Troubleshooting › Troubleshoot Customization Problems

Troubleshoot Customization Problems

Customization problems can stem from any one of the three supported CA Top Secret customization techniques:

• The z/OS Security Interface
• The Installation Exit
• The Application Interface

To determine the cause of customization problems

1. Write down all message numbers and text displayed by CA Top Secret. See the Messages and Codes Guide to determine the meaning of the CA Top Secret messages.
2. Turn on the CA Top Secret TRACE:

   F TSS,SECTRACE(ACT,WTL)
   

   TSS ADDTO(acid) TRACE
   

3. If the acid is signed on, either issue TSS REFRESH(acid) JOBNAME(*) or have the acid signoff and back on again.
4. To turn off the TRACE:

   TSS MODIFY(SECTRACE(OFF))
   

   TSS REMOVE(acid) TRACE
   

5. Examine the TRACE information. The TRACE shows the information being passed to CA Top Secret along with DRCs and other diagnostic information.
6. Obtain a dump using DC F'00' or the CA Top Secret DIAGTRAP control option. Examine the parameter list being sent to CA Top Secret.

Customization Tips and Checkpoints

Check that the listed items have been incorporated into your customization code:

• Parameter lists
  • Is the correct format being used?
  • Have you supplied a length?
• RACDEF and RACLIST have NOT been used for customization.
• The INSTLN operand of the Security macro is being used to obtain information feedback.
• The ACEE= parameter is present for multi‑user address space on all requests to security (RAC macros or RACROUTE), except in task per user environments (TCBSENV).
• RACROUTE
  • Used by current releases of z/OS (state‑of‑the‑art).
  • Preferred to the usage of RACINIT, RACHECK, and FRACHECK.
  • Your call is one that is supported by CA Top Secret- that is, REQUEST=AUTH, REQUEST=FASTAUTH
  • REQUEST=VERIFY, REQUEST=EXTRACT
  • A valid Class Name is being used.
  • If using the Dynamic Extract/Update Facility, you are not trying to extend or reduce the size of the INSTDATA (Installation Data) field.
  • If using RACROUTE REQUEST=VERIFY to build a facility, review the facility entries to make sure they were entered correctly.
  • RACROUTE REQUEST=VERIFY, ENVIR=DELETE ‑ ensure ACEE parameter points to the address if the address of the ACEE is returned with RACROUTE REQUEST=VERIFY, ENVIR=CREATE.
  • Program issuing RACROUTE REQUEST=VERIFY (top RB) matches a valid facility.
  • If the facility does not have the NOAUTHINIT attribute, ensure that the program is issuing RACROUTE REQUEST=VERIFY APF authorized in system Key 0 or Supervisor state.

Note: NOAUTHINIT is only valid for STC.

If using RACROUTE REQUEST=VERIFY use the installation feedback area for returned DRCs.

Installation Exit

Installation exit checks:

• The Installation Exit is executed in Key 0, Supervisor State, when live; therefore, it must be coded and tested with great care.
• The activation matrix contains a non zero entry for the desired function.
• The customized code is in the appropriate section of the TSSINSTX module.
• The EXIT control option is ON. F TSS,STATUS lists the status of EXIT.
• Under TSO, the installation exit code is tested in Key 8 by:
  • Loading TSSINSTX
  • Building your own parameter list as expected by the exit
  • Passing control to TSSINSTX
  • Examining the parameter list, feedback areas, and return codes

To test your installation exit code set up debug code which executes the exit only for a particular ACID, jobname:

• Locate the correct branch point in the Installation Exit.
• Check for the ACID, jobname, and so on:
• To locate the jobname or TSO session name, use the following code:

  L    R2,PSATOLD‑PSA(0)    TCB
  L    R2,TCBTIO‑TCB(R2)    TIOT
        CLC  TIOCNJOB‑TIOT1(8,R2)=CL8”jobname or TSO session”
  *
        BE   OURJOB   it's our job so perform the exit code
   *
         BNE  NOTJOB   it's not our job, exit so we don't interfere
         with other users
  *
  .
  .
  .
  IHAPSA     PSA expansion
  KJTCB      TCB expansion
  IEFTIOT1   TIOT expansion
  

  Since the acidname is passed into a particular field in the installation exit, another way to locate the ACID is to examine the field.

• If running under ESA or XA, refresh LLA after linking a new exit:

  F LLA,REFRESH