Multiple ACF2 rules required for JES2 spool encryption

Article ID: 385295

Products

ACF2, ACF2 - MISC, ACF2 - z/OS

Issue/Introduction

When the product E(JES) is used, JES2 spool encryption currently issues 2 different RACROUTE calls for the CSFKEYS class. The first call is an AUTH call without WHEN criteria. The second call is a FASTAUTH call with WHEN criteria. This causes confusion in ACF2 administration, both in resource access reporting and in rule writing.

Symptoms:

  • FASTAUTH loggings and violations do not automatically appear on the RV report
  • 2 different ACF2 rule entries are required to account for the discrepancy in the call

Resolution

To see potential FASTAUTH violations, either the user must have the TRACE bit set on their logonid or the CLASMAP definition for the CSFKEYS resource class must have LOG specified.

To grant access to both calls, 2 different ACF2 rules need to be written for the CSFKEYS resource class: one with and one without the WHEN criteria. 

Example:

$KEY(EXAMPLE) TYPE(CSF)
 KEY UID(uidstring) ALLOW
 KEY UID(uidstring) ALLOW WHEN(CRITERIA(SMS(DSENCRYPTION)))