After applying ACF2 maintenance - getting S047 errors with MFA AZFEXEC

Article ID: 194884

Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC, CA LDAP Server for z/OS, CA PAM Client for Linux for zSeries, CA Web Administrator for Top Secret

Issue/Introduction

After applying ACF2 maintenance, IBM MFA AZFEXEC fails with the following error:

CEE0374C CONDITION=CEE3250C TOKEN=00040CB2 61C3C5C5 00000000_00000000
          WHILE RUNNING PROGRAM ACF9C000
          AT THE TIME OF INTERRUPT

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

The holddata for PTF SO04001 said to insert the SAFDEF as follows:

GSO SAFDEF record as follows:                      
INSERT SAFDEF.IBMMFA ID(IBMMFA) NOAPFCHK,          
RACROUTE(REQUEST=AUTH,CLASS=FACILITY,STATUS=ACCESS,
         ENTITYX=('IRR.RFACTOR.MFADEF.********'))  

Unfortunately, the SAFDEF as given in the holddata contains an error. When asterisks are used as a mask in the entity, the number of asterisks must exactly equal the length of the part of the resource name being masked. In this case, the SAFDEF with IRR.RFACTOR.MFADEF.******** would not match IRR.RFACTOR.MFADEF.AZFSTC but would match IRR.RFACTOR.MFADEF.AZFRADP1.

To correct this, either change the SAFDEF records to be exact matches or use the dash (-) character as the mask.

To use the dash, change the ENTITYX to ENTITYX=IRR.RFACTOR.MFADEF.AZF-, which will match 'IRR.RFACTOR.MFADEF.AZFRADP1' and 'IRR.RFACTOR.MFADEF.AZFSTC'.

ACF
INSERT SAFDEF.IBMMFA1 ID(IBMMFA1) NOAPFCHK, RACROUTE(REQUEST=AUTH,CLASS=FACILITY,STATUS=ACCESS,ENTITYX=IRR.RFACTOR.MFADEF.AZF-)

F ACF2,REFRESH(SAFDEF)
END
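
To check a planned set of SAFDEF entities against the MFA resource names before inserting them, the sketch below models the masking behaviour described in this article. It is an added example, not ACF2 or Broadcom code, and it assumes that an asterisk stands for exactly one character and that a trailing dash stands for any remaining characters; the function names are hypothetical.

```python
# Model of SAFDEF ENTITYX masking as described in this article.
# Assumptions (not taken from ACF2 itself): '*' stands for exactly one
# character, a trailing '-' stands for zero or more remaining characters,
# and any other character (including a non-trailing '-') is a literal.

def _fixed_match(mask: str, text: str) -> bool:
    """Compare equal-length strings position by position, '*' as wildcard."""
    return len(mask) == len(text) and all(
        m == "*" or m == c for m, c in zip(mask, text)
    )

def entity_matches(mask: str, resource: str) -> bool:
    """Return True if `resource` is covered by the entity `mask`."""
    if mask.endswith("-"):
        prefix = mask[:-1]
        # The dash absorbs whatever follows the fixed prefix.
        return len(resource) >= len(prefix) and _fixed_match(
            prefix, resource[: len(prefix)]
        )
    # Without a dash, the mask and the resource must be the same length.
    return _fixed_match(mask, resource)

def uncovered(masks, resources):
    """List the resources that no mask in `masks` matches."""
    return [r for r in resources if not any(entity_matches(m, r) for m in masks)]

# Resource names and entity values quoted in this article.
RESOURCES = ["IRR.RFACTOR.MFADEF.AZFSTC", "IRR.RFACTOR.MFADEF.AZFRADP1"]
HOLDDATA_MASK = "IRR.RFACTOR.MFADEF.********"
DASH_MASK = "IRR.RFACTOR.MFADEF.AZF-"

if __name__ == "__main__":
    candidates = {
        "holddata (asterisks)": [HOLDDATA_MASK],
        "dash mask": [DASH_MASK],
        "exact matches": RESOURCES,
    }
    for label, masks in candidates.items():
        missing = uncovered(masks, RESOURCES)
        print(f"{label}: {'all covered' if not missing else 'NOT covered: ' + ', '.join(missing)}")
```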