Trying to issue an operator command and it fails with message: IEE345I VARY CN AUTHORITY INVALID, FAILED BY MVS

Article ID: 26259

Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

A MODIFY or VARY operator console command on z/OS fails with:

IEE345I VARY CN AUTHORITY INVALID, FAILED BY MVS
  or
IEE345I MODIFY AUTHORITY INVALID, FAILED BY MVS

What is needed to allow this to work?


Environment

Component: ACF2MS

Cause

This is the result of a RACROUTE REQUEST=AUTH,CLASS=OPERCMDS call issued by the operating system. By default, CA ACF2 ignores all operator command validation and replies to the caller with a return code of 4. Per the IBM RACROUTE manual, a return code of 4 means the specified resource is not protected by security. Most applications allow access to the resource on this return code, but some applications treat a return code of 4 as a failure. The operating system is failing the return code of 4 in this case.

Resolution

To get this to work, sites will need to override the default SAFDEF record that CA ACF2 supplies. The override can be done one of two ways.

The first is to change the return code to 0 (zero). This allows every operator command without any validation. Here is the SAFDEF that would be needed:

TSO ACF
SET CONTROL(GSO)
INSERT SAFDEF.OPR ID(OPR) FUNCRET(0) RETCODE(0) MODE(IGNORE) RACROUTE(REQUEST=AUTH,CLASS=OPERCMDS)
F ACF2,REFRESH(SAFDEF)

The recommended way to correct this from a security standpoint is to validate operator commands. Be sure to write the rules first, before switching validation on. Here is an example of a generic rule:

$KEY(********) TYPE(OPR)
VARY.- UID(uid of system programmers) ALLOW
VARY.- UID(uid of operators) ALLOW
- UID(uid of operators) ALLOW

Alternatively, the MVS commands and JES2 commands can be separated. Here is an example of that:

$KEY(MVS) TYPE(OPR)
VARY.- UID(uid of system programmers) ALLOW
VARY.- UID(uid of operators) ALLOW
MODIFY.- UID(uid of operators) ALLOW
- UID(uid of operators) ALLOW

$KEY(JES2) TYPE(OPR)
- UID(uid of operators) ALLOW

Please review the ACF2 documentation section 'Protect Operator Commands', and review the IBM manuals for other operator commands that can and should be secured. The default type code for operator commands is SAF. To change the type code to the OPR type used in the rule examples above, enter the following:

ACF
SET CONTROL(GSO)
INSERT CLASMAP.OPR RESOURCE(OPERCMDS) RSRCTYPE(OPR)
F ACF2,REFRESH(CLASMAP)

If a masked key is used, an INFODIR change is needed.

ACF
SET CONTROL(GSO)
CHANGE INFODIR TYPRS(R-ROPR) ADD
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(OPR)

The rules are now in storage and ready for the change to validating operator commands.

ACF
SET CONTROL(GSO)
INSERT SAFDEF.OPR ID(OPR) MODE(GLOBAL) RACROUTE(REQUEST=AUTH,CLASS=OPERCMDS) REP
F ACF2,REFRESH(SAFDEF)
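To make the decision path concrete, here is an added, simplified model of what this article describes; it is not ACF2 or z/OS code. It assumes OPERCMDS resource names are dotted qualifier lists, that a rule's $KEY is matched against the first qualifier and the rule entries against the remainder, that '-' matches any remaining qualifiers and '*' any characters within one qualifier, that UID masks are prefixes, that the first matching entry decides, and that no matching entry means deny. The rule set and UIDs are constructed in the shape of the $KEY(MVS) / $KEY(JES2) example.

```python
import fnmatch

# Constructed rules mirroring the article's $KEY(MVS) / $KEY(JES2) example.
# "SYSPROG" and "OPER" are constructed placeholders for a site's UID masks.
RULES = {
    "MVS": [("VARY.-", "SYSPROG", "ALLOW"),
            ("VARY.-", "OPER", "ALLOW"),
            ("MODIFY.-", "OPER", "ALLOW"),
            ("-", "OPER", "ALLOW")],
    "JES2": [("-", "OPER", "ALLOW")],
}


def mask_match(mask, name):
    """ACF2-style qualifier mask (assumed): '-' swallows the rest of the
    resource name, '*' masks characters inside a single qualifier."""
    mq, nq = mask.split("."), name.split(".")
    for i, m in enumerate(mq):
        if m == "-":
            return True
        if i >= len(nq) or not fnmatch.fnmatchcase(nq[i], m):
            return False
    return len(mq) == len(nq)


def saf_return_code(resource, uid, mode, ignore_rc=4):
    """Model RACROUTE REQUEST=AUTH,CLASS=OPERCMDS under the SAFDEF settings.

    MODE(IGNORE) is the shipped default: no validation, and the caller gets
    ignore_rc, which is 4 ("resource not protected") unless the SAFDEF forces
    RETCODE(0) as in the article's first option. MODE(GLOBAL) validates
    against the rules: RC 0 on a matching ALLOW entry, RC 8 otherwise.
    """
    if mode == "IGNORE":
        return ignore_rc
    key, _, rest = resource.partition(".")
    for res_mask, uid_mask, access in RULES.get(key, []):
        # UID masks are treated as prefixes here (assumption).
        if mask_match(res_mask, rest) and uid.startswith(uid_mask):
            return 0 if access == "ALLOW" else 8
    return 8


def command_accepted(resource, uid, mode, ignore_rc=4):
    """MVS command processing accepts only RC 0; RC 4 yields IEE345I."""
    return saf_return_code(resource, uid, mode, ignore_rc) == 0
```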