Security error due to RACF problem

An ECI_ERR_SECURITY_ERROR -27 can occur if RACF® program control is not active for the CICS® Transaction Gateway load library.

Symptom

An ECI_ERR_SECURITY_ERROR -27 security error occurs.

Probable cause

RACF program control is not active for the CICS Transaction Gateway load library SCTGLOAD and the CICS Transaction Server for IBM® z/OS® SDFHEXCI load library. Program control must be active for both libraries: if either is not defined to the RACF PROGRAM class, the address space that loads modules from it is not program controlled, and the security calls made by the Gateway daemon fail.

Action

Activate RACF program control:
SETROPTS CLASSACT(PROGRAM)
RDEFINE PROGRAM * UACC(READ)
SETROPTS WHEN(PROGRAM)
To add the CICS library when program control is active:
RALTER PROGRAM * ADDMEM('hlq.SDFHEXCI'/volser/NOPADCHK)
SETROPTS WHEN(PROGRAM) REFRESH
To add the CICS Transaction Gateway library when program control is active:
RALTER PROGRAM * ADDMEM('hlq.SCTGLOAD'/volser/NOPADCHK)
SETROPTS WHEN(PROGRAM) REFRESH

Additional information

Security errors can also be caused by:
  • Extended attribute settings are incorrect for certain zFS files.

    Extended attributes for the zFS files in the <install_path>/bin directory are set during the SMP/E installation process. If they are subsequently modified, the files are no longer program controlled and the Gateway daemon cannot run in a program-controlled address space. Use the ls -E command from the USS shell command line to verify that the extended attributes are still set correctly.

    The following extattr commands mark the load modules used by the CICS Transaction Gateway as program controlled. Issue commands similar to the following from an OMVS shell or a Telnet session:
    extattr +p <install_path>/bin/lib*.so
    extattr +ps <install_path>/bin/ctgstart
    The Java SDK must also be program controlled. By default, the SDK is installed as program controlled. If necessary, issue the following command:
    extattr +p javapath/bin/*
    For 31-bit Java, also issue these commands:
    extattr +p javapath/lib/s390/*
    extattr +p javapath/lib/s390/j9vm/*
    extattr +p javapath/lib/s390/default/*
    For 64-bit Java, also issue these commands:
    extattr +p javapath/lib/s390x/*
    extattr +p javapath/lib/s390x/j9vm/*
    extattr +p javapath/lib/s390x/default/*
    extattr +p javapath/lib/s390x/compressedrefs/*
    where javapath is the location of the JVM. For further information, see Configuring for client certificate mapping.

  • Running ctgstart from the USS command line with AUTH_USERID_PASSWORD set.

    To perform the necessary security calls to verify passwords, the Gateway daemon must run in a program controlled address space. Under the USS shell, the first non-program controlled program that runs (for example ls) makes that particular USS address space "dirty", and unable to subsequently run program controlled code.

    Therefore, if you intend to run the Gateway daemon by executing the ctgstart script directly from a USS shell, set the environment variable _BPX_SHAREAS to NO. This ensures that the Gateway daemon runs in its own "clean" address space rather than in the address space of the shell that started it.

    Note: This is in direct contrast to the setting of _BPX_SHAREAS used when executing the Gateway daemon via CTGBATCH.
  • The CICS Transaction Gateway failed to authenticate the user ID and password specified in the ECI call.

    If user IDs and passwords are not to be authenticated within the CICS Transaction Gateway, ensure that the variable AUTH_USERID_PASSWORD is not set in the CICS Transaction Gateway STDENV file or in the shell environment.

  • The JAVA_PROPAGATE environment variable has not been set for a CICS Transaction Gateway application running in local mode.
    You must set:
    JAVA_PROPAGATE=NO
    in the environment under which the application runs.

    If the environment variable is not set, IBM z/OS traces show that a pthread_security_np call with the CREATE_SECURITY_ENV parameter has failed with a 157 (EMVSERR) return code.
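The following POSIX shell script is an added pre-flight check covering the zFS extended-attribute item and the two environment-variable items above. It is example code written for this page, not part of the CICS Transaction Gateway product. It assumes the ls -E attribute field is the four-character column after the permission bits with the letters a (APF authorized), p (program controlled), s (shared address space) and l (shared library), and '-' for unset; the sample listing and its file names are constructed for illustration, and the mode names `daemon` and `local` passed to check_env are chosen here. Verify the column layout against your own ls -E output before relying on it.

```shell
#!/bin/sh
# Added pre-flight check for the CICS TG security-error causes listed above.
# Example code written for this page, not part of the CICS Transaction Gateway.

# Constructed `ls -E` output for an <install_path>/bin directory. The second
# column is assumed to be the z/OS extended-attribute field: a=APF authorized,
# p=program controlled, s=shared address space, l=shared library, '-'=unset.
# File names are illustrative only.
SAMPLE_LISTING='total 24
-rwxr-xr-x  -p--  1 CTGUSER  SYS1   8237056 Mar 12 10:41 libctga.so
-rwxr-xr-x  -ps-  1 CTGUSER  SYS1      2204 Mar 12 10:41 ctgstart
-rwxr-xr-x  ----  1 CTGUSER  SYS1   1105920 Mar 12 10:41 libctgb.so'

# Read an `ls -E` listing from stdin and print, one per line, the names of
# regular files whose attribute field lacks any of the letters in $1
# (default "p"). Use "ps" for files that must also be +s, such as ctgstart.
# Assumes file names contain no whitespace or glob characters.
find_missing_extattr() {
    want=${1:-p}
    while IFS= read -r line; do
        case "$line" in
            total*|d*|'') continue ;;   # skip totals, directories, blank lines
        esac
        set -- $line                    # word-split the line: $2 = attribute field
        attrs=$2
        eval "name=\${$#}"              # last field = file name
        missing=0
        rest=$want
        while [ -n "$rest" ]; do
            letter=${rest%"${rest#?}"}  # first character of $rest
            rest=${rest#?}
            case "$attrs" in
                *"$letter"*) ;;
                *) missing=1 ;;
            esac
        done
        if [ "$missing" -eq 1 ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Check the current environment against the two environment-variable causes
# above. Mode "daemon": ctgstart run from a shell with AUTH_USERID_PASSWORD
# set requires _BPX_SHAREAS=NO. Mode "local": a local-mode application
# requires JAVA_PROPAGATE=NO. Prints one finding per line; returns 1 if any.
check_env() {
    rc=0
    case "$1" in
        daemon)
            if [ -n "${AUTH_USERID_PASSWORD:-}" ] && [ "${_BPX_SHAREAS:-}" != NO ]; then
                echo "AUTH_USERID_PASSWORD is set but _BPX_SHAREAS is not NO:" \
                     "the Gateway daemon would inherit the shell's dirty address space"
                rc=1
            fi ;;
        local)
            if [ "${JAVA_PROPAGATE:-}" != NO ]; then
                echo "local mode requires JAVA_PROPAGATE=NO" \
                     "(otherwise pthread_security_np fails with EMVSERR)"
                rc=1
            fi ;;
        *)
            echo "usage: check_env daemon|local" >&2
            rc=2 ;;
    esac
    return $rc
}

# Stand-alone demonstration: files lacking +p in the sample listing, files
# lacking +p and +s, then the current shell checked as a daemon launcher.
echo "missing +p:";  printf '%s\n' "$SAMPLE_LISTING" | find_missing_extattr p
echo "missing +ps:"; printf '%s\n' "$SAMPLE_LISTING" | find_missing_extattr ps
check_env daemon || :
```

On a real system, replace the constructed listing with `ls -E <install_path>/bin | find_missing_extattr p` (and `ls -E <install_path>/bin/ctgstart | find_missing_extattr ps`), and run `check_env daemon` from the same shell and environment you intend to start ctgstart from, since _BPX_SHAREAS must be set in that shell before the script is executed.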