ACF2 GENREQ or GENCERT command gets CAS20EDE Operation xxxxxxxx cannot be performed

Article ID: 239546


Products

ACF2, ACF2 - MISC, ACF2 - z/OS

Issue/Introduction

Extracting a certificate for renewal with the ACF2 GENREQ command fails with:
CAS20EDE Operation GENREQ cannot be performed - User is not defined as OMVS user.

A GENCERT of a certificate fails with:
CAS20EDE Operation GENCERT cannot be performed - User is not defined as OMVS user

 

Environment

Component : ACF2 for z/OS

Resolution

To issue the GENCERT command, the logonid that is issuing the command must be defined to OMVS: it must have a UID and a GID assigned. With ACF2, UIDs and GIDs are assigned by ACF2 USER Profile records. UIDs and GIDs can be auto-assigned; however, this is optional and must be configured.

Also note that, to issue the GENCERT command, the logonid needs security authorization: either SECURITY, Scoped SECURITY, or access to the ACFCMD.DIGTCERT.command resource rules in the CASECAUT class, as indicated in Command Authorization Requirements.

The following can be done to determine if the logonid is defined to OMVS:

  1. Issue the following commands, where testlid is the logonid that is issuing the GENCERT command:

    ACF
    LIST testlid PROFILE(OMVS)
    LIST testlid

  2. In the output of the second LIST command above, look for the 'RESTRICTIONS' section:

    RESTRICTIONS         GROUP(TESTGRP) PREFIX(USER001)

    Note the GROUP field; in the example above the group is TESTGRP.

  3. Next issue the following commands to check the GROUP:

    ACF
    SET PROFILE(GROUP) DIV(OMVS)
    LIST TESTGRP

To address the error, ensure that the logonid issuing the command has an OMVS User Profile record defined with a UID, and that the group named in the GROUP field of the logonid has a GID defined.
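
One way to define the missing records and confirm the result, shown as an added example that is not part of the original article. It reuses the article's sample names testlid and TESTGRP; nnn is a placeholder for the UID and GID values your site assigns, and any other OMVS profile fields your site requires are left out.

```text
ACF
SET PROFILE(USER) DIV(OMVS)
INSERT testlid UID(nnn)
LIST testlid
SET PROFILE(GROUP) DIV(OMVS)
INSERT TESTGRP GID(nnn)
LIST TESTGRP
END
```

Each LIST should now display the record with its UID or GID, which is the condition the CAS20EDE message reports as missing. Avoid assigning UID(0) to a logonid only to clear this error, since that grants z/OS UNIX superuser authority.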