ACF2 / TPX / SAF interface logon allowed with no password
Article ID: 202875

Products

ACF2, ACF2 - z/OS, ACF2 - MISC, XCOM Data Transport - z/OS

Issue/Introduction

Is there a setting in ACF2 that is turned on or off for the SAF interface?
When TPX security is set to ACF2, users are forced to enter a password when logging in to TPX.
When TPX security is set to SAF, a user can get in without entering a password.
Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

The issue where a TPX user can log on without a password when TPX security is set to SAF is related to resource class VERPSWD validations. When a RACROUTE REQUEST=VERIFY with PASSCHK=YES is issued for a logonid and no password is supplied, ACF2 also issues a RACROUTE REQUEST=AUTH,CLASS=VERPSWD,LOG=NOFAIL,ENTITYX=('userid.NOPSWD'), where userid is the LOGONID being verified, and the logonid of the requester (the address space that issued the VERIFY) is the one validated against the rule. An internal ACF2 GSO CLASMAP maps the VERPSWD resource class to TYPE(PWD), so the rule that controls this check is a TYPE(PWD) resource rule.

SECTRACE shows:

CAS21D0I TRACEID: TEST     EVENT#:  09451847                             
CAS21D0I JOBNAME: TPX      USERID:  TPX      ASID: 00nn                  
CAS21D1I PROGRAM: TPXSECAL RB CURR: zzzzzzz APF:  YES  SFR/RFR: N/A     
CAS2200I RACROUTE REQUEST=VERIFY,RELEASE=7730,STAT=ASIS,SMC=NO,          
CAS2200I          ACEE={=>,STRUCTURE,=>}00000000,APPL={=>}'xxxTPX',      
CAS2200I          ENVIR=CREATE,ENCRYPT=YES,ERROROPT=ABEND,LOG=ASIS,      
CAS2200I          MSGSP=0,NESTED=NO,PASSCHK=YES,                         
CAS2200I          PASSWRD={=>}'*SUPPRESSED*',TERMID={=>}'yyyyyyy',      
CAS2200I          USERID={=>}'TESTUSR',                                   
CAS2200I          WORKA={STRUCTURE SAFWORKA,=>,17D14488}                 
                                                                         
CAS21D0I TRACEID: TEST     EVENT#:  09451848                             
CAS21D0I JOBNAME: TPX      USERID:  TPX      ASID: 00nn                  
CAS21D1I PROGRAM: TPXSECAL RB CURR: zzzzz   APF:  YES  SFR/RFR: N/A     
CAS2200I RACROUTE REQUEST=AUTH,REQSTOR={=>}'ACF01VAL',                   
CAS2200I          CLASS={=>}'VERPSWD',RELEASE=1.9,STATUS=NONE,ATTR=READ, 
CAS2200I          DSTYPE={DEFAULT}N,ENTITYX=({=>}'TESTUSR.NOPSWD'),       
CAS2200I          FILESEQ=0,GENERIC=ASIS,LOG=NOFAIL,MSGSP=0,TAPELBL=STD, 
CAS2200I          USERID={=>}'TPX',                                      
CAS2200I          WORKA={STRUCTURE SAFWORKA,=>,7F65DB80}                 
                                                                         
CAS21D0I TRACEID: TEST     EVENT#:  09451848                             
CAS21D0I JOBNAME: TPX      USERID:  TPX      ASID: 00nn                  
CAS21D1I PROGRAM: TPXSECAL RB CURR: zzzzz   APF:  YES  SFR/RFR: 0/0:0   
CAS21D3I SAFDEF:  GENAUTH  INTERNAL MODE: GLOBAL                         
CAS2200I RACROUTE REQUEST=AUTH,REQSTOR={=>}'ACF01VAL',                   
CAS2200I          CLASS={=>}'VERPSWD',RELEASE=1.9,STATUS=NONE,ATTR=READ, 
CAS2200I          DSTYPE={DEFAULT}N,ENTITYX=({=>}'TESTUSR.NOPSWD'),       
CAS2200I          FILESEQ=0,GENERIC=ASIS,LOG=NOFAIL,MSGSP=0,TAPELBL=STD, 
CAS2200I          USERID={=>}'TPX',                                      
CAS2200I          WORKA={STRUCTURE SAFWORKA,=>,7F65DB80} 
The SECTRACE shows that the TPX started task issues a VERIFY with ENVIR=CREATE for user TESTUSR, specifying PASSCHK=YES. Because no password is supplied on this VERIFY call, ACF2 issues an additional call (an AUTH for class VERPSWD) to check whether the issuer of the VERIFY, in this case TPX, is authorized to verify logonid TESTUSR without a password. The object (ENTITYX) being validated is "TESTUSR.NOPSWD", and the return code of 0 on this check (SFR/RFR: 0/0:0 on the second copy of event 09451848) indicates that an ACF2 resource rule ALLOWs TPX to use TESTUSR without a password.
                                                                            
To address this, the rule for TESTUSR.NOPSWD needs to be changed to deny (PREVENT) access by TPX.

It is recommended to list all TYPE(PWD) rules first, so that an appropriate rule can be coded. From TSO, enter ACF and issue:

ACF
SET R(PWD)
DECOMP LIKE(-)

Possible rule to address the problem:

$KEY(TESTUSR) TYPE(PWD)
NOPSWD UID(uid string for TPX) PREVENT
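As an added example (not code from this article or from CA ACF2/TPX), the following Python script parses SECTRACE records in the layout shown above, reports every VERPSWD check that completed with SFR/RFR 0/0, pairs it with the PASSCHK=YES VERIFY that triggered it, and prints a TYPE(PWD) PREVENT rule in the form shown above for each hit. The sample trace is constructed to mirror the article's; the ASID, RB CURR, APPL and TERMID values, the extra TESTUS2 record showing a denied check, the reading of SFR/RFR as SAF rc/RACF rc:reason, and the TPXUID placeholder UID string are all assumptions.

```python
# Added example (not code from the Broadcom article or from CA ACF2/TPX): scan ACF2
# SECTRACE records for RACROUTE REQUEST=AUTH,CLASS=VERPSWD checks that returned 0,
# i.e. the requester was allowed to VERIFY a logonid with no password supplied.
import re

# Constructed sample shaped like the article's trace (WORKA/FILESEQ lines and the
# request copy of the AUTH omitted); ASID, RB CURR, APPL and TERMID values are made
# up. The TESTUS2 record is a denied check (SFR/RFR 8/8) added for contrast.
SAMPLE_TRACE = """\
CAS21D0I TRACEID: TEST     EVENT#:  09451847
CAS21D0I JOBNAME: TPX      USERID:  TPX      ASID: 0042
CAS21D1I PROGRAM: TPXSECAL RB CURR: 00FD5E08 APF:  YES  SFR/RFR: N/A
CAS2200I RACROUTE REQUEST=VERIFY,RELEASE=7730,STAT=ASIS,SMC=NO,
CAS2200I          ACEE={=>,STRUCTURE,=>}00000000,APPL={=>}'TPX',
CAS2200I          ENVIR=CREATE,ENCRYPT=YES,ERROROPT=ABEND,LOG=ASIS,
CAS2200I          MSGSP=0,NESTED=NO,PASSCHK=YES,
CAS2200I          PASSWRD={=>}'*SUPPRESSED*',TERMID={=>}'TPXT0001',
CAS2200I          USERID={=>}'TESTUSR',
CAS21D0I TRACEID: TEST     EVENT#:  09451848
CAS21D0I JOBNAME: TPX      USERID:  TPX      ASID: 0042
CAS21D1I PROGRAM: TPXSECAL RB CURR: 00FD5E08 APF:  YES  SFR/RFR: 0/0:0
CAS21D3I SAFDEF:  GENAUTH  INTERNAL MODE: GLOBAL
CAS2200I RACROUTE REQUEST=AUTH,REQSTOR={=>}'ACF01VAL',
CAS2200I          CLASS={=>}'VERPSWD',RELEASE=1.9,STATUS=NONE,ATTR=READ,
CAS2200I          DSTYPE={DEFAULT}N,ENTITYX=({=>}'TESTUSR.NOPSWD'),
CAS2200I          USERID={=>}'TPX',
CAS21D0I TRACEID: TEST     EVENT#:  09451902
CAS21D0I JOBNAME: TPX      USERID:  TPX      ASID: 0042
CAS21D1I PROGRAM: TPXSECAL RB CURR: 00FD5E08 APF:  YES  SFR/RFR: 8/8:0
CAS21D3I SAFDEF:  GENAUTH  INTERNAL MODE: GLOBAL
CAS2200I RACROUTE REQUEST=AUTH,REQSTOR={=>}'ACF01VAL',
CAS2200I          CLASS={=>}'VERPSWD',RELEASE=1.9,STATUS=NONE,ATTR=READ,
CAS2200I          DSTYPE={DEFAULT}N,ENTITYX=({=>}'TESTUS2.NOPSWD'),
CAS2200I          USERID={=>}'TPX',
"""

HDR = re.compile(r"^CAS21D0I TRACEID:\s*(\S+)\s+EVENT#:\s*(\d+)")
JOB = re.compile(r"^CAS21D0I JOBNAME:\s*(\S+)\s+USERID:\s*(\S+)")
PGM = re.compile(r"^CAS21D1I PROGRAM:\s*(\S+).*SFR/RFR:\s*(\S+)")
CONT = re.compile(r"^CAS2200I\s+(.*)$")
RC = re.compile(r"^(\d+)/(\d+):(\d+)$")  # SAF rc/RACF rc:reason (assumed layout); "N/A" on the request copy


def parse_racroute(text):
    """Extract the keywords this check needs from a joined RACROUTE parameter list."""
    def kw(pat):
        m = re.search(pat, text)
        return m.group(1) if m else None
    return {"request": kw(r"REQUEST=(\w+)"), "class": kw(r"CLASS=\{=>\}'([^']+)'"),
            "entity": kw(r"ENTITYX=\(\{=>\}'([^']+)'\)"), "passchk": kw(r"PASSCHK=(\w+)"),
            "racroute_userid": kw(r"USERID=\{=>\}'([^']+)'")}


def parse_events(trace):
    """One dict per CAS21D0I header. ACF2 logs an EVENT# twice, on entry (SFR/RFR N/A)
    and again with the return codes, so one event number can yield two records."""
    events, cur = [], {"racroute": []}  # placeholder absorbs lines before the first header
    for line in trace.splitlines():
        if (m := HDR.match(line)):
            cur = {"event": m[2], "rc": None, "racroute": []}
            events.append(cur)
        elif (m := JOB.match(line)):
            cur["jobname"], cur["userid"] = m.groups()
        elif (m := PGM.match(line)):
            cur["program"], sfr = m.groups()
            rc = RC.match(sfr)
            cur["rc"] = tuple(int(x) for x in rc.groups()) if rc else None
        elif (m := CONT.match(line)):
            cur["racroute"].append(m[1].strip())
    for ev in events:
        ev.update(parse_racroute(" ".join(ev["racroute"])))
    return events


def find_nopswd_allows(events):
    """Report VERPSWD checks that completed with SAF/RACF rc 0, paired with the
    PASSCHK=YES VERIFY that triggered them when it appears earlier in the trace."""
    verifies, findings = {}, []
    for ev in events:
        if ev["request"] == "VERIFY" and ev["passchk"] == "YES":
            verifies[ev["racroute_userid"]] = ev["event"]
        elif ev["request"] == "AUTH" and ev["class"] == "VERPSWD" and ev["rc"]:
            logonid, _, suffix = ev["entity"].partition(".")
            if suffix == "NOPSWD" and ev["rc"][:2] == (0, 0):
                findings.append({"event": ev["event"], "jobname": ev["jobname"],
                                 "requester": ev["racroute_userid"],  # issuer of the VERIFY
                                 "logonid": logonid, "verify_event": verifies.get(logonid)})
    return findings


def prevent_rule(logonid, requester_uid):
    """TYPE(PWD) rule in the form the article shows. requester_uid is the site's UID
    string for the TPX started task (assumption: supply your own)."""
    return f"$KEY({logonid}) TYPE(PWD)\nNOPSWD UID({requester_uid}) PREVENT"


if __name__ == "__main__":
    for f in find_nopswd_allows(parse_events(SAMPLE_TRACE)):
        print(f"event {f['event']}: {f['jobname']} ({f['requester']}) allowed to verify "
              f"{f['logonid']} without a password; VERIFY event {f['verify_event']}")
        print(prevent_rule(f["logonid"], "TPXUID"))  # TPXUID: placeholder UID string
```

To use it on a real system, replace SAMPLE_TRACE with the contents of the SECTRACE output and supply the actual UID string of the TPX started task; every finding names a logonid that the requester can still verify without a password. The same VERPSWD check is issued for any address space that does a passwordless VERIFY, not only TPX, so the script reports whatever job name and requester appear on the AUTH record.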

Additional Information

For additional information on VERPSWD see ACF2 Documentation section: "VERPSWD".