z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


EZD1280I

z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)
SC27-3655-01

EZD1280I
applname client CONNECTION ATTEMPT FROM USER userid AT IP ADDRESS ip_addr FAILED REASON CODE reason

Explanation

The Advisor received a connection request at the specified IP address at the specified IP address from an Agent or load balancer with the specified user ID. Authorization for connection to the Advisor failed for the specified user ID.

In the message text:
applname
The name of the application that received the connection request. Possible values are:
  • LBADV for the z/OS® Load Balancing Advisor (Advisor).
  • The job name of the Advisor, if it is configured for subplexing.
client
The type of client that attempted to connect to the Advisor. Possible values are:
  • AGENT for the z/OS Load Balancing Agent
  • LB for a load balancer or ADNR connection
userid
The user ID of the load balancer or Load Balancing Agent that is requesting access to the Advisor. If the user ID is not obtained from AT-TLS, the value is UNKNOWN.
ip_addr
The IP address of the load balancer or Load Balancing Agent.
reason
A code that explains the failure. Possible values are:
1
The Advisor TCP/IP stack is not configured for Application Transparent Transport Layer Security (AT-TLS), and the Advisor configuration file did not allow connections from this client. The TTLS option in the TCP/IP profile TCPCONFIG statement enables the stack for AT-TLS.
2
There is not a usable AT-TLS policy for this connection, and the Advisor configuration file did not allow connections from this client. For example, the policy agent is not active, or the AT-TLS policy for this connection specifies the wrong port.
3
The AT-TLS policy defined for this onnection does not enable AT-TLS, and the Advisor configuration file did not allow connections from this client. In the policy, the TTLSGroupAction statement is not configured with TTLSEnabled set to ON.
4
The AT-TLS policy that is defined for this connection does not define the Advisor as a controlling application, and the Advisor configuration file did not allow connections from this client. In the policy, the TTLSEnvironmentAdvancedParms parameter is not configured with ApplicationControlled set to On for the Advisor.
5
The AT-TLS handshake failed for this connection, and the Advisor configuration file did not allow connections from this client.
6
System authorization facility (SAF) authorization failed for this connection. The SERVAUTH class profile EZB.LBA.LBACCESS.sysname.tcpsysplexgroupname (for a load balancer connection) or EZB.LBA.AGENTACCESS.sysname.tcpsysplexgroupname (for an Agent connection) exists but the user is not authorized to use this profile. The system does not use the Advisor configuration file because the user is not authorized to use the SERVAUTH class profile.
7
The Advisor was unable to obtain storage for processing an AT-TLS connection request, and the Advisor configuration file did not allow connections from this client.
8
The Advisor call to the SIOCTTLSCTL IOCTL failed unexpectedly, and the Advisor configuration file did not allow connections from this client.
9
System authorization facility (SAF) authorization failed for this connection, and the Advisor configuration file did not allow connections from this client. The SERVAUTH class profile EZB.LBA.LBACCESS.sysname.tcpsysplexgroupname (for a load balancer connection) or EZB.LBA.AGENTACCESS.sysname.tcpsysplexgroupname (for an Agent connection) is not protected by SAF.

System action

The system continues processing. The client that attempted to connect to the Advisor might continue to attempt to connect.

Operator response

If you are not using AT-TLS for this connection, save the Advisor syslogd file and contact the system programmer.

If you are using AT-TLS for this connection, take the action appropriate for the reason as follows:
reason
action
2
Start the Policy Agent if it is not already started. If the AT-TLS policy for the Advisor connections has changed, refresh the Policy Agent. If the problem is not corrected, save the Advisor syslogd file, the AT-TLS syslogd file, and the policy agent syslogd file, then contact the system programmer.
7
If the storage problem cannot be corrected, save the Advisor syslogd file. If a dump was not created, take a dump of the Advisor address space, then contact the system programmer.
All other reasons
Save the system console, the Advisor syslogd file, the AT-TLS syslogd file, and the policy agent syslogd file, then contact the system programmer.

See z/OS Communications Server: IP Diagnosis Guide for information about collecting diagnostic data.

System programmer response

If you are not using AT-TLS, examine the Advisor syslogd file for errors. Correct the configuration file as needed. See z/OS Communications Server: IP Configuration Reference for information about configuring the Advisor and Agent and ADNR application.

If you are using AT-TLS for this connection, take action appropriate for the reason as follows:
1
Activate AT-TLS with the TCPCONFIG TTLS configuration statement. Either correct and resubmit the original TCP/IP profile or submit a VARY TCPIP,,OBEYFILE command. See the information about the TCPCONFIG statement in z/OS Communications Server: IP Configuration Reference for more information about the TTLS parameter.
2
If the Policy Agent is active and has been refreshed since the last change to the AT-TLS policy, examine the system console, the Advisor syslogd file, the AT-TLS syslogd file, and the policy agent syslogd file for errors. Correct the AT-TLS policy for this connection. See the information about diagnosing AT-TLS problems in z/OS Communications Server: IP Diagnosis Guide and Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference. Refresh the Policy Agent after changing the policy.
3
Change the AT-TLS policy for this connection in the TTLSGroupAction statement to TTLSEnabled On. See the information about Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference. Refresh the Policy Agent after changing the policy.
4
Change the AT-TLS policy for this connection in the TTLSEnvironmentAdvancedParms statement to ApplicationControlled On for the server (Advisor). See the information about Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference. Refresh the Policy Agent after changing the policy.
5
Correct the TLS handshake parameters in the AT-TLS policy for this connection.
  • See the information about Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference. Refresh the Policy Agent after changing the policy. For example,
    • Ensure that the HandshakeTimeout value for the Advisor policy is sufficient (for example, 30 seconds)
    • Ensure that the HandshakeRole value for the Advisor is ServerWithClientAuth or Server.
    • Ensure that the HandshakeRole value for the Agent and load balancers is Client.
6
Ensure that the user ID has at least read access to the correct SERVAUTH class profile (EZB.LBA.LBACCESS.sysname.tcpsysplexgroupname for a load balancer connection, EZB.LBA.AGENTACCESS.sysname.tcpsysplexgroupname for an Agent connection). For more information, see z/OS Security Server RACF Command Language Reference .
7
If the storage problem cannot be corrected, contact IBM® software support services with all supporting documentation. The application syslogd file is the minimum diagnostic data that should be provided. See z/OS Communications Server: IP Diagnosis Guide for information about collecting diagnostic data.
8
Examine the system console, the Advisor syslogd file, the AT-TLS syslogd file, and the policy agent syslogd file for errors. Ensure that the certificate is correct. For more information, see z/OS Security Server RACF Command Language Reference. If the problem is not corrected, contact IBM software support services with all supporting documentation. See z/OS Communications Server: IP Diagnosis Guide for information about collecting diagnostic data.
9
Define and permit the LBACCESS and AGENTACCESS profiles on each system where the Advisor can run. Ensure that the user ID has at least read access to the correct SERVAUTH class profile (EZB.LBA.LBACCESS.sysname.tcpsysplexgroupname for a load balancer connection, EZB.LBA.AGENTACCESS.sysname.tcpsysplexgroupname for an Agent connection). See the z/OS Security Server RACF Command Language Reference for information about the RDEFINE (Define General Resource Profile).

User response

Not applicable.

Problem determination

Not applicable.

Source

z/OS Communications Server TCP/IP: Load Balancing Advisor

Module

lmmain

Routing code

10

Descriptor code

12

Example

EZD1280I LBADV AGENT CONNECTION ATTEMPT FROM USER AGENT1 AT IP ADDRESS 192.10.1.1 FAILED  REASON CODE 6
Parent topic: EZD1xxxx messages

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014