Batch jobs submitted via OTMA to MQ are failing with the message ACF01007 PASSWORD REQUIRED. This started occurring after an upgrade of ACF2 and Z/OS. No changes were made to ACF2 rules or userids.
MQ issues a VERIFYX signon request with PASSCHK=YES, but no password is available through OTMA. To handle this situation ACF2 issues an AUTH request with the class of VERPSWD and a resource of userid.NOPSWD to validate whether the address space should proceed with the signon. 'userid' is the logonid shown in the ACF01007 message. If the VERPSWD validation fails, the ACF01007 message is generated and the signon fails. If the VERPSWD validation is successful, the signon proceeds without a password.
ACF2 provides a CLASMAP to map VERPSWD to the resource type of PWD. A rule can be written to allow the MQ id access to resource userid.NOPSWD with the type PWD, e.g., $KEY(userid.NOPSWD) TYPE(PWD). This rule will allow the signon to bypass the request for a password.
To confirm that a failed VERPSWD validation is the cause of the ACF01007 message you can set a SAF SECTRACE on the MQ address space. An example of the expected trace output follows. Since this trace was set with the default of TRACE=AFTER, only the "after" trace records are shown. This results in the VERIFYX and the AUTH calls appearing to be in the wrong order. This is because the requests are "nested" and the "before" records are not included.
The SECTRACE shows that the MQ address space fails the VERIFYX signon request with PASSCHK=YES. The VERIFYX signon request failed because the VERPSWD validation failed. The VERPSWD validation failed in this case because there was no PWD-type rule for USER1.NOPSWD. After adding a rule to allow MQ access to this resource, the VERPSWD validation was successful and the VERIFYX signon was successful.
From the SECTRACE:
SMFID= PRD1 TOD= 11:56:22.45 TRACEID= MQ USERID= QMP1MSTR JOBNAME= QMP1MSTR ASID= 0074 PGM= CSQVEUS3 CURR RB= SVC229 SFR/RFR= 8/8:0 MODE= TASK APF= AUTHORIZED LOCKS= NONE SAFDEF= GENAUTH INTERNAL MODE= GLOBAL RACROUTE REQUEST=AUTH,REQSTOR='ACF01VAL',CLASS='VERPSWD',RELEASE=1.9, STATUS=NONE,ATTR=READ,DSTYPE=N,ENTITYX=('USER1.NOPSWD'), FILESEQ=0,GENERIC=ASIS,LOG=NOFAIL,MSGSP=0,TAPELBL=STD, USERID='QMP1MSTR',WORKA= SMFID= PRD1 TOD= 11:56:22.45 TRACEID= MQ USERID= QMP1MSTR JOBNAME= QMP1MSTR ASID= 0074 PGM= CSQVEUS3 CURR RB= CSQVEUS3 SFR/RFR= 8/8:0 MODE= TASK APF= AUTHORIZED LOCKS= NONE SAFDEF= VERIFYX INTERNAL MODE= GLOBAL RACROUTE REQUEST=VERIFYX,RELEASE=2.1,STAT=ASIS,SMC=NO,ENVIR=CREATE, ENCRYPT=YES,LOG=ASIS,MSGSP=0,PASSCHK=YES, <-------requesting a password PASSWRD='*SUPPRESSED*',TOKNOUT=,USERID='USER1',WORKA=