Setting up external (RACF) LOGON security to CA7. I only want LOGON security at this point. 

The security statement is coded:

SECURITY,NAME=SASSSECI,EXTERNAL=(LOGON),APPL=CA7  

I get the following errors attempting to log on to CA7:

CA-7.022 LOGON FORMAT INCORRECT                 
CAL2103I - USER NOT AUTHORIZED FOR CA-7 COMMANDS  

EXTERNAL=(LOGON) only mean the user will be validated through external security when they logon to CA 7.  

You will need to add the users that will be logging to the internal security module (SASSSECI) because this will control users access to commands and panels.