IBM Support

DFHXS1201 'invalid password' for FEPI passticket in CICS back-end region

Question & Answer


Question

Why do my FEPI nodes fail with message DFHXS1201 indicating the password is invalid in my CICS Transaction Server for z/OS (CICS TS) back-end region? The password is actually a passticket generated on a front-end FEPI node and sent to a back-end FEPI node for use. The DFHXS1201 failure occurs during signon to the back-end FEPI node, using the generated passticket passed in.

Here is the CICS message I receive:
DFHXS1201 The password supplied in the verification request for userid userid was invalid. This occurred in transaction tranid when userid userid was signed on at netname netname.

Answer

Message DFHXS1201, indicating the password is invalid, was issued because the passticket was generated with the wrong APPLID.

The front-end FEPI application was connecting to the back-end target CICS region using a FEPI TARGET definition with the back-end target CICS region's Generic APPLID. Therefore, the FEPI REQUEST PASSTICKET command caused the passticket to be created using the back-end target CICS region's Generic APPLID. However, the back-end target CICS region had GRNAME coded within its system initialization table (SIT). So, RACF failed the verification because the APPLIDs were not the same.

To resolve this situation, the FEPI TARGET definition must be updated to specify an APPLID equal to the GRNAME used by the back-end target CICS region. This will cause the passticket to be generated with the correct APPLID and allow RACF to verify the passticket as valid.
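The mismatch described above can be checked before it shows up as DFHXS1201. The following is an added example, not IBM code and not part of the original technote: it parses a back-end region's SIT overrides, works out which name the passticket must be generated for, and lists FEPI targets that use a different APPLID. The SIT text, target names and APPLID values are constructed, and the fallback to APPLID when GRNAME is not coded is an assumption.

```python
import re

# Constructed SIT overrides for a back-end region (not from the page).
SIT_BACKEND = """\
APPLID=(CICSPRD,CICSPRD1),
GRNAME=CICSGRP,
SEC=YES,
.END
"""

# Constructed inventory of front-end FEPI targets: target name -> APPLID used.
FEPI_TARGETS = {"TGTPROD": "CICSPRD", "TGTFIXED": "CICSGRP"}


def parse_sit(text):
    """Return SIT keywords as a dict; parenthesised values become lists."""
    params = {}
    for m in re.finditer(r"^\s*([A-Z0-9]+)=(\([^)]*\)|[^,\s]+)", text, re.M):
        key, val = m.group(1), m.group(2)
        params[key] = val.strip("()").split(",") if val.startswith("(") else val
    return params


def verification_applid(sit):
    """Name the passticket must be generated for.

    Per the page: GRNAME when it is coded. Assumption: otherwise the APPLID
    (the generic one when APPLID=(generic,specific) is coded).
    """
    if sit.get("GRNAME"):
        return sit["GRNAME"]
    applid = sit["APPLID"]
    return applid[0] if isinstance(applid, list) else applid


def mismatched_targets(sit_text, targets):
    """List (target, applid_used, applid_expected) for targets that would fail."""
    expected = verification_applid(parse_sit(sit_text))
    return [(t, a, expected) for t, a in sorted(targets.items())
            if a.upper() != expected.upper()]


if __name__ == "__main__":
    for target, used, expected in mismatched_targets(SIT_BACKEND, FEPI_TARGETS):
        print(f"{target}: passticket built for {used}, region verifies {expected}"
              " -> expect DFHXS1201")
```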

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Platform":[{"code":"PF035","label":"z\/OS"}],"Component":"FEPI","Version":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]

Product Synonym

CICS/TS CICSTS CICS TS CICS Transaction Server

Document Information

Modified date:
11 June 2015

UID

dwa1196095