How To Debug A Pass Ticket Problem?

Article ID: 49025

Products

Cleanup Datacom DATACOM - AD CIS COMMON SERVICES FOR Z/OS 90S SERVICES DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS COMMON PRODUCT SERVICES COMPONENT Common Services CA ECOMETER SERVER COMPONENT FOC EASYTRIEVE REPORT GENERATOR FOR COMMON SERVICES INFOCAI MAINTENANCE IPC UNICENTER JCLCHECK COMMON COMPONENT Mainframe VM Product Manager CHORUS SOFTWARE MANAGER CA ON DEMAND PORTAL CA Service Desk Manager - Unified Self Service PAM CLIENT FOR LINUX ON MAINFRAME MAINFRAME CONNECTOR FOR LINUX ON MAINFRAME GRAPHICAL MANAGEMENT INTERFACE WEB ADMINISTRATOR FOR TOP SECRET Xpertware Top Secret Top Secret - LDAP Top Secret - VSE

Issue/Introduction

Description:

How do you debug a Pass Ticket problem?

Solution:

The following documentation is generally used to debug passticket problems:

  1. If the user receives a security violation with a Detailed Reason Code (DRC) of 009, then a diagtrap is needed:

    TSS MODI DIAGTRAP(1,ON,KER,AcidName,009) where AcidName is the name of the ACID having the issue.

    To reset:

    TSS MODI DIAGTRAP(1,OFF)

  2. Output from a TSS LIS(NDT) DATA(SESSKEY) command.

  3. If the passticket is generated and validated with the IBM RACF callable services R_ticketserv / R_GenSec, then an OMVS trace and SECTRACE will be needed.

    3-1. TSS ADD(acid) TRACE
    3-2. TSS REFRESH(acid) JOBNAME(*)
    3-3. TSS MODI(SECTRACE(ACT,WTL))
    3-4. ST SET,TYPE=OMVS,FUNC=ALL,DSN=datasetname,END (issued on the console)
    3-5. This will route all trace records to the MVS syslog....
    3-6. Recreate the problem.
    3-7. TSS MODI SECTRACE(OFF)
    3-8. ST DEL,ID=xx (issued on the console)
    3-9. TSS REM(acid) TRACE
    3-10. TSS LIST(acid) DATA(ALL,PROFILE)

The data set named on DSN= must be pre-allocated. Make sure it is large enough to hold the trace data; otherwise the trace will stop once it is full. Alternatively, omit DSN= and specify DEST=SYSLOG to send the OMVS trace output to the syslog along with the SECTRACE output.

Environment

Release: TOPSEC00200-15-Top Secret-Security