I received a S047 abend in ACF9C000 with the IBM File Manager product that appears to be related to APF authorization. What can be done to address this abend?

Document ID : KB000050382
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

The ACF2 SECTRACE utility can be used to verify that the abend is caused by a RACROUTE STATUS=ACCESS call in addition to the program that is making the call.

The SECTRACE can be set from the console as follows:

SECTRACE SET,ID=TEST,TRACE=ALL,FMT=DUMP,DEST=JOBLOB,TYPE=SAFP
  nn CAS21200 SPECIFY RACROUTE PARAMETERS, CANCEL OR END
r nn,REQUEST=AUTH,END
  nn CAS212210 CONTINUE SAF RACROUTE SPECIFICATIONS, CANCEL, OR END
r nn,END
  nn CAS21100 CONTINUE SECTRACE SPECIFICATIONS, CANCEL, OR END
r nn,END
CAS21110 SECTRACE SET ON 02.026 13:01:52 ID=TEST

The failing RACROUTE call for the IBM File Manager product looks like:

SMFID= SYS1         TOD= 08:27:45.35    TRACEID= TEST       USERID= USER01  
JOBNAME= JOBX062    ASID= 008F          PGM= FMNMAIN        CURR RB= FMNMAIN 
SFR/RFR= N/A        MODE= TASK          APF= NON-AUTHORIZED LOCKS= NONE

RACROUTE REQUEST=AUTH,CLASS='FACILITY',RELEASE=1.9,STATUS=ACCESS, ATTR=READ,DSTYPE=N,ENTITY=('FILEM.PARMLIB.BASE'),FILESEQ=0, GENERIC=ASIS,LOG=ASIS,MSGSP=0,TAPELBL=STD,WORKA=

To avoid the S047 abend, an ACF2 GSO SAFDEF can be coded to bypass the APF authorization check for the STATUS=ACCESS RACROUTE call.

Solution:

The RACROUTE STATUS=ACCESS call permits a user to interrogate security definitions (access and resource rules) to determine access levels for a user. No auditing is done for this request.

In order to maintain system integrity, ACF2 requires that a user be APF authorized to access security definitions. Because the IBM File Manager program FMNMAIN and FMNMIMS are not APF authorized, ACF2 will abend the task with an S047 abend.

To accommodate this situation, ACF2 will allow the security administrator to define the specific calls for which the APF authorization check for STATUS=ACCESS will be bypassed.

CA's policy is that allowing non-APF authorized users this knowledge is a security exposure. Shops who do not want to allow this call should contact the vendor of the product and request that the STATUS=ACCESS calls be made in an APF authorized environment.

The bypassing of the authorization check in ACF2 is done through use of the 'NOAPFCHK' keyword added to the GSO SAFDEF record. 'NOAPFCHK' will only be honored for STATUS=ACCESS calls. An example of the SAFDEF used for the IBM File Manager product follows:

ACF
SET CONTROL(GSO)                                                    
INSERT SAFDEF.apf PROGRAM(FMNMAIN) RB(FMNMAIN) NOAPFCHK -   
       RACROUTE(REQUEST=AUTH,CLASS=FACILITY,STATUS=ACCESS)
INSERT SAFDEF.apf2 PROGRAM(FMNMIMS) RB(FMNMIMS) NOAPFCHK -
       RACROUTE(REQUEST=AUTH,CLASS=FACILITY,STATUS=ACCESS)
INSERT SAFDEF.apf3 PROGRAM(FMNMAIN) RB(FMNMAIN) NOAPFCHK -
       RACROUTE(REQUEST=AUTH,CLASS=XFACILIT,STATUS=ACCESS)
INSERT SAFDEF.apf4 PROGRAM(FMNMIMS) RB(FMNMIMS) NOAPFCHK -
       RACROUTE(REQUEST=AUTH,CLASS=XFACILIT,STATUS=ACCESS)
F ACF2,REFRESH(SAFDEF)

Details on the ACF2 SAFDEF can be found in the ACF2 Security for z/OS Administrator Guide in Chapter 14: Maintaining Global System Options Records, section "Environments for SAF Calls (SAFDEF)".