File transfer with z/OS doesn’t work after Agent upgrade; Authorizations required for thread level security

Document ID : KB000087940
Last Modified Date : 14/04/2018
Issue:
Error Message :
U2000102 Error when calling the function 'setgid', error code '139(EDC5139I Operation not permitted.)'.
U2000102 Error when calling the function 'setgid', error code '157/0B7A02AF(5157I An Internal error occured.)'.

File transfer with z/OS doesn’t work after an Agent upgrade.

As of version 11, a new file transfer feature called “thread level security” is available for the z/OS Agent. This feature may require additional authorizations for the user who executes the transfer. The two available settings are described below:

  • ft_thread_level_security=yes
    When the File transfer starts, its thread switches to the user context of the user whose data is entered in the Login object referenced in the File transfer object. Any input and output is executed with the permissions of the user starting the File transfer.
     
  • ft_thread_level_security=no
    This is the previous behavior: the authorization of the user starting the File transfer is checked, but the File transfer is executed with the authorization of the user starting the agent.
 
The parameter ft_thread_level_security can be set in the (GLOBAL) section of the Agent's INI file. Its default value is “Yes”, which means the new feature is switched on by default after an upgrade to version 11 or above.
 

 

Environment:
OS Version: N/A
Cause:
Cause type:
Configuration
Root Cause: New ft_thread_level_security feature may require additional user authorizations.
Resolution:
Grant necessary permissions as described below.

Unfortunately, this useful new feature may need additional user authorizations. The following Resource Access Control Facility (RACF) settings resolve the different authority issues:
 
The agent user needs:
  • OMVS segment
  • Class Facility resource FACILITY BPX.DAEMON with Read access
  • Class Facility resource FACILITY BPX.SERVER with Read access
  • Class Facility resource FACILITY BPX.WLMSERVER with Read access
  • Class UNIXPRIV resource SUPERUSER.FILESYS.CHOWN with Read access
  • Class SURROGAT resource BPX.SRV.loginUid with Read access for all logins
The login user needs:
  • OMVS segment
  • Class APPL resource OMVSAPPL with Read access
  • Class SURROGAT BPX.SRV.loginUid where agent user has Read access on (mentioned above)
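
The two authorization lists above, written out as RACF commands that a RACF administrator would enter at TSO. This is an added example, not part of the original document: AGENTUSR and FTUSER1 are placeholder user IDs for the agent user and one login user, the UID and HOME values are constructed, and the PERMIT commands assume the named profiles already exist.

```tso
/* Placeholders: AGENTUSR = agent user, FTUSER1 = one login user.      */
/* OMVS segment for both users (UID and HOME values are constructed).  */
ALTUSER AGENTUSR OMVS(UID(2001) HOME('/u/agentusr') PROGRAM('/bin/sh'))
ALTUSER FTUSER1  OMVS(UID(2002) HOME('/u/ftuser1')  PROGRAM('/bin/sh'))

/* Agent user: READ on the FACILITY and UNIXPRIV resources.            */
PERMIT BPX.DAEMON    CLASS(FACILITY) ID(AGENTUSR) ACCESS(READ)
PERMIT BPX.SERVER    CLASS(FACILITY) ID(AGENTUSR) ACCESS(READ)
PERMIT BPX.WLMSERVER CLASS(FACILITY) ID(AGENTUSR) ACCESS(READ)
PERMIT SUPERUSER.FILESYS.CHOWN CLASS(UNIXPRIV) ID(AGENTUSR) ACCESS(READ)

/* One discrete SURROGAT profile per login user, so the agent can      */
/* switch only to the users listed here. RDEFINE only if it is missing.*/
RDEFINE SURROGAT BPX.SRV.FTUSER1 UACC(NONE)
PERMIT BPX.SRV.FTUSER1 CLASS(SURROGAT) ID(AGENTUSR) ACCESS(READ)

/* Login user: READ on OMVSAPPL in class APPL.                         */
PERMIT OMVSAPPL CLASS(APPL) ID(FTUSER1) ACCESS(READ)

/* Refresh the in-storage profiles of the classes that are RACLISTed.  */
SETROPTS RACLIST(FACILITY UNIXPRIV SURROGAT APPL) REFRESH

/* Check the result: OMVS segment and access lists.                    */
LISTUSER FTUSER1 OMVS NORACF
RLIST SURROGAT BPX.SRV.FTUSER1 AUTHUSER
RLIST FACILITY BPX.DAEMON AUTHUSER
```

Repeat the RDEFINE, PERMIT and RLIST lines for BPX.SRV.loginUid once for each login user referenced by a File transfer object.
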
Depending on the missing privilege, different error messages are issued. Here are some examples of reported errors:
  • U2000102 Error when calling the function 'setgid', error code '139(EDC5139I Operation not permitted.)'.
  • U2000102 Error when calling the function 'setgid', error code '157/0B7A02AF(5157I An Internal error occured.)'.
  • U02000102 Fehler beim Aufruf der Funktion 'pthread_security_np(CREATE)', Fehlercode '139(EDC5139I Operation not permitted.)'.
References

More information can be found in the product documentation: 

Fix Status: No Fix

Fix Version(s):
N/A
Additional Information:
Workaround :
Set ft_thread_level_security=no, see description above.