ACF2

  • 1.  Suspended ids

    Posted Mar 24, 2020 02:13 PM
    Hello,
    We are experiencing issues with many users becoming suspended and needing to be unsuspended before logging into CICS.  The userid is not suspended due to Password violations.  The message they receive in CICS is regarding Group access has been revoked.  When the user logs on they logon with * group.  What group is ACF2 checking?  Why is the id being suspended? 

    DFHSN1120 03/24/2020 09:20:52 AZCICSP Signon at netname J44F by user D048947 has failed because the group access has been revoked.

    Listing of id in ACF2:
    list D048947
    D048947 VJB10B2B0XD048947 Jeff Smith M 555-1212-1212 721C II9
    CANCEL/SUSPEND CSDATE(03/24/20) CSWHO(CICSMP) SUSPEND
    PRIVILEGES ACTIVE(08/31/18) CICS JOB NO-STORE
    ACCESS ACC-CNT(2,876) ACC-DATE(03/24/20) ACC-SRCE(J44G)
    ACC-TIME(07:00)
    PASSWORD KERB-VIO(0) KERBCURV() MAXDAYS(30) MINDAYS(7)
    PSWA1TOD(03/23/20-07:53) PSWD-DAT(00/00/00) PSWD-INV(0)
    PSWD-SRC(J0VU) PSWD-TIM(10:31) PSWD-TOD(03/23/20-07:53)
    PSWD-VIO(0) PSWDCVIO(103) PWP-DATE(00/00/00) PWP-VIO(0)
    TSO DFT-PFX(D048947)
    STATISTICS CRE-TOD(08/31/18-11:48) SEC-VIO(0)
    UPD-TOD(03/24/20-09:20)
    CICS CICSACCT(3271) IDLE(15)



  • 2.  RE: Suspended ids
    Best Answer

    Broadcom Employee
    Posted Mar 24, 2020 02:21 PM
    The group message is an IBM message, not an ACF2 message, so the text might be in error.  I would suggest you run the violation reports ACFRPTRV and ACFRPTPW for the user since they last logged on successfully and open a case with ACF2 Support.


  • 3.  RE: Suspended ids

    Posted Mar 24, 2020 05:09 PM
    Correct, it is an IBM CICS message.  We have run the reports and they don't show much.  Unfortunately, the customer is at an unsupported version of ACF2 and they will not open a case without purchase of extended support.


  • 4.  RE: Suspended ids

    Posted Mar 24, 2020 06:54 PM
    Hi Sean,

    Based on what you have provided, it appears you are experiencing an issue due to this statement from the ACF2 Manual about Groups: If you do not specify GROUP at system entry, CA ACF2 uses the value that is specified in the GROUP field of the user logonid record for validation. 

    In the listing above of user D048947 it does not show the GROUP() field set on its lid. Try granting the user access to a group and have them enter the GROUP name at login.

    Have your Sec Admin invoke the following:
    SET LID
    List D048947
    Cha D048947 GROUP(XXXXX) 

    SET RES(TGR)
    List XXXXX
    Grant D048947 access to XXXXX group
    F ACF2,REBUILD(TGR)

    SET PROF(USER) DIV(OMVS)
    List D048947 to confirm if the user has an OMVS segment defined to the lid.
    INSERT D048947 HOME(/A) OMVSPGM(/B) UID(##)
    F ACF2,OMVS

    /A - A field that defines the pathname of the initial directory used when a user enters the OMVS command or enters the ISPF shell.
    /B - An optional field that defines the user's UNIX System Services shell program started when the OMVS command is entered or when a UNIX System Services batch job is started using the BPXBATCH program. 

    Here is some documentation on Group Profiles in ACF2:

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/administrating/control-system-entry/specify-group-or-project-name-at-logon.html

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/administrating/administer-records/user-profile-records/omvs-user-profile-data-records.html


    ------------------------------
    Mainframe Security Engineer
    M&T Bank
    ------------------------------



  • 5.  RE: Suspended ids

    Posted Apr 02, 2020 03:30 PM
    I think what is happening is that users are hitting the IDLE time and entering the password incorrectly at the PROMPT and hitting the MAXTRY limit, which will therefore SUSPEND the id.  The issue that is not clear to me is why the PSWD-VIO or PSWDCVIO does not increase for a LID when a user is entering an invalid Password in CICS at the following prompt after IDLE time has been exceeded:   ACFAE908 PLEASE ENTER YOUR PASSWORD FOR SYSID ssss =>


  • 6.  RE: Suspended ids

    Posted Apr 03, 2020 12:52 PM

    Good Afternoon Sean,


    Great points, and I believe this below is what you're experiencing. Try checking the values set in GSO for the PSWD record to see what the values are set to for PASSLMT and MAXTRY. And also check the values in the CICS Region parms.


    PASSLMT(2|nnn)

    Specifies the maximum number of invalid password, SAF Kerberos key and password phrase attempts permitted in a single day before CA ACF2 denies all accesses to the system by the logonid. For example, if the maximum number of invalid password attempts is two, CA ACF2 denies all access attempts after the second invalid attempt. If you try to log on after the PASSLMT has been reached, you receive a message telling you that your logonid has been suspended.


    NOTE: If the GSO PASSLMT field of the PSWD record is reduced, users can be suspended if their PSWD-VIO count is equal to or greater than the new value. For example, if PASSLMT is reduced from 5 to 3, logonids are considered suspended if the PSWD-VIO field in those logonids had a value of more than three.


    Using an Invalid Password

    If the terminal operator supplies an invalid password to a prompt other than sign-on, the CICS interface prompts the terminal operator for the correct password until the OPTION MAXVIO or the GSO PSWD record PASSLMT value is reached. When the limit is reached, it signs off the terminal operator. If SUSPEND PASSWORD=YES is specified, the SUSPEND logonid field is set. The CICS interface disposes of the terminal according to the specification of the OPTION DISCONNECT parameter. The host system does not count password violations as a result of password verifications after sign-on.



    ------------------------------
    Mainframe Security Engineer
    M&T Bank
    ------------------------------
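The triage that replies 5 and 6 describe, as an added example that is not part of any post in this thread: parse the fields of an ACF2 LIST output and separate logonids suspended by the daily PASSLMT count (PSWD-VIO) from logonids that carry SUSPEND although PSWD-VIO never reached the limit, which is the pattern the first post shows (PSWD-VIO(0), CSWHO(CICSMP)) and which reply 6 attributes to the post-signon CICS prompt not counting as a password violation. The listing embedded below is the one from the first post; the variants derived from it and the PASSLMT value of 2 are constructed for the example, and the parser assumes the LIST command echo line is not included in the text it is given.

```python
import re

# Listing of D048947 copied from the first post in the thread. The first
# line (name, phone and other header fields) is skipped by the parser.
SAMPLE_LISTING = """\
D048947 VJB10B2B0XD048947 Jeff Smith M 555-1212-1212 721C II9
CANCEL/SUSPEND CSDATE(03/24/20) CSWHO(CICSMP) SUSPEND
PRIVILEGES ACTIVE(08/31/18) CICS JOB NO-STORE
ACCESS ACC-CNT(2,876) ACC-DATE(03/24/20) ACC-SRCE(J44G)
ACC-TIME(07:00)
PASSWORD KERB-VIO(0) KERBCURV() MAXDAYS(30) MINDAYS(7)
PSWA1TOD(03/23/20-07:53) PSWD-DAT(00/00/00) PSWD-INV(0)
PSWD-SRC(J0VU) PSWD-TIM(10:31) PSWD-TOD(03/23/20-07:53)
PSWD-VIO(0) PSWDCVIO(103) PWP-DATE(00/00/00) PWP-VIO(0)
TSO DFT-PFX(D048947)
STATISTICS CRE-TOD(08/31/18-11:48) SEC-VIO(0)
UPD-TOD(03/24/20-09:20)
CICS CICSACCT(3271) IDLE(15)
"""

# A token of the form NAME(value); bare upper-case tokens are flags
# (SUSPEND, CICS, NO-STORE, ...) or section names (PASSWORD, ACCESS, ...).
FIELD_RE = re.compile(r"^([A-Z0-9/-]+)\((.*)\)$")


def parse_lid_listing(text):
    """Return (fields, flags) from a LIST logonid output.

    fields maps NAME -> value string; flags is the set of bare words.
    The header line carrying the LID's name fields is skipped.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    fields, flags = {}, set()
    for line in lines[1:]:
        for tok in line.split():
            m = FIELD_RE.match(tok)
            if m:
                fields[m.group(1)] = m.group(2)
            elif tok.isupper():
                flags.add(tok)
    return fields, flags


def count(fields, name):
    """Numeric value of a counter field; ACF2 prints thousands with commas."""
    return int(fields.get(name, "0").replace(",", "") or 0)


def classify_suspension(fields, flags, passlmt):
    """Explain a SUSPEND flag using the counters the listing carries.

    passlmt is the site's GSO PSWD PASSLMT value (assumed, not read from
    the system). PSWD-VIO at or above it means the daily limit did the
    suspending; below it, the suspension came from elsewhere, and CSWHO
    names the task that set it (CICSMP in the thread's case).
    """
    if "SUSPEND" not in flags:
        return "not suspended"
    if count(fields, "PSWD-VIO") >= passlmt:
        return "suspended by daily password violations"
    who = fields.get("CSWHO", "?")
    return f"suspended by {who} without reaching PASSLMT"


def triage(listings, passlmt):
    """Classify several listings; returns {lid: reason}."""
    out = {}
    for text in listings:
        fields, flags = parse_lid_listing(text)
        lid = text.split(None, 1)[0]
        out[lid] = classify_suspension(fields, flags, passlmt)
    return out


if __name__ == "__main__":
    # Constructed variant: same LID with three daily violations recorded.
    variant = SAMPLE_LISTING.replace("PSWD-VIO(0)", "PSWD-VIO(3)")
    for lid, reason in triage([SAMPLE_LISTING, variant], passlmt=2).items():
        print(lid, "->", reason)
```

Run against a batch of LIST outputs, the second category is the one to investigate with the ACFRPTPW report and the CICS region's MAXVIO, SUSPEND and DISCONNECT settings; a logonid that lands in the first category is the ordinary PASSLMT case.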