The ACF2 SECTRACE utility can be used to verify that the abend is caused by a RACROUTE STATUS=ACCESS call in addition to the program that is making the call.
The SECTRACE can be set from the console as follows:
SECTRACE SET,ID=TEST,TRACE=ALL,FMT=DUMP,DEST=JOBLOB,TYPE=SAFP nn CAS21200 SPECIFY RACROUTE PARAMETERS, CANCEL OR END r nn,REQUEST=AUTH,END nn CAS212210 CONTINUE SAF RACROUTE SPECIFICATIONS, CANCEL, OR END r nn,END nn CAS21100 CONTINUE SECTRACE SPECIFICATIONS, CANCEL, OR END r nn,END CAS21110 SECTRACE SET ON 02.026 13:01:52 ID=TEST
The failing RACROUTE call for the IBM File Manager product looks like:
SMFID= SYS1 TOD= 08:27:45.35 TRACEID= TEST USERID= USER01 JOBNAME= JOBX062 ASID= 008F PGM= FMNMAIN CURR RB= FMNMAIN SFR/RFR= N/A MODE= TASK APF= NON-AUTHORIZED LOCKS= NONE
RACROUTE REQUEST=AUTH,CLASS='FACILITY',RELEASE=1.9,STATUS=ACCESS, ATTR=READ,DSTYPE=N,ENTITY=('FILEM.PARMLIB.BASE'),FILESEQ=0, GENERIC=ASIS,LOG=ASIS,MSGSP=0,TAPELBL=STD,WORKA=
To avoid the S047 abend, an ACF2 GSO SAFDEF can be coded to bypass the APF authorization check for the STATUS=ACCESS RACROUTE call.
The RACROUTE STATUS=ACCESS call permits a user to interrogate security definitions (access and resource rules) to determine access levels for a user. No auditing is done for this request.
In order to maintain system integrity, ACF2 requires that a user be APF authorized to access security definitions. Because the IBM File Manager program FMNMAIN and FMNMIMS are not APF authorized, ACF2 will abend the task with an S047 abend.
To accommodate this situation, ACF2 will allow the security administrator to define the specific calls for which the APF authorization check for STATUS=ACCESS will be bypassed.
CA's policy is that allowing non-APF authorized users this knowledge is a security exposure. Shops who do not want to allow this call should contact the vendor of the product and request that the STATUS=ACCESS calls be made in an APF authorized environment.
The bypassing of the authorization check in ACF2 is done through use of the 'NOAPFCHK' keyword added to the GSO SAFDEF record. 'NOAPFCHK' will only be honored for STATUS=ACCESS calls. An example of the SAFDEF used for the IBM File Manager product follows:
ACF SET CONTROL(GSO) INSERT SAFDEF.apf PROGRAM(FMNMAIN) RB(FMNMAIN) NOAPFCHK - RACROUTE(REQUEST=AUTH,CLASS=FACILITY,STATUS=ACCESS) INSERT SAFDEF.apf2 PROGRAM(FMNMIMS) RB(FMNMIMS) NOAPFCHK - RACROUTE(REQUEST=AUTH,CLASS=FACILITY,STATUS=ACCESS) INSERT SAFDEF.apf3 PROGRAM(FMNMAIN) RB(FMNMAIN) NOAPFCHK - RACROUTE(REQUEST=AUTH,CLASS=XFACILIT,STATUS=ACCESS) INSERT SAFDEF.apf4 PROGRAM(FMNMIMS) RB(FMNMIMS) NOAPFCHK - RACROUTE(REQUEST=AUTH,CLASS=XFACILIT,STATUS=ACCESS) F ACF2,REFRESH(SAFDEF)
Details on the ACF2 SAFDEF can be found in the ACF2 Security for z/OS Administrator Guide in Chapter 14: Maintaining Global System Options Records, section "Environments for SAF Calls (SAFDEF)".