I am trying to protect the use of the $GD command. I receive messages ACF01097 and $HASP690 COMMAND REJECTED - AUTHORIZATION FAILURE. What is needed to set this up?
search cancel

I am trying to protect the use of the $GD command. I receive messages ACF01097 and $HASP690 COMMAND REJECTED - AUTHORIZATION FAILURE. What is needed to set this up?

book

Article ID: 15419

calendar_today

Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC PanApt PanAudit

Issue/Introduction

I want to protect the use of the $G D command.
I tried to submit the command to another node and it failed with messages 

$HASP690 ACF01097 JOB SUBMITTED ON SYSTEM WITHOUT ACF2 AND NO DEFAULT LOGONID
$HASP690 COMMAND REJECTED - AUTHORIZATION FAILURE

What validations occur to control who can issue the command?

Environment

Release: ACF2..001AO-16-ACF2
Component:

Resolution

The format of the command in its simplest form is

$GDnnnn,'<jobname>' 

Where nnnn is the jes node name and <jobname> is the name of the job that you want information about.

(Further details can be found in the IBM z/OS JES2 Commands manual.)

 

The validations that occur are all in the OPERCMDS resource class.

there is one validation on the sending node for resource JES2.GDISPLAY.JOB which will validate against the submitter of the command.

The RACROUTE request looks like this....

RACROUTE REQUEST=AUTH,REQSTOR='SRICCMDA',SUBSYS='JES2z201',

          CLASS='OPERCMDS',RELEASE=1.9,STATUS=NONE,ATTR=READ,DSTYPE=N,
          DECOUPL=YES,ENTITY=('JES2.GDISPLAY.JOB'),FILESEQ=0,
          GENERIC=ASIS,LOG=ASIS,LOGSTR='$GDnnnn,'<jobname>'',MSGRTRN=YES,
          MSGSP=236,MSGSUPP=YES,TAPELBL=STD,UTOKEN=,WORKA=

 

On the executing node there will be another validation for OPERCMDS resource JES2.DISPLAY.JOB.

RACROUTE REQUEST=AUTH,REQSTOR='SRICCMDA',SUBSYS='JES2z201',
         CLASS='OPERCMDS',RELEASE=1.9,STATUS=NONE,ATTR=READ,DSTYPE=N,
         DECOUPL=YES,ENTITY=('JES2.DISPLAY.JOB'),FILESEQ=0,
         GENERIC=ASIS,LOG=ASIS,
         LOGSTR='SSI FORMATTED COMMAND - $D'<jobname>'',MSGRTRN=YES,
         MSGSP=236,MSGSUPP=YES,TAPELBL=STD,UTOKEN=,WORKA=

 

The validation will be against the node name of the sending system.
If that doesn't exist as a logonid, the validation will be against the NJE default logonid.
If that doesn't exist the local system default logonid will be used.

If there is no logonid available for the validation, the request will fail with the following messages...

 

$HASP690 ACF01097 JOB SUBMITTED ON SYSTEM WITHOUT ACF2 AND NO DEFAULT LOGONID
$HASP690 COMMAND REJECTED - AUTHORIZATION FAILURE

 

Additional Information

As the validations are only against resource class OPERCMDS, if you are not validating this class, there will be no protection.

Powered by Wolken Software