I am trying to protect the use of the $GD command. I receive messages ACF01097 and $HASP690 COMMAND REJECTED - AUTHORIZATION FAILURE. What is needed to set this up?

Document ID:  TEC1218585
Last Modified Date:  08/09/2017

Products

  • CA ACF2 for z/OS

Releases

  • CA ACF2 for z/OS:Release:15
  • CA ACF2 for z/OS:Release:16

Components

  • CA ACF2 for z/OS:ACF2MS

Question:

I want to protect the use of the $G D command.
I tried to submit the command to another node and it failed with messages 

$HASP690 ACF01097 JOB SUBMITTED ON SYSTEM WITHOUT ACF2 AND NO DEFAULT LOGONID
$HASP690 COMMAND REJECTED - AUTHORIZATION FAILURE

What validations occur to control who can issue the command?

Answer:

The format of the command in its simplest form is

$GDnnnn,'<jobname>' 

Where nnnn is the jes node name and <jobname> is the name of the job that you want information about.

(Further details can be found in the IBM z/OS JES2 Commands manual.)

The validations that occur are all in the OPERCMDS resource class.

There is one validation on the sending node, for resource JES2.GDISPLAY.JOB, which is validated against the submitter of the command.

The RACROUTE request looks like this:

RACROUTE REQUEST=AUTH,REQSTOR='SRICCMDA',SUBSYS='JES2z201',
          CLASS='OPERCMDS',RELEASE=1.9,STATUS=NONE,ATTR=READ,DSTYPE=N,
          DECOUPL=YES,ENTITY=('JES2.GDISPLAY.JOB'),FILESEQ=0,
          GENERIC=ASIS,LOG=ASIS,LOGSTR='$GDnnnn,'<jobname>'',MSGRTRN=YES,
          MSGSP=236,MSGSUPP=YES,TAPELBL=STD,UTOKEN=,WORKA=

On the executing node there will be another validation for OPERCMDS resource JES2.DISPLAY.JOB.

RACROUTE REQUEST=AUTH,REQSTOR='SRICCMDA',SUBSYS='JES2z201',
         CLASS='OPERCMDS',RELEASE=1.9,STATUS=NONE,ATTR=READ,DSTYPE=N,
         DECOUPL=YES,ENTITY=('JES2.DISPLAY.JOB'),FILESEQ=0,
         GENERIC=ASIS,LOG=ASIS,
         LOGSTR='SSI FORMATTED COMMAND - $D'<jobname>'',MSGRTRN=YES,
         MSGSP=236,MSGSUPP=YES,TAPELBL=STD,UTOKEN=,WORKA=

This validation is made against a logonid matching the node name of the sending system.
If no such logonid exists, the validation is made against the NJE default logonid.
If that does not exist either, the local system default logonid is used.

If there is no logonid available for the validation, the request will fail with the following messages:

$HASP690 ACF01097 JOB SUBMITTED ON SYSTEM WITHOUT ACF2 AND NO DEFAULT LOGONID
$HASP690 COMMAND REJECTED - AUTHORIZATION FAILURE

Additional Information:

As the validations are only against resource class OPERCMDS, if you are not validating this class, there will be no protection.
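
The validation flow described in the answer, modelled as an added Python example (it is not CA ACF2 code and not part of the original document). Node names, logonids and the rule table are constructed, and both nodes are assumed to validate the OPERCMDS class.

```python
# Model of the two OPERCMDS checks made for $GDnnnn,'<jobname>' (not ACF2 code).
# Assumptions: constructed names and rules; both nodes validate OPERCMDS.
from dataclasses import dataclass, field
from typing import Optional

NO_LOGONID_MSGS = [
    "$HASP690 ACF01097 JOB SUBMITTED ON SYSTEM WITHOUT ACF2 AND NO DEFAULT LOGONID",
    "$HASP690 COMMAND REJECTED - AUTHORIZATION FAILURE",
]

@dataclass
class Node:
    name: str
    logonids: set = field(default_factory=set)    # logonids defined on this node
    read_rules: set = field(default_factory=set)  # (logonid, resource) allowed READ
    nje_default: Optional[str] = None             # NJE default logonid, if any
    system_default: Optional[str] = None          # local system default logonid

    def can_read(self, logonid, resource):
        return (logonid, resource) in self.read_rules

def resolve_logonid(executing, sending_name):
    """Order from the answer: sending node name, NJE default, system default."""
    for candidate in (sending_name, executing.nje_default, executing.system_default):
        if candidate is not None and candidate in executing.logonids:
            return candidate
    return None

def issue_gd(sending, submitter, executing):
    """Return (allowed, node_that_decided, logonid_checked, messages)."""
    # Check 1, sending node: the submitter against JES2.GDISPLAY.JOB.
    if not sending.can_read(submitter, "JES2.GDISPLAY.JOB"):
        return (False, "sending", submitter, [])
    # Check 2, executing node: the resolved logonid against JES2.DISPLAY.JOB.
    logonid = resolve_logonid(executing, sending.name)
    if logonid is None:
        return (False, "executing", None, list(NO_LOGONID_MSGS))
    if not executing.can_read(logonid, "JES2.DISPLAY.JOB"):
        return (False, "executing", logonid, [])
    return (True, "executing", logonid, [])

if __name__ == "__main__":
    nodea = Node("NODEA", read_rules={("OPER1", "JES2.GDISPLAY.JOB")})
    nodeb = Node("NODEB")  # no NODEA logonid and no default logonids defined
    print(issue_gd(nodea, "OPER1", nodeb))  # reproduces the ACF01097 case
```

Note that once a logonid named after the sending node exists on the executing node, it is the one checked, so the JES2.DISPLAY.JOB rule has to permit that logonid and not the default one.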
