search cancel

ACF2 / TPX / SAF interface logon allowed with no password

book

Article ID: 202875

calendar_today

Updated On:

Products

ACF2 ACF2 - z/OS ACF2 - MISC

Issue/Introduction

Is there a setting that is either turned on or turned off in ACF2 for the SAF interface?  
If security set in TPX as ACF2 users are forced to enter a password when logging in to TPX.
If security set to SAF in TPX the user can get in without entering a password.

 

 

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

The issue where a TPX used can logon without a password when TPX security is set to SAF is related to resource class VERPSWD validations. When a RACROUTE REQUEST=VERIFY with PASSCHK=YES is done for a logonid, there will also be a validation issued for a RACROUTE REQUEST=AUTH,CLASS=VERPSWD,LOG=NOFAIL,ENTITYX=('userid.NOPSWD') where userid is the LOGONID and the logonid of the requester will be used for the validation. There is an internal ACF2 GSO CLASMAP that maps the VERPSWD resource class to TYPE(PWD).

SECTRACE shows:

CAS21D0I TRACEID: TEST     EVENT#:  09451847                             
CAS21D0I JOBNAME: TPX      USERID:  TPX      ASID: 006E                  
CAS21D1I PROGRAM: TPXSECAL RB CURR: TPXSECAL APF:  YES  SFR/RFR: N/A     
CAS2200I RACROUTE REQUEST=VERIFY,RELEASE=7730,STAT=ASIS,SMC=NO,          
CAS2200I          ACEE={=>,STRUCTURE,=>}00000000,APPL={=>}'A25TPX',      
CAS2200I          ENVIR=CREATE,ENCRYPT=YES,ERROROPT=ABEND,LOG=ASIS,      
CAS2200I          MSGSP=0,NESTED=NO,PASSCHK=YES,                         
CAS2200I          PASSWRD={=>}'*SUPPRESSED*',TERMID={=>}'Z22JAA22',      
CAS2200I          USERID={=>}'Z09BBC',                                   
CAS2200I          WORKA={STRUCTURE SAFWORKA,=>,17D14488}                 
                                                                         
CAS21D0I TRACEID: TEST     EVENT#:  09451848                             
CAS21D0I JOBNAME: TPX      USERID:  TPX      ASID: 006E                  
CAS21D1I PROGRAM: TPXSECAL RB CURR: SVC245   APF:  YES  SFR/RFR: N/A     
CAS2200I RACROUTE REQUEST=AUTH,REQSTOR={=>}'ACF01VAL',                   
CAS2200I          CLASS={=>}'VERPSWD',RELEASE=1.9,STATUS=NONE,ATTR=READ, 
CAS2200I          DSTYPE={DEFAULT}N,ENTITYX=({=>}'Z09BBC.NOPSWD'),       
CAS2200I          FILESEQ=0,GENERIC=ASIS,LOG=NOFAIL,MSGSP=0,TAPELBL=STD, 
CAS2200I          USERID={=>}'TPX',                                      
CAS2200I          WORKA={STRUCTURE SAFWORKA,=>,7F65DB80}                 
                                                                         
CAS21D0I TRACEID: TEST     EVENT#:  09451848                             
CAS21D0I JOBNAME: TPX      USERID:  TPX      ASID: 006E                  
CAS21D1I PROGRAM: TPXSECAL RB CURR: SVC245   APF:  YES  SFR/RFR: 0/0:0   
CAS21D3I SAFDEF:  GENAUTH  INTERNAL MODE: GLOBAL                         
CAS2200I RACROUTE REQUEST=AUTH,REQSTOR={=>}'ACF01VAL',                   
CAS2200I          CLASS={=>}'VERPSWD',RELEASE=1.9,STATUS=NONE,ATTR=READ, 
CAS2200I          DSTYPE={DEFAULT}N,ENTITYX=({=>}'Z09BBC.NOPSWD'),       
CAS2200I          FILESEQ=0,GENERIC=ASIS,LOG=NOFAIL,MSGSP=0,TAPELBL=STD, 
CAS2200I          USERID={=>}'TPX',                                      
CAS2200I          WORKA={STRUCTURE SAFWORKA,=>,7F65DB80} 
    

 

The sectrace shows that job (STC) TPX, issues a VERIVY CREATE for user Z09BBC, which specifies PASSCHK=YES.  When no password is provided in this verify call, ACF2 issues an additional call(AUTH call for class VERPSWD) to see if the issuer of the VERIFY, in this case TPX, is authorized to use/verify logonid Z09BBC without a password. The object (ENTITYX) being validated is "Z09BBC.NOPSWD" and the return code of 0 for this check indicates that there is an ACF2 resource rule to ALLOW TPX access to use Z09BBC.                                                
                                                                            
To address this, the rule for Z09BBC.NOPSWD needs to be changed to deny (prevent) the access by TPX

Recommend list all TYPE(PWD) rules in order to code an appropriate rule, from TSO, ACF:

ACF
SET R(PWD)
DECOMP LIKE(-)

Possible rule to address the problem

$KEY(Z09BBC) TYPE(PWD)
NOPSWD UID(uid string for TPX) PREVENT

Additional Information

For additional information on VERPSWD see ACF2 Documentation section: "VERPSWD".