A fix is available
APAR status
Closed as program error.
Error description
You are using the VERIFY PHRASE command to authenticate users that are only allowed to use multi-factor authentication and do not have a PASSWORD or PHRASE value set in the external security manager (ESM). Instead of returning a packed format value, the EXPIRYTIME and CHANGETIME values are being incorrectly returned as binary zeros.

Additional Symptom(s) Search Keyword(s): KIXREVSWM
Local fix
n/a
Problem summary
****************************************************************
* USERS AFFECTED: All.                                         *
****************************************************************
* PROBLEM DESCRIPTION: VERIFY PHRASE and VERIFY PASSWORD may   *
*                      return zeroes for DAYSLEFT, EXPIRYTIME  *
*                      and CHANGETIME.                         *
****************************************************************
* RECOMMENDATION: .                                            *
****************************************************************

A VERIFY PHRASE(phrase_string) command was issued and was successfully verified by the ESM (External Security Manager).

However, the user issuing the command did not have the phrase string set up in the ESM. In this scenario, the DAYSLEFT, EXPIRYTIME and CHANGETIME fields returned on the VERIFY PHRASE were inapplicable but CICS returned binary zeroes for all 3. EXPIRYTIME and CHANGETIME are defined to return packed decimal values, so attempting to use the zero value will lead to an application abend. Similarly, an expired PHRASE or PASSWORD returned inapplicable packed decimals.

In comparison, a VERIFY PHRASE where the phrase is non-expiring (but is set up in the ESM) would have had -1 returned in the aforementioned fields to clarify the values were inapplicable.

For the case where a phrase_string (or password) is not set up in the ESM, or has expired, it would be better to return a value that implies it is inapplicable. The same situation exists for the VERIFY PASSWORD(password) command.

Users exploiting this fix who are also users of the CA Top Secret product are advised to also apply a CA fix whose reference number is RO98458.
Problem conclusion
DFHXSSB has been modified and will now return -2 for fields CHANGETIME, EXPIRYTIME and DAYSLEFT in the aforementioned scenario.

The IBM Knowledge Center for CICS Transaction Server for z/OS Version 4 Release 2 will have the following updates applied: The OPTION descriptions under VERIFY PASSWORD and VERIFY PHRASE for CHANGETIME, DAYSLEFT and EXPIRYTIME will read as follows:

VERIFY PHRASE

CHANGETIME(data-area)
  returns the date and time the password or password phrase was last changed in ABSTIME units. When the external security manager is RACF, the time is shown as midnight. If the supplied phrase or password phrase is successfully verified by the external security manager, but has expired or is not set in the external security manager, then CHANGETIME has no meaning and is shown as -2.

DAYSLEFT(data-area)
  returns the number of days from now, in a halfword binary field, until the password or password phrase expires. If the password or password phrase does not expire, a value of -1 is returned. If the supplied phrase or password phrase is successfully verified by the external security manager, but has expired or is not set in the external security manager, then DAYSLEFT has no meaning and is shown as -2.

EXPIRYTIME(data-area)
  returns the date and time the password will expire, in ABSTIME units. When the external security manager is RACF, the time is shown as midnight. If a user has a password or password phrase that does not expire, EXPIRYTIME has no meaning and is shown as -1. If the supplied phrase or password phrase is successfully verified by the external security manager, but has expired or is not set in the external security manager, then EXPIRYTIME has no meaning and is shown as -2.

VERIFY PASSWORD

CHANGETIME(data-area)
  returns the date and time the password was last changed, in ABSTIME units. When the external security manager is RACF, the time is shown as midnight. If the supplied phrase or password phrase is successfully verified by the external security manager, but has expired or is not set in the external security manager, then CHANGETIME has no meaning and is shown as -2.

DAYSLEFT(data-area)
  returns the number of days from now, in a halfword binary field, until the password expires. If the password is non-expiring, -1 is returned. If the supplied phrase or password phrase is successfully verified by the external security manager, but has expired or is not set in the external security manager, then DAYSLEFT has no meaning and is shown as -2.

EXPIRYTIME(data-area)
  returns the date and time the password will expire, in ABSTIME units. When the external security manager is RACF, the time is shown as midnight. If the supplied phrase or password phrase is successfully verified by the external security manager, but has expired or is not set in the external security manager, then EXPIRYTIME has no meaning and is shown as -2.
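
The following Python sketch is an added example, not IBM code or part of this APAR. It decodes the 8-byte packed decimal ABSTIME fields and the halfword DAYSLEFT field the way a caller should before using them, and shows why the pre-fix binary zeros fail (the last nibble is not a valid sign code) while -1 and -2 decode cleanly. All function names and byte strings are constructed for illustration.

```python
from enum import Enum

class FieldState(Enum):
    VALUE = "usable value"
    NON_EXPIRING = "-1: does not expire"
    NOT_APPLICABLE = "-2: expired or not set in the ESM"
    INVALID = "not valid packed decimal"

def unpack_decimal(raw: bytes) -> int:
    """Decode a packed decimal field, rejecting what decimal hardware rejects."""
    if not raw:
        raise ValueError("empty field")
    nibbles = [n for b in raw for n in (b >> 4, b & 0x0F)]
    *digits, sign = nibbles
    if any(d > 9 for d in digits):
        raise ValueError("invalid digit nibble")
    if sign < 0xA:  # 0x0-0x9 is not a sign code; binary zeros fail here
        raise ValueError("invalid sign nibble")
    magnitude = int("".join(str(d) for d in digits))
    return -magnitude if sign in (0xB, 0xD) else magnitude

def _classify(value: int):
    if value == -1:
        return (FieldState.NON_EXPIRING, None)
    if value == -2:
        return (FieldState.NOT_APPLICABLE, None)
    return (FieldState.VALUE, value)

def classify_abstime(raw: bytes):
    """Classify a CHANGETIME or EXPIRYTIME field (8-byte packed decimal)."""
    try:
        return _classify(unpack_decimal(raw))
    except ValueError:
        return (FieldState.INVALID, None)

def classify_daysleft(raw: bytes):
    """Classify DAYSLEFT (signed halfword binary, big-endian on z/OS)."""
    return _classify(int.from_bytes(raw, "big", signed=True))

# Constructed sample fields, not captured from a real system.
PRE_FIX_ZEROS = bytes(8)                          # behaviour described in the APAR
NON_EXPIRING = bytes.fromhex("000000000000001D")  # packed -1
POST_FIX = bytes.fromhex("000000000000002D")      # packed -2 after the fix
SAMPLE_TIME = bytes.fromhex("003726518400000C")   # arbitrary positive ABSTIME

if __name__ == "__main__":
    for name in ("PRE_FIX_ZEROS", "NON_EXPIRING", "POST_FIX", "SAMPLE_TIME"):
        print(name, classify_abstime(globals()[name]))
```

For DAYSLEFT, binary zeros are a valid halfword, so a pre-fix caller would read them as 0 days left rather than abend; only the sentinel check distinguishes the cases.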
Temporary fix
Comments
APAR Information
APAR number
PI92001
Reported component name
CICS TS Z/OS V4
Reported component ID
5655S9700
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-01-03
Closed date
2018-01-29
Last modified date
2018-02-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI53503
Modules/Macros
DFHXSSB
Fix information
Fixed component name
CICS TS Z/OS V4
Fixed component ID
5655S9700
Applicable component levels
R700 PSY UI53503
UP18/01/30 P F801
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
01 February 2018