Commands


BMC AMI Security Policy Manager provides commands that you can issue from the IBM MVS console by using the MVS Modify command. For example, to set the message level to trace RACF commands and responses, use the following command:

F RSS,SETMSG RACFTRACE

Authorized users can issue commands from the Tools option in the web interface.

To issue commands from the web interface

  1. In Security Policy Manager, click Menu, then click Tools.
  2. From the RSS Commands menu, select a command, or select Custom Command.
  3. Enter a command in the pop-up window and click Submit.

The following figure is an example of the command response:

[Figure: tools_rssCommands.png]

The following commands are supported by Security Policy Manager:

[ ADDUDSN ] [ ALLOWLIST ] [ APPS ] [ CHKPT ] [ CSA ] [ DBREFRESH ] [ DS ] [ EXECCAT ] [ EXECRULE ] [ HASH ] [ IMPORTDATASET ] [ LOADRULE ] [ LOADRULES ] [ RESETMSG ] [ SERVERS ] [ SESS ] [ SETMSG ] [ SHOWRULES ] [ SHUTDOWN ] [ SMF ] [ SYS ] [ TASKS ] [ TSO ]

ADDUDSN

The ADDUDSN dataSetName command adds a user data set dynamically to the in-storage list of user data sets.

To make permanent a user data set that is dynamically added, add it to the DatasetFilters section as described in Configuring-parameters.

ALLOWLIST

The ALLOWLIST command lists the active Security Policy Manager allowlists that are in use on the server.

The command response presents the allowlist name and the user IDs that belong to the list. For example:

SPM0546I AllowList TROUBLESHOOT   
SPM0547I    Userid X000001  TRBL1 
SPM0546I AllowList SYSPROG        
SPM0547I    Userid X000003  SYSPG2
SPM0547I    Userid X000002  SYSPG1

The information is returned to the requesting user and logged in the console.
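
The ALLOWLIST response format shown above can be parsed and compared with an approved membership baseline to spot drift. The following is an added example, not BMC code: the baseline is constructed, and treating the first token after Userid as the user ID is an assumption, because the page does not label the two fields.

```python
import re

# Message IDs and line layout are taken from the sample response on this page.
LIST_RE = re.compile(r"^SPM0546I\s+AllowList\s+(\S+)\s*$")
USER_RE = re.compile(r"^SPM0547I\s+Userid\s+(\S+)(?:\s+(\S.*?))?\s*$")

def parse_allowlists(response):
    """Return {allowlist name: set of user IDs} from ALLOWLIST output."""
    lists, current = {}, None
    for raw in response.splitlines():
        line = raw.strip()
        m = LIST_RE.match(line)
        if m:
            current = lists.setdefault(m.group(1), set())
            continue
        m = USER_RE.match(line)
        if m:
            if current is None:
                raise ValueError("SPM0547I before any SPM0546I: " + line)
            # Assumption: the first token after "Userid" is the user ID.
            current.add(m.group(1))
    return lists

def diff_against_baseline(observed, baseline):
    """Return (unexpected, missing) as sorted lists of (allowlist, userid)."""
    unexpected, missing = [], []
    for name in sorted(set(observed) | set(baseline)):
        obs, exp = observed.get(name, set()), baseline.get(name, set())
        unexpected += [(name, u) for u in sorted(obs - exp)]
        missing += [(name, u) for u in sorted(exp - obs)]
    return unexpected, missing

# Response text copied from the example on this page.
SAMPLE = """\
SPM0546I AllowList TROUBLESHOOT
SPM0547I    Userid X000001  TRBL1
SPM0546I AllowList SYSPROG
SPM0547I    Userid X000003  SYSPG2
SPM0547I    Userid X000002  SYSPG1
"""

# Constructed baseline of approved membership (hypothetical values).
BASELINE = {"TROUBLESHOOT": {"X000001"}, "SYSPROG": {"X000002", "X000004"}}

if __name__ == "__main__":
    unexpected, missing = diff_against_baseline(parse_allowlists(SAMPLE), BASELINE)
    print("unexpected members:", unexpected)
    print("missing members:", missing)
```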

APPS

The APPS command lists the active Security Policy Manager applications that are running on the server and connected to the server.

The command response presents the following information:

| Heading | Description |
|---|---|
| LPAR | LPAR name |
| APP | Application that is running |
| JOB | Job name of the address space in which it is running |

CHKPT

The CHKPT command displays checkpoint data set statistics.

CSA

The CSA command displays details of the CSA block used by Security Policy Manager.

The command response presents the following information:

| Heading | Description |
|---|---|
| JOBNAME | Job name |
| ASID | Address space ID |
| ALET | ALET used internally for communications |
| DATASPACE | Data space name being used |
| CMAI | Cross-memory application interface address |

DBREFRESH

The DBREFRESH command refreshes the Security Policy Manager database and performs database housekeeping.

Important

The DBREFRESH command forces a full analysis of many system entities, so frequent use of the command might result in higher CPU utilization.

DS

The DS command displays details of the master data space.

The command response presents the following information:

| Heading | Description |
|---|---|
| DATASPACE | Data space name |
| INDEX START | Address of the data space index |
| INDEX TOP | Address of the top element in the index |
| INDEX CURRENT | Address of the current element in the index |
| INDEX END | Address of the last element in the index |
| DATA START | Start address of the data section |
| DATA CURRENT | Address of the current element |
| DATA END | End address of the data section |
| STATUS | Active and inactive status of the data space |
| TOTAL BLOCKS | Total number of blocks in the data space |
| LOW WATER MARK | Data space low watermark |
| HIGH WATER MARK | Data space high watermark |
| EXPANSION COUNT | Number of expansions that have occurred |
| CHECKPOINT COUNT | Number of checkpoint operations that have occurred |
| POOL | Pool number |
| BLOCK LENGTH | Block length of entries in the pool |
| ALLOCATED | Number of pool entries allocated |
| DEALLOCATED | Number of pool entries deallocated |
| TOP BLOCK | Top of the element queue |
| BOTTOM BLOCK | Bottom of the element queue |

EXECCAT

The EXECCAT category command runs all compliance tests for the specified category.

EXECRULE

The EXECRULE memberName command runs the specified single rule.

HASH

The HASH command displays statistics on the Security Policy Manager hash table.

The command response presents the following information:

| Heading | Description |
|---|---|
| &PID | Process ID address |
| TOKEN | Hash token |
| ADDRESS | Address of the hash token |

IMPORTDATASET

(SPE2107)

To use the ImportDataset command, make sure that you have READ (or higher) access to the BMC.RSS.SPMIMPRT security management resource, which is in the FACILITY class by default.

The IMPORTDATASET command imports SQL data from a data set. The specified data set is passed as the argument for the command.

For example, to import data set MYHLQ.SPMV21.CUSTOM01 into the Security Policy Manager started task server, use the following command:

IMPORTDATASET MYHLQ.SPMV21.CUSTOM01

For more information, see Adding-custom-tables.

LOADRULE

The LOADRULE memberName command reloads the specified rule from the Rules data set.

LOADRULES

The LOADRULES command reloads the entire compliance rule set, including the INDEX member from the Rules data set.

Use the command to dynamically reload the rule set after the INDEX has been modified or a high number of rule definitions have been changed.

RESETMSG

The RESETMSG messageLevel command resets a previously set message level. For more information, see SETMSG in this topic.

The messageLevel parameter settings are the same as for the MessageLevel configuration parameter. For more information about the MessageLevel parameter, see Configuring-parameters.

You can use any of the message levels detailed for the SETMSG command with the RESETMSG command.

SERVERS

The SERVERS command lists the active Security Policy Manager servers and their status.

The command response presents the following information:

| Heading | Description |
|---|---|
| SERVER ID | Server ID |
| SERVER NAME | Name of the server |
| IP ADDRESS | IP address of the server |
| PORT | Port the server listens on |
| STATUS | Status of the server |

SESS

The SESS command displays active Security Policy Manager sessions.

The command response presents the following information:

| Heading | Description |
|---|---|
| USERID | RACF user ID |
| IP ADDRESS | IP address of the session |
| LOGON | Time of logon |
| ACTIVITY | Time of last activity |
| KEEPALIVE | Time of the last KEEPALIVE operation |

SETMSG

The SETMSG messageLevel command sets a new message level.

Normally, the MessageLevel parameter in the configuration data set is set to Info and Error so that only information and error messages are written to SYSOUT. For more information about the MessageLevel parameter, see Configuring-parameters.

If you experience issues with Security Policy Manager, you might need to switch one or more of the tracing message levels on and off. You can do this dynamically by using SETMSG and RESETMSG, which avoids having to recycle the product.

The messageLevel parameter settings are the same as for the MessageLevel parameter:

| Message level | Description |
|---|---|
| Error | Output error messages |
| Info | Output information messages |
| HTTPTrace | Traces HTTP traffic generated by user interactions with the Security Policy Manager browser interface |
| RACFTrace | Traces all RACF commands and their output responses |
| TCPTrace | Traces all TCP communications including SSL exchanges when using HTTPS protocol |
| XCFTrace | Traces all XCF communications |
| DLLTrace | Traces key DLL calls |
| APPTRACE | Activates trace for application supplied diagnostic information |
| BufTrace | Traces data in all traced exchanges as well as protocol information |
| DLLTrace | Traces DLL calls |
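
Because trace levels are switched on and off dynamically, it is useful to check which ones are still active after a troubleshooting session. The following is an added example, not BMC code: it replays a constructed list of commands and reports trace levels that were set but never reset, assuming one message level per command and that RESETMSG switches the named level off.

```python
import re

# Message levels from the table on this page. The page's own example
# (SETMSG RACFTRACE) suggests case does not matter, so match case-insensitively.
LEVELS = ["Error", "Info", "HTTPTrace", "RACFTrace", "TCPTrace",
          "XCFTrace", "DLLTrace", "APPTRACE", "BufTrace"]
CANON = {name.upper(): name for name in LEVELS}
BASE = {"Error", "Info"}  # the normal MessageLevel setting per this page

# Optional MVS Modify prefix ("F task," or "MODIFY task,"), then the command.
CMD_RE = re.compile(
    r"^(?:(?:F|MODIFY)\s+\S+?,\s*)?(SETMSG|RESETMSG)\s+(\S+)\s*$", re.I)

def active_levels(commands, initial=BASE):
    """Replay commands in order; return (active levels, unrecognised tokens)."""
    active, unknown = set(initial), []
    for cmd in commands:
        m = CMD_RE.match(cmd.strip())
        if not m:
            continue  # some other command, for example SESS
        verb, level = m.group(1).upper(), CANON.get(m.group(2).upper())
        if level is None:
            unknown.append(m.group(2))
        elif verb == "SETMSG":
            active.add(level)
        else:
            active.discard(level)
    return active, unknown

def traces_left_on(commands):
    """Levels beyond the normal Info and Error that remain active."""
    active, _ = active_levels(commands)
    return sorted(active - BASE)

# Constructed command history (console and web-interface forms mixed).
COMMANDS = [
    "F RSS,SETMSG RACFTRACE",
    "F RSS,SETMSG TCPTrace",
    "F RSS,SESS",
    "F RSS,RESETMSG RACFTrace",
    "SETMSG BufTrace",
    "F RSS,SETMSG SQLTRACE",  # hypothetical token, not a level on this page
]

if __name__ == "__main__":
    print("still tracing:", traces_left_on(COMMANDS))
    print("unrecognised:", active_levels(COMMANDS)[1])
```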

SHOWRULES

The SHOWRULES memberName command lists the currently defined compliance rules. This command does not require any parameters.

The command response presents the following information:

| Heading | Description |
|---|---|
| RULE | Rule name |
| LAST RUN | Time last run |
| NEXT RUN | Calculated time of the next run |
| FAILURES | Number of failures |
| REFERENCE | Reference from the rule definition |

SHUTDOWN

The SHUTDOWN command performs a controlled shutdown of Security Policy Manager.

Tip

You can also shut down Security Policy Manager by using the standard MVS P SPM command.

No confirmation of the command is required. The output displays the following message and the shutdown begins:

RSS0155I Shutdown command accepted

No further output is displayed because the product is shutting down and loses connection to its GUI interface. The Security Policy Manager address space shuts down as soon as it has cleanly terminated any active or waiting tasks.

SMF

The SMF command displays details of the master data space SMF exits.

The command response presents the following information:

| Heading | Description |
|---|---|
| EXIT CALLS | Number of times the exit has been called |
| RECORDS SELECTED | Number of records selected |
| RECORDS ROUTED | Number of records routed to Security Policy Manager for further processing |
| SLAVE STATUS | Internal status |

SYS

The SYS command displays all Security Policy Manager instances running on the sysplex.

The command response presents the following information:

| Heading | Description |
|---|---|
| SYSPLEX | Sysplex name |
| SYSID | LPAR name within the sysplex |
| JOBNAME | Security Policy Manager job name |
| STATUS | Active, Inactive, or Ready |
| SERVER | Whether the HTTP server is running on that LPAR |
| ESM | (SPE2104) RACF, TSS, or ACF2 |

TASKS

The TASKS command displays active Security Policy Manager tasks.

The command response presents the following information:

| Heading | Description |
|---|---|
| RSS TASK | Name of the RSS task |
| ADDRESS | Address of the RSS task |
| TCB ADDRESS | Task's TCB address |
| THREAD ID | Task's thread ID |
| PARM | Address of the task's parm |
| EVENT QUEUE | Event queue address |
| USER FIELDS 0-2 | User fields related to the task |
| USERFIELDS 3-5 | User fields related to the task |

TSO

The TSO command displays active Security Policy Manager TSO address space details.

 
