SE.W communication problems

The SE.W communication is handled by the REXX C2RELSI program. This program creates four files in the home directory of the user:
C2RELSI.userid.LST
The official response file. This file usually contains the install password generated. The password is normally just one line containing ten hexadecimal digits, as shown in the following example:
8337F93AD5
C2RELSI.userid.ERR
The line mode output file, which usually contains only the userid and passwords prompts:
userid:password:
C2RELSI.userid.LSI
The input file with commands for the server. For a P command, the input file would contain:
minigenerateinstallpassword(12.1.100)
echo(!R:)
C2RELSI.userid.LOG
The software log file, which normally contains only the software level and open/close messages as illustrated in the following example:
<20010427 08:11:27 utc> P399M1V0.0L309A5S0E10:Opened C2RELSI.MYUSER.LOG.
Product: racfwin.product.server.app. Version: 1.4.
Builddate: 2001/04/23/13:02. Local time: Fri Apr 27 08:11:27 2001.
<20010427 08:11:28 utc> P399M1V0.0L164A2S0E20:Forced close of C2RELSI.MYUSER.LOG
<20010427 08:11:28 utc> P399M1V0.0L461A5S0E15:Closed C2RELSI.MYUSER.LOG
The following error messages might display at various stages of the SE.W communication process:
Failure to execute

If the REXX C2RELSI cannot find the program lsi, or the current user is not allowed to execute it, the message Failure to execute is displayed in the upper right corner of the screen. If you press PF1 (Help), the long message explaining the cause of the error is displayed as shown in the following example:

/u/C2RSERVE/c2rserve/bin/lsi -t C2RELSI.MYUSER.LOG A:10.0.1.20:8011 C2RELSI.MYUSER.LSI - errno=81 53B006C

The long message specifies an error number (errno) that provides information about the problem. The possible error messages and associated explanations are as follows:

errno=81 594003D
This error occurs when one of the directories in the path to the lsi executable is not found. The path is specified by the C2RWIN parameter in the zSecure configuration. To correct the problem, make sure that the path exists in the z/OS® UNIX System Services zFS file system and that the path was used in job C2RZWUNP.
Note: The C2RWIN parameter is case-sensitive.
errno=81 53B006C

This error occurs when the location of one the zSecure Visual programs is not found. To correct the problem, make sure that the path exists in the z/OS UNIX System Services zFS file system and that the path was used in job C2RZWUNP.

errno=6F 5B400002
This error occurs when the current user has no search access on a directory in the path to the lsi executable. This problem also shows up in the SYSLOG as an access violation:
ICH408I USER(MYUSER ) GROUP(MYGROUP ) NAME(VISUAL RACF ADMIN  )
/usr/lpp/c2r/V2R3M1/lsi
CL(DIRSRCH ) FID(01E2D4E2F0F0F833F409000000000003)
INSUFFICIENT AUTHORITY TO LOOKUP
ACCESS INTENT(--X)  ACCESS ALLOWED(OTHER ---)

To fix the problem, grant the user who is to run SE.W access to the directory where the zSecure Visual server code resides. In job C2RZWUNP, ownership of this directory was established as user C2RUSER and group C2RGROUP (which you might have customized). CONNECT the userid who is to run SE.W to the owning group. Note that SE.W is only required to configure the first workstation. This workstation can then be used to configure subsequent workstations.

Cannot browse an empty file

This ISPF error message can hide the original error message reporting on a failure to execute lsi. This message might display if the zSecure Visual server is not running yet.

an error has occurred
If the password generation fails, this message is displayed in the upper right corner of the screen and is accompanied by one of the following more descriptive error messages.
couldn't open session with bluebook adapter
This descriptive message indicates that the server has not been started, or it has been started but it is not yet ready to accept a password generation request.

If the server has just been started, it is usually ready to generate a password after about 10 seconds on a lightly loaded 30 MIPS machine. If the same error message is displayed after a delay of a few minutes, the server might be unreachable or the IP number might be incorrect.

logon failed
This message is displayed when the server accepts the password generation request but is still not ready to generate a password. To resolve this problem, wait a few seconds (on a 30 MIPS machine) after the failure message displays before attempting another password generation request. When the server is ready to generate a password, the following message displays in the server log:
E5:Dispatch: Started adapter 'RACF'
If the server runs in trace mode, it is ready to generate a password when the following trace message is printed twice:
E0: IpcSetState:setting state ( 6 -> 1 )
Must be numeric
This message displays when the entered agent ID is not of the form 12.1.<NN>, where <NN> is a sequence of decimal digits. To fix this problem, enter an agent ID in the correct form (for example, 12.1.100).
Userid and password messages
  • Unknown userid <userid>.
  • Userid <userid> is revoked.
  • Invalid password.
  • The password has expired.
Resource C2R.SERVER.ADMIN in the <class> class is not covered by a RACF profile.
If this error occurs, you can see the following message in the JES SYSLOG:
ICH13003I C2R.SERVER.ADMIN NOT FOUND
EDC5139I Operation not permitted. Reason code: 00d8.
This message and reason code indicate that the server userid has no READ access to the FACILITY resource BPX.SERVER. If this error occurs, you can see the following message in the JES SYSLOG:
ICH408I USER(C2RSERVE)
  BPX.SERVER CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
EDC5139I Operation not permitted. Reason code: 02af.
This message and reason code indicate that one of the modules that is run under control of the Visual Server cannot be loaded because it does not meet the Program Control requirements. See Installation requirements on how to set up Program Control for the Visual Server.
Also, search the SDSF syslog for messages that occurred around the time of the failure. For example, messages like the following may appear:
ICH420I PROGRAM CKRCARLA FROM LIBRARY CKR.SCKRLOAD CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED.
ICH422I THE ENVIRONMENT CANNOT BECOME UNCONTROLLED.
BPXP014I ENVIRONMENT MUST REMAIN CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING.
CSV042I REQUESTED MODULE CKRCARLA NOT ACCESSED. THE MODULE IS NOT PROGRAM CONTROLLED

In particular, messages ICH420I and CSV042I identify the module that does not meet the requirements. Find the PROGRAM profile that covers that module, find from which data set the module is to be loaded, and make sure that that data set is a member of the relevant PROGRAM profile.

C2RW018I The resource class for zSecure security checks cannot be determined
The CKRSITE module does not contain a valid security class. Such a class is required to determine the access of users to various resources. For information about the CKRSITE module, see Site module.
<userid> has no READ access to C2R.SERVER.ADMIN resource in the <class> class.
This message indicates that the userid does not have at least READ access to the C2R.SERVER.ADMIN resource. In the JES SYSLOG, you can see the following message:
ICH408I USER(ABCDEFG)
  C2R.SERVER.ADMIN CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
The environment does not satisfy the requirements for program control.
A required module is not program controlled. All load modules (and program objects) that are loaded in the Visual Server address space must be program controlled. Also, the file system that contains the Visual Server software must be mounted with the SECURITY and SETUID attributes. You can identify the uncontrolled module from message CSV0421I in the MVS™ syslog. See Installation requirements and Owner and location preparation for the software. After establishing program control, you must restart the server.
The agent has not been added with A or AP.
This message indicates an attempt to generate a password for an unconfigured client. No password has been generated. Add the client as described in Configuring the Visual Client.