search cancel

ACF2 Security issue CICS/MQ DFHMQ0758 EXEC CICS START NOTAUTH error after z/OS and ACF2 upgrade

book

Article ID: 239650

calendar_today

Updated On:

Products

ACF2

Issue/Introduction

Upgrade from z/OS 2.1 to z/OS.23 of 2 LPARs. Encountering a not authorized issue on one LOGON ID after upgrading z/OS and ACF2:

DFHMQ0758 E 04/16/2022 05:30:07 WEQCICSF CKBR 00231 Unable to START bridge task. EIBRESP=69 EIBRESP2=8. Userid MQLNKPD is not authorized.

DFHMQ0758 Explanation
The CICS-MQ bridge monitor is being run with the IDENTIFY or VERIFY authorization option. An EXEC CICS START command for the CICS-MQ bridge task failed with NOTAUTH or USERIDERR because the user ID is not authorized to start CICS-MQ bridge transactions or has been revoked.

SECTRACE shows EXTRACT with SFR/RFR= 4/8:8:

  SMFID= ADCG         TOD= 20:30:07.56    TRACEID= P3         USERID= WEQCICSF
  JOBNAME= WEQCICSF   ASID= 00EE          PGM= DFHKETCB       CURR RB= SVC217
  SFR/RFR= 4/8:8      MODE= TASK          APF= AUTHORIZED     LOCKS= NONE
  SAFDEF= GENXTRCT INTERNAL MODE= GLOBAL
   
  RACROUTE REQUEST=EXTRACT,SUBSYS='CICS0690',CLASS='USER',RELEASE=7740,
           SUBPOOL=229,BRANCH=NO,DECOUPL=YES,DERIVE=NO,DATEFMT=YYDDDF,
           ENTITYX=('MQLNKPD'),FIELDS=,FLDACC=NO,GENERIC=ASIS,MSGSP=0,
           MATCHGN=NO,TYPE=EXTRACT,WORKA=
  FIELDS   DATA AREA FOLLOWS
  0001367F +000  00000009 C4C6D3E3 C7D9D740 C3C7C7D9  *....DFLTGRP CGGR*
  0001368F +010  D7C3E340 C6D3C1C7 F4404040 D9C5E5D6  *PCT FLAG4   REVO*
  0001369F +020  D2C5C4E3 D9C5E2E4 D4C5C4E3 C3C7C7D9  *KEDTRESUMEDTCGGR*
  000136AF +030  D7D5D440 C3C7C6D3 C1C7F440 C3C7D9C5  *PNM CGFLAG4 CGRE*
  000136BF +040  E5D2C4E3 C3C7D9C5 E2D4C4E3           *VKDTCGRESMDT* 
 

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

The errors can occur because ACF2 APAR SO05647 was included with the upgrade to z/OS 2.3, and the apar corrects a problem the default OMVS group was being returned with 0/0:0 when no group should be returned with z/OS 2.1 and above. Once SO05647 is applied RACROUTE EXTRACT calls for the default group will fail(as it should) so logonids must have a GROUP defined .

After adding GROUP(OMVSDGRP) to the MQLNKPD logonid, recycling the CICS region and running the MQ related transaction the errors(DFHMQ0758 and EXTRACT CLASS=USER SFR/RFR= 4/8:8) no longer occurred.