How To Debug A Pass Ticket Problem?

Article ID: 49025

Products

CA Cleanup CA Datacom - DB CA Datacom CA Datacom - AD CA Datacom - Server CA CIS CA Common Services for z/OS CA 90s Services CA Database Management Solutions for DB2 for z/OS CA Common Product Services Component CA Common Services CA Datacom/AD CA ecoMeter Server Component FOC CA Easytrieve Report Generator for Common Services CA Infocai Maintenance CA IPC Unicenter CA-JCLCheck Common Component CA Mainframe VM Product Manager CA Chorus Software Manager CA On Demand Portal CA Service Desk Manager - Unified Self Service CA PAM Client for Linux for zSeries CA Mainframe Connector for Linux on System z CA Graphical Management Interface CA Web Administrator for Top Secret CA CA- Xpertware CA Top Secret CA Top Secret - LDAP CA Top Secret - VSE

Issue/Introduction

Description:

How do you debug a Pass Ticket problem?

Solution:

The following documentation is generally used to debug passticket problems:

  1. If the user receives a security violation with a Detailed Reason Code (DRC) of 009, then a diagtrap is needed:

    TSS MODI DIAGTRAP(1,ON,KER,AcidName,009)

    where AcidName is the name of the ACID having the issue.

    To reset:

    TSS MODI DIAGTRAP(1,OFF)

  2. Output from a TSS LIS(NDT) DATA(SESSKEY) command.

  3. If the passticket is generated and validated with the IBM RACF callable services R_ticketserv / R_GenSec, then an OMVS trace and SECTRACE will be needed.

    3-1. TSS ADD(acid) TRACE
    3-2. TSS REFRESH(acid) JOBNAME(*)
    3-3. TSS MODI(SECTRACE(ACT,WTL))
    3-4. ST SET,TYPE=OMVS,FUNC=ALL,DSN=datasetname,END (issued on the console)
    3-5. This will route all trace records to the MVS syslog....
    3-6. Recreate the problem.
    3-7. TSS MODI SECTRACE(OFF)
    3-8. ST DEL,ID=xx (issued on the console)
    3-9. TSS REM(acid) TRACE
    3-10. TSS LIST(acid) DATA(ALL,PROFILE)

The dataset named on DSN= must be pre-allocated. Make sure it is large enough to hold the trace data; otherwise the trace will stop once the dataset is full. Alternatively, omit DSN= and specify DEST=SYSLOG to send the OMVS trace output to the syslog along with the SECTRACE output.

Environment

Release: TOPSEC00200-15-Top Secret-Security