A PAGENT install is done according to "ACF2 equivalent to the RACF security setup for AT-TLS PAGENT"; however, the PAGENT job fails at startup with IEF453I PAGENT - JOB FAILED - JCL ERROR.
In the JOBLOG these messages are seen:
IGD04900I ATTEMPT TO GET FILE STATUS FOR A HFS FILE FAILED
RETURN CODE IS (0000006F) REASON CODE IS (EF076015)
FILENAME IS (/aaa/pagent/pagent.xxx)
IEF272I PAGENT PAGENT - STEP WAS NOT EXECUTED.
Release: 16.0
The ACFRPTRV report output shows this violation under type FSA at startup:
RFSA-OMVS.ZOS.xxxx.xxx *VIO RFSA-OMVS
uid STCINRDR TEST ACF9CFAT NO-REC - - UPDT
23.031 20/01 08.31 PAGENT PAGENT TCP/IP POLICY AGENT 0 8 0 0 16
SAF RESOURCE CLASS FSACCESS
RESOURCE NAME: OMVS.ZOS.xxxx.xxx
The FSACCESS resource class check is an optional high-level check. It was made available back in z/OS 1.12 and 1.13 to reduce I/O in zFS implementations. If the user is not authorized to this resource, no further checking is performed and the user is not allowed access to the zFS, even if they are a superuser.
The output of SHOW UNIXOPTS (from the TSO, ACF prompt) includes the text "HFS SECURITY ACTIVE: NO". zFS security is in effect and there are no ACF2 resource rules governing access to the file system. So when the FSACCESS resource validation fails, the job ends in error before zFS security validation occurs.
There are two choices here:
1) The appropriate resource rules are added to allow the FSACCESS validation to succeed - see KD 21731.
2) The FSACCESS checking is "turned off" with the following commands at the TSO ACF prompt:
SET CONTROL(GSO)
CHANGE UNIXOPTS BYP-FSA
F ACF2,REFRESH(UNIXOPTS)
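
The failure signature described above can be checked mechanically when reviewing a failed started task. The following is an added example, not part of the original article or any Broadcom tooling: it pairs the IGD04900I message from the joblog with FSACCESS violations from ACFRPTRV text. The function name `triage` and the assumption that both outputs have been saved as plain text are hypothetical.

```python
import re

# z/OS UNIX return code 0x6F (decimal 111) is EACCES, "permission denied".
EACCES = 0x6F

# IGD04900I spans three joblog lines: message, return/reason codes, file name.
IGD04900I = re.compile(
    r"IGD04900I.*?RETURN CODE IS \((?P<rc>[0-9A-F]{8})\)\s+"
    r"REASON CODE IS \((?P<rsn>[0-9A-F]{8})\).*?"
    r"FILENAME IS \((?P<path>[^)]+)\)", re.S)
# ACFRPTRV detail lines naming the SAF class and the resource that was checked.
SAF_CHECK = re.compile(
    r"SAF RESOURCE CLASS (?P<cls>\S+)\s+RESOURCE NAME: (?P<res>\S+)")

def triage(joblog, acfrptrv):
    """Pair each failed file-status check with any FSACCESS violations."""
    denied = [m["res"] for m in SAF_CHECK.finditer(acfrptrv)
              if m["cls"] == "FSACCESS"]
    findings = []
    for m in IGD04900I.finditer(joblog):
        rc = int(m["rc"], 16)
        findings.append({
            "path": m["path"],
            "return_code": rc,
            "reason_code": m["rsn"],
            "fsaccess_resources": denied,
            # EACCES plus an FSACCESS violation: the high-level check denied
            # access before file permissions were evaluated.
            "cause": "FSACCESS" if rc == EACCES and denied else "other",
        })
    return findings

# Sample input: the masked lines shown on this page.
JOBLOG = """\
IGD04900I ATTEMPT TO GET FILE STATUS FOR A HFS FILE FAILED
RETURN CODE IS (0000006F) REASON CODE IS (EF076015)
FILENAME IS (/aaa/pagent/pagent.xxx)
IEF272I PAGENT PAGENT - STEP WAS NOT EXECUTED.
"""
ACFRPTRV = """\
SAF RESOURCE CLASS FSACCESS
RESOURCE NAME: OMVS.ZOS.xxxx.xxx
"""

if __name__ == "__main__":
    for f in triage(JOBLOG, ACFRPTRV):
        print(f)
```

A finding with cause "FSACCESS" points to one of the two choices above; a cause of "other" means the EACCES came from a later check and the file permissions themselves should be reviewed.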