ACIDs that match NETNAME suspended at CICS signon after reason code "DF" violations

Article ID: 223190

Products

Top Secret

Issue/Introduction

Customer Information Control System (CICS) users get revoked at CICS signon when the netname matches the user's TSS ACID.

  • This netname is assigned by the TPX ACB exit. 
  • Transactions which run before a successful signon may lead to TSS violations against the ACID with reason code DF (‘signon for ACID requires a phrase’).
  • Multiple violations can cause suspension of the ACID. 

 

Cause

ATS (Automatic Terminal Signon) is a Top Secret CICS feature used for printers, ATMs, and other devices.

If a security check occurs on a terminal where no user is signed on, TSS searches for an ACID that matches the terminal id. So, if a regular user's ACID coincidentally matches a terminal id, Top Secret signs that ACID on to the CICS terminal.

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

Three choices are available to resolve this issue:

  • If an ACID should not get signed on by ATS, add the NOATS attribute to the user. For example: TSS ADD(T123456) NOATS
  • Change the ACID to a value that does not match the terminal id.
  • Change the naming conventions for terminals so that no terminal name can match regular user ACIDs.

NOTE: There is no way to tell whether ATS was used to sign on, aside from observing the match between terminals and ACIDs.
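
Because the match between terminals and ACIDs is the only indicator, the comparison can be done in bulk. The following is an added example, not Broadcom code: it assumes the ACID list and the terminal id/netname list have been exported one name per line, that names compare case-insensitively, and that ACIDs deliberately defined for ATS devices are supplied as an allow-list. All function names and sample values are constructed.

```python
"""Audit for ATS collisions: user ACIDs equal to a terminal id or netname."""


def normalise(lines):
    """Upper-case and trim names; skip blank lines and '*' comment lines."""
    names = set()
    for line in lines:
        name = line.strip().upper()
        if name and not name.startswith("*"):
            names.add(name)
    return names


def find_ats_collisions(user_acids, terminal_names, ats_device_acids=()):
    """Return the sorted user ACIDs that match a terminal id or netname.

    ats_device_acids: ACIDs intentionally defined for ATS (printers, ATMs).
    These are expected to match a terminal and are not reported.
    """
    users = normalise(user_acids)
    terminals = normalise(terminal_names)
    intended = normalise(ats_device_acids)
    return sorted((users & terminals) - intended)


def noats_commands(collisions):
    """Build the command form shown in the Resolution for each ACID."""
    return [f"TSS ADD({acid}) NOATS" for acid in collisions]


# Constructed sample data (assumption: not taken from any real system).
SAMPLE_ACIDS = ["t123456", "JSMITH01", "PRT00001", "  ", "* comment", "OPER02"]
SAMPLE_TERMINALS = ["T123456", "PRT00001", "T123457", "oper02 "]
SAMPLE_ATS_DEVICES = ["PRT00001"]

if __name__ == "__main__":
    hits = find_ats_collisions(SAMPLE_ACIDS, SAMPLE_TERMINALS, SAMPLE_ATS_DEVICES)
    for command in noats_commands(hits):
        print(command)
```

Review each reported ACID before issuing the command; renaming the ACID or changing the terminal naming convention are the other two options listed above.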

 

Additional Information

It appears the netname is being checked against the TSS Secfile, to see if it is defined there as an ACID, as part of the Automatic Terminal Signon Procedure:

https://ftpdocs.broadcom.com/cadocs/0/CA%20Top%20Secret%20%20Security%20for%20z%20OS%20r15-ENU/Bookshelf_Files/HTML/TSS_CICS_zOS_ENU/527480.html