All sites with SO16294 must apply HIPER PTFs LU01759, LU04674 and LU00372 if the output of
the 'TSS MODI STATUS(BASE)' command displays the AES encryption status
as follows:
AES_ENCRYPTION(Inactive)
Failure to apply LU01759 leaves the site open to the problems
described below.
After solution SO16294 is applied, a CREATE USING command that includes the
PASSWORD operand to assign a password to the new user does not function
correctly. The password field remains empty or improperly formatted. This failure occurs with
non-AES encrypted passwords.
SYMPTOMS:
Possible symptoms are:
1) The TSS CREATE command fails with unexpected error messages.
2) The command completes successfully, but the new ACID record has no password.
3) The command completes successfully, but the new ACID record includes incorrectly formatted password data.
If the command completes successfully, then when a user logs on with the new ACID (built with CREATE USING PASSWORD) and is forced to change the password, an invalid length is used, and storage that follows the ACID in memory is released incorrectly. The result is that freed storage is re-used and overlaid. The overlay may include the in-storage GID table. When the GID table is overlaid, SAF programs start taking S0C4 or SA78 abends, causing system instability that requires a reinitialization of Top Secret or possibly an IPL.
For example:
TSS9190A CA-TSS COMMAND PROCESSOR ABEND S0C4 IN TSSAUTH1+31ABE
CCSR010E TSSAUTHZ S0C4 at 24EE4ABE LMOD TSSAUTH CSECT TSSAUTH2 +00BABE
TSS N/A TSS
IEF196I CCSR010E TSSAUTHZ S0C4 at 24EE4ABE LMOD TSSAUTH CSECT TSSAUTH2
IEF196I +00BABE TSS N/A TSS
CCSR021I OWNER = CA TOP SECRET R16.0
IEF196I CCSR021I OWNER = CA TOP SECRET R16.0
IMPACT:
The new user cannot log on to any application. Adding a new password to the user based on other field content, including Kerberos-related fields, may fail. During change password processing, storage can be corrupted causing unpredictable results, including S0C4 and SA78 abends and potentially a reinit of CA Top Secret or an IPL.
Release : 16.0
Important: Steps must be taken to delete and re-build any ACIDs that were created with TSS CREATE USING() PASSWORD() commands while SO16294 was applied WITHOUT LU01759, LU04674 and LU00372. The list of affected ACIDs can be found by running the TSSAUDIT utility with the CHANGES parameter for the entire timeframe while SO16294 was applied alone.
CIRCUMVENTION:
Issue the CREATE USING command without a PASSWORD operand, and then issue an ADD or REPLACE command to change the PASSWORD.
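The exposure check and the search for ACIDs to rebuild, as an added example that is not vendor code: it tests status output for AES_ENCRYPTION(Inactive) and flags CREATE commands that carry both USING and PASSWORD, while leaving the circumvention form alone. It assumes the command text from the TSSAUDIT CHANGES report has been extracted one command per line (the report layout is not shown in this advisory), matches only the full keyword spellings, and uses made-up ACID names.

```python
import re

# Added example, not vendor code. Assumption: each input line is the text of
# one TSS command taken from a TSSAUDIT CHANGES report; the report layout
# itself is not shown in the advisory, so only the command text is parsed.
# Only full keyword spellings are matched; add any abbreviations a site uses.
QUOTED = re.compile(r"'[^']*'")            # NAME('...') values may contain keywords
CREATE = re.compile(r"\bCREATE\s*\(\s*([^)\s]+)\s*\)", re.I)
USING = re.compile(r"\bUSING\s*\(\s*([^)\s]+)\s*\)", re.I)
PASSWORD = re.compile(r"\bPASSWORD\s*\(", re.I)


def aes_inactive(status_output):
    """True when TSS MODI STATUS(BASE) output shows AES_ENCRYPTION(Inactive)."""
    return re.search(r"AES_ENCRYPTION\(\s*Inactive\s*\)", status_output, re.I) is not None


def affected_acids(command_lines):
    """Return (new ACID, model ACID) for every CREATE with USING and PASSWORD."""
    hits = []
    for line in command_lines:
        text = QUOTED.sub("''", line)      # drop quoted operand values first
        created, model = CREATE.search(text), USING.search(text)
        if created and model and PASSWORD.search(text):
            hits.append((created.group(1).upper(), model.group(1).upper()))
    return hits


# Constructed sample input (ACID names and operand values are made up).
SAMPLE_STATUS = "AES_ENCRYPTION(Inactive)"
SAMPLE_COMMANDS = [
    "TSS CREATE(NEWUSR1) NAME('A USER') DEPT(DEPT1) USING(MODEL1) PASSWORD(xxxx,30,EXP)",
    "TSS CREATE(NEWUSR2) NAME('B USER') DEPT(DEPT1) USING(MODEL1)",  # circumvention form
    "TSS REPLACE(NEWUSR2) PASSWORD(xxxx,30,EXP)",                     # password set afterwards
    "TSS CREATE(NEWUSR3) NAME('USING(X) PASSWORD(Y)') TYPE(USER) DEPT(DEPT1)",
    "tss create(newusr4) using(model2) password(xxxx)",
]

if __name__ == "__main__":
    if aes_inactive(SAMPLE_STATUS):
        for acid, model in affected_acids(SAMPLE_COMMANDS):
            print(f"delete and rebuild {acid} (created USING {model} with PASSWORD)")
```

Run it only over commands issued during the window in which SO16294 was applied without the three PTFs.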