How do you debug a Pass Ticket problem with Top Secret?
Resolution
The following documentation is generally used to debug passticket problems:
1. If the user receives a security violation with a Detailed Reason Code (DRC) of 009, then a DIAGTRAP is needed:
TSS MODI DIAGTRAP(1,ON,KER,acid,009,*,*,1)
where 'acid' is the ACID having the issue.
To reset:
TSS MODI DIAGTRAP(1,OFF)
2. Output from a TSS LIS(NDT) DATA(SESSKEY) command.
3. If the passticket is generated and validated with the IBM RACF callable services R_ticketserv / R_GenSec, then an OMVS trace and SECTRACE will be needed:
3-1. TSS ADD(acid) TRACE
3-2. TSS REFRESH(acid) JOBNAME(*)
3-3. TSS MODI(SECTRACE(ACT,WTL))
3-4. ST SET,TYPE=OMVS,FUNC=ALL,DSN=datasetname,END (issued on the console)
3-5. This will route all trace records to the MVS syslog....
3-6. Recreate the problem.
3-7. TSS MODI SECTRACE(OFF)
3-8. ST DEL,ID=xx (issued on the console)
3-9. TSS REM(acid) TRACE
3-10. TSS LIST(acid) DATA(ALL,PROFILE)
The dataset named in DSN= must be pre-allocated. Make sure it is large enough to hold the trace data; otherwise the trace will stop once the dataset is full. Alternatively, omit DSN= and specify DEST=SYSLOG to send the OMVS trace output to the syslog along with the SECTRACE output.