Batch jobs submitted via OTMA to MQ are failing with ACF01007 PASSWORD REQUIRED. How can this be corrected?


Article ID: 50868


Updated On:

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

Description:

Batch jobs submitted via OTMA to MQ are failing with the message ACF01007 PASSWORD REQUIRED. This started occurring after an upgrade of ACF2 and z/OS. No changes were made to ACF2 rules or userids.

Solution:

MQ issues a VERIFYX signon request with PASSCHK=YES, but no password is available through OTMA. To handle this situation, ACF2 issues an AUTH request with the class of VERPSWD and a resource of userid.NOPSWD to validate whether the address space should proceed with the signon. 'userid' is the logonid shown in the ACF01007 message. If the VERPSWD validation fails, the ACF01007 message is generated and the signon fails. If the VERPSWD validation is successful, the signon proceeds without a password.

ACF2 provides a CLASMAP to map VERPSWD to the resource type of PWD. A rule can be written to allow the MQ id access to resource userid.NOPSWD with the type PWD, e.g., $KEY(userid.NOPSWD) TYPE(PWD). This rule will allow the signon to bypass the request for a password.

To confirm that a failed VERPSWD validation is the cause of the ACF01007 message, you can set a SAF SECTRACE on the MQ address space. An example of the expected trace output follows. Since this trace was set with the default of TRACE=AFTER, only the "after" trace records are shown. As a result, the VERIFYX and the AUTH calls appear to be in the wrong order: the requests are "nested", so the inner AUTH call completes first, and the "before" records that would show VERIFYX starting are not included.

The SECTRACE shows that the MQ address space fails the VERIFYX signon request with PASSCHK=YES. The VERIFYX signon request failed because the VERPSWD validation failed. The VERPSWD validation failed in this case because there was no PWD-type rule for USER1.NOPSWD. After adding a rule to allow MQ access to this resource, the VERPSWD validation was successful and the VERIFYX signon was successful.

From the SECTRACE:

SMFID= SYSX TOD= 11:56:22.45 TRACEID= MQ USERID= MQXXXXX 
JOBNAME= MQXXXXX ASID= 0074 PGM= CSQVEUS3 CURR RB= SVC229   
SFR/RFR= 8/8:0 MODE= TASK APF= AUTHORIZED LOCKS= NONE   
SAFDEF= GENAUTH INTERNAL MODE= GLOBAL   
   
RACROUTE REQUEST=AUTH,REQSTOR='ACF01VAL',CLASS='VERPSWD',RELEASE=1.9,   
          STATUS=NONE,ATTR=READ,DSTYPE=N,ENTITYX=('USER1.NOPSWD'),   
         FILESEQ=0,GENERIC=ASIS,LOG=NOFAIL,MSGSP=0,TAPELBL=STD,   
          USERID='MQXXXXX',WORKA=   
   
SMFID= SYSX TOD= 11:56:22.45 TRACEID= MQ USERID= MQXXXXX   
JOBNAME= MQXXXXX ASID= 0074 PGM= CSQVEUS3 CURR RB= CSQVEUS3   
SFR/RFR= 8/8:0 MODE= TASK APF= AUTHORIZED LOCKS= NONE   
SAFDEF= VERIFYX INTERNAL MODE= GLOBAL   
 
RACROUTE REQUEST=VERIFYX,RELEASE=2.1,STAT=ASIS,SMC=NO,ENVIR=CREATE,   
         ENCRYPT=YES,LOG=ASIS,MSGSP=0,PASSCHK=YES, <-------requesting a password   
         PASSWRD='*SUPPRESSED*',TOKNOUT=,USERID='USER1',WORKA=
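
A small parser for trace records like the ones above, as an added example that is not part of the original article or the vendor's tooling: it pairs each VERIFYX PASSCHK=YES signon with its nested VERPSWD AUTH check, whatever order the "after" records arrive in, and returns the PWD-type rule key that signon depends on. The function names and the abridged sample trace are constructed for illustration.

```python
import re

# Constructed sample: the two TRACE=AFTER records from the article, abridged.
SAMPLE_TRACE = """\
SMFID= SYSX TOD= 11:56:22.45 TRACEID= MQ USERID= MQXXXXX
JOBNAME= MQXXXXX ASID= 0074 PGM= CSQVEUS3 CURR RB= SVC229
SAFDEF= GENAUTH INTERNAL MODE= GLOBAL

RACROUTE REQUEST=AUTH,REQSTOR='ACF01VAL',CLASS='VERPSWD',RELEASE=1.9,
          STATUS=NONE,ATTR=READ,DSTYPE=N,ENTITYX=('USER1.NOPSWD'),
          USERID='MQXXXXX',WORKA=

SMFID= SYSX TOD= 11:56:22.45 TRACEID= MQ USERID= MQXXXXX
JOBNAME= MQXXXXX ASID= 0074 PGM= CSQVEUS3 CURR RB= CSQVEUS3
SAFDEF= VERIFYX INTERNAL MODE= GLOBAL

RACROUTE REQUEST=VERIFYX,RELEASE=2.1,STAT=ASIS,SMC=NO,ENVIR=CREATE,
         ENCRYPT=YES,LOG=ASIS,MSGSP=0,PASSCHK=YES, <-------requesting a password
         PASSWRD='*SUPPRESSED*',TOKNOUT=,USERID='USER1',WORKA=
"""

def parse_records(trace):
    """Return one dict of RACROUTE keywords (plus JOBNAME) per trace record."""
    records = []
    for chunk in re.split(r"(?m)^[ \t]*(?=SMFID=)", trace):
        if "RACROUTE" not in chunk:
            continue
        # Drop hand-written "<----" notes, then join the continuation lines.
        call = re.sub(r"<-+.*", "", chunk.split("RACROUTE", 1)[1])
        call = "".join(call.split())
        rec = dict(re.findall(r"(\w+)=\(?'?([^',)]*)", call))
        job = re.search(r"JOBNAME=\s*(\S+)", chunk)
        rec["JOBNAME"] = job.group(1) if job else ""
        records.append(rec)
    return records

def verpswd_checks(trace):
    """Match VERPSWD AUTH checks to the password-checked signons they gate."""
    recs = parse_records(trace)
    # First pass: with TRACE=AFTER the VERIFYX record follows its nested AUTH.
    signons = {r.get("USERID") for r in recs
               if r.get("REQUEST") == "VERIFYX" and r.get("PASSCHK") == "YES"}
    found = []
    for r in recs:
        if r.get("REQUEST") == "AUTH" and r.get("CLASS") == "VERPSWD":
            entity = r.get("ENTITYX", "")
            user, _, suffix = entity.rpartition(".")
            if suffix == "NOPSWD" and user in signons:
                found.append({"requester": r.get("USERID"), "job": r["JOBNAME"],
                              "rule_key": f"$KEY({entity}) TYPE(PWD)"})
    return found
```

Each returned entry names the address space that made the request, so any rule written for the listed key can be limited to that id.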

Environment

Release:
Component: ACF2MS
