After z/OS upgrade now getting JES2 error message $HASP186 SYSLOG OUTGRP=x.x.x NOT SELECTED BY STC0xxxx/<filename> DUE TO SECURITY POLICY

Document ID : KB000011105
Last Modified Date : 14/02/2018
Question:

After an upgrade to z/OS, I am getting this message $HASP186 SYSLOG OUTGRP=n.n.n NOT SELECTED BY STC0xxxx/<filename> DUE TO SECURITY POLICY. I checked the JES2 messages and it was suggested I use JES2 command $T DEBUG,SECURITY=YES to show RACF violations causing this message. When I issue this JES2 command, I get NO ACF2 violation messages. I also tried running the ACFRPTRV report but it showed no violations.

Answer:

Since the JES2 documentation refers to a possible RACF violation, we recommend you set a SECTRACE for an AUTH call. The validation is likely being issued with LOG=NONE, in which case no SMF record is written and the ACFRPTRV report has nothing to show.

The SECTRACE operator command is as follows:

st set,id=xxxx,type=safp
nn CAS...... SPECIFY RACROUTE PARAMETERS...
r nn,request=auth,end
nn CAS......Continue SECTRACE SPECIFICATIONS...
r nn,end

This command will set a SECTRACE for AUTH calls. No CLASS is specified because it is unclear what the CLASS should be.

Set the SECTRACE before you test, then after you get the $HASP186 error, delete the SECTRACE using this operator command:

st del,id=xxxx

Run the ACFRPTST report using the SMF records generated during your test. You can use the ISPF panels to generate the report or use a batch job. The batch job only requires a few statements:

//JOB....
// EXEC PGM=ACFRPTST,PARM='DETAIL'
//SYSPRINT DD SYSOUT=*
//REC0001 DD DSN=SYS1.MAN1,DISP=SHR <--substitute the active SMF filename
//*

The output report should contain a RACROUTE AUTH call with SFR/RFR codes of 8/8:0. This failed AUTH call is likely related to the $HASP186 message and the CLASS and ENTITY can be used to write an appropriate resource rule. A LOG keyword in the RACROUTE call specifying anything other than ASIS would explain why no SMF record was generated for the ACFRPTRV report.

Customers have reported that this can happen for the (JES2) resource classes WRITER and JESSPOOL. Note that the default internal SAFDEF records for these resource classes provided by CA ACF2 specify MODE=IGNORE for these validation requests.