Re: RACROUTE REQUEST=AUTH problem
I put the same RACROUTE macro in a batch job and it works fine. The problem was using the RACROUTE in the client's CICS region but this has been solved by using the EXEC CICS QUERY SECURITY command instead.

I'd like to thank everyone for their help with this.

Regards,
John.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACROUTE REQUEST=AUTH problem
The client's quite happy now as it works with EXEC CICS QUERY SECURITY.

We were only able to get a RC=0 on our own LPAR. On the client's LPAR it was a hard error. It always gave this response combination no matter which class and resource they tried:

    SAF_RC=04 RACF_RC=04 RACF_RSN=00

Regards,
John.

Re: RACROUTE REQUEST=AUTH problem
Well, under CICS - except perhaps L8 which might set a TCB level ACEE, you are not going to get the user's permission, you will be getting the CICS STC permission. So the answer will be wrong.

I am not sure which CICS control block contains the ACEE pointer, but if you are already going to do an ADDRESS ACEE you may as well use INQUIRE SECURITY.

You stated that you receive 0 for authorized users. Are you getting 8 for those not authorized? Is the message correct?

Is the program doing this defined as threadsafe? At your client?

I personally would add DECOUPL=YES to the RACROUTE. Just in case they have a table.

On Tue, 12 Dec 2023 02:49:18 -0600 John Blythe Reid wrote:

:>Thanks Binyamin,
:>
:>Here are the macros:
:>
:>         RACROUTE REQUEST=AUTH,
:>               CLASS=(R2),
:>               ENTITY=((R3),NONE),
:>               STATUS=ACCESS,
:>               WORKA=(R5),
:>               RELEASE=1.9,
:>               MF=(E,(R1))
:>
:>RACLST   RACROUTE REQUEST=AUTH,
:>               GENERIC=YES,
:>               RELEASE=1.9,
:>               MF=L

--
Binyamin Dissen
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel

Re: RACROUTE REQUEST=AUTH problem
Thanks Binyamin,

Here are the macros:

         RACROUTE REQUEST=AUTH,
               CLASS=(R2),
               ENTITY=((R3),NONE),
               STATUS=ACCESS,
               WORKA=(R5),
               RELEASE=1.9,
               MF=(E,(R1))

RACLST   RACROUTE REQUEST=AUTH,
               GENERIC=YES,
               RELEASE=1.9,
               MF=L

Regards,
John.

Re: RACROUTE REQUEST=AUTH problem
As to why it works on your LPAR and not the customer's, you need to look at how to set up CICS to use RACF. Also CICS you need to look at your CDT entries and you will probably find your CDT entries have entries that the customer doesn't.

Sent from my iPhone
No one said I could type with one thumb

> On Dec 11, 2023, at 13:37, Walt Farrell wrote:
>
> On Mon, 11 Dec 2023 09:50:34 -0600, John Blythe Reid wrote:
>
>> The client never got the RACROUTE macro to work. Instead they've opted to
>> use the CICS command EXEC CICS QUERY SECURITY and that works ok. Does anyone
>> think that the problem may be due to issuing a RACROUTE macro inside a CICS
>> transaction ? However the same transaction does work on our LPAR but not on
>> the client's.
>
> EXEC CICS QUERY SECURITY is what you're _supposed_ to use, and the last time
> I checked (many years ago) in most CICS configurations the user's ACEE is not
> in a location where RACROUTE would find it. That means that a RACROUTE would
> use the CICS region user ID, which is only one of the problems you need to
> deal with in trying to use non-CICS functions inside a CICS transaction.
>
> I have no idea what CICS configuration you're running, nor what your client
> is running. And I have no idea how using the region's ACEE might return an
> RC=4. Usually I would expect an unwanted RC=0 or RC=8.
>
> Nor do I have any idea what changes might have occurred in CICS in those
> intervening years.
>
> --
> Walt (former designer/developer on the RACF team at IBM)

Re: RACROUTE REQUEST=AUTH problem
On Mon, 11 Dec 2023 09:50:34 -0600, John Blythe Reid wrote:

>The client never got the RACROUTE macro to work. Instead they've opted to use
>the CICS command EXEC CICS QUERY SECURITY and that works ok. Does anyone think
>that the problem may be due to issuing a RACROUTE macro inside a CICS
>transaction ? However the same transaction does work on our LPAR but not on
>the client's.

EXEC CICS QUERY SECURITY is what you're _supposed_ to use, and the last time I checked (many years ago) in most CICS configurations the user's ACEE is not in a location where RACROUTE would find it. That means that a RACROUTE would use the CICS region user ID, which is only one of the problems you need to deal with in trying to use non-CICS functions inside a CICS transaction.

I have no idea what CICS configuration you're running, nor what your client is running. And I have no idea how using the region's ACEE might return an RC=4. Usually I would expect an unwanted RC=0 or RC=8.

Nor do I have any idea what changes might have occurred in CICS in those intervening years.

--
Walt (former designer/developer on the RACF team at IBM)

Re: RACROUTE REQUEST=AUTH problem
Show the LIST and EXECUTE form of the RACROUTE.

On Mon, 11 Dec 2023 09:50:34 -0600 John Blythe Reid wrote:

:>The client never got the RACROUTE macro to work. Instead they've opted to use the CICS command EXEC CICS QUERY SECURITY and that works ok. Does anyone think that the problem may be due to issuing a RACROUTE macro inside a CICS transaction ? However the same transaction does work on our LPAR but not on the client's.
:>
:>Regards,
:>John.

--
Binyamin Dissen
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel

Re: RACROUTE REQUEST=AUTH problem
The client never got the RACROUTE macro to work. Instead they've opted to use the CICS command EXEC CICS QUERY SECURITY and that works ok. Does anyone think that the problem may be due to issuing a RACROUTE macro inside a CICS transaction ? However the same transaction does work on our LPAR but not on the client's.

Regards,
John.

Re: RACROUTE REQUEST=AUTH problem
Hi Jon,

Multi-User *Single Address Space.

Regards,
David

On 2023-12-01 02:19, Jon Perryman wrote:

> The one thing no one has mentioned is MUSASS configuration (Multi-User address spaces). Has the customer configured MUSASS changes like naming table, exits or ???. For instance, is the STC jobname being appended to distinguish between production and test? Maybe a RACF trace would show the real resource name and results.

Re: RACROUTE REQUEST=AUTH problem
The one thing no one has mentioned is MUSASS configuration (Multi-User address spaces). Has the customer configured MUSASS changes like naming table, exits or ???. For instance, is the STC jobname being appended to distinguish between production and test? Maybe a RACF trace would show the real resource name and results.

Re: RACROUTE REQUEST=AUTH problem
John,

Are they defining generic profiles to protect resources in this class? If yes, did they remember to activate SETROPTS GENCMD and GENERIC for the class, especially _before_ creating such profiles. Have them execute SEARCH CLASS(class) and examine the resulting profile list to verify all profiles containing generic characters show a '(G)' to the right of the profile. Also look at SETROPTS LIST to confirm the class is listed under both GENERIC PROFILE CLASSES and GENERIC COMMAND CLASSES. Assuming GENERIC is active, have them create a ** catch-all profile in the class to see if this results in a profile being found.

Have they RACLISTed the class? If yes, are they remembering to RACLIST REFRESH the class every time they make a profile change? The REFRESH needs to be performed on each system sharing the RACF database, especially on the system where this CICS environment is running.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Wed, 29 Nov 2023 16:18:49 +
From: Rob Scott
Subject: Re: RACROUTE REQUEST=AUTH problem

Yes - so you have a "4,4,0" set of SAF_RC,RACF_RC and RACF_RSN

From the RACROUTE macro docs , the RACF-RC/RSN means :

04  The specified resource is not protected by RACF. If PROTECTALL is active, no profile is found, and the user ID whose authority was checked does not have the SPECIAL attribute, RACF returns a return code X'08' instead of a return code X'04' and denies access.

    Reason code  Meaning
    00           One of the following has occurred:
                 • There is no RACF profile protecting the resource.
                 • RACF is not active.
                 • Specified class is not in the RACF class descriptor table.
                 • Specified class (other than DSNR) is not active.
                 • Specified class requires SETROPTS RACLIST option to be active and it is not.
                 • CLASS TEMPDSN was active and the data set is a temporary data set.
                 • A userid of *BYPASS* has been passed on the authorization check. No profile checking will occur.

You have at least one of the above conditions

Rob

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of John Blythe Reid
Sent: Wednesday, November 29, 2023 4:14 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACROUTE REQUEST=AUTH problem

EXTERNAL EMAIL

Rob,

I'm looking at SAFPRRET and SAFPRREA in a test on our LPAR. After checking a non-existent resource SAFPRRET contains X'0004' and SAFPRREA contains binary zeros. Is the value in SAFPRRET the RACF RC ? The RACROUTE macro return code in R15 is also X'04'.

Regards,
John.

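The SETROPTS LIST checks suggested in the message above, run over captured output from two systems so the class setup can be compared side by side. This is an added example, not code posted by anyone in the thread. The class name XAPPRES is hypothetical, both listings are constructed sample text, and the "LABEL = values" layout with indented continuation lines is an assumption about how the captured output looks.

```python
import re

# SETROPTS LIST sections of interest, mapped to short keys.
SECTIONS = {
    "ACTIVE CLASSES": "active",
    "GENERIC PROFILE CLASSES": "generic_profile",
    "GENERIC COMMAND CLASSES": "generic_command",
    "SETR RACLIST CLASSES": "raclist",
}
LABEL = re.compile(r"^([A-Z][A-Z ]*?)\s*=\s*(.*)$")

def parse_setropts(text):
    """Return {key: set of class names} for the sections in SECTIONS."""
    found = {key: set() for key in SECTIONS.values()}
    current = None
    for line in text.splitlines():
        m = LABEL.match(line)
        if m:                                   # new "LABEL = ..." section
            current = SECTIONS.get(m.group(1))
            words = m.group(2).split()
        elif current and line[:1].isspace():    # indented continuation line
            words = line.split()
        else:                                   # unrelated line ends the section
            current, words = None, []
        if current:
            found[current].update(w for w in words if w != "NONE")
    return found

def findings(settings, cls, uses_generics):
    """Setup gaps under which a profile lookup in cls can come back 'not protected'."""
    out = []
    if cls not in settings["active"]:
        out.append("class not active")
    if uses_generics and cls not in settings["generic_profile"]:
        out.append("GENERIC not enabled for class")
    if uses_generics and cls not in settings["generic_command"]:
        out.append("GENCMD not enabled for class")
    return out

def compare(ours, theirs, cls):
    """Sections where cls is listed on one system but not on the other."""
    return sorted(k for k in ours if (cls in ours[k]) != (cls in theirs[k]))

# Constructed sample listings (not taken from the thread).
OURS = """ATTRIBUTES = INITSTATS WHEN(PROGRAM -- BASIC)
ACTIVE CLASSES = DATASET USER GROUP FACILITY
                 XAPPRES
GENERIC PROFILE CLASSES = DATASET XAPPRES
GENERIC COMMAND CLASSES = DATASET XAPPRES
GENLIST CLASSES = NONE
SETR RACLIST CLASSES = FACILITY XAPPRES
"""
CLIENT = OURS.replace("GENERIC PROFILE CLASSES = DATASET XAPPRES",
                      "GENERIC PROFILE CLASSES = DATASET") \
             .replace("SETR RACLIST CLASSES = FACILITY XAPPRES",
                      "SETR RACLIST CLASSES = FACILITY")

if __name__ == "__main__":
    ours, client = parse_setropts(OURS), parse_setropts(CLIENT)
    print("client findings:", findings(client, "XAPPRES", uses_generics=True))
    print("differs in:", compare(ours, client, "XAPPRES"))
```

A RACLIST difference is reported by `compare` only as a difference: whether the class requires RACLIST is a class descriptor table property that SETROPTS LIST does not show.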
Re: RACROUTE REQUEST=AUTH problem
Yes - so you have a "4,4,0" set of SAF_RC,RACF_RC and RACF_RSN

From the RACROUTE macro docs , the RACF-RC/RSN means :

04  The specified resource is not protected by RACF. If PROTECTALL is active, no profile is found, and the user ID whose authority was checked does not have the SPECIAL attribute, RACF returns a return code X'08' instead of a return code X'04' and denies access.

    Reason code  Meaning
    00           One of the following has occurred:
                 • There is no RACF profile protecting the resource.
                 • RACF is not active.
                 • Specified class is not in the RACF class descriptor table.
                 • Specified class (other than DSNR) is not active.
                 • Specified class requires SETROPTS RACLIST option to be active and it is not.
                 • CLASS TEMPDSN was active and the data set is a temporary data set.
                 • A userid of *BYPASS* has been passed on the authorization check. No profile checking will occur.

You have at least one of the above conditions

Rob

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of John Blythe Reid
Sent: Wednesday, November 29, 2023 4:14 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACROUTE REQUEST=AUTH problem

EXTERNAL EMAIL

Rob,

I'm looking at SAFPRRET and SAFPRREA in a test on our LPAR. After checking a non-existent resource SAFPRRET contains X'0004' and SAFPRREA contains binary zeros. Is the value in SAFPRRET the RACF RC ? The RACROUTE macro return code in R15 is also X'04'.

Regards,
John.

Re: RACROUTE REQUEST=AUTH problem
Rob,

I'm looking at SAFPRRET and SAFPRREA in a test on our LPAR. After checking a non-existent resource SAFPRRET contains X'0004' and SAFPRREA contains binary zeros. Is the value in SAFPRRET the RACF RC ? The RACROUTE macro return code in R15 is also X'04'.

Regards,
John.

Re: RACROUTE REQUEST=AUTH problem
John

The next step is to examine the RACF RC associated with the SAF RC=4 as that will help narrow down the reason.

Rob

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of John Blythe Reid
Sent: Wednesday, November 29, 2023 2:49 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACROUTE REQUEST=AUTH problem

EXTERNAL EMAIL

Hi Rob,

Thanks a lot for your reply. However, we executed the SETR LIST command and we can see that the classes involved are indeed active.

By the way, this is a conversion from Top Secret to RACF.

Regards,
John.

Re: RACROUTE REQUEST=AUTH problem
Hi Rob,

Thanks a lot for your reply. However, we executed the SETR LIST command and we can see that the classes involved are indeed active.

By the way, this is a conversion from Top Secret to RACF.

Regards,
John.

Re: RACROUTE REQUEST=AUTH problem
DECOUPL= ?

On Wed, 29 Nov 2023 04:42:01 -0600 John Blythe Reid wrote:

:>We have a CICS module that issues a RACROUTE REQUEST=AUTH to query a user's access rights to a resource. We execute the module on our LPAR and it works fine returning RC=0 if the user has access.
:>When we put that same CICS module on our client's LPAR the RACROUTE REQUEST=AUTH always returns RC=04 as though the resources weren't defined to RACF. If we take one of the resources that the module didn't find and display it using 'TSO RL class resource' RACF displays the resource details ok. So the resources are correctly defined but the RACROUTE macro never appears to find them.
:>The z/OS level is the same: 2.4; and the RACF level in the RACROUTE macro is the same: 1.9.
:>It's a bit of a mystery. Anyone have any ideas ?

--
Binyamin Dissen
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel

Re: RACROUTE REQUEST=AUTH problem
Is the class active on customer system?

Use "TSO SETR LIST" to examine class status information.

Rob Scott
Rocket Software

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of John Blythe Reid
Sent: Wednesday, November 29, 2023 10:42 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: RACROUTE REQUEST=AUTH problem

EXTERNAL EMAIL

Hello,

We have a CICS module that issues a RACROUTE REQUEST=AUTH to query a user's access rights to a resource. We execute the module on our LPAR and it works fine returning RC=0 if the user has access.

When we put that same CICS module on our client's LPAR the RACROUTE REQUEST=AUTH always returns RC=04 as though the resources weren't defined to RACF. If we take one of the resources that the module didn't find and display it using 'TSO RL class resource' RACF displays the resource details ok. So the resources are correctly defined but the RACROUTE macro never appears to find them.

The z/OS level is the same: 2.4; and the RACF level in the RACROUTE macro is the same: 1.9.

It's a bit of a mystery. Anyone have any ideas ?

Regards,
John.

RACROUTE REQUEST=AUTH problem
Hello,

We have a CICS module that issues a RACROUTE REQUEST=AUTH to query a user's access rights to a resource. We execute the module on our LPAR and it works fine returning RC=0 if the user has access.

When we put that same CICS module on our client's LPAR the RACROUTE REQUEST=AUTH always returns RC=04 as though the resources weren't defined to RACF. If we take one of the resources that the module didn't find and display it using 'TSO RL class resource' RACF displays the resource details ok. So the resources are correctly defined but the RACROUTE macro never appears to find them.

The z/OS level is the same: 2.4; and the RACF level in the RACROUTE macro is the same: 1.9.

It's a bit of a mystery. Anyone have any ideas ?

Regards,
John.