SAF trace

The SAF trace documented here requires a diagnostic driver for Developer for z/OS® that creates a console message just before and after the targeted security call, in this case PassTicket generation.

The diagnostic driver issues the following messages when a PassTicket is generated:
  • 09351 12:22:23.75 STC15088 00000090 +FEKP01I before invoking passticket generation module.
  • 09351 12:22:23.78 STC15088 00000090 +FEKP02I after invoking passticket generation module.
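
One way to confirm that the diagnostic driver fired and to find the time window to look for in the GTF trace is to pair the two messages in a saved console log. This is an added example, not part of the original document or of Developer for z/OS; the function name is hypothetical, and it assumes the first field is a yyddd Julian date and that one job has at most one PassTicket generation in flight at a time.

```python
import re
from datetime import datetime

# Constructed sample in the console-message layout shown above
# (the first two lines are the page's own, the last two are made up).
SAMPLE_LOG = """\
09351 12:22:23.75 STC15088 00000090 +FEKP01I before invoking passticket generation module.
09351 12:22:23.78 STC15088 00000090 +FEKP02I after invoking passticket generation module.
09351 12:25:10.02 STC15088 00000090 +FEKP01I before invoking passticket generation module.
09351 12:25:40.00 STC15090 00000090 +FEKP02I after invoking passticket generation module.
"""

# Assumed layout: yyddd, hh:mm:ss.hh, job ID, one further field, +message ID.
LINE_RE = re.compile(
    r"^\s*(\d{5}) (\d\d:\d\d:\d\d\.\d\d) (\S+) \S+ \+(FEKP0[12]I)\b")


def passticket_windows(log_text):
    """Pair each FEKP01I with the next FEKP02I from the same job.

    Returns (windows, unmatched). A window is (job, start, end) and brackets
    one PassTicket generation; unmatched holds (job, time, msgid) entries
    that have no partner, for example a call that never returned.
    """
    pending, windows, unmatched = {}, [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a diagnostic-driver message
        day, clock, job, msgid = m.groups()
        stamp = datetime.strptime(day + " " + clock, "%y%j %H:%M:%S.%f")
        if msgid == "FEKP01I":
            if job in pending:  # second "before" with no "after" in between
                unmatched.append((job, pending[job], "FEKP01I"))
            pending[job] = stamp
        elif job in pending:
            windows.append((job, pending.pop(job), stamp))
        else:  # "after" with no preceding "before"
            unmatched.append((job, stamp, "FEKP02I"))
    unmatched += [(job, t, "FEKP01I") for job, t in pending.items()]
    return windows, unmatched


if __name__ == "__main__":
    windows, unmatched = passticket_windows(SAMPLE_LOG)
    for job, start, end in windows:
        print(f"{job}: {start} -> {end} ({(end - start).total_seconds():.2f}s)")
    for job, when, msgid in unmatched:
        print(f"unpaired {msgid} from {job} at {when}")
```

An empty result after the problem has been recreated means the driver was not picked up, so check the file size and the RSED restart before taking the trace again.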

Follow these instructions to activate the test driver outside SMP/E.

  1. Make a backup of /usr/lpp/rdz/lib/zosserver.jar:
    mv /usr/lpp/rdz/lib/zosserver.jar /usr/lpp/rdz/lib/zosserver.jar.bu
  2. FTP the attached zosserver.jar in binary to /usr/lpp/rdz/lib/ (59779 bytes).
  3. Make the uploaded file executable:
    chmod 755 /usr/lpp/rdz/lib/zosserver.jar
  4. Verify the change has been made:
    ls -lE /usr/lpp/rdz/lib/zosserver.jar
    -rwxr-xr-x --s- 1 IBMUSER SYS1 59779 Dec 17 12:04 zosserver.jar
  5. Restart the RSED started task to pick up the changes.

The next thing to do is set up the system dump and SAF trace. Note that RACF® relies on GTF to create a SAF trace.

See (for z/OS 1.10) http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/IEA2V191/10.0?SHELF=IEA2BK91&DT=20090220211519

  1. Create a GTF started task, or use an existing one:
    //*
    //* GTF TRACE
    //*
    //* START COMMAND : S GTF.GTFUSER
    //* STOP COMMAND : P GTFUSER
    //*
    //GTF PROC TRACE=USER.$$$$$GTF.TRACE,
    // DSP=NEW,
    // SIZE='CYL,10',
    // PLIB=USER.$$$$$GTF.PARMLIB,
    // MEMBER=GTFPARM
    //*
    //IEFPROC EXEC PGM=AHLGTF,TIME=1440,REGION=4096K,
    // PARM='MODE=EXT,DEBUG=NO,TIME=YES'
    //IEFRDER DD DSN=&TRACE,
    // DISP=(&DSP,CATLG),
    // UNIT=SYSALLDA,
    // SPACE=(&SIZE)
    //SYSLIB DD DISP=SHR,DSN=&PLIB(&MEMBER)
    //*
  2. Create a GTF trace options file, for example GTFSAF, with the following content:
    TRACE=USRP
    USR=(F44)
    END
  3. Create a SLIP trap that triggers on the FEKP02I message (console command):
    SLIP SET,ID=RDZ1,MSGID=FEKP02I,JL=(RACF,RSED*),DN=(1.IRR*),END
  4. Start the GTF trace (console command):
    START GTF.GTFRDZ,MEMBER=GTFSAF
  5. Accept the trace options by replying to AHL125A RESPECIFY TRACE OPTIONS OR REPLY U (console command):
    R xx,U
  6. Enable the SAF trace in RACF (console command):
    @SET TRACE( JOBNAME(RSED*) RACROUTE(TYPE(1)) CALLABLE(TYPE(43)) ) LIST
    Note: The "@" represents the subsystem command prefix you assigned to RACF via the INITPARM value in SYS1.PARMLIB(IEFSSNxx). This implies that the RACF subsystem must be active.

    For more information about this, see http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ICHZA290/4.6.1.1?SHELF=ICHZBK90&DT=20080521121606&CASE= (z/OS 1.10). RACF support will tell you the desired trace options for the specific problem.

Recreate the problem. (Only log on; do not disconnect, to avoid trace pollution.)

Finally, disable the trace, collect the data, and undo the changes for the test driver.

Disable the trace as soon as possible after the problem has been recreated, to prevent the data from "rolling out" of the trace file.

  1. Disable the SAF trace in RACF (console command):
    @SET TRACE( NOJOBNAME NORACROUTE NOCALLABLE ) LIST
  2. Stop the GTF trace (console command):
    STOP GTFRDZ
  3. Terse and FTP the dump and trace to IBM®. (Be sure to reference the PMR number.)
  4. Remove the test driver:
    mv /usr/lpp/rdz/lib/zosserver.jar.bu /usr/lpp/rdz/lib/zosserver.jar
  5. Verify that the previous command restored the original file:
    ls -lE /usr/lpp/rdz/lib/zosserver.jar
    -rwxr-xr-x --s- 2 IBMUSER SYS1 59669 Dec 16 18:37 zosserver.jar
  6. Restart the RSED started task to pick up the changes.