Skip to Content

Troubleshooting

You can use the information on this page to troubleshoot issues in BMC AMI Security Policy Manager (SPM).

Issues occur when you start SPM for the first time

Issue: Issues sometimes occur when you start BMC AMI Security Policy Manager for the first time.

Possible cause: The problems are usually due to unresolved issues during the installation process. Sometimes they are due to RACF or Top Secret authority issues, or other post-installation setup issues.

User action: To identify the cause of the issue, look for SPM-prefixed error messages in the printed output from the SPM JESMSGLG, JESYSMSG, and RSSPRINT data sets and in the MVS console output. All SPM messages are explained in the Messages library.

Verify that the following requirements are met:

  • The SPM load library is APF-authorized.
  • The correct RACF or Top Secret resources and user READ authorities are defined.
  • If RACF or Top Secret resources are defined in anything other than the FACILITY class, the alternative class is specified on the ClassName parameter in the configuration data set.
  • The JCL refers to the correct configuration data set (DD name RSSPARM).
  • The CustomerID and CustomerKey parameters are correct. SPM does not start if the combination of these parameters is invalid and inaccurate.

When SPM is running as expected, you are ready to configure parameters.

SPM doesn't start on an ACF2 system

Issue: SPM doesn't start on a Broadcom ACF2 system.

Possible cause: SPM uses the ACCESS command to obtain the list of logon IDs (LIDs) that have access to a resource. If the GSO OPTS record displays NOACCESS, then SPM doesn't start and it displays the following message:

SPM0588E The ACF2 ACCESS Command is required for ACF2 SPM.  ACCESS SUBCMD must be ENABLED.

User action: To use SPM for ACF2, you must enable the ACF2 ACCESS command in the GSO OPTS record, which then obtains the required resource access information.

As a security administrator, perform the following steps:

  1. In the SPM ISPF panel, select option 6 and set the following global system options (GSO) record:

    ACF
    ​​​​​​SET CONTROL(OPTS)
    LIST OPTS

  2. If ACF2 displays the ACCESS keyword, then the setup is completed and ready. However, if you see the NOACCESS keyword, issue the following command:

    CHANGE OPTS ACCESS

  3. Issue the following command from the console or in ACF2 to refresh the OPTS record:

    F ACF2,REFRESH(OPTS)

  4. Issue the following command from the console or in ACF2 to ensure that the cross-reference tables reflect the new mappings:

    F ACF2,NEWUID

    Issuing these commands ensures that you have fully enabled ACCESS.

  5. Issue the SHOW ACF2 command to confirm that the GSO record has been successfully updated. Make sure that ACCESS SUBCMD=ENABLED is displayed as illustrated in the following example:

    OPTIONS IN EFFECT:
    %CHANGE=ALLOWED          ACCESS SUBCMD=ENABLED    BYPASS STATS=YES   

SPM UI times out when accessing ACF2 reports

Issue: The SPM UI times out when you try to access ACF2 reports and logs you out, resulting in the inability to review data in ACF2 reports.

User action: Specify the keyword InactivityTimeout in the HTTPServer section of the parmlib member and adjust the number of seconds of inactivity before you are timed out. The default value is 15 seconds, but you can specify a value between 3 to 43,200 seconds.

Warning

Important

The earliest supported release for ACF2 in SPM is SPE2510. If you are running an earlier release of SPM and want to run ACF2 reports, you must upgrade to at least SPE2510.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC AMI Security Policy Manager 2.3