*30*-1A violations on POE Source after applying RO96857

Document ID : KB000008153
Last Modified Date : 14/02/2018
Issue:

Clients running Top Secret release 16.0 have seen Source failures after applying fix RO96857.  

The following messages have been reported:

TSS7171E Unauthorized Source of System Entry.
TSS7100E 026 J=jobname A=acid F=facility - Invalid Source

A TSSUTIL Violation report will show a *30*-1A violation:

DATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VC PROGRAM R-ACCESS A-ACCESS SRC/DRC SEC JOBID TERMINAL 
RESOURCE TYPE & NAME
-------- -------- ----- -------- -------- -------- ---- -- -------- -------- -------- ------- --- ------- -------- 
09/11/17 06:07:11 CMCZ ZSYSCON CONSOLE CONSOLE FAIL 01 IEAVMQWR *30*-1A INI ZSYSCON 
RESOURCE TYPE & NAME : NAME=ZSYSCON 
09/11/17 06:07:17 SYS1 TCPIPACID TCPIPACID TCPIP FAIL 01 DSNVEUSA *30*-1A INI TCPIP
RESOURCE TYPE & NAME : NAME=TCPIP  

Environment:
Top Secret release 16.0 with RO96857 applied.
Cause:

In Top Secret release 16.0 a hole was closed in Source processing by PTF RO96857.
Prior to RO96857, RACROUTE calls with a POE= were not going through SOURCE security processing.  
SOURCE restrictions were honored only if a TERMID= was passed on the RACROUTE REQUEST=VERIFY,ENVIR=CREATE.
If a POE= was passed on the RACROUTE REQUEST=VERIFY,ENVIR=CREATE security call, no Source processing was done.
After applying RO96857, TSS will honor the value passed in the POE= and check for a SOURCE restriction in the user's record or profile.  If the acid has a SOURCE restriction that does NOT match the value passed in the POE=, then the sign on will fail with TSS7171E Unauthorized Source of System Entry.

This applies to all applications that pass a RACROUTE REQUEST=VERIFY,ENVIR=CREATE with a POE=.
The original problem was found when signing on to CA-Sysview, and the PTF description may lead you to incorrectly believe this only affects CA-Sysview.

Resolution:

If the number of acids and Source violations is minimal, it is best to add the Source(s) to the acid(s) without using OPTIONS(88):
TSS ADD(acid/profile) SOURCE(source)

If there is a large number of failures occurring then clients can activate OPTIONS(88) in the TSS parameter file.
With fix RO96857, along with setting OPTIONS(88), if a RACROUTE REQUEST=VERIFY,ENVIR=CREATE with POE= is issued, and the acid has a SOURCE restriction that does NOT match the POE= passed, we will allow the call to succeed but log it with the following message to our ATF file:
++ TSS ADD(acid/profile) SOURCE(xxxxxxxx)
Where xxxxxxxx is the POE passed on the RACROUTE security call.

The commands will be seen in the TSSUTIL Violation Report.

Example of TSSUTIL Violation Report (LONG):
DATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VC PROGRAM R-ACCESS A-ACCESS SRC/DRC SEC JOBID TERMINAL RESOURCE TYPE & NAME
-------- -------- ----- -------- -------- -------- ---- -- -------- -------- -------- ------- --- ------- --------
01/19/17  09:16:58  XE56  BAXTH03   BAXTH01E  BATCH FAIL  01  VYPOESER  *30*-1A  INI  J066203 A58LPOE                    RESOURCE  TYPE & NAME :  NAME=++ TSS ADD(acid/profile) SOURCE(A58LPOE )   


Example of TSSUTIL Violation Report:
DATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VC PROGRAM R-ACCESS A-ACCESS SRC/DRC SEC JOBID TERMINAL
-------- -------- ----- -------- -------- -------- ---- -- -------- -------- -------- ------- --- ------- -------- 
09/14/17 09:14:49 DEV1 P0CCRUPD JES2 J F 01 HA$PSUBS *30*-1A VFX ++ TSS ADD(acid/profile) S AP01JES2 

After running with OPTIONS(88) for a while without receiving any *30*-1A violations showing ++ TSS ADD(acid/profile) SOURCE(xxxxxxxx), you should remove OPTIONS(88) so that POE= Source checking is no longer bypassed. Be aware that valid TERM= source violations will still show in the violation report as a *30*-1A, but they will not include the command to add the source.
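To help decide when OPTIONS(88) can be removed, the following added example (not CA code) reads TSSUTIL Violation Report records and separates the logged POE= bypasses from other *30*-1A failures. It assumes one record per line with whitespace-separated columns as in the samples above; emitting the command for the acid rather than a profile is also an assumption.

```python
import re
from collections import Counter

# Sample records: lines 1-2 follow the LONG layout above (the second is a
# constructed repeat), line 3 is the short-format record above, line 4 is constructed.
SAMPLE_REPORT = """\
01/19/17  09:16:58  XE56  BAXTH03   BAXTH01E  BATCH FAIL  01  VYPOESER  *30*-1A  INI  J066203 A58LPOE  RESOURCE  TYPE & NAME :  NAME=++ TSS ADD(acid/profile) SOURCE(A58LPOE )
01/19/17  09:17:40  XE56  BAXTH03   BAXTH01E  BATCH FAIL  01  VYPOESER  *30*-1A  INI  J066204 A58LPOE  RESOURCE  TYPE & NAME :  NAME=++ TSS ADD(acid/profile) SOURCE(A58LPOE )
09/14/17 09:14:49 DEV1 P0CCRUPD JES2 J F 01 HA$PSUBS *30*-1A VFX ++ TSS ADD(acid/profile) S AP01JES2
01/20/17  10:02:11  XE56  USERX01   USERX01   TSO   FAIL  01  PGMX     *30*-1A  INI  T000001 TERMX001 RESOURCE  TYPE & NAME :  NAME=USERX01
"""

# DATE TIME SYSID ACCESSOR ...: the accessor is the fourth whitespace-separated field.
RECORD = re.compile(r"^\d{2}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(?P<acid>\S+)\s")
SUGGEST = re.compile(r"\+\+ TSS ADD\(acid/profile\) SOURCE\(([^)]*)\)")

def classify(report):
    """Split *30*-1A records into bypassed, truncated and other."""
    bypassed = Counter()  # (acid, POE) -> count; allowed only because OPTIONS(88) is set
    truncated = []        # short-format records: command cut off, POE not recoverable
    other = []            # *30*-1A with no suggested command
    for line in report.splitlines():
        m = RECORD.match(line)
        if not m or "*30*-1A" not in line:
            continue
        s = SUGGEST.search(line)
        if s:
            bypassed[(m["acid"], s.group(1).strip())] += 1
        elif "++ TSS ADD(" in line:
            truncated.append(line)
        else:
            other.append(line)
    return bypassed, truncated, other

def candidate_commands(bypassed):
    """One command per distinct (acid, POE) pair, for review before issuing."""
    return [f"TSS ADD({acid}) SOURCE({poe})" for acid, poe in sorted(bypassed)]

if __name__ == "__main__":
    bypassed, truncated, other = classify(SAMPLE_REPORT)
    for cmd in candidate_commands(bypassed):
        print(cmd)
    print(f"{len(truncated)} truncated record(s): rerun the report in LONG format")
    print(f"{len(other)} *30*-1A record(s) without a suggested command")
```

Each generated command authorizes that POE as a source for the acid, so confirm the POE is expected for that acid before issuing it. An empty `bypassed` result over a representative period is the condition described above for removing OPTIONS(88).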

 

Additional Information:

OPTIONS(88) should have been included in the Hold Data for PTF RO96857.