IBM Support

Unexpected RACROUTE REQUEST=VERIFYX call made using ACF2 MFA

Question & Answer


Question

You are modifying a few CICS Transaction Server for z/OS (CICS TS) applications to exploit ACF2 Multi-Factor Authentication (MFA) with SecurID tokens, using the EXEC CICS VERIFY PHRASE command to pass the PIN plus token as the phrase. You see a successful R_password check, but DFHXSSB then issues an unexpected RACROUTE REQUEST=VERIFYX call using the same password credentials (the secured token). Because token values are one-time use only, this duplicate password check fails.

Why would DFHXSSB issue the VERIFYX call when the R_password call appears to have succeeded?

Answer

The R_password service is documented to process only passwords and password phrases; it is not to be used to process tokens, because the call is intended to be lightweight and fast. R_password cannot be successful if it is called to validate anything that is not a valid password or passphrase, so any attempt to validate a token should fail. CICS would then make a VERIFYX call, which can successfully validate tokens.

The only way the CICS code can go on to issue a VERIFYX call after R_password returns OK is if the user or group is revoked or the user is expired (passdate is 0). If the user is not revoked or expired, and the external security manager reported that the supplied phrase value was correct, CICS would not make any further calls.

In this case, a SLIP trap confirmed that the user's actual password had expired. R_password incorrectly returned an OK response, and CICS then called VERIFYX. External security managers should not use the R_password service to validate a single-use token, because the interface does not support that.

ACF2 users should apply fix ST05388.
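To make the call sequence in the answer concrete, here is an added model of the DFHXSSB decision flow (a hypothetical Python simulation written for this page, not CICS or ACF2 code). It assumes a constructed one-time token store standing in for the MFA server, and compares an external security manager (ESM) that correctly rejects tokens on R_password with one showing the bug described above.

```python
# Model of the CICS VERIFY PHRASE call sequence (R_password, then VERIFYX).
# Hypothetical simulation for illustration; not CICS, RACF or ACF2 code.

class TokenStore:
    """Constructed stand-in for the MFA server: each token value validates once."""
    def __init__(self, tokens):
        self._unused = set(tokens)

    def consume(self, token):
        # A token that was already validated (by any caller) is no longer valid.
        if token in self._unused:
            self._unused.remove(token)
            return True
        return False


def r_password(esm_bug, phrase, store):
    """Model of the ESM's R_password handler.

    Correct behaviour: R_password handles passwords/phrases only, so a token
    is never validated here and the call fails. With the bug described on the
    page, the ESM validates (and consumes) the token and returns OK.
    """
    if not esm_bug:
        return False
    return store.consume(phrase)


def verifyx(user, phrase, store):
    """Model of RACROUTE REQUEST=VERIFYX: validates tokens, consuming the value."""
    return not user["revoked"] and store.consume(phrase)


def verify_phrase(esm_bug, user, phrase, store):
    """DFHXSSB flow as described in the answer.

    Returns (result, calls): calls lists the ESM calls made, in order.
    """
    calls = ["R_password"]
    ok = r_password(esm_bug, phrase, store)
    # Only a revoked user/group or an expired user (passdate 0) triggers
    # VERIFYX after an OK response; otherwise CICS makes no further calls.
    if ok and not user["revoked"] and user["passdate"] != 0:
        return True, calls
    calls.append("VERIFYX")
    return verifyx(user, phrase, store), calls
```

With the buggy ESM and an expired user, the token is consumed by R_password and the follow-on VERIFYX fails; with the correct ESM, R_password rejects the token and VERIFYX validates it.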


Product Synonym

CICS/TS CICSTS CICS TS CICS Transaction Server

Document Information

Modified date:
24 March 2020

UID

dwa1483808