IBM Security zSecure. Documentation updates: 64-bit Service Stream Enhancement


Chapter 1. About this document

This document lists updates to the IBM Security zSecure documentation as a result of the 64-bit Service Stream Enhancement (SSE). All updates apply to IBM Security zSecure Version

This SSE delivers two important functional changes:

1. The ability to run an alternate 64-bit CARLa engine that moves storage for a lot of control blocks above the bar, allowing the processing of much more data at the same time and also freeing up memory below the bar.
2. Changes to the scoping mechanism:
   a. The SPECIAL, ROAUDIT, and AUDITOR attributes of the executing user ID now have a similar effect as a CKR.READALL permit.
   b. The effect of SPECIAL versus AUDITOR/ROAUDIT attributes is more visible per complex, based on the privileges the user has on every individual complex.
   c. The CKR0031 message has been enhanced.

The following IBM Security zSecure publications for V2.2.0 were updated. Other applicable information is also provided.

- IBM Security zSecure Installation and Deployment Guide
- IBM Security zSecure CARLa Command Reference
- IBM Security zSecure Admin and Audit User Reference Manual for RACF
- IBM Security zSecure Messages Guide

Note: Referenced topics that have not changed are not included in this document. You can find them in the publication that the chapter applies to.


Chapter 2. Other information

This chapter provides information that is not contained in the IBM Security zSecure documentation.

z/OS APAR OA50672

When choosing the 64-bit engine, also be aware of z/OS APAR OA50672 (open at the time of publication) against HFS 64-bit support. Without the fix, you might experience CKR0915 messages when writing to a UNIX file within an HFS with RC 157 (MVS environment error) or incorrect RC values. If this happens, switch to the 31-bit engine, apply the fix for APAR OA50672 if available, or allocate a zFS, instead of an HFS, for your UNIX output. Note that the LEEF integrations with IBM QRadar SIEM use UNIX files.

ABENDB37 occurs when producing a large report

When producing a large report, an ABENDB37 might occur.

Symptoms: If running from the UI, on the TSO session you will see, for example:

    Abend B37000 hex occurred processing command CKR8Z196.

The syslog will show the name of the REPORT dataset that ran out of space:

    IEC030I B37-04,IFG0554A,CRMBMJ1,TSOLOGON,CKR1RPT,0503,T80104, CRMBMJ1.C2R1AF6.REPORT

Cause: The default space allocation is not large enough to contain the entire report.

Resolution:

1. Use ISPF 3.2 to look at the attributes of the REPORT dataset. This saves the attributes for the next step.
2. Press PF3 from the Data Set Information display in ISPF 3.2, and then type D to delete the existing REPORT dataset.
3. Type A to allocate a new REPORT dataset of the same name, and specify space parameters large enough so that the entire report can be stored.


Chapter 3. IBM Security zSecure CARLa-Driven Components Installation and Deployment Guide

This chapter lists the documentation updates for the zSecure Installation and Deployment Guide as a result of the zSecure 64-bit Service Stream Enhancement (SSE).

The following sections include documentation updates:

- Chapter 9. Setup for remote data access and command routing, section Configuration file OPTION statement: The introduction has changed and the CKRCARLA parameter was added.
- Appendix B. Security setup for zSecure, section Data presentation controls: Some information was removed.
- Appendix C. Restricted mode, section Conditions for restricted mode: The section was rewritten.

Configuration file OPTION statement

Use the configuration file OPTION statement to specify server-specific parameters for the zSecure Server or to specify diagnostic settings. In most situations, the OPTION statement is not required. However, if you are running multiple servers on the same systems, the OPTION statement is required to specify unique parameters for each server. The OPTION statement can also be used to specify diagnostic settings.

    OPTION
        OwnSys(system-name)
        SIRoutine(CKRSRVIR)
        SIRoutine(program-name)
        ServerToken(PRODSERV)
        ServerToken(token-name)
        CKRCARLA('ckrcarla-parm-string')
        InSecure
        Debug
        RMTMSG
        Timestamp
        Other-diagnostic-options
        MSGSUP(message-number)

The keywords and parameters have the following meanings:

OwnSys
    This keyword specifies the system name for the current server. This value is needed only if there is more than one ZSECSYS entry that matches the host name of the current TCP/IP stack. Normally, the local system name is determined based on the IPADDRESS of the ZSECSYS definitions. If there are multiple ZSECSYS statements with the same IPADDRESS specification, and OWNSYS is not specified, one of the possible ZSECSYS entries is used for the current server. Which name is used in that case is unpredictable.

SIRoutine
    This keyword specifies the name of the Server Interface Routine. Currently this keyword and parameter are ignored.

ServerToken
    This keyword specifies the eight-character suffix for the name of the Named-Token to be used to anchor the global data area used for this server. The value specified is prefixed by the value CKNSERVE. If the same value is specified for two servers, the second started instance will fail. The default value for the token is PRODSERV. If this keyword is not specified, the default value is used. You need to specify a value for the ServerToken only if you are running multiple zSecure Servers on the same system.

CKRCARLA
    The CKRCARLA keyword can be used to add a CARLA statement to the CKRCARLA call parameters. This keyword is intended to be used for debug parameters that are only effective on the program call parameter. The ckrcarla-parm-string has a maximum length of 80 characters and must be within quotes.

InSecure
    This keyword specifies that insecure communication to other zSecure Servers is acceptable. To enable communication that is not secure between two zSecure Servers, both servers must specify the INSECURE option, and the userid of the server task must have READ access to applicable CKNADMIN profiles in the XFACILITY resource class. This option is for use only during initial setup, and is not for production usage.

Debug
    This keyword specifies that additional diagnostic messages are to be issued to the server CKNPRINT output file. Use this keyword only at the request of IBM Software Support personnel.

RMTMSG
    This keyword can be used to signal the zSecure Server to include the SYSPRINT and SYSTERM output from remote applications in the local CKNPRINT output file. For example, when a client accesses data from a remote RACF database, the remote server uses CKRCARLA to read the RACF database. The output of the remote CKRCARLA is always available in the SYSPRINT file of the client application. Including this same output also in the CKNPRINT of the local server is optional. If you specify the DEBUG option, RMTMSG is selected as well.

Timestamp
    This keyword specifies that messages issued in the server CKNPRINT output file are prefixed with a timestamp. The timestamp information is shown in UTC, and uses a fixed format.

MSGSUP
    This keyword specifies a list of message numbers that are suppressed in the server CKNPRINT output file. It can be used in combination with the DEBUG command. Use this keyword only at the request of IBM Software Support personnel.

Other-diagnostic-options
    Several additional diagnostic options are available when specified in the parameter string to the CKNSERVE program. Use these options only at the request of IBM Software Support personnel; they are not intended for customer use. The currently implemented options are NOESTAE, NOCLOSE, NODUMP, NOCLEANUP, NODUMPEXIT, NOGUARD, and STORAGEGC.

Data presentation controls

zSecure uses the system authorization facility (SAF) to determine the data (profiles, rules, SMF records) that users are allowed to see, and to configure menus. The scope of resources and data that users see is controlled using access to the CKR.READALL resource. See Appendix C. Restricted mode in the zSecure Installation and Deployment Guide. The ISPF user interface menus are determined through resources CKR.OPTION.* and the available line commands are controlled using resources CKR.ACTION.*. The capability to ask for all profiles (no mask or name) is controlled through CKR.CONTROL.MASK. Users need at least READ access.

Note: Appendix C. Restricted mode in the zSecure Installation and Deployment Guide contains the topic Conditions for restricted mode. The updated version of this topic is contained in this document.

Conditions for restricted mode

Restricted mode is determined in the following manner:

1. If the user specifies SIMULATE RESTRICT, restricted mode is activated. This is noted in one of the message variants that give some information about what would happen without the SIMULATE RESTRICT:

       CKR0031 Restricted mode by simulation, although user userid has privilege privilege
       CKR0031 Restricted mode by simulation, although user userid READ access to class profile
       CKR0031 Restricted mode by simulation for user userid, although no profile class profile

2. If one of the ALLOC statements refers to a remote node and the (possibly mapped) user ID there has no SPECIAL, AUDIT, or ROAUDIT privilege and no READ permit on CKR.READALL in the security database on that remote node, restricted mode is activated. The class for the CKR.READALL resource on the remote node is determined by the site module on the remote node. See Appendix A. Site module in the zSecure Installation and Deployment Guide. This is noted in one of the message variants that give some information about what would happen without the remote node restriction:

       CKR0031 Restricted mode by remote node, although user userid has privilege privilege
       CKR0031 Restricted mode by remote node, although user userid READ access to class profile
       CKR0031 Restricted mode by remote node for user userid, although no profile class profile

   If both 1 and 2 are the case, then the messages use simulation and remote node, instead of giving the similar messages twice.

3. Else, if the user has any of the attributes SPECIAL, AUDITOR, ROAUDIT in the system running the query, unrestricted mode is granted. This is noted with message:

       CKR0031 Unrestricted mode active, user userid has privilege privilege

4. Else, access to the CKR.READALL resource is tested (in the XFACILIT class, unless you changed this; see Appendix A. Site module in the zSecure Installation and Deployment Guide). If the SAF call takes a decision (through profile or class default RC):
   a. NO access enforces restricted mode. This is noted with message:

          CKR0031 Restricted mode active, user userid no READ access to class profile

   b. READ or higher access grants unrestricted mode. This is noted with message:

          CKR0031 Unrestricted mode active, user userid READ access to class profile

5. Else (that is, access to CKR.READALL is undecided), restricted mode is in effect when at least one of the following is true:
   a. The live system is RACF and the user has only access to (part of) the input via PADS, as described in Setting up Program Control and PADS access in the zSecure Installation and Deployment Guide. This applies to security database, CKFREEZE, SMF, DEFTYPE, and access monitor input files. This is noted with message:

          CKR0031 Restricted mode active because of [PADS | program pathing] user userid

   b. The Site module (see Appendix A. Site module in the zSecure Installation and Deployment Guide) has been configured to specify restricted mode. This is noted with message:

          CKR0031 Restricted mode active by installation option; user userid

6. Else, unrestricted mode is granted. This is noted with message:

       CKR0031 Unrestricted mode active; user userid

Note: Access is undecided when there is no covering profile in RACF and there is, in the Site module, a resource class with a default return code of 4. The default class is XFACILIT, which has a default return code of 8, meaning that access is forbidden.

Users that have the SPECIAL, AUDITOR, or ROAUDIT attribute on the executing system operate in unrestricted mode by default as explained above, but can be made restricted by using SIMULATE RESTRICT. When using SIM RESTRICT, global audit fields will be invisible to the SPECIAL user who does not also have AUDITOR or ROAUDIT.

When accessing a remote system through CKNSERVE, a similar decision is taken based on the system-wide properties and CKR.READALL permit of the mapped user ID on the remote system.

When analyzing multiple, possibly remote, security databases in one run, keep in mind that 'Restricted mode' is a condition that is not specific to a complex or file. It applies to all complexes and applicable files after it is activated based on insufficient user authority on any one local or remote system where a query is directed.

When running in restricted mode, the scope used is smaller than for trusted reporting in unrestricted mode. As a consequence, the reports exploiting scope-related information might contain fewer records. This reduced scope is the same one that you get by adding SUPPRESS REASON=(SELFCONNECT, PWDCHANGE, WARN, NOPROFILE, CKGRACMAP CKGRACDCERT) to a scope report. A message CKR2245 is issued to document this if you are using a function that also needs the scope trees.
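The evaluation order in Conditions for restricted mode, modelled as an added Python example (not IBM code and not part of the zSecure documentation), so that the precedence of SIMULATE RESTRICT and remote nodes over local privileges can be checked case by case. The class and field names are assumptions made for illustration; the message texts follow the CKR0031 variants listed in this chapter, and the text used when a simulated run already has no access to CKR.READALL is an assumption because no variant is listed for that case.

```python
from dataclasses import dataclass
from enum import Enum
from typing import NamedTuple, Tuple

PRIVS = ("SPECIAL", "AUDITOR", "ROAUDIT")  # system-wide attributes (step 3)


class Saf(Enum):
    """Outcome of the SAF check on CKR.READALL (step 4)."""
    READ = "READ or higher"
    NONE = "no access"
    UNDECIDED = "no covering profile and class default RC 4"


@dataclass(frozen=True)
class Remote:
    """(Possibly mapped) user ID on a remote node named in an ALLOC statement."""
    privileges: frozenset = frozenset()
    readall: Saf = Saf.NONE


@dataclass(frozen=True)
class Run:
    userid: str
    privileges: frozenset = frozenset()
    readall: Saf = Saf.NONE       # default class XFACILIT has default RC 8
    simulate_restrict: bool = False
    remotes: Tuple[Remote, ...] = ()
    pads_input: bool = False      # some input is readable only through PADS
    site_restrict: bool = False   # Site module specifies restricted mode
    resource: str = "XFACILIT CKR.READALL"


class Decision(NamedTuple):
    restricted: bool
    message: str


def decide(run: Run) -> Decision:
    """Return the mode and the CKR0031 text for one query run."""
    u, res = run.userid, run.resource
    held = " ".join(p for p in PRIVS if p in run.privileges)

    # Steps 1 and 2 come first and override local privileges and permits.
    causes = []
    if run.simulate_restrict:
        causes.append("simulation")
    if any(not (set(PRIVS) & r.privileges) and r.readall is not Saf.READ
           for r in run.remotes):
        causes.append("remote node")  # one weak node restricts the whole run
    if causes:
        by = " and ".join(causes)
        if held:
            tail = f", although user {u} has privilege {held}"
        elif run.readall is Saf.READ:
            tail = f", although user {u} READ access to {res}"
        elif run.readall is Saf.UNDECIDED:
            tail = f" for user {u}, although no profile {res}"
        else:
            tail = f"; user {u}"  # assumption: no variant listed for this case
        return Decision(True, f"Restricted mode by {by}{tail}")

    if held:  # step 3
        return Decision(
            False, f"Unrestricted mode active, user {u} has privilege {held}")
    if run.readall is Saf.NONE:  # step 4a
        return Decision(
            True, f"Restricted mode active, user {u} no READ access to {res}")
    if run.readall is Saf.READ:  # step 4b
        return Decision(
            False, f"Unrestricted mode active, user {u} READ access to {res}")
    if run.pads_input:  # step 5a
        return Decision(True, f"Restricted mode active because of PADS; user {u}")
    if run.site_restrict:  # step 5b
        return Decision(
            True, f"Restricted mode active by installation option; user {u}")
    return Decision(False, f"Unrestricted mode active; user {u}")  # step 6
```
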


Chapter 4. zSecure CARLa Command Reference

This chapter lists the documentation updates for the zSecure CARLa Command Reference as a result of the zSecure 64-bit Service Stream Enhancement (SSE).

SUPPRESS command

An IO_OVERLAP parameter was added to the SUPPRESS command:

IO_OVERLAP
    This setting applies primarily to the order in which CKFREEZE, UNLOAD, and ACF2 files are read; this option makes the processing order more deterministic. When SUPPRESS IO_OVERLAP is active, if a file is still in an I/O wait after processing of the previous record, CARLa processing does not switch to a different file. Using this option increases run time.

The MYACCESS<level parameter description has changed:

MYACCESS<level
    This option applies only to RACF systems. It limits REPORT and NEWLIST output to profiles that you might access with at least the level indicated. The levels that can be used are listed with the ACCESS parameter of the REPORT command; see REPORT. As an example, SUPPRESS MYACCESS<ADMIN restricts REPORT and NEWLIST output to those profiles you may administer, for example, profiles that you are owner of, or discrete profiles that you have ALTER access over.

    For RACF, this keyword is effectively disregarded if you have system special in the database being displayed (because with system special, you have administrative authority over all RACF profiles). This effect of SPECIAL can be suppressed with SUPPRESS REASON=SPECIAL.

    Also for RACF, note that records will not be suppressed if they are in your CKG scope, in addition to the normal RACF scope. The records seen only because of this can be suppressed by SUPPRESS REASON=CKGOWNER.

ALLOCATE command

A PROGRAM parameter was added to the Global allocation parameters of the ALLOCATE statement:

PROGRAM=programname
    This parameter is valid only on the CKRCARLA PARM string. It can be used to override the default selection of the hardware-dependent program module. Only program names CKR4Z and CKR8Z196 are recognized. All other program names are ignored and the default program module is used instead.

    In the 64-bit enablement SSE as shipped in the service stream for zSecure 2.2.0, the default is to run the 31-bit version of the code CKR4Z (so that behavior is unchanged by default). In a future release, the CKRCARLA program might change its default choice, for example based on the hardware the program is running on. Use this parameter if the default selection of the hardware-dependent program module is undesirable. The parameter is an alternative to calling the hardware-dependent program module directly.

GLOBAL description update

The description of GLOBAL was updated in the REPORT_SCOPE VIA field keywords and descriptions table in the field description for VIA in the REPORT_SCOPE NEWLIST:

GLOBAL: Access granted via global access table.

Changes to SCOPE=id parameter of NEWLIST command

In Chapter 1. CARLa Command Language, the NEWLIST parameter descriptions section of NEWLIST, the SCOPE=id parameter description changed.

SCOPE=id
    Limit the output of a NEWLIST type containing resource information to information inside the scope of authority of the specified ID. For RACF, the ID can be a user or a group. For ACF2, it is a logonid. For RACF, the scope check takes into account system-wide attributes SPECIAL, OPERATIONS, ROAUDIT, and AUDITOR, as well as group-special, group-operations and group-auditor. SCOPE is only supported for selected NEWLIST types. Requesting SCOPE on an unsupported report type results in no output.

    For RACF, the scope tests also take into account CKG scope and indirect scope reasons. These reasons can be suppressed by SUPPRESS REASON=list.

    The scope check applies to the UNLOAD command only for NEWLIST TYPE=SMF.

SPECIAL entry added to Access levels and their meaning table

In REPORT global processing options of the REPORT command, an entry (SPECIAL) was added to Table 27. Access levels and their meaning. (The section is in Chapter 1. CARLa Command Language -> REPORT -> REPORT parameters -> REPORT global processing options.)

Table 1. Access levels and their meaning

Level      Meaning
OWNER      Authority through ownership.
QUALOWN    Authority based on the first qualifier of a data set profile. If the data set HLQ is a user ID, this user has QUALOWN authority. Otherwise, if the data set HLQ is a groupid, any user with group-special for this group has QUALOWN authority.
CREATE     CREATE authority - a more specific profile can be created.
SPECIAL    Authorization through system-wide SPECIAL
ALTER-M    ALTER access on 'myself' - a user can alter some fields in their own user profile.
ALTER-P    ALTER access on a discrete profile (allowing you to issue PERMIT).
ALTER-S    Authority to alter granted by system level SPECIAL attribute.
CKGOWNR    Access granted by the CKGRACF authorized component of IBM Security zSecure Admin through the CKG.SCP scope profiles. Exactly what can be changed further depends on CKG.CMD profile access. This can only be more access than standard RACF, not less.
ADMIN      Same as CKGOWNR.
CNGOWNER   Same as CKGOWNR.
ALTER-Q    ALTER access caused by a group-operations attribute giving authority over a high level qualifier of a data set (as modified by naming conventions).
ALTER-O    ALTER access caused by a group-operations attribute giving authority through the OWNER of a profile in a resource class that is subject to OPERATIONS.
ALTER      ALTER access.
AD_READ    ADD, DELETE, and READ authority through a controlling profile in the FACILITY or XFACILIT or similar class.
ADD_DEL    ADD and DELETE authority through a controlling profile in the FACILITY or XFACILIT or similar class.
ADD        ADD authority through a controlling profile in the FACILITY or XFACILIT or similar class.
ADD-S      Limited ADD authority through a controlling profile in the FACILITY or XFACILIT or similar class.
CONTROL    CONTROL access.
D_READ     DELETE and READ authority through a controlling profile in the FACILITY or XFACILIT or similar class.
DELETE     DELETE authority through a controlling profile in the FACILITY or XFACILIT or similar class.
DELETE-S   Limited DELETE authority through a controlling profile in the FACILITY or XFACILIT or similar class.
UPDATE     UPDATE access.
READ       READ access.
READ-S     Limited READ authority through a controlling profile in the FACILITY or XFACILIT or similar class.
READLPA    The UACC does not allow READ, but the module can be read in the LPA.
LOADEXE    The UACC does not permit READ, but the module can be run, and it can be read using LOAD.
EXECUTE    EXECUTE access for running a module
COPY       A module can be read, but not run. If the operation does not depend on APF or library residence, then anyone can access its function by copying it to their own load library.
AUDIT      Audit access without any other access.
HIDDEN     A PDS member or load module hidden by a similarly named member in a library in front of this library.
NONE       No access.

Values added to SUPPRESS REASON= list

In Scoping rules that can be suppressed with REASON=, two values (AUDIT and SPECIAL) were added to the SUPPRESS REASON= list to suppress scoping rules.

AUDIT
    Suppresses accesses that would be included because the user has the system-wide AUDITOR attribute or the system-wide ROAUDIT attribute.

SPECIAL
    Suppresses accesses that would be included because the user has the system-wide SPECIAL attribute.


Chapter 5. zSecure Admin and Audit User Reference Manual for RACF

This chapter lists the documentation updates for the zSecure Admin and Audit User Reference Manual for RACF as a result of the zSecure 64-bit Service Stream Enhancement (SSE).

Updated list in Support for RACF group auditors

In Chapter 13. Problem Determination Guide, section Support for RACF group auditors, information was removed from the last list in the section. The resulting list now looks like this:

Restricted mode for the SMF processing functions of zSecure is subject to the following limitations:

- SMF records for which no RACF userid, RACF profile, or data set can be found can only be selected in unrestricted mode. Typically, these records describe system-wide events or status.
- The SUPPRESS CKFREEZE command is ignored, because CKFREEZE data is required to find the correct profile for data sets. The SUPPRESS reasons other than SUPPRESS NOPROFILE do not work for SMF records.


Chapter 6. IBM Security zSecure Messages Guide

This chapter lists the documentation updates for the zSecure Messages Guide as a result of the zSecure 64-bit Service Stream Enhancement (SSE):

CKF931I or CKV931I  proc: Buffer overrun - dln=destinationlength sln=sourcelength:: data
Explanation: A buffer overrun occurred in the format procedure proc. This message will be followed by a user ABEND 931. Contact IBM Software Support. It is possible to suppress the user ABEND 931 by specifying SUPPRESS FMTABEND (see reference to Command Language, SUPPRESS, FMTABEND) or SUPPRESS MSG=931. However, this can result in corrupted output or other errors.
Severity: 24

CKG841I  Severe function error [msg] PC RC=n - issuing user abend 841
Explanation: While reading from a remote node (SRVIN) or writing to a remote node (SRVOU), the Program Call interface of the server returned an error condition. The function can be SRVIN or SRVOU and, optionally, a message type msg is included.
User response: Verify that the server is active, then restart the server and try again.
Severity: 16

CKG845I  module CKNSRVIR queue file message type from zsecsys length length because waiting on zsecsys2 file file2
Explanation: This message is written only if requested by a DEBUG CKNSRVIR_POST statement. If you need information about this message, contact IBM Software Support.
Severity: 0

CKG846I  module CKNSRVIR return queued file message type from zsecsys length length
Explanation: This message is written only if requested by a DEBUG CKNSRVIR_POST statement. If you need information about this message, contact IBM Software Support.
Severity: 0

CKG931I  proc: Buffer overrun - dln=destinationlength sln=sourcelength:: data
Explanation: A buffer overrun occurred in the format procedure proc. This message will be followed by a user ABEND 931. Contact IBM Software Support. It is possible to suppress the user ABEND 931 by specifying SUPPRESS FMTABEND (see reference to Command Language, SUPPRESS, FMTABEND) or SUPPRESS MSG=931. However, this can result in corrupted output or other errors.
Severity: 24

CKN931I  proc: Buffer overrun - dln=destinationlength sln=sourcelength:: data
Explanation: A buffer overrun occurred in the format procedure proc. This message will be followed by a user ABEND 931. Contact IBM Software Support. It is possible to suppress the user ABEND 931 by specifying SUPPRESS FMTABEND (see reference to Command Language, SUPPRESS, FMTABEND) or SUPPRESS MSG=931. However, this can result in corrupted output or other errors.
Severity: 24

CKR0031  Restricted mode active by installation option; user userid
Explanation: This message indicates that the product was installed with restricted mode active. The restricted mode setting is specified by the RESTRICT installation option in the CKRSITE module. For details on the CKRSITE module and installation options, see IBM Security zSecure CARLa-Driven Components: Installation and Deployment Guide. The output is restricted based on the access the user userid has in the connected security databases.
Severity: 00

CKR0031  Restricted mode active because of pads; user userid
Explanation: This message indicates that one or more of the input files could only be processed because of read access granted to the program. In that case, restricted mode processing is automatically activated. The message contains either the text PADS or the text program pathing for pads. The output is restricted based on the access the user userid has in the connected security databases.
Severity: 00

CKR0031  Restricted mode active, user userid no READ access to class CKR.READALL
Explanation: Through a profile covering the CKR.READALL resource in the class specified in the CKRSITE area it is possible to define which users can read the full database (READ access) and those that will run in restricted mode (covering profile exists and NONE access). The current user has no READ access. The output is restricted based on the access the user userid has in the connected security databases.
Severity: 00

CKR0031  Unrestricted mode active, user userid READ access to class CKR.READALL
Explanation: Through a profile covering the CKR.READALL resource in the class specified in the CKRSITE area it is possible to define which users can read the full database (READ access) and those that will run in restricted mode (covering profile exists and NONE access). The current user has READ access.
Severity: 00

CKR0031  Unrestricted mode active; user userid
Explanation: This message indicates that the product defaults to unrestricted mode because it is not installed with the installation option RESTRICT, the input files can be processed without requiring read access granted to the program, and a profile covering the CKR.READALL resource in the class specified in the CKRSITE area is not defined.
Severity: 00

CKR0031  Restricted mode by [simulation | remote node | simulation and remote node], although user userid has privilege [SPECIAL] [AUDITOR] [ROAUDIT]
Explanation: This message indicates that either a SIMULATE RESTRICT command was present or there was a remote node that required restricted mode, or both. It overrides the indicated privileges of the executing user ID. The output is restricted based on the access the user userid has in the connected security databases.
Severity: 00

CKR0031  Restricted mode by [simulation | remote node | simulation and remote node], although user userid READ access to class profile
Explanation: This message indicates that either a SIMULATE RESTRICT command was present or there was a remote node that required restricted mode, or both. It overrides the READ permission on the indicated resource for the executing user ID. The output is restricted based on the access the user userid has in the connected security databases.
Severity: 00

CKR0031  Restricted mode by [simulation | remote node | simulation and remote node] for user userid, although no profile class profile
Explanation: This message indicates that either a SIMULATE RESTRICT command was present or there was a remote node that required restricted mode, or both. It takes precedence over any considerations like all-unconditional read permits on all input sources and no installation override. Because of the absence of the indicated profile and class default RC of 4, these would have been tested if SIMULATE RESTRICT had not been present. The output is restricted based on the access the user userid has in the connected security databases.
Severity: 00

CKR0031  Unrestricted mode active; user userid has privilege [SPECIAL] [AUDIT] [ROAUDIT]
Explanation: This query is executed in unrestricted mode because the user running the query has one or more of the system-wide attributes SPECIAL, AUDIT, and ROAUDIT on the current (run) system. These attributes are tested before a CKR.READALL resource is checked.
Severity: 00

CKR0524  Program was terminated due to storage shortage - increase keyword
Explanation: The program was terminated because of a storage (memory) shortage. The value of keyword (REGION or MEMLIMIT) indicates the parameter that is most likely to help when increased.
User response: Try increasing the keyword size and running the program again.
Severity: 12

CKR0841  Severe function error [msg] PC RC=n - issuing user abend 841
Explanation: While reading from a remote node (SRVIN) or writing to a remote node (SRVOU), the Program Call interface of the server returned an error condition. The function can be SRVIN or SRVOU and, optionally, a message type msg is included.
User response: Verify that the server is active, then restart the server and try again.
Severity:

CKR0845  module CKNSRVIR queue file message type from zsecsys length length because waiting on zsecsys2 file file2
Explanation: This message is written only if requested by a DEBUG CKNSRVIR_POST statement. If you need information about this message, contact IBM Software Support.
Severity: 0

CKR0846  module CKNSRVIR return queued file message type from zsecsys length length
Explanation: This message is written only if requested by a DEBUG CKNSRVIR_POST statement. If you need information about this message, contact IBM Software Support.
Severity: 0

CKR0847  message
Explanation: This message is in response to debugging options. If you need information about this message, contact IBM Software Support.
Severity: 00

CKR0931  proc: Buffer overrun - dln=destinationlength sln=sourcelength:: data
Explanation: A buffer overrun occurred in the format procedure proc. This message will be followed by a user ABEND 931. Contact IBM Software Support. It is possible to suppress the user ABEND 931 by specifying SUPPRESS FMTABEND (see reference to Command Language, SUPPRESS, FMTABEND) or SUPPRESS MSG=931. However, this can result in corrupted output or other errors.
Severity: 24

CKR0937  routine internal error for string length length
Explanation: The indicated routine failed in an attempt to add a dictionary entry with the indicated characteristics. If routine is DICTNEW, this might be a request to add an entry that already existed. User abend 937 is issued. The message and the abend can be suppressed with SUPPRESS MSG=937. If the problem remains, contact IBM Software Support.
Severity: 24

CKR0940  Request to write record with negative length hexnum to ddname behind record decnum - user abend 940
Explanation: This message indicates either a software problem or an attempt to connect input files to the wrong DD names. User abend 940 is issued. This message is suppressible and results in the record being skipped. However, the resulting output file might be unusable and can give rise to follow-on errors. Suppressing this message is not recommended except as directed by IBM Software Support.
User response: Check allocations and the validity of the connected data sets. If your checks do not reveal errors, contact IBM Software Support with relevant documentation.
Severity: 16

CKR0969  I/O error for: description [optional 2nd line of description] ddname volser dsn[(member)] [volser dsn ]...
Explanation: This message indicates that an I/O error occurred during normal QSAM, BSAM, or BPAM input processing for one of the data sets mentioned. Operation will be continued, but an abend or other error message may follow because of the information missing due to the I/O error. The message contains the one or two lines of diagnostic data returned by the DFP SYNADAF call and is documented there. It is followed by the DD name and the data set concatenation. For BPAM it will also show a member name in one of those data sets.
Severity: 8

CKR1012  Not enough storage for summary - Increase keyword
Explanation: While preparing the summary, a storage shortage condition was encountered. The value of keyword (REGION or MEMLIMIT) indicates the parameter that is most likely to help when increased.
User response: Either increase the keyword or simplify the query or summary.
Severity: 16

CKR1058  No storage left for WRAP buffer for fieldaddr fieldname - function disabled - defined at ddname line number
Explanation: The indicated field requires special processing for the indicated function. The function can be one of the following:
- WRAP (to honor a WRAP or WORDWRAP modifier)
- Format translation
- DBCS-aware truncation
User response: Increase the storage that is available to the program.
Severity: 08

CKR2203 Nested OTHERWISE test incompatible with type=count test - before token "value" source

Explanation: A TEST for a compliance STANDARD command of the form type=count specified an OTHERWISE clause with a nested test. This combination is not supported.

User response: Specify the desired compliance tests in a different order.

Severity: 12

CKR2233 RETCONC: Audit concern contains variables, however none were found in the concern text

Explanation: This message flags an unsupported condition: an audit concern has associated variables, but they could not be substituted into the concern text. To understand the context, re-run the query with DEBUG NLS and examine the CKR1631 message right before this message.

User response: Contact IBM Support with at least the associated information from the CKR1631 message referenced in the explanation.

Severity: 8

CKR2253 File file remote allocation failed on zsecnode zsecsys

Explanation: This message indicates that allocation of a remote file failed.

User response: Look for additional messages relating to the file to get more information and correct the ALLOC statement.

Severity: 16

CKR2511 Internal error SUMAILEN=0 for SUMA address

Explanation: An error occurred during SUMMARY processing. User abend 2511 is issued to produce a summary dump and the run is terminated.

User response: Contact IBM Support with the SYSPRINT file containing the summary dump.

Severity: 24

CKR999I STORAGE SHORTAGE FOR TASK taskname HEAP heapname IN program - INCREASE keyword

Explanation: This message indicates that the program needs more storage. It will be followed by a user abend 16. If the heap name is LOWHEAP or SYSSTACK, then the request is for storage below the 16MB line. If the name is MAINHEAP, then the request is for storage anywhere. If the name is SMFCACHE, then the zsecure Audit job tag system used too much memory; see the SMFCACHE command. For MAINHEAP and SMFCACHE it could be beneficial to use the ALLOC STORAGEGC command, though this will increase CPU usage. The value of keyword (REGION or MEMLIMIT) indicates the parameter that is most likely to help when increased.

Severity: 16

CKX841I Severe function error [msg] PC RC=n - issuing user abend 841

Explanation: While reading from a remote node (SRVIN) or writing to a remote node (SRVOU), the Program Call interface of the server returned an error condition. The function can be SRVIN or SRVOU and, optionally, a message type msg is included.

User response: Verify that the server is active, then restart the server and try again.

Severity: 16

CKX845I module CKNSRVIR queue file message type from zsecsys length length because waiting on zsecsys2 file file2

Explanation: This message is written only if requested by a DEBUG CKNSRVIR_POST statement. If you need information about this message, contact IBM Software Support.

Severity: 0

CKX846I module CKNSRVIR return queued file message type from zsecsys length length

Explanation: This message is written only if requested by a DEBUG CKNSRVIR_POST statement. If you need information about this message, contact IBM Software Support.

Severity: 0

CKX931I proc: Buffer overrun - dln=destinationlength sln=sourcelength:: data

Explanation: A buffer overrun occurred in the format procedure proc. This message will be followed by a user ABEND 931. Contact IBM Software Support. It is possible to suppress the user ABEND 931 by specifying SUPPRESS FMTABEND (see reference to Command Language, SUPPRESS, FMTABEND) or SUPPRESS MSG=931. However, this can result in corrupted output or other errors.

Severity:
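The explanations for CKR0931, CKR0937, CKR0940 and CKX931I note that these messages and their user abends can be suppressed, at the risk of corrupted or unusable output. The Python sketch below is an added example, not part of the IBM documentation: it scans CARLa input for the SUPPRESS FMTABEND and SUPPRESS MSG=n forms quoted in those explanations so that each suppression can be reviewed. The function name, the sample input, the SUPPRESS MSG=940 form (inferred from the other two) and the assumption that a SUPPRESS statement and its operands sit on one line are illustrative; comments in the CARLa source are not parsed.

```python
import re

# Suppressions that the message explanations warn about. The message
# numbers and consequences are taken from the page; the wording of each
# reason is a paraphrase.
RISKY_MSGS = {
    931: "hides the format-procedure buffer overrun abend; output can be corrupted",
    937: "hides the dictionary-entry internal error and user abend 937",
    940: "negative-length record is skipped; output file might be unusable",
}

# Only the two operand forms quoted on the page are recognised
# (assumption: statement and operands are on the same line).
SUPPRESS_RE = re.compile(r"\bSUPPRESS\b(?P<operands>.*)", re.IGNORECASE)
MSG_RE = re.compile(r"\bMSG=(\d+)", re.IGNORECASE)
FMTABEND_RE = re.compile(r"\bFMTABEND\b", re.IGNORECASE)


def audit_suppress(carla_text, source="<input>"):
    """Return one finding per SUPPRESS operand found in carla_text.

    Each finding is a dict with the source name, 1-based line number,
    the normalised operand, a 'risky' flag and a reason string.
    """
    findings = []
    for lineno, line in enumerate(carla_text.splitlines(), start=1):
        match = SUPPRESS_RE.search(line)
        if not match:
            continue
        operands = match.group("operands")

        # SUPPRESS FMTABEND removes the user ABEND 931 safety stop.
        if FMTABEND_RE.search(operands):
            findings.append({
                "source": source,
                "line": lineno,
                "operand": "FMTABEND",
                "risky": True,
                "reason": RISKY_MSGS[931],
            })

        # SUPPRESS MSG=n: flag the numbers the page warns about and
        # list any other suppressed message for manual review.
        for number in MSG_RE.findall(operands):
            msgno = int(number)
            findings.append({
                "source": source,
                "line": lineno,
                "operand": f"MSG={msgno}",
                "risky": msgno in RISKY_MSGS,
                "reason": RISKY_MSGS.get(msgno, "not covered here; review manually"),
            })
    return findings


def risky_findings(findings):
    """Keep only the suppressions that the page explicitly warns about."""
    return [f for f in findings if f["risky"]]


# Constructed sample input (not from the page). MSG=1234 is an arbitrary
# number used to show the non-risky path.
SAMPLE_CARLA = """\
newlist type=racf
suppress msg=931
  select class=user
SUPPRESS FMTABEND
SUPPRESS MSG=940
suppress msg=1234
"""

if __name__ == "__main__":
    for f in audit_suppress(SAMPLE_CARLA, source="SAMPLE"):
        flag = "RISK  " if f["risky"] else "review"
        print(f"{flag} {f['source']}:{f['line']} SUPPRESS {f['operand']} - {f['reason']}")
```
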


More information

Hands-on Lab: Setting up the z/os LDAP Server with the dsconfig utility.

Hands-on Lab: Setting up the z/os LDAP Server with the dsconfig utility. Hands-on Lab: Setting up the z/os LDAP Server with the dsconfig utility. Background: The z/os LDAP server was introduced several years ago. It was a standard LDAP v3 server with support for LDAP v2 if

More information

Program Directory for IBM Security zsecure Suite: CARLa-driven components V Program Number 5655-N16/N17/N20/N21/AD8. FMIDs HCKR221, HC4R221

Program Directory for IBM Security zsecure Suite: CARLa-driven components V Program Number 5655-N16/N17/N20/N21/AD8. FMIDs HCKR221, HC4R221 IBM Program Directory for IBM Security zsecure Suite: CARLa-driven components V2.2.1 Program Number 5655-N16/N17/N20/N21/AD8 FMIDs HCKR221, HC4R221 for Use with z/os Document Date: December 2016 GI13-2277-05

More information

CA ACF CA RS 1310 Service List

CA ACF CA RS 1310 Service List CA ACF2 15.0 1 CA RS 1310 Service List Description Hiper 15.0 RO58084 CICS SIGNON BY A CRTED USER GETS LOST RO59275 SUPPORT JOBCLASS AUTHORIZATIONS IN Z/OS 2.1 RO59312 Z/OS 2.1 COMPATIBILITY RO59857 SUPPORT

More information

CA Endevor Software Change Manager

CA Endevor Software Change Manager CA Endevor Software Change Manager CA Roscoe Interface Administration Guide Version 16.0.00 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter

More information

INTRODUCTION. José Luis Calva 1. José Luis Calva Martínez

INTRODUCTION. José Luis Calva 1. José Luis Calva Martínez USING DATA SETS José Luis Calva Martínez Email: jose.luis.calva@rav.com.mx rav.jlcm@prodigy.net.mx INTRODUCTION In working with the z/os operating system, you must understand data sets, the files that

More information

Problem Solving with Consolidated Logs

Problem Solving with Consolidated Logs Problem Solving with Consolidated Logs Larry Green IBM March 15, 2012 Browsing Logs Prior to NetView V6.1 Netlog NetView console Syslog System console Joblogs ISPF 2 Log Browse with NetView V6.1 Netlog

More information

IBM Tivoli Advanced Audit for DFSMShsm. User's Guide. Version 2 Release 3 SC

IBM Tivoli Advanced Audit for DFSMShsm. User's Guide. Version 2 Release 3 SC IBM Tivoli Advanced Audit for DFSMShsm User's Guide Version 2 Release 3 SC27-2347-01 IBM Tivoli Advanced Audit for DFSMShsm User's Guide Version 2 Release 3 SC27-2347-01 Note: Before using this information

More information

IBM InfoSphere Guardium S-TAP for Data Sets on z/os User's Guide. Version9Release1

IBM InfoSphere Guardium S-TAP for Data Sets on z/os User's Guide. Version9Release1 IBM InfoSphere Guardium S-TAP for Data Sets on z/os User's Guide Version9Release1 ii IBM InfoSphere Guardium S-TAP for Data Sets on z/os User's Guide Contents Chapter 1. IBM InfoSphere Guardium S-TAP for

More information

Abstract Updates that apply to DB2 Cloning Tool Version for z/os 3.2 User's Guide (SC )

Abstract Updates that apply to DB2 Cloning Tool Version for z/os 3.2 User's Guide (SC ) Updates to DB2 Cloning Tool V3.2 User's Guide Abstract Updates that apply to DB2 Cloning Tool Version for z/os 3.2 User's Guide (SC27-6556-01) Content The most recent update is listed first. Update 7 Date

More information

CA ACF CA RS 1711 Service List

CA ACF CA RS 1711 Service List CA ACF2 16.0 1 CA RS 1711 List Description Type RO93852 ACF2/IMS SUPPORT FOR IMS R15 PTF RO93853 ACF2/IMS SUPPORT FOR IMS R15 PTF RO97779 CONVERT PASSWORD TO HIGHER ENCRYPTION LEVEL/AAM R_PASSWORD PTF

More information

LMS. Laret Melsch Systems

LMS. Laret Melsch Systems LMS Laret Melsch Systems Manage and Automate Dynamic Allocation of STEPLIBs and ISPF Libraries is the premier solution to manage and automate dynamic allocation of STEPLIB and ISPF libraries to save time,

More information

CA LDAP CA RS 1312 Service List

CA LDAP CA RS 1312 Service List CA LDAP 15.1 1 CA RS 1312 Service List Description Hiper 15.1 RO59547 LDAP GETS A SOC4 ABEND GATHERING XREF ROLE ACF2 DATA RO59856 UPDATE LDAP STC TO MENTION OPTIONAL STEPLIB FOR CAW0PLD RO60309 MODIFY

More information

zsecure New features and functions

zsecure New features and functions zsecure 2.1.1 New features and functions Rob van Hoboken zsecure architect Rob.vanHoboken@nl.ibm.com 1 2012 IBM Corporation Disclaimer 2 IBM s statements regarding its plans, directions, and intent are

More information

IBM. Enterprise Systems Architecture/ Extended Configuration Principles of Operation. z/vm. Version 6 Release 4 SC

IBM. Enterprise Systems Architecture/ Extended Configuration Principles of Operation. z/vm. Version 6 Release 4 SC z/vm IBM Enterprise Systems Architecture/ Extended Configuration Principles of Operation Version 6 Release 4 SC24-6192-01 Note: Before you use this information and the product it supports, read the information

More information

2010/04/19 11:38. Describing a unique product that shows the mainframe in a completely different way.

2010/04/19 11:38. Describing a unique product that shows the mainframe in a completely different way. Describing a unique product that shows the mainframe in a completely different way. 1 These are some of the features of SELCOPY/i I will be speaking about today, to give you a flavour of the SELCOPY Interactive

More information

Db2 Query Management Facility Version 12 Release 2. Installing and Managing Db2 QMF for TSO and CICS IBM GC

Db2 Query Management Facility Version 12 Release 2. Installing and Managing Db2 QMF for TSO and CICS IBM GC Db2 Query Management Facility Version 12 Release 2 Installing and Managing Db2 QMF for TSO and CICS IBM GC27-8877-02 Db2 Query Management Facility Version 12 Release 2 Installing and Managing Db2 QMF

More information

IBM zsecure New Features and Functions

IBM zsecure New Features and Functions IBM New Features and Functions Rob van Hoboken zsecure architect 2017-11-08 Session FH based on original material created by Guus Bonnes Slide 1 of 137 IBM zsecure suite Administration for RACF zsecure

More information

In This Issue. The Enhanced Editor in QMF 11.2: Highlights. 1st Quarter 2016 Edition

In This Issue. The Enhanced Editor in QMF 11.2: Highlights. 1st Quarter 2016 Edition 1st Quarter 2016 Edition In This Issue The Enhanced Editor in QMF 11.2 From the Developers: QMF for TSO/CICS access to DB2 LUW and access data using 3-part names The Enhanced Editor in QMF 11.2: Highlights

More information

z/os Operating System Vulnerabilities ( )

z/os Operating System Vulnerabilities ( ) ARTICLE z/os Operating System Vulnerabilities (2013-2017) Cynthia Overby March 2, 2018 z/os Operating System Vulnerabilities (2013-2017) 01 Mainframe Integrity Vulnerabilities Key Resources, Inc. (KRI)

More information

for Mainstar MXI G2 Session 8962 Speaker: Shari Killion

for Mainstar MXI G2 Session 8962 Speaker: Shari Killion The New Storage Manager Plug-in for Mainstar MXI G2 Session 8962 Speaker: Shari Killion About Mainstar MXI G2 Provides ready access to critical information about your z/os system Offers a fast and easy-to-use

More information

Vanguard Active Alerts. Jim McNeill Sr Consultant

Vanguard Active Alerts. Jim McNeill Sr Consultant Vanguard Active Alerts Jim McNeill Sr Consultant Legal Notice Copyright All Rights Reserved. You have a limited license to view these materials for your organization s internal purposes. Any unauthorized

More information

Session RMM Exploitation

Session RMM Exploitation Session 15549 RMM Exploitation Speakers Vickie Dault, IBM Thursday August 7, 2014 3:00 4:00 pm Insert Custom Session QR if Desired. Agenda Retentionmethods VRSEL EXPDT Assigning Retentionmethod and Limitations

More information