Received: 'OS20I UNAUTHORIZED ACCESS REQUEST FOR library.sublibrary' When Trying To Activate VSE Library Security

Document ID : KB000027267
Last Modified Date : 14/02/2018
Show Technical Document Details


When trying to activate VSE Library Security by specifying SEC=YES, 'OS20I UNAUTHORIZED ACCESS REQUEST FOR library.sublibrary' is received during IPL


  1. 'OS20I UNAUTHORIZED ACCESS REQUEST FOR library.sublibrary' during IPL at BGINIT time:
    A VSE ID card for the BGINIT must be present.

    If  CA-TOP SECRET is active and cataloging a new BG or FB startup proc, specify the following ID card syntax:'ID USER=FORSEC,PWD=FORSEC'
    Note: No '//' (slashes).

    Explanation: If the ID card is cataloged with the '//' (slashes),  CA-Top Secret will encrypt the ID card.
    Because  CA-Top Secret has not initialized yet when the BGINIT job executes, the encrypted '// ID ' card cannot be read.The solution is to remove the '//' from the '// ID' card and re-catalog the IPL deck. Without the '//' (slashes),  CA-Top Secret will not encrypt the '// ID' card.                                                                      
  2. '0S20I UNAUTHORIZED ACCESS REQUEST FOR: library.sublibrary $$b_transient.phase' during CASAUTIL execution.

    VSE IPL 'SYSTEM' statement with SEC=YES activates VSE library security. The IPL/ASI/startup is at the mercy of IBM's VSE security until  CA-TOP SECRET has a chance to completely initialize during IPL.

    B-Transients are a special kind of system phase. In a system with VSE library security active, they can be loaded from protected libraries only. Any attempt to load a B-transient from an unprotected library would cause an IBM VSE '0S20I UNAUTHORIZED ACCESS?" access violation.

    Libraries that contain B-transients of the VSE base programs are automatically protected by appropriate entries in the IBM VSE pre-generated access control table DTSECTAB.

    B-Transients are phase name beginning by $$B. Any library containing B-Transients phases that will be loaded prior to  CA-TOP SECRET initialization need to be added to the IBM VSE security table DTSECTAB or a VSE '0S20I UNAUTHORIZED ACCESS?" access violation will be received.

    For Example, CA-CIS, and CA-DYNAM libraries.

  3. No security checking being done for library/sublibrary/member.
    Verify that IBM VSE IPL 'SYSTEM' statement with parameter SEC=YES has Specified.

    To verify:
    1. Display address 80 who is the address of SYSCOM. From the VSE console issue a:
      dsply 80

      dsply 80

      AR 0015 00000420 00001004 0002006B 00040011 *...........,....*
      AR 0015 1I40I READY
    2. Add x'041' to the address of SYSCOM and display that address:
      x'420' + x'041' = x'461'

      dsply 461
      AR 0015 601CE8 00200044 0240BB80 000090E0 00 *-.Y..... .......*
      AR 0015 1I40I READY

      If a x'10' was not set that means that SEC=NO was coded

Once the above is achieved, VSE will correctly start and you can define any library/sublibrary/member to be protected by CA-TOP SECRET using CA-TOP SECRET itself.


Additional Information:

See Chapter 7 'VSE Libarary Security' in the  CA-TOP SECRET Implementation: Batch, STC and APPC Guide.

Link to documentation