I read KB TEC1988656 which gave a solution to the S047 abends with
RACROUTE REQUEST=AUTH,STATUS=ACCESS of creating a GSO SAFDEF with NOAPFCHK.
I want to make the environment authorized, what do I do?
Even if you make your environment APF authorized, the racroute request will
not be issued in an apf authorized environment.
The situation relates to SSL connections wanting to verify if a user can use SSLV2 or SSLV3
in an SSL connection request. This requirement came about due to the Poodle Vulnerability
SSLV2 and SSLV3 are no longer allowed as defaults without further validation.
BPXPTATT is the Program that issues an SSL Connection Request, and part of that process
calls CSECT GSKC2904 in LOAD MODULE GSKC29 to issue the RACROUTE Request.
This Program is not APF authorised (not linked AC(1)).
Even if the Library is APF authorised, the Program is not.
Therefore the only options are to create the SAFDEF with NOAPFCHK or ask IBM to
change the module to be APF authorized.
If you want to allow SSLV2 or SSLV3 to be used, you will need to write rules
to allow users UPDATE access to the XFACILIT resources for example...
. $KEY(GSK.ENABLE.SSLV*.DEFAULT TYPE(XFC)
. UID(xxxxxxxxx) ALLOW SERVICE(UPDATE)
This rule will allow an application to request SSLV2 or SSLV3 connections.
If you do not write this rule and have no other resource rules with TYPE(XCF) giving update access,
SSLV2 or SSLV3 will NOT be allowed to be used - which is the default.