The RACF® manager performs
operations on the RACF database
at the request of the RACF commands, RACF utility programs, and RACF SVC processing routines. Failures
that occur during RACF manager
processing can cause serious problems in the index entries and other
records in the RACF database.
If RACF is enabled
for sysplex communication,
a system experiencing a problem with one or more RACF cache structures might enter read-only
mode, with RACF issuing message IRRX004A.
Except for statistics updates during logon and job initiation, and
other statistics updates made with ICHEINTY ALTERI requests, the RACF manager rejects requests to
update the RACF database with
return code X'50'.
For messages IRR402I, IRR403I, and IRR404I, see z/OS Security Server RACF Messages and Codes for
the error recovery procedures listed
with each message under the heading “Problem Determination.”
For messages other than IRR402I, IRR403I, and IRR404I that indicate
a failure has occurred during RACF manager
processing, the system programmer or security administrator performs
the following steps:
- Reenter the RACF command
or RACF utility, or perform
the system operation again.
- If the failure occurs again, it is likely that you have a problem
with an index entry or profile entry in your RACF database. Because the index structure is
required to locate profile data, it is essential to have a valid index
structure. Therefore, you should perform the following steps in order
during problem determination to find the failing profile.
- Run the RACF database verification
utility program (IRRUT200) with the INDEX and MAP ALL options to identify
problems with the RACF database. For
a description of the types of problems the utility finds, see the
description of IRRUT200 in RACF database utilities.
If
IRRUT200 does not detect any problems in the RACF database structure (it verifies the index
structure down to the profile level), try running the RACF database unload utility (IRRDBU00). The
IRRDBU00 utility must read every profile in the database and thereby
might (implicitly) identify profiles with errors. If IRRDBU00 encounters
a profile in error, it might issue message IRR67092. This message
contains an ICHEINTY return and reason code and also the entry name
of the profile being processed.
If you do not receive this
message, but rather abend or terminate in another fashion, you might
also be able to determine the profile in error. To do this, look
in the output data set (OUTDD) and find the last profile (at the bottom)
that was unloaded. It is likely that this profile is correct. However,
the next profile in the database (in the same class) could possibly
be in error, if indeed a bad profile is causing the utility to terminate.
You
can find the next profile in the database by examining the output
of an IRRUT200 utility run (specifying INDEX FORMAT), or by using
the BLKUPD command to examine an online database.
- Attempt to correct the problem using RACF commands. If this does not work, use BLKUPD to
correct the problem in the RACF database.
- Rerun the IRRUT200 utility program to determine if there are any
additional problems. If so, use BLKUPD to correct the additional
problems.
For messages IRR402I, IRR403I, and IRR404I, the system programmer
or security administrator should perform steps 2a and 2b.