Getting unexpected results from safauth

Discussion of the Co:Z Co-Processing Toolkit for z/OS
Post Reply
sctebnt
Posts: 30
Joined: Mon Nov 02, 2009 10:47 pm

Getting unexpected results from safauth

Post by sctebnt » Thu Sep 02, 2010 2:41 pm

When I run the following from a cozagent shell

cozclient safauth DATASET BAS00095.T.STUFF alter
echo rc = $?
cozclient safauth DATASET BAS8042.T.STUFF read
echo rc = $?
cozclient safauth DATASET @17171.T.PARMLIB read
echo rc = $?

I expect to get
RC=0
RC=non zero
RC=0

What I get is
rc = 102
rc = 102
rc = 102

And I get the following in STDERR
About to execute -/bin/bash -c /bin/bash -l
version: 1.0.5 2008-03-01
Using getaddrinfo() to start connection to server 127.0.0.1 at port 9880
clientCodePage 'ISO8859-1' (via COZ_CLIENT_CODEPAGE)
server exit_code=102
No exit status packet received, skipping byte count check.
version: 1.0.5 2008-03-01
Using getaddrinfo() to start connection to server 127.0.0.1 at port 9880
clientCodePage 'ISO8859-1' (via COZ_CLIENT_CODEPAGE)
server exit_code=102
No exit status packet received, skipping byte count check.
version: 1.0.5 2008-03-01
Using getaddrinfo() to start connection to server 127.0.0.1 at port 9880
clientCodePage 'ISO8859-1' (via COZ_CLIENT_CODEPAGE)
server exit_code=102
No exit status packet received, skipping byte count check.

When I run safauth under USS (w/o the use of cozagent) I get the following:
$ safauth DATASET BAS8042.P.STUFF read
[1] + Done(137) safauth DATASET BAS8042.P.STUFF read
659098 Killed /hewitt/coz/current/bin/safauth

Thanks for your help.

- Scott

dovetail
Site Admin
Posts: 1948
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail » Thu Sep 02, 2010 2:53 pm

This is probably due to an abend in your security manager.

When I do this in RACF, I see the following abend in the system log:

*ICH409I 282-018 ABEND DURING RACHECK PROCESSING
+CEE0374C CONDITION=CEE3250C TOKEN=00040CB2 61C3C5C5 00000000 272
WHILE RUNNING PROGRAM ICHRFR00
AT THE TIME OF INTERRUPT
PSW 078D2400 80CFDC62
GPR 0-3 198EBC6C 00000000 00CFD188 00FC81D0
GPR 4-7 FFFFFFFF 00000002 00000001 198EBB20
GPR 8-B 198EBAB8 198EBBDC 00000000 198EBBE4
GPR C-F 00CFD188 198EBBE4 00000002 00000000
FLT 0-2 4DC685C5E4E1E49C 41120DD750429B6D
FLT 4-6 4116A09E667F3BCD 3FD45F306DC9C883

If you look this up, the 018 reason code says "Volume serial required but not supplied."

You would need to refer to the RACF (or ESM product) for more information.

We do, however, need to enhance "safauth" to add an ESTAE on this so that we print a nice error message to stderr from safauth.

dovetail
Site Admin
Posts: 1948
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail » Thu Sep 02, 2010 3:46 pm

The real problem with this is that for the underlying RACROUTE REQUEST=AUTH request, a VOLSER= is required for CLASS=DATASET. It turns out that for SMS managed datasets, this volser is not used. So, we will probably either change the safauth command to take a VOLSER, and we will probably supply a default of VOLSER=XXXXXX.

sctebnt
Posts: 30
Joined: Mon Nov 02, 2009 10:47 pm

Post by sctebnt » Thu Sep 02, 2010 9:51 pm

Thanks, looking forward to the update!

dovetail
Site Admin
Posts: 1948
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail » Wed Oct 06, 2010 5:42 pm

The latest release (1.7.4) includes an enhanced safauth command that addresses this requirement.

see: http://dovetail.com/docs/coz/dsp-ref_safauth.html

Post Reply