ICSF encryption is activated but there are no SAF calls for class CSFSERV resource CSFREFR.
search cancel

ICSF encryption is activated but there are no SAF calls for class CSFSERV resource CSFREFR.

book

Article ID: 11092

calendar_today

Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC PanApt PanAudit

Issue/Introduction



ICSF encryption is active and per IBM doc, to secure the refresh instorage option, they need to secure class CSFSERV resource CSFREFR. They are not seeing any SAF calls made for this when they run the ACF2 SECTRACE.

Environment

Release:
Component: ACF2MS

Resolution

The ICSF CHECKAUTH parameter controls whether or not RACROUTE security calls are made for callers that are supervisor state or are running in a system key (key 0 - 7). Typically, programs running in supervisor state or in a system key would be considered authorized and would not need any extra authentication. ICSF parameter setting of CHECKAUTH(YES) will turn on the needed SAF calls.

The CSFPRMxx member of SYS1.PARMLIB contains the ICSF startup parameters including the CHECKAUTH parameter. Note that with CHECKAUTH(NO), accesses to the ICSF services are not logged in SMF records for callers that are in supervisor state or in a system key.