IBM Support

DFHUS0002 0309 in DFHUSAD trying to signon using MFA and CA ACF2

Question & Answer


Question

Why do I receive message DFHUS0002 with code x'0309' in DFHUSAD at each attempt to sign-on to CICS Transaction Server for z/OS (CICS TS)? Our site is trying to implement Multi-factor Authentication (MFA) where the password is the token #, and both new password fields are the PIN number for the token. Our security manager is CA ACF2 from CA Technologies.

These are the messages I receive:
DFHUS0002 A SEVERE ERROR (CODE X'0309') HAS OCCURRED IN MODULE DFHUSAD.
DFHME0116 (MODULE:DFHMEME) CICS SYMPTOM STRING FOR MESSAGE DFHUS0002 IS
PIDS/5655Y0400 LVLS/700 MS/DFHUS0002 RIDS/DFHUSAD PTFS/UI44768
PRCS/00000309

I took a CICS trace of one of the failures and I see the following trace entries:

 US 0301 USAD  ENTRY ADD_USER_WITH_PASSWORD SIGNON_TYPE(USER_SIGN_ON)
                     USERID_LENGTH(8) USERID(useridx) PASSWORD_TYPE(CLEAR)
                       
  XS 0601 XSPW  ENTRY UPDATE_PASSWORD USERID_LENGTH(8) (USERID(useridxx)                  
                      USERID(I652219) PASSWORD(00000000 , 00000000) 

  XS 0602 XSPW  EXIT  UPDATE_PASSWORD/EXCEPTION                          
                      REASON(INVALID_PASSWORD_COMBO)                     
                      SAF_RESPONSE(0) SAF_REASON(0)
                      ESM_RESPONSE(0) ESM_REASON(0)  

 US 0309 USAD  *EXC* Exception-unknown FUNCTION(ADD_USER_WITH_PASSWORD)
                     SIGNON_TYPE(USER_SIGN_ON) USERID_LENGTH(8)
                     USERID(useridxx) PASSWORD_TYPE(CLEAR)

Answer

The US0002 dump is taken because DFHUSAD does not expect the INVALID_PASSWORD_COMBO returned by DFHXSPW. In this scenario, processing only gets as far as DFHXSPW because of the CA code involved. It is not possible to recreate the DFHUS0002 due to INVALID_PASSWORD_COMBO within normal CICS operation.

CA ACF2 Support recommended that current maintenance be applied and said this was most likely related to RO97057, which corrects a problem with RO93181.

Note that it is NOT recommended to use the PHRASE and NEWPHRASE as a means to supply MFA credentials. All the credentials should be supplied as part of the PHRASE, separated by a defined delimiter such as a "/". This avoids the need to supply the PIN twice and also allows the MF validation to run on an L8 TCB instead of blocking the RO TCB, which would happen for the CHANGE PASSWORD route.
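
A triage helper for the failure chain described in the answer, added here as an example (it is not IBM or CA code): it parses CICS trace text in the layout shown in the question and reports sign-on attempts where the XS 0602 exit returned INVALID_PASSWORD_COMBO before the US 0309 exception. The sample trace, its userid and the function names are constructed for illustration.

```python
import re

# Constructed sample, modelled on the trace excerpt in the question (userid is a placeholder).
SAMPLE_TRACE = """\
 US 0301 USAD  ENTRY ADD_USER_WITH_PASSWORD SIGNON_TYPE(USER_SIGN_ON)
                     USERID_LENGTH(8) USERID(USERIDXX) PASSWORD_TYPE(CLEAR)
 XS 0601 XSPW  ENTRY UPDATE_PASSWORD USERID_LENGTH(8) USERID(USERIDXX)
 XS 0602 XSPW  EXIT  UPDATE_PASSWORD/EXCEPTION
                     REASON(INVALID_PASSWORD_COMBO)
                     SAF_RESPONSE(0) SAF_REASON(0)
                     ESM_RESPONSE(0) ESM_REASON(0)
 US 0309 USAD  *EXC* Exception-unknown FUNCTION(ADD_USER_WITH_PASSWORD)
                     SIGNON_TYPE(USER_SIGN_ON) USERID_LENGTH(8)
                     USERID(USERIDXX) PASSWORD_TYPE(CLEAR)
"""

HEADER = re.compile(r"^\s*([A-Z]{2}) ([0-9A-F]{4}) (\S+)\s+(ENTRY|EXIT|\*EXC\*)\s+(.*)$")
FIELD = re.compile(r"(\w+)\(([^()]*)\)")

def parse_trace(text):
    """Fold continuation lines into their entry and extract KEY(value) fields."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            domain, point, module, kind, rest = m.groups()
            entries.append({"point": f"{domain} {point}", "module": module,
                            "kind": kind, "text": rest.strip()})
        elif entries and line.strip():
            entries[-1]["text"] += " " + line.strip()
    for e in entries:
        e["fields"] = dict(FIELD.findall(e["text"]))
    return entries

def find_password_combo_failures(entries):
    """Return userids where XSPW rejected the password pair and USAD then raised 0309."""
    hits, pending = [], False
    for e in entries:
        if e["point"] == "XS 0602" and e["fields"].get("REASON") == "INVALID_PASSWORD_COMBO":
            pending = True
        elif e["point"] == "US 0309" and pending:
            hits.append(e["fields"].get("USERID"))
            pending = False
        elif e["point"] == "US 0301":
            pending = False  # a new sign-on attempt starts a fresh window
    return hits

if __name__ == "__main__":
    print(find_password_combo_failures(parse_trace(SAMPLE_TRACE)))
```

A non-empty result means the trace matches the signature in this document, which points at the security manager maintenance level and the PHRASE/NEWPHRASE usage rather than at CICS itself.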


Document Information

Modified date:
05 December 2017

UID

dwa1417011