IBM Power Systems
About This Blog
Warm wishes and welcome to all AS400 Administrators and Operators.
This is an exclusive blog for iSeries system administrators working anywhere in the world. It is also a place for anyone who wants to share knowledge pertaining to iSeries. This blog has been designed for exchanging knowledge on AS400 or iSeries server administration and operations.
Wednesday, June 30, 2010
Fixing QAOK* Files in QUSRSYS
To compare the files on the system to a system with the correct logical files and physical files, use the following command:
WRKOBJPDM LIB(QUSRSYS) OBJ(QAOK*) OBJTYPE(*FILE)
The following is a list of things to do to fix the files without restoring QUSRSYS. Ensure there are no locks on the QAOKL03A file, then do the following:
Note: The user must determine the best method. Involving IBM in this requires a consulting agreement. The WRKF command can be used to display and manipulate the needed files.
1. Make a list of the logical files and what physical files they point to.
2. Look at the physical files and determine which ones have data. Make a note of those files.
3. If you have a good logical file pointing to a good physical file, there is no need to do anything.
4. If you have a good logical file pointing to a wrong physical file, do the following:
o If the wrong physical file contains the data, delete the correct named file, and rename the wrong file to the correct file name (the logical file will follow the rename).
o If the correct physical file contains the data, run CLRPFM on the wrong file. Then copy the data of the correct physical file to the wrong physical file with the CPYF command. Delete the correct physical file, and rename the wrong physical file to the correct physical file name.
5. If you have a wrong logical file pointing to a good physical file, make a backup of a good logical file, delete the correctly named logical file, rename the wrong logical file to the correct name, and correct the description.
6. If you have a wrong logical file pointing to a wrong physical file, delete both files.
Note: This takes time because you must chart out what the problems are.
You can use the DSPDBR command on a physical file to see what logical file is attached to it.
Verify All Mail Pointers on the System
The following commands can be run to verify all mail pointers on the system. The commands should be run when there is no mail activity. Normally, you can only ensure that there is no mail activity by putting the system into a restricted state (ENDSBS *ALL *IMMED).
1 DLTDST DSTID(*ERROBJ) OPTION(*ERROR) OBJ(*ALL)
2 CALL QZDRECLM
3 CALL PGM(QSYS/QOHFIXIX) PARM(Y)
IBM i Trends & Directions - New Power Equation !!
PC5250 Connection Error MSGPROG706
When making a Client Access connection over TCP/IP, PC5250 may report a Program Check 706 (PROG 706) error. The text of this message is: "An SNA message was received with incorrect chaining."
This usually indicates a network issue. Check the average time for a PING. Also, try the following:
ping -l 1000 [AS/400name]
This will PING the AS/400 system with 1000 bytes of data rather than the 10 bytes of a regular PING. This may yield a very high average time, or it may time out. In this case, the network is most likely losing frames. A lost frame will result in a TCP protocol error.
Theoretically, protocol errors should not be reported to the PC5250 application, but in this case they might. The error text indicates an SNA error because the PROG message text was written prior to SNA connectivity for this product. The PC5250 interprets a missing frame as an SNA chaining error.
Preventing Startup Program from Running
In the QCTL controlling subsystem, there is an autostart job entry called QSTRUPJD. It runs as soon as QCTL is started. In the QSTRUPJD job description, the request data CALL QSYS/QWDAJPGM retrieves system value QSTRUPPGM, and the program that is specified in the system value is run. If system value QSTRUPPGM is set to *NONE, there is no startup program to call.
To change the system value, on the operating system command line type the following:
CHGSYSVAL SYSVAL(QSTRUPPGM) VALUE(*NONE)
Press the Enter key.
The help text on the operating system for the system value includes the following:
A change to this system value takes effect the next time the system is IPLed. The shipped value is QSYS/QSTRUP.
Automatic System Tuning
Tuning is a way of adjusting the performance of a system. For basic tuning, automatic system tuning is a useful method to maintain good performance. This can be done by setting the system value QPFRADJ to indicate that system tuning adjustments are performed at IPL time or dynamically while the system is running.
Do not use the QPFRADJ value and the SETOBJACC command at the same time for a shared pool. QPFRADJ removes storage from a shared pool that has no paging activity. If the SETOBJACC command is used to preload an object into the same pool, it may lose some of its storage. The SETOBJACC command is used to cause no page faulting to occur in the pool, and QPFRADJ would consider that pool a prime candidate for removing storage.
In some cases, QPFRADJ at IPL should not be used because IPL tuning can undo acceptable performance that was achieved by dynamic tuning or by manual tuning done during normal system operation. In an environment with the same number of active jobs and no new applications, QPFRADJ is set to 0 after it has been used to obtain optimal paging rates across the system.
Can IASP data be saved in Restricted system state?
If the system is in restricted state, it is possible to save the security data by using the command SAVSECDTA ASPDEV(*ALLAVL). This command will save the private authorities for all available IASPs.
To save the IASP at V5R2, it must be in AVAILABLE or ACTIVE status. The IASP status changes from AVAILABLE to ACTIVE when all subsystems are ended, because the jobs that service the ASP run under QSYSWRK.
Starting from V5R3, it is possible to save the IASP only if it is in AVAILABLE status. This does not mean that the security data cannot be saved if the system is in restricted status because if the IASP is AVAILABLE before the closure of all subsystems, the status will not be changed to ACTIVE any more. In fact, the jobs that service the IASP are system jobs that are no longer under subsystem QSYSWRK, so they will not be ended any more when going to restricted state.
Starting of TCP/IP Interface Fails with Message TCP1B01
When using the STRTCPIFC command, or when trying to start a TCP/IP interface from the NETSTAT or CFGTCP menus, the start attempt times out with error message TCP1B01. The message reads:
Message ID . . . . . . . . . : TCP1B01
Message file . . . . . . . . : QTCPMSG
Library . . . . . . . . . : QSYS
Message . . . . : Unable to determine if &1 interface started.
Cause . . . . . : The QTCPIP job in the QSYSWRK subsystem is not active, or the default wait time for your job was exceeded while waiting for the interface to start.
Recovery . . . : Use the Work with Active Jobs (WRKACTJOB) CL command to list the active jobs in the QSYSWRK subsystem. If the QTCPIP job is not active, issue the End TCP/IP (ENDTCP) CL command followed by the Start TCP/IP (STRTCP) CL command. After STRTCP completes processing, issue the Start TCP/IP Interface (STRTCPIFC) CL command again. If the QTCPIP job in the QSYSWRK subsystem is active, continue to look in the QTCPIP job log to determine if the &1 interface was started. To avoid this problem when using STRTCPIFC, wait for system activity to decrease, or increase the default wait time for your job using the Change Job (CHGJOB) CL command.
Despite the recovery action listed, the problem can actually be due to authority issues. When using the WRKJOB command on the QTCPIP job (WRKJOB QTCPIP), it is possible to see no active QTCPIP jobs. Working with the most recent job in OUTQ status, and reviewing the joblog, it is very likely that message CPFA09C is posted in the joblog. Typically this message refers to an object named QLGPGCMA.LOCALE. However, the message can vary. It is very possible that the object is an Integrated File System object and is potentially the root directory ('/'). Verify the root directory's authority by using the command WRKLNK OBJ('/') or verify the authority to the object identified in the error message. Use Option 9 to view the authority, and ensure *PUBLIC is not set to *EXCLUDE.
Displaying Previous Sign-On Information
When system value QDSPSGNINF is set to 1, the previous sign-on date and time are displayed correctly when using Client Access connectivity. The last sign-on date/time in the user profile is updated whenever the security API is called to verify a user ID and password. If the password is good for the ID provided, the API returns a positive indicator and also updates the user profile. There is no implication that this sign-on was for an interactive job.
The Signon Server for Client Access (for APPC and Sockets) calls the security API. Other products (such as an OEM emulator) may not call the security API, for example, Telnet from the DOS prompt. In addition, the PCOMM product (not the emulator shipped with Client Access) goes straight to the Telnet server and will not go through the Client Access Signon Server.
The Client Access Signon Server is used for a specific reason. If the Client Access user is running Data Transfer or RMTCMD, security must verify a user ID and password, and that counts as a previous sign-on. The term sign-on means the last time a user ID and password were verified, not necessarily when an interactive job was started. Client Access has a suite of functions that do not use an interactive job. In that case, the Client Access Signon Server is used to verify that the user ID and password are correct. Therefore, the date and time stamps in the user profile reflect the previous time that the user ID and password were checked rather than only the last time that an interactive job was started. This is working as designed and is not a defect.
As long as the same user ID and password are used for the Client Access sign-on and again later at the time the interactive job is started, you will see where the date and time stamps are correct for the previous sign-on. We understand that, in some cases, this information may not mean much. But, the last time that the password was verified and the user attempted any type of signon is always the date listed. This occurs when starting Client Access for the first time or when closing a Client Access connection and the user is prompted for the AS/400 sign-on information.
Setting Up the System So a User Does Not Have to Enter a User ID and Password
At security level 30 and below, signing on by pressing the Enter key without a user ID and password is possible with certain subsystem descriptions. At security level 40 and higher, the system stops any attempt to sign on without a user ID and password.
After changing your security level to 20 or higher, signing on without a user ID and password is not allowed in the subsystems shipped by IBM. However, defining a subsystem and job description combination that allows default sign-on is possible and represents a security exposure. When the system routes an interactive job, it looks at the workstation entry in the subsystem description for a job description. If the job description specifies USER(*RQD), the user must enter a valid user ID and password at the sign-on display. If the job description specifies a user profile in the USER field, anyone can press the Enter key and sign on as that user.
CPF3810 during PTF Installation
Some users are receiving authority error message CPF3810 during PTF install processing.
Problem
Message CPF3810:
Message . . . . : Save file &1 not restored to library &3. (One of the typical libraries we see in this message is QSRV)
Cause . . . . . : You do not have sufficient authority to restore a save file that does not exist on the system.
Recovery . . . : Do one of the following:
1) Obtain authority to the CRTSAVF command from your security officer and use the RSTOBJ command to restore the save file.
2) Have your security officer restore the save file.
Resolution
To resolve the problem, do the following:
1 Sign in as the actual QSECOFR profile.
2 Verify that QSYS library is at the top of the system library list using the DSPLIBL command. If not, consider temporarily removing the library above QSYS with the following command:
CHGSYSLIBL LIB(xxxxxx) OPTION(*REMOVE)
3 Install the PTFs.
4 If you removed a library from the system library list during Step 2, add the library back in the system library list using the following command:
ADDLIBLE LIB(xxxxxx)
Group Profile Names Cannot Be Used for Authentication
User names that are group profiles cannot be used as the Security Server ID when security is enabled with the LocalOS user registry. Nor can group profiles be used to authenticate to IBM® WebSphere® Application Server when attempting to access any protected WebSphere resource. Use the DSPUSRPRF command to determine if a user profile is used as a group profile. Each such user profile is assigned a unique group ID number.
Securing a Library from Some Users but Allowing *PUBLIC Access
There are times when you want a person or group to have less access than *PUBLIC has. To be as secure as possible, you can even exclude the user from the entire system except for what you want that user to be able to see.
For the person or group, do the following:
1 To exclude a person from all libraries on the system and, therefore, all objects in libraries on the system, run the following command:
GRTOBJAUT OBJ(QSYS/*ALL) OBJTYPE(*LIB) USER(xxxx) AUT(*EXCLUDE)
2 Run the following command:
DSPSYSVAL QSYSLIBL
Document every library in the system library list.
3 For each library in the system library list, run the following command:
RVKOBJAUT OBJ(QSYS/library) OBJTYPE(*LIB) USER(xxxx) AUT(*ALL)
This allows the user to access the libraries in the system library list. Without this, the user cannot sign on.
4 Do the same thing for each library in the user library list (which is listed in their job description). Then, repeat Step 3 for each library added to the user's library list.
5 For each additional library in which you want the excluded user to be able to use objects, do one of the following:
To give the user the same authority that public does, run the following command:
RVKOBJAUT OBJ(QSYS/library) OBJTYPE(*LIB) USER(xxxx) AUT(*ALL)
To give the user specific authority to the library, run the following command:
GRTOBJAUT OBJ(QSYS/library) OBJTYPE(*LIB) USER(xxxx) AUT(xxxx)
If a user is *EXCLUDE to a library, that user is excluded from all objects in the library. However, if the user has *USE to the library, the user may be able to do more than merely *USE the objects within: authority then comes down to the specific object authorities. Therefore, the user might be able to change or even delete objects within the library.
The user must always have access to the following:
o The libraries in their library list.
o Most objects available to *PUBLIC in QSYS.
o The device that they're signing in from, with at least *CHANGE authority.
o Their own user profile, with at least Operator and Management data authorities, and all data authorities.
Without these, the user is not able to sign on.
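As an added worked example (not code from the blog or from IBM), a hypothetical CLLE program EXCLUSR that automates Steps 1 to 3 above for one user: it excludes the user from every library, then revokes that private authority again for each entry of QSYSLIBL (read with RTVSYSVAL) so the user falls back to *PUBLIC authority on those libraries and can still sign on. The program name and the &USR parameter are assumptions; the job-description library list (Step 4) and any extra libraries (Step 5) still have to be handled as described above.

```cl
/* EXCLUSR - hypothetical example program, not part of the original post. */
/* Usage: CALL EXCLUSR PARM('SOMEUSER')                                    */
/* Run it from a profile with *ALLOBJ or *SECADM special authority.        */
PGM        PARM(&USR)
  DCL      VAR(&USR)     TYPE(*CHAR) LEN(10)
  DCL      VAR(&SYSLIBL) TYPE(*CHAR) LEN(150)       /* 15 entries x 10 */
  DCL      VAR(&LIB)     TYPE(*CHAR) LEN(10)
  DCL      VAR(&POS)     TYPE(*DEC)  LEN(3 0) VALUE(1)

  /* Step 1: give the user an explicit *EXCLUDE on every library object.  */
  GRTOBJAUT  OBJ(QSYS/*ALL) OBJTYPE(*LIB) USER(&USR) AUT(*EXCLUDE)
  MONMSG     MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG MSG('EXCLUSR: GRTOBJAUT *EXCLUDE failed, nothing changed')
    RETURN
  ENDDO

  /* Steps 2-3: walk the system library list and revoke the private       */
  /* authority just granted, so those libraries fall back to *PUBLIC.     */
  RTVSYSVAL  SYSVAL(QSYSLIBL) RTNVAR(&SYSLIBL)
  DOWHILE    COND(&POS *LE 141)
    CHGVAR   VAR(&LIB) VALUE(%SST(&SYSLIBL &POS 10))
    IF       COND(&LIB *NE ' ') THEN(DO)
      RVKOBJAUT OBJ(QSYS/&LIB) OBJTYPE(*LIB) USER(&USR) AUT(*ALL)
      MONMSG    MSGID(CPF0000) EXEC(SNDPGMMSG +
                  MSG('EXCLUSR: could not revoke *EXCLUDE on' *BCAT &LIB))
    ENDDO
    CHGVAR   VAR(&POS) VALUE(&POS + 10)
  ENDDO

  /* Afterwards, confirm the result on one library before letting the     */
  /* user sign on, e.g. DSPOBJAUT OBJ(QSYS/QGPL) OBJTYPE(*LIB).           */
ENDPGM
```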
What happens if the QSECOFR user profile gets deleted?
If the QSECOFR user profile gets deleted from the system, the best way to ensure it is properly re-created is to restore it from your latest full system backup tapes or security backups (created with the SAVSECDTA command).
This ensures that all authorities are returned. (Others who might have security authorities might not have the complete range of special authorities and, therefore, cannot authorize other users to these.) If full system or security backups are not available, the default values for QSECOFR can be restored from PID tapes or CD-ROM.
Users Cannot Log In - Error 19114
When attempting to sign on to DB2® Web Query, a user may be blocked and given error code 19114 if both their user profile and the QWEBQRYADM profile are blocked from using the Remote Command server. The Remote Command server can be blocked by an exit program registered at the QIBM_QZRC_RMT exit point.
If you use a third-party security product, you must make sure that it allows both the user and QWEBQRYADM to use the Remote Command server.
Tuesday, June 15, 2010