IBM Security Z Security

Security for Z

Join this online user group to communicate across Z Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  CKR2043 16 Program not APF authorized

    Posted Thu March 05, 2026 12:25 PM

    Hello

    With KDFAES migration (all passwords have been converted) we got the error for AU.V passwords verification (zSecure 3.1 - for LEGACY no error)

    CKR2043 16 Program not APF authorized. Cannot perform requested analysis 

    Could you advice what will be the best way to fix this problem pls (e.g find the concatenation libs for our zSecure APFs ? - I did try some with ISRDDN but no success).

    Thx in advance for any hints.



    ------------------------------
    Regards
    Sławomir Bujniak
    Kyndryl
    ------------------------------


  • 2.  RE: CKR2043 16 Program not APF authorized

    Posted Fri March 06, 2026 03:03 AM

    Hi Slawomir,

    The message indicates that you must run the APF-authorized version of CKRCARLA that is named CKRCARLX. 
    The following excerpt is copied from the zSecure Admin and Audit User Reference manual chapter "Calling zSecure", section "Starting zSecure programs using JCL":

    Typically, CKRCARLA runs without APF authorization. If APF authorization is required, you can use the CKRCARLX program. Using CKRCARLA with APF requires READ access to resource CKR.CKRCARLA.APF.
    For details about this resource, see the IBM zSecure CARLa-Driven Components: Installation and Deployment Guide.
    See the zSecure CARLa Command Language for information about which functions require APF authorization. 

    I hope this helps.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------

    Original Message


  • 3.  RE: CKR2043 16 Program not APF authorized

    Posted Fri March 06, 2026 03:37 AM
    Edited by Mike Riches Fri March 06, 2026 05:03 AM

    Hello Slawomir,

    Please review the following technote which explains how to perform password verification with KDFAES:

    https://www.ibm.com/support/pages/node/1107003



    ------------------------------
    Mike Riches
    ------------------------------

    Original Message


  • 4.  RE: CKR2043 16 Program not APF authorized

    Posted Tue March 17, 2026 02:58 AM

    Hello,

    Thank you - yes for jcl batch and PGM=CKRCARLX it works well (but I have impression - it did works well for some other env. in the past - via panels...)



    ------------------------------
    Regards
    Sławomir Bujniak
    Kyndryl
    ------------------------------

    Original Message


Related Content