praveenedward_2009
New User
Joined: 26 Aug 2009 Posts: 21 Location: Chennai
Hi,
I am getting the message given below in one of the system LPARs. This check runs every 45 mins.
M 4040000 HCLZ9 09233 08:45:11.89 STC04738 00000090
*HZS0003E CHECK(IBMRACF,RACF_SENSITIVE_RESOURCES): 533
D 533 00000090 IRRH204E the RACF_SENSITIVE_RESOURCES check has found one or
E 533 00000090 more potential errors in the security controls on this system.
I need to resolve this exception. I tried the following to run the check in debug mode.
F HZSPROC,UPDATE,CHECK=(IBMRACF,RACF_SENSITIVE_RESOURCES),DEBUG=ON
the result was
NC0000000 HCLZ9 09237 12:05:38.12 HCLZ9 00000290 F HZSPROC,UPDATE,CHECK=(IBMRACF,RACF_SENSITIVE_RESOURCES),DEBUG=ON
MR0000000 HCLZ9 09237 12:05:38.13 STC04738 00000090 HZS0400I CHECK(IBMRACF,RACF_SENSITIVE_RESOURCES): 064
I also tried with the diagnosis option
F HZSPROC,DISPLAY,CHECKS,CHECK=(IBMRACF,RACF_SENSITIVE_RESOURCES),DIAG
which results in the display as
DR 107 00000090 INTERNAL DIAGNOSTICS - CHECK TOKEN: 01020038.7FD8F000
DR 107 00000090 ROUTINE: IRRHCR00-7EF991C8 MSGTBL: IRRHCM00-7EF97B98 FUNC: CLEANUP
ER 107 00000090 LAST CPU TIME: 535.736 MAX CPU TIME: 564.326
In the attachment (Word doc) I get the "APF Dataset Report", which has datasets with status "e" (exception) and "v" (volume exception).
Let me know how to resolve these exceptions. I tried to delete a few of the datasets for volume exceptions.
praveenedward_2009
New User
Joined: 26 Aug 2009 Posts: 21 Location: Chennai
Adding to my post as mentioned above..
a) If I disable/deactivate the policy (Health Check, through the Modify command / SDSF), this will work as a temporary fix till we do an IPL on that LPAR, right? I would go in for a permanent fix. In this case, please let me know the right approach.
Thanks & regards
Praveen
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007 Posts: 10888 Location: italy
Quote: |
D 533 00000090 IRRH204E the RACF_SENSITIVE_RESOURCES check has found one or
E 533 00000090 more potential errors in the security controls on this system.
I need to resolve this exception |
well...
stop whining
read and understand the health check output
work with the systems support to fix the issue
do not post attachments, not everybody is authorized to unload them
by the way, what is it that You, Your support do not understand in the report
everything is spoken in clear words
fix the IEAAPF parmlib member
since we do not have access to Your system we cannot do the work You are getting paid for
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007 Posts: 10888 Location: italy
follow on
Quote: |
If I disable /deactivate the policy ( Health Check - Through Modify command / SDSF ) this will work as a temporary fix ? |
depends what You, Your security audit team, Your support, define as temporary fix
seems a <stupid> question to me
like asking if disabling the high oil pressure indicator will fix a high oil pressure issue
praveenedward_2009
New User
Joined: 26 Aug 2009 Posts: 21 Location: Chennai
Thanks for the reply message.
Actually, I am only the system support and system admin. We are not in production yet on this LPAR and I am trying to check the pros and cons through a temporary fix first, if it can be worked on.
I am new to the systems side and I am learning bit by bit by going through manuals. So I need to have a fair suggestion on what needs to be done for this exception. There is no requirement as such that it needs to be a temporary fix / permanent fix to avoid the exception.
I need to have the best solution here. Please advise me on the same.
Thanks
Praveen
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007 Posts: 10888 Location: italy
Quote: |
So I need to have a fair suggestion on what needs to be done for this exception
|
You were already given a reply... fix the IEAAPF parmlib member
Quote: |
Actually,I am only the system support and system admin. |
ask Your organization to give You proper training
and gain experience by working side by side with more experienced people
managing and supporting a complex system is not something that can be learned only on the manuals
since this is not the first LPAR it should not be difficult to
find help within Your organization
looks very expensive from any point of view to have an LPAR supported by only one unexperienced person
nevilh
Active User
Joined: 01 Sep 2006 Posts: 262
Quote: |
ask Your organization to give You proper training
and gain experience by working side by side with more experienced people
looks very expensive from any point of view to have an LPAR supported by only one unexperienced person
|
Hi Enrico, you are obviously one of the lucky ones who is working for an enlightened company. The places I tend to end up have cancelled all training courses as they are too expensive; gaining experience by working with others more experienced is impossible, as if you can find someone the chances are they are in a different timezone and speak a different language. As for your last point, nowadays this tends to be the norm. I was recently working for a site (in the US) where the upgrade from z/OS 1.8 to z/OS 1.10 was done by operating. They received tapes to restore and a set of instructions on what to do and off they went. Management was then surprised when it did not work first time... but very happy as they saved money. Unfortunately the idea of training staff seems to have fallen by the wayside... much too expensive
praveenedward_2009
New User
Joined: 26 Aug 2009 Posts: 21 Location: Chennai
Can anyone explain to me how to resolve the exception
D 533 00000090 IRRH204E the RACF_SENSITIVE_RESOURCES check has found one or
E 533 00000090 more potential errors in the security controls on this system.
With respect to my earlier question, if I disable the policy check through the below mentioned command
f hzsproc,deactivate,check=(IBMRACF,RACF_SENSITIVE_RESOURCES),exitrtn=IRRHCA00
it worked fine and I can see the policy is deactivated, but this is a temp fix. How can we go for a permanent fix? Please let me know on the same.
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007 Posts: 10888 Location: italy
looks like You are not capable of reading...
what is that You did not understand in my previous replies
You were already told what to do to fix the issue ...
look at the health check report, and act accordingly on the flagged entities
the health check report is quite clear in its explanations
You are getting paid not us
so You went for the <stupid> approach
disabling the check is not a temporary fix, it is just ignoring possible errors
any modification we might suggest to YOUR IEAAPF might be wrong
we know nothing about Your environment
for example in the exception report there are some datasets flagged with V
which means that they are not on the volume indicated
how in H**L are we supposed to know on what D**N volume those datasets reside
You know ( or You should ) we do not
and yes, I AM SHOUTING ( if You did not notice )
nevilh
Active User
Joined: 01 Sep 2006 Posts: 262
Hi Praveen, by deactivating the check you will stop getting the warning messages every 45 mins; I assume this is what you meant by a temporary solution. What you need to do is check the PROGxx member in parmlib (most sites stopped using the IEAAPFxx member 10 years ago).
To find which PROG member you are using in parmlib, issue a D IPLINFO (MVS command); this will tell you which IEASYS member you are using to IPL. Look in the IEASYSxx member in your SYS1.PARMLIB (or other parmlib) and you will see an entry in there: PROG=(XX,YY)
Look in these PROG members and in them you will see the APF entries. You just need to go through these entries and correct them.
The V exceptions are easy: you have a dataset authorised on a disk but the dataset does not exist on this disk. Either correct the volser or delete the entry. For the E exceptions, health checker has decided that the level of access to these datasets is inappropriate. This is not necessarily an error. Good luck.
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007 Posts: 10888 Location: italy
sorry for the braincheck about ieaapf...
right now I am working on some retro computing...
mvs 3.8, and os 21.8 and I have in mind the old terminology
as nevilh pointed out I should have said PROGxx
still, instead of the whining(*) I would have expected some feedback even on the style
what the H**K do You mean by IEAAPF
and I would have implied more cooperation on the TS side
( had read the answers and tried to carry on some actions )
(*) repeated asking for generic help
praveenedward_2009
New User
Joined: 26 Aug 2009 Posts: 21 Location: Chennai
Thanks Enrico and Nevil
D IPLINFO resulted as below
RESPONSE=HCLZ9
IEE254I 10.05.55 IPLINFO DISPLAY 892
SYSTEM IPLED AT 19.01.15 ON 08/25/2009
RELEASE z/OS 01.07.00 LICENSE = z/OS
USED LOAD09 IN SYS1.IPLPARM ON D705
ARCHLVL = 2 MTLSHARE = N
IEASYM LIST = (00, L)
IEASYS LIST = (00) (OP)
IODF DEVICE D705
IPL DEVICE D700 VOLUME Z17RS1
Here we get the entry as IEASYS LIST = (00) (OP). Checked the same in SYS1.PARMLIB
001800 PROG=00, SELECT PROG00, DYNAMIC APF LIST under SYS1.PARMLIB(IEASYS00)
I found that the APF entries were in CPAC.PARMLIB(PROG00). We can find the APF entries in this. If you have the exception entry as
E OMXEDB2.DB2XE.RKANMOD AZSYS2 in the APF report then we can see the APF entries defined as
000174 APF ADD DSNAME(OMXEDB2.DB2XE.RKANMOD) VOLUME(AZSYS2) in CPAC.PARMLIB(PROG00)
Please let me know if I need to delete these APF defined entries in CPAC.PARMLIB(PROG00) so that when the check is run again after the IPL for that LPAR, these exceptions are not generated.
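Added example, not part of the thread: a read-only Python sketch of the cross-check worked through in the posts above, matching the E/V lines of the APF Dataset Report to the APF ADD statements in a PROGxx member. The report layout (status, data set, volume) and the leading six-digit editor numbers are assumed from the lines quoted in the thread; the function names and all sample entries other than OMXEDB2.DB2XE.RKANMOD on AZSYS2 are constructed.

```python
import re

# Constructed samples. Only the OMXEDB2 entry comes from the thread.
REPORT = """\
E OMXEDB2.DB2XE.RKANMOD AZSYS2
V SYS2.TOOLS.LOAD WORK02
V SYS2.OLD.LINKLIB WORK01
  SYS1.LINKLIB RES001
"""
PROG = """\
000173 APF FORMAT(DYNAMIC)
000174 APF ADD DSNAME(OMXEDB2.DB2XE.RKANMOD) VOLUME(AZSYS2)
000175 /* APF ADD DSNAME(SYS2.OLD.LINKLIB) VOLUME(WORK01) */
000176 APF ADD DSNAME(SYS2.TOOLS.LOAD)
000177     VOLUME(WORK02)
"""

# Assumed report layout: status letter (E or V), data set name, volume.
FLAGGED = re.compile(r"^[ \t]*([EV])[ \t]+(\S+)[ \t]+(\S+)", re.M)
APF_ADD = re.compile(
    r"\bAPF\s+ADD\s+DSNAME\(\s*([^)\s]+)\s*\)\s+"
    r"(?:VOLUME\(\s*([^)\s]+)\s*\)|(SMS)\b)", re.I)

def _blank(match):
    # Replace with spaces but keep newlines, so offsets still map to lines.
    return re.sub(r"[^\n]", " ", match.group(0))

def apf_entries(prog_text):
    """Map (dsname, volume) -> line number of each APF ADD statement."""
    text = re.sub(r"/\*.*?\*/", _blank, prog_text, flags=re.S)  # comments
    text = re.sub(r"^\d{6}(?=\s)", _blank, text, flags=re.M)    # editor numbers
    entries = {}
    for m in APF_ADD.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        entries[(m.group(1).upper(), (m.group(2) or "SMS").upper())] = line
    return entries

def review_list(report_text, prog_text):
    """Flagged report entries with the member line that defines each one.
    A line of None means the entry is not active in this member."""
    entries = apf_entries(prog_text)
    return [(status, dsn, vol, entries.get((dsn.upper(), vol.upper())))
            for status, dsn, vol in FLAGGED.findall(report_text)]

if __name__ == "__main__":
    for status, dsn, vol, line in review_list(REPORT, PROG):
        where = f"line {line}" if line else "not in this member"
        print(f"{status} {dsn} {vol}: {where}")
```

It only reads the two texts; a None result points at the other members named on the PROG= line of IEASYSxx.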
nevilh
Active User
Joined: 01 Sep 2006 Posts: 262
Quote: |
Please let me know if I need to delete these APF defined entries |
Sorry, we can't help you there. These entries are incorrect; you either have to correct them or delete them. Only someone at your site can decide which is the correct course of action.
praveenedward_2009
New User
Joined: 26 Aug 2009 Posts: 21 Location: Chennai
OK, fine, I will check on the same, Nevil. Thanks a ton for those posts; it was valuable to start with.