IBM Support

PK63063: QUERY SECURITY COMMAND WITH LOGMESSAGE(NOLOG) HAS NO EFFECT

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Customer's application issues many EXEC CICS Query Security
    commands with the LOGMESSAGE(NOLOG) option specified so that
    security violation messages will not be produced. For example
    message BST120I being written to the console log and possisbly
    message DFHXS1111 being written to CICS logs.
    .
    These security violation messages are not true violations as
    a user is not truly trying to access a resource. The query
    security command is simply making a determination if a user is
    or is not ABLE to access a resource.
    .
    Hundreds to thousands of messages can be produced in this manner
    and many customers may not wish to have them logged for the
    reason given above.
    .
    The Basic Security Manager (BSM) is being used in this scenario.
    It was discovered that the BSM does not currently support
    message suppression. APARs DY46880 (z/VSE 3.1) and DY46812
    (z/VSE 4.1) will supply the capability within the BSM. It will
    require CICS to pass MSGSUPP=YES on the associated RACROUTE
    call to cause the messages to be suppressed.
    .
    .
    Additional Symptom(s) Search Keyword(s):KIXREVJXD
    

Local fix

  • Apply appropriate VSE APAR mentioned above and request usermod
    DFHXSS.VSERLF from CICS support.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: ALL                                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: LOGMESSAGE(NOLOG) option of QUERY       *
    *                      SECURITY fails to suppress Basic        *
    *                      Security Manager messages when          *
    *                      querying an external resource.          *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    A Customer's application issues many EXEC CICS QUERY SECURITY
    commands, against an external resource, with the
    LOGMESSAGE(NOLOG) option. However, the request to suppress
    security messages is not being honored. Instead the VSE console
    contains many BST120I messages, each of which details a
    resource that had been the target of a QUERY SECURITY command.
    
    The lack of message suppression is due to there being no
    support for it in either CICS or z/VSE 3.1.1 or higher. For
    CICS, the RACROUTE call used to invoke the security manager did
    not request log message suppression. For z/VSE 3.1.1 or higher,
    the Basic Security Manager was found not to support this
    option, even when specified. That omission was corrected by the
    following VSE PTFs:-
    
         UD53333 ( APAR DY46880 ) - z/VSE V3.1
         UD53271 ( APAR DY46812 ) - z/VSE V4.1
    
    
    Additional Keyword: DFHXSS BSM msgBST120I
    

Problem conclusion

  • Module DFHXSSC has been amended. The MSGSUP=YES option has been
    added to the RACROUTE call used when log message suppression has
    been requested.
    

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PK63063

  • Reported component name

    CICSTS FOR VSE

  • Reported component ID

    564805400

  • Reported release

    B0P

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-03-20

  • Closed date

    2008-05-30

  • Last modified date

    2008-11-10

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UK36931

Modules/Macros

  •    DESXSSC  DFHXSSC
    

Fix information

  • Fixed component name

    CICSTS FOR VSE

  • Fixed component ID

    564805400

Applicable component levels

  • RB0P PSY UK36931

       UP08/05/30 P E420

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU011","label":"Systems - zSystems software"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"1.1.1","Edition":""}]

Document Information

Modified date:
10 November 2008