Security Violation at CA ENF/CCI startup, even if no CCI PROTOCOL statement is specified for TCP/IP services.

Document ID : KB000054441
Last Modified Date : 14/02/2018

Description

When starting the CA ENF started task (STC), you may get a security violation on the SERVAUTH class. This violation may occur even if you have not set up CCI (within the ENF or CCI parameters) to establish a TCP/IP connection to other CA products.

The following are examples of the security violation you may experience:

With RACF:

  ICH408I USER(MXSTC1  ) GROUP(MXSTC   ) NAME(STARTED.TASK 
  EZB.STACKACCESS.ssis.TCPIP CL(SERVAUTH) 
  INSUFFICIENT ACCESS AUTHORITY 
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   ) 

Or with CA TOP-SECRET:

  TSS7250E 136 J=ENF A=TCPIP TYPE=SERVAUTH RESOURCE=EZB.STACKACCESS.ssid.TCPIP
  TSS7251E Access Denied to SERVAUTH <EZB.STACKACCESS.ssid.TCPIP>

Solution

The SERVAUTH class is now checked when the CAICCI subtask is being initialized. As part of normal initialization, CCI attempts to get as much network information as possible. This includes getting the host name of the system it is executing on. CCI issues the standard TCP/IP function calls GETHOSTID and GETHOSTNAME to obtain this information. This is done regardless of the CCI PROTOCOL that has been defined.

As a result, you need to grant READ access for the EZB.STACKACCESS resource to the userid assigned to the ENF started task.
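
The commands below are one way to make that grant and confirm it. They are an added example, not part of the original CA document. `ssid` is the placeholder used in the messages above, `MXSTC1` is the userid from the sample ICH408I message, and `enfacid` is a hypothetical name for the ACID assigned to the ENF started task. The RACF commands assume the profile already exists and that the SERVAUTH class is RACLISTed.

```text
/* RACF: permit READ only to the ENF started task userid */
PERMIT EZB.STACKACCESS.ssid.TCPIP CLASS(SERVAUTH) ID(MXSTC1) ACCESS(READ)

/* RACF: refresh the in-storage SERVAUTH profiles so the change takes effect */
SETROPTS RACLIST(SERVAUTH) REFRESH

/* RACF: confirm the access list now shows MXSTC1 with READ */
RLIST SERVAUTH EZB.STACKACCESS.ssid.TCPIP AUTHUSER

/* CA Top Secret: permit READ only to the ENF started task ACID */
TSS PERMIT(enfacid) SERVAUTH(EZB.STACKACCESS.ssid.TCPIP) ACCESS(READ)

/* CA Top Secret: confirm which ACIDs hold access to the resource */
TSS WHOHAS SERVAUTH(EZB.STACKACCESS.ssid.TCPIP)
```

Permitting the specific started task userid at READ, rather than raising the profile's universal access, keeps stack access limited to the IDs that need it.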