How to handle IBM APAR OA45793 changes with CA ACF2 running on z/OS 2.1 and above?

Document ID : KB000013305
Last Modified Date : 14/02/2018
Introduction:

We are pursuing the implementation of PTFs for IBM APAR OA45793 with z/OS 2.2. According to the PTF HOLDDATA, UNIX files that have the sticky bit set and either the set-uid or set-gid attribute, and whose program is found in the MVS search order, require a FACILITY class security profile (BPX.STICKYSUG.pgmname) for the program to execute successfully. Without the profile, the process abends with SEC6 RSNE055.

 

Question:

How to handle IBM APAR OA45793 changes with CA ACF2 release 15 and 16 running on z/OS 2.1 and above? 

Environment:
CA ACF2 Release 15 and 16
Answer:

By design, ACF2 denies access to any resource for which there is no rule. Since this check is a "trigger" and not a real validation, a SAFDEF record is the way to handle this situation.

Please try this one: 

INSERT SAFDEF.STICKY ID(STICKY) MODE(IGNORE) RACROUTE(REQUEST=AUTH,CLASS=FACILITY,ENTITYX=BPX.STICKYSUG.-)

If you intend to test one program, put that program name in the ENTITYX value in place of the - after STICKYSUG.

After the insert is done, make sure to refresh SAFDEF by issuing the command:

F ACF2,REFRESH(SAFDEF)
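
To see which program names the BPX.STICKYSUG.- mask would cover, the following added example (not part of the original document and not CA or IBM code) lists files that have the sticky bit set together with set-uid or set-gid, and prints the FACILITY resource name for each. It assumes pgmname is the file's base name folded to uppercase, and it does not check whether the program is actually found in the MVS search order, so the output is a list of candidates only.

```shell
#!/bin/sh
# Added example: inventory of files that combine the sticky bit with
# set-uid or set-gid, the condition described in the PTF HOLDDATA.
# Assumption: the pgmname qualifier is the file's base name in uppercase.
# The function name and output layout are choices made for this example.

list_stickysug_candidates() {
    root=${1:-/}
    # -perm -1000 : sticky bit is set
    # -perm -4000 : set-uid is set    -perm -2000 : set-gid is set
    find "$root" -type f -perm -1000 \( -perm -4000 -o -perm -2000 \) \
        -print 2>/dev/null |
    while IFS= read -r path; do
        pgm=$(basename "$path" | tr '[:lower:]' '[:upper:]')
        # One line per file: path, a tab, then the resource name
        printf '%s\tBPX.STICKYSUG.%s\n' "$path" "$pgm"
    done
}

# Run the scan only when a starting directory is given on the command line.
if [ $# -gt 0 ]; then
    list_stickysug_candidates "$1"
fi
```

Run it from the z/OS UNIX shell with a starting directory as the only argument; files with only one of the two attributes are not listed.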

Additional Information:

 

IBM Knowledge Center Links:

APAR OA45793 changes

Setting up the UNIX-related FACILITY and SURROGAT class profiles (review section on BPX.STICKYSUG.program_name)