Document ID : KB000053299
Last Modified Date : 14/02/2018


When a ROUTE command is issued in our SYSPLEX environment, which contains both RACF LPARs and CA Top Secret LPARs, the command fails on the RACF system with the following message:



Environment processing depends on each security product and its own security data structures, and those structures differ from one mainframe security product to the next. With console processing, a command shipped between systems also carries an ENVROUT object under which the security check is to be processed. When the console command is received, that object is used to perform the security check.

For CA ACF2 and CA Top Secret, if the object received was not created by a like system, each product performs its own processing within its own security environment to ensure that the command is executed under the correct user, the one who shipped the command across systems. Even in the case of IBM's RACF®, CA ACF2 and CA Top Secret recognize that the object came from RACF and process the request appropriately, ensuring that the user has authority to issue the command and that it is processed under the correct user.

Currently IBM's RACF does not recognize objects shipped from systems running CA ACF2 or CA Top Secret. RACF issues an ICH409I 283-54 message and terminates the request. IBM published UW34880, which addressed an error in processing VTAM requests in cross-memory mode.

CA ACF2 and CA Top Secret adhere to the formats documented in the RACROUTE Macro Guide for ENVR object processing. Beyond the standard header information comes the security-product-specific part of the object. If the header carries a length that tells IBM's RACF the object was not created by RACF, it would be up to IBM to manage the request so that security integrity is preserved while the request is still allowed when the requestor is authorized to issue console commands on that system. This is what CA ACF2 and CA Top Secret do today.
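The receiving-side decision described above (use a like-system object directly; for a foreign object, ignore the product-private data and re-authorize the user locally; or, as RACF does today, reject the foreign object outright) can be modelled in a few lines. This is an added illustration, not code from CA or IBM, and the ENVR header layout it uses (a length field, an 8-character product tag and an 8-character user ID) is constructed for the example; it is not the layout from Table 11 of the RACROUTE Macro Guide, and the product tags and user table are likewise made up.

```python
"""Model of how a security product can handle a console command that
arrives with a shipped ENVR object.

Everything about the object layout here is CONSTRUCTED for illustration.
It is not the IBM Table 11 structure and carries no product-private format.
"""
import struct
from dataclasses import dataclass

# Constructed header: 4-byte total length, 8-byte product tag, 8-byte user ID,
# followed by the product-private portion that only the creator understands.
HEADER = struct.Struct(">I8s8s")


def build_envr(product: str, user: str, private: bytes) -> bytes:
    """Build a constructed ENVR object; 'private' is opaque to other products."""
    total = HEADER.size + len(private)
    return HEADER.pack(total, product.ljust(8).encode(), user.ljust(8).encode()) + private


@dataclass
class ParsedEnvr:
    product: str
    user: str
    private: bytes


def parse_envr(obj: bytes) -> ParsedEnvr:
    """Validate the common header before trusting anything in the object."""
    if len(obj) < HEADER.size:
        raise ValueError("ENVR object shorter than its header")
    total, product, user = HEADER.unpack_from(obj)
    if total != len(obj):
        raise ValueError("ENVR length field does not match object size")
    return ParsedEnvr(product.decode().strip(), user.decode().strip(), obj[HEADER.size:])


# Constructed local table: which user IDs may issue console commands on this system.
LOCAL_CONSOLE_AUTH = {"OPER1": True, "GUEST": False}


def receive_command(local_product: str, envr: bytes, reject_foreign: bool = False):
    """Return (accepted, reason, effective_user) for a shipped console command.

    reject_foreign=True models the RACF behaviour the article describes:
    an object not created by a like system terminates the request.
    """
    parsed = parse_envr(envr)
    if parsed.product == local_product:
        # Like system: the object itself can be used to re-create the environment.
        return True, "environment re-created from like-system object", parsed.user
    if reject_foreign:
        return False, "object not created by this product; request terminated", None
    # Foreign object: the private portion is meaningless here, so the only safe
    # input is the user ID, which is re-authorized against local security.
    if LOCAL_CONSOLE_AUTH.get(parsed.user, False):
        return True, "foreign object; user re-authorized under local security", parsed.user
    return False, "foreign object; user not authorized for console commands here", None


if __name__ == "__main__":
    obj = build_envr("TSS", "OPER1", b"\x01\x02\x03")  # constructed object from a CA Top Secret system
    print(receive_command("TSS", obj))
    print(receive_command("RACF", obj))
    print(receive_command("RACF", obj, reject_foreign=True))
```

The point of the model is the trust boundary: the product-private portion of a foreign object must never be interpreted, and the decision to run the command is made only after the shipping user's authority has been re-checked against the receiving system's own security database.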

The following is taken directly from the RACROUTE MACRO Guide:

According to IBM's documentation, ENVR objects should not even be passed among systems within a SYSPLEX if they are all RACF based but using separate security databases.

IBM's documentation for the ENVRIN parameter of the RACROUTE REQUEST=VERIFY macro reads as follows:

,ENVRIN=envr data addr

specifies the data structure that contains the information necessary to re-create a security environment.

The address points to a data structure defined in Table 11. The data structure describes the storage location for the ENVR object. While the format of the data structure pointed to by ENVRIN is known to the RACROUTE invokers, the content of the object itself is known only to the external security product.