Error 'ICH302D REPLY Y TO ALLOW ANOTHER ATTEMPT OR N TO REVOKE USER' causes the Region to reject the User logon, until the WTOR is replied to from the console.

Article ID: 53222

Products

CA CMDB for z/OS
CA NetSpy Network Performance
CA NetMaster Network Automation
CA SOLVE
CA NetMaster Network Management for SNA
CA NetMaster Network Management for TCP/IP
CA NetMaster File Transfer Management
CA SOLVE:Operations Automation
SOLVE:Access Session Management
CA SOLVE:FTS
CA SOLVE

Issue/Introduction

A RACF Userid is defined with the SPECIAL attribute. When the number of unsuccessful password attempts is reached, RACF generates the 'ICH302D' message, i.e. a WTOR requesting a reply. As long as the reply remains outstanding, the User logon is suspended for all Users trying to access this Region.
How can this problem be resolved?

Cause

The user is unable to log on.

Environment

Release: SLOPFC00200-12.1-NetMaster-File Transfer Management
Component:

Resolution

Message:

ICH301I MAXIMUM PASSWORD ATTEMPTS BY SPECIAL USER xxxxxxx

follows message 'ICH302D', to indicate that the Userid maximum number of password attempts has been reached. This problem only occurs on a Userid defined with the SPECIAL attribute in RACF, and is due to a security exposure.

It also occurs on other applications such as the CA-TPX Session Manager or IBM's NVAS Session Manager. The CA Knowledge Base article KB000054554 covers this for TPX and gives more details, as well as an IBM APAR for NVAS, although this should be cross-checked on the IBM web site for current APARs.

This problem can be fixed by one of the following methods:

  1. Reply to the ICH302D message manually or automatically by an Automation product.
     
  2. Change the permissible number of password attempts using the following command:

    SETROPTS PASSWORD(REVOKE(number_invalid_passwords))
     
  3. Remove the SPECIAL attribute from the Userid involved.
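
For method 1, the following added example (not part of the CA article or any CA product) scans console log text for ICH302D WTORs, reports the ones still awaiting a reply, and counts how often each Userid was granted another attempt with a Y reply. It assumes a simplified "HH:MM:SS text" log layout, that the ICH302D text ends with the Userid, and that replies are echoed as IEE600I; the sample lines and the Userid ADMIN01 are constructed.

```python
import re
from collections import Counter

# Constructed sample in a simplified "HH:MM:SS text" layout (assumption; real
# SYSLOG/OPERLOG records have more columns). ADMIN01 is a made-up userid.
SAMPLE_LOG = """\
09:14:02 *07 ICH302D REPLY Y TO ALLOW ANOTHER ATTEMPT OR N TO REVOKE USERID ADMIN01
09:15:40 IEE600I REPLY TO 07 IS;Y
09:16:05 *08 ICH302D REPLY Y TO ALLOW ANOTHER ATTEMPT OR N TO REVOKE USERID ADMIN01
09:16:06 IEE600I REPLY TO 08 IS;Y
09:21:13 *09 ICH302D REPLY Y TO ALLOW ANOTHER ATTEMPT OR N TO REVOKE USERID ADMIN01
"""

# WTOR line: optional '*' marker, reply id, message id, userid as last token.
WTOR = re.compile(r"^(\d\d:\d\d:\d\d) \*?(\d+) ICH302D .*REVOKE USERID (\S+?)\.?$")
# Reply echo: reply id and the operator's (or automation's) reply text.
REPLY = re.compile(r"^(\d\d:\d\d:\d\d) IEE600I REPLY TO (\d+) IS;(\S*)")


def review_ich302d(log_text):
    """Return (outstanding ICH302D WTORs, per-user count of 'Y' replies)."""
    pending = {}           # reply id -> (time issued, userid)
    y_replies = Counter()  # userid -> times another attempt was allowed
    for line in log_text.splitlines():
        line = line.rstrip()
        m = WTOR.match(line)
        if m:
            issued, reply_id, user = m.groups()
            pending[reply_id] = (issued, user)
            continue
        m = REPLY.match(line)
        if m and m.group(2) in pending:
            _, user = pending.pop(m.group(2))
            if m.group(3).upper().startswith("Y"):
                y_replies[user] += 1
    outstanding = [{"reply_id": rid, "user": user, "issued": issued}
                   for rid, (issued, user) in pending.items()]
    return outstanding, dict(y_replies)


if __name__ == "__main__":
    outstanding, y_replies = review_ich302d(SAMPLE_LOG)
    for w in outstanding:
        print(f"logons blocked: WTOR {w['reply_id']} for {w['user']} "
              f"pending since {w['issued']}")
    for user, n in y_replies.items():
        print(f"{user}: {n} extra password attempt(s) granted by console reply")
```

Repeated Y replies for the same SPECIAL Userid are worth reviewing before the reply is automated, because each one permits another password attempt.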

Additional Information

KB000054554: TPX users inhibited from signing on when a WTOR is pending with system console messages ICH301I and ICH302D or ICH303I and ICH304D.