JESSPOOL Security Setup for ACF2
search cancel

JESSPOOL Security Setup for ACF2

book

Article ID: 96515

calendar_today

Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC

Issue/Introduction

Ability to read Output SPOOL data from active CICS Started Tasks. Currently the Started task is receiving a security related error.
SDF0381A SYSOUT FORWARDER ERROR MESSAGE: SECURITY CHECK FAILED,RC=00000004
...the error is related to the lack of access to a JESSPOOL Resource Rule.

Environment

Release:
Component: ACF2MS

Resolution

Change to 'MODE=IGNORE' and the SAFDEF Record defined:
===============================================
INSERT SAFDEF.IRONSTR ID(USER001)
- FUNCRET(0) -
PROGRAM(SSDFSOUT) RB(SSDFSOUT) -
MODE(IGNORE) -
RACROUTE(REQUEST=AUTH,CLASS=JESSPOOL) -
RETCODE(0)
===============================================
To see what Records are being used on this System, you can run the following commands:
SHOW SYSTEM
SHOW SAFDEF
SHOW CLASMAP

The ACF2 administrative steps required to implement JESSPOOL validation are:
1.) Determine a Resource Type Code to use for JESSPOOL Resources.
2.) Specify that Type Code in a GSO CLASMAP Record.
3.) Write Resource Rules.
4.) Activate Validation through GSO SAFDEF
...and assuming you select a Type Code of 'SPL' for the JESSPOOL, you'll need to insert the following GSO CLASMAP Record:
SET C(GSO) INSERT CLASMAP.spool RESOURCE(JESSPOOL) RSRCTYPE(SPL)

After all of the Rules are in place, you'll need to run the following commands to 'activate' the changes:
ACF
F ACF2,REFRESH(CLASMAP)
F ACF2,REFRESH(INFODIR)
F ACF2,REFRESH(SAFDEF)

Please see JES Security in ACF2 documentation for full details of how to implement JESSPOOL Security 

This describes ACF2 'JES Security' and also 'JESSPOOL', both the set-up and helpful hints and tips. The problem is related to the lack of access to a JESSPOOL Resource Rule. The default SAFDEF for JESSPOOL is to ignore validations with 'RC=4', so you need to create an overriding SAFDEF to validate, basically, do all that's described above. Since the same output was browsed by both SDSF and the SDFOUT task the SECTRACE entries show that the SDSF issues the RACROUTE call for CLASS=JESSPOOL from program ISFMAIN and that the SDFOUT task RACROUTE call for CLASS=JESSPOOL is made from program SSDFSOUT. So by INSERTing a SAFDEF with PROGRAM(SSDFSOUT) only JESSPOOL validations for the SDFOUT task will be activated and the RACROUTE call for CLASS=JESSPOOL will continue to be processed the same as it is know without any impact to ISFPARM Security.

Powered by Wolken Software