Error 'ICH302D REPLY Y TO ALLOW ANOTHER ATTEMPT OR N TO REVOKE USER' causes the Region to reject the User logon, until the WTOR is replied to from the console.

Document ID : KB000053222
Last Modified Date : 07/03/2018
Issue:

A RACF Userid is defined with the SPECIAL attribute. When the permitted number of unsuccessful password attempts is reached, RACF issues message 'ICH302D', a WTOR that requests a reply. As long as the reply remains outstanding, logon is suspended for all Users trying to access this Region.
How can this problem be resolved?
 

Cause:
The user is unable to log on.
 
Resolution:

Message:

ICH301I MAXIMUM PASSWORD ATTEMPTS BY SPECIAL USER xxxxxxx

follows message 'ICH302D', to indicate that the maximum number of password attempts for the Userid has been reached. This problem only occurs on a Userid defined with the SPECIAL attribute in RACF, and is due to a security exposure.

It also occurs in other applications, such as the CA-TPX Session Manager or IBM's NVAS Session Manager. CA Knowledge Base article KB000054554 covers this for TPX; it gives more details as well as an IBM APAR for NVAS, although the APAR should be cross-checked on the IBM web site against current APARs.

This problem can be fixed by one of the following methods:

  1. Reply to the ICH302D message manually or automatically by an Automation product.
     
  2. Change the permissible number of password attempts using the following command:

    SETROPTS PASSWORD(REVOKE(number_invalid_passwords))
     
  3. Remove the SPECIAL attribute from the Userid involved.
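
Method 1 depends on noticing that an ICH302D request is outstanding. The Python sketch below is an added example, not part of the original article or of any CA or IBM product: it scans a console log, pairs each ICH302D with its ICH301I in whichever order they were logged, and reports the requests that have not been answered. The log layout (timestamp, "*nn" reply ID, "R nn,text" reply echo) and the user IDs are constructed for illustration.

```python
import re

# Constructed, simplified console log (not a real SYSLOG layout):
# "HH:MM:SS text"; a WTOR is "*nn message", an operator reply is "R nn,text".
SAMPLE_LOG = """\
09:14:02 ICH301I MAXIMUM PASSWORD ATTEMPTS BY SPECIAL USER ADMIN01
09:14:02 *17 ICH302D REPLY Y TO ALLOW ANOTHER ATTEMPT OR N TO REVOKE USER
09:20:45 R 17,N
10:02:11 *18 ICH302D REPLY Y TO ALLOW ANOTHER ATTEMPT OR N TO REVOKE USER
10:02:11 ICH301I MAXIMUM PASSWORD ATTEMPTS BY SPECIAL USER SECADM2
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(.*)$")
ICH301I = re.compile(r"^ICH301I MAXIMUM PASSWORD ATTEMPTS BY SPECIAL USER (\S+)")
ICH302D = re.compile(r"^\*(\d+) ICH302D ")
REPLY = re.compile(r"^R(?:EPLY)? (\d+),\s*(\S+)", re.IGNORECASE)

def track_ich302d(log_text):
    """Return (answered, outstanding) ICH302D requests found in log_text."""
    pending, answered = {}, []
    last_user = None   # user from an ICH301I not yet paired with a WTOR
    nameless = None    # ICH302D event still waiting for its ICH301I
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, text = m.groups()
        if (u := ICH301I.match(text)):
            if nameless is not None:          # ICH302D was logged first
                nameless["user"] = u.group(1)
                nameless = None
            else:
                last_user = u.group(1)
        elif (w := ICH302D.match(text)):
            event = {"reply_id": w.group(1), "user": last_user, "issued": ts}
            nameless = None if last_user else event
            last_user = None
            pending[w.group(1)] = event
        elif (r := REPLY.match(text)) and r.group(1) in pending:
            event = pending.pop(r.group(1))
            event.update(replied=ts, reply=r.group(2).upper())
            answered.append(event)
    return answered, list(pending.values())

if __name__ == "__main__":
    answered, outstanding = track_ich302d(SAMPLE_LOG)
    for e in answered:
        print(f"{e['user']}: reply {e['reply']} to WTOR {e['reply_id']} at {e['replied']}")
    for e in outstanding:
        print(f"ALERT {e['user']}: WTOR {e['reply_id']} unanswered since {e['issued']}")
```
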
Additional Information:
KB000054554: TPX users inhibited from signing on when a WTOR is pending with system console messages ICH301I and ICH302D or ICH303I and ICH304D.