Trying to issue a VARY operator command and it fails with message: IEE345I VARY CN AUTHORITY INVALID, FAILED BY MVS

Document ID : KB000026259
Last Modified Date : 14/02/2018

Problem:

I needed to vary a console on z/OS. When I entered the following command, it failed:

V CN(CONMST2),AUTH=MASTER
IEE345I VARY CN AUTHORITY INVALID, FAILED BY MVS

What is needed to allow this to happen?


Cause:

This is the result of a RACROUTE REQUEST=AUTH,CLASS=OPERCMDS call issued by the operating system. By default, CA ACF2 ignores all operator command validation and replies to the caller with a return code of 4. Per the IBM RACROUTE manual, a return code of 4 means the specified resource is not protected by security. Most applications allow access on this return code, but some fail the request instead. In this case, the operating system is treating the return code of 4 as a failure.


Resolution:

To get this to work, you need to override the default SAFDEF record that CA ACF2 supplies. The override can be done in one of two ways.

The first is to change the return code to 0 (zero). This allows every operator command, with no validation at all. Here is the SAFDEF that would be needed:

TSO ACF
SET CONTROL(GSO)
INSERT SAFDEF.OPR ID(OPR) FUNCRET(0) RETCODE(0) MODE(IGNORE) RACROUTE(REQUEST=AUTH,CLASS=OPERCMDS) 
F ACF2,REFRESH(SAFDEF)

The recommended way to correct this from a security standpoint is to validate operator commands. You need to write the rules first. Here is an example of a generic rule:

$KEY(********) TYPE(OPR)
VARY.- UID(uid of system programmers) ALLOW
VARY.- UID(uid of operators) ALLOW
- UID(uid of operators) ALLOW

Alternatively, the MVS commands and JES2 commands can be separated. Here is an example of that:

$KEY(MVS) TYPE(OPR)
VARY.- UID(uid of system programmers) ALLOW
VARY.- UID(uid of operators) ALLOW
- UID(uid of operators) ALLOW
 
$KEY(JES2) TYPE(OPR)
- UID(uid of operators) ALLOW

Please review the CA ACF2 Administrator Guide for examples of securing the ACF2 and SECTRACE commands. Review the IBM manuals for the other operator commands that can and should be secured. The default type code for operator commands is SAF. To change the type code to OPR, as used in the rule examples above, enter the following:

ACF
SET CONTROL(GSO)
INSERT CLASMAP.OPR RESOURCE(OPERCMDS) RSRCTYPE(OPR)
F ACF2,REFRESH(CLASMAP)

If a masked key such as $KEY(********) is used, an INFODIR change is also needed:

ACF
SET CONTROL(GSO)
CHANGE INFODIR TYPRS(R-ROPR) ADD
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(OPR)

The rules are now in storage, and the SAFDEF can be changed so that operator commands are validated:

ACF
SET CONTROL(GSO)
INSERT SAFDEF.OPR ID(OPR) MODE(GLOBAL) RACROUTE(REQUEST=AUTH,CLASS=OPERCMDS) REP
F ACF2,REFRESH(SAFDEF)