IBM Support

VM65872: IUCV CONNECT PROBLEMS FOR IDENTITY USERS

A fix is available


APAR status

  • Closed as program error.

Error description

  • The initial support for IUCV CONNECT within an SSI environment
    was overly protective.  Some combinations of DISTRIBUTE IUCV
    setting (in SYSTEM CONFIG) and IUCV CONNECT invoker and target
    user were restricted out of an excess of caution.
    
    The primary inconsistency is found when DISTRIBUTE IUCV NO is
    configured in SYSTEM CONFIG and the invoker is trying to use
    IUCV CONNECT to a user within the SSI cluster.  Some scenarios
    work (for example, a single-configuration USER can connect to a
    single-configuration USER) but other scenarios fail when one
    might reasonably expect them to work.
    
    For example, the following scenarios fail:
    CONNECT from IDENTITY to USER fails
    CONNECT from USER to IDENTITY with TARGET=node fails
    
    These are cases one might expect to work, but instead IUCV
    CONNECT fails with IPRCODE=11 (target not logged on).
    

Local fix

  • Apply PTF
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Customers using IUCV applications across     *
    *                 ISFC within an SSI cluster with DISTRIBUTE   *
    *                 IUCV NO configured in SYSTEM CONFIG.         *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION: APPLY PTF                                    *
    ****************************************************************
    When DISTRIBUTE IUCV NO is configured within an SSI cluster,
    some IUCV CONNECT possibilities are allowed based on the fact
    that these users are operating in a special domain (almost like
    being in the same system).  This was not permitted for IDENTITY
    users because the nominal userid does not uniquely identify a
    specific virtual machine (the same user might be online on
    every node in the collection).
    
    Some IUCV CONNECT cases (especially those involving an IDENTITY
    user) are not allowed within the SSI cluster unless the customer
    configures DISTRIBUTE IUCV YES (which opens IUCV to users on
    other systems as well).
    
    The restriction against IDENTITY users was overly protective
    since it resulted in IUCV CONNECT failures even when the
    target node was specified.
    

Problem conclusion

  • HCPIUOCO handles IUCV CONNECT processing.  This logic was
    updated to reorganize the tests and allow for connection in
    cases that were originally restricted within the SSI cluster
    when DISTRIBUTE IUCV NO was configured.
    
    HCPAAJEP handles incoming requests (including the OPEN request
    associated with an inbound IUCV CONNECT request).  This logic
    was updated to allow inbound IUCV CONNECT (regardless of
    the DISTRIBUTE IUCV setting) for requests that originated
    within the SSI cluster.
    
    The following tables illustrate the results before and
    after applying this APAR.  Invoker/USER type is:
    USER     = Single-Configuration userid within the SSI
    IDENTITY = Multiple-Configuration userid within the SSI
    ExtUser  = External user (outside the SSI cluster)
    
    IUCV CONNECT with TARGET(null)
    +---------------------------------------------------------+
    | Invoker  | USER     |          DISTRIBUTE IUCV          |
    | type     | type     | NO        | TOLERATE  | ALL       |
    |----------+----------+-----------+-----------+-----------|
    | USER     | USER     | YES       | YES       | YES       |
    |          | IDENTITY | NO(1)     | NO        | YES       |
    |          | ExtUser  | NO        | NO        | YES       |
    |----------+----------+-----------+-----------+-----------|
    | IDENTITY | USER     | NO->YES   | NO->YES   | NO->YES   |
    |          | IDENTITY | NO(1)     | NO        | YES       |
    |          | ExtUser  | NO        | NO        | YES       |
    |----------+----------+-----------+-----------+-----------|
    | ExtUser  | (ANY)    | NO        | NO        | YES       |
    +----------+----------+-----------+-----------+-----------+
    
    IUCV CONNECT with TARGET=nodeid
    +---------------------------------------------------------+
    | Invoker  | USER     |          DISTRIBUTE IUCV          |
    | type     | type     | NO        | TOLERATE  | ALL       |
    |----------+----------+-----------+-----------+-----------|
    | USER     | USER     | YES(2)    | YES       | YES       |
    |          | IDENTITY | NO->YES(2)| YES       | YES       |
    |          | ExtUser  | NO        | YES       | YES       |
    |----------+----------+-----------+-----------+-----------|
    | IDENTITY | USER     | NO->YES(2)| YES       | YES       |
    |          | IDENTITY | NO->YES(2)| YES       | YES       |
    |          | ExtUser  | NO        | YES       | YES       |
    |----------+----------+-----------+-----------+-----------|
    | ExtUser  | (ANY)    | NO        | YES       | YES       |
    +----------+----------+-----------+-----------+-----------+
    
    Notes:
    NO->YES  indicates behavior before->after applying this fix.
    NO(1)    CONNECT to an IDENTITY user with no target nodeid
             and D-IUCV NO is prohibited because the IDENTITY
             user is not unique within the SSI cluster.
    YES(2)   CONNECT to any user type with TARGET=nodeid is
             allowed (regardless of D-IUCV setting).
    
    Also note that IUCV CONNECT with LOCAL=YES will never try
    to connect to a remote user (regardless of D-IUCV settings
    or SSI membership).
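
The two tables above, restated as a rule-based model so that the combinations this APAR newly permits can be listed for review. This is an added example, not IBM code and not the logic in HCPIUOCO; the type and setting names follow the table labels, and the function names are hypothetical.

```python
from itertools import product

SSI_TYPES = {"USER", "IDENTITY"}         # userid types inside the SSI cluster
TYPES = ("USER", "IDENTITY", "ExtUser")  # ExtUser = outside the SSI cluster
SETTINGS = ("NO", "TOLERATE", "ALL")     # DISTRIBUTE IUCV columns as labelled in the tables


def connect_allowed(invoker, target, setting, target_node, fixed=True):
    """True where the tables show YES.

    target_node -- True for TARGET=nodeid, False for TARGET(null)
    fixed       -- True for behavior after the APAR, False for before
    """
    if target_node:
        if setting != "NO":
            return True                  # TOLERATE and ALL: YES in every row
        if fixed:                        # rows marked YES(2) in the table
            return invoker in SSI_TYPES and target in SSI_TYPES
        return invoker == "USER" and target == "USER"
    # TARGET(null)
    if not fixed and invoker == "IDENTITY" and target == "USER":
        return False                     # pre-fix restriction, all settings
    if setting == "ALL":
        return True
    # NO(1): an IDENTITY target is not unique without a nodeid
    return invoker in SSI_TYPES and target == "USER"


def changed_cells():
    """List (form, invoker, target, setting, before, after) where the fix changes the result."""
    rows = []
    for target_node, invoker, target, setting in product((False, True), TYPES, TYPES, SETTINGS):
        before = connect_allowed(invoker, target, setting, target_node, fixed=False)
        after = connect_allowed(invoker, target, setting, target_node, fixed=True)
        if before != after:
            form = "TARGET=nodeid" if target_node else "TARGET(null)"
            rows.append((form, invoker, target, setting, before, after))
    return rows


if __name__ == "__main__":
    for form, invoker, target, setting, before, after in changed_cells():
        print(f"{form:14} {invoker:8} -> {target:8} D-IUCV {setting:8} "
              f"{'YES' if before else 'NO'} -> {'YES' if after else 'NO'}")
```

Each row it lists is a combination the tables mark NO->YES; no combination moves from YES to NO.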
    

Temporary fix

  • FOR RELEASE VM/ESA CP/ESA R630 :
    PREREQ: VM65856 VM65403
    CO-REQ: NONE
    IF-REQ: NONE
    FOR RELEASE VM/ESA CP/ESA R640 :
    PREREQ: NONE
    CO-REQ: NONE
    IF-REQ: NONE
    

Comments

APAR Information

  • APAR number

    VM65872

  • Reported component name

    VM CP

  • Reported component ID

    568411202

  • Reported release

    A62

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    YesHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-08-01

  • Closed date

    2017-02-27

  • Last modified date

    2017-11-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UM35050 UM35051 UM35052 UM35053

Modules/Macros

  • HCPAAJ   HCPIUO   HCPMES   HCPMESA  HCPMESB  HCPMXRBK HCPNET
    HCPZSC   HCP3012I
    

Fix information

  • Fixed component name

    VM CP

  • Fixed component ID

    568411202

Applicable component levels

  • RA63 PSY UM35050

       UP17/03/07 P 1701 ¢

  • RA64 PSY UM35051

       UP17/11/24 P 1702 ¢

  • R630 PSY UM35052

       UP17/03/01 P 1701 ¢

  • R640 PSY UM35053

       UP17/03/01 P 1702 ¢

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
24 November 2017