Violation in CICS Region Status Server in ACF2 environment for class FCICSFCT message DFHCF0512

Article ID: 194892

Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC, CA LDAP Server for z/OS, CA PAM Client for Linux for zSeries, CA Web Administrator for Top Secret

Issue/Introduction

When starting a CICS region status server the following error is seen: 

DFHCF0512  RACROUTE REQUEST=FASTAUTH for resource TESTPLEX gave R15=00000008,SAFPRRET=00000008,SAFPRREA=00000000.
DFHCF0513  Attempt to open table TESTPLEX was rejected by the external security manager.

What is causing this problem, and how can it be fixed?

Cause

The description of message DFHCF0512 states the following:

DFHCF0512 RACROUTE REQUEST=FASTAUTH for resource resource gave R15=rc, SAFPRRET=retcode, SAFPRREA=rsncode.

Explanation: A coupling facility data table OPEN, SET or DELETE security check gave a non-zero return code. This message indicates the resource name used for the check, the RACROUTE register 15 return code and the external security manager return and reason codes returned in the SAF request parameter list.

System action: Access to the table is rejected with message DFHCF0513.

User response: See the documentation of the RACROUTE macro with REQUEST=FASTAUTH in z/OS Security Server RACROUTE Macro Reference (GC28-1922) for the explanation of the return and reason codes.

Module: DFHCFXS

The description of message DFHCF0513 is as follows:

DFHCF0513 Attempt to open table table was rejected by the external security manager.

Explanation: A security check was performed by the coupling facility data table server to determine whether the connected region was allowed to open the named table, and the external security manager indicated that access was not allowed.

System action: The table open request is rejected.

User response: See the preceding message DFHCF0512 for the specific reason that access was rejected. Check that the correct table name was specified. Ensure that the client region is authorized to access the resource matching the table name (prefixed by the server region userid if SECPRFX=YES was specified) in the CICS file resource class (usually 'FCICSFCT').

Module: DFHCFXS

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

The FCICSFCT violation is occurring outside of ACF2/CICS and needs a rule for type SAF
(a different TYPE can be assigned by adding a CLASMAP record in the ACF2 CONTROL(GSO) records).


The violation was for UPDATE access.
The resource class is FCICSFCT.
The resource name in the validation is TESTPLEX.
RSAF-TESTPLEX                                            *VIO RSAF-TESTPLEX
CICSUIDCICS1 STCINRDR SYS2 ACF9CFAT NO-REC - DIRECTRY UPDT
20.191 07/09 12.53 CIC1JOB CICS1TEST CICS REGION              0 8 0 0 16
SAF RESOURCE CLASS FCICSFCT
RESOURCE NAME: TESTPLEX
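
A resource rule of the kind the resolution calls for, shown as an added example that is not part of the original article. It assumes class FCICSFCT still maps to type SAF (no CLASMAP record), grants only the UPDATE access reported in the violation, and uses a placeholder where the UID string of the denied region must be supplied.

```text
ACF
SET RESOURCE(SAF)
COMPILE *
$KEY(TESTPLEX) TYPE(SAF)
* Added example: the UID value below is a placeholder. Replace it with
* the UID string of the region that was denied access to the table.
 UID(uid-string-of-cics-region) SERVICE(UPDATE) ALLOW

STORE
END
```

If type SAF is resident (listed in the GSO INFODIR record), rebuild the directory with the operator command F ACF2,REBUILD(SAF) so that the new rule takes effect. If the server runs with SECPRFX=YES, the $KEY must carry the server region userid prefix that the message description mentions.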