ACFRPTST-The SAF Trace Report

acf2src
The ACFRPTST report formats and displays the output that was sent to SMF by the SECTRACE command. To run the ACFRPTST report, you must have already run the SECTRACE operator command and set the output destination to SMF. With few exceptions, CA ACF2 processes all z/OS SAF security requests by default.
The SAF Trace report enables you to display the monitored RACROUTE parameter list passed by requests for SAF services. This report also displays additional environmental information, such as job name, user ID, and the program issuing the SAF call. For more information about using the SECTRACE command, see System Programming.
Running the Report Using the ISPF Panel
You can use the ACFRPTCR panel to create your input for the report. The following parameters can be found on the ACFRPTCR ISPF panel.
LOGONID MASK
The logonid or logonid mask for which you want SAF activity reported.
POSTLOG/AFTER
Requests records created after security validation has completed. These records contain the return and reason codes from the security call as well as the modified data structures. The PRELOG and POSTLOG parameters are mutually exclusive. If neither parameter is specified, all pre and post records are displayed.
PRELOG/BEFORE
Requests records created before security validation has occurred. These records contain the information from the external data structures before SAF processing has occurred. The PRELOG and POSTLOG parameters are mutually exclusive. If neither parameter is specified, all pre and post records are displayed.
ASID
Indicates the home address space identifier in which the SAF request is issued and, if applicable, the primary address space identifier in which the code for the task is executed.
TRACEID
Specifies a one- to eight-character trace ID that can be masked. The default is all trace IDs.
LIST ID
Specifies the one- to eight-character output list name. ISPF prefixes the name you specify with the user's prefix from his profile and the characters ACF2.ACFRPTST. For example, if your DFT-PFX is HANDAN01, and you specify TEST as the output list name, your output list data set name is HANDAN01.ACF2.ACFRPTST.TEST.
DETAIL
Specifies that the external data structures identified in the RACROUTE parameter list definition are displayed following the RACROUTE parameters. These external data structures are shown in both hexadecimal and EBCDIC formats.
RECMAN 1/2/3
For a description of these files, see Reporting.
LOGSTREAM
Indicates if LOGSTREAM SMF data needs to be retrieved. This parameter is available for z/OS1.9 and higher when the SNF data is being captured by a LGR LOGSTREAM structure. When Y is specified an ACFRPTAL is displayed to provide specific logstream parameters.
Running the Report Using JCL
You can use JCL to run the ACFRPTST report. For more information, see the documentation about input and output files for report generators.
The following are the parameters for this report:
DETAIL
Specifies that the external data structures identified in the RACROUTE parameter list definition are displayed following the RACROUTE parameters. These external data structures are shown in both hexadecimal and EBCDIC formats.
[JOBMASK(
********
|
jobmask,...,jobmask
)]
Requests records created by the specified job name mask. Use commas or spaces to separate multiple masks.
POSTLOG
Requests records created after security validation has completed. These records contain the return and reason codes from the security call as well as the modified data structures. The PRELOG and POSTLOG parameters are mutually exclusive. If neither parameter is specified, all pre and post records are displayed.
PRELOG
Requests records created before security validation has occurred. These records contain the information from the external data structures before SAF processing has occurred. The PRELOG and POSTLOG parameters are mutually exclusive. If neither parameter is specified, all pre and post records are displayed.
[TRACEID(
********
|
traceid
)]
Specifies a one- to eight-character trace ID that can be masked. The default is all trace IDs.
Common Parameters
ACFRPTST accepts the following standard parameters.
  • LINECNT
  • TITLE
  • JOBMASK
  • EDATE
  • SDATE
  • ETIME
  • STIME
  • SELECT
  • SYSID
  • HEX
  • COND
Input and Output Files
ACFRPTST uses SYSPRINT, SYSIN, and RECxxxxx. For more information, see Reporting.
Sample Output
ACFRPTST formats and reports SECTRACE output written to the System Management Facility (SMF). SMF is the only SECTRACE output destination where output is guaranteed because SMF is the only destination that can be written to in any mode.
The following is sample output for ACFRPTST when the DETAIL parameter is not specified.
Sample Output if DETAIL is Not Specified
CA ACF2 SECURITY - ACFRPTST - SAF TRACE REPORT PAGE 59  DATE 01/29/98 (98.029) TIME 14.09 TRACEID(SECOFF) SMFID= VEGA TOD= 14:09:12.57 TRACEID=SECOFF USERID=USER01  JOBNAME= USER01 ASID= 001C / 002F PGM= IKJEFF04 CURR RB= SVC019  SFR/RFR= 0/0:0 MODE= TASK APF= AUTHORIZED LOCKS= NONE  SAFDEF= USER01 GSO MODE= GLOBAL  RACROUTE REQUEST=AUTH,MSGSP=0,WORKA=,ATTR=READ,CLASS='DATASET', DDNAME='SYS00014',DSTYPE=N, ENTITY=('USER01,SPFTEMP0.CNTL',NONE),FILESEQ=0, GENERIC=ASIS,LOG=ASIS,RACFIND=NO,RELEASE=1.8,STATUS=NONE, TAPELBL=STD
The ACFRPTST report always produces entries formatted like the previous sample. The ACFRPTST report produces additional information in the entries when the DETAIL parameter is specified, as shown in Sample Output: DETAIL.
Sample Output: DETAIL
The following sample shows the output of an ACFRPTST report with the DETAIL parameter specified.
CA ACF2 SECURITY - ACFRPTST - SAF TRACE REPORT PAGE 59  DATE 01/29/98 (98.029) TIME 14.09 TRACEID(SECOFF),DETAIL SMFID= VEGA TOD= 14:09:23.35 TRACEID=SECOFF USERID=USER01  JOBNAME= INIT ASID= 000F / 003C PGM= IEFIB600 CURR RB= IEFIB600  SFR/RFR= 0/0:0 MODE= TASK APF= AUTHORIZED LOCKS= NONE  SAFDEF= UISER01 GSO MODE= GLOBAL  RACROUTE REQUEST=VERIFY,MSGSP=0,WORK=,ACTINFO=,ENCRYPT=YES, ENVIR=CREATE,JOBNAME='USER01A',LOG=ASIS,PASSCHK=YES, PGMNAME='MYPROGRAM',RELEASE=1.8,SMC=YES,STAT=ASIS ACTINFO DATA AREA FOLLOWS  00024485 +000 0105E2E2 C402E600 00000000 00000000 *..USER01........*  00024495 +010 00000000 00000000 00000000 00000000 *................*  000244A5 +020 00000000 00000000 00000000 00000000 *................*  000244B5 +030 00000000 00000000 00000000 00000000 *................*  000244C5 +040 00000000 00000000 00000000 00000000 *................*
Following the ACFRPTST output fields, the external data structures identified by the RACROUTE parameter list are displayed in both hexadecimal and EBCDIC formats.
Parameter Descriptions
APF
Specifies whether the requestor was APF-authorized.
ASID
Indicates the home address space identifier in which the SAF request was issued and, if applicable, the primary address space identifier in which the code for the task is executed.
CURR RB
Specifies the program name associated with the current request block (RB) under which the call was made. This field specifies the program request block (PRB) name that the security event must occur in. When an event occurs directly under a PRB, the name of the program specified in that block is used to match what you specify in this field. If an event occurs under a supervisor call request block (SVRB), the RB name is assigned SVC
nnn
, where 
nnn
 is the decimal SVC number. If this RB is the only RB on the active RB chain under an SVRB, the interrupt code (SVC number) cannot be determined. Therefore, another RB name is assigned. If the program manager indicator is set, the assigned RB name is *PMSVRB*. If the indicator is not set, the RB name is *SYSTEM*. If the security event occurs under the control of a service request block (SRB), the assigned RB name is *SRB*.
JOBNAME
Identifies the name of the job for which the SAF request was issued.
LOCKS
Indicates the locks that were held in the address space at the time the SAF event was traced.
MODE
Identifies the operating mode of the address space. There are two different indicators for mode. MODE=TASK indicates that the SAF request was made from a task mode requester. MODE=SRB indicates that the request was made from a SAF mode requester.
PGM
Shows the program that issued the SAF request. This field specifies the program name of the newest PRB on the active RB chain. If no PRB exists on the active RB chain when a monitored event occurs, the name used for the RB field is also used for PROGRAM.
SFR/RFR
Specifies the SAF return code and the security system's return and reason codes (
n
:
n
) from the SAF event. These values are available only on TRACE=POST requests. See the IBM publication, 
External Security Interface (RACROUTE) Macro Reference for MVS and VM
, for information about these return and reason codes.
SMFID
Specifies the SMF CPU identifier of the executing CPU.
TOD
Shows the time of day when the SAF request was issued.
TRACEID
Lists the SECTRACE event identifier. The TRACEID is the ID set in the SECTRACE command.
USERID
Specifies the user ID active in the address space when the SAF event was traced.