This section lists the security services messages. The security services provide an interface to an external security manager (ESM). Supported ESMs are:
This is an information message that appears during initialization to indicate the type of external security manager (ESM) interface that has been selected and activated for the coordinating address space (CAS). The CAS PROC contains a BBSECURE DD statement that defines the security parameter library used during initialization. Some parameter values in the ESM statement contained in member BBMTSS00 of the security parameter library are listed in this message and each specifies a value that defines how the security interface will operate.
The type parameter indicates the value of the ESM statement ESMTYPE parameter specified for the security services interface. Allowable type values are:
The subsystem value is specified by the SUBSYS parameter of the ESM statement. This parameter value is used when the ESM is invoked by way of RACROUTE for any address space request. If there is no SUBSYS parameter specified in the ESM statement, the CAS PROC subsystem ID (ssid= parameter) appears in this message. If a null value (SUBSYS(' ')) is specified by the ESM statement, no subsystem value is passed to the ESM with RACROUTE and <NULL> appears in this message.
The requestor value is specified by the REQSTOR parameter of the ESM statement, located in member BBMTSS00 of the security parameter library (DD name BBSECURE). This requester specification is used for all invocations of the ESM by means of RACROUTE within the CAS, and is the default for invocations within a CICSPlex® SM address space (CMAS).
If no value is specified for the REQSTOR parameter, <asis> is displayed. The value asis indicates that the specific, unique requester name that is specified by a CAS or CMAS resource manager-level component is used as is, without modification or override.
If a null value (REQSTOR(' ')) is specified, <NULL> is displayed, indicating that no requester name is passed to the ESM by means of RACROUTE.
The applid value is specified by the APPL parameter of the ESM statement, in member BBMTSS00 of the security parameter library (DD name BBSECURE). The APPL parameter is used for invocations of the ESM by means of RACROUTE within the CAS.
Normally, each CMAS allows another applid name (which you can specify) to be used for invocations of the ESM within the CMAS.
If the value of applid is not otherwise specified or defaulted by a CMAS, this applid value (normally used only for the CAS) also is used for ESM invocations within the CMAS.
If no value is specified for the APPL parameter, asis is displayed. The value asis indicates that the specific, unique application ID that is specified by each ESM invocation request by a CAS or CMAS resource manager-level component is used as is, without modification or override.
If APPL(' ') is specified, <blanks> is displayed, indicating that a blank application name is passed to the ESM by means of RACROUTE.
The CAS continues to initialize.
If the values are correct for your system, no action is required. If the values are not correct for your system, specify the correct values on the ESM statement in member BBMTSS00 of the security parameter library pointed to by the BBSECURE DD statement.
During coordinating address space (CAS) initialization, the selected external security manager (ESM) interface name, type, was not recognized by the security services function. The type value is specified in the ESMTYPE() parameter of the ESM statement in member BBMTSS00 of the security parameter library. This library is defined by the BBSECURE DD statement in the CAS PROC.
CAS initialization is terminated.
Perform the following steps:
If the problem persists, contact your IBM® Support Center with any of the information available from the list shown in Diagnostic information for BB messages.
The version or release of the external security manager (ESM) software named type that is installed on your system is release1. This version or release is no longer supported.
The type value that can appear in this message is:
This message is always issued with message BBMSS006E.
Message BBMSS006E is issued.
See the user response for message BBMSS006E.
This message is a continuation of message BBMSS005E. This message indicates that the minimum version or release level of the ESM type that is supported is release2. Message BBMSS005E contains the type value for the ESM.
Coordinating address space (CAS) initialization is terminated.
Do one of the following:
If the correct level is already installed, contact your IBM Support Center with any of the information available from the list shown in Diagnostic information for BB messages.
Initialization of the server subtask for the external security manager (ESM) interface failed with a return code of xx. The return code is the internal START request return code for the failure.
This message is usually preceded by other messages that indicate the cause of the failure.
CAS initialization is terminated.
Look for other messages and follow the user response provided.
The version or release of the external security manager (ESM) software named type that is installed on your system is release. Support for this version or release requires a specific level of support.
The type value that can appear in this message is:
This message is always issued with message BBMSS009E.
Message BBMSS009E is issued.
See the user response for message BBMSS009E.
This message is a continuation of message BBMSS008E. This message indicates that the specific level of support for the external security manager (ESM) software named type shown in message BBMSS008E is not installed in the security parameter library pointed to by the BBSECURE DD statement in the coordinating address space (CAS) PROC.
CAS initialization is terminated.
Install the PTF that provides support and restart the CAS and all connected address spaces. If the problem persists, contact your IBM Support Center with any of the information available from the list shown in Diagnostic information for BB messages.
If the PTF that provides support is unknown, contact your IBM Support Center for information about the planned availability of the release or PTF that provides such support.
An unrecognized or unidentified error message (such as from an installation security system exit) has been returned to the ESM interface. The message text helps identify the source of the unidentified message.
The text of the unrecognized message is incorporated into this message.
Determine the source of the unidentified message and take the action given for the variable message text that is displayed.
An unrecognized or unidentified multiple-line error message (such as from an installation security system exit) has been returned to the ESM interface. The message text helps identify the source of the unidentified message.
The text of the unrecognized message is incorporated into this message.
Determine the source of the unidentified message and take the action given for the variable message text that is displayed.
This is an informational message that is issued to a window or to the operator console during user session initialization to show parameter values associated with the session environment.
The external userid of the user that requested the session is shown as userid. The session is connected from a terminal, with a logical unit or port of entry (POE) called terminal, to an application, known by the external security manager (ESM) as applid.
The uidtype parameter indicates the label used for the security system's 'subject' object. For RACF, this value is the userid.
The internal parameter indicates the internal userid of the established session, which is usually identical to the external userid value; however, internal may be different in some installations where:
The groupid parameter indicates the GROUP IDENT with which the security environment for the session was established.
The security environment for the session is established as indicated.
None, unless the session encounters resource access difficulties. If difficulties with the session occur, use the information in this message to diagnose the problem by ensuring that the proper values have been specified, selected, or used.
This is an informational message that is issued to show parameter values associated with a session termination.
The external userid of the user that requested the session that has terminated is shown as userid. The session was connected from a terminal, with a logical unit name or port of entry (POE) called terminal, to an application, known by the ESM as applid.
The security environment for the session is deleted.
None
The security interface invoked the external security manager (ESM) by issuing a RACROUTE REQUEST=request macro instruction. Up to three different return codes provided by the ESM do not conform to expected values as a result of executing the macro instruction.
The three code values that appear in this message are shown as:
This may or may not indicate a problem, depending upon the specific RACROUTE request type. This message is issued to alert the user that results may be unexpected.
Depends upon the particular RACROUTE request type that was executed and the reason it was executed. For resource access authorization or system entry validation requests, access is denied. Other messages may be issued.
Report the contents of this message and any related messages to your security administrator.
If the reason for the error cannot be determined or if the problem persists, contact your IBM Support Center with the contents of this message and any related messages.
An attempt was made to establish an end user session using the external userid of userid. The external security manager (ESM) did not authorize the security environment create request for userid because the userid is not defined and no default security environment could be established.
The session is not established.
If userid is not defined and it should be, contact your security administrator to obtain authorization for the userid.
An attempt was made to establish an end user session using an internal userid of internal. The internal parameter indicates the userid value as known to the external security manager (ESM); however, the ESM did not authorize the security environment request for internal because the userid was not defined and no default security environment could be established.
The session is not established.
If internal is not defined and it should be, contact your security administrator to obtain authorization for the userid.
The password provided is either not correct for the specified userid, or has an invalid format, such as being too short or containing illegal characters. The external security manager (ESM) has rejected the system entry validation request during end user session establishment.
The session is not established.
If you did not enter a password, then the security system or security interface has been configured incorrectly; contact your IBM Support Center.
If you did enter a password, it is incorrect. Reattempt access and specify the correct password.
An error occurred when a security environment could not be created or inherited in response to a request (such as opening a window) by the specified userid.
If the security environment could not be created, the required password was not specified by the user.
If the security environment could not be inherited, the external security manager (ESM) determined that the existing environment had either an incorrect or unavailable password for the userid, so a new environment could not be inherited from the existing security environment. This occurs when it is necessary for the security interface to use a password to inherit a security environment, so the userid's password, which is usually encrypted, is extracted from the existing security environment. If no encrypted password is available to be extracted, the inheritance is attempted anyway because the target system may not require a password to establish a security environment. However, if the target system does require a password and none was available when the attempt was made to extract the password, an error results and this message is issued.
The security environment is not established.
Attempt to determine why no password was available for the userid. If this cannot be determined, contact your security administrator with the text of all additional messages that accompany this message.
The user's security environment could not be created or inherited on the target system because the GROUP is not defined on the target system or the user is not connected to the GROUP.
If RACF is the external security manager being used, this message is accompanied by message ICH408I, which contains the GROUP name being used.
The security environment is not established.
Either define the group on the target system, use a different group on the originating system, or, if the group is defined, connect to the group using the RACF CONNECT command. If you are not authorized to perform the appropriate action, contact your security administrator with the text of any accompanying messages.
System access using this userid is temporarily revoked by the external security manager (ESM) or a security administrator at your site. The userid still is defined and valid, and the correct password, if any, was entered; however, the userid cannot be used to establish any session with an application on this system.
The session is not established.
If this is not correct, contact your security administrator to determine why the userid is denied access to any session applications on this system and/or to correct the problem.
The userid cannot be used to establish a session from the current terminal or port of entry (POE) because the userid is not authorized by the external security manager (ESM) to use this terminal or POE.
The session is not established.
Use another terminal or POE.
If this is not correct, contact your security administrator to obtain authorization for your userid to use the terminal or POE.
The userid cannot be used to establish a session during the current day or at this time of day because the userid is not authorized by the external security manager (ESM).
The session is not established.
Try again later or use another terminal.
If this is not correct, contact your security administrator to obtain authorization for the day or time of day for your userid to use the terminal or POE.
The userid cannot be used to establish a session during the current day or at this time of day from the terminal or port of entry (POE) because the userid is not authorized by the external security manager (ESM).
The session is not established.
Try again later or use another terminal or POE.
If this is not correct, contact your security administrator to obtain authorization for the day or time of day for your userid to use the terminal or POE.
The userid cannot be used to create a session with the application that the user was attempting to access.
The session is not established.
Contact your security administrator to obtain authorization for your userid to access the application.
An internal component or product incorrectly attempted to delete the address space-level security environment established by MVS™, for the external userid named userid. The esmid value shows the userid as known to the external security manager (ESM).
The request to delete the ACEE defined by ASXBSENV is ignored; processing continues.
Contact your IBM Support Center with any of the information available from the list shown in Diagnostic information for BB messages.
An internal component or product incorrectly attempted to delete a nonexistent or incorrectly constructed security environment for the external userid named userid. The esmid value shows the userid as known to the external security manager (ESM).
The delete request is ignored; processing continues.
Contact your IBM Support Center with any of the information available from the list shown in Diagnostic information for BB messages.
An attempt was made to access some resource identified by CLASS name class and ENTITY name entity. The level of access to the indicated resource is identified by the type parameter, and is READ, WRITE, ALTER, or another level value. The esm value indicates the external security manager (ESM) interface being used and can be:
Access to the indicated resource, class(entity), is denied.
Contact your security administrator to obtain authorization for the required resource for your userid.
While processing security service requests that invoke the external security manager (ESM), the security services interface subcomponent detected an unexpected abend.
This message is usually accompanied by a system dump (SDUMP) of the affected address space.
The security services server subtask attempts to recover from the abend condition and continue processing.
Check the SDUMP for the affected address space to determine the cause of the problem. If the cause of the problem is unknown, contact your IBM Support Center with any of the information available from the list shown in Diagnostic information for BB messages.
This message is always issued with messages BBMSS805E, BBMSS806E, and BBMSS807E. Message BBMSS804E indicates that an attempt has been made in a CICSPlex SM address space (CMAS) to either create or inherit a user security environment, but the attempt failed.
Message BBMSS805E is issued.
See the user response for message BBMSS807E.
This message is a continuation of message BBMSS804E, and also is issued with messages BBMSS806E and BBMSS807E.
Message BBMSS805E shows the name of the external userid, as userid, that attempted an action (such as opening a window) that required the establishment of a security environment. The external userid has an internal external security manager (ESM)-defined userid of securityid. The idtype value is userid for RACF.
Message BBMSS806E is issued.
See the user response for message BBMSS807E.
This message is a continuation of message BBMSS805E, and also is issued with messages BBMSS804E and BBMSS807E.
Message BBMSS806E shows the internal ESM-defined userid for the CICSPlex SM address space (CMAS) as address. The address has an idtype of userid for RACF.
Message BBMSS807E is issued.
See the user response for message BBMSS807E.
This message is a continuation of message BBMSS806E and is always issued with BBMSS804E, BBMSS805E, and BBMSS806E.
Message BBMSS807E indicates that an attempt was made in a CICSPlex SM address space (CMAS) to establish a user security environment and the attempt failed because the required attributes of the external security manager (ESM) USER or userid specified for CICSPlex SM are not in effect.
The attributes value is a list of the required attributes that are not in effect for the address space-level USER or userid.
The security environment creation request is rejected and a session with the target for the window or process involved is not established.
Contact the systems programmer or security administrator at the site where the target CMAS is executing and report this message and the attributes value(s). The listed attributes must be in effect for the USER or userid used for the address space for the session to be established.
This message is issued as part of the security environment creation when the RACROUTE REQUEST=EXTRACT,TYPE=EXTRACT macro fails. The security interface is attempting to extract the ESM-encrypted password.
The current target system was successfully able to inherit an end user security environment from another system, but the security interface may not be able to recreate additional security environments on this system or another system for the user from the newly inherited security environment.
Normal processing continues, but inheritance of additional security environments for this user on this system may not be possible.
If this security environment cannot be successfully inherited from RACF, check the RACF security configuration or userid attributes for the userid to determine a reason the password cannot be extracted.
The security services server subtask subcomponent failed and was attempting to restart itself in order to continue operation, but the restart function also failed with a return code of xx. The return code is the internal START request return code for the failure. Some abends and other errors that the security services interface detects can be caused by external or installation actions, such as varying RACF inactive.
Depending upon the suspected cause or nature of the error, the security services server subtask might attempt one or more additional restarts, up to a security parameter library-specified maximum.
If additional restarts are not possible, a system dump is scheduled and termination of the service structure in the address space is initiated.
If additional restart attempts are made and the security parameter library-specified maximum is reached, the error is typically caused by a condition of the external security manager (ESM). Correct any problems with the ESM and restart the CAS.
If the cause of the problem is unknown, contact your IBM Support Center with any of the information available from the list shown in Diagnostic information for BB messages.
During termination of an address space, the security services interface subcomponent detected that a previously established security environment for external userid userid had not been deleted yet. The user was logged on through a terminal with an ID of terminal. The esmid value shows the userid as known to the external security manager (ESM).
If this message occurs during forced or abnormal terminations for unrelated causes, usually this message does not indicate a problem. However, if this message occurs during the normal termination of any address space, a problem with deleting the security environment established on behalf of the installation or an end user may exist.
The security environment is deleted.
If the cause of the problem is unknown, contact your IBM Support Center with any of the information available from the list shown in Diagnostic information for BB messages.
During termination of an address space, the security services interface subcomponent detected that a previously established security environment for external userid userid had not been deleted yet. The user was logged on through a terminal with an ID of terminal. The esmid value shows the userid as known to the external security manager (ESM). An abend occurred when the address space was attempting to delete the security environment.
The abend might be related, but is not necessarily related, to the reason the previously established security environment was not already deleted.
Termination processing continues.
If the cause of the problem is unknown, contact your IBM Support Center with any of the information available from the list shown in Diagnostic information for BB messages.
During termination of an address space, the security services interface subcomponent detected that a previously established security environment for external userid userid had not been deleted yet. The user was logged on through a terminal with an ID of terminal. The esmid value shows the userid as known to the external security manager (ESM). An error occurred when the address space was attempting to delete the security environment.
The error might be related, but is not necessarily related, to the reason the previously established security environment was not already deleted.
Termination processing continues.
If the cause of the problem is unknown, contact your IBM Support Center with any of the information available from the list shown in Diagnostic information for BB messages.
During termination of an address space, the security services interface subcomponent detected that a previously established resource list had not been deleted yet. The resource list belongs to the security class named class and the filter string for the resource list is filter. The filter value appears as ** if no filter specification exists.
During forced or abnormal terminations for unrelated causes, this message does not indicate a problem. However, if this message occurs during a normal termination of any address space, the message indicates a problem with deleting a resource list that was previously established.
The resource list is deleted.
If the cause of the problem is unknown, contact your IBM Support Center with any of the information available from the list shown in Diagnostic information for BB messages.
During termination of an address space, the security services interface subcomponent detected that a previously established resource list for class class had not been deleted yet. The filter string for the resource list is filter. The filter value appears as ** if no filter specification exists. An abend occurred when the address space was attempting to delete the resource list.
The abend might be related, but is not necessarily related, to the reason the previously established resource list was not already deleted.
Termination processing continues.
If the cause of the problem is unknown, contact your IBM Support Center with any of the information available from the list shown in Diagnostic information for BB messages.
During termination of an address space, the security services interface subcomponent detected that a previously established resource list for class class had not been deleted yet. The filter string for the resource list is filter. The filter value appears as ** if no filter specification exists. An error occurred when the address space was attempting to delete the resource list.
The error might be related, but is not necessarily related, to the reason the previously established resource list was not already deleted.
Termination processing continues.
If the cause of the problem is unknown, contact your IBM Support Center with any of the information available from the list shown in Diagnostic information for BB messages.
During termination of an address space, the security services interface subcomponent detected that a previously established resource list has not been freed. The resource list belongs to the security class named iclass, which is mapped to the class named eclass through the Global Resource Property Table.
During forced or abnormal terminations for unrelated causes, this message does not indicate a problem. However, if this message occurs during a normal termination of any address space, the message indicates a problem with freeing a previously established resource list.
The resource list is freed.
If the cause of the problem is unknown, contact your IBM Support Center with any information available from the list shown in Diagnostic information for BB messages.