IBM Support

PK94753: SECURITY VIOLATION AGAINST USERID LESS THAN 8 CHARACTERS

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Customer is implementing CICS Web Support and testing the
    DFH$WB1A sample. The BSM (Basic Security Manager) is being used
    as the Security Manager. Message DFHXS1111 is being issued by
    CICS to indicate a security violation during the access check of
    the userid against transacton CWBA (alias transaction). Security
    prefixing is being used (SECPRFX=YES in DFHSIT) thus the
    resource being checked is userid.CWBA where 'userid' is less
    than 8 characters. The resource is correctly defined to the BSM
    and the userid does have access. However, the BSM is unable to
    find the resource as CICS has passed userid_length of 8. The BSM
    returns with return and reason codes of 8,0,8,4 to indicate
    NOTAUTH.
      The problem is within DFHWBXM's INIT_XM_CLIENT processing
    where he calls DFHUSAD for ADD_USER_WITHOUT_PASSWORD and
    passes a userid_length of 8. DFHWBXM is hard coding       _
    which is passing the userid_length of 8. DFHWBXM is hard coding
    userid_length with a load address command instead of determining
    the real length of the userid.
    .
    Additional keywords: INIT XM CLIENT  ADD USER WITHOUT PASSWORD
                         ADD_USER USAD
    KIXREVSCB
    

Local fix

  • Use an 8 byte userid
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS users.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: Security violation when using the CICS  *
    *                      Web Support with a default userid that  *
    *                      is less than 8 characters long.         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    If a CICS Web Support request is processed and the userid is
    not specified, the DFLTUSER SIT parameter is used. DFHWBXM
    issues an INQUIRE_DEFAULT_USER call to get the default userid
    followed by an ADD_USER_WITHOUT_PASSWORD call.
    
    The ADD_USER_WITHOUT_PASSWORD call always passes a length of
    8 for the userid. When this userid is used later to actually
    check the authority to use CWBA, it is possible that the
    userid is passed incorrectly to the BSM. However, the DFHXS1111
    error message will show the userid correctly, and checking the
    authorisation for that userid will show that it should be
    able to use CWBA.
    
    If the default userid is 8 characters long or it is a Systems
    Administrator type, the error does not occur.
    
    This results in CICS DFHXS1111 and VSE BST120I security messages
    for transaction CWBA, e.g.
    
    DFHXS1111 date time applid CWBA Security violation by user xxxx
    for resource CWBA in class TCICSTRN. SAF codes are (X'00000008',
    X'00000000'). ESM codes are (X'00000008',X'00000000').
    BST120I USER(xxxx    ) NAME(xxxxxxxxxxxxxxxxxxxx)
    BST120I   CWBA CL(TCICSTRN)
    BST120I   INSUFFICIENT ACCESS AUTHORITY
    BST120I   FROM CWBA
    BST120I   ACCESS INTENT(READ    ) ACCESS ALLOWED(NONE    )
    
    Additional keywords: msgDFHXS1111 msgBST120I PQ86975
    

Problem conclusion

  • DFHWBXM has been changed to set the actual length of the userid
    on the ADD_USER_WITHOUT_PASSWORD call.
    

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PK94753

  • Reported component name

    CICSTS FOR VSE

  • Reported component ID

    564805400

  • Reported release

    B0P

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2009-08-26

  • Closed date

    2009-10-19

  • Last modified date

    2010-03-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UK51186

Modules/Macros

  •    DESWBXM  DFHWBXM
    

Fix information

  • Fixed component name

    CICSTS FOR VSE

  • Fixed component ID

    564805400

Applicable component levels

  • RB0P PSY UK51186

       UP09/10/23 P E422

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU011","label":"Systems - zSystems software"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"1.1.1","Edition":""}]

Document Information

Modified date:
24 March 2010