IBM Support

ICH420I DFHSIP from hlq.SDFHAUTH when trying to run com.ibm.cics.wlp.defaultapp

Question & Answer


Question

I am able to start a CICS Liberty JVM server and it successfully enables. But, when I try to run the com.ibm.cics.wlp.defaultapp to test the Liberty JVM server, I get the following messages:

 ICH420I PROGRAM DFHSIP FROM LIBRARY HLQ.SDFHAUTH CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED.    
 BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING.

I am running CICS Transaction Server for z/OS (CICS TS) 5.3 on z/OS 2.2. Why is this error occurring?

Answer

Message ICH420I is occurring because you are using a CICS Liberty JVM server and are attempting to access a secured Liberty web application from the browser. The CICS Liberty JVM server security implementation uses the Liberty Angel process to perform authorized security checks. If Liberty is unable to connect to the Angel process, it will default to using Unix System Services (USS) security which requires all members in the STEPLIB and DFHRPL concatenations to be program controlled. However, you should not program control your load libraries.

First you need to check that you have configured the Liberty Angel process and that it is running. The first few lines in the Liberty message.log file will indicate if the Angel is set up correctly or not.

If you see these messages, they indicate that the Angel is not set up correctly:

 CWWKB0101I: The angel process is not available. No authorized services will be loaded. The reason code is 1.
 CWWKB0104I: Authorized service group KERNEL is not available.
 CWWKB0104I: Authorized service group LOCALCOM is not available.
 CWWKB0104I: Authorized service group PRODMGR is not available.
 CWWKB0104I: Authorized service group SAFCRED is not available.
 CWWKB0104I: Authorized service group TXRRS is not available.
 CWWKB0104I: Authorized service group WOLA is not available.
 CWWKB0104I: Authorized service group ZOSAIO is not available.
 CWWKB0104I: Authorized service group ZOSDUMP is not available.
 CWWKB0104I: Authorized service group ZOSWLM is not available.
 CWWKB0104I: Authorized service group CLIENT.WOLA is not available.

Since the Angel is not running, you need to ensure that you have the correct security profiles in place. In CICS TS 5.3 and above, ensure the safRegistry element in the server.xml file has the enableFailover option set to false:

 <safRegistry id="saf" enableFailover="false" />

To enable the Angel, you will need to enter various RACF commands as documented in the following sections:

If you still experience problems after referencing the above information, please open a problem with IBM and provide the RACF output for these commands.

 RLIST STARTED BBGZANGL.* STDATA ALL
 RLIST STARTED BBGZSRV.* STDATA ALL
 RLIST SERVER BBG.ANGEL ALL
 RLIST SERVER BBG.AUTHMOD.BBGZSAFM ALL
 RLIST SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED ALL
 RLIST SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM ALL
 RLIST SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS ALL
 RLIST SERVER BBG.AUTHMOD.BBGZSAFM.ZOSDUMP ALL
 RLIST SERVER BBG.AUTHMOD.BBGZSAFM.LOCALCOM ALL
 RLIST SERVER BBG.AUTHMOD.BBGZSAFM.WOLA ALL
 RLIST SERVER BBG.AUTHMOD.BBGZSAFM.WOLA ALL
 RLIST SERVER BBG.AUTHMOD.BBGZSAFM.ZOSAIO ALL
 RLIST SERVER SERVER BBG.AUTHMOD.BBGZSCFM ALL
 RLIST SERVER SERVER BBG.AUTHMOD.BBGZSCFM ALL

Cheers, Shayla Robinson
IBM CICS CICSPlex SM Level2 Support

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Platform":[{"code":"PF035","label":"z\/OS"}],"Component":"Liberty","Version":"","Line of Business":{"code":"LOB17","label":"Mainframe TPS"}}]

Product Synonym

CICS/TS CICSTS CICS TS CICS Transaction Server

Document Information

Modified date:
17 January 2018

UID

dwa1418388