View Only

Demystifying ACF2

By Jasdeep Singh posted Jan 31, 2022 11:16 AM


“The best way to learn is to teach” – Latin quote

As a new member of ACF2 support team who joined Broadcom around eight months ago, I am following this well-known quote daily. I am learning about the ACF2 world, the most common areas where problems occur and how to troubleshoot as I strengthen myself in my role.

We all know the robust nature of the mainframe and that mission-critical applications rely on it. Protecting these resources and data is a key focal point for all businesses using mainframes. We have all read the security breach news and we see the acceleration and innovations in threats today, right?

That’s where the external security products like ACF2 and Top Secret come into the picture. These products are highly reliable and provide comprehensive access control security for all of your mainframe assets. In my first blog, I will focus on basic ACF2 processing, possible issue areas, and data to capture for faster problem analysis. In my coming blogs, I will go into more details on specific components and features of ACF2.

First, let’s discuss how ACF2 works and how it acts as a shield to protect your critical data and resources. Before I get into details, I want to mention an important security component of z/OS: System Authorization Facility (SAF), allows software to interface with external security products. SAF, RACF, and RACROUTE terms are used interchangeably. RACROUTE is the actual z/OS macro that your application uses to make a security call.

When an application makes a SAF or RACROUTE call with a particular resource CLASS, ACF2 intercepts it using the ACF2 SAF router, looks for SAFDEF record, and checks which parameters match the call. The router then tells ACF2 how to process the specific RACROUTE call. Next, ACF2 uses CLASMAP records to translate a resource CLASS that can be up to eight characters into a three-character TYPE CODE. Finally, the TYPE CODE is used to look for the defined resource rules to do the validations for access. Figure 1 explains this ACF2 processing.

Figure 1: ACF2 Processing Topology Diagram

Now, the most important part: where can issues occur? You might encounter an incorrect SAFDEF record, incorrect CLASMAP mapping, and/or issues with resource rules.

First and foremost, if you are experiencing any resource violations, please run the ACFRPTRV report with the DETAIL parameter pointing to SMF active at the time of the error and share the output with Broadcom Support for faster analysis of the problem. To force SMF logging, a TRACE bit can be turned on a logonid (CHANGE logonid TRACE) so that ACF2 creates SMF loggings for all resource access attempts made by the logonid in question.

Another powerful debug option is SECTRACE, which traces any requests made to SAF that interfaces with ACF2. SECTRACE shows what SAF calls are being made by a vendor's product and displays the RACROUTE parameter list passed by SAF requests. Here is an example on how to turn on MVS SECTRACE from console and next print the entries using ACFRPTST report:


After re-creating the problem, SECTRACE can be deleted/disabled using


The first blog is a crash course in basic ACF2 processing for RACROUTE calls. As I mentioned, I will be writing a series of blogs related to ACF2 components and features. If there is any other topic you are interested in hearing more about, please let us know.

Our support team has created a series of modularized videos that provide an excellent opportunity for you to learn and **** digital certificates. Please check them out and let us know what you think!