*30*-1A violations on POE Source after applying RO96857


Article ID: 8153


Products

CA Top Secret, CA Top Secret - LDAP

Issue/Introduction

Clients running Top Secret release 16.0 have seen Source failures after applying fix RO96857.  

The following messages have been reported:

TSS7171E Unauthorized Source of System Entry.
TSS7100E 026 J=jobname A=acid F=facility - Invalid Source

A TSSUTIL Violation report will show a *30*-1A violation:

DATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VC PROGRAM R-ACCESS A-ACCESS SRC/DRC SEC JOBID TERMINAL 
RESOURCE TYPE & NAME
-------- -------- ----- -------- -------- -------- ---- -- -------- -------- -------- ------- --- ------- -------- 
09/11/17 06:07:11 CMCZ ZSYSCON CONSOLE CONSOLE FAIL 01 IEAVMQWR *30*-1A INI ZSYSCON 
RESOURCE TYPE & NAME : NAME=ZSYSCON 
09/11/17 06:07:17 SYS1 TCPIPACID TCPIPACID TCPIP FAIL 01 DSNVEUSA *30*-1A INI TCPIP
RESOURCE TYPE & NAME : NAME=TCPIP  

Cause

In Top Secret release 16.0 a hole was closed in Source processing by PTF RO96857.
Prior to RO96857, RACROUTE calls with a POE= were not going through SOURCE security processing.  
SOURCE restrictions were honored only if a TERMID= was passed on the RACROUTE REQUEST=VERIFY,ENVIR=CREATE.
If a POE= was passed on the RACROUTE REQUEST=VERIFY,ENVIR=CREATE security call, no Source processing was done.
After applying RO96857, TSS will honor the value passed in the POE= and check for a SOURCE restriction in the user's record or profile.  If the acid has a SOURCE restriction that does NOT match the value passed in the POE=, then the sign on will fail with TSS7171E Unauthorized Source of System Entry.

This applies to all applications that pass a RACROUTE REQUEST=VERIFY,ENVIR=CREATE with a POE=.
The original problem was found when signing on to CA-Sysview, and the PTF description may lead you to incorrectly believe this only affects CA-Sysview.

Environment

Top Secret release 16.0 with RO96857 applied.

Resolution

If the number of acids and Source violations is minimal, then it is best to issue the Source(s) to the acid(s) without using OPTIONS(88):
TSS ADD(acid/profile) SOURCE(source)

If there is a large number of failures occurring then clients can activate OPTIONS(88) in the TSS parameter file.
With fix RO96857, along with setting OPTIONS(88), if a RACROUTE REQUEST=VERIFY,ENVIR=CREATE with POE= is issued, and the acid has a SOURCE restriction that does NOT match the POE= passed, we will allow the call to succeed but log it with the following message to our ATF file:
++ TSS ADD(acid/profile) SOURCE(xxxxxxxx)
Where xxxxxxxx is the POE passed on the RACROUTE security call.

The commands will be seen in the TSSUTIL Violation Report.

Example of TSSUTIL Violation Report (LONG):
DATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VC PROGRAM R-ACCESS A-ACCESS SRC/DRC SEC JOBID TERMINAL RESOURCE TYPE & NAME
-------- -------- ----- -------- -------- -------- ---- -- -------- -------- -------- ------- --- ------- --------
01/19/17  09:16:58  XE56  BAXTH03   BAXTH01E  BATCH FAIL  01  VYPOESER  *30*-1A  INI  J066203 A58LPOE                    RESOURCE  TYPE & NAME :  NAME=++ TSS ADD(acid/profile) SOURCE(A58LPOE )   


Example of TSSUTIL Violation Report:
DATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VC PROGRAM R-ACCESS A-ACCESS SRC/DRC SEC JOBID TERMINAL
-------- -------- ----- -------- -------- -------- ---- -- -------- -------- -------- ------- --- ------- -------- 
09/14/17 09:14:49 DEV1 P0CCRUPD JES2 J F 01 HA$PSUBS *30*-1A VFX ++ TSS ADD(acid/profile) S AP01JES2 

After running with OPTIONS(88) for a while without receiving any *30*-1A violations showing ++ TSS ADD(acid/profile) SOURCE(xxxxxxxx), you should remove OPTIONS(88) so that POE= Source checking is no longer bypassed. Be aware that valid TERM= source violations will still show in the violation report as a *30*-1A, but they will not include the command to add the source.
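The review of the OPTIONS(88) entries described above can be scripted once the LONG violation report has been saved as text. This is an added example, not code from the article or the vendor; the function names are hypothetical, and it assumes the whitespace-delimited column layout shown in the samples on this page and takes the ACCESSOR column as the acid, although the SOURCE restriction may sit on a profile instead.

```python
import re
from collections import Counter

# Detail lines: DATE TIME SYSID ACCESSOR ... (whitespace-delimited, assumed
# from the sample reports on this page).
DETAIL = re.compile(r"^\s*\d{2}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(\S+)")
# Marker logged under OPTIONS(88); SOURCE(...) holds the POE that was passed.
MARKER = re.compile(r"\+\+ TSS ADD\(acid/profile\) SOURCE\(([^)]*)\)")

# Constructed sample: records 1 and 3 follow the page's examples, record 2 is
# a constructed repeat of record 1 with a different time and job id.
SAMPLE = """\
01/19/17 09:16:58 XE56 BAXTH03 BAXTH01E BATCH FAIL 01 VYPOESER *30*-1A INI J066203 A58LPOE
RESOURCE TYPE & NAME : NAME=++ TSS ADD(acid/profile) SOURCE(A58LPOE )
01/19/17 09:17:40 XE56 BAXTH03 BAXTH01E BATCH FAIL 01 VYPOESER *30*-1A INI J066204 A58LPOE
RESOURCE TYPE & NAME : NAME=++ TSS ADD(acid/profile) SOURCE(A58LPOE )
09/11/17 06:07:11 CMCZ ZSYSCON CONSOLE CONSOLE FAIL 01 IEAVMQWR *30*-1A INI ZSYSCON
RESOURCE TYPE & NAME : NAME=ZSYSCON
"""


def poe_mismatches(report_text):
    """Count (accessor, POE) pairs from *30*-1A records carrying the marker."""
    pairs = Counter()
    accessor = None
    for line in report_text.splitlines():
        detail = DETAIL.match(line)
        if detail:
            # Remember the accessor only for *30*-1A records, so a marker on
            # the following RESOURCE line is attributed to the right acid.
            accessor = detail.group(1) if "*30*-1A" in line else None
        marker = MARKER.search(line)  # same line or the RESOURCE line after it
        if marker and accessor:
            pairs[(accessor, marker.group(1).strip())] += 1
    return pairs


def candidate_commands(pairs):
    """One TSS ADD per distinct pair, most frequent first, for manual review."""
    return [f"TSS ADD({acid}) SOURCE({poe})" for (acid, poe), _ in pairs.most_common()]


if __name__ == "__main__":
    found = poe_mismatches(SAMPLE)
    for cmd, count in zip(candidate_commands(found), (n for _, n in found.most_common())):
        print(f"{count:4d}  {cmd}")
```

Each candidate authorizes that point of entry for the acid, so confirm the POE is an expected one before issuing the command. Records without the marker, such as the ZSYSCON entry, are left out because they are not POE= mismatches logged under OPTIONS(88).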

 

Additional Information

OPTIONS(88) should have been included in the Hold Data for PTF RO96857.