Batch jobs submitted via OTMA to MQ are failing with ACF01007 PASSWORD REQUIRED. How can this be corrected?

Document ID : KB000050868
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

Batch jobs submitted via OTMA to MQ are failing with the message ACF01007 PASSWORD REQUIRED. This started occurring after an upgrade of ACF2 and Z/OS. No changes were made to ACF2 rules or userids.

Solution:

MQ issues a VERIFYX signon request with PASSCHK=YES, but no password is available through OTMA. To handle this situation ACF2 issues an AUTH request with the class of VERPSWD and a resource of userid.NOPSWD to validate whether the address space should proceed with the signon. 'userid' is the logonid shown in the ACF01007 message. If the VERPSWD validation fails, the ACF01007 message is generated and the signon fails. If the VERPSWD validation is successful, the signon proceeds without a password.

ACF2 provides a CLASMAP to map VERPSWD to the resource type of PWD. A rule can be written to allow the MQ id access to resource userid.NOPSWD with the type PWD, e.g., $KEY(userid.NOPSWD) TYPE(PWD). This rule will allow the signon to bypass the request for a password.

To confirm that a failed VERPSWD validation is the cause of the ACF01007 message you can set a SAF SECTRACE on the MQ address space. An example of the expected trace output follows. Since this trace was set with the default of TRACE=AFTER, only the "after" trace records are shown. This results in the VERIFYX and the AUTH calls appearing to be in the wrong order. This is because the requests are "nested" and the "before" records are not included.

The SECTRACE shows that the MQ address space fails the VERIFYX signon request with PASSCHK=YES. The VERIFYX signon request failed because the VERPSWD validation failed. The VERPSWD validation failed in this case because there was no PWD-type rule for USER1.NOPSWD. After adding a rule to allow MQ access to this resource, the VERPSWD validation was successful and the VERIFYX signon was successful.

From the SECTRACE:

SMFID= PRD1 TOD= 11:56:22.45 TRACEID= MQ USERID= QMP1MSTR 
JOBNAME= QMP1MSTR ASID= 0074 PGM= CSQVEUS3 CURR RB= SVC229   
SFR/RFR= 8/8:0 MODE= TASK APF= AUTHORIZED LOCKS= NONE   
SAFDEF= GENAUTH INTERNAL MODE= GLOBAL   
   
RACROUTE REQUEST=AUTH,REQSTOR='ACF01VAL',CLASS='VERPSWD',RELEASE=1.9,   
          STATUS=NONE,ATTR=READ,DSTYPE=N,ENTITYX=('USER1.NOPSWD'),   
         FILESEQ=0,GENERIC=ASIS,LOG=NOFAIL,MSGSP=0,TAPELBL=STD,   
          USERID='QMP1MSTR',WORKA=   
   
SMFID= PRD1 TOD= 11:56:22.45 TRACEID= MQ USERID= QMP1MSTR   
JOBNAME= QMP1MSTR ASID= 0074 PGM= CSQVEUS3 CURR RB= CSQVEUS3   
SFR/RFR= 8/8:0 MODE= TASK APF= AUTHORIZED LOCKS= NONE   
SAFDEF= VERIFYX INTERNAL MODE= GLOBAL   
 
RACROUTE REQUEST=VERIFYX,RELEASE=2.1,STAT=ASIS,SMC=NO,ENVIR=CREATE,   
         ENCRYPT=YES,LOG=ASIS,MSGSP=0,PASSCHK=YES, <-------requesting a password   
         PASSWRD='*SUPPRESSED*',TOKNOUT=,USERID='USER1',WORKA=