How to display Rule REJECTs.

Did not have  ACCEPT * LOGON (IPADDR   in System Rules and could not login from TN3270 terminal.

How do you get a message that the LOGON had been rejected and why?

Release : 3.2

This is regulated by the DISPRULE record in the SECURITY CONFIG file. To view and modify the SECURITY CONFIG file, issue the command:

   ---> VMSECURE CONFIG SECURITY

You might want to run with DISPRULE ALL for a while so you can see ALL rules processing for all commands managed by VM:Secure to help you understand how the rules are being processed. 

Then later, you may just change it to DISPRULE REJECT. DISPRULE REJECT will do specifically what you asked.

VMXACJnnnnx messages are only displayed on the user's console.

There is no way to get them to display simultaneously on the OPERATOR or some other User ID's console.

However, all this information is written to the VM:Secure AUDIT file. This happens regardless of how you have set DISPRULE in the SECURITY CONFIG file, this information is *always* written to the AUDIT file.

So if another user on the system is having difficulty with LOGON, LINK, etc. you can process the AUDIT data using the supplied report VMXSRA to get these kinds of details to help debug the problem.

Here's the link to VM:Secure's DISPRULE record that is defined in the SECURITY CONFIG file:

https://techdocs.broadcom.com/us/en/ca-mainframe-software/traditional-management/ca-vm-secure-for-z-vm-with-security/3-2/reference/configuration-file-reference/disprule-record.html