Troubleshooting security problems
If your BMC II for z/OS security environment is not producing the expected results, you can use a variety of tools to diagnose the problem. Use the following procedure to perform checks and verify the overall status of SAF security.
To troubleshoot security problems
To verify security status, check the SYSLOG and the BBI journal for any messages that were created during BBI-SS PAS initialization. The following message is issued when security through the SAF interface is in use:
SM3209I SECURITY DEFINITIONS RETRIEVED FROM xxxxxxxx ssid
The variables are defined as follows:
- xxxxxxxx identifies whether security has been turned on from SYS1.PARMLIB in the Logical Parmlib, or the BBIPARM JCL.
- ssid is the name of the BBI-SS PAS that is secured.
Check the syntax of the TYPE=BBI statement in the BBSEC member:
- Check the SS parameter to determine that the correct BBI-SS PAS is identified. Regardless of how many BBSEC members exist in SYS1.PARMLIB of the Logical Parmlib and the BBIPARM JCL, BMC II for z/OS uses the first TYPE=BBI statement where the SS=ssid parameter matches the subsystem ID of the BBI-SS PAS. An unexpected match might occur because of wildcards (such as asterisks) in the SS=ssid parameter.
- Check the CLASS and PREFIX parameters to determine whether the correct security class and prefix are being used. If the CLASS or PREFIX parameters are not specified correctly, the defaults of CLASS=$BOOLE and PREFIX=BBM are used.
- If changes were made to a secured resource, ensure that the resource was correctly refreshed within the ESM. All changes that are made to a user's security access are dynamic. After a user's authority to access a resource is changed within the ESM, those changes are in effect for the next attempt to access that resource.
- Check the ESM's audit trail for the resource name and user ID that are being verified. Because a resource can be protected by multiple security profiles when a generic is used, you should perform the following actions:
  - Enable any tracing or auditing facilities that the ESM provides.
  - Check the output to determine exactly which resource name and user ID are being verified.
- If changes were made to the BBSEC member, ensure that the BBI-SS PAS was restarted. All information related to security is obtained from the BBSEC member during BBI-SS PAS initialization. If you make changes to BBSEC, warm start the affected BBI-SS PAS so that the updates take effect.
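The first-match rule and the CLASS/PREFIX defaults described in the steps above can be checked offline against a copy of the BBSEC statements. The following Python sketch is an added example, not BMC code; it reports which statement takes effect for a subsystem ID and which later matching statements are never used. Assumptions: the comma-separated statement layout, an asterisk meaning "any characters", the input list being in the order the statements are evaluated, and all sample values (constructed for illustration).

```python
from fnmatch import fnmatchcase

DEFAULTS = {"CLASS": "$BOOLE", "PREFIX": "BBM"}  # defaults stated on this page

def parse_statement(text):
    """Split 'TYPE=BBI,SS=ssid,...' into a keyword dict (assumed layout)."""
    pairs = (item.split("=", 1) for item in text.split(",") if "=" in item)
    return {k.strip().upper(): v.strip().upper() for k, v in pairs}

def matches(stmt, ssid):
    """True if stmt is a TYPE=BBI statement whose SS pattern covers ssid."""
    # Assumption: '*' in SS matches any run of characters.
    return stmt.get("TYPE") == "BBI" and fnmatchcase(ssid.upper(), stmt.get("SS", ""))

def effective_bbi_statement(statements, ssid):
    """Return (position, source, settings) for the first matching statement."""
    for position, (source, text) in enumerate(statements, start=1):
        stmt = parse_statement(text)
        if matches(stmt, ssid):
            # A missing CLASS or PREFIX falls back to the documented default.
            settings = {k: stmt.get(k) or DEFAULTS[k] for k in DEFAULTS}
            return position, source, settings
    return None

def shadowed_statements(statements, ssid):
    """List later statements that also match ssid but are never reached."""
    hit = effective_bbi_statement(statements, ssid)
    if hit is None:
        return []
    shadowed = []
    for position, (source, text) in enumerate(statements[hit[0]:], start=hit[0] + 1):
        stmt = parse_statement(text)
        if matches(stmt, ssid):
            shadowed.append((position, source, stmt["SS"]))
    return shadowed

# Constructed sample: (source member, statement text) in evaluation order.
SAMPLE = [
    ("SYS1.PARMLIB", "TYPE=BBI,SS=BB*,CLASS=$BBPROD,PREFIX=PROD"),
    ("BBIPARM", "TYPE=BBI,SS=BBT1,CLASS=$BBTEST,PREFIX=TST"),
    ("BBIPARM", "TYPE=BBI,SS=*"),
]

if __name__ == "__main__":
    for ssid in ("BBT1", "XYZ1"):
        print(ssid, effective_bbi_statement(SAMPLE, ssid), shadowed_statements(SAMPLE, ssid))
```

In the sample, the wildcard statement `SS=BB*` captures subsystem `BBT1` before its dedicated statement is reached, so the test subsystem is checked against the production class and prefix.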