I applied IBM maintenance (OA49905) NEW FUNCTION - HONOR CHKAUTH=NO ON RACROUTE REQUEST=DEFINE,TYPE=ADDVOL and now I get ACF2 violations against garbage dataset names.


Article ID: 6985


Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

After implementing relatively current z/OS maintenance, we have several jobs that fail.

Jobs that worked for years start failing with spurious or unpredictable security violations.

ACF2 HIPER RO91013 was identified as the fix for this condition. However, there is no information on what this APAR 'fixes'.

 

What is broken that needs fixing?

 

RACROUTE 'define' calls to SAF receive a not-authorized response for the define, and the dataset name shown in the violation is garbage.

 

                     ACF99913 ACF2 VIOLATION-08,06,logonid,VOL123,VOL456hsjns........¬@..¬ 

or: 

                     ACF99058 INVALID DSN SLRG0G....... .........@[email protected]\E..\ OR LIB

 

Message ACF99058 may be issued instead of ACF99913.

 

Since there are no rules to authenticate the 'garbage' dataset name, ACF2 generates a violation.
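
One way to separate these spurious violations from genuine ones when reviewing a log extract, as an added example (not Broadcom or IBM code): it checks the dataset name in each ACF99913 message against z/OS dataset naming syntax. The field layout is assumed from the sample message above, and the logonids and log lines are constructed.

```python
import re

# One dataset-name qualifier: 1-8 chars, first is A-Z or national (#, @, $),
# the rest may also be digits or a hyphen (standard z/OS naming rules).
QUALIFIER = re.compile(r"[A-Z#@$][A-Z0-9#@$-]{0,7}\Z")

# Field layout is an assumption taken from the sample line on this page:
# ACF99913 ACF2 VIOLATION-<type>,<code>,<logonid>,<volser>,<dsn>
ACF99913 = re.compile(r"ACF99913 ACF2 VIOLATION-([^,]*),([^,]*),([^,]*),([^,]*),(.*)")


def is_valid_dsn(dsn: str) -> bool:
    """True when dsn follows z/OS dataset naming syntax (max 44 characters)."""
    if not 1 <= len(dsn) <= 44:
        return False
    return all(QUALIFIER.match(q) for q in dsn.split("."))


def triage(lines):
    """Return (logonid, volser, dsn, verdict) for each relevant message."""
    findings = []
    for line in lines:
        if "ACF99058 INVALID DSN" in line:
            # ACF2 itself rejected the name, so it is already known to be malformed.
            raw = line.split("INVALID DSN", 1)[1].strip()
            findings.append((None, None, raw, "garbage-dsn"))
            continue
        m = ACF99913.search(line)
        if m:
            _, _, lid, vol, dsn = (f.strip() for f in m.groups())
            # A well-formed name means a real rule miss that deserves review.
            verdict = "review" if is_valid_dsn(dsn) else "garbage-dsn"
            findings.append((lid, vol, dsn, verdict))
    return findings


# Constructed sample lines modelled on the messages shown above.
SAMPLE = [
    "ACF99913 ACF2 VIOLATION-08,06,USER01,VOL123,VOL456hsjns........\u00ac@..\u00ac",
    "ACF99913 ACF2 VIOLATION-08,06,USER02,VOL789,PROD.PAYROLL.MASTER",
    "ACF99058 INVALID DSN SLRG0G....... ......... OR LIB",
    "IEF403I PAYJOB1 - STARTED",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Entries marked garbage-dsn match the symptom described here; entries marked review carry a syntactically valid dataset name and should be checked against the access rules as usual.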

Environment

Release: ACF2..001AO-16-ACF2
Component:

Resolution

IBM APAR OA49905 changed the IBM code so that, during a SAF REQUEST=DEFINE,TYPE=ADDVOL, CHKAUTH= is changed from NO to YES.

ACF2 HIPER RO91013 was introduced to address this IBM change.

IBM Problem summary
APAR / OA49905: NEW FUNCTION - HONOR CHKAUTH=NO ON RACROUTE REQUEST=DEFINE,TYPE=ADDVOL

    ****************************************************************
    * USERS AFFECTED: Users of the RACROUTE REQUEST=DEFINE,
    *                 TYPE=ADDVOL who wish to suppress the
    *                 authorization check that is performed.
    ****************************************************************
    * PROBLEM DESCRIPTION: Users of a RACROUTE REQUEST=DEFINE,
    *                      TYPE=ADDVOL cannot suppress the
    *                      authorization check that is performed.
    ****************************************************************
    * RECOMMENDATION:
    ****************************************************************

    CHKAUTH=NO is now honored on a RACROUTE
    REQUEST=DEFINE,TYPE=ADDVOL.

 

Additional Notes:

For ACF2 R15.0 - HIPER is RO91013

For ACF2 R16.0 - HIPER is RO91270