Question & Answer
Question
Why do I receive message DFHUS0002 with code x'0309' in DFHUSAD at each attempt to sign-on to CICS Transaction Server for z/OS (CICS TS)? Our site is trying to implement Multi-factor Authentication (MFA) where the password is the token #, and both new password fields are the PIN number for the token. Our security manager is CA ACF2 from CA Technologies.
These are the messages I receive:
DFHUS0002 A SEVERE ERROR (CODE X'0309') HAS OCCURRED IN MODULE DFHUSAD.
DFHME0116
(MODULE:DFHMEME) CICS SYMPTOM STRING FOR MESSAGE DFHUS0002 IS
PIDS/5655Y0400 LVLS/700 MS/DFHUS0002 RIDS/DFHUSAD PTFS/UI44768
PRCS/00000309
I took a CICS trace of one of the failures and I see the following trace entries:
US 0301 USAD ENTRY ADD_USER_WITH_PASSWORD SIGNON_TYPE(USER_SIGN_ON)
USERID_LENGTH(8) USERID(useridx) PASSWORD_TYPE(CLEAR)
XS 0601 XSPW ENTRY UPDATE_PASSWORD USERID_LENGTH(8) (USERID(useridxx)
USERID(I652219) PASSWORD(00000000 , 00000000)
XS 0602 XSPW EXIT UPDATE_PASSWORD/EXCEPTION
REASON(INVALID_PASSWORD_COMBO)
SAF_RESPONSE(0) SAF_REASON(0)
ESM_RESPONSE(0) ESM_REASON(0)
US 0309 USAD *EXC* Exception-unknown FUNCTION(ADD_USER_WITH_PASSWORD)
SIGNON_TYPE(USER_SIGN_ON) USERID_LENGTH(8)
USERID(useridxx) PASSWORD_TYPE(CLEAR)
Answer
The US0002 dump is taken because DFHUSAD does not expect the INVALID_PASSWORD_COMBO returned by DFHXSPW. In this scenario, processing only gets as far as DFHXSPW because of the CA code involved. It is not possible to recreate the DFHUS0002 due to INVALID_PASSWORD_COMBO within normal CICS operation.
CA ACF2 Support recommended that current maintenance be applied and said this was most likely related to RO97057, which corrects a problem with RO93181.
Note that it is NOT recommended to use the PHRASE and NEWPHRASE as a means to supply MFA credentials. All the credentials should be supplied as part of the PHRASE, separated by a defined delimiter such as a "/". This avoids the need to supply the PIN twice and also allows the MF validation to run on an L8 TCB instead of blocking the RO TCB, which would happen for the CHANGE PASSWORD route.
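The trace signature quoted in the question can be searched for in formatted trace output to identify which sign-ons hit this condition. The following is an added example, not part of the original IBM document or of CICS itself; it assumes abbreviated-format trace entries for a single task laid out as in the question, and the function names are illustrative.

```python
import re

# Constructed sample, adapted from the abbreviated trace entries in the question.
SAMPLE_TRACE = """\
US 0301 USAD ENTRY ADD_USER_WITH_PASSWORD SIGNON_TYPE(USER_SIGN_ON)
USERID_LENGTH(8) USERID(useridxx) PASSWORD_TYPE(CLEAR)
XS 0601 XSPW ENTRY UPDATE_PASSWORD USERID_LENGTH(8) USERID(useridxx)
XS 0602 XSPW EXIT UPDATE_PASSWORD/EXCEPTION
REASON(INVALID_PASSWORD_COMBO)
SAF_RESPONSE(0) SAF_REASON(0)
ESM_RESPONSE(0) ESM_REASON(0)
US 0309 USAD *EXC* Exception-unknown FUNCTION(ADD_USER_WITH_PASSWORD)
SIGNON_TYPE(USER_SIGN_ON) USERID_LENGTH(8)
USERID(useridxx) PASSWORD_TYPE(CLEAR)
"""

# An entry starts with domain, trace point id and module; other lines continue it.
HEADER = re.compile(r"^([A-Z]{2}) ([0-9A-F]{4}) (\w+) +(.*)$")
FIELD = re.compile(r"(\w+)\(([^()]*)\)")  # KEYWORD(value) pairs

def parse_entries(text):
    """Group trace lines into entries and extract their KEYWORD(value) fields."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"domain": m[1], "point": m[2], "module": m[3], "text": m[4]})
        elif line and entries:
            entries[-1]["text"] += " " + line
    for e in entries:
        e["fields"] = dict(FIELD.findall(e["text"]))
    return entries

def find_change_route_failures(text):
    """Report sign-ons where XSPW UPDATE_PASSWORD returned INVALID_PASSWORD_COMBO
    and USAD then raised exception trace point 0309 (the DFHUS0002 condition)."""
    hits, pending = [], None
    for e in parse_entries(text):
        f = e["fields"]
        if (e["module"] == "XSPW" and "UPDATE_PASSWORD/EXCEPTION" in e["text"]
                and f.get("REASON") == "INVALID_PASSWORD_COMBO"):
            pending = f
        elif e["module"] == "USAD" and e["point"] == "0309" and pending:
            hits.append({"userid": f.get("USERID"), "signon_type": f.get("SIGNON_TYPE"),
                         "reason": pending["REASON"], "saf_response": pending.get("SAF_RESPONSE")})
            pending = None
    return hits
```

Each hit is a sign-on that went through UPDATE_PASSWORD, that is, the change-password route that the note above advises against for supplying MFA credentials.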
Product Synonym
CICS/TS CICSTS CICS TS CICS Transaction Server
Document Information
Modified date:
05 December 2017
UID
dwa1417011