How can it be that the Web Services started task(s) raise security violations for resources in the JESSPOOL resource class?
Release:
Component: ENDBAS
This may happen when the system protects JES2 spool resources by having resource class JESSPOOL active in RACF and the JCL for the Web Services started task has any DD statement defined with SYSOUT, for example //BSTERR DD SYSOUT=*.
The reason is that the spool datasets defined in the STC JCL are owned by the userid assigned to the started task, because they are allocated by MVS during initialization of the STC. Later, while a Web Services request is being processed, the userid is swapped to that of the client (for example, the MVS userid specified in the Eclipse plugin).
If Endevor or any user program (a processor step program or a user exit) then tries to write to any of these ddnames, one user (the client's ID) is trying to update spool dataset(s) owned by another user (the started-task user). If the client is not authorized to do that, the result is a security violation similar to the following:
ICH408I USER(<userid> ) GROUP(<groupid>) NAME(DOE, JOHN) 150
MVS01.WSEWSSTC.WSEWSSTC.STC82932.D0000105.? CL(JESSPOOL)
INSUFFICIENT ACCESS AUTHORITY
FROM MVS01.** (G)
ACCESS INTENT(UPDATE ) ACCESS ALLOWED(READ )
$HASP708 WSEWSSTC EN$DPMSG OPEN FAILED 151
RC=11 AUTHORIZATION FAILURE
DSNAME=WSEWSSTC.WSEWSSTC.STC82932.D0000105.?
IEC150I 913-74,IGG0199G,WSEWSSTC,WSEWSSTC,EN$DPMSG 152
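To recognise this specific pattern in SYSLOG output rather than treating every ICH408I as the same problem, the following script (an added example, not part of this article or of the Endevor product) parses the ICH408I / $HASP708 message groups, splits the JESSPOOL resource name into its parts, and flags only those violations where a user who is not the owner of a started-task spool dataset is attempting UPDATE on it. The sample log text is constructed to match the messages shown above (the userid JDOE and group DEVGRP are made up), and the six-part layout of a JESSPOOL profile name (local node, owning userid, jobname, jobid, dataset number, name) is taken from the RACF JESSPOOL class documentation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample SYSLOG excerpt, modelled on the messages in the article.
# A second, unrelated DATASET-class violation is included to show it is NOT flagged.
SAMPLE_LOG = """\
ICH408I USER(JDOE    ) GROUP(DEVGRP  ) NAME(DOE, JOHN           ) 150
MVS01.WSEWSSTC.WSEWSSTC.STC82932.D0000105.? CL(JESSPOOL)
INSUFFICIENT ACCESS AUTHORITY
FROM MVS01.** (G)
ACCESS INTENT(UPDATE ) ACCESS ALLOWED(READ )
$HASP708 WSEWSSTC EN$DPMSG OPEN FAILED 151
RC=11 AUTHORIZATION FAILURE
DSNAME=WSEWSSTC.WSEWSSTC.STC82932.D0000105.?
IEC150I 913-74,IGG0199G,WSEWSSTC,WSEWSSTC,EN$DPMSG 152
ICH408I USER(JDOE    ) GROUP(DEVGRP  ) NAME(DOE, JOHN           ) 160
SYS1.PARMLIB CL(DATASET ) VOL(SYSRES)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(UPDATE ) ACCESS ALLOWED(READ )
"""

ICH408I_RE = re.compile(r"ICH408I USER\((?P<user>[^)]*)\)\s+GROUP\((?P<group>[^)]*)\)")
RESOURCE_RE = re.compile(r"^(?P<resource>\S+)\s+CL\((?P<cls>[^)]*)\)")
INTENT_RE = re.compile(r"ACCESS INTENT\((?P<intent>[^)]*)\)\s+ACCESS ALLOWED\((?P<allowed>[^)]*)\)")
HASP708_RE = re.compile(r"\$HASP708\s+(?P<job>\S+)\s+(?P<dd>\S+)\s+OPEN FAILED")


@dataclass
class Violation:
    user: str                 # userid the request ran under (the swapped-in client id)
    group: str
    resource: str = ""
    resource_class: str = ""
    intent: str = ""
    allowed: str = ""
    ddname: str = ""          # DD that failed to open, from the following $HASP708


@dataclass
class SpoolResource:
    node: str
    owner: str                # userid that owns the spool dataset (the STC userid)
    jobname: str
    jobid: str
    dsid: str
    name: str


def parse_ich408i(text: str) -> List[Violation]:
    """Group SYSLOG lines into one Violation per ICH408I message."""
    violations: List[Violation] = []
    current: Optional[Violation] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ICH408I_RE.search(line)
        if m:
            current = Violation(user=m["user"].strip(), group=m["group"].strip())
            violations.append(current)
            continue
        if current is None:
            continue
        m = RESOURCE_RE.match(line)
        if m and not current.resource:
            current.resource = m["resource"]
            current.resource_class = m["cls"].strip()
            continue
        m = INTENT_RE.search(line)
        if m:
            current.intent = m["intent"].strip()
            current.allowed = m["allowed"].strip()
            continue
        m = HASP708_RE.search(line)
        if m:
            current.ddname = m["dd"]
    return violations


def split_jesspool(resource: str) -> Optional[SpoolResource]:
    """Split localnodeid.userid.jobname.jobid.dsnumber.name into its parts."""
    parts = resource.split(".", 5)
    if len(parts) != 6:
        return None
    return SpoolResource(*parts)


def is_swapped_identity_spool_violation(v: Violation) -> bool:
    """True when the violation matches the article's scenario: UPDATE on a
    started-task (STCnnnnn) spool dataset by a userid other than its owner."""
    if v.resource_class != "JESSPOOL":
        return False
    spool = split_jesspool(v.resource)
    if spool is None:
        return False
    return v.intent == "UPDATE" and spool.jobid.startswith("STC") and spool.owner != v.user


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (requesting user, STC owner userid, failing DD name) for each flagged violation.
    The DD name tells an administrator which spool DD in the STC JCL is involved."""
    result = []
    for v in parse_ich408i(text):
        if is_swapped_identity_spool_violation(v):
            owner = split_jesspool(v.resource).owner
            result.append((v.user, owner, v.ddname))
    return result


if __name__ == "__main__":
    for user, owner, dd in triage(SAMPLE_LOG):
        print(f"user {user} attempted UPDATE on spool owned by STC userid {owner} via DD {dd}")
```

Run against a real SYSLOG extract, the triage output lists exactly the user / STC-owner / DD-name triples that the two circumventions below address: either the listed users need UPDATE on the STC owner's JESSPOOL profiles, or the listed DD names are the SYSOUT DDs to remove from the STC JCL.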
The violations can be cleared by
For reference, the resource names in the JESSPOOL resource class are built as follows:
PTF LU05101:
PROBLEM DESCRIPTION:
WebServices STC now accesses spool datasets under the userid of the user
currently performing a request, not the userid the STC started with.
This means that all Endevor users need write access to spool datasets
owned by the STC userid if there are any trace or log DD names using spool
defined in the STC, like EN$DPMSG.
SYMPTOMS:
If EN$DPMSG or any other DD names used by web services use spool
datasets, and Endevor users are not allowed write access to spool
datasets of the STC userid, a security violation for a resource in class
JESSPOOL occurs when running a web service request.
IMPACT:
Endevor web services cannot be used without taking one of the steps
outlined below:
CIRCUMVENTION:
1) Give all Endevor users write access to spool datasets created by the STC
userid.
2) Remove any spool DD names (except the internal reader), like EN$DPMSG, from
the JCL of the STC.
PRODUCT(S) AFFECTED:
Endevor Software Change Manager Release 18.1