RACF ICH408 errors after upgrading to CA XCOM Data Transport r12 when transferring USS files with RACF PROTECTALL enabled and SECURITY=RACF specified.
Traces show a Return Code = 00000008 from RACF.
Since the introduction of USS file support, SECURITY=SAF has been the recommended setting when USS transfers will be performed.
The SAF option creates a new ACEE and switches the subtask(s) to run under the auspices of the USERID specified (or defaulted...) in the transfer parameters. As a result of switching directly to an ACEE built for the specific USERID, no explicit security calls are made or required by XCOM to check resource permissions for a transfer. As the resources are accessed, the ESM (RACF in your case) simply allows or rejects the access. This is actually the cleanest method to enforce security rules. There is no room for error or interpretation on the part of XCOM-generated RACROUTE calls.
When you run with SECURITY=RACF | TOPS | ACF2, XCOM's subtasks run under the ACEE used to start the server, and thus specific RACROUTE calls are required to do third-party authentication for the USERID used for the transfer (if different from the one used to start the server).
The solution to this problem is to run using SECURITY=SAF. There will be no code change to exempt USS file names from the standard RACROUTE processing currently in place.