Skip to Content

Troubleshooting

You can use the information on this page to troubleshoot issues in BMC AMI Security Policy Manager (SPM).

Issues occur when you start SPM for the first time

Issue: Issues sometimes occur when you start BMC AMI Security Policy Manager for the first time.

Possible cause: The problems are usually due to unresolved issues during the installation process. Sometimes they are due to RACF or Top Secret authority issues, or other post-installation setup issues.

User action: To identify the cause of the issue, look for SPM-prefixed error messages in the printed output from the SPM JESMSGLG, JESYSMSG, and RSSPRINT data sets and in the MVS console output. All SPM messages are explained in the Messages library.

Verify that the following requirements are met:

  • The SPM load library is APF-authorized.
  • The correct RACF or Top Secret resources and user READ authorities are defined.
  • If RACF or Top Secret resources are defined in anything other than the FACILITY class, the alternative class is specified on the ClassName parameter in the configuration data set.
  • The JCL refers to the correct configuration data set (DD name RSSPARM).
  • The CustomerID and CustomerKey parameters are correct. SPM does not start if the combination of these parameters is invalid and inaccurate.

When SPM is running as expected, you are ready to configure parameters.

SPM doesn't start on an ACF2 system

Issue: SPM doesn't start on a Broadcom ACF2 system.

Possible cause: SPM uses the ACCESS command to obtain the list of logon IDs (LIDs) that have access to a resource. If the GSO OPTS record displays NOACCESS, then SPM doesn't start and it displays the following message:

SPM0588E The ACF2 ACCESS Command is required for ACF2 SPM.  ACCESS SUBCMD must be ENABLED.

User action: To use SPM for ACF2, you must enable the ACF2 ACCESS command in the GSO OPTS record, which then obtains the required resource access information.

As a security administrator, perform the following steps:

  1. In the SPM ISPF panel, select option 6 and set the following global system options (GSO) record:

    ACF
    ​​​​​​SET CONTROL(OPTS)
    LIST OPTS

  2. If ACF2 displays the ACCESS keyword, then the setup is completed and ready. However, if you see the NOACCESS keyword, issue the following command:

    CHANGE OPTS ACCESS

  3. Issue the following command from the console or in ACF2 to refresh the OPTS record:

    F ACF2,REFRESH(OPTS)

  4. Issue the following command from the console or in ACF2 to ensure that the cross-reference tables reflect the new mappings:

    F ACF2,NEWUID

    Issuing these commands ensures that you have fully enabled ACCESS.

  5. Issue the SHOW ACF2 command to confirm that the GSO record has been successfully updated. Make sure that ACCESS SUBCMD=ENABLED is displayed as illustrated in the following example:

    OPTIONS IN EFFECT:
    %CHANGE=ALLOWED          ACCESS SUBCMD=ENABLED    BYPASS STATS=YES   

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC AMI Security Policy Manager 2.3