Top Secret: z/OSMF OMVS violations in USS


Article ID: 207795


Products

CA Top Secret

Issue/Introduction

The Top Secret TSSUTIL report shows the following violations for z/OSMF at startup:

ACCESSOR JOBNAME  FFM VC PROGRAM  R-ACCESS A-ACCESS SRC/DRC SEC RESOURCE (TYPE & NAME)       
-------- -------- --- -- -------- -------- -------- ------- --- ---------------------------- 
IZUSVR   IZUSVR1  S F                               *08*-04 USS ? CHECK_PROC_OWNER           
IZUSVR   IZUSVR1  S F                               *08*-30 USS ? R_DATALIB
IZUSVR   IZUSVR1  S F                               *08*-30 USS ? R_DATALIB
IZUSVR   IZUSVR1  S F                               *08*-2C USS ? R_DATALIB
IZUSVR   IZUSVR1  S F                               *08*-30 USS ? R_DATALIB
IZUSVR   IZUSVR1  S F                               *08*-30 USS ? R_DATALIB
IZUSVR   IZUSVR1  S F                               *08*-2C USS ? R_DATALIB

 

 

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

OMVS uses non-zero return codes to force another event to happen. None of the non-zero return codes below are violations.
 

USS return code meanings:

The *08*-30 entries for R_DATALIB calls are usually normal. An application was trying to determine a certificate size, so it issued an R_datalib call with a certificate size of zero. This causes the certificate size to be passed back on the call and the entry you see in the TSSUTIL report to be written.

The *08*-2C on the R_DATALIB call means that there are no more certificates. This is perfectly normal. If there are 5 certificates, each time there will be a data getnext call, which gets rc=0, until the last one, which gets the 8/8:44 (44 is x'2C') because there are no more certificates.

The *08*-04 is returned by CHECK_PROC_OWNER, which checks whether the calling process is the owner of the process being called. If it is the owner, it is treated as a superuser. In this case the caller is not the owner, so the *08*-04 is returned. It is not a violation; it is just a check to determine whether the caller should have superuser authority.
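For routine review of TSSUTIL output, the following added example (not part of the original article and not vendor code) separates the USS entries explained above from anything else that should still be looked at. The report layout is assumed from the sample on this page, the `?` column is skipped without being interpreted, and `EXAMPLE_SERVICE` is a made-up name in constructed sample data.

```python
import re
from collections import Counter

# (callable service, DRC) pairs the article explains as expected, not violations
EXPECTED = {
    ("R_DATALIB", "30"): "certificate size probe (zero-size call returns the size)",
    ("R_DATALIB", "2C"): "no more certificates on a data getnext call",
    ("CHECK_PROC_OWNER", "04"): "caller is not the owner of the called process",
}

# Anchor on the *SRC*-DRC field so populated PROGRAM/ACCESS columns
# (blank in the article's sample) do not shift the parse.
LINE = re.compile(
    r"^(?P<accessor>\S+)\s+(?P<job>\S+)\s.*?"
    r"\*(?P<src>[0-9A-F]{2})\*-(?P<drc>[0-9A-F]{2})\s+"
    r"(?P<sec>\S+)\s+(?:\?\s+)?(?P<resource>\S+)\s*$"
)

def triage(report: str):
    """Return (expected, review): a Counter of explained events and a list of the rest."""
    expected, review = Counter(), []
    for raw in report.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # header, separator, or blank line
        key = (m["resource"], m["drc"])
        if m["sec"] == "USS" and m["src"] == "08" and key in EXPECTED:
            expected[(m["accessor"], m["job"]) + key] += 1
        else:
            review.append(raw.strip())  # the service/DRC pair is not one the article covers
    return expected, review

# Constructed sample: three rows copied from the article's report, last row invented
SAMPLE = """\
ACCESSOR JOBNAME  FFM VC PROGRAM  R-ACCESS A-ACCESS SRC/DRC SEC RESOURCE (TYPE & NAME)
-------- -------- --- -- -------- -------- -------- ------- --- ----------------------------
IZUSVR   IZUSVR1  S F                               *08*-04 USS ? CHECK_PROC_OWNER
IZUSVR   IZUSVR1  S F                               *08*-30 USS ? R_DATALIB
IZUSVR   IZUSVR1  S F                               *08*-2C USS ? R_DATALIB
IZUSVR   IZUSVR1  S F                               *08*-04 USS ? EXAMPLE_SERVICE
"""

if __name__ == "__main__":
    ok, todo = triage(SAMPLE)
    for (acc, job, svc, drc), n in ok.items():
        print(f"expected  {acc}/{job} {svc} 08-{drc} x{n}: {EXPECTED[(svc, drc)]}")
    for line in todo:
        print("review   ", line)
```

The match is on the service name and DRC together, so the same DRC on a different callable service is still listed for review.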