Top Secret All sites with SO16294 must apply Hiper PTF LU01759


Article ID: 224391


Updated On:


CA Top Secret


** All sites with SO16294 must apply Hiper PTF LU01759 if the output of
   the 'TSS MODI STATUS(BASE)' command displays the AES encryption status
   as follows:
   Failure to apply LU01759 leaves the site open to the problems
   described below.
After solution SO16294 is applied, a CREATE USING command that includes the
PASSWORD operand to assign a password to the new user does not function
correctly.  The password field remains empty or improperly formatted.  This failure occurs with
non-AES encrypted passwords.

Possible symptoms are:

1)       The TSS CREATE command fails with unexpected error messages.

2)       The command completes successfully, but the new acid record has no password.

  1. A subsequent LIST of the ACID displays the PASSWORD field as *NONE*.

3)       The command completes successfully, but the new acid record includes incorrectly formatted password data.

  1. A subsequent LIST of the ACID displays the PASSWORD field as blanks, as expected, but the acid record is actually improperly formatted.

If the command completes successfully, when a user logs on with the new ACID (built with CREATE USING PASSWORD) and is forced to change the password, an invalid length is used, and storage that follows the ACID in memory is released incorrectly. The result is that freed storage is re-used and overlaid.  The overlay may include the in-storage GID table. When the GID table is overlaid, SAF programs start taking SOC4 or SA78 abends causing system instability, which requires a reinitialization of TOP Secret or possibly an IPL.
The new user cannot log on to any application. Adding a new password to the user based on other field content, including Kerberos-related fields, may fail.  During change password processing, storage can be corrupted causing unpredictable results, including S0C4 and SA78 abends and potentially a reinit of CA Top Secret or an IPL.


Release : 16.0



Important: Steps must be taken to delete and re-build any acids which were created with TSS CREATE USING() PASSWORD() commands while SO16294 was applied WITHOUT LU01759.  The list of affected acids can be found by running the TSSAUDIT utility with the CHANGES parameter for the entire timeframe while SO16294 was applied alone.

Issue the CREATE USING command without a PASSWORD operand, and then issue an ADD or REPLACE command to change the PASSWORD.