APAR status
Closed as fixed if next.
Error description
Java Message Regions (JMP) use RRSAF for DB2 access, not ESAF. For RRSAF, DB2 obtains the userid / AUTHID from the security environment of the caller: TCBSENV if populated, otherwise ASXBSENV. DFSTMAS0 has code to force creation of a TCB-level ACEE for JMP regions, but this code is not executed for OTMA or APPC input messages. In this case the value of OTMASE / APPCSE, and the settings resulting from /SEC OTMA or /SEC APPC, apply. Unless FULL is in effect for the message being scheduled, no ACEE will be created. If the Java application then invokes DB2, the userid / AUTHID used will be the JMP region userid from ASXBSENV, not the userid from the input OTMA or APPC message. This is incorrect. The design is to force creation of a TCB-level ACEE in JMP regions if RRSAF is to be used. This is consistent with ESAF, where if there is a userid associated with an input message, that userid is always passed to the ESS at ESS signon.
Local fix
Problem summary
USERS AFFECTED: All IMS V9 Java Users that are running a JMP program accessing an external subsystem using the IMS RRSAF feature.
PROBLEM DESCRIPTION: A JMP region passes the wrong USERID or AUTHID to the external subsystem when processing OTMA or APPC input.
RECOMMENDATION:
When a Java Message Region (JMP) uses RRSAF for external subsystem access, the external subsystem obtains the USERID / AUTHID from the security environment of the caller: field TCBSENV if populated, otherwise ASXBSENV. IMS has code to force the creation of a TCB-level ACEE for JMP regions, but this code is not executed for OTMA or APPC input messages. In this case, the value of OTMASE / APPCSE, as well as the settings of /SEC OTMA or /SEC APPC, apply. Unless the FULL security setting is specified for the message being scheduled, no ACEE will be created. If the Java application invokes an external subsystem, the USERID / AUTHID used will be from the JMP region userid in field ASXBSENV, not from the userid in the input OTMA or APPC message. This is incorrect. The design should be to force the creation of a TCB-level ACEE in JMP regions if RRSAF is to be used.
Problem conclusion
Temporary fix
Comments
This APAR is closed as "FIN". The problem reported in this APAR will be fixed in a future release/version of IMS, tracked by PTM KFN0454. FIN: Fixed If Next. There is a deficiency that we currently plan to fix if there is another release. This is not a commitment, but expresses our intention. 'Next Release' is not defined.
APAR Information
APAR number
PK26518
Reported component name
IMS V9
Reported component ID
5655J3800
Reported release
900
Status
CLOSED FIN
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2006-06-14
Closed date
2007-04-05
Last modified date
2007-04-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IMS V9
Fixed component ID
5655J3800
Applicable component levels
R900 PSN
UP
Document Information
Modified date:
05 April 2007