JESSPOOL Security Setup for ACF2

Document ID : KB000096515
Last Modified Date : 16/05/2018
Show Technical Document Details
Question:
Ability to read Output SPOOL data from active CICS Started Tasks. Currently the Started task is receiving a security related error.
SDF0381A SYSOUT FORWARDER ERROR MESSAGE: SECURITY CHECK FAILED,RC=00000004
...the error is related to the lack of access to a JESSPOOL Resource Rule.
Answer:
Change to 'MODE=IGNORE' and the SAFDEF Record defined:
===============================================
INSERT SAFDEF.IRONSTR ID(IRONSTR)
- FUNCRET(0) -
PROGRAM(SSDFSOUT) RB(SSDFSOUT) -
MODE(IGNORE) -
RACROUTE(REQUEST=AUTH,CLASS=JESSPOOL) -
RETCODE(0)
===============================================
To see what Records are being used on this System, you can run the following commands:
SHOW SYSTEM
SHOW SAFDEF
SHOW CLASMAP

The ACF2 administrative steps required to implement JESSPOOL validation are:
1.) Determine a Resource Type Code to use for JESSPOOL Resources.
2.) Specify that Type Code in a GSO CLASMAP Record.
3.) Write Resource Rules.
4.) Activate Validation through GSO SAFDEF
...and assuming you select a Type Code of 'SPL' for the JESSPOOL, you'll need to insert the following GSO CLASMAP Record:
SET C(GSO) INSERT CLASMAP.spool RESOURCE(JESSPOOL) RSRCTYPE(SPL)

After all of the Rules are in place, you'll need to run the following commands to 'activate' the changes:
ACF
F ACF2,REFRESH(CLASMAP)
F ACF2,REFRESH(INFODIR)
F ACF2,REFRESH(SAFDEF)

Full details of how to implement JESSPOOL Security can be found in the CA web site, DOCOPS, at the following link:
https://docops.ca.com/ca-acf2-for-z-os/16-0/en/administrating/jes-security
...this describes ACF2 'JES Security' and also 'JESSPOOL', both the set-up and helpful hints and tips. So, the problem is related to the lack of access to a JESSPOOL Resource Rule. The default SAFDEF for JESSPOOL is to ignore validations with 'RC=4', so you need to create an overriding SAFDEF to validate, basically, do all that's described above. Since the same output was browsed by both SDSF and the SDFOUT task the SECTRACE entries show that the SDSF issues the RACROUTE call for CLASS=JESSPOOL from program ISFMAIN and that the SDFOUT task RACROUTE call for CLASS=JESSPOOL is made from program SSDFSOUT. So by INSERTing a SAFDEF with PROGRAM(SSDFSOUT) only JESSPOOL validations for the SDFOUT task will be activated and the RACROUTE call for CLASS=JESSPOOL will continue to be processed the same as it is know without any impact to ISFPARM Security.