When trying to activate VSE Library Security by specifying SEC=YES, 'OS20I UNAUTHORIZED ACCESS REQUEST FOR library.sublibrary' is received during IPL
- 'OS20I UNAUTHORIZED ACCESS REQUEST FOR library.sublibrary' during IPL at BGINIT time:
A VSE ID card for the BGINIT must be present.
If CA-TOP SECRET is active and cataloging a new BG or FB startup proc, specify the following ID card syntax:'ID USER=FORSEC,PWD=FORSEC'
Note: No '//' (slashes).
Explanation: If the ID card is cataloged with the '//' (slashes), CA-Top Secret will encrypt the ID card.
Because CA-Top Secret has not initialized yet when the BGINIT job executes, the encrypted '// ID ' card cannot be read.The solution is to remove the '//' from the '// ID' card and re-catalog the IPL deck. Without the '//' (slashes), CA-Top Secret will not encrypt the '// ID' card.
- '0S20I UNAUTHORIZED ACCESS REQUEST FOR: library.sublibrary $$b_transient.phase' during CASAUTIL execution.
VSE IPL 'SYSTEM' statement with SEC=YES activates VSE library security. The IPL/ASI/startup is at the mercy of IBM's VSE security until CA-TOP SECRET has a chance to completely initialize during IPL.
B-Transients are a special kind of system phase. In a system with VSE library security active, they can be loaded from protected libraries only. Any attempt to load a B-transient from an unprotected library would cause an IBM VSE '0S20I UNAUTHORIZED ACCESS?" access violation.
Libraries that contain B-transients of the VSE base programs are automatically protected by appropriate entries in the IBM VSE pre-generated access control table DTSECTAB.
B-Transients are phase name beginning by $$B. Any library containing B-Transients phases that will be loaded prior to CA-TOP SECRET initialization need to be added to the IBM VSE security table DTSECTAB or a VSE '0S20I UNAUTHORIZED ACCESS?" access violation will be received.
For Example, CA-CIS, and CA-DYNAM libraries.
- No security checking being done for library/sublibrary/member.
Verify that IBM VSE IPL 'SYSTEM' statement with parameter SEC=YES has Specified.
- Display address 80 who is the address of SYSCOM. From the VSE console issue a:
AR 0015 00000420 00001004 0002006B 00040011 *...........,....*
AR 0015 1I40I READY
- Add x'041' to the address of SYSCOM and display that address:
x'420' + x'041' = x'461'
AR 0015 601CE8 00200044 0240BB80 000090E0 00 *-.Y..... .......*
AR 0015 1I40I READY
If a x'10' was not set that means that SEC=NO was coded
Once the above is achieved, VSE will correctly start and you can define any library/sublibrary/member to be protected by CA-TOP SECRET using CA-TOP SECRET itself.
See Chapter 7 'VSE Libarary Security' in the CA-TOP SECRET Implementation: Batch, STC and APPC Guide.
Link to documentation https://support.ca.com/cadocs/1/h000116e.pdf