I read KB TEC1988656 which gave a solution to the S047 abends with RACROUTE REQUEST=AUTH,STATUS=ACCESS of creating a GSO SAFDEF with NOAPFCHK. I want to make the environment authorized, what do I do?

Document ID : KB000057366
Last Modified Date : 14/02/2018
Show Technical Document Details

Question:

I read KB TEC1988656 which gave a solution to the S047 abends with 

RACROUTE REQUEST=AUTH,STATUS=ACCESS of creating a GSO SAFDEF with NOAPFCHK.

I want to make the environment authorized, what do I do?

 

Answer:

Even if you make your environment APF authorized, the racroute request will

not be issued in an apf authorized environment.

 

The situation relates to SSL connections wanting to verify if a user can use SSLV2 or SSLV3

in an SSL connection request. This requirement came about due to the Poodle Vulnerability

attacks.

 

SSLV2 and SSLV3 are no longer allowed as defaults without further validation.

 

BPXPTATT is the Program that issues an SSL Connection Request, and part of that process 

calls CSECT GSKC2904 in LOAD MODULE GSKC29 to issue the RACROUTE Request. 

This Program is not APF authorised (not linked AC(1)).

Even if the Library is APF authorised, the Program is not. 

Therefore the only options are to create the SAFDEF with NOAPFCHK or ask IBM to 

change the module to be APF authorized.  

 

Note:

If you want to allow SSLV2 or SSLV3 to be used, you will need to write rules

to allow users UPDATE access to the XFACILIT resources for example...

 

ACF

SET RESOURCE(XFC) 

COMPILE * 

. $KEY(GSK.ENABLE.SSLV*.DEFAULT TYPE(XFC) 

. UID(xxxxxxxxx) ALLOW SERVICE(UPDATE)

.

STORE

 

This rule will allow an application to request SSLV2 or SSLV3 connections.

 

If you do not write this rule and have no other resource rules with TYPE(XCF) giving update access,

SSLV2 or SSLV3 will NOT be allowed to be used - which is the default.