Success — RACROUTE Working Correctly
The issue has been resolved with the following key adjustments:
Changes Implemented:
Increased WORKAREA to 512 bytes
Required by Top Secret to avoid S0C4 and RACROUTE parameter errors.
Adjusted RESTORE and RETURN sequence:
L R13,4(R13) ; Restore previous save area pointer
L R14,12(R13) ; Restore return address
LM R1,R12,24(R13) ; Restore registers R1–R12
This aligns with standard linkage conventions.
Replaced ENTITY=(R1) with ENTITY=ENTITY
Simplifies addressing and ensures the resource name is correctly interpreted.
Removed STATUS=ACCESS
While previously needed due to ACEE issues, it was removed after cleanup.
This re-enabled full auditing through Top Secret.
Execution Result:
TSS7250E 136 J=TS0042AS A=XXXXXX TYPE=UR2 RESOURCE=APP.DATA
TSS7251E Access Denied to UR2 <APP.DATA>
This confirms:
The RACROUTE macro was valid
Security controls are engaged
Access denial is logged in TSSUTIL audit reports
Thanks to everyone who helped. I appreciate the technical insight!
Thank You
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Jon
Perryman
Sent: Tuesday, July 15, 2025 3:57 PM
To: [email protected]
Subject: Re: TSS Resource Class
!
CAUTION! EXTERNAL SENDER! STOP, ASSESS, AND VERIFY Do you know this person?
Were you expecting this email? If not, report it using the Report Phishing
Button!
On Tue, 15 Jul 2025 16:53:26 +0000, Steely.Mark <[email protected]> wrote:
>*-- SET POINTER TO ENTITY (FIXED)
> LA R1,ENTITY
> RACROUTE REQUEST=AUTH,ENTITY=(R1),CLASS='UR2',ATTR=READ, X
> WORKA=WORKAREA
>* STATUS=ACCESS,WORKA=WORKAREA
>
>ENTITY DC C'APP.DATA' RESOURCE NAME
> DC X'00' NULL TERMINATOR (OPTIONAL)
1. R1 should be avoided because R0, R1, R14 & R15 are used internally by
RACROUTE. Why not code ENTITY=ENTITY?
2. Resource names are NOT null terminated. The resource name length must match
the class definition. I'm not familiar with classes UR1 & UR2. Class="DATASET"
has a length of 44 which means the resource name must be 44 bytes (no less and
no more).
3. Alternatively, specify ENTITYX= because it will work for all classes that
are not shorter than the specified resource name.
4. If I remember correctly, STATUS=ACCESS returns user's access, ignores the
ATTR= and bypasses audit. I suggest removing this argument unless you need it.
5. Since I don't know the UR1 & UR2 class attributes, I suggest starting with
something simple like CLASS='DATASET'. Once you get it working, proceed with
UR1 & UR2.
6. In theory, authorization should not be required but you might try AC(1) from
an authorized library. Maybe STATUS=ACCESS requires running authorized.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
[email protected] with the message: INFO IBM-MAIN
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
