Clients running Top Secret release 16.0 have seen Source failures after applying fix RO96857.
The following messages have been reported:
TSS7171E Unauthorized Source of System Entry.
TSS7100E 026 J=jobname A=acid F=facility - Invalid Source
A TSSUTIL Violation report will show a *30*-1A violation.
In Top Secret release 16.0 a hole was closed in Source processing by PTF RO96857. Prior to RO96857, RACROUTE calls with a POE= were not going through SOURCE security processing. SOURCE restrictions were honored only if a TERMID= was passed on the RACROUTE REQUEST=VERIFY,ENVIR=CREATE. If a POE= was passed on the RACROUTE REQUEST=VERIFY,ENVIR=CREATE security call, no Source processing was done.
After applying RO96857, TSS will honor the value passed in the POE= and check for a SOURCE restriction in the user's record or profile. If the acid has a SOURCE restriction that does NOT match the value passed in the POE=, then the sign on will fail with TSS7171E Unauthorized Source of System Entry.
This is for all applications that pass a RACROUTE REQUEST=VERIFY,ENVIR=CREATE with a POE= .
The original problem was found signing onto CA-Sysview, and the PTF description may lead you to incorrectly believe this only affects CA-Sysview.
If the number of acids and Source violations is minimal, then it is best to issue the Source(s) to the acid(s) without using OPTIONS(88):
TSS ADD(acid/profile) SOURCE(source)
If there are a large number of failures occurring, then sites can activate OPTIONS(88) in the Top Secret parameter file. With fix RO96857 and OPTIONS(88) set, if a RACROUTE REQUEST=VERIFY,ENVIR=CREATE with POE= is issued, and the acid has a SOURCE restriction that does NOT match the POE= passed, Top Secret will allow the call to succeed but log it with the following message to our ATF file:
++ TSS ADD(acid/profile) SOURCE(xxxxxxxx)
Where xxxxxxxx is the POE passed on the RACROUTE security call.
The commands will be seen in the TSSUTIL Violation Report.
Example of TSSUTIL Violation Report (LONG):
DATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VC PROGRAM R-ACCESS A-ACCESS SRC/DRC SEC JOBID TERMINAL RESOURCE TYPE & NAME
-------- -------- ----- -------- -------- -------- ---- -- -------- -------- -------- ------- --- ------- --------
01/19/17 09:16:58 XE56 BAXTH03 BAXTH01E BATCH FAIL 01 VYPOESER *30*-1A INI J066203 A58LPOE RESOURCE TYPE & NAME : NAME=++ TSS ADD(acid/profile) SOURCE(A58LPOE )
Example of TSSUTIL Violation Report (without the LONG option):
DATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VC PROGRAM R-ACCESS A-ACCESS SRC/DRC SEC JOBID TERMINAL
-------- -------- ----- -------- -------- -------- ---- -- -------- -------- -------- ------- --- ------- --------
09/14/17 09:14:49 DEV1 P0CCRUPD JES2 J F 01 HA$PSUBS *30*-1A VFX ++ TSS ADD(acid/profile) S AP01JES2
After running with OPTIONS(88) and not receiving any *30*-1A violations showing ++ TSS ADD(acid/profile) SOURCE(xxxxxxxx) for a while, remove OPTIONS(88) to no longer bypass POE= Source checking. Be aware that valid TERM= source violations will still show in the violation report as a *30*-1A, but the violations will not include the command to add the SOURCE.
OPTIONS(88) should have been included in the Hold Data for PTF RO96857.
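To decide when OPTIONS(88) can be removed, the logged suggestions can be summarised from a saved TSSUTIL Violation Report. The following Python script is an added example, not part of the original article or of any vendor tooling. It assumes that the first four blank-separated fields of a record are DATE, TIME, SYSID and ACCESSOR, that the ACCESSOR is the acid to review (whether the SOURCE belongs on the acid or on a profile remains the administrator's decision), and that the suggestion may appear on the record line or on the line after it. The sample input is constructed from the report lines shown above.

```python
import re
from collections import Counter

# Assumed layout (from the sample lines on this page): a record starts with
# DATE TIME SYSID ACCESSOR, separated by blanks.
RECORD = re.compile(r"^\s*\d{2}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(\S+)")
# Full suggestion as logged under OPTIONS(88); the POE may be blank-padded.
SUGGEST = re.compile(r"\+\+ TSS ADD\(acid/profile\)\s+SOURCE\(\s*([^)\s]+)\s*\)")
# Same text cut off by the report width (report run without LONG).
PARTIAL = re.compile(r"\+\+ TSS ADD\(acid/profile\)")

def triage(report_text):
    """Return (Counter{(accessor, poe): hits}, truncated, without_command)."""
    pairs, truncated, without_command = Counter(), 0, 0
    accessor, pending = "?", False  # pending: *30*-1A record, no command seen yet
    for line in report_text.splitlines():
        rec = RECORD.match(line)
        if rec:
            without_command += int(pending)  # previous record carried no command
            accessor, pending = rec.group(1), "*30*-1A" in line
        hit = SUGGEST.search(line)
        if hit:
            pairs[(accessor, hit.group(1))] += 1
            pending = False
        elif PARTIAL.search(line):
            truncated += 1
            pending = False
    return pairs, truncated, without_command + int(pending)

def candidate_commands(pairs):
    """Render each distinct pair in the article's TSS ADD ... SOURCE(...) form."""
    return [f"TSS ADD({acid}) SOURCE({poe})" for acid, poe in sorted(pairs)]

# Constructed sample: the first four lines adapt the report examples on this
# page; the last line is an invented *30*-1A record with no command.
SAMPLE = """\
01/19/17 09:16:58 XE56 BAXTH03 BAXTH01E BATCH FAIL 01 VYPOESER *30*-1A INI J066203 A58LPOE
  RESOURCE TYPE & NAME : NAME=++ TSS ADD(acid/profile) SOURCE(A58LPOE )
01/19/17 09:17:05 XE56 BAXTH03 BAXTH01E BATCH FAIL 01 VYPOESER *30*-1A INI J066204 A58LPOE RESOURCE TYPE & NAME : NAME=++ TSS ADD(acid/profile) SOURCE(A58LPOE )
09/14/17 09:14:49 DEV1 P0CCRUPD JES2 J F 01 HA$PSUBS *30*-1A VFX ++ TSS ADD(acid/profile) S AP01JES2
01/19/17 10:02:11 XE56 USER01 USER01 TSO FAIL 01 IKJEFLC *30*-1A INI T000123 TERM0001
"""

if __name__ == "__main__":
    pairs, truncated, without_command = triage(SAMPLE)
    for cmd in candidate_commands(pairs):
        print(cmd)
    print(f"{truncated} truncated (rerun with LONG), {without_command} without a command")
```

Records counted as "without a command" correspond to the *30*-1A violations that carry no suggested command; a run in which the pair list is empty over a representative period is the condition the article gives for removing OPTIONS(88).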