM. This parameter is used only if RACF=Y is specified in the HWS statement of the HWSCFGxx configuration member. N is the default value. You can change the value of this parameter by using the SET(TMRACFST(ON)) or SET(TMRACFST(OFF)) option on the online IMS Connect command UPD IMSCON TYPE(CONFIG). Y RACF statistics are recorded when IMS Connect issues the RACROUTE REQUEST=VERIFY call to authenticate connections from an OTMA client to IMS TM. If the logon is successful, a message is also issued. When you specify TMRACFST=Y, the STAT=ASIS parameter is used by IMS Connect on the RACROUTE REQUEST=VERIFY call. With STAT=ASIS, the RACF messages and statistics are controlled by the installation's current options on the RACF command SETROPTS. After you enable RACF statistics, the statistics are recorded by RACF no more than once per day to a system management facility (SMF) data set or log stream. The SMF data set or log stream that is used to record the RACF statistics is specified in the RACF configuration. N RACF statistics are not recorded when IMS Connect issues the RACROUTE REQUEST=VERIFY call to authenticate connections from an OTMA client to IMS TM, and if the logon is successful, no message is issued. When you specify TMRACFST=N, the STAT=NO parameter is used by IMS Connect on the RACROUTE REQUEST=VERIFY call. With STAT=NO, the options specified on the RACF command SETROPTS are ignored. For more information about the STAT= parameter of the RACROUTE REQUEST=VERIFY macro call, see "z/OS Security Server RACROUTE Macro Reference" in the IBM z/OS documentation. IMS Version 14 Commands, Volume 2: IMS Commands N-V (SC19-4211-00) IMS reference information > IMS commands > IMS commands > QUERY commands > QUERY IMSCON commands > QUERY IMSCON TYPE(CONFIG) command The QUERY IMSCON TYPE(CONFIG) command is enhanced to display the TMRACFST value. The filter keyword TMRACFST is added to the SHOW keyword. SHOW TMRACFST Displays the RACF statistics option value, which is used to enable or disable RACF statistics when connections to IMS TM are authenticated. The following entry is added to the output fields table. Short Long label label Keyword Meaning ------------------------------------------------------------- TRSTAT TMRacfStat TMRACFST Whether RACF statistics are recorded and updated when IMS Connect issues the RACF command RACF RACROUTE REQUEST=VERIFY to authenticate OTMA client connections to IMS TM. One of the following values is displayed: Y RACF statistics and messages are enabled and updated for the execution of the RACF RACROUTE REQUEST=VERIFY call. N RACF statistics and messages are not enabled and not updated for the execution of the RACF RACROUTE REQUEST=VERIFY call. IMS reference information > IMS commands > IMS commands > UPDATE commands > UPDATE IMSCON commands > UPDATE IMSCON TYPE(CONFIG) command The UPDATE IMSCON TYPE(CONFIG) command is enhanced to allow the TMRACFST value to be changed. The TMRACFST attribute keyword is added to the SET keyword. SET TMRACFST Specifies whether RACF statistics are recorded and updated when IMS Connect issues the RACROUTE REQUEST=VERIFY command to authenticate connections from an OTMA client to IMS TM. This keyword is used only if RACF=Y is specified in the HWS statement of the HWSCFGxx configuration member. ON RACF statistics are recorded and updated when IMS Connect issues the RACROUTE REQUEST=VERIFY command to authenticate connections from an OTMA client to IMS TM. If the logon is successful, a message is also issued. When you specify TMRACFST=Y, the STAT=ASIS parameter is used by IMS Connect on the RACROUTE REQUEST=VERIFY command. With STAT=ASIS, the RACF messages and statistics are controlled by the installation's current options on the RACF command SETROPTS. After you enable RACF statistics, the statistics are recorded by RACF no more than once per day to a system management facility (SMF) data set or log stream. The SMF data set or log stream that is used to record the RACF statistics is specified in the RACF configuration. OFF RACF statistics are not recorded when IMS Connect issues the RACROUTE REQUEST=VERIFY command to authenticate connections from an OTMA client to IMS TM. Also, the statistics are not updated and, if the logon is successful, no message is issued. When you specify TMRACFST=N, the STAT=NO parameter is used by IMS Connect on the RACROUTE REQUEST=VERIFY command. With STAT=NO, the options specified on the RACF command SETROPTS are ignored. For more information about the STAT= parameter of the RACROUTE REQUEST=VERIFY macro call, see "z/OS Security Server RACROUTE Macro Reference" in the IBM z/OS documentation.
Temporary fix
Comments
APAR Information
APAR number
PI89512
Reported component name
IMS V14
Reported component ID
5635A0500
Reported release
400
Status
CLOSED PER
PE
NoPE
HIPER
YesHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-10-27
Closed date
2017-12-07
Last modified date
2018-03-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PI89717 UI52498
Modules/Macros
HWSXCFG0 HWSSRCF0 HWSCQ010 HWSOCM00 HWSCU010 HWSFM060
| GC19422400 | GC19422600 | SC19421100 |
Fix information
Fixed component name
IMS V14
Fixed component ID
5635A0500
Applicable component levels
R400 PSY UI52498
UP17/12/15 P F712
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSEPH2","label":"IMS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"14.1","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]
Document Information
Modified date:
01 December 2023