CA Datacom DB00501E RC 87 (003) XCF Security

Document ID : KB000105192
Last Modified Date : 06/07/2018
Issue:

When a job runs on a different LPAR from the MUF, it fails with the error:

DB00501E - OPEN ERROR - RETURN CODE 87 (003)

This indicates an XCF External Security violation. 

Cause:

XCF is externally secured by using the DTSYSTEM resource class with a resource name of cxxname.XCF.
If permission is denied to the MUF userid, XCF external security is in place.
Message DB00220I will be issued during MUF startup to indicate XCF is externally secured:

DB00220I - EXTERNAL SECURITY ACTIVE FOR cxxname   ON XCF

If XCF is externally secured, the MUF checks whether jobs are allowed from the remote system by checking the DTSYSTEM resource class using a resource name of cxxname.XCFFROM.from-system.groupname.
The MUF userid must be allowed access to this resource. If access is denied, the job is not allowed to run and fails with RC 87 (003).

Normally, external security messages for the DTSYSTEM resource checks are suppressed in the MUF.
To stop suppressing these security messages, add the following option to the MUF startup parameters:

DIAGOPTION 5,4,ON

This will show all the external security messages during startup.

Resolution:

The security definitions for the resource class DTSYSTEM must be defined as follows:

  1. Resource name cxxname.XCF - the MUF userid must be denied access to turn on XCF external security.

  2. Resource name cxxname.XCFFROM.from-system.groupname - the MUF userid must be allowed access to allow jobs to run against the MUF from that system and group.
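The two checks above, modelled as an added example (not CA Datacom code) to show why a deny on cxxname.XCF combined with a missing allow on cxxname.XCFFROM produces RC 87 (003). The names PRODCXX, SYSB, SYSC and GRP1 are constructed, and the first-match-wins pattern matching is an assumption of this model, not the matching logic of any security product.

```python
from fnmatch import fnmatchcase

def muf_access(rules, resource):
    """Decision for the MUF userid on a DTSYSTEM resource (model only).

    rules: ordered (pattern, allowed) pairs; the first matching pattern wins.
    fnmatch-style matching is a simplification made for this example.
    """
    for pattern, allowed in rules:
        if fnmatchcase(resource, pattern):
            return allowed
    # The page does not say what happens when no rule covers the resource.
    raise LookupError(f"no rule covers {resource}")

def remote_open(rules, cxxname, from_system, groupname):
    """Outcome of an open request from a job on a different system."""
    # Check 1: a DENY on cxxname.XCF is what turns XCF external security on.
    if muf_access(rules, f"{cxxname}.XCF"):
        return "OK: XCF not externally secured"
    # Check 2: with security on, the MUF userid must be ALLOWED on the
    # XCFFROM resource for the submitting system and group.
    resource = f"{cxxname}.XCFFROM.{from_system}.{groupname}"
    if muf_access(rules, resource):
        return f"OK: {resource} allowed"
    return f"DB00501E RC 87 (003): {resource} denied"

CXX = "PRODCXX"  # constructed cxxname

# XCF secured, but the MUF userid was never allowed on XCFFROM: the failing case.
BROKEN = [(f"{CXX}.XCF", False), (f"{CXX}.XCFFROM.*", False)]
# The resolution: XCF denied (security on), all XCFFROM resources allowed.
FIXED = [(f"{CXX}.XCF", False), (f"{CXX}.XCFFROM.*", True)]
# Narrower variant: only jobs from system SYSB are accepted.
SCOPED = [(f"{CXX}.XCF", False),
          (f"{CXX}.XCFFROM.SYSB.*", True),
          (f"{CXX}.XCFFROM.*", False)]

if __name__ == "__main__":
    for name, rules in (("BROKEN", BROKEN), ("FIXED", FIXED), ("SCOPED", SCOPED)):
        for system in ("SYSB", "SYSC"):
            print(name, system, "->", remote_open(rules, CXX, system, "GRP1"))
```
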

The following security rules need to be coded to resolve this:
 

RACF

RDEFINE DT@YSTEM cxxname.XCF UACC(NONE)
PERMIT cxxname.XCFFROM.* CLASS(DT@YSTEM) ID(muf_userid) ACC(ALTER)


CA ACF2

$KEY(cxxname) TYPE(DTS) 
XCF UID(*) PREVENT 
XCFFROM.- UID(muf_userid) ALLOW 


CA Top Secret

TSS PER(ALL) DTSYSTEM(cxxname.XCF) ACCESS(NONE)
TSS PER(muf_userid) DTSYSTEM(cxxname.XCFFROM.) ACCESS(ALL)


Another way to resolve this is to force the job to run in the same LPAR as the MUF by adding the following card after the JOB card: 

/*JOBPARM SYSAFF=nnnn 
Additional Information: