An ECI_ERR_SECURITY_ERROR -27 can occur if RACF® program control is not active for the CICS® Transaction Gateway load library.
An ECI_ERR_SECURITY_ERROR -27 security error occurs.
RACF program control is not active for the CICS Transaction Gateway load library SCTGLOAD, and the CICS Transaction Server for z/OS® SDFHEXCI load library.
RACF program control must be active for the CICS Transaction Gateway load library SCTGLOAD, and the CICS Transaction Server for z/OS SDFHEXCI load library.
SETROPTS CLASSACT(PROGRAM)
RDEFINE PROGRAM * UACC(READ)
SETROPTS WHEN(PROGRAM)
To add the CICS library when program control is active:
RALTER PROGRAM * ADDMEM('hlq.SDFHEXCI'/volser/NOPADCHK)
SETROPTS WHEN(PROGRAM) REFRESH
To add the CICS Transaction Gateway library when program control is active:
RALTER PROGRAM * ADDMEM('hlq.SCTGLOAD'/volser/NOPADCHK)
SETROPTS WHEN(PROGRAM) REFRESH
Extended attributes settings are incorrect for certain HFS files.
Extended attributes for HFS files of the <install_path>/bin directory are set during the SMP/E installation process. However, if they are subsequently modified, program control might be compromised. Use the ls -E command from the USS shell command line to verify that extended attributes are set correctly.
extattr +p <install_path>/bin/lib*.so
extattr +ps <install_path>/bin/ctgstart
extattr +p javapath/bin/*
where javapath is the location of the JVM. For further information, see Configuring for client certificate mapping.
To perform the necessary security calls to verify passwords, the Gateway daemon must run in a program controlled address space. Under the USS shell, the first non-program controlled program that runs (for example ls) makes that particular USS address space "dirty", and unable to subsequently run program controlled code.
Therefore, if you intend to run the Gateway daemon by executing the ctgstart script directly from a USS shell, set environment variable _BPX_SHAREAS to NO. This ensures that the Gateway daemon runs in a separate "clean" address space.
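The ls -E check described above can be scripted. The following is an added example, not part of the original page and not IBM code: it reads ls -E output and reports files that lack the attributes the extattr commands set. The function names, the DEFAULT argument and the sample listing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not IBM code). Audits `ls -E` output for the extended
# attributes that the extattr commands set. In the 4-character field that
# ls -E prints after the permissions: a = APF authorized,
# p = program controlled, s = shared address space, l = shared library region.

# required_flags NAME DEFAULT: flags a file must carry, per the page:
# ctgstart needs p and s, lib*.so needs p. DEFAULT (an assumption of this
# example) applies to any other name, e.g. "p" when auditing javapath/bin.
required_flags() {
  case "$1" in
    ctgstart) echo "p s" ;;
    lib*.so)  echo "p" ;;
    *)        echo "$2" ;;
  esac
}

# audit_extattr [DEFAULT]: reads `ls -E` lines on stdin, prints
# "MISSING <flag> <file>" per missing attribute, returns 1 if any is missing.
# File names containing spaces are not handled.
audit_extattr() {
  rc=0
  while read -r mode ext rest; do
    # Skip "total N" and any line without an extended-attribute field.
    case "$ext" in [a-][p-][s-][l-]) ;; *) continue ;; esac
    name=${rest##* }
    for f in $(required_flags "${name##*/}" "${1:-}"); do
      case "$ext" in
        *"$f"*) ;;
        *) echo "MISSING $f $name"; rc=1 ;;
      esac
    done
  done
  return "$rc"
}

# Constructed sample of `ls -E <install_path>/bin`; names other than
# ctgstart are made up.
SAMPLE_LS_E='total 48
-rwxr-xr-x  -p--  1 CTGUSER  CTGGRP    8192 Jan 10 09:00 ctgstart
-rwxr-xr-x  -p--  1 CTGUSER  CTGGRP  204800 Jan 10 09:00 libsample1.so
-rwxr-xr-x  ----  1 CTGUSER  CTGGRP  102400 Jan 10 09:00 libsample2.so
-rwxr-xr-x  ----  1 CTGUSER  CTGGRP    1024 Jan 10 09:00 othertool'

printf '%s\n' "$SAMPLE_LS_E" | audit_extattr || echo "extended attributes need resetting"
```

On z/OS, pipe the real listings into the function: ls -E <install_path>/bin | audit_extattr for the Gateway files, and ls -E javapath/bin | audit_extattr p for the JVM files.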
If user IDs and passwords are not to be authenticated within the CICS Transaction Gateway, ensure the variable AUTH_USERID_PASSWORD is not set in the CICS Transaction Gateway STDENV file or shell environment.
The JAVA_PROPAGATE environment variable has not been set for a CICS Transaction Gateway application running in local mode. You must set:
JAVA_PROPAGATE=NO
in the environment under which the application runs. If the environment variable is not set, z/OS traces show that a pthread_security_np call with the CREATE_SECURITY_ENV parameter has failed with a 157 (EMVSERR) return code.