RACROUTE call returns RC 0 but ESM returns RC 8 and allows access to transaction

Technote (troubleshooting)


Problem(Abstract)

You see that all CICS transactions are being allowed by the external security manager (ESM). Every RACROUTE call that CICS issues to check a resource returns a SAF return code of x'00' to CICS, even when the ESM return code is x'08' (access denied). You find that any user, including users who have not signed on, can run transactions that should be protected.

Cause

A product from an independent software vendor (ISV) is resetting RACROUTE return codes. The ISV product had installed a RACF RACROUTE exit (a SAF router exit) that intercepted every RACROUTE call and set the return code to x'00', so the denial from the ESM never reached CICS.

Diagnosing the problem

When you look at a trace, you see the following trace entries:

XS 0709 XSRC EVENT CHECK CEMT FUNCTION(CHECK_RESOURCE_ACCESS)
        SECURITY_TOKEN(21257530,00000001) CLASSNAME(TCICSTRN)
        ACCESS(READ) LOGMSG(YES) RESOURCE(18438BA4,00000004)
XS 070A XSRC EVENT CHECK-COMPLETE CEMT CICSUSER
        FUNCTION(CHECK_RESOURCE_ACCESS) RESPONSE(OK)
        SAF_RESPONSE(0) SAF_REASON(0) ESM_RESPONSE(8)
        ESM_REASON(0)


In the XS 070A trace entry above, CICS reports the following response and reason codes:

SAF_RESPONSE(0) = R15 after return from RACROUTE
SAF_REASON(0) = R0 after return from RACROUTE
ESM_RESPONSE(8) = SAFPRRET, from ICHSAFP copybook
ESM_REASON(0) = SAFPRREA, from ICHSAFP copybook

Although the ESM responded with x'08', indicating that access must be denied, CICS received a return code of x'00' from the RACROUTE call and therefore allowed the transaction. Security was turned on in the SIT with SEC=YES, and transaction security was enabled with XTRAN=TCICSTRN. No ICH408 messages were being issued.
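The trace entry above shows the symptom for one transaction. When you have a trace with many XS 070A CHECK-COMPLETE entries, the same inconsistency can be found mechanically: flag every CHECK-COMPLETE where RESPONSE(OK) and SAF_RESPONSE(0) coexist with a nonzero ESM_RESPONSE. The following Python script is an added example written for this technote, not IBM or CICS code. The trace sample embedded in it is constructed: the first CHECK/CHECK-COMPLETE pair is the one quoted above, the second is an assumed correctly denied check (SAF and ESM both 8, RESPONSE(EXCEPTION)), and the third is an assumed normal permitted access. The header layout it parses (point id, event, resource name, user id, then KEY(value) pairs) is taken from the entries shown above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of CICS XS domain trace output (not a real trace). The CEMT pair
# reproduces the anomaly from this technote; CEDA and CEBR are assumed entries that show
# what a genuine denial and a genuine permit look like, for comparison.
SAMPLE_TRACE = """\
XS 0709 XSRC EVENT CHECK CEMT FUNCTION(CHECK_RESOURCE_ACCESS)
        SECURITY_TOKEN(21257530,00000001) CLASSNAME(TCICSTRN)
        ACCESS(READ) LOGMSG(YES) RESOURCE(18438BA4,00000004)
XS 070A XSRC EVENT CHECK-COMPLETE CEMT CICSUSER
        FUNCTION(CHECK_RESOURCE_ACCESS) RESPONSE(OK)
        SAF_RESPONSE(0) SAF_REASON(0) ESM_RESPONSE(8)
        ESM_REASON(0)
XS 0709 XSRC EVENT CHECK CEDA FUNCTION(CHECK_RESOURCE_ACCESS)
        SECURITY_TOKEN(21257530,00000001) CLASSNAME(TCICSTRN)
        ACCESS(READ) LOGMSG(YES) RESOURCE(18438BA4,00000004)
XS 070A XSRC EVENT CHECK-COMPLETE CEDA CICSUSER
        FUNCTION(CHECK_RESOURCE_ACCESS) RESPONSE(EXCEPTION)
        SAF_RESPONSE(8) SAF_REASON(0) ESM_RESPONSE(8)
        ESM_REASON(0)
XS 0709 XSRC EVENT CHECK CEBR FUNCTION(CHECK_RESOURCE_ACCESS)
        SECURITY_TOKEN(21257530,00000001) CLASSNAME(TCICSTRN)
        ACCESS(READ) LOGMSG(YES) RESOURCE(18438BA4,00000004)
XS 070A XSRC EVENT CHECK-COMPLETE CEBR CICSUSER
        FUNCTION(CHECK_RESOURCE_ACCESS) RESPONSE(OK)
        SAF_RESPONSE(0) SAF_REASON(0) ESM_RESPONSE(0)
        ESM_REASON(0)
"""

# KEY(value) pairs as they appear in the trace, e.g. SAF_RESPONSE(0) or RESPONSE(OK)
FIELD_RE = re.compile(r"([A-Z_]+)\(([^)]*)\)")


@dataclass
class TraceEntry:
    point_id: str          # CICS trace point id: 0709 = CHECK, 070A = CHECK-COMPLETE
    event: str             # CHECK or CHECK-COMPLETE
    resource: str          # resource being checked, here the transaction id
    userid: Optional[str]  # user id, present on CHECK-COMPLETE entries
    fields: Dict[str, str] = field(default_factory=dict)


def parse_entries(text: str) -> List[TraceEntry]:
    """Join each 'XS ...' header with its indented continuation lines, then parse them."""
    records: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("XS "):
            records.append(line.strip())
        elif records and line[0].isspace():
            records[-1] += " " + line.strip()

    entries: List[TraceEntry] = []
    for rec in records:
        tokens = rec.split()
        # Header layout assumed from the entries in this technote:
        # XS <point> XSRC EVENT <event> <resource> [<userid>] KEY(value) ...
        if len(tokens) < 6 or tokens[2] != "XSRC":
            continue
        userid = tokens[6] if len(tokens) > 6 and "(" not in tokens[6] else None
        entries.append(TraceEntry(point_id=tokens[1], event=tokens[4],
                                  resource=tokens[5], userid=userid,
                                  fields=dict(FIELD_RE.findall(rec))))
    return entries


def find_masked_denials(entries: List[TraceEntry]) -> List[TraceEntry]:
    """CHECK-COMPLETE entries where the ESM denied access (ESM_RESPONSE != 0) but the SAF
    return code CICS saw was 0 and the check was reported as RESPONSE(OK). A consistent
    denial carries SAF_RESPONSE 8 as well; SAF 0 with ESM 8 means something between the
    ESM and CICS (such as a SAF router exit) altered the return code."""
    flagged = []
    for e in entries:
        if e.event != "CHECK-COMPLETE":
            continue
        f = e.fields
        if (f.get("RESPONSE") == "OK" and f.get("SAF_RESPONSE") == "0"
                and f.get("ESM_RESPONSE", "0") != "0"):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in find_masked_denials(parse_entries(SAMPLE_TRACE)):
        print(f"masked denial: {e.resource} user={e.userid} class={e.fields.get('CLASSNAME', '?')} "
              f"SAF={e.fields['SAF_RESPONSE']} ESM={e.fields['ESM_RESPONSE']}")
```

Run it against a real auxiliary trace print and any output line is a transaction that the ESM refused but CICS ran anyway; an empty report on a trace with plenty of CHECK-COMPLETE entries is a good sign that the exit is not active.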


Resolving the problem

To check whether a RACROUTE exit is installed, do the following.

  1. Verify the ESM installed, by entering L 10?+3E0? in IPCS.

  2. If this points to an RCVT, the ESM is RACF, and you can continue with the steps below. If it points to an RTSS, the ESM is CA-Top Secret; if it points to an ACF2, the ESM is CA-ACF2. In either of those two cases, contact the vendor.

  3. If RACF is the ESM, in IPCS enter L 10?+F8? to get to the SAF Vector Table.

  4. At offset +x'08' in the SAF Vector Table is the address of the SAF router exit. If that address is nonzero, a RACROUTE exit is installed. Browse the storage at that address to identify the exit; in this case the dump showed the following eye-catcher:

    00CBE020 16806000 00CBE028 47F0F010 C1E4C4D3 |..-...\..00.AUDL|
    00CBE030 D7C1D3C2 00CBE000 47F0F07E 69C1E4C4 |PALB..\..00=.AUD|
    00CBE040 D3D7C1D3 C240D3E5 D37AF34B F14BF240 |LPALB LVL:3.1.2 |
    00CBE050 F0F561F1 F561F0F2 406040F1 F44BF2F7 |05/15/02 - 14.27|
    00CBE060 40C6C9E7 7A40F0F0 F0F040F0 F061F0F0 | FIX: 0000 00/00|
    00CBE070 61F0F040 40C3C3D3 7AF0F1F8 F040C3D6 |/00  CCL:0180 CO|
    00CBE080 D7E8D9C9 C7C8E340 C9E2D6C7 D6D540C3 |PYRIGHT ISOGON C|
    00CBE090 D6D9D7D6 D9C1E3C9 D6D540F1 F9F9F360 |ORPORATION 1993-|
    00CBE0A0 F2F0F0F2 4B4041D0 D00090FC D01018CF |2002. .}}...}...|
    00CBE0B0 58901000 41909000 41E0E000 41F0C09E |.........\\..0{.|


    Note: AUDLPALB from ISOGON is now part of the IBM Tivoli License Compliance Manager for z/OS product.

Related information

CICS RACF Security Guide

Product Alias/Synonym

CICS/TS CICS TS CICS Transaction Server


Document information


More support for:

CICS Transaction Server
Security

Software version:

3.1, 3.2, 4.1, 4.2, 5.1

Operating system(s):

z/OS

Reference #:

1111157

Modified date:

2013-03-29
