CA ACF CA RS 1404 Service List

Transcription

1 CA ACF CA RS 1404 Service List Description Hiper 15.0 RO62960 EXPIRED CERTIFICATE MESSAGES MISSING AT MIDNIGHT RO64759 UNIX FILES WITH NO EXECUTE PERMISSIONS MISHANDLED RO65121 USERS GETTING ACF6C004 CHANGE COMMAND FROM A MUSASS RO65139 MMS COMPILE GETS CNLC145W FOR ACF68073 & ACF68076 RO65150 ABEND S0C4-38 IN SAFOEOTS OR SDC2 IN ACF0AENT RO65259 PSWD HISTORY & PHRASES NOT SYNCED TO Z/VM RO65284 ALLOW SEV PASSWORD CHANGES TO BE EXCLUDED FROM CPF RO65304 NO CASECAUT FOR CICS/ACFM CP ACF COMMANDS RO65305 NO CASECAUT FOR CICS/ACFM CP ACF COMMANDS RO65322 CICS: ACFAE751 ACFAESAF UNABLE TO LOCATE SRT RO65357 BPX.DEFAULT.USER TRACE NOT ENABLED AT STARTUP RO65592 ADD NEW FIELDS TO GSO UNIXOPTS PANEL RO65772 ABEND S0C4 IN SAFOESMF ON A INIT_USP CALL RO65813 ACCESS SUBCOMMAND - ADD SUPPORT FOR MASKED ROLES RO65876 CICS: ACFAE763 DUMP: DUPLICATE ACEE FOUND FOR DELETE RO65979 ADD TASID FIELDS TO RCVT RO66172 CICS: AZTS/OTHER ABEND W/EXIT AND CONCURRENCY(REQUIRED) RO66603 CHANGE ACFESAGE MSG FROM ACF3014E TO ACFE014E RO66836 NULL PASSWORD VERIFY CREATE PASSCHK=YES BYPASSED RO67467 CICS: XCMD VALIDATION FOR JESSPOOL ON INQUIRE TEMPSTORAGE RO67560 CICS: REGION HANG/LOOP ON FOR_USERID XSRC CALLS **HIPER** RO67587 CHKCERT OUTPUT DIFFERS AFTER RO61513 RO67765 ACFRPTXR WAIT/HANG ACF4DLDS OFFSET X'28E' RO67897 ACFRPTOM R_CHOWN EVENT UID INCORRECT RO68280 INITUSP FOR IOSAS FAILS DURING IPL RO68723 ERRORS IN ACFESAGE FLAT FILE FOR 0630 RECORDS The CA RS 1404 service count for this release is 26

2 CA ACF CA RS 1404 Service List Description Hiper 14.0 NO-SRVC CA RS 1404 Contains No Service For This Release of This Product. The CA RS 1404 service count for this release is 0

3 CA ACF2 3 CA RS 1404 Service List for CAX1F00 FMID Service Description Hiper CAX1F00 RO62960 EXPIRED CERTIFICATE MESSAGES MISSING AT MIDNIGHT RO64759 UNIX FILES WITH NO EXECUTE PERMISSIONS MISHANDLED RO65121 USERS GETTING ACF6C004 CHANGE COMMAND FROM A MUSASS RO65139 MMS COMPILE GETS CNLC145W FOR ACF68073 & ACF68076 RO65150 ABEND S0C4-38 IN SAFOEOTS OR SDC2 IN ACF0AENT RO65259 PSWD HISTORY & PHRASES NOT SYNCED TO Z/VM RO65284 ALLOW SEV PASSWORD CHANGES TO BE EXCLUDED FROM CPF RO65304 NO CASECAUT FOR CICS/ACFM CP ACF COMMANDS RO65357 BPX.DEFAULT.USER TRACE NOT ENABLED AT STARTUP RO65592 ADD NEW FIELDS TO GSO UNIXOPTS PANEL RO65772 ABEND S0C4 IN SAFOESMF ON A INIT_USP CALL RO65813 ACCESS SUBCOMMAND - ADD SUPPORT FOR MASKED ROLES RO65979 ADD TASID FIELDS TO RCVT RO66603 CHANGE ACFESAGE MSG FROM ACF3014E TO ACFE014E RO66836 NULL PASSWORD VERIFY CREATE PASSCHK=YES BYPASSED RO67587 CHKCERT OUTPUT DIFFERS AFTER RO61513 RO67765 ACFRPTXR WAIT/HANG ACF4DLDS OFFSET X'28E' RO67897 ACFRPTOM R_CHOWN EVENT UID INCORRECT RO68280 INITUSP FOR IOSAS FAILS DURING IPL RO68723 ERRORS IN ACFESAGE FLAT FILE FOR 0630 RECORDS The CA RS 1404 service count for this FMID is 20

4 CA ACF2 4 CA RS 1404 Service List for CAX1F03 FMID Service Description Hiper CAX1F03 RO65305 NO CASECAUT FOR CICS/ACFM CP ACF COMMANDS RO65322 CICS: ACFAE751 ACFAESAF UNABLE TO LOCATE SRT RO65876 CICS: ACFAE763 DUMP: DUPLICATE ACEE FOUND FOR DELETE RO66172 CICS: AZTS/OTHER ABEND W/EXIT AND CONCURRENCY(REQUIRED) RO67467 CICS: XCMD VALIDATION FOR JESSPOOL ON INQUIRE TEMPSTORAGE RO67560 CICS: REGION HANG/LOOP ON FOR_USERID XSRC CALLS **HIPER** The CA RS 1404 service count for this FMID is 6

5 CA ACF CA RS PTF RO RO62960 RO62960 M.C.S. ENTRIES = ++PTF (RO62960) EXPIRED CERTIFICATE MESSAGES MISSING AT MIDNIGHT Messages ACF79464 and ACF79468 pertaining to certificate expiration do not get displayed at midnight if no SHIFT records exist. Messages pertaining to certificate expiration are not displayed at midnight. ACF2 administrators may not be aware that certificates are about to expire or have already expired. Insert a SHIFT record PRODUCT(S) AFFECTED: CA-ACF2-MVS Release 14.0 Release 15.0 ACF2MS 9558 Copyright (C) 2013 CA. All rights reserved. R00978-ACF150-SP1 DESC(EXPIRED CERTIFICATE MESSAGES MISSING AT MIDNIGHT). PRE ( RO54831 RO62039 ) SUP ( TR62960 ) ++HOLD (RO62960) SYSTEM FMID(CAX1F00) REASON (ACTION ) DATE (13259) Product: CA-ACF2-MVS Release 15.0 Sequence: After Apply Purpose: Activate change without IPL Relevance: All users Knowledge required: Operator commands Access required: z/os Operator console Steps to Perform: 1. LLA Refresh 2. Restart ACF2

6 CA ACF CA RS PTF RO RO64759 RO64759 M.C.S. ENTRIES = ++PTF (RO64759) UNIX FILES WITH NO EXECUTE PERMISSIONS MISHANDLED The ck_access service (IRRSKA00) mishandles calls for Unix files that have no execute permissions. If the requested access is execute and the user has UID 0, the access attempt should fail. Under some situations the ck_access processing issues an erroneous FASTAUTH call against the SUPERUSER.FILESYS FACILITY and allows such files to be executed if the FASTAUTH call succeeds. A Unix file can be successfully executed when the file permission bits would ordinarily cause a "FSUM9209 cannot execute" condition for a user with UID 0. Execution of a Unix file proceeds without error when the file permission bits should prevent execution by a UID 0 user. None PRODUCT(S) AFFECTED: CA ACF2 Release 14.0 CA ACF2 Release 15.0 ACF2MS 9451 Copyright (C) 2013 CA. All rights reserved. R00993-ACF150-SP1 DESC(UNIX FILES WITH NO EXECUTE PERMISSIONS MISHANDLED). PRE ( RO35100 RO35876 RO36913 RO45571 RO54826 RO55702 RO60391 RO62767 ) SUP ( BR35100 RO40627 RO61796 RO64671 TR40627 TR52983 TR60950 TR61796 TR64314 TR64553 TR64671 TR64759 ) ++HOLD (RO64759) SYSTEM FMID(CAX1F00) REASON (DYNACT ) DATE (13326) PURPOSE Activate change without IPL KNOWLEDGE Operator commands ACCESS z/os Operator console 1. LLA Refresh 2. Execute console command 'F ACF2,NEWMOD(ACF00SVA)' 3. Execute console command 'F ACF2,NEWMOD(SAFOEDRV)'

7 CA ACF CA RS PTF RO RO65121 RO65121 M.C.S. ENTRIES = ++PTF (RO65121) USERS GETTING ACF6C004 CHANGE COMMAND FROM A MUSASS If the CA ACF2 for z/os command processor, ACFCMD, is invoked from within a MUSASS under ACF2 r15.0, the caller may incorrectly get the ACF6C004 message instead of the listing of the logonid that was updated. To date, the problem has manifested only in LDAP sites. ÝLDAP: error code 80 - LDP0406E ACF2 error modifying lid(acf6c004 LOGONID YOIM109 CHANGED) None, the change command worked. Do not attempt to invoke the ACF2 command processor from a MUSASS under ACF2 r15.0 until the fix has been installed. PRODUCT(S) AFFECTED: CA-ACF2-MVS Release 15.0 ACF2MS 9547 Copyright (C) 2013 CA. All rights reserved. R00996-ACF150-SP1 DESC(USERS GETTING ACF6C004 CHANGE COMMAND FROM A MUSASS). PRE ( RO60393 ) SUP ( TR47323 RO47323 TR65121 ) ++HOLD (RO65121) SYSTEM FMID(CAX1F00) REASON (DYNACT ) DATE (13326) PURPOSE Activate change without IPL KNOWLEDGE Operator commands ACCESS z/os Operator console 1. LLA Refresh

8 CA ACF CA RS PTF RO RO65139 RO65139 M.C.S. ENTRIES = ++PTF (RO65139) MMS COMPILE GETS CNLC145W FOR ACF68073 & ACF68076 When assembling the National Language support, the ACF60MSF member gets CNLC145W for messages ACF68073 & ACF68076 after RO62039 is applied. The CNLC174E messages appears for ACF79482 & ACF This is caused by the same message number being used for different messages within ACF79CFS, ACF79MAS, and ACF79REF. The correction for this is to change the ACF79482/ACF79483 messages produced by ACF79CFS, our sysplex code. The new message numbers are ACF79484 and ACF CNLC145W IMBEDDED BLANKS FOUND IN TOKEN,ACF68073, 00725, ACF60MSF, T CNLC145W IMBEDDED BLANKS FOUND IN TOKEN,ACF68076, 00728, ACF60MSF, T CNLC174E MESSAGE KEY IS INCOMPATIBLE WITH A PREVIOUS RECORD, KEY=ACF79482 CNLC174E MESSAGE KEY IS INCOMPATIBLE WITH A PREVIOUS RECORD, KEY=ACF79483 ACF79484 C.F. NO ALTERNATE STRUCTURE DEFINED - SWITCH FAILED ACF79485 C.F. STRUCTURE SWITCH COMPLETE The compile fails. The CAX1MENU dataset can be updated manually. The ACF60MSF member has the following for the messages in error: ACF68073 The SIGNWITH &1 cannot be found. The certificate cannot be renewed using the RENEW command ACF68076 Unsupported &1 algorithm. Cannot &2 the certificate These should be updated to be: ACF68073 The SIGNWITH &1. cannot be found. The certificate cannot be renewed using the RENEW command ACF68076 Unsupported &1. algorithm. Cannot &2. the certificate There is no circumvention for the CNLC174E message. PRODUCT(S) AFFECTED: CA-ACF2-MVS Release 15.0 ACF2MS 9577 Copyright (C) 2013 CA. All rights reserved. R00997-ACF150-SP1 DESC(MMS COMPILE GETS CNLC145W FOR ACF68073 & ACF68076). PRE ( RO35100 RO61513 RO62039 ) SUP ( BC55970 RO64945 TR64945 TR65139 ) ++HOLD (RO65139) SYSTEM FMID(CAX1F00) REASON (DYNACT ) DATE (13364) PURPOSE Activate change without IPL KNOWLEDGE MVS Message Services (MMS) REQUIRED z/os Sysytems commands ACCESS Run-time message library REQUIRED Operator Console

9 CA ACF CA RS PTF RO Follow steps to implement National Language Support. 2. Issue an LLA refresh. 3. Stop and restart ACF2 SYSPLEX processing

10 CA ACF CA RS PTF RO RO65150 RO65150 M.C.S. ENTRIES = ++PTF (RO65150) ABEND S0C4-38 IN SAFOEOTS OR SDC2 IN ACF0AENT There is a possibility of getting an abend S0C4-38 in SAFOEOTS or SDC2 in ACF0AENT when using either AUTOUID or AUTOGID. When the OMVS table is built, we build a main table that contains all of the current GIDs and UIDs. We also create an extension table that will be used to hold any AUTOUIDs or AUTOGIDs created. If the extension table fills up, we will combine the extension table with the main table and then create a new empty extension table. The abend is when we try to get a larger combined table. SVCARECV S0C4 at 232FFAE2 LMOD ACF00SVA CSECT SAFOEOTS A or SVCARECV SDC2 at 017DFCF6 LMOD N/A CSECT N/A +N/A No new GIDs or UIDs can be added to the table until the 'f acf2,omvs' command is done. This means no new UIDs or GIDs can be assigned to an active session. The 'f acf2,omvs' console command can either be used to prevent the abends from happening or cleanup the tables if either abend has occurred. PRODUCT(S) AFFECTED: CA-ACF2-MVS Release 15.0 ACF2MS 9574 Copyright (C) 2013 CA. All rights reserved. R00998-ACF150-SP1 DESC(ABEND S0C4-38 IN SAFOEOTS OR SDC2 IN ACF0AENT). PRE ( RO25852 RO26856 RO42623 RO42626 RO54826 RO61511 RO61513 RO62767 ) SUP ( TR17134 TR34271 TR34561 TR36993 TR36998 TR37278 RO34271 RO34561 RO36998 RO37278 TR36549 TR43056 TR44280 RO44280 TR45951 RO45951 TR57872 TR57882 TR65150 ) ++HOLD (RO65150) SYSTEM FMID(CAX1F00) REASON (DYNACT ) DATE (13326) PURPOSE Activate change without IPL KNOWLEDGE Operator commands ACCESS z/os Operator console 1. LLA Refresh

11 CA ACF CA RS PTF RO F ACF2,NEWMOD(ACF00SVA)

12 CA ACF CA RS PTF RO RO65259 RO65259 M.C.S. ENTRIES = ++PTF (RO65259) PSWD HISTORY & PHRASES NOT SYNCED TO Z/VM With Database Synchronization enabled (to synchronize database changes between z/os and z/vm) some changes to password history records (PUSRPASSWORD) and password phrase records (PUSRPWPHRASE) are not being synchronized from z/os to z/vm. The records are not synchronized if the password (or password phrase) is changed at system entry time. Password phrase changes and password history are not synchronized from z/os to z/vm. Users who change their password phrase on z/os are unable to use the new password phrase on z/vm. Extended password history is not accurate. Change the password (or passphrase) from a security administrator instead of at system entry time. PRODUCT(S) AFFECTED: CA ACF2 Release 15.0 ACF2MS 9580 Copyright (C) 2013 CA. All rights reserved. R01000-ACF150-SP1 DESC(PSWD HISTORY & PHRASES NOT SYNCED TO Z/VM). PRE ( RO36462 RO61511 ) SUP ( TR65259 ) ++HOLD (RO65259) SYSTEM FMID(CAX1F00) REASON (DYNACT ) DATE (13324) PURPOSE Activate change without IPL KNOWLEDGE Operator commands ACCESS z/os Operator console 1. SMP apply 2. LLA Refresh 3. Execute console command 'F ACF2,NEWMOD(ACF00SVA)'

13 CA ACF CA RS PTF RO RO65284 RO65284 M.C.S. ENTRIES = ++PTF (RO65284) ALLOW SEV PASSWORD CHANGES TO BE EXCLUDED FROM CPF Currently we only allow sites to turn on a flag in the ACALT block to have a request bypass CPF. This fix will allow a site to turn on a flag in the ACVALD block to bypass a password change at SEV time from going thru CPF. The new flag is: ACVXFLG3 DS X Extended flag byte 3 ACVX3NCP EQU X'04' Skip CPF for password change TA9581B A site cannot control if a SEV request should bypass CPF. None None PRODUCT(S) AFFECTED: CA-ACF2-MVS Release 15.0 ACF2MS 9581 Copyright (C) 2013 CA. All rights reserved. R01002-ACF150-SP1 DESC(ALLOW SEV PASSWORD CHANGES TO BE EXCLUDED FROM CPF). PRE ( RO54833 RO60393 ) SUP ( TR65284 ) ++HOLD (RO65284) SYSTEM FMID(CAX1F00) REASON (DYNACT ) DATE (13326) PURPOSE Activate change without IPL KNOWLEDGE Operator commands ACCESS z/os Operator console 1. SMP apply 2. LLA Refresh 3. Execute console command 'F ACF2,NEWMOD(ACF00SVA)' ***NOTE*** Any sites that will be using the new bit setting with R15 need to reassemble their code with the new ACVALD macro.

14 CA ACF CA RS PTF RO RO65304 RO65304 M.C.S. ENTRIES = ++PTF (RO65304) NO CASECAUT FOR CICS/ACFM CP ACF COMMANDS CA ACF2 added support in R15 to allow a non-privileged user the ability to administer certain fields in the logonid. This was done for the TSO/E and batch environments. This support will add the capability for a user to do updates to logonids from CICS. A user cannot be given update access to a field through CASECAUT support from a CICS region. Cannot update fields that were given to a user through the CASECAUT support. None PRODUCT(S) AFFECTED: CA-ACF2-MVS Release 15.0 ACF2MS 9572 Copyright (C) 2014 CA. All rights reserved. R01003-ACF150-SP1 DESC(NO CASECAUT FOR CICS/ACFM CP ACF COMMANDS). PRE ( RO18636 RO60393 ) SUP ( RO47323 RO64337 RO65121 TR47323 TR64337 TR65121 TR65304 ) ++IF FMID(CAX1F03) REQ( RO65305). ++HOLD (RO65304) SYSTEM FMID(CAX1F00) REASON (DYNACT ) DATE (14009) PURPOSE Activate change without IPL KNOWLEDGE Operator commands ACCESS z/os Operator console 1. LLA Refresh 2. Execute console command 'F ACF2,NEWMOD(ACF00SVA)'

15 CA ACF CA RS PTF RO RO65305 RO65305 M.C.S. ENTRIES = ++PTF (RO65305) NO CASECAUT FOR CICS/ACFM CP ACF COMMANDS CA ACF2 added support in R15 to allow a non-privileged user the ability to administer certain fields in the logonid. This was done for the TSO/E and batch environments. This support will add the capability for a user to do updates to logonids from CICS. A user cannot be given update access to a field through CASECAUT support from a CICS region. Cannot update fields that were given to a user through the CASECAUT support. None PRODUCT(S) AFFECTED: CA-ACF2-MVS Release 15.0 ACF2MS 9572 Copyright (C) 2014 CA. All rights reserved. R01003-ACF150-SP1 DESC(NO CASECAUT FOR CICS/ACFM CP ACF COMMANDS). FMID (CAX1F03) PRE ( RO46083 ) SUP ( RO31559 RO49298 RO57232 TR31559 TR49298 TR57232 TR65305 ) ++IF FMID(CAX1F00) REQ( RO65304). ++HOLD (RO65305) SYSTEM FMID(CAX1F03) REASON (DYNACT ) DATE (14009) CA-ACF2-MVS CICS Release 15.0 PURPOSE Put new code into place. KNOWLEDGE SMP/E ACCESS Product libraries REQUIRED CICS region access 1. SMP APPLY the PTF 2. Issue CICS transaction(s): CEMT SET PROG(ACFAECMD) NEWC CEMT SET PROG(ACF6CLID) NEWC

16 CA ACF CA RS PTF RO RO65322 RO65322 M.C.S. ENTRIES = ++PTF (RO65322) CICS: ACFAE751 ACFAESAF UNABLE TO LOCATE SRT For Function Shipping/DTP/WEB services that exploit Channels/Containers, MRO FORMAT=ACF2 credential data may not be detected until after the task begins, and not fully registered. This may result in validations performed under the MRO Default LOGONID, and/or message and dump ACFAE751 ACFAESAF UNABLE TO LOCATE SRT due to incomplete registration of the MRO FORMAT=ACF2 credential data if later signon activity it initiated. Message and dump: ACFAE751 ACFAESAF UNABLE TO LOCATE SRT Incorrect LOGONID (MRO default) used for validations. Extraneous diagnostic dumps produced. None. PRODUCTS AFFECTED: CICS/TS Interface for CA ACF2 FOR Z/OS Release 15.0 ACF2MS 9582 CICS STORAGE VIOLATION ON CSMI MIRROR TASK/REMOTE FILE READ A storage violation may occur in a remote CICS region in the CSMI transaction. When using the ACF2 CICS MRO logonid inheritance (MRO TRANSMIT=YES,RECEIVE=YES,FORMAT=ACF2), the inbound function shipping TIOAs may be split by VTAM RU size. This may break the ACF2 CICS data into pieces. The incomplete pieces are not recognized and left alone. A Partial inbound piece combined with residual inbound data in exactly the right location may be interpreted as complete data. When this makeshift area is picked up and cleared, the trailing Storage Accounting Area (SAA) of the CICS storage block will be destroyed. By nature, this problem is sporadic and unpredictable. The following message will appear: DFHSM0102 jjjjj A storage violation (code X'0D05') has been detected by module DFHSMMF. Failure of the CSMI transaction. None. PRODUCTS AFFECTED: CA ACF2 Security for z/os ACF2MS 8803 Copyright (C) 2014 CA. All rights reserved. R01004-ACF150-SP1 DESC(CICS: ACFAE751 ACFAESAF UNABLE TO LOCATE SRT). FMID (CAX1F03) PRE ( RO26405 ) SUP ( AR33238 RO33238 RO38788 TR33238 TR38788 TR65322 ) ++HOLD (RO65322) SYSTEM FMID(CAX1F03) REASON (DYNACT ) DATE (14057) PURPOSE Put new code into place.

17 CA ACF CA RS PTF RO65322 KNOWLEDGE Linklist contents (optional) REQUIRED Console commands ACCESS CICS region access REQUIRED ACFE transaction access 1. Perform an LLA REFRESH (if applicable) 2. Issue CICS transaction(s): ACFE=NEWC=ACFAEXFM

18 CA ACF CA RS PTF RO RO65357 RO65357 M.C.S. ENTRIES = ++PTF (RO65357) BPX.DEFAULT.USER TRACE NOT ENABLED AT STARTUP RO55702 added a feature that allows sites to trace initusp calls that rely on the default OMVS UID and/or GID from BPX.DEFAULT.USER. The intent of RO55702 was that the trace would be enabled via a FACILITY rule with $KEY(TRACE.BPX.DEFAULT.USER) and $USERDATA(TRACE However, even with that rule defined the trace is not properly enabled when ACF2 initializes. This fix replaces the FACILITY TRACE.BPX.DEFAULT.USER toggle mechanism with a new GSO UNIXOPTS record field called TRACEDFT which determines whether the trace is active. Tracing of initusp calls that rely on BPX.DEFAULT.USER does not work. Sites that are attempting to trace usage of BPX.DEFAULT.USER do not get accurate trace data. None PRODUCT(S) AFFECTED: CA-ACF2-MVS Release 15.0 ACF2MS 9579 Copyright (C) 2014 CA. All rights reserved. R01006-ACF150-SP1 DESC(BPX.DEFAULT.USER TRACE NOT ENABLED AT STARTUP). PRE ( RO54826 RO55702 RO60391 RO62767 RO64759 ) SUP ( RO64671 TR64553 TR64671 TR65357 ) ++HOLD (RO65357) SYSTEM FMID(CAX1F00) REASON (DYNACT ) DATE (14015) PURPOSE Activate change without IPL KNOWLEDGE Operator commands ACCESS z/os Operator console 1. LLA Refresh 2. Execute console command 'F ACF2,NEWMOD(ACF00SVA)'

19 CA ACF CA RS PTF RO RO65592 RO65592 M.C.S. ENTRIES = ++PTF (RO65592) ADD NEW FIELDS TO GSO UNIXOPTS PANEL Add new BYP-FSA, DENYEXEC, and TRACEDFT fields to GSO UNIXOPTS panel. BYP-FSA, DENYEXEC, and TRACEDFT missing from GSO UNIXOPTS panel. None. Administer GSO UNIXOPTS record changes using ACF command processor. PRODUCT(S) AFFECTED: CA ACF2 Release 15.0 ACF2MS 9590 Copyright (C) 2014 CA. All rights reserved. R01007-ACF150-SP1 DESC(ADD NEW FIELDS TO GSO UNIXOPTS PANEL). SUP ( TR65592 )

20 CA ACF CA RS PTF RO RO65772 RO65772 M.C.S. ENTRIES = ++PTF (RO65772) ABEND S0C4 IN SAFOESMF ON A INIT_USP CALL There is a possibility of getting an 0c4 abend in SAFOESMF when trying to create an smf record for an INIT_USP call. The call that may abend is one that is done to create a default USP. The IBM Callable Services document for INIT_USP states that there is a service for use by z/os UNIX servers and the MVS BCP where they can do an INIT_USP to get a default USP area built for a critical address space. It is our process to create this default USP that we may abend with an 0c4. We are going beyond the current page of storage we allocated to copy data to the USP. If the page of storage beyond our page of storage is not allocated an 0c4 abend will occur. If the page of storage is allocated no visible problem occurs. CCSR010E SAFOEUSP S0C4 at 25F66B66 LMOD SAFOEDRV CSECT SAFOESMF ACF2 N/A ACF2 The INIT_USP call fails. None PRODUCT(S) AFFECTED: CA-ACF2-MVS Release 15.0 ACF2MS 9586 Copyright (C) 2014 CA. All rights reserved. R01009-ACF150-SP1 DESC(ABEND S0C4 IN SAFOESMF ON A INIT_USP CALL). PRE ( RO55702 ) SUP ( AR29487 RO29487 RO32090 RO49476 TR29482 TR29487 TR32090 TR48778 TR49476 TR65772 ) ++HOLD (RO65772) SYSTEM FMID(CAX1F00) REASON (DYNACT ) DATE (14009) PURPOSE Activate change without IPL KNOWLEDGE Operator commands ACCESS z/os Operator console 1. LLA Refresh 2. F ACF2,NEWMOD(SAFOEDRV)

21 CA ACF CA RS PTF RO RO65813 RO65813 M.C.S. ENTRIES = ++PTF (RO65813) ACCESS SUBCOMMAND - ADD SUPPORT FOR MASKED ROLES - Add support to the ACCESS subcommand for rule lines that use roles that contain masked INCLUDE, and possibly EXCLUDE statements. For example, the rule line is: ABC.- ROLE(TOPDOG) READ(A) And the X(ROL) record called TOPDOG has: INCLUDE(XYZ-,BBB-) EXCLUDE(XYZ12-,BBBBOB) - Fixed erroneous output caused by RO If the ACCESS subcommand specified a DSN that specifically matched a rule entry with UID(*) PREVENT the ACCESS processing continued to interpret subsequent rule lines and display them. This behavior is not consistent with the r14 ACCESS subcommand processing and r15 ACCESS subcommand processing before application of RO ACCESS subcommand did not work correctly when an X(ROL) record had masking in the INCLUDE statements. - With RO54834, if the ACCESS subcommand specified a DSN that specifically matched a rule entry with UID(*) PREVENT the ACCESS processing continued to interpret subsequent rule lines and display them. None None PRODUCT(S) AFFECTED: CA-ACF2-MVS Release 15.0 ACF2MS 9503 Copyright (C) 2014 CA. All rights reserved. R01010-ACF150-SP1 DESC(ACCESS SUBCOMMAND - ADD SUPPORT FOR MASKED ROLES). PRE ( RO20695 RO27471 RO30324 RO33981 RO36462 RO36896 RO41317 RO42279 RO52747 RO54825 RO54827 RO54834 RO54836 RO55652 ) SUP ( RO20617 RO26526 RO29575 RO38007 RO59280 RO62824 RO63238 RO65333 TR20617 TR26132 TR26526 TR29575 TR37157 TR37802 TR38007 TR54581 TR54838 TR59278 TR59280 TR59659 TR62824 TR63238 TR65333 TR65813 ) ++HOLD (RO65813) SYSTEM FMID(CAX1F00) REASON (DYNACT ) DATE (14057) PURPOSE Activate change without IPL KNOWLEDGE Operator commands ACCESS z/os Operator console 1. LLA Refresh

22 CA ACF CA RS PTF RO Restart ACF2

23 CA ACF CA RS PTF RO RO65876 RO65876 M.C.S. ENTRIES = ++PTF (RO65876) CICS: ACFAE763 DUMP: DUPLICATE ACEE FOUND FOR DELETE The CA ACF2 for z/os CICS interface may incorrectly attempt to delete a 'residual' ACEE even though it has been given to CICS during some signon processing. If this occurs, the error is identified by CAKSRINT and a diagnostic dump produced. This has been observed in conjunction with assigment of the MRO default LOGONID in a remote CICS region. SVC Dump produced, titled: ACFAE763 ACF2/CICS CAKSRINT DUPLICATE ACEE FOUND FOR DELETE DIAGNOSTIC DUMP Overhead of dump production None PRODUCTS AFFECTED: CICS/TS Interface for CA ACF2 FOR Z/OS Release 15.0 ACF2MS 9593 Copyright (C) 2014 CA. All rights reserved. R01011-ACF150-SP1 DESC(CICS: ACFAE763 DUMP: DUPLICATE ACEE FOUND FOR DELETE). FMID (CAX1F03) PRE ( RO32495 RO53745 RO54786 RO55435 RO56382 ) SUP ( TR65876 ) ++HOLD (RO65876) SYSTEM FMID(CAX1F03) REASON (DYNACT ) DATE (14028) PURPOSE Enable new code KNOWLEDGE CICS regions in use ACCESS CICS region access REQUIRED ACFE transaction Issue CICS transaction(s): ACFE=NEWC=CAKSSIGN

24 CA ACF CA RS PTF RO RO65979 RO65979 M.C.S. ENTRIES = ++PTF (RO65979) ADD TASID FIELDS TO RCVT TASID is a free tool developed internally within IBM to monitor activity on a z/os system. There is a section of the output of the TASID display that displays some information about the password security This system keeps a history of 0 passwords. Automatic revocation for invalid passwords is not active. Password warning is not in effect Revocation for inactivity is not in effect. RACF program control is not available This fix will update the RCVT to contain the information we can provide for sites with ACF2. The output will be similiar to the following This system keeps a history of 10 passwords. Automatic revocation after 2 invalid logon attempts. Password warning is 1 days before password expires. Revocation for inactivity is not in effect. RACF program control is not available The last 2 items are not part of ACF2. The TASID does not display the ACF2 values for the 3 password related lines of data. None The ACF2 SHOW command can be used to display password related fields. PRODUCT(S) AFFECTED: CA-ACF2-MVS Release 15.0 ACF2MS 9585 Copyright (C) 2013 CA. All rights reserved. R01013-ACF150-SP1 DESC(ADD TASID FIELDS TO RCVT). PRE ( RO52548 RO62039 ) SUP ( RO21453 RO24637 RO26259 TR17989 TR21453 TR24637 TR26259 TR65979 ) ++HOLD (RO65979) SYSTEM FMID(CAX1F00) REASON (DYNACT ) DATE (13351) PURPOSE Activate change without IPL KNOWLEDGE Operator commands ACCESS z/os Operator console

25 CA ACF CA RS PTF RO LLA Refresh 2. Issue any modify refresh ACF command like 'F ACF2,REFRESH(OPTS)'

26 CA ACF CA RS PTF RO RO66172 RO66172 M.C.S. ENTRIES = ++PTF (RO66172) CICS: AZTS/OTHER ABEND W/EXIT AND CONCURRENCY(REQUIRED) Defining a CICS application program as CONCURRENCY(REQUIRED) means that it is considered 'threadsafe', and from the start of the program, it always runs on an open task control block (open TCB) instead of the main CICS quasi-reentrant TCB (QR TCB If CICS must switch to the QR TCB to process an EXEC CICS command, CICS switches back to the open TCB before returning control to the application program. If the ACF2 CICS user exit program gets control with CONCURRENCY(REQUIRED) in effect, control may be returned back to ACF2 CICS from the user exit program on the open TCB rather than the QR TCB it was originally running on. This may then cause ACF2 CICS to return control back to CICS on the open TCB rather than the QR TCB it was originally running on, resulting in a CICS abend. An AZTS abend has been reported when this sequence occurred within ATTACH_SIGN_ON processing. CICS AZTS or other as-yet unidentified abends. Varies depending on abend and region situation/environment Avoid defining a CICS application program as CONCURRENCY(REQUIRED) PRODUCTS AFFECTED: CICS/TS Interface for CA ACF2 FOR Z/OS Release 15.0 ACF2MS 9594 Copyright (C) 2014 CA. All rights reserved. R01015-ACF150-SP1 DESC(CICS: AZTS/OTHER ABEND W/EXIT AND CONCURRENCY(REQUIRED)). FMID (CAX1F03) PRE ( RO31705 RO31941 RO32495 RO45361 RO46083 RO49397 RO53745 RO59229 ) SUP ( BR44651 RO27274 RO38393 RO43425 RO44221 RO46524 RO58084 TR27274 TR38393 TR42712 TR42869 TR43128 TR43173 TR43245 TR43425 TR43563 TR44221 TR46524 TR55119 TR58084 TR66172 ) ++HOLD (RO66172) SYSTEM FMID(CAX1F03) REASON (DYNACT ) DATE (14030) PURPOSE Put new code into place. KNOWLEDGE CICS region use ACCESS CICS region(s) REQUIRED ACFE transaction Recycle CICS -OR-

27 CA ACF CA RS PTF RO The region appropriate version of the following: ACFE=NEWC=CAKSRD63 For CICS/TS: 2.1 ACFE=NEWC=CAKSRD ACFE=NEWC=CAKSRD ACFE=NEWC=CAKSRD ACFE=NEWC=CAKSRD ACFE=NEWC=CAKSRD ACFE=NEWC=CAKSEXIT

28 CA ACF CA RS PTF RO RO66603 RO66603 M.C.S. ENTRIES = ++PTF (RO66603) CHANGE ACFESAGE MSG FROM ACF3014E TO ACFE014E Message ACF3014E Open failed for SYSIN file is issued when running the ACFESAGE report without a //SYSIN DD * Statement and without any JCL parameters i.e. TITLE DATFFMT Currently message ACF3014E is not documented in the CA ACF2 R15 Message Reference Guide Message ACF3014e issued if //SYSIN statement missing, it should be message ACFE014e. Message is not documented correctly. none available. PRODUCT(S) AFFECTED: CA-ACF2-MVS Release 15.0 ACF2MS 9600 Copyright (C) 2014 CA. All rights reserved. R01019-ACF150-SP1 DESC(CHANGE ACFESAGE MSG FROM ACF3014E TO ACFE014E). PRE ( RO19351 RO21351 RO21734 RO26996 RO36463 RO39136 RO44641 RO47863 RO58433 RO63347 ) SUP ( RO27780 RO54224 RO56898 RO61666 RO64768 TR27780 TR54224 TR56898 TR61666 TR64768 TR66603 ) ++HOLD (RO66603) SYSTEM FMID(CAX1F00) REASON (DYNACT ) DATE (14010) PURPOSE Dynamic installation of this fix. USERS All users. KNOWLEDGE Operator commands ACCESS z/os Operator console 1. Perform an LLA REFRESH.

29 CA ACF CA RS PTF RO RO66836 RO66836 M.C.S. ENTRIES = ++PTF (RO66836) NULL PASSWORD VERIFY CREATE PASSCHK=YES BYPASSED If a RACROUTE VERIFY with PASSCHK=YES is specified and the supplied password is null or blanks, password validation is incorrectly being bypassed if the userid supplied is the same as the address space userid. This problem only occurs for batch jobs. Message ACF01007 is not being issued. The signon request continues processing. Run the equivalent process as a started task. PRODUCT(S) AFFECTED: CA ACF2 ACF2MS 9605 Copyright (C) 2014 CA. All rights reserved. R01022-ACF150-SP1 DESC(NULL PASSWORD VERIFY CREATE PASSCHK=YES BYPASSED). PRE ( RO36829 RO45722 RO58369 RO61511 ) SUP ( TR17095 TR27787 RO27787 TR36141 TR38461 TR38482 RO36141 RO38461 RO38482 TR66836 ) ++HOLD (RO66836) SYSTEM FMID(CAX1F00) REASON (ACTION ) DATE (14043) PURPOSE NULL PASSWORD VERIFY CREATE PASSCHK=YES BYPASSED USERS AFFECTED All users KNOWLEDGE REQUIRED SMP/E Experience ACCESS REQUIRED Access to ACF2 loadlibs 1. SMP APPLY the fix. 2. Issue operator command 'F LLA,REFRESH'. 3. Issue operator command 'F ACF2,NEWMOD(ACF00SVA)'.

30 CA ACF CA RS PTF RO RO67467 RO67467 M.C.S. ENTRIES = ++PTF (RO67467) CICS: XCMD VALIDATION FOR JESSPOOL ON INQUIRE TEMPSTORAGE Some Command Level (XCMD) validations are performed against the wrong resource names. Actual Resources Validated Resources CAPTURESPEC ENABLE CSD EXTRACT TEMPSTORAGE JESSPOOL XMLTRANSFORM DISABLE Non-specific depending on if and how these resources are validated. Non-specific depending on if and how these resources are validated. Do not use Command Validation IE: Specify CICSKEY R=XCMD,O=IGNORE in ACF2PARM or via ACFM transaction, Function OM, Option C.H PRODUCTS AFFECTED: CICS/TS Interface for CA ACF2 FOR Z/OS ACF2MS 9607 Copyright (C) 2014 CA. All rights reserved. R01026-ACF150-SP1 DESC(CICS: XCMD VALIDATION FOR JESSPOOL ON INQUIRE TEMPSTORAGE). FMID (CAX1F03) PRE ( RO32495 RO35975 RO45361 RO46083 RO53745 ) SUP ( TR67467 ) ++HOLD (RO67467) SYSTEM FMID(CAX1F03) REASON (DYNACT ) DATE (14043) CA-ACF2-MVS CICS Release 15.0 PURPOSE Engage updated code KNOWLEDGE Linklist contents (optional) REQUIRED Console commands ACCESS Master console 1. SMP APPLY the PTF 2. Perform an LLA REFRESH (if applicable) 3. Restart CICS region(s)

31 CA ACF CA RS PTF RO RO67560 RO67560 M.C.S. ENTRIES = ++PTF (RO67560) CICS: REGION HANG/LOOP ON FOR_USERID XSRC CALLS CICS Transaction Server for z/os (CTS) has recently started exploiting the 'FOR(userid)' clause on DFHXSRC resource validation calls. The DFHXSRC parameter list had been updated at CTS 3.2 to support the syntax, but was not used until recently under CTS 4.2. If the 'FOR(userid)' data is present, ACF2 CICS validates resource access against the ID supplied in the FOR clause instead of against the current task's LOGONID as is normally done. When processing these calls, a loop may occur on CICS Resource Check (XSRC) calls that specify FOR(userid) that is the same as the current TRANSACTION_USER. If the current task is not terminal related, and the FOR(userid) ACEE is the same as that of the TRANSACTION_USER, and the resource being validated is not found in the user's session cache buffer from a prior validation, a loop of ACFAERUL issuing ACF2 SVC-A ACGRSRC Resource Validation calls will result. This has been reported for CICS Transaction code validation in a WEB Services environment. Possible: Region hang AICA trasaction abends Excessive SMF data if the Resource Check logs the access. Possible region outage. None PRODUCTS AFFECTED: CICS/TS Interface for CA ACF2 FOR Z/OS R15.0 ACF2MS 9610 Copyright (C) 2014 CA. All rights reserved. R01031-ACF150-SP1 DESC(CICS: REGION HANG/LOOP ON FOR_USERID XSRC CALLS). FMID (CAX1F03) PRE ( RO31705 RO32495 RO46083 RO59229 ) SUP ( AR59229 TR67560 ) ++HOLD (RO67560) SYSTEM FMID(CAX1F03) REASON (DYNACT ) DATE (14058) CA-ACF2-MVS CICS Release 15.0 PURPOSE Enable updated code USERS All Users KNOWLEDGE Linklist contents (optional) REQUIRED Console commands ACCESS CICS Region REQUIRED ACFE Trransaction

32 CA ACF CA RS PTF RO Perform an LLA REFRESH (if applicable) 2. Issue CICS transaction: ACFE=NEWC=CAKSRVAL

33 CA ACF CA RS PTF RO RO67587 RO67587 M.C.S. ENTRIES = ++PTF (RO67587) CHKCERT OUTPUT DIFFERS AFTER RO61513 The changes made by RO61513 may cause CHKCERT command output to be incomplete on systems that share INFO databases. The problem is evident when a CERTDATA record is inserted on one system and then CHKCERT'ed on another system sharing the INFO database. If the certificate table has not been rebuilt prior to the CHKCERT the output may fail to display certain information including the label, private key type and size, PKDS label and CERTDATA LIST output. CHKCERT output is inconsistent on systems sharing the INFO database. The inconsistencies are: 1) The "Label:" display is missing 2) Instead of "Private Key Type:" and "Private key bit size:" the CHKCERT output shows "Public Key Type:" and "Public key bit size:". 3) The "PKDS Label:" display is missing 4) "This certificate is registered with CA ACF2" line is missing along with the line showing the CERTDATA record key 5) The LIST of the CERTDATA record is missing CHKCERT output is inconsistent when issued in a shared INFO database environment. Issue "F ACF2,OMVS(CERTDATA)" to rebuild the certificate table, then re-do the CHKCERT command. PRODUCT(S) AFFECTED: CA-ACF2-MVS Release 15.0 ACF2MS 9611 Copyright (C) 2014 CA. All rights reserved. R01032-ACF150-SP1 DESC(CHKCERT OUTPUT DIFFERS AFTER RO61513). PRE ( RO25852 RO34534 RO35100 RO54831 RO61513 ) SUP ( TR67587 ) ++HOLD (RO67587) SYSTEM FMID(CAX1F00) REASON (DYNACT ) DATE (14051) PURPOSE Activate change without IPL KNOWLEDGE Operator commands ACCESS z/os Operator console LLA refresh

34 CA ACF CA RS PTF RO RO67765 RO67765 M.C.S. ENTRIES = ++PTF (RO67765) ACFRPTXR WAIT/HANG ACF4DLDS OFFSET X'28E' ACFRPTXR hangs in ACF4DLDS on an MVS CHECK at offset x'28e' for I/O to complete. ACFRPTXR hangs and never completes. The ACFRPTXR utility fails to complete. None. PRODUCT(S) AFFECTED: CA ACF2 ACF2MS 9615 Copyright (C) 2014 CA. All rights reserved. R01035-ACF150-SP1 DESC(ACFRPTXR WAIT/HANG ACF4DLDS OFFSET X'28E'). PRE ( RO54827 RO54834 ) SUP ( TR63153 RO63153 TR67765 ) ++HOLD (RO67765) SYSTEM FMID(CAX1F00) REASON (ACTION ) DATE (14069) PURPOSE Describe requirements and steps required to install this fix. USERS AFFECTED All users KNOWLEDGE REQUIRED SMP/E Experience ACCESS REQUIRED Access to ACF2 loadlibs 1. SMP APPLY the fix. 2. Issue operator command 'F LLA,REFRESH'.

35 CA ACF CA RS PTF RO RO67897 RO67897 M.C.S. ENTRIES = ++PTF (RO67897) ACFRPTOM R_CHOWN EVENT UID INCORRECT The ACFRPTOM report may report an incorrect UID in the "UID To Be Set:" field of R_chown events. The problem is likely when a chown command is issued against a zfs file. Invalid UID reported in ACFRPTOM R_chown events. ACFRPTOM report data is incorrect for R_chown events. None PRODUCT(S) AFFECTED: CA-ACF2-MVS Release 15.0 ACF2MS 9618 Copyright (C) 2014 CA. All rights reserved. R01039-ACF150-SP1 DESC(ACFRPTOM R_CHOWN EVENT UID INCORRECT). PRE ( RO29055 RO32871 RO35100 RO35876 RO55702 ) SUP ( TR23569 RO23569 TR40555 TR40732 RO40732 TR54539 RO54539 RO60280 TR60280 TR67897 ) ++HOLD (RO67897) SYSTEM FMID(CAX1F00) REASON (DYNACT ) DATE (14057) PURPOSE Activate change without IPL KNOWLEDGE Operator commands ACCESS z/os Operator console 1. LLA Refresh 2. Execute console command 'F ACF2,NEWMOD(SAFOEDRV)'

36 CA ACF CA RS PTF RO RO68280 RO68280 M.C.S. ENTRIES = ++PTF (RO68280) INITUSP FOR IOSAS FAILS DURING IPL During the z/os IPL certain addresses spaces including IOSAS are allowed to initialize prior to the point when ACF2 is fully initialized. Those address spaces are not able to successfully complete initusp processing at z/os 2.1. The problem occurs because the group field in the ACEE for those address spaces contains '*' which does not match a group/gid defined to the ESM and the BPX.DEFAULT.USER GID is no longer used at z/os The following message is issued during IPL: IOS628E ENCRYPTION ON DEVICE xxxx HAS FAILED DUE TO USS FAILURE 2. ACRPTOM report shows failed initusp call for IOSAS with group *. Tape encryption processing fails None PRODUCT(S) AFFECTED: CA-ACF2-MVS Release 15.0 ACF2MS 9621 Copyright (C) 2014 CA. All rights reserved. R01041-ACF150-SP1 DESC(INITUSP FOR IOSAS FAILS DURING IPL). PRE ( RO20461 RO46590 RO54833 RO55702 RO60391 RO60393 ) SUP ( TR17283 TR17308 TR20945 RO20945 TR26131 TR29482 TR29487 AR29487 RO29487 TR32090 RO26131 TR33002 TR33050 TR33080 RO33080 TR34727 TR37808 TR41922 TR42041 RO34727 RO37808 RO42041 TR47622 RO47622 TR48295 RO32090 TR48778 TR49476 RO48295 TR51345 RO51345 TR56644 TR60367 AR60393 TR65152 RO49476 TR65772 RO56644 RO60367 RO65152 RO65772 TR68280 ) ++HOLD (RO68280) SYSTEM FMID(CAX1F00) REASON (DYNACT ) DATE (14085) PURPOSE Activate change without IPL KNOWLEDGE Operator commands ACCESS z/os Operator console 1. LLA Refresh 2. Execute console command 'F ACF2,NEWMOD(SAFOEDRV)' 3. Execute console command 'F ACF2,NEWMOD(ACF9C000)'

37 CA ACF CA RS PTF RO RO68723 RO68723 M.C.S. ENTRIES = ++PTF (RO68723) ERRORS IN ACFESAGE FLAT FILE FOR 0630 RECORDS If a RULE has a quoted ruleline, the $KEY is added as the high level qualifier. Also if there is a $PREFIX the $KEY is used as the high level qualifier, instead of the $PREFIX. Also resolved an SC03 abend if the SYSIN contained more the 12 lines which should result in an: ACFE016E SYSIN CONTAINS TOO MANY STATEMENTS message 0630 record in the ACFESAGE Flat File has an incorrect High Level Qualifier. ACFE016E SYSIN CONTAINS TOO MANY STATEMENTS bad data. Modify the file manually PRODUCTS AFFECTED: PRODUCT(S) AFFECTED: CA-ACF2-MVS Release 15.0 ACF2MS 9623 Copyright (C) 2014 CA. All rights reserved. R01046-ACF150-SP1 DESC(ERRORS IN ACFESAGE FLAT FILE FOR 0630 RECORDS). PRE ( RO19351 RO21351 RO21734 RO26996 RO36463 RO39136 RO44641 RO47863 RO58433 RO63347 ) SUP ( RO27780 RO54224 RO56898 RO61666 RO64768 RO66603 TR27780 TR54224 TR56898 TR61666 TR64768 TR66603 TR68432 TR68723 ) ++HOLD (RO68723) SYSTEM FMID(CAX1F00) REASON (DYNACT ) DATE (14085) PURPOSE Dynamic installation of this fix. USERS All Users. KNOWLEDGE Operator commands. ACCESS z/os Operator console. 1. Perform an LLA REFRESH.