Security Violation at CA ENF/CCI startup, even if no CCI PROTOCOL statement is specified for TCP/IP services.


Article ID: 54441


Updated On:

Products

CA 1 Flexible Storage CA 1 Tape Management - Copycat Utility CA 1 Tape Management - Add-On Options Compress Data Compression for MVS Compress Data Compression for Fujitsu Datacom DATACOM - AD CIS COMMON SERVICES FOR Z/OS 90S SERVICES DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS COMMON PRODUCT SERVICES COMPONENT Common Services CA ECOMETER SERVER COMPONENT FOC Easytrieve Report Generator for Common Services INFOCAI MAINTENANCE IPC UNICENTER JCLCHECK COMMON COMPONENT Mainframe VM Product Manager CHORUS SOFTWARE MANAGER CA ON DEMAND PORTAL CA Service Desk Manager - Unified Self Service PAM CLIENT FOR LINUX ON MAINFRAME MAINFRAME CONNECTOR FOR LINUX ON MAINFRAME GRAPHICAL MANAGEMENT INTERFACE WEB ADMINISTRATOR FOR TOP SECRET Xpertware

Issue/Introduction

Description

When starting the CA ENF started task (STC), you may get a security violation on the SERVAUTH class. This violation can occur even if you have not set up CCI (within the ENF or CCI parameters) to establish a TCP/IP connection to other CA products.

The following are examples of the security violation you may experience:

With RACF:

  ICH408I USER(MXSTC1  ) GROUP(MXSTC   ) NAME(STARTED.TASK 
  EZB.STACKACCESS.ssis.TCPIP CL(SERVAUTH) 
  INSUFFICIENT ACCESS AUTHORITY 
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   ) 

Or with CA TOP-SECRET:

  TSS7250E 136 J=ENF A=TCPIP TYPE=SERVAUTH RESOURCE=EZB.STACKACCESS.ssid.TCPIP
  TSS7251E Access Denied to SERVAUTH <EZB.STACKACCESS.ssid.TCPIP>

Solution

The SERVAUTH class is now checked when the CAICCI subtask is being initialized. As part of normal initialization, CCI attempts to get as much network information as possible, including the host name of the system it is executing on. To obtain this information, CCI issues the standard TCP/IP function calls GETHOSTID and GETHOSTNAME. This is done regardless of the CCI PROTOCOL that has been defined.

As a result, you need to grant READ access for the EZB.STACKACCESS resource to the userid assigned to the ENF started task.
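
As an added example (not part of the original article and not CA code), the Python script below scans saved console-log text for the two violation forms quoted above and, for a RACF READ denial, builds the PERMIT command that grants READ on exactly the denied resource rather than a broader profile. The system name SYSA, the function names and the assumption that a SERVAUTH profile with the denied resource name already exists are assumptions of this example.

```python
import re

# Constructed console-log text modelled on the two messages quoted in the
# article; the system name SYSA is a made-up placeholder.
SAMPLE_LOG = """\
ICH408I USER(MXSTC1  ) GROUP(MXSTC   ) NAME(STARTED.TASK
  EZB.STACKACCESS.SYSA.TCPIP CL(SERVAUTH)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
TSS7250E 136 J=ENF A=TCPIP TYPE=SERVAUTH RESOURCE=EZB.STACKACCESS.SYSA.TCPIP
TSS7251E Access Denied to SERVAUTH <EZB.STACKACCESS.SYSA.TCPIP>
"""

# One whole ICH408I message (it spans several lines), never crossing into the next.
RACF_MSG = re.compile(r"ICH408I(?:(?!ICH408I).)*?ACCESS ALLOWED\((?P<allowed>[^)]*)\)", re.S)
RACF_FIELDS = re.compile(
    r"USER\((?P<user>[^)]*)\).*?(?P<res>EZB\.STACKACCESS\.\S+)\s+CL\((?P<cls>[^)]*)\)"
    r".*?ACCESS INTENT\((?P<intent>[^)]*)\)", re.S)
TSS_MSG = re.compile(
    r"TSS7250E \d+ J=(?P<job>\S+) A=\S+ TYPE=SERVAUTH RESOURCE=(?P<res>EZB\.STACKACCESS\.\S+)")


def stackaccess_denials(log):
    """Return one record per SERVAUTH EZB.STACKACCESS denial in the log text."""
    found = []
    for msg in RACF_MSG.finditer(log):
        f = RACF_FIELDS.search(msg.group(0))
        if f and f["cls"].strip() == "SERVAUTH":
            found.append({"esm": "RACF", "who": f["user"].strip(), "resource": f["res"],
                          "intent": f["intent"].strip(), "allowed": msg["allowed"].strip()})
    for m in TSS_MSG.finditer(log):
        # TSS7250E names the job (J=); the record keeps that, not a user ID.
        found.append({"esm": "TSS", "who": m["job"], "resource": m["res"],
                      "intent": None, "allowed": None})
    return found


def racf_grant(denial):
    """RACF commands granting READ on exactly the denied resource. Assumes a
    SERVAUTH profile of that name exists and the class is RACLISTed."""
    if denial["esm"] != "RACF" or denial["intent"] != "READ":
        raise ValueError("only RACF READ denials are handled here")
    return [f"PERMIT {denial['resource']} CLASS(SERVAUTH) ID({denial['who']}) ACCESS(READ)",
            "SETROPTS RACLIST(SERVAUTH) REFRESH"]


if __name__ == "__main__":
    for d in stackaccess_denials(SAMPLE_LOG):
        print(d)
        if d["esm"] == "RACF":
            print("\n".join(racf_grant(d)))
```

For the CA Top Secret record the script only reports the job and resource; which ACID receives the permit is left to the administrator.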

Environment

Release:
Component: ENF