Does a window exist when USS security is not active?

Document ID : KB000121269
Last Modified Date : 15/11/2018
Show Technical Document Details
Introduction:
CA processing/access to USS files at IPL.
Question:
After anIPL, there is a started task for a product from another vendor that we have set up to start. The first few times it fails with messages that suggest that perhaps it does not have access to the USS files it requires in order to execute. If we retry a few minutes later, it starts and runs fine. This suggests that perhaps there is a window of time following the IPL in which native USS file security is active instead of ACF2. Is this correct? Is there some indicator (a message perhaps) that would tell us that such an application could proceed?
Environment:
Z/os
Answer:
IBM documents in a REDBOOK (https://www.redbooks.ibm.com/redpapers/pdfs/redp4193.pdf) that: z/OS UNIX requires an external security manager to be accessible through the System Authorization Facility (SAF) interface. The examples that we provide in the rest of this book assume that the IBM Resource Access Control Facility (RACF) external security manager is used, although similar non-IBM products, which provide equivalent functions, can be used. ACF2 actually holds back the start of OMVS till the ACF2 address space is fully functional. If you are starting the product before OMVS is started with message: BPXI004I OMVS INITIALIZATION COMPLETE I would recommend you set up your automated operator to wait for that message before starting this STC. The ENFUSS intercepts are not installed until ENF starts up and the CARRINIT program executes as a result of the DCM CARRDCM0 being invoked by ENF, When CARRINIT executes, it checks to see if OMVS in initialized prior to implanting it's hooks into the OMVS Callable service table entries.