Troubleshooting Datacom Security Failures at MUF Startup
Article ID: 250689
Updated On:
Products
Issue/Introduction
When starting a MUF that has been recently converted to use External Security capabilities, there are three main areas of potential problems:
- The MUF Startup Options for SECURITY
- The attributes for the user under which the MUF is started
- The ESM configuration for specific Datacom classes
This article will give some tips on troubleshooting a MUF startup failure or a MUF startup when External Security is not enabled as expected.
This is not meant to be an extensive primer on using security; instead, it is designed to be a high-level overview of the pieces that need to be in place.
Environment
Release : any
Component : Datacom/AD
Component : Datacom/DB
ESM: RACF
Resolution
When a MUF is started with the expectation of using External Security definitions but error messages are presented that indicate a problem, here are some things to check:
The MUF Startup Options for SECURITY
In order to use External Security to control access to your databases and their data, you need to add entries to your MUF Startup Options to identify up to 10 distinct access paths. These paths are identified via the SECURITY values in the MUF Startup Options. Here is an example of a simple configuration:
SECURITY DBDCSCI,DBDCSCQ,DBDCRCI,DBDCRCQ,DBDCRAQ
SECURITY DBDCSSR,DBDCRSR,DBDCSQL,DBDCSQQ,DBDCRAT
If these options are not found in your MUF SYSIN, please refer to the description for the SECURITY option in the documentation section Modify MUF Startup Options and Console Commands.
The attributes for the user under which the MUF is started
The userid/logonid that is used to start the MUF must be defined carefully, and because of the architecture of Datacom External Security, certain privileges that bypass explicit authorizations are not allowed. For example, a non-cancelable user or a user that can access any resource even if not defined is not allowed. For RACF, this is commonly seen as a result of the TRUSTED or PRIVILEGED attributes.
Use the following RACF command to check if the userid has these special attributes:
RLIST STARTED muf_userid.* STDATA NORACF
To change it to the desired settings, use these commands:
RALTER STARTED muf_userid.* STDATA(USER(muf_userid) GROUP(stc-group) NOTRUSTED NOPRIVILEGED)
SETROPTS RACLIST(STARTED) REFRESH
The ESM configuration for specific Datacom classes
This section deals with the main setup for using External Security. The Datacom configuration has four primary classes of rules, and these are used to handle administrative access, identifying which functions use External Security or not, different utility functions and their control, and the access to data in specific tables in the databases. As noted above, there is an extensive explanation of this in the Security Overview documentation (see link below), so details on how to create this are not discussed here.
To see your current definitions for these classes, use these commands:
RLIST DT@DMIN * AUTHUSER
RLIST DT@YSTEM * AUTHUSER
RLIST DT@TIL * AUTHUSER
RLIST DC@ABLE * AUTHUSER
(Note that this class is called D"C"@ABLE because of the MUF SECURITY option values of DBD"C"SCI (or others). If using SECURITY DBDFSCI, you would RLIST class DF@ABLE. Here are the possible values for this resource:
- DC@ABLE
- DF@ABLE
- DG@ABLE
- DH@ABLE
- DP@ABLE
- DQ@ABLE
- DR@ABLE
- DS@ABLE
- DT@ABLE
- DX@ABLE
Additional Information
This article will hopefully help you find and correct the errors preventing the MUF from starting as you would like. For more information about using External Security with Datacom, please refer to the Security Overview section of the Datacom Core 15.1 documentation.
As always, please contact Broadcom support for Datacom if you have further questions.
Feedback
