ACF2 Error starting IPVSRV1 for MFA, RACROUTE EXTRACT CLASS PTKTDATA 4/8:0

Article ID: 221672

Products

CA ACF2 - z/OS

Issue/Introduction

An ACF2 violation occurs when starting the IPVSRV1 STC (IBM Problem Determination Tools Common Components). SECTRACE shows this violation/failure:

CAS21D1I PROGRAM: IPVSRV   RB CURR: IPVSRV   APF:  YES  SFR/RFR: 4/8:0  
CAS21D3I SAFDEF:  SAF00259 GSO      MODE: GLOBAL                        
CAS2200I RACROUTE REQUEST=EXTRACT,REQSTOR='SAFPTGEN',CLASS='PTKTDATA',  
CAS2200I          RELEASE=1.9,SUBPOOL=229,SEGMENT='SSIGNON',BRANCH=NO,  
CAS2200I          DERIVE=NO,ENTITYX=('IPVAPPL'),FIELDS=,FLDACC=NO,      
CAS2200I          GENERIC=ASIS,MSGSP=0,MATCHGN=NO,TYPE=EXTRACT,WORKA=   

The following is defined:

$KEY(IPVAPPL) TYPE(PTK)                                 
 UID(**************IPVSRV1) SERVICE(READ,UPDATE) ALLOW     

as per this RACF instruction:

PE   IPVAPPL CLASS(PTKTDATA) ID(IPVSRV1) ACCESS(UPDATE)      

These lines were also added to the IPVSRV1 configuration:

APPLID=IPVAPPL                 * SET SAF APPL TO USE           
PASSTK=480                     * Passtickets life of 8 hours   

This is the only violation/failure in the SECTRACE output.

Environment

Release : 16.0

Component :

Resolution

The RACF instructions state:

To create PassTickets, the server started task user ID must have the following authorizations:

SETROPTS CLASSACT(PTKTDATA) 
SETROPTS RACLIST(PTKTDATA) 
RDEF PTKTDATA IPVAPPL SSIGNON(KEYMASKED(yourmaskvalue)) 
RDEF PTKTDATA IRRPTAUTH.IPVAPPL.* UACC(NONE) 
PERMIT IRRPTAUTH.IPVAPPL.* ID(your.userid) ACCESS(UPDATE) CLASS(PTKTDATA) 
SETR RACLIST(PTKTDATA) REFRESH

The command RDEF PTKTDATA IPVAPPL SSIGNON(KEYMASKED(yourmaskvalue)) defines the profile IPVAPPL in the PTKTDATA class and associates a secret secured signon key with the profile. The key must be the same on both the system on which the PassTicket is to be generated (the z/OSMF system) and the system on which the PassTicket is to be verified. The key yourmaskvalue is a user-supplied 16-digit value used to generate the PassTicket.

The ACF2 equivalent to RDEF PTKTDATA IPVAPPL SSIGNON(KEYMASKED(yourmaskvalue)) is:

ACF
SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
INSERT IPVAPPL SSKEY(yourmaskvalue)  
F ACF2,REBUILD(PTK),CLASS(P)
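
An added example (not from the article or from the vendor): a small Python triage script that scans SECTRACE output for the failure shown above, a RACROUTE EXTRACT of the SSIGNON segment in class PTKTDATA that ends with non-zero SFR/RFR, and reports the entity whose key record to check. It assumes trace lines laid out as in the excerpt above; the function names are hypothetical.

```python
import re

# Constructed sample: the SECTRACE lines quoted in the article.
SAMPLE_TRACE = """\
CAS21D1I PROGRAM: IPVSRV   RB CURR: IPVSRV   APF:  YES  SFR/RFR: 4/8:0
CAS21D3I SAFDEF:  SAF00259 GSO      MODE: GLOBAL
CAS2200I RACROUTE REQUEST=EXTRACT,REQSTOR='SAFPTGEN',CLASS='PTKTDATA',
CAS2200I          RELEASE=1.9,SUBPOOL=229,SEGMENT='SSIGNON',BRANCH=NO,
CAS2200I          DERIVE=NO,ENTITYX=('IPVAPPL'),FIELDS=,FLDACC=NO,
CAS2200I          GENERIC=ASIS,MSGSP=0,MATCHGN=NO,TYPE=EXTRACT,WORKA=
"""

HEADER = re.compile(r"PROGRAM:\s*(\S+).*?SFR/RFR:\s*(\d+)/(\d+):(\d+)")
KEYWORD = re.compile(r"(\w+)=\(?'?([^',()]*)'?\)?")


def parse_sectrace(text):
    """Group trace lines into events: program, return codes, RACROUTE keywords."""
    events, current = [], None
    for line in text.splitlines():
        msgid, _, body = line.partition(" ")
        if msgid == "CAS21D1I":  # first line of a traced request
            m = HEADER.search(body)
            current = m and {"program": m.group(1), "raw": "",
                             "rc": tuple(int(g) for g in m.groups()[1:])}
            if current:
                events.append(current)
        elif msgid == "CAS2200I" and current:  # RACROUTE text, may span lines
            current["raw"] += body.strip()
    for ev in events:
        ev["keywords"] = dict(KEYWORD.findall(ev.pop("raw")))
    return events


def missing_ssignon_keys(events):
    """Entities whose PTKTDATA SSIGNON extract ended with non-zero return codes."""
    hits = []
    for ev in events:
        kw = ev["keywords"]
        if (kw.get("REQUEST") == "EXTRACT" and kw.get("CLASS") == "PTKTDATA"
                and kw.get("SEGMENT") == "SSIGNON" and any(ev["rc"])):
            hits.append((kw.get("ENTITYX") or kw.get("ENTITY"),
                         ev["program"], ev["rc"]))
    return hits


if __name__ == "__main__":
    for entity, program, rc in missing_ssignon_keys(parse_sectrace(SAMPLE_TRACE)):
        print(f"{program}: SSIGNON extract for {entity} failed, SFR/RFR={rc}")
```

Each reported entity is a candidate for the PROFILE(PTKTDATA) DIVISION(SSIGNON) record that the resolution above inserts.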