How do you debug a Pass Ticket problem?
The following documentation is generally used to debug passticket problems:
- If the user receives a security violation with a Detailed Reason Code (DRC) of 009, then a diagtrap is needed:
TSS MODI DIAGTRAP(1,ON,KER,AcidName,009) where AcidNAme is the acid name of acid having the issue.
TSS MODI DIAGTRAP(1,OFF)
- Output from a TSS LIS(NDT) DATA(SESSKEY) command.
- If the passticket is generated and validated with the IBM RACF callable services R_ticketserv / R_GenSec, then an OMVS trace and SECTRACE will be needed.
3-1. TSS ADD(acid) TRACE
3-2. TSS REFRESH(acid) JOBNAME(*)
3-3. TSS MODI(SECTRACE(ACT,WTL))
3-4. ST SET,TYPE=OMVS,FUNC=ALL,DSN=datasetname,END (issued on the console)
3-5. This will route all trace records to the MVS syslog....
3-6. Recreate the problem.
3-7. TSS MODI SECTRACE(OFF)
3-8. ST DEL,ID=xx (issued on the console)
3-9. TSS REM(acid) TRACE
3-10. TSS LIST(acid) DATA(ALL,PROFILE)
The dataset for the DSN= must be pre-allocated. Please make sure it is large enough to hold enough trace data otherwise the trace will stop once is full. You can also don't specify DSN= and specify DEST=SYSLOG to have the OMVS trace output going to the syslog along with the SECTRACE output.