PassTicket - Access not authorized (8/8/16)
Message
ACF04056 ACCESS TO RESOURCE IRRPTAUTH.FEKAPPL.userid TYPE
RPTK BY userid NOT AUTHORIZED
ERROR class com.ibm.etools.zos.server.ZosClient: (R_ticketserv)
SafRc=8, racfRc=8 racfRsn=16 at com.ibm.eserver.zos.racf.IRRPassTicket.generateExplanation
Any command can cause this PassTicket generation error with ACF2 or Top Secret. The initial report was for JESMiner, but the problem may still exist for other Developer for z/OS® host code.
The JESMiner thread runs continuously until the client disconnects from the RSE Server. The thread generates a PassTicket at the time of the CONNECT request. When the same thread tries to generate a PassTicket again (for example, for a reconnect), ACF2/TSS issues the error message "Access not authorized" for the PassTicket function. This happens because ACF2/TSS changes the effective ID to the client ID after thread-level security is established for the client. RACF®, on the other hand, does not change the effective ID even if thread-level security is changed for the client. As a result, RACF always generates the PassTicket under the authority of the started task ID, but ACF2/TSS tries to generate the PassTicket under the authority of the client ID after thread-level security is established. The client ID does not have any authority to generate a PassTicket, so SafRc=8, racfRc=8, racfRsn=16 (the codes for "no authority") are issued.
The following Developer for z/OS fix resolves the ACF2/TSS-specific problem:
- Version 7.6.2.1 APAR PM23923, Version 8.0.1.0 GA.
In another occurrence, a change made in Developer for z/OS Version 8.0.1 resulted in two pthread_security_np() calls in a single thread. Because of the effective ID switching done by ACF2/TSS, the second call fails with return codes 8/8/16.
The following Developer for z/OS fix resolves this ACF2/TSS-specific problem:
- Version 8.0.2.0 APAR PM29925.
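The following Python triage script is an added example, not part of Developer for z/OS or of the original note. It reads the two messages shown above and checks whether the denied request ran under the started task ID or under another ID, which is the signature of the effective ID switch described here. The function name, the verdict labels, the user IDs DEVUSR1 and STCRSE, and the assumption that both messages are available in one text are constructed for illustration.

```python
import re

# Patterns follow the two messages quoted on this page.
ACF_MSG = re.compile(r"ACF04056 ACCESS TO RESOURCE (IRRPTAUTH\.\w+\.(\S+)) TYPE "
                     r"RPTK BY (\S+) NOT AUTHORIZED")
SAF_MSG = re.compile(r"\(R_ticketserv\) SafRc=(\d+),? racfRc=(\d+),? racfRsn=(\d+)")
NO_AUTHORITY = (8, 8, 16)  # SafRc / racfRc / racfRsn, as stated on this page


def triage(log_text, started_task_id):
    """Classify PassTicket denials found in log_text.

    started_task_id: user ID of the RSE started task (caller-supplied).
    """
    text = " ".join(log_text.split())  # undo line wrapping inside messages
    codes = {tuple(int(c) for c in m.groups()) for m in SAF_MSG.finditer(text)}
    findings = []
    for m in ACF_MSG.finditer(text):
        resource, target, requester = m.groups()
        if requester.upper() == started_task_id.upper():
            # Denied while still running as the started task: not the
            # effective-ID case described on this page.
            verdict = "started-task-denied"
        else:
            # Request ran under another ID (the client), which matches the
            # ACF2/TSS effective-ID switch described on this page.
            verdict = "effective-id-switched"
        findings.append({"resource": resource, "target": target,
                         "requester": requester, "verdict": verdict,
                         "no_authority_codes": NO_AUTHORITY in codes})
    return findings


# Constructed sample: DEVUSR1 (client) and STCRSE (started task) are made up.
SAMPLE = """\
ACF04056 ACCESS TO RESOURCE IRRPTAUTH.FEKAPPL.DEVUSR1 TYPE
RPTK BY DEVUSR1 NOT AUTHORIZED
ERROR class com.ibm.etools.zos.server.ZosClient: (R_ticketserv)
SafRc=8, racfRc=8 racfRsn=16 at com.ibm.eserver.zos.racf.IRRPassTicket.generateExplanation
"""

if __name__ == "__main__":
    for f in triage(SAMPLE, "STCRSE"):
        print(f)
```

A verdict of "effective-id-switched" points to the fixes listed above; "started-task-denied" is a different situation that this note does not cover.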
Additional information
None.