BPX security issues using xcom in OMVS USS

Document ID : KB000103182
Last Modified Date : 25/06/2018
Show Technical Document Details
Issue:
We're trying to use XCOM to transfer USS files.
We are getting
ICH420I PROGRAM CCS@ZE01 FROM LIBRARY PISV.CAS9.CAW0LINK CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED.
BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING.
XCOMM0128I XCOM12 REQ#=123456 FOLLOWING FMH7 SENT TO CONVERSATION PARTNER
XCOMM0854E XCOM12 REQ#=123456 SAF SECURITY FAILED, 320 RV=FFFFFFFF, RC=0000008B, REAS=130102AF,/opt/XCOM/filetst
ICH420I PROGRAM CCS@ZE01 FROM LIBRARY PISV.CAS9.CAW0LINK CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED.
BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING.


What are the requirements to transfer USS files with XCOM for z/OS?
Resolution:
These messages indicate that security (RACF) is rejecting XCOM's request for the reason given in the ICH420I message. Please check carefully the definition of CCS@ZE01 and the library named in the message to RACF.
Things to check:
  • Add the XCOM userid to BPX.SERVER resource
  • Add the XCOMXFER program to PROGRAM control resource
  • Add CCS@ZE01 program to PROGRAM control resource
  • Recycle XCOM after making these changes
Also please refer to Understanding message XCOMM0854E SAF Security failed.
Additional Information:
For basic information about OMVS and USS Files with XCOM, please refer to these sections in the CA XCOM Data Transport for z/OS - 12.0 documentation online. 

OMVS Requirements 

Ensure the value set for the BPX PARMLIB parameter MAXPROCUSER handles the number of processes that CA XCOM tasks use. CA XCOM functions run at the subtask level. Each subtask is considered a process due to the new version of ETPKI that is distributed with this release. The new version of ETPKI requires a POSIX environment.

Functions that run as a subtask:

  • TCPIP transfers
  • Setting SECURITY=SAF
  • SNA transfers
  • USS file transfers
  • ISPF
  • Inquiry for transfers (TYPE=INQUIRE)
  • History requests (TYPE=HISTORY or using ISPF)

Consider setting the value for MAXPROCUSER by using the following formula:

MAXPROCUSER value = MAXTASK x 2 + nn

The number nn is the number of active TCP/IP listeners.

Security Considerations for USS Files  
USS support enforces SAF security for all transfers that involve a USS file, regardless of the SECURITY= parameter in the default table, config member or EXEC statement. 

USS Files 
This section describes special considerations for handling USS files, including HFS, ZFS, and TFS files.