Question & Answer
I am able to start a CICS Liberty JVM server and it successfully enables. But, when I try to run the com.ibm.cics.wlp.defaultapp to test the Liberty JVM server, I get the following messages:
ICH420I PROGRAM DFHSIP FROM LIBRARY HLQ.SDFHAUTH CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED.
BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING.
I am running CICS Transaction Server for z/OS (CICS TS) 5.3 on z/OS 2.2. Why is this error occurring?
Message ICH420I is occurring because you are using a CICS Liberty JVM server and are attempting to access a secured Liberty web application from the browser. The CICS Liberty JVM server security implementation uses the Liberty Angel process to perform authorized security checks. If Liberty is unable to connect to the Angel process, it will default to using UNIX System Services (USS) security, which requires all members in the STEPLIB and DFHRPL concatenations to be program controlled. However, you should not program control your load libraries.
First you need to check that you have configured the Liberty Angel process and that it is running. The first few lines in the Liberty messages.log file will indicate whether the Angel is set up correctly or not.
If you see these messages, they indicate that the Angel is not set up correctly:
CWWKB0101I: The angel process is not available. No authorized services will be loaded. The reason code is 1.
CWWKB0104I: Authorized service group KERNEL is not available.
CWWKB0104I: Authorized service group LOCALCOM is not available.
CWWKB0104I: Authorized service group PRODMGR is not available.
CWWKB0104I: Authorized service group SAFCRED is not available.
CWWKB0104I: Authorized service group TXRRS is not available.
CWWKB0104I: Authorized service group WOLA is not available.
CWWKB0104I: Authorized service group ZOSAIO is not available.
CWWKB0104I: Authorized service group ZOSDUMP is not available.
CWWKB0104I: Authorized service group ZOSWLM is not available.
CWWKB0104I: Authorized service group CLIENT.WOLA is not available.
Since the Angel is not running, you need to ensure that you have the correct security profiles in place. In CICS TS 5.3 and above, ensure the safRegistry element in the server.xml file has the enableFailover option set to false:
<safRegistry id="saf" enableFailover="false" />
To enable the Angel, you will need to enter various RACF commands as documented in the following sections:
Configuring security for a Liberty JVM server in the CICS TS documentation
The Liberty server angel process in the CICS TS documentation
Enabling z/OS authorized services in Liberty for z/OS in the WebSphere Application Server (WAS) documentation
If you still experience problems after referencing the above information, please open a problem with IBM and provide the RACF output for these commands:
RLIST STARTED BBGZANGL.* STDATA ALL
RLIST STARTED BBGZSRV.* STDATA ALL
RLIST SERVER BBG.ANGEL ALL
RLIST SERVER BBG.AUTHMOD.BBGZSAFM ALL
RLIST SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED ALL
RLIST SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM ALL
RLIST SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS ALL
RLIST SERVER BBG.AUTHMOD.BBGZSAFM.ZOSDUMP ALL
RLIST SERVER BBG.AUTHMOD.BBGZSAFM.LOCALCOM ALL
RLIST SERVER BBG.AUTHMOD.BBGZSAFM.WOLA ALL
RLIST SERVER BBG.AUTHMOD.BBGZSAFM.ZOSAIO ALL
RLIST SERVER BBG.AUTHMOD.BBGZSCFM ALL
Cheers, Shayla Robinson
IBM CICS CICSPlex SM Level2 Support
17 January 2018
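The two checks described in the answer (the Angel messages at the top of messages.log and the enableFailover setting on safRegistry in server.xml) can be scripted. The following is an added example, not IBM's or the original author's code; the function name, the result keys and the sample inputs are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Message IDs and wording as quoted on this page.
ANGEL_DOWN = re.compile(r"CWWKB0101I: The angel process is not available\."
                        r".*?reason code is (\d+)")
GROUP_DOWN = re.compile(r"CWWKB0104I: Authorized service group (\S+) is not available")

def check_liberty_security(messages_log, server_xml):
    """Summarise Angel status and the safRegistry failover setting."""
    angel = ANGEL_DOWN.search(messages_log)
    missing = GROUP_DOWN.findall(messages_log)
    regs = ET.fromstring(server_xml).findall(".//safRegistry")
    # The page requires enableFailover="false" to be set explicitly.
    failover_off = bool(regs) and all(
        r.get("enableFailover", "").strip().lower() == "false" for r in regs)
    findings = []
    if angel:
        findings.append(f"Angel not available (reason code {angel.group(1)})")
    if "SAFCRED" in missing:
        findings.append("SAFCRED unavailable: authorized security checks cannot run")
    if not failover_off:
        findings.append('safRegistry is not set to enableFailover="false"')
    return {"angel_down": angel is not None,
            "reason_code": int(angel.group(1)) if angel else None,
            "missing_groups": missing,
            "failover_disabled": failover_off,
            "findings": findings}

# Constructed sample input (not taken from a real system).
SAMPLE_LOG = """\
CWWKB0101I: The angel process is not available. No authorized services will be loaded. The reason code is 1.
CWWKB0104I: Authorized service group KERNEL is not available.
CWWKB0104I: Authorized service group SAFCRED is not available.
CWWKB0104I: Authorized service group CLIENT.WOLA is not available.
"""
SAMPLE_XML_OK = '<server><safRegistry id="saf" enableFailover="false" /></server>'
SAMPLE_XML_WEAK = '<server><safRegistry id="saf" /></server>'

if __name__ == "__main__":
    for name, xml in (("ok", SAMPLE_XML_OK), ("weak", SAMPLE_XML_WEAK)):
        print(name, check_liberty_security(SAMPLE_LOG, xml))
```

An empty findings list only means that none of the conditions described above were seen in the supplied text; it does not confirm the RACF profiles themselves.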