We are running z/OS 1.11 and in the course of trying out the new TCPIP application CSSMTP, I encountered an unexpected ACF04056 security violation for the SERVAUTH RESOURCE class. How can this SERVAUTH resource violation be addressed?

Document ID : KB000052649
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

With z/OS 1.11 there is a new profile in the SERVAUTH class for the TCPIP CSSMTP application:

EZB.CSSMTP.sysname.writername.originJESnode. The application fails with the following violation:

ACF04056 ACCESS TO RESOURCE EZB.CSSMTP.SYS1.SMTP.NODEJES TYPE RSER BY
CSSMTP NOT AUTHORIZED

An ACF2 resource rule can be written to address the violation.

Solution:

With ACF2 all resources are protected by default. To address the violation a site cand to add a rule entry for the second qualifier CSSMTP to the existing $KEY(EZB) TYPE(SER) resource rule or create the rule for the SERVAUTH resource class.

For example a new rule can be compiled or stored:

$KEY(EZB) TYPE(SER)
CSSMTP.sysname.writername.originJESnode UID(uid string) ALLOW

Or the existing $KEY(EZB) TYPE(SER) can be updated to include a rule entry for the new CSSMTP resource:

ACF
SET RESOURCE(SER)
RECKEY EZB ADD(CSSMTP.sysname.writername.originJESnode UID(uid string) ALLOW)

Details on ACF2 resource rules and the RECKEY subcommand can be found in the CA ACF2 for z/OS Administrator Guide, Chapter 7: Maintaining Resource Rules, section "Using the ACF Command".