Re: IXGLOGR and RACF

2006-12-17 Thread Shmuel Metz (Seymour J.) 
In <[EMAIL PROTECTED]>, on 11/29/2006
   at 03:06 PM, Walt Farrell <[EMAIL PROTECTED]> said:

>It is either in the ICHRIN03 load module that you installed, or in
>the  STARTED class.

I'd advise switching to STARTED if he's still using ICHRIN03.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see  
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IXGLOGR and RACF

2006-11-30 Thread Chase, John 
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of Rick Fochtman
> 
> 
> 
> > I am in the midst of installing z/OS V1.7 and having troubles
with the 
> >IXGLOGR task.  . . .
> >  
> >
> -
> The profile being referenced here is a DATASET profile, not a 
> USER profile. The USER IXGLOGR needs to be PERMIT'ted to the 
> DATASET profile "IXGLOGR.**" with at least UPDATE access, if 
> not ALTER access.

Another option that is safe (and "suggested" in Setting Up a Sysplex) is
to specify "trusted" in the STDATA of the IXGLOGR STARTED profile.

-jc-

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IXGLOGR and RACF

2006-11-30 Thread Rick Fochtman 




I am in the midst of installing z/OS V1.7 and having troubles
with the IXGLOGR task.  The following messages are issued when starting
CICS T/S V3.1.  Similar messages are issued when IPL'ing while logger
functions are starting and as you can see I have set the definition for
IXGLOGR.** from FAIL to WARN:

IEF196I ICH408I JOB(IXGLOGR ) STEP(IXGLOGR )
IEF196I   IXGLOGR.SYSPLEX.OPERLOG.A000 CL(DATASET ) VOL(Z17997) 
IEF196I   WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
IEF196I   FROM IXGLOGR.** (G)   
IEF196I   ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )   
ICH408I JOB(IXGLOGR ) STEP(IXGLOGR ) 192
 IXGLOGR.SYSPLEX.OPERLOG.A000 CL(DATASET ) VOL(Z17997) 
 WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
 FROM IXGLOGR.** (G)   
 ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )  



I attempted to add the user IXGLOGR with the following command:
adduser IXGLOGR dfltgrp(STCGRP) nopassword nooidcard

But received the message:
ICH51002I NAME TO BE ADDED TO RACF DATA SET ALREADY EXISTS 
ICH01010I IXGLOGR  NOT ADDED.  


When I attempt to display user IXGLOGR I get:
ICH30001I UNABLE TO LOCATE USERENTRY IXGLOGR 


Failure messages point to RACF not containing a valid ACEE containing
user, group or name.  As well as the started task not defined in the
RACF started procedures table.

How can I check the RACF started proc table?  Why the conflicting
information on user IXGLOGR?

Any information you could provide concerning this issue would be greatly
appreciated,
 


-
The profile being referenced here is a DATASET profile, not a USER 
profile. The USER IXGLOGR needs to be PERMIT'ted to the DATASET profile 
"IXGLOGR.**" with at least UPDATE access, if not ALTER access.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: STDATA (was: IXGLOGR and RACF)

2006-11-29 Thread Shane 
Does anybody have an explanation why STDATA isn't included in a new
STARTED entry if it is modelled on an existing entry ??.

Catches our RACF people out damn near every time.

Shane ...

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IXGLOGR and RACF

2006-11-29 Thread Strudwick, Martin 
R.S., David Mueller and all,

Thanks for your response.  I added IXGUSER, and issued a RALTER
for the IXGLOGR.* STDATA(user(IXGUSER) info.  As well, I added IXGUSER
to the appropriate group with permissions to IXGLOGR.**.  I am no longer
receiving RACF fail/warn messages.

Thanks again for your quick and informative responses, now on to the
next fire!

Martin

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of R.S.
Sent: Wednesday, November 29, 2006 11:30 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: IXGLOGR and RACF


Strudwick, Martin wrote:
> Group,
> 
>   I am in the midst of installing z/OS V1.7 and having troubles
with 
> the IXGLOGR task.  The following messages are issued when starting 
> CICS T/S V3.1.  Similar messages are issued when IPL'ing while logger 
> functions are starting and as you can see I have set the definition 
> for
> IXGLOGR.** from FAIL to WARN:
> 
> IEF196I ICH408I JOB(IXGLOGR ) STEP(IXGLOGR )
> IEF196I   IXGLOGR.SYSPLEX.OPERLOG.A000 CL(DATASET ) VOL(Z17997) 
> IEF196I   WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
> IEF196I   FROM IXGLOGR.** (G)   
> IEF196I   ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )   
> ICH408I JOB(IXGLOGR ) STEP(IXGLOGR ) 192
>   IXGLOGR.SYSPLEX.OPERLOG.A000 CL(DATASET ) VOL(Z17997) 
>   WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
>   FROM IXGLOGR.** (G)   
>   ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )  
> 
> 
> I attempted to add the user IXGLOGR with the following command: 
> adduser IXGLOGR dfltgrp(STCGRP) nopassword nooidcard
> 
> But received the message:
> ICH51002I NAME TO BE ADDED TO RACF DATA SET ALREADY EXISTS
> ICH01010I IXGLOGR  NOT ADDED.  
> 
> When I attempt to display user IXGLOGR I get:
> ICH30001I UNABLE TO LOCATE USERENTRY IXGLOGR 
> 
> Failure messages point to RACF not containing a valid ACEE containing 
> user, group or name.  As well as the started task not defined in the 
> RACF started procedures table.
> 
> How can I check the RACF started proc table?  Why the conflicting 
> information on user IXGLOGR?
> 
> Any information you could provide concerning this issue would be 
> greatly appreciated,

You have address space, IXGLOGR.
This address space needs a userid assigned to.
Useid need not be named IXGLOGR, it can be JOHN if you want:
AU JOHN NAME('STC LOGGER') NOPASSWORD ...other parameters
RDEF STARTED IXGLOGR.* STDATA(USER(JOHN))
SETR RACLIST(STARTED) REFRESH
PE 'IXGLOGR.**' ID(JOHN) ACC(ALTER)

now you have to RESTART your IXGLOGR or re-IPL.
Restart is not trivial:
FORCE IXGLOGR,ARM
S IXGLOGRS (note the S )

BTW: I believe you didn't use SYSPLEX.OPERLOG in the past. There is not 
must to do it now.
-- 
Radoslaw Skorupka
Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions, send
email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search
the archives at http://bama.ua.edu/archives/ibm-main.html

NOTICE:  The information contained in this electronic mail transmission is 
intended by the sender for the sole use of the named individual or entity to 
which it is directed and may contain information that is privileged or 
otherwise confidential.  Please do not copy it or use it for any purposes, or 
disclose its contents to any other person.  To do so could violate state and 
Federal privacy laws.  If you have received this electronic mail transmission 
in error, please delete it from your system without copying or forwarding it, 
and notify the sender of the error by reply email or by telephone, so that the 
sender's address records can be corrected.  Thank you for your cooperation.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IXGLOGR and RACF

2006-11-29 Thread Walt Farrell 

On 11/29/2006 2:12 PM, Strudwick, Martin wrote:

I am in the midst of installing z/OS V1.7 and having troubles
with the IXGLOGR task.  The following messages are issued when starting
CICS T/S V3.1.  Similar messages are issued when IPL'ing while logger
functions are starting and as you can see I have set the definition for
IXGLOGR.** from FAIL to WARN:

IEF196I ICH408I JOB(IXGLOGR ) STEP(IXGLOGR )
IEF196I   IXGLOGR.SYSPLEX.OPERLOG.A000 CL(DATASET ) VOL(Z17997) 
IEF196I   WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
IEF196I   FROM IXGLOGR.** (G)   
IEF196I   ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )   
ICH408I JOB(IXGLOGR ) STEP(IXGLOGR ) 192
  IXGLOGR.SYSPLEX.OPERLOG.A000 CL(DATASET ) VOL(Z17997) 
  WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
  FROM IXGLOGR.** (G)   
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )  



I attempted to add the user IXGLOGR with the following command:
adduser IXGLOGR dfltgrp(STCGRP) nopassword nooidcard

But received the message:
ICH51002I NAME TO BE ADDED TO RACF DATA SET ALREADY EXISTS 
ICH01010I IXGLOGR  NOT ADDED.  


When I attempt to display user IXGLOGR I get:
ICH30001I UNABLE TO LOCATE USERENTRY IXGLOGR 


That would indicate that you have a group named IXGLOGR, rather than a 
user.  You can not have both.




Failure messages point to RACF not containing a valid ACEE containing
user, group or name.  


Yes, but it's not clear which address space.  Since this happened when 
you started CICS, it is possible that your problem is that CICS is not 
running with a RACF identity.  Or it is possible that IXGLOGR does not 
have an identity.  With the information so far you can not tell which 
has occurred.




As well as the started task not defined in the
RACF started procedures table.

How can I check the RACF started proc table?  


It is either in the ICHRIN03 load module that you installed, or in the 
STARTED class.




Why the conflicting
information on user IXGLOGR?


Explained above: it can not be both a group and a user, and you probably 
have a group defined.  That -may- be OK, if your started proc table 
specifies that IXGLOGR runs with a different user ID than IXGLOGR, but 
is likely a problem.


Walt Farrell, CISSP
z/OS Security Design, IBM

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IXGLOGR and RACF

2006-11-29 Thread Jack Kelly 
seems like you already have the dsn profile (ixglogr.**), so it sounds 
more like a permission's pblm.

Jack Kelly
LA Systems @ US Courts
x 202-502-2390

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IXGLOGR and RACF

2006-11-29 Thread Mueller, David 
Things like this might reach a RACF-knowledgeable audience if sent to
"RACF Discussion List [EMAIL PROTECTED]".

In your case, IXGLOGR is apparently defined as a group in RACF. Check
for that.
Also, the JOB/STEP part of the message means that you have to define
STDATA in the STARTED class for the task.

David Mueller | Systems Programmer | DMS/EITS
Phone: 850-414-9134 (Rm 107 SRC) | Fax: 850-921-8343
E-mail: [EMAIL PROTECTED]
  
-Original Message-
I am in the midst of installing z/OS V1.7 and having troubles
with the IXGLOGR task.  The following messages are issued when starting
CICS T/S V3.1.  Similar messages are issued when IPL'ing while logger
functions are starting and as you can see I have set the definition for
IXGLOGR.** from FAIL to WARN:

IEF196I ICH408I JOB(IXGLOGR ) STEP(IXGLOGR )
IEF196I   IXGLOGR.SYSPLEX.OPERLOG.A000 CL(DATASET ) VOL(Z17997) 
IEF196I   WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
IEF196I   FROM IXGLOGR.** (G)   
IEF196I   ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )   
ICH408I JOB(IXGLOGR ) STEP(IXGLOGR ) 192
  IXGLOGR.SYSPLEX.OPERLOG.A000 CL(DATASET ) VOL(Z17997) 
  WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
  FROM IXGLOGR.** (G)   
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )  


I attempted to add the user IXGLOGR with the following command:
adduser IXGLOGR dfltgrp(STCGRP) nopassword nooidcard

But received the message:
ICH51002I NAME TO BE ADDED TO RACF DATA SET ALREADY EXISTS 
ICH01010I IXGLOGR  NOT ADDED.  

When I attempt to display user IXGLOGR I get:
ICH30001I UNABLE TO LOCATE USERENTRY IXGLOGR 

Failure messages point to RACF not containing a valid ACEE containing
user, group or name.  As well as the started task not defined in the
RACF started procedures table.

How can I check the RACF started proc table?  Why the conflicting
information on user IXGLOGR?

Any information you could provide concerning this issue would be greatly
appreciated,

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IXGLOGR and RACF

2006-11-29 Thread R.S. 

Strudwick, Martin wrote:

Group,

I am in the midst of installing z/OS V1.7 and having troubles
with the IXGLOGR task.  The following messages are issued when starting
CICS T/S V3.1.  Similar messages are issued when IPL'ing while logger
functions are starting and as you can see I have set the definition for
IXGLOGR.** from FAIL to WARN:

IEF196I ICH408I JOB(IXGLOGR ) STEP(IXGLOGR )
IEF196I   IXGLOGR.SYSPLEX.OPERLOG.A000 CL(DATASET ) VOL(Z17997) 
IEF196I   WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
IEF196I   FROM IXGLOGR.** (G)   
IEF196I   ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )   
ICH408I JOB(IXGLOGR ) STEP(IXGLOGR ) 192
  IXGLOGR.SYSPLEX.OPERLOG.A000 CL(DATASET ) VOL(Z17997) 
  WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
  FROM IXGLOGR.** (G)   
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )  



I attempted to add the user IXGLOGR with the following command:
adduser IXGLOGR dfltgrp(STCGRP) nopassword nooidcard

But received the message:
ICH51002I NAME TO BE ADDED TO RACF DATA SET ALREADY EXISTS 
ICH01010I IXGLOGR  NOT ADDED.  


When I attempt to display user IXGLOGR I get:
ICH30001I UNABLE TO LOCATE USERENTRY IXGLOGR 


Failure messages point to RACF not containing a valid ACEE containing
user, group or name.  As well as the started task not defined in the
RACF started procedures table.

How can I check the RACF started proc table?  Why the conflicting
information on user IXGLOGR?

Any information you could provide concerning this issue would be greatly
appreciated,


You have address space, IXGLOGR.
This address space needs a userid assigned to.
Useid need not be named IXGLOGR, it can be JOHN if you want:
AU JOHN NAME('STC LOGGER') NOPASSWORD ...other parameters
RDEF STARTED IXGLOGR.* STDATA(USER(JOHN))
SETR RACLIST(STARTED) REFRESH
PE 'IXGLOGR.**' ID(JOHN) ACC(ALTER)

now you have to RESTART your IXGLOGR or re-IPL.
Restart is not trivial:
FORCE IXGLOGR,ARM
S IXGLOGRS (note the S )

BTW: I believe you didn't use SYSPLEX.OPERLOG in the past. There is not 
must to do it now.

--
Radoslaw Skorupka
Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

IXGLOGR and RACF

2006-11-29 Thread Strudwick, Martin 
Group,

I am in the midst of installing z/OS V1.7 and having troubles
with the IXGLOGR task.  The following messages are issued when starting
CICS T/S V3.1.  Similar messages are issued when IPL'ing while logger
functions are starting and as you can see I have set the definition for
IXGLOGR.** from FAIL to WARN:

IEF196I ICH408I JOB(IXGLOGR ) STEP(IXGLOGR )
IEF196I   IXGLOGR.SYSPLEX.OPERLOG.A000 CL(DATASET ) VOL(Z17997) 
IEF196I   WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
IEF196I   FROM IXGLOGR.** (G)   
IEF196I   ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )   
ICH408I JOB(IXGLOGR ) STEP(IXGLOGR ) 192
  IXGLOGR.SYSPLEX.OPERLOG.A000 CL(DATASET ) VOL(Z17997) 
  WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
  FROM IXGLOGR.** (G)   
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )  


I attempted to add the user IXGLOGR with the following command:
adduser IXGLOGR dfltgrp(STCGRP) nopassword nooidcard

But received the message:
ICH51002I NAME TO BE ADDED TO RACF DATA SET ALREADY EXISTS 
ICH01010I IXGLOGR  NOT ADDED.  

When I attempt to display user IXGLOGR I get:
ICH30001I UNABLE TO LOCATE USERENTRY IXGLOGR 

Failure messages point to RACF not containing a valid ACEE containing
user, group or name.  As well as the started task not defined in the
RACF started procedures table.

How can I check the RACF started proc table?  Why the conflicting
information on user IXGLOGR?

Any information you could provide concerning this issue would be greatly
appreciated,

TIA, 

Martin A. Strudwick
Sr. Systems Programmer
Z.C. Sterling Insurance Agency


NOTICE:  The information contained in this electronic mail transmission is 
intended by the sender for the sole use of the named individual or entity to 
which it is directed and may contain information that is privileged or 
otherwise confidential.  Please do not copy it or use it for any purposes, or 
disclose its contents to any other person.  To do so could violate state and 
Federal privacy laws.  If you have received this electronic mail transmission 
in error, please delete it from your system without copying or forwarding it, 
and notify the sender of the error by reply email or by telephone, so that the 
sender's address records can be corrected.  Thank you for your cooperation.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html