A fix is available
APAR status
Closed as new function.
Error description
Currently for Take Action command (Reflex Automation command) of a Situation distributed to OMEGAMON XE agents, or any other z/OS based agent, the Take Action command will run per the Tivoli Enterprise Portal (TEP) userID. OA49763 introduces new functionality that applies only to z/OS TEMS and Agents running on z/OS. The new functionality enables users to specify that a Situation's Take Action, also known as Reflex Automation, is executed per same userID as the userID of the running Agent task, instead of the default behavior of executing Take Action as Tivoli Enterprise Portal (TEP) userID. To enable this feature you specify the TEMS environment variable named KMS_SIT_ACTION_RUNAS_PROCESS_USER in the Tivoli Monitoring Server's configuration file and assign it a value of "Y". You will need to set KMS_SIT_ACTION_RUNAS_PROCESS_USER on HUB TEMS and Remote TEMS. KMS_SIT_ACTION_RUNAS_PROCESS_USER=Y When the Monitoring Server starts it reads the above value, and if set to "Y", TEMS will perform special processing for Reflex Automation commands. The Monitoring Server will identify Reflex Automation commands specified by the user and override default behavior, forcing the Reflex Automation command to be executed (run as) per the Agent Job's Effective userID. For these Reflex Automation commands executed per Agent Job's Effective userID, their TEP User value may appear in the Tivoli Enterprise Portal's Audit Log as either "REFLXUSR" or the Agent Job's Effective userID; note the 'Runas' userID will always be the actual userID (Agent Job's Effective userID) used to execute Reflex Automation command. The Job's Effective userID is displayed as TEP User in the Audit Log when Reflex Automation command is being processed in emulation mode; emulation mode is in effect depending upon various aspects of a Situation's definition, e.g. Persistence > 1 or use of COUNT, AVG, SUM, MIN or MAX functions is Situation's predicate.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All TEMS users. * **************************************************************** * PROBLEM DESCRIPTION: ITM 6.3.0 FIX PACK 6 INTERIM FIX 1 * * Enhance Situation and Policy Reflex * * Automation (Take Actions) processing to * * allow the Take Action to be executed as * * a different user than the user * * associated with Situation or Policy. * **************************************************************** * RECOMMENDATION: Apply the PTF. * **************************************************************** For security purposes users want to execute Situation and Policy Take Actions as the effective userid of the target Agent process. This enhancement provides this functionality.
Problem conclusion
Currently for Take Action command (Reflex Automation command) of a Situation distributed to OMEGAMON XE agents, or any other z/OS based agent, the Take Action command will run per the Tivoli Enterprise Portal (TEP) userID. OA49763 introduces new functionality that applies only to z/OS Monitoring Server (TEMS) and Agents running on z/OS. The new functionality enables users to specify that a Situation's Take Action or a Policy's TakeAction, also known as Reflex Automation, be executed per same userID as the userID of the running Agent task, instead of the default behavior of executing Take Action as Tivoli Enterprise Portal (TEP) userID. To enable this feature a new TEMS environment variable, named KMS_SIT_ACTION_RUNAS_PROCESS_USER, has been introduced. If user chooses to enable this new feature KMS_SIT_ACTION_RUNAS_PROCESS_USER=Y must be declared on hub Monitoring Server and on any remote Monitoring Server(s). For more details on the new Environment Variable see "Install Actions" section, at end of this Problem Conclusion section. When the Monitoring Server starts it reads the above value, and if set to "Y", the Monitoring Server will perform special processing for Reflex Automation commands. The Monitoring Server will identify Reflex Automation commands specified by the user and override default behavior, forcing the Reflex Automation command to be executed (run as) per the Agent Job's Effective userID. For these Reflex Automation commands executed per Agent Job's Effective userID, their Tivoli Enterprise Portal User value may appear in the Tivoli Enterprise Portal's Audit Log as either "REFLXUSR" or the Agent Job's Effective userID; note the 'Runas' userID will always be the actual userID (Agent Job's Effective userID) used to execute Reflex Automation command. The Job's Effective userID is displayed as Tivoli Enterprise Portal User in the Audit Log when Reflex Automation command is being processed in emulation mode; emulation mode is in effect depending upon various aspects of a Situation's definition, e.g. Persistence >1 or use of COUNT, AVG, SUM, MIN or MAX functions is Situation's predicate. Install Actions: A. z/OS TEMS Enablement Steps for an Existing RTE: 1. Edit %RTE_PLIB_HILEV%.%RTE_NAME%.WCONFIG(KDS$PENV) override imbed to WKANPARU(KDSENV) TEMS runtime member. Override KMS_SIT_ACTION_RUNAS_PROCESS_USER=N parameter to KMS_SIT_ACTION_RUNAS_PROCESS_USER=Y prior to rerunning WCONFIG($PARSE) job. Note: The KMS_SIT_ACTION_RUNAS_PROCESS_USER=N default parameter is introduced in PARMGEN 1Q16 APAR OA48678. For existing RTEs created prior to APAR OA48678, WCONFIG(KDS$PENV) already exists (preserved member). To enable the function, add the KMS_SIT_ACTION_RUNAS_PROCESS_USER=Y override parameter to WCONFIG(KDS$PENV) imbed member to xKANPARU(KDSENV). 2. Submit WCONFIG($PARSEPR) job to recreate the RTE's %RTE_PLIB_HILEV%.%RTE_NAME%.WKANPARU(KDSENV) TEMS runtime member. 3. Submit WKANSAMU(KCIJPW2R) job to refresh the KDSENV member from WKANPARU to the product execution user library RKANPARU when you are ready to stage your KDSENV updates. 4. Recycle the %KDS_TEMS_STC% TEMS started task. 5. Repeat steps #1 - #4 for additional z/OS TEMS that will enable the function. B. z/OS TEMS Enablement Steps for new RTE configuring z/OS TEMS: 1. Follow the preferred RTE Implementation Scenario documented in the OMEGAMON XE shared publications in IBM Knowledge Center (URL: http://www.ibm.com/support/knowledgecenter/SSAUBV/com.ibm.omegam on_share.doc_6.3.0.2/parmgenref/PARMGEN_scenarios_intro.htm?cp=S SAUBV%2F1-9-0) 2. As part of the "Customizing the configuration profiles" step, edit %RTE_PLIB_HILEV%.%RTE_NAME%.WCONFIG(KDS$PENV) override imbed to WKANPARU(KDSENV) TEMS runtime member. Override KMS_SIT_ACTION_RUNAS_PROCESS_USER=N parameter to KMS_SIT_ACTION_RUNAS_PROCESS_USER=Y prior to running WCONFIG($PARSE) job. 3. Complete the remaining steps as documented in the RTE Implementation Scenario.
Temporary fix
Comments
Currently for Take Action command (Reflex Automation command) of a Situation distributed to OMEGAMON XE agents, or any other z/OS based agent, the Take Action command will run per the Tivoli Enterprise Portal (TEP) userID. This APAR introduces new functionality that applies only to z/OS Monitoring Server (TEMS) and Agents running on z/OS. The new functionality enables users to specify that a Situation's Take Action, also known as Reflex Automation, is executed per same userID as the userID of the running Agent task, instead of the default behavior of executing Take Action as Tivoli Enterprise Portal (TEP) userID. To enable this feature, specify the TEMS environment variable named KMS_SIT_ACTION_RUNAS_PROCESS_USER in the Tivoli Monitoring Server's configuration file and assign it a value of "Y". You must set KMS_SIT_ACTION_RUNAS_PROCESS_USER on both Hub TEMS and Remote TEMS. Here is an example: KMS_SIT_ACTION_RUNAS_PROCESS_USER=Y When the Monitoring Server starts it reads the above value, and if set to "Y", TEMS will perform special processing for Reflex Automation commands. The Monitoring Server will identify Reflex Automation commands specified by the user and override default behavior, forcing the Reflex Automation command to be executed (run as) per the Agent Job's Effective userID. For these Reflex Automation commands executed per Agent Job's Effective userID, their Tivoli Enterprise Portal User value may appear in the Tivoli Enterprise Portal's Audit Log as either "REFLXUSR" or the Agent Job's Effective userID; note the 'Runas' userID will always be the actual userID (Agent Job's Effective userID) used to execute Reflex Automation command.
APAR Information
APAR number
OA49763
Reported component name
MGMT SERVER DS
Reported component ID
5608A2800
Reported release
630
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-01-21
Closed date
2016-01-22
Last modified date
2017-03-01
APAR is sysrouted FROM one or more of the following:
IV79101
APAR is sysrouted TO one or more of the following:
Modules/Macros
KGELIB KGLBASE KRALIB KSMOMS
Fix information
Fixed component name
MGMT SERVER DS
Fixed component ID
5608A2800
Applicable component levels
R630 PSY UA80426
UP16/01/30 P F601
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSRJ5K","label":"Tivoli Management Server for Distributed Systems on z\/OS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"630","Edition":"","Line of Business":{"code":"LOB17","label":"Mainframe TPS"}}]
Document Information
Modified date:
01 March 2017