Troubleshooting Security Errors
Security errors can show up at signon, at Process start, or at any step of a Process. In general, a return code of 8 means that the error occurred on the PNODE, and a return code of C means the error occurred on the SNODE. This section tells you how to determine the cause of security errors.
Many IBM® Connect:Direct® security-related messages begin with the prefix RACF. This fact does not mean that IBM RACF was necessarily involved with the failure. It is merely a naming convention for IBM Connect:Direct message identifiers.
Often, it is helpful to run a security trace to determine exactly where and why a security failure occurred. See Security Traces for information on how to run one.
Condition: Signon Denied
When you sign on from either batch or the IUI, you receive a message that indicates the Stage 1 Signon Exit has failed.

| Error | Cause | Action | Collect |
|---|---|---|---|
| RACF097I | The Stage 1 Signon exit, DGACXSIG, failed to execute properly. In the Connect:Direct for z/OS® IUI, verify that DGACXSIG is in an APF authorized library and correctly allocated. | Review both the short text and long text IBM Connect:Direct messages. If you are receiving the message during signon to the IUI, run a batch job after verifying that DGACXSIG is available to the job. For either batch or interactive signon, allocate the APISECUR DD as described in Security Traces. You will be able to view the progression of BLDLs, along with output showing where IBM Connect:Direct looked for DGACXSIG and the results from the search. | |
Condition: Lack Authority to Perform a Connect:Direct for z/OS Function
You attempt to perform a Connect:Direct for z/OS function but receive a message that says you are not authorized to perform that function.

| Error | Cause | Action | Collect |
|---|---|---|---|
| | If you are running a Stage 2 security exit, your user ID is defined using an authorization bit mask that does not include the function you are attempting. A security trace will show you the general category of IBM Connect:Direct user assigned to your userid (administrator, operator, or general user). See Security Traces for more information about how to initiate a security trace. If you are using the IBM Connect:Direct authorization file, the functional authority of your userid does not include the function you are trying to perform. | Review both the short text and long text IBM Connect:Direct messages. Have the IBM Connect:Direct administrator at your site ensure that your userid has the authority necessary to perform the function, either by updating your userid record in the IBM Connect:Direct authorization file or by assigning the authority within the Stage 2 security exit. | Output from a security trace showing the validation of your authority to perform the IBM Connect:Direct function |
Condition: Access Denied to File or Data Set on COPY Step
You are denied access to a data set or a file on a COPY step.

| Error | Cause | Action | Collect |
|---|---|---|---|
| RACF095I | The security subsystem either on your node (RC=8) or the remote node (RC=C) has denied your userid access to the data set. | Review both the short text and long text IBM Connect:Direct messages. Ensure that your userid has the correct access to the data set. If you continue getting this message, run a security trace. See Security Traces for more information about how to initiate a security trace. It might be necessary to use a PNODEID or SNODEID statement to send a valid userid and password to the security system. | |
Condition: User Record not Found in the Authorization Data Set
When you sign on to IBM Connect:Direct or submit a Process to another node, you receive message SAFA002I, "The user record was not found in the Authorization Data Set."

| Error | Cause | Action | Collect |
|---|---|---|---|
| SAFA002I | If you are using the IBM Connect:Direct authorization file for security, be aware that the key to that file is a combination of userid and node name. For example, if you are signed on to node CDA with userid USERA and transmitting to node CDB (not using an SNODEID override), the authorization file on CDB must have an entry for the userid USERA and node CDA. | Review both the short text and long text IBM Connect:Direct messages. Check the appropriate IBM Connect:Direct authorization file and verify that the correct userid/node combination is specified. User records in the IBM Connect:Direct authorization file can be added or modified with the Insert User or Update User commands. | None |
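
The userid/node key rule described for SAFA002I can be checked before a Process is submitted. The following is an added example, not IBM code: it models each node's authorization file as a set of (userid, node) keys and reports when the receiving node has the userid paired with the wrong node name. The Transfer type, the check function, and the sample authorization data are all constructed for illustration.

```python
# Added illustration: pre-flight check for SAFA002I on Process submission.
# Each node's authorization file is modelled as a set of (userid, node) keys.
from typing import NamedTuple, Optional

class Transfer(NamedTuple):
    userid: str                     # userid signed on at the submitting node
    pnode: str                      # node the Process is submitted from
    snode: str                      # node the Process transmits to
    snodeid: Optional[str] = None   # SNODEID override, if the Process has one

# Constructed sample data: authorization file keys held on each node.
AUTH_FILES = {
    "CDB": {("USERA", "CDA"), ("USERB", "CDB")},
    "CDC": {("USERA", "CDC")},
}

def check(t: Transfer, auth_files=AUTH_FILES) -> str:
    """Return OK, SKIPPED, UNKNOWN, or a SAFA002I prediction with the reason."""
    if t.snodeid is not None:
        # The userid/node rule is stated only for the no-override case.
        return "SKIPPED: SNODEID override present, rule not evaluated"
    keys = auth_files.get(t.snode)
    if keys is None:
        return f"UNKNOWN: no authorization file data for {t.snode}"
    if (t.userid, t.pnode) in keys:
        return "OK"
    # Near miss: the userid exists but is paired with a different node name.
    other_nodes = sorted(n for u, n in keys if u == t.userid)
    if other_nodes:
        return (f"SAFA002I expected on {t.snode}: {t.userid} is defined for "
                f"node(s) {', '.join(other_nodes)}, not {t.pnode}")
    return f"SAFA002I expected on {t.snode}: no record for userid {t.userid}"

if __name__ == "__main__":
    for t in (Transfer("USERA", "CDA", "CDB"),
              Transfer("USERA", "CDA", "CDC"),
              Transfer("USERC", "CDA", "CDB"),
              Transfer("USERA", "CDA", "CDC", snodeid="OTHERID")):
        print(t.userid, t.pnode, "->", t.snode, ":", check(t))
```

The second sample transfer shows the common mistake: CDC has a record for USERA, but keyed to CDC rather than to the submitting node CDA.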