New zOS 2.4 install and new ACF2 16.0 install. Error msg ABEND=SEC6 came up from day one.
Article ID: 213305
Updated On:
Products
Issue/Introduction
Receiving following error and it appears to be a security issue, but not sure how to fix in ACF2.
Tried adding different rules but still getting the error below.
BPXP024I BPXAS INITIATOR STARTED ON BEHALF OF JOB BPXOINIT RUNNING IN
ASID 0025
+BPXI026I THE ETCINIT JOB COULD NOT BE STARTED. BPX4EXC RETURN CODE
0000006F REASON CODE EF076015
IEA989I SLIP TRAP ID=XEC6 MATCHED. JOBNAME=BPXOINIT, ASID=002F.
BPXP023I THREAD 0A7F800000000000, IN PROCESS 4, WAS 143
TERMINATED BY SIGNAL *NO SIGNAL, SENT FROM THREAD
0000000000000000, IN PROCESS 0, UID 0, IN JOB .
IEF450I BPXOINIT STEP1 - ABEND=SEC6 U0000 REASON=0000FF09 145
TIME=09.37.16
BPXI027I THE ETCINIT JOB ENDED IN ERROR, EXIT STATUS 00000009
BPXI004I OMVS INITIALIZATION COMPLETE
CEA0105I COMMON EVENT ADAPTER IS RUNNING IN MINIMUM MODE. 147
UNIX SYSTEM SERVICE DUBDFLT ENDED WITH RETURN CODE 0000009C
REASON CODE 0B0C00FD
Environment
Release : 16.0
Component : CA ACF2 for z/OS
Resolution
Changing unixopts record to BYP-FSA will eliminate the error at IPL.
Since CA ACF2 protects resources by default, access to all users of zFS, including superusers,
would be denied without adding needed resource rules with this support in place.
Note: This FSACCESS resource validation is only for UNIX zFS file systems - NOT hFS file systems.
IBM added a new function to check a user's authority to access the file system objects on z/OS UNIX zFS file systems using the new SAF FSACCESS resource class.
BYP-FSA | NOBYP-FSA ..... Specifies
whether ck_access processing for zFS files bypasses RACROUTE FASTAUTH calls against resources in the FSACCESS.
The default (NOBYP-FSA) protects the class by continuing to provide FSACCESS checking.
Disabling FSACCESS (BYP-FSA) class checking improves zFS performance but sacrifices an extra level of authentication and auditing.
Feedback
