** All sites with SO16294 must apply Hiper PTFs LU01759, LU04674 and LU00372 if the output of
the 'TSS MODI STATUS(BASE)' command displays the AES encryption status
Failure to apply LU01759 leaves the site open to the problems
After solution SO16294 is applied, a CREATE USING command that includes the
PASSWORD operand to assign a password to the new user does not function
correctly. The password field remains empty or improperly formatted. This failure occurs with
non-AES encrypted passwords.
Possible symptoms are:
1) The TSS CREATE command fails with unexpected error messages.
2) The command completes successfully, but the new acid record has no password.
3) The command completes successfully, but the new acid record includes incorrectly formatted password data.
If the command completes successfully, when a user logs on with the new ACID (built with CREATE USING PASSWORD) and is forced to change the password, an invalid length is used, and storage that follows the ACID in memory is released incorrectly. The result is that freed storage is re-used and overlaid. The overlay may include the in-storage GID table. When the GID table is overlaid, SAF programs start taking SOC4 or SA78 abends causing system instability, which requires a reinitialization of TOP Secret or possibly an IPL.
TSS9190A CA-TSS COMMAND PROCESSOR ABEND S0C4 IN TSSAUTH1+31ABE
CCSR010E TSSAUTHZ S0C4 at 24EE4ABE LMOD TSSAUTH CSECT TSSAUTH2 +00BABE
TSS N/A TSS
IEF196I CCSR010E TSSAUTHZ S0C4 at 24EE4ABE LMOD TSSAUTH CSECT TSSAUTH2
IEF196I +00BABE TSS N/A TSS
CCSR021I OWNER = CA TOP SECRET R16.0
IEF196I CCSR021I OWNER = CA TOP SECRET R16.0
The new user cannot log on to any application. Adding a new password to the user based on other field content, including Kerberos-related fields, may fail. During change password processing, storage can be corrupted causing unpredictable results, including S0C4 and SA78 abends and potentially a reinit of CA Top Secret or an IPL.
Release : 16.0
Important: Steps must be taken to delete and re-build any acids which were created with TSS CREATE USING() PASSWORD() commands while SO16294 was applied WITHOUT LU01759, LU04674 and LU00372. The list of affected acids can be found by running the TSSAUDIT utility with the CHANGES parameter for the entire timeframe while SO16294 was applied alone.
Issue the CREATE USING command without a PASSWORD operand, and then issue an ADD or REPLACE command to change the PASSWORD.