ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

New zOS 2.4 install and new ACF2 16.0 install. Error msg ABEND=SEC6 came up from day one.

book

Article ID: 213305

calendar_today

Updated On:

Products

ACF2 - z/OS

Issue/Introduction

Receiving following error and it appears to be a security issue, but not sure how to fix in ACF2. 
Tried adding different rules but still getting the error below.

BPXP024I BPXAS INITIATOR STARTED ON BEHALF OF JOB BPXOINIT RUNNING IN  
ASID 0025                                                              
+BPXI026I THE ETCINIT JOB COULD NOT BE STARTED.  BPX4EXC  RETURN CODE  
0000006F REASON CODE EF076015                                          
IEA989I SLIP TRAP ID=XEC6 MATCHED.  JOBNAME=BPXOINIT, ASID=002F.       
BPXP023I THREAD 0A7F800000000000, IN PROCESS 4, WAS 143                
TERMINATED BY SIGNAL *NO SIGNAL, SENT FROM THREAD                      
0000000000000000, IN PROCESS 0, UID 0, IN JOB         .                
IEF450I BPXOINIT STEP1 - ABEND=SEC6 U0000 REASON=0000FF09 145          
        TIME=09.37.16                                                  
BPXI027I THE ETCINIT JOB ENDED IN ERROR, EXIT STATUS 00000009          
BPXI004I OMVS INITIALIZATION COMPLETE                                  
CEA0105I COMMON EVENT ADAPTER IS RUNNING IN MINIMUM MODE. 147          
UNIX SYSTEM SERVICE DUBDFLT ENDED WITH RETURN CODE 0000009C            
REASON CODE 0B0C00FD                                                   

Environment

Release : 16.0
Component : CA ACF2 for z/OS

Resolution

Changing unixopts record to BYP-FSA will eliminate the error at IPL.

Since CA ACF2 protects resources by default, access to all users of zFS, including superusers,
would be denied without adding needed resource rules with this support in place.

Note: This FSACCESS resource validation is only for UNIX zFS file systems - NOT hFS file systems.

IBM added a new function to check a user's authority to access the file system objects on z/OS UNIX zFS file systems using the new SAF FSACCESS resource class.

BYP-FSA | NOBYP-FSA ..... Specifies 
whether ck_access processing for zFS files bypasses RACROUTE FASTAUTH calls against resources in the FSACCESS.

The default (NOBYP-FSA) protects the class by continuing to provide FSACCESS checking. 
Disabling FSACCESS (BYP-FSA) class checking improves zFS performance but sacrifices an extra level of authentication and auditing.

Also please review knowledge articles :
  18546     21731