IBM Support

OA44366: Users get REVOKED after intermittently using invalid passwords via initACEE

A fix is available


APAR status

  • Closed as program error.

Error description

  • When an OMVS / USS application attempts logins that go through
    RACF's initACEE service, invalid password attempts will
    accumulate in spite of intervening successful authentications
    when USS requests the ACEE to be Managed.
    This causes the Userid to ultimately become Revoked in RACF when
    it should not.
    
    EXTERNAL SYMPTOMS:
    In this case, CTG was being used.
    The customer correctly received:
       return code = -1, errno = 111, errno2 = 0X90C0000
    several times, mixed in with two successful logins.  Once they
    had received it as many times as RACF's SETROPTS PASSWORD REVOKE
    value, they received:
       return code = -1, errno = 163, errno2 = 0X90C081C
    
    ANALYSIS:
    RACF's saved data about a Managed ACEE includes information
    about the input password.  When the password (and other info)
    matches, the saved ACEE is handed out to USS, without going to
    RACF's RACROUTE REQUEST=VERIFY.
    If the password does not match, VERIFY is called, which is when
    the invalid attempt is counted (REVOKECT).
    Nothing in initACEE (IRRRIA00) records that a Managed ACEE's
    password check and the subsequent VERIFY failed, so there is no
    way to clear REVOKECT when a later attempt matches the cached
    password data.
    
    KNOWN IMPACT:
    In this situation, an end user can get his userid Revoked
    unexpectedly.
    
    VERIFICATION STEPS:
    SAF Trace is needed to track down the sequence of events.
       CALLABLE(TYPE(26))
       RACROUTE(TYPE(5))
    A dump taken at some point can be used to find the chain of
    Managed ACEEs (ASXBSENV -> ACEE -> ACEX -> ACEXHASH (table) ->
    ACELs).
    

Local fix

  • BYPASS/CIRCUMVENTION:
    Each user can use another method to log into the system
    intermittently.
    
    RECOVERY ACTION:
    The userid has to be RESUMEd.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Installations whose z/OS server issues       *
    *                 INITACEE INTA_MANAGED (for an address        *
    *                 space cache of ACEEs), make requests         *
    *                 for a user's ACEE, with both good and bad    *
    *                 passwords/password phrases.                  *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Installations whose z/OS server issues
    INITACEE INTA_MANAGED (for an address
    space cache of ACEEs), make requests
    for a user's ACEE, with both good and bad
    passwords/password phrases, might get the
    user revoked, even if the INITACEE had a
    good password/password phrase in between
    the bad ones.
    

Problem conclusion

    If a bad password or password phrase is given to INITACEE,
    any ACEEs for that user in the address space level cache
    will no longer be handed out.  Now, when a good
    password or password phrase is given, a RACINIT is
    performed.  This resets the bad password count in the
    database and refreshes the cache.
    
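To make the interaction between the address-space ACEE cache and REVOKECT concrete, here is an added Python simulation (not IBM code; the classes, user, passwords and threshold are constructed) that replays a mixed good/bad password sequence through the cache before and after the fix described above:

```python
# Added simulation (not IBM code) of the managed-ACEE cache logic described in
# OA44366: UserProfile.verify stands in for RACROUTE REQUEST=VERIFY / RACINIT,
# and a ManagedAceeCache entry stands in for a managed ACEE plus the password
# information it was built with. Plaintext passwords are used only for clarity.
from dataclasses import dataclass

REVOKE_THRESHOLD = 3  # constructed stand-in for SETROPTS PASSWORD(REVOKE(n))


@dataclass
class UserProfile:
    password: str
    revokect: int = 0      # consecutive invalid attempts recorded by RACF
    revoked: bool = False

    def verify(self, password):
        """Models VERIFY: a bad attempt bumps REVOKECT, a good one resets it."""
        if self.revoked:
            return False
        if password != self.password:
            self.revokect += 1
            self.revoked = self.revokect >= REVOKE_THRESHOLD
            return False
        self.revokect = 0
        return True


class ManagedAceeCache:
    def __init__(self, profiles, fixed):
        self.profiles, self.fixed, self.cache = profiles, fixed, {}

    def init_acee(self, userid, password):
        """Models initACEE with INTA_MANAGED; True means an ACEE was handed out."""
        if self.cache.get(userid) == password:
            return True                      # cache hit: VERIFY is never called
        ok = self.profiles[userid].verify(password)
        if ok:
            self.cache[userid] = password    # (re)build the managed ACEE
        elif self.fixed:
            self.cache.pop(userid, None)     # APAR fix: stop handing out the cached ACEE
        return ok


def run_sequence(fixed, attempts, real="s3cret"):
    """Replay attempts for one user; returns (results, revokect, revoked)."""
    profiles = {"USER1": UserProfile(real)}
    cache = ManagedAceeCache(profiles, fixed)
    results = [cache.init_acee("USER1", pw) for pw in attempts]
    u = profiles["USER1"]
    return results, u.revokect, u.revoked
```

Replaying good, bad, good, bad, good, bad with `fixed=False` leaves REVOKECT at 3 and the user revoked, because each good attempt is served from the cache and never reaches VERIFY; with `fixed=True` each good attempt goes to VERIFY and the count never exceeds 1.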

Temporary fix

Comments

APAR Information

  • APAR number

    OA44366

  • Reported component name

    RACF

  • Reported component ID

    5752XXH00

  • Reported release

    780

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-01-29

  • Closed date

    2014-04-03

  • Last modified date

    2014-05-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA73071 UA73072 UA73073

Modules/Macros

  • IRRRIA00
    

Fix information

  • Fixed component name

    RACF

  • Fixed component ID

    5752XXH00

Applicable component levels

  • R770 PSY UA73071

       UP14/04/16 P F404

  • R780 PSY UA73072

       UP14/04/16 P F404

  • R790 PSY UA73073

       UP14/04/16 P F404

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
02 May 2014