System Abend Code S047 is seen
Component: ACF2MS
The resolution process was made necessary in 2018 by IBM PTFs UA76980 and UA76979, which relate to SSL processing.
RACF does not require APF authorization for the affected RACROUTE call, but ACF2 DOES require APF authorization because it shows a user's access to a resource.
Required Updates
The solution is to create a GSO SAFDEF record to allow the call to run NON-APF authorized. The situation has been seen in different environments where SSL is involved.
1) One environment was within CA LDAP Server, which runs entirely out of a USS environment. When that is the case, the SAFDEF should be coded as...
ACF
SET CONTROL(GSO)
INSERT SAFDEF.NOAPF ID(@NOAPF) PROGRAM(*PATHNAM) RB(*PATHNAM) NOAPFCHK -
RACROUTE(REQUEST=AUTH,CLASS=XFACILIT,STATUS=ACCESS)
F ACF2,REFRESH(SAFDEF)
END
Note: *PATHNAM is the actual name used for programs in the USS environment. This will allow the RACROUTE to process.
2) If the environment that is getting the S047 abend is in MQ series, the SAFDEF should be coded as...
ACF
SET CONTROL(GSO)
INSERT SAFDEF.NOAPF ID(@NOAPF) PROGRAM(CSQXSERV) RB(CSQXSERV) NOAPFCHK -
RACROUTE(REQUEST=AUTH,CLASS=XFACILIT,STATUS=ACCESS)
F ACF2,REFRESH(SAFDEF)
END
3) If the environment that is getting the S047 abend is in HTTP Server (IMWEBSRV), the SAFDEF should be coded as...
ACF
SET CONTROL(GSO)
INSERT SAFDEF.NOAPF ID(@NOAPF) PROGRAM(IMWHTTPD) RB(IMWHTTPD) NOAPFCHK -
RACROUTE(REQUEST=AUTH,CLASS=XFACILIT,STATUS=ACCESS)
F ACF2,REFRESH(SAFDEF)
END
ACTIONS TO TAKE:
1) Create the appropriate SAFDEF, refresh the in-storage SAFDEF table with the F ACF2,REFRESH(SAFDEF) command, and then recreate the situation.
2) If the S047 still occurs after the SAFDEF is established,
a) run an ACF2 SAF SECTRACE so that the PROGRAM and RB values for the SAFDEF can be obtained:
ST SET,ID=APF,JOBNAME=xxxxxxxx,FORMAT=DUMP,TRACE=ALL,END
b) run ACFRPTST with the DETAIL option. NOTE: If the SECTRACE is not run with the TRACE=ALL/DETAIL option, you will not see the RACROUTE request in the SECTRACE report.
c) review the ACFRPTST report.
A SECTRACE record consists of two types of entries.
A "BEFORE" entry (before ACF2 has processed the request). The text 'SFR/RFR= N/A' is seen.
An "AFTER" entry (after ACF2 has processed the request). The text 'SFR/RFR= n/n:n' is seen.
When a RACROUTE request abends, you will only see the "BEFORE" entry.
When you see that the "before" entry does not have an "AFTER" entry, use the PROGRAM and RB values to create the SAFDEF.
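The BEFORE/AFTER pairing check described above, as an added example (not CA/Broadcom code): it scans saved ACFRPTST report text and lists each BEFORE entry that has no AFTER entry, so the PROGRAM and RB values can be read from those entries. It assumes entries are in time order and relies only on the two SFR/RFR= markers named above; the sample lines are constructed and do not reproduce the real report layout.

```python
import re

# Marker the page says appears in SECTRACE entries; its value decides the entry type.
MARKER = re.compile(r"SFR/RFR=\s*(\S+)")

def unpaired_before_entries(report_lines):
    """Return (line_number, text) for each BEFORE entry with no AFTER entry after it.

    Assumption: entries are in time order, and an AFTER entry follows its
    BEFORE entry before the next BEFORE entry appears.
    """
    unpaired = []
    pending = None  # most recent BEFORE entry still waiting for its AFTER entry
    for number, line in enumerate(report_lines, start=1):
        match = MARKER.search(line)
        if not match:
            continue  # detail line, not the line carrying the marker
        if match.group(1).upper() == "N/A":   # BEFORE entry
            if pending is not None:
                unpaired.append(pending)      # previous BEFORE never completed
            pending = (number, line.strip())
        else:                                 # AFTER entry (SFR/RFR= n/n:n)
            pending = None
    if pending is not None:
        unpaired.append(pending)
    return unpaired

# Constructed sample, NOT real ACFRPTST output: only the SFR/RFR= markers come from the page.
SAMPLE = """\
entry-1 (constructed) SFR/RFR= N/A
  detail line (constructed)
entry-1 (constructed) SFR/RFR= 0/0:0
entry-2 (constructed) SFR/RFR= N/A
  detail line (constructed)
entry-3 (constructed) SFR/RFR= N/A
entry-3 (constructed) SFR/RFR= 4/4:0
""".splitlines()

if __name__ == "__main__":
    for number, text in unpaired_before_entries(SAMPLE):
        print(f"line {number}: BEFORE entry with no AFTER entry: {text}")
```

If the trace covers several concurrent tasks, entries may interleave, so confirm each flagged entry against the report before coding the SAFDEF.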
For details on the ACF2 SAF SECTRACE operator command see ACF2 Techdocs: Trace SAF requests