RACF commands translated to Top Secret for error "CTG6878E ####### Surrogate Check Failed"

Article ID: 263568

Products

Top Secret

Issue/Introduction

After upgrading to CICS 5.6 CTG, the following error occurs:

CTG6878E ####### Surrogate check failed with SURROGCHK=yes set in DFHXCOPT: EXCI Reason = 0x1a7, Subreason field-1 = 0x04, subreason field-2 = 0x00

IBM gave instructions in RACF format. What are the Top Secret equivalent commands?

You are getting the error "CTG6878E ####### Surrogate check failed with SURROGCHK=yes set in DFHXCOPT: EXCI Reason = 0x1a7, Subreason field-1 = 0x04, subreason field-2 = 0x00" because of the changes made by the IBM security APAR that fixed a CICS/EXCI security vulnerability. The CICS/EXCI interface vulnerability was corrected by removing the SURROGCHK option from the DFHXCOPT parameter list; this APAR changes SURROGCHK to always be YES, so every EXCI client that specifies a different userid is now subject to a SURROGAT class check.

In order to fix this error, you need to define the required security rules and give the CICS TG job userid the required authority to use other userids. The commands you need for RACF are:

 RDEF SURROGAT *.DFHEXCI UACC(NONE) OWNER(SECURITY)
 PERMIT *.DFHEXCI CLASS(SURROGAT) ID(ctgjob id) ACCESS(READ)

The OWNER(SECURITY) parameter should be a suitable admin security or CICS admin userid to own the profile.

Please make sure you verify the security setup by issuing the commands:

 RLIST SURROGAT *.DFHEXCI AUTH

- It will show you which userids have access.

 SETROPTS LIST

- To see that the SURROGAT class is ACTIVE and RACLIST'd.

And then after permission is granted, make sure you issue the RACF refresh command:

 SETROPTS RACLIST(SURROGAT) REFRESH

You could also define a generic profile that allows every EXCI user to specify a different userid. This is not as secure, but it is equivalent to SURROGCHK=NO:

 RDEFINE SURROGAT *.DFHEXCI UACC(READ) OWNER(SECURITY)

All of this is documented in the IBM CICS TG topic "Surrogate user checking".

Resolution

The equivalent TSS commands are listed after each group of RACF commands:

  1. In order to fix this error, you need to define the required security rules and give the CICS TG job userid the required authority to use other userids. The commands you need for RACF are:

    RDEF SURROGAT *.DFHEXCI UACC(NONE) OWNER(SECURITY)
    PERMIT *.DFHEXCI CLASS(SURROGAT) ID(ctgjob id) ACCESS(READ)

    TSS equivalents:
    TSS ADD(dept) SURROGAT(*.DFHEXCI)
    TSS PER(ctgjob id) SURROGAT(*.DFHEXCI) ACCESS(READ)
    TSS REFRESH(ctgjob id) JOBNAME(*)

    The OWNER(SECURITY) parameter should be a suitable admin security or CICS admin userid to own the profile.

  2. Make sure you verify the security setup by issuing the commands:

    RLIST SURROGAT *.DFHEXCI AUTH

    - It will show you which userids have access.

    TSS equivalents:
    TSS WHOHAS SURROGAT(*.DFHEXCI)

    SETROPTS LIST

    - To see that the SURROGAT class is ACTIVE and RACLIST'd.

  3. After permission is granted, make sure you issue the RACF refresh command:

    SETROPTS RACLIST(SURROGAT) REFRESH

    No TSS equivalents.

    You could also define a generic profile that allows every EXCI user to specify a different userid. This is not as secure, but it is equivalent to SURROGCHK=NO:

    RDEFINE SURROGAT *.DFHEXCI UACC(READ) OWNER(SECURITY)

    TSS equivalents:
    TSS ADD(dept) SURROGAT(*.DFHEXCI)
    TSS PER(ALL) SURROGAT(*.DFHEXCI) ACCESS(READ)
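As an added example (not part of this article or of either product), the following Python script applies the RACF-to-TSS mapping shown above to the two RACF command forms discussed, RDEF/RDEFINE of a SURROGAT profile and PERMIT on it, and flags the UACC(READ) form that is as permissive as SURROGCHK=NO. `dept` is the placeholder department ACID from the article, and the TSS REFRESH after each PERMIT follows step 1 above.

```python
import re

# Placeholder department ACID that will own the SURROGAT resource in Top Secret.
DEPT = "dept"

RDEF_RE = re.compile(r"^RDEF(?:INE)?\s+SURROGAT\s+(\S+)\s*(.*)$", re.I)
PERMIT_RE = re.compile(r"^PERMIT\s+(\S+)\s+(.*)$", re.I)


def _operand(text, name):
    """Return the value inside NAME(...) in a RACF operand string, or None."""
    m = re.search(rf"\b{name}\(([^)]*)\)", text, re.I)
    return m.group(1).strip() if m else None


def racf_to_tss(line, dept=DEPT):
    """Translate one RACF SURROGAT command into its TSS equivalent commands.

    Returns (tss_commands, warning). The warning is set when the profile grants
    UACC(READ), which lets every EXCI user act as another userid (SURROGCHK=NO).
    """
    line = line.strip()
    m = RDEF_RE.match(line)
    if m:
        profile, operands = m.groups()
        uacc = (_operand(operands, "UACC") or "NONE").upper()
        cmds = [f"TSS ADD({dept}) SURROGAT({profile})"]
        warning = None
        if uacc == "READ":
            cmds.append(f"TSS PER(ALL) SURROGAT({profile}) ACCESS(READ)")
            warning = f"{profile}: UACC(READ) is equivalent to SURROGCHK=NO"
        elif uacc != "NONE":
            warning = f"{profile}: UACC({uacc}) is not covered by this mapping"
        return cmds, warning
    m = PERMIT_RE.match(line)
    if m:
        profile, operands = m.groups()
        if (_operand(operands, "CLASS") or "").upper() != "SURROGAT":
            raise ValueError(f"not a SURROGAT permit: {line}")
        acid = _operand(operands, "ID")
        access = (_operand(operands, "ACCESS") or "READ").upper()
        # The PER must be followed by a REFRESH so running jobs pick it up.
        return [f"TSS PER({acid}) SURROGAT({profile}) ACCESS({access})",
                f"TSS REFRESH({acid}) JOBNAME(*)"], None
    raise ValueError(f"unsupported RACF command: {line}")


def translate(lines, dept=DEPT):
    """Translate a list of RACF commands; returns (all TSS commands, all warnings)."""
    cmds, warnings = [], []
    for line in lines:
        if line.strip():
            c, w = racf_to_tss(line, dept)
            cmds.extend(c)
            if w:
                warnings.append(w)
    return cmds, warnings
```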