Skip to Content
Information
Space announcement This documentation space provides the same content as before, but the organization of the content has changed. The content is now organized based on logical branches instead of legacy book titles. We hope that the new structure will help you quickly find the content that you need.

Enabling RACROUTE under ACF2 and Top Secret

The Abend-AID Viewer issues standard RACROUTE calls, so it can interface with any external security package using standard SAF functions. For RACF, no special user action is required to ensure that RACROUTE calls can be issued. However, if you are using either ACF2 or Top Secret, ensure that RACROUTE is enabled for the Abend-AID Viewer by following the appropriate instructions below.

Enabling RACROUTE under ACF2

To enable RACROUTE under ACF2, write the rules appropriate to your release of ACF2.

ACF2 Release 6.0 and More Current

ACF2 release 6.0 and more current require SAFDEFs to enable the Abend-AID Viewer to use the SAF security application programming interface (API). The SAFDEFs are required because ACF2 performs additional security checking above and beyond that documented as being needed by IBM. Failure to define these SAFDEFs can result in the Abend-AID Viewer, BDCAS, or TDCAS failing with S047 abend codes. The SAFDEFs provided below are examples that you many need to tailor for your site’s installation.

When the prefix in the JOBNAME parameter is the same for the viewing server, the specific rules you should write are as follows:

 SAFDEF.aavwr1 JOBNAME(aa-) PROGRAM(FDB-) MODE(GLOBAL) -
                RACROUTE(REQUEST=AUTH)  

   SAFDEF.aavwr2 JOBNAME(aa-) PROGRAM(FDB-) MODE(GLOBAL) -
                RACROUTE(REQUEST=VERIFY)

In the above rules, aavwr is a unique qualifier, used to ensure that the rule keys are unique. The aa- specified in the JOBNAME parameter is the prefix of the Abend-AID viewing server jobs. The MODE parameter requires a valid SAF option.

If your Abend-AID/Abend-AID for CICS BDCAS/TDCAS jobs has the same job name prefix as your viewing server jobs, then use the following SAFDEF in place of the aavwr1 SAFDEF shown above:

   SAFDEF.aavwr1 JOBNAME(aa-) PROGRAM(FDB-) MODE(GLOBAL) NOAPFCHK-
                RACROUTE(REQUEST=AUTH)  

If your Abend-AID/Abend-AID for CICS BDCAS/TDCAS jobs has a different prefix than your viewing server jobs, then an additional SAFDEF is required for your BDCAS/TDCAS job, as follows:

   SAFDEF.aavwr3 JOBNAME(bdc-) PROGRAM(FDB-) MODE(GLOBAL) NOAPFCHK-
                RACROUTE(REQUEST=AUTH,CLASS=DATASET,STATUS=ACCESS)
   SAFDEF.aavwr4 JOBNAME(tdc-) PROGRAM(FDB-) MODE(GLOBAL) NOAPFCHK-
                RACROUTE(REQUEST=AUTH,CLASS=DATASET,STATUS=ACCESS) 

In the above rules, bdc-/tdc- in the JOBNAME parameter is the prefix of the Abend-AID/Abend-AID for CICS BDCAS/TDCAS jobs. The NOAPFCHK and RACROUTE parameters are restrictive settings, but will allow the BDCAS/TDCAS to issue a STATUS=ACCESS request. Because the Abend-AID viewing server requires less restrictive settings, do not use this RACROUTE setting for the viewing server JOBNAME prefix.

Some installations have also found the need to define the following SAFDEF:

If the viewing server gives Dataset not found messages but ACF2 messages in the JESMSGLG show that the users do not have access to them, then define this SAFDEF. This SAFDEF permits the Abend-AID Viewer to correctly determine if the users should be permitted to the use the data sets.

ACF2 release 5.2 and less current

ACF2 release 5.2 and less current require SAFPROT rules to enable the Abend-AID Viewer to use the SAF security API. The specific rules you should write are shown below. In the examples, aavwr is a unique qualifier, used to ensure that the rule keys are unique.

 SYS1 / SAFPROT.aavwr CLASSES(-) CNTLPTS(FDB-) SUBSYS(FDB-)

As an alternative, you can write the following rules:

   SYS1 / SAFPROT.aavwr1 CLASSES(VERIFY) CNTLPTS(FDB-) SUBSYS(FDB-)
   SYS1 / SAFPROT.aavwr2 CLASSES(DATASET) CNTLPTS(FDB-) SUBSYS(FDB-)
Warning

If you choose the alternative method from the two methods shown above, you need to write a third SAFPROT rule if both of the following are true:

  • You are restricting access to Abend-AID Viewer functions, as described in Controlling User Access to Specific Functions.
  • You specify something other than the default value, DATASET, for the EXTERNAL_SECURITY_RESOURCE_CLASS viewing server configuration parameter, as described in the Advanced-configuration.

Enabling RACROUTE under Top Secret

If you use Top Secret, define the viewing server’s user ID as a multi-user facility.



 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC AMI DevX Abend-AID 17.02