S047 Abend in an ACF2 environment
search cancel

S047 Abend in an ACF2 environment

book

Article ID: 258489

calendar_today

Updated On:

Products

ACF2 - z/OS ACF2 ACF2 - MISC

Issue/Introduction

Why does an S047 abend occur in an ACF2 environment and how is this abend resolved?  

Environment

Release : 16.0

Resolution

Why does an S047 abend occur?

The RACROUTE STATUS=ACCESS call permits a user to interrogate security definitions (access and resource rules) to determine access levels for a user. No auditing is done for this request.

In order to maintain system integrity, ACF2 requires that a user be APF authorized to access security definitions. When a program is not authorized, ACF2 abends the task with an S047 abend.

How to resolve an S047 abend in ACF2

ACF2 will allow the security administrator to define the specific calls for which the APF authorization check for STATUS=ACCESS will be bypassed.

Note: Users who do not want to use this method should contact the vendor of the product receiving the S047 abend and request that the STATUS=ACCESS call be made in an APF authorized environment.

The bypassing of the authorization check in ACF2 is done through use of the 'NOAPFCHK' keyword added to the GSO SAFDEF record. 'NOAPFCHK' will only be honored for STATUS=ACCESS calls.

For example, the failing RACROUTE call for the IBM Debug Tool v10.1.0 product looks like:

 SMFID= <sysid>      TOD= 08:05:31.38    TRACEID= DEBUG      USERID= <userid>
 JOBNAME= <jobname>  ASID= <asid>        PGM= PGMXX         CURR RB= PGMXX
 SFR/RFR= N/A        MODE= TASK          APF= NON-AUTHORIZED LOCKS= NONE

RACROUTE REQUEST=AUTH,CLASS='FACILITY',RELEASE=1.9,STATUS=ACCESS, ATTR=READ,DSTYPE=N,ENTITY=('XXXXXXXX.BROWSE.MVS'),FILESEQ=0, GENERIC=ASIS,LOG=ASIS,MSGSP=0,TAPELBL=STD,WORKA=

The following SAFDEF can be written in ACF2 to address this:

ACF
SET CONTROL(GSO)
INSERT SAFDEF.TOOLS PROGRAM(PGMXX) RB(PGMXX) NOAPFCHK -
RACROUTE(REQUEST=AUTH,CLASS=FACILITY,STATUS=ACCESS)
F ACF2,REFRESH(SAFDEF)

 

How to diagnose what call is failing in order to write an ACF2 SAFDEF record

The product vendor should have documented what RACROUTE STATUS=ACCESS calls the product is making. If this documentation cannot be obtained or if adding the vendor recommended SAFDEFs did not resolve the issue, the following steps can be completed to gather information regarding the call that is failing:

  1. Set a SECTRACE using the following console command:

    /ST SET,ID=S047TRC,TRACE=ALL,FMT=DUMP,JOBNAME=jobname

  2. Re-create the abend

  3. Turn off the SECTRACE:

    /ST DELETE,ID=S047TRC

  4. Run the ACFRPTST report to pull the results from the trace

    Sample ST report JCL:
    //REPORT  EXEC PGM=ACFRPTST                       
    //SYSPRINT DD SYSOUT=*                             
    //HEXDUMP  DD SYSOUT=*                             
    //RECMAN1  DD DISP=SHR,DSN=SYS1.MAN1               
    //RECMAN2  DD DISP=SHR,DSN=SYS1.MAN2               
    //RECMAN3  DD DISP=SHR,DSN=SYS1.MAN3               
    //SYSIN    DD *                                   
    TITLE(ACFRPTST)
    TRACEID(S047TRC)
    DETAIL

  5. An ACF2 SHOW SAFDEF command will show the current SAFDEFs on the system. This can be used to compare how the SAFDEFs are written vs how the call is being interpreted from the SECTRACE.

Please provide the SECTRACE results and the SHOW SAFDEF output to the ACF2 Support team at Broadcom if assistance is needed.