Security error due to RACF problem

An ECI_ERR_SECURITY_ERROR -27 can occur if RACF® program control is not active for the CICS® Transaction Gateway load library.

Symptom

An ECI_ERR_SECURITY_ERROR -27 security error occurs.

Probable cause

RACF program control is not active for the CICS Transaction Gateway load library SCTGLOAD, or for the CICS Transaction Server for z/OS® SDFHEXCI load library. Program control must be active for both libraries: the Gateway daemon can only make its security calls from a program controlled address space, and a module loaded from a library that is not program controlled makes the address space unusable for such calls.

Action

Activate RACF program control:
SETROPTS CLASSACT(PROGRAM)
RDEFINE PROGRAM * UACC(READ)
SETROPTS WHEN(PROGRAM)
To add the CICS library when program control is already active:
RALTER PROGRAM * ADDMEM('hlq.SDFHEXCI'/volser/NOPADCHK)
SETROPTS WHEN(PROGRAM) REFRESH
To add the CICS Transaction Gateway library when program control is already active:
RALTER PROGRAM * ADDMEM('hlq.SCTGLOAD'/volser/NOPADCHK)
SETROPTS WHEN(PROGRAM) REFRESH
In these commands, hlq is the high-level qualifier of the library and volser is the volume on which the library resides. The SETROPTS WHEN(PROGRAM) REFRESH command refreshes the in-storage PROGRAM profiles so that the added member takes effect.

Additional information

Extended attribute settings are incorrect for certain HFS files.

Extended attributes for the HFS files in the <install_path>/bin directory are set during the SMP/E installation process. If they are subsequently modified, program control for those files might be lost. Use the ls -E command from the USS shell to verify that the program control attribute (shown as p in the extended-attributes column of the listing) is set on each load module.

The following extattr commands mark the load modules used by the CICS Transaction Gateway as program controlled. Issue commands similar to the following from an OMVS shell or a Telnet session:
extattr +p <install_path>/bin/lib*.so
extattr +ps <install_path>/bin/ctgstart
The Java™ SDK must also be program controlled. By default, the SDK is installed as program controlled. If necessary, issue the following command:
extattr +p javapath/bin/*
where javapath is the location of the JVM. For further information, see Configuring for client certificate mapping.

Running ctgstart from the USS command line with AUTH_USERID_PASSWORD set

To perform the security calls that verify passwords, the Gateway daemon must run in a program controlled address space. Under the USS shell, the first non-program-controlled program that runs in an address space (for example, ls) marks that address space "dirty", and program controlled code can no longer run in it.

Therefore, if you intend to run the Gateway daemon by executing the ctgstart script directly from a USS shell, set the environment variable _BPX_SHAREAS to NO. This ensures that the Gateway daemon is started in a separate, "clean" address space rather than in the (possibly dirty) address space of the shell.

Note: This is in direct contrast to the setting of _BPX_SHAREAS used when executing the Gateway daemon via CTGBATCH.
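The two checks a practitioner wants at this point, as an added example that is not code from the CICS Transaction Gateway product or its documentation: an audit of an ls -E listing of <install_path>/bin for the attributes the extattr commands above set (+p on lib*.so, +p and +s on ctgstart), and a launcher that starts a command with _BPX_SHAREAS=NO so it gets its own clean address space. The sample listing is constructed (the file names libctgjni.so and libctgecis.so, the user CTGUSER and the group CTGGRP are made up); the function names are this example's own. The parser relies on the documented ls -E layout, in which a four-character field follows the mode bits with one position each for a (APF-authorized), p (program controlled), s (shared address space) and l (shared library).

```shell
#!/bin/sh
# Added example; not code from the CICS Transaction Gateway product or its
# documentation. The listing below is constructed: libctgjni.so, libctgecis.so,
# CTGUSER and CTGGRP are made up. Function names are this example's own.
#
# "ls -E" on z/OS USS prints a four-character field after the mode bits with
# one position each for a (APF-authorized), p (program controlled),
# s (shared address space) and l (shared library); "-" means the bit is off.

# Print the name of every regular file in an "ls -E" listing (read from stdin)
# whose extended-attribute field lacks the flag letter given as $1.
missing_extattr() {
    awk -v flag="$1" '
        # a regular-file entry: mode string, then the extended-attribute field
        $1 ~ /^-[-rwxstT]+$/ && $2 ~ /^[-a][-p][-s][-l]$/ {
            if (index($2, flag) == 0) print $NF
        }'
}

# Audit a listing of <install_path>/bin (passed as one string). Prints one
# finding per line; returns 1 if anything is missing, 0 when the listing is
# clean. Only the modules the documentation names are checked.
audit_ctg_bin() {
    listing="$1"
    findings=$(
        printf '%s\n' "$listing" | missing_extattr p \
            | grep -E '^(lib.*\.so|ctgstart)$' | sed 's/^/missing +p: /'
        printf '%s\n' "$listing" | missing_extattr s \
            | grep '^ctgstart$' | sed 's/^/missing +s: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Start a command (for example /path/to/ctgstart) in a separate address space.
# The one-shot "_BPX_SHAREAS=NO cmd" assignment is exported only to that
# command, so the calling shell keeps its own setting.
run_in_clean_address_space() {
    [ $# -gt 0 ] || { echo "usage: run_in_clean_address_space cmd [args...]" >&2; return 2; }
    _BPX_SHAREAS=NO "$@"
}

# Constructed "ls -E" output: libctgecis.so lacks +p and ctgstart lacks +s.
SAMPLE_LISTING='total 96
-rwxr-xr-x  -p--  1 CTGUSER  CTGGRP  1234567 Nov 19 2013 libctgjni.so
-rwxr-xr-x  ----  1 CTGUSER  CTGGRP   234567 Nov 19 2013 libctgecis.so
-rwxr-xr-x  -p--  1 CTGUSER  CTGGRP    45678 Nov 19 2013 ctgstart'

# On a real system: audit_ctg_bin "$(ls -E "$install_path"/bin)"
# For the sample this prints "missing +p: libctgecis.so" and
# "missing +s: ctgstart", then the remediation hint.
audit_ctg_bin "$SAMPLE_LISTING" ||
    echo 'fix with: extattr +p <install_path>/bin/lib*.so; extattr +ps <install_path>/bin/ctgstart'
```

Run the audit before starting the daemon with AUTH_USERID_PASSWORD set: a single lib*.so without +p is enough to make the Gateway's address space dirty as soon as it is loaded, and the password check then fails even though _BPX_SHAREAS=NO gave the daemon a clean address space to begin with.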

The CICS Transaction Gateway failed to authenticate the user ID and password specified in the ECI call.

If user IDs and passwords are not to be authenticated within the CICS Transaction Gateway, ensure that the variable AUTH_USERID_PASSWORD is not set in the CICS Transaction Gateway STDENV file or in the shell environment.

The JAVA_PROPAGATE environment variable has not been set for a CICS Transaction Gateway application running in local mode. You must set:
JAVA_PROPAGATE=NO
in the environment under which the application runs.

If the environment variable is not set, z/OS traces show a pthread_security_np call with the CREATE_SECURITY_ENV parameter failing with return code 157 (EMVSERR).


Last updated: Tuesday, 19 November 2013


https://ut-ilnx-r4.hursley.ibm.com/tgzos_latest/help/topic/com.ibm.cics.tg.zos.doc//ctgzos/racfprobs_2.html