$HASP1520 Unable To Extract Key Ring Information With JES2EDS And Top Secret

book

Article ID: 237155

calendar_today

Updated On:

Products

Top Secret

Issue/Introduction

When implementing JES2EDS (Email Delivery Service) on z/OS 2.5, the following errors occur at startup of JES2EDS:

$HASP1520 Unable to extract key ring information.
$HASP1522 Unable to locate z/OSMF server.
*$HASP1523 Unable to connect to z/OSMF server.
$HASP1520 Unable to extract key ring information.
$HASP1522 Unable to locate z/OSMF server.
*$HASP1523 Unable to connect to z/OSMF server.
$HASP1520 Unable to extract key ring information.

Environment

Release : 16.0

Component : Top Secret for z/OS

Resolution

This is a timing issue. The SYSLOG shows the start for Top Secret is requested before the start for JES2:

18:07:44.81 INTERNAL 00000290  S tssproc,SUB=MSTR
18:07:44.81 INTERNAL 00000290  S JES2,PARM=(WARM,NOREQ)

But JES2 starts slightly before Top Secret (note the bypass user IDs assigned prefixed with the '+' character):

18:08:02.63          00000281  IEF695I START JES2     WITH JOBNAME JES2     IS ASSIGNED TO USER +JES2  
18:08:02.63          00000090  IEF403I JES2 - STARTED - TIME=18.08.02
18:08:02.67          00000281  IEF695I START tssproc  WITH JOBNAME tssproc  IS ASSIGNED TO USER +tssacid
18:08:02.67          00000090  IEF403I tssproc - STARTED - TIME=18.08.02    

And much of JES2 processing completes prior to Top Secret becoming fully active. This includes the JES2 Quick Start processing which appears to be responsible for starting the JES2EDS address space:

18:08:05.59          00000090 *$HASP493 JES2 MEMBER-MVS3(1) QUICK START IS IN PROGRESS - z22 MODE
18:08:05.88          00000090  $HASP492 JES2 MEMBER-MVS3(1) QUICK START HAS COMPLETED - z22 MODE

Next is the start of the JES2EDS address space with an STC identifier of STC00487:

18:08:06.31          00000281  IEF196I         1 //IEESYSAS JOB TIME=NOLIMIT,REGION=0M,
18:08:06.31          00000281  IEF196I           // MSGLEVEL=1                  
18:08:06.31          00000281  IEF196I         2 //JES2EDS  EXEC IEESYSAS,[email protected]
18:08:06.32          00000090  IEF403I IEESYSAS - STARTED - TIME=18.08.06  

Since Top Secret has not completed initialization, neither the JES2 or the JES2EDS address spaces are running under the security of a Top Secret user.  This leads to the JES2EDS communication failure messages:

18:08:07.39 STC00487 00000090  $HASP1520 Unable to extract key ring information.
18:08:07.39 STC00487 00000090 *$HASP1523 Unable to connect to z/OSMF server.  

Top Secret finally becomes fully active and new started tasks after this point are assigned Top Secret users from the STC table:

18:08:09.80 STC00489 00000281 *TSS9000I CA TOP SECRET 16.0 KO ACTIVE

18:08:09.85 STC00490 00000090  $HASP100 xxxxxx  ON STCINRDR    BMC xxxxxxx
18:08:09.86 STC00490 00000281  TSS7000I acid LAST-USED 17 FEB 22 08:59 SYSTEM=ssss FACILITY=STC

The information at the following link states:

https://www.ibm.com/docs/en/zos/2.4.0?topic=jeds-retrying-communications

**
If JES2 EDS fails to communicate with the z/OSMF server, JES2 is not able to send email messages. A communication failure is reported with a number of diagnostic messages that explain the specific problem, followed by the message HASP1523, Unable to connect to z/OSMF server.

In most cases, JES2 EDS is able to automatically detect changes in the state of the z/OSMF server and to retry communications without operator intervention. However, there are some configuration changes that JES2 EDS is unable to detect automatically. In these cases, you can use the JES2 operator command $S EDS to force JES2 EDS to retry communications.
**

It is recommended that once Top Secret is active, you try the $S EDS command to see if it will trigger some security activity that will log on the STC user and allow the communications to complete. If that does not work, then you need to come up with a plan to make sure Top Secret is fully active prior to the start of JES2/JES2EDS.