I’m seeing the following error in my SSILOG once every minute. What does it mean and how do I resolve it?
NFSU81 TRACE NMI SUBTASK INIT FOR STACK TCPIP FAILED, RC: R15=00000000 CODE: 8 SUBCODE: 0
NFSU84 TRACE NMI AUTHORIZATION ERROR, EZBRCIFR FUNCTION: OPEN RETVAL: FFFFFFFF RETCODE: 0000006F RSNCODE: 786000DC
The Summary screen in the Netmaster region is likely showing IPSD0003 for Applications, TCP Server port, Remote Networks and IP Protocol.
NFSU8* messages usually indicate access problems with the SERVAUTH class resources.
The IPSD0003 messages are a result of the access issue.
The recommended method for collecting packets changed between 12.1 and 12.2.
In 12.1, maintenance was added to allow for the use of IBM's Trace NMI for collecting packets and a new parameter was added to the SSI parms, PATRACENMI.
By default, this parameter is set to NO.
In 12.2, the IBM Trace NMI packet capture capability was delivered as part of the base product, so the PATRACENMI parameter is set to YES by default.
Use of the IBM Trace NMI requires additional security definitions, which are the same for both 12.1 and 12.2.
If these are not defined, errors will appear in the SOLVESSI log as well as the IP Summary screen in the Netmaster region.
The presence of NFSU8n messages in the SOLVE SSI log indicates access problems with the SERVAUTH class resources EZB.TRCCTL.** and EZB.TRCSEC.**.
In order for the SOLVE SSI to make use of the IBM real-time application-controlled TCP/IP trace network management interface (Trace NMI), you must define new System Authorization Facility (SAF) profiles in the SERVAUTH class and authorize the user ID assigned to the SOLVE SSI address space to the profiles.
The user ID assigned to the SOLVE SSI address space must be permitted READ access to the following resources:
- EZB.TRCCTL.sysname.tcpname.OPEN
- EZB.TRCCTL.sysname.tcpname.PKTTRACE
- EZB.TRCSEC.sysname.tcpname.IPSEC
where:
- 'sysname' specifies the MVS system name where the SOLVE SSI and TCP/IP stack are running.
- 'tcpname' specifies the TCP/IP stack name for which packet analysis is enabled.
If this has already been defined correctly, check that the SERVAUTH class is active.
If not, the command to activate it in RACF is:
SETROPTS CLASSACT(SERVAUTH).
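The definitions described above, written out as RACF TSO commands. This is an added example, not taken from the product documentation. It assumes discrete profiles with UACC(NONE), that SERVAUTH is RACLISTed on the system, and uses the placeholders sysname, tcpname and ssiuser (the user ID assigned to the SOLVE SSI address space), which must be replaced with site values; the /* */ lines are CLIST-style comments.

```tso
/* Check whether SERVAUTH appears in the active and RACLISTed   */
/* class lists before changing anything.                         */
SETROPTS LIST

/* Activate the class only if it is not already active.          */
SETROPTS CLASSACT(SERVAUTH)

/* Define the three Trace NMI profiles with no default access.   */
/* sysname and tcpname are placeholders (assumption).            */
RDEFINE SERVAUTH EZB.TRCCTL.sysname.tcpname.OPEN     UACC(NONE)
RDEFINE SERVAUTH EZB.TRCCTL.sysname.tcpname.PKTTRACE UACC(NONE)
RDEFINE SERVAUTH EZB.TRCSEC.sysname.tcpname.IPSEC    UACC(NONE)

/* Permit only the SOLVE SSI user ID, READ access only.          */
/* ssiuser is a placeholder (assumption).                        */
PERMIT EZB.TRCCTL.sysname.tcpname.OPEN     CLASS(SERVAUTH) ID(ssiuser) ACCESS(READ)
PERMIT EZB.TRCCTL.sysname.tcpname.PKTTRACE CLASS(SERVAUTH) ID(ssiuser) ACCESS(READ)
PERMIT EZB.TRCSEC.sysname.tcpname.IPSEC    CLASS(SERVAUTH) ID(ssiuser) ACCESS(READ)

/* Rebuild the in-storage profiles so the changes take effect    */
/* (assumes the class is RACLISTed).                             */
SETROPTS RACLIST(SERVAUTH) REFRESH

/* Verify: the access list of each profile should show ssiuser   */
/* with READ and no broader entries.                             */
RLIST SERVAUTH EZB.TRCCTL.sysname.tcpname.OPEN     AUTHUSER
RLIST SERVAUTH EZB.TRCCTL.sysname.tcpname.PKTTRACE AUTHUSER
RLIST SERVAUTH EZB.TRCSEC.sysname.tcpname.IPSEC    AUTHUSER
```

These profiles control access to packet trace data, so keep the access lists limited to the SSI user ID rather than raising UACC to make the NFSU84 message go away.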
If the error condition persists long enough, it can result in excessive ESQA memory consumption with expansion into ECSA.
Fix RO97641 for 12.2 prevents more than 10 occurrences of the error, which prevents the storage problems, but it does not correct the underlying problem.
WORKAROUND: until security can be corrected, set PATRACENMI to NO in the SSIPARMS.