After a z/OS upgrade or an SDSF migration to external SAF security, the following message is seen:
$HASP186 SYSLOG OUTGRP=n.n.n NOT SELECTED BY STC0xxxx/<filename> DUE TO SECURITY POLICY.
It was suggested to use the JES2 command $T DEBUG,SECURITY=YES to show the RACF violations causing this message. When this JES2 command is issued, no ACF2 violation messages appear, and nothing shows up in the ACFRPTRV report.
How can this issue be diagnosed?
Release: R16
Component: ACF2MS
This error most commonly happens for the (JES2) resource classes WRITER and JESSPOOL.
To see these violations, set a SECTRACE for all AUTH calls happening on the system. There is likely a validation occurring with LOG=NONE, which would result in no SMF record for the ACFRPTRV report.
The SECTRACE operator command is as follows:
ST SET,ID=xxxx,TYPE=SAFP,FORMAT=DUMP,TRACE=ALL
nn CAS...... SPECIFY RACROUTE PARAMETERS...
r nn,REQUEST=AUTH,END
nn CAS......Continue SECTRACE SPECIFICATIONS...
r nn,END
This command sets a SECTRACE for AUTH calls. No CLASS is specified because the error message does not make clear which CLASS caused the violation.
Set the SECTRACE before testing, then after receiving the $HASP186 error, delete the SECTRACE using this operator command:
ST DEL,ID=xxxx
Run the ACFRPTST report using the SMF records generated during your test. You can use the ISPF panels to generate the report or use a batch job. The batch job only requires a few statements:
//JOB....
// EXEC PGM=ACFRPTST,PARM='DETAIL'
//SYSPRINT DD SYSOUT=*
//REC0001 DD DSN=SYS1.MAN1,DISP=SHR <--substitute the active SMF filename
//*
The output report should contain a RACROUTE AUTH call with SFR/RFR codes of 8/8:0. This failed AUTH call is likely related to the $HASP186 message, and its CLASS and ENTITY can be used to write an appropriate resource rule. A LOG keyword in the RACROUTE call specifying anything other than ASIS would explain why no SMF record was generated for the ACFRPTRV report.
Note that the default internal SAFDEF records for JESSPOOL and WRITER resource classes provided by CA ACF2 specify MODE=IGNORE for these validation requests.