During an IPL started tasks(STC) such as OPSMVS which start before ACF2 gets fully activated get the following ACF2 message: ACF01004 LOGONID +xxxxxx NOT FOUND ; how is this resolved? And where does the "+" sign come from?

Release: ACF2 r16.0

The ACF01004 LOGONID +xxxxxx NOT FOUND is issued because ACF2 is not fully active to complete the verification process.  It is recommended that ACF2 be fully operational before starting tasks such as OPSMVS.

By MVS/RACF convention, userids beginning with a plus sign ('+') are reserved for use by 'system tasks', such as MASTER and CONSOLE.  

In an ACF2 environment, the use and convention of these logonids remains (as that's how the MVS tasks init themselves), but the use of such LOGONIDs is not restricted to only these system tasks.   

When RACROUTE REQUEST=VERIFY,ENVIR=CREATE,PASSCHK=NO calls are issued for such LOGONIDs, ACF2 processes them as system tasks. The result is a valid ACEE, which addresses (for performance reasons) a 'dummy' ACUCB/LIDREC for the address space LOGONID.  

The recommended solution is to create a CAISEC00 member in the system PARMLIB to automatically start ACF2 after security subsystem initialization to ensure that ACF2 starts before any other started tasks.  There are a handful of exceptions like MASTER, DUMPSRV, CONSOLE, SMF, and a few other system tasks that do start before ACF2.  The CAISEC00 member can point to another CAISECxx member.  The CAISEC00 or CAISECxx member then specifies:

ACF2 (00 START)

which starts ACF2 and points to member CAIACF00 that contains the ACF2 startup parameters. 

See Perform ACF2 System Initialization for details on CAISEC00 configuration for deatils on how to start ACF2 automatically through a CAISEC00 member in SYS1.PARMLIB.

This is documented in the ACF2 Installation Guide in Chapter 5 (Starting Your Product) under "CA ACF2 System Initialization."