Text only | Text with Images

OnDemand Users Group

Support Forums => CMOD for z/OS Server => Topic started by: cmodpuser on May 07, 2018, 07:10:56 PM

Title: OnDemand V9.5 arsload requires read acceess to CSFRNG and CSFIQA profiles
Post by: cmodpuser on May 07, 2018, 07:10:56 PM
I couldn't find this requirement documented anywhere, but when we upgraded OnDemand on z/OS fro V9 to V9.5
the AFP load jobs started getting this violations:
ICH408I USER(.......
  CSFRNG CL(CSFSERV )                           
  INSUFFICIENT ACCESS AUTHORITY                 
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(........
  CSFIQA CL(CSFSERV )                           
  INSUFFICIENT ACCESS AUTHORITY                 
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
Has someone else run into this?
We disabled SAF authorization checking for the CSFRNG services as recommended in
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.csfb300/ctlserv.htm
but it appears we will have to grant read access for CSFIQA profile to all userids that load AFP reports,

Title: Re: OnDemand V9.5 arsload requires read acceess to CSFRNG and CSFIQA profiles
Post by: Ed_Arnold on May 07, 2018, 07:37:56 PM
9.5.0.3 introduced new encryption functions.

It's mentioned somewhat in this thread - follow all of the links.

9.5.0.3 Rollup for z/OS --- new function, extensive HOLD ACTION, LE Maint req'd

http://ODUG.net/index.php?topic=1734.0 (http://odug.net/index.php?topic=1734.0)

Also, you might want to review this from the V9.5 Release Notes thread:

http://ODUG.net/index.php?topic=1543.msg8502#msg8502

Ed

Text only | Text with Images