JES2 error message $HASP186 SYSLOG OUTGRP=x.x.x NOT SELECTED BY STC0xxxx/<filename> DUE TO SECURITY POLICY
search cancel

JES2 error message $HASP186 SYSLOG OUTGRP=x.x.x NOT SELECTED BY STC0xxxx/<filename> DUE TO SECURITY POLICY

book

Article ID: 11105

calendar_today

Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC PanApt PanAudit

Issue/Introduction

After an upgrade to z/OS or SDSF migration to external SAF security, the following message is seen:

$HASP186 SYSLOG OUTGRP=n.n.n NOT SELECTED BY STC0xxxx/<filename> DUE TO SECURITY POLICY.

It was suggested to use JES2 command $T DEBUG,SECURITY=YES to show RACF violations causing this message. When issuing this JES2 command, there are no ACF2 violation messages. There is also nothing showing up in the ACFRPTRV report.

How can this issue be diagnosed?

Environment

Release: R16
Component: ACF2MS

Resolution

This error most commonly happens for the (JES2) resource classes WRITER and JESSPOOL. 

To see these violations, set a SECTRACE for all AUTH calls happening on the system. There is likely a validation occurring with LOG=NONE which would result in no SMF record for the ACFRPTRV report.

The SECTRACE operator command is as follows:

 

ST SET,ID=xxxx,TYPE=SAFP,FORMAT=DUMP,TRACE=ALL 
nn CAS...... SPECIFY RACROUTE PARAMETERS...    
r nn,REQUEST=AUTH,END    
nn CAS......Continue SECTRACE SPECIFICATIONS...    
r nn,END

 

This command will set a SECTRACE for AUTH calls. No CLASS is specified because it is unclear from the error message what CLASS is the reason for the violation. 

 

Set the SECTRACE before testing, then after receiving the $HASP186 error, delete the SECTRACE using this operator command:

 

ST DEL,ID=xxxx

 

Run the ACFRPTST report using the SMF records generated during your test. You can use the ISPF panels to generate the report or use a batch job. The batch job only requires a few statements:

 

//JOB....
// EXEC PGM=ACFRPTST,PARM='DETAIL'
//SYSPRINT DD SYSOUT=*
//REC0001 DD DSN=SYS1.MAN1,DISP=SHR <--substitute the active SMF filename
//*

 

The output report should contain a RACROUTE AUTH call with SFR/RFR codes of 8/8:0. This failed AUTH call is likely related to the $HASP186 message and the CLASS and ENTITY can be used to write an appropriate resource rule. A LOG keyword in the RACROUTE call specifying anything other than ASIS would explain why no SMF record was generated for the ACFRPTRV report.

Additional Information

Note that the default internal SAFDEF records for JESSPOOL and WRITER resource classes provided by CA ACF2 specify MODE=IGNORE for these validation requests.

Powered by Wolken Software