ESP1253E error after updating to level 12.0.08

Article ID: 425021


Products

ESP Workload Automation

Issue/Introduction

After upgrading to version 12.0.08, users attempting to view logs hosted on distributed platform servers received the ESP1253E error message:

You are not permitted to issue verb xxxx to Agent yyyy

Environment

Component: ESP Workload Automation
Release: 12.0.08

Cause

Applying PTF LU11648

Explanation provided in the PTF:

                      ***************************                      
                      *       PUBLICATION       *                      
                      ***************************                      
                                                                       
The ESP Workload Automation core currently truncates all the resource names that are examined in authorization calls to the maximum security class length, which means that the users cannot use some of the security profiles that ESP examines to determine access rights.

The truncation is done by the security facility call itself, not by ESP directly.          

The only solution to this is to switch to a new security class, preferably the IBM-recommended XFACILIT.                               

However, another legacy limitation of ESP is not allowing the use of security classes with maximum length exceeding 128 characters.

This fix removes this length limitation. However, due to technical reasons, the fix also removes the resource name truncation.

This can lead to security violations, especially for RACF users, since RACF considers a resource name exceeding the security class limit to be a serious security violation and abends with 282-054.

To preserve compatibility with the previous behavior while the user is transitioning to the XFACILIT class, ESP introduces a new USERMOD 202, which forces ESP to truncate the resource names before performing the security calls.

Resolution

There are two possible solutions:

  • If you are not using the XFACILIT security class, turn USERMOD 202 ON after installing this PTF.
  • After migrating to the XFACILIT security class, turn USERMOD 202 OFF.
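
The effect of the two USERMOD 202 settings on a set of resource names can be modeled offline before changing either setting. The following is an added example, not code from the PTF or from ESP; the resource names, their format and both class length limits are constructed assumptions.

```python
from collections import defaultdict

# Assumed limits, not taken from the article: check your own class definitions.
CURRENT_CLASS_MAX = 39    # hypothetical limit of the class in use today
WIDER_CLASS_MAX = 246     # hypothetical limit of the class being migrated to

# Constructed resource names; the real ESP resource name format may differ.
SAMPLE_NAMES = [
    "SAMPLE.PREFIX.AGENT.AIX01.VERB_A",
    "SAMPLE.PREFIX.AGENT.DISTRIBUTED_SERVER_01.VERB_A",
    "SAMPLE.PREFIX.AGENT.DISTRIBUTED_SERVER_02.VERB_B",
]

def audit(names, class_max_len, usermod_202_on):
    """Model what reaches the security call for each resource name.

    usermod_202_on=True  : names are cut to class_max_len before the call.
    usermod_202_on=False : names are passed unchanged, so an over-limit name
                           reaches the security product as-is.
    """
    report = {"ok": [], "truncated": [], "over_limit": []}
    checked_as = defaultdict(list)   # name actually checked -> original names
    for name in names:
        if len(name) <= class_max_len:
            report["ok"].append(name)
            checked_as[name].append(name)
        elif usermod_202_on:
            short = name[:class_max_len]
            report["truncated"].append((name, short))
            checked_as[short].append(name)
        else:
            report["over_limit"].append(name)
    # Distinct names that end up checked against the same (truncated) string
    # cannot be given different access rules.
    report["collisions"] = {k: v for k, v in checked_as.items() if len(v) > 1}
    return report

if __name__ == "__main__":
    for label, limit, on in [("current class, USERMOD 202 ON", CURRENT_CLASS_MAX, True),
                             ("current class, USERMOD 202 OFF", CURRENT_CLASS_MAX, False),
                             ("wider class, USERMOD 202 OFF", WIDER_CLASS_MAX, False)]:
        r = audit(SAMPLE_NAMES, limit, on)
        print(f"{label}: ok={len(r['ok'])} truncated={len(r['truncated'])} "
              f"over_limit={len(r['over_limit'])} collisions={len(r['collisions'])}")
```

Names reported under `over_limit` are the ones that would reach the security product longer than the class allows when USERMOD 202 is OFF; names under `collisions` are the ones whose profiles cannot be told apart while truncation is in effect.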