ibm infosphere guardium s-tap for ims on z/os v9.1 … · upgrading from v9.0 to v9.1 in...

115
IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide Version 9 Release 1

Upload: duonghuong

Post on 29-Aug-2018

236 views

Category:

Documents


1 download

TRANSCRIPT

Page 1: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

IBM InfoSphere Guardium S-TAP for IMSon z/OS V9.1 User's GuideVersion 9 Release 1

���

Page 2: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

ii IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 3: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Contents

Chapter 1. What does IBM InfoSphereGuardium S-TAP for IMS on z/OS do? . . 1What's new in IBM InfoSphere Guardium S-TAP forIMS on z/OS V9.1 . . . . . . . . . . . . 1InfoSphere Guardium S-TAP for IMS on z/OScomponents. . . . . . . . . . . . . . . 2

InfoSphere Guardium system . . . . . . . . 2InfoSphere Guardium S-TAP for IMS agent . . . 3

Chapter 2. Installing IBM InfoSphereGuardium S-TAP for IMS on z/OS . . . . 5Hardware and software prerequisites . . . . . . 5User ID authorities required for installation . . . . 5

Chapter 3. InfoSphere Guardium S-TAPfor IMS security . . . . . . . . . . . 7APF authorization . . . . . . . . . . . . 7DBRC RECON data sets . . . . . . . . . . 7OMVS segment . . . . . . . . . . . . . 7IMS RESLIB data sets . . . . . . . . . . . 8SMF and IMS archive log data sets . . . . . . . 8z/OS log streams . . . . . . . . . . . . . 8

Chapter 4. Upgrading from the previousversion of InfoSphere Guardium S-TAPfor IMS . . . . . . . . . . . . . . . 9Upgrading from V9.0 to V9.1 in compatibility mode 10Upgrading from V9.0 to V9.1 in exploitation mode 10

Chapter 5. Configuration overview . . . 13Planning your configuration and customizing yourenvironment . . . . . . . . . . . . . . 13

Customizing the ISPF edit macro . . . . . . 14Job cards for the sample JCL in the SAMPLIB . . 15Setting up the VSAM repository . . . . . . 15Setting up z/OS log streams. . . . . . . . 16

Chapter 6. Configuring the InfoSphereGuardium S-TAP for IMS agent . . . . 23Customize the agent using agent parameterkeywords . . . . . . . . . . . . . . . 23Agent configuration . . . . . . . . . . . 34Customizing the agent JCL . . . . . . . . . 34Starting and stopping the agent . . . . . . . 34Agent security considerations . . . . . . . . 35

Chapter 7. Setting up an IMSenvironment for auditing . . . . . . . 37Customizing IMS environments to capture DLI calls 37Customizing IMS cataloged procedures . . . . . 37Coexisting with other DFSFLGX0 and DFSISVI0 exitroutines . . . . . . . . . . . . . . . 38

Customizing IMS to use a System z IntegratedInformation Processor (zIIP) . . . . . . . . . 39Copying common load modules from SAUILOADto SAUIIMOD . . . . . . . . . . . . . 40Security considerations for IMS processing . . . . 40

Chapter 8. Using agent configurationkeywords to customize auditing . . . . 41Specifying multiple SMF data set masks . . . . . 42Disabling SMF auditing at the agent level . . . . 42Controlling the frequency of SMF z/OS catalogqueries . . . . . . . . . . . . . . . . 43Changing the retention period of incomplete SMFevents . . . . . . . . . . . . . . . . 43Changing the name of the SMF address space JCL 43Auditing IMS data set access . . . . . . . . 43Changing the types of events that are audited usingSMF records . . . . . . . . . . . . . . 44Overriding the range of ports used forcommunication between address spaces . . . . . 44Specifying agent messages to issue to the operatorconsole . . . . . . . . . . . . . . . . 44Creating a spill area for short-term outages . . . . 45Disabling IMS SLDS auditing at the agent level . . 45Controlling the frequency with which IMS SystemLog Data Sets are allocated and read . . . . . . 45Changing the name of the IMSL address space JCL 45Changing the types of events audited using IMSSLDS records . . . . . . . . . . . . . . 46Changing the name of the Common MemoryManagement address space JCL . . . . . . . 46Excluding DLI calls occurring on specific LPARSfrom being audited . . . . . . . . . . . . 47Running more than one agent in a SYSPLEX . . . 47Using the System z Integrated InformationProcessor (zIIP) . . . . . . . . . . . . . 47Using multiple Guardium systems. . . . . . . 48

Providing Guardium system failover . . . . . 49

Chapter 9. InfoSphere Guardium S-TAPfor IMS agent reference information . . 51Sample library members . . . . . . . . . . 51Agent environment . . . . . . . . . . . . 51APF authorization . . . . . . . . . . . . 52Agent job output . . . . . . . . . . . . 52Stopping the agent . . . . . . . . . . . . 52Starting and stopping the secondary address spaces 52

Chapter 10. Data collection . . . . . . 55IMS database DLI calls . . . . . . . . . . 55SMF records . . . . . . . . . . . . . . 55Records from IMS system log data sets (SLDS) . . 56Filtering stages . . . . . . . . . . . . . 57

Stage 0 filtering . . . . . . . . . . . . 57Stage 1 filtering . . . . . . . . . . . . 58

iii

||

Page 4: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Stage 2 filtering . . . . . . . . . . . . 58Policy pushdown . . . . . . . . . . . . 59

Chapter 11. Creating and modifyingIMS definitions . . . . . . . . . . . 61Navigating to the IMS Definitions panel . . . . . 61IMS Definition fields . . . . . . . . . . . 61IMSPLEX data sharing and XRF considerations . . 62Adding an IMS definition . . . . . . . . . 63Modifying an IMS definition . . . . . . . . 63Deleting an IMS definition . . . . . . . . . 63

Chapter 12. Reference information . . . 65Data collection monitors . . . . . . . . . . 65IMS Logtypes and SMF record types collected byInfoSphere Guardium S-TAP for IMS . . . . . . 68Fields used for IMS policy pushdown . . . . . 69

Chapter 13. Troubleshooting . . . . . 71Messages and codes for IBM InfoSphere GuardiumS-TAP for IMS on z/OS . . . . . . . . . . 71

Error messages and codes: AUIAxxxx . . . . 71Error messages and codes: AUIBxxxx . . . . . 75Error messages and codes: AUIFxxxx . . . . . 75Error messages and codes: AUIGxxxx . . . . 77Error messages and codes: AUIIxxxx . . . . . 79Error messages and codes: AUIJxxxx . . . . . 83Error messages and codes: AUILxxxx . . . . . 91Error messages and codes: AUIPxxxx . . . . . 92Error messages and codes: AUIRxxxx. . . . . 93Error messages and codes: AUITxxxx . . . . . 94Error messages and codes: AUIUxxxx . . . . 97Error messages and codes: AUIXxxxx. . . . . 97Error messages and codes: AUIYxxxx . . . . 105Error messages and codes: AUIZxxxx . . . . 105

Index . . . . . . . . . . . . . . . 111

iv IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 5: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Chapter 1. What does IBM InfoSphere Guardium S-TAP forIMS on z/OS do?

IBM® InfoSphere® Guardium® S-TAP® for IMS™ on z/OS® (also referred to asInfoSphere Guardium S-TAP for IMS) is an auditing tool that collects andcorrelates data access information from IMS Online regions, IMS batch jobs, IMSarchived log data sets, and SMF records to produce a comprehensive view ofbusiness activity occurring within one or more IMS environments.

InfoSphere Guardium S-TAP for IMS assists auditors in determining who read orupdated a particular IMS database and its associated data sets, what mechanismwas used to perform that action, and when the access took place.

InfoSphere Guardium S-TAP for IMS can collect and correlate many different typesof information, including:v Accesses to databases and segments from IMS Online regions.v Accesses to databases and segments from IMS DLI/DBB batch jobs.v Accesses to databases, image copies, IMS logs, and RECON data sets and

security violations to these data sets as recorded by SMF.v IMS Online region START and STOP, database and PSB change of state activity

and USER signon and signoff as recorded in the IMS Archived Log data sets.

What's new in IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1Here is what's new in version 9.1 of IBM InfoSphere Guardium S-TAP for IMS onz/OS.

S-TAP administration client removedRemoval of the InfoSphere Guardium S-TAP for IMS Windows-basedadministration client.

You can now configure all product functions and parameters from theGuardium system user interface.

Configuration file format changesThe keyword and parameter formatting convention is now used by theconfiguration file. The configuration file is used by the agent and agentsubtasks to convey site-specific agent information.

If you are upgrading from a previous version of this product, a utility isprovided to convert the XML-based configuration file used by previousversions into the new keyword and parameter format. See Chapter 4,“Upgrading from the previous version of InfoSphere Guardium S-TAP forIMS,” on page 9 for more information.

Agent subtask JCL changesIt is now optional to manually specify the configuration file in the agentsubtask JCLs (AUIFSTC, AUILSTC). Manual specification of theconfiguration file is still required for the AUIUSTC task.

Shared memory segments created by the AUIASTC task are now used tocommunicate the configuration parameters to be used by the AUIFSTC andAUILSTC subtasks.

1

Page 6: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Agent and subtask message sent through the Guardium systemInformational, warning, and error messages originating from the agent oragent subtasks are now formatted and sent over a TCP/IP connection tothe Guardium system.

Limiting Memory Management address space routing to specific LPARSYou can now limit the routing of the Memory Management address space(AUIUSTC) to specific LPARS through the use of a configuration keywordand parameter. See Chapter 6, “Configuring the InfoSphere GuardiumS-TAP for IMS agent,” on page 23 for details on the use of the“AUIU_EXCLUDE_LPAR” keyword.

Limiting search of ports for intra-agent communicationFor communication between the agent and agent subtasks using a TCP/IPconnection, the agent and subtasks sequentially scan ports for use, startingat port number 41500 and ending at port 65535.

You can now specify the port to be used to start the scan, as well as thenumber of ports to be scanned. See Chapter 6, “Configuring the InfoSphereGuardium S-TAP for IMS agent,” on page 23 for information on how touse the “LOG_PORT_SCAN_START” and “LOG_PORT_SCAN_COUNT”keywords.

zIIP support for audited DLI callsThe reading of audited DLI calls from the z/OS log streams, as well as theTCP/IP send of these audited events to the Guardium system are nowcapable of running in a zIIP-enabled enclave. A configuration keyword andparameter is used to enable this feature. See Chapter 6, “Configuring theInfoSphere Guardium S-TAP for IMS agent,” on page 23 for information onhow to use the “ZIIP_AGENT_DLI” keyword.

Reduced overhead during TCP/IP send of audited events to the GuardiumSystem

In previous versions of InfoSphere Guardium S-TAP for IMS, the flow ofdata from the agent or agent subtasks was interrupted every 5 seconds topermit the transmission of a ping message to the Guardium system.Changes to the Guardium system remove the need for the data flowinterruption, allowing a higher rate of data transfer.

New communication of active filtering policiesA communications link between the agent (AUIASTC) and the MemoryManagement address spaces (AUIUSTC) enables communication of activefiltering policies from the agent to the AUIUSTC address space. TheAUIUSTC address space can now communicate the processing success, orthe details of certain types of failures, back to the agent.

InfoSphere Guardium S-TAP for IMS on z/OS componentsInfoSphere Guardium S-TAP for IMS consists of an agent, a Common StorageManagement Utility, a VSAM repository, and the InfoSphere Guardium system.

InfoSphere Guardium systemThe Guardium system can gather, and report on, information from multiple agentsrunning on multiple z/OS systems.

Guardium system

The Guardium system:

2 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 7: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

v Provides the user interface, which processes requests and displays the resultinginformation.

v Enables you to create collection policies, which specify the types of data to becollected by the agent.

v Stores the collected data.

Guardium system and S-TAP agent communication

The Guardium system and the S-TAP agent communicate using a TCP/IPconnection. The policies you create, using the Guardium system user interface, tellthe agent what data to collect. The policy specifies filter information, such as whichdata sets are to be monitored for data accesses.

InfoSphere Guardium S-TAP for IMS agentThe InfoSphere Guardium S-TAP for IMS agent coordinates the collection ofaudited data, and the transmission of audited DLI call data to the Guardiumsystem.

The InfoSphere Guardium S-TAP for IMS agent can collect data from one or moreof the following sources within a SYSPLEX:v A single IMS systemv Multiple IMS systems that share a common set of RECON data setsv Multiple IMS systems using diverse RECON data sets

The agent maintains the communication links that are needed to exchangeinformation with:v The Guardium systemv IMS Online and Batch data collectors and activity monitorsv The IMS Archive Log data set and SMF activity monitors

The agent also provides data collection schemas, called policies, to the activitymonitors on which detail the IMS artifacts are to be audited, and to what level.

The agent runs as a started task on the z/OS host. An example of the JCL to beused is in member AUIASTC of the SAUISAMP installation data set.

The agent collects data from the following sources:v IMS online activitiesv IMS batch activitiesv SMF datav IMS archived log datav IMS RECON data setsv VSAM repository data

For more information about how data is collected from these sources, see “Datacollection monitors” on page 65.

Chapter 1. What does IBM InfoSphere Guardium S-TAP for IMS on z/OS do? 3

Page 8: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

4 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 9: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Chapter 2. Installing IBM InfoSphere Guardium S-TAP for IMSon z/OS

The following sections describe hardware, software, and user ID authorityprerequisites for product installation.

Review the InfoSphere Guardium S-TAP for IMS V9.1 Program Directory for a listof product materials and SMP/E installation instructions.

Hardware and software prerequisitesThe following hardware and software are required to operate InfoSphereGuardium S-TAP for IMS.v z/OS Version 1 Release 11 or later.v IMS V11, V12, or V13.v Any hardware capable of running z/OS Version 1 Release 11 or later.

InfoSphere Guardium S-TAP for IMS requires use of the following:v 64-bit memoryv TCP/IP connectivityv z/OS System logger log streamsv UNIX System Servicesv OMVS segment

User ID authorities required for installationThis topic describes z/OS USERID authorities needed to install InfoSphereGuardium S-TAP for IMS.

If you are installing this product, your z/OS user ID must have the authority to:v Define z/OS system log streamsv Update the IMS cataloged procedure data set members DLIBATCH and

DBBBATCH to include product load libraries

5

Page 10: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

6 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 11: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Chapter 3. InfoSphere Guardium S-TAP for IMS security

InfoSphere Guardium S-TAP for IMS requires access to various IMS data sets andGuardium system components.

APF authorizationInfoSphere Guardium S-TAP for IMS requires certain data sets to be accessible andAPF-authorized on all LPARS of the SYSPLEX where IMS batch jobs or IMS onlineregions to be monitored might run.

About this task

Refer to the z/OS information center for more information about how to APFauthorize libraries.

Procedure1. APF-authorize product data set SAUILOAD on all LPARS of the SYSPLEX.

SAUILOAD contains the IMS Online and Batch Activity Monitor executablecode.

2. APF-authorize product data set SAUIIMOD on all LPARS of the SYSPLEXwhere IMS batch jobs or IMS online regions to be monitored might run.SAUIIMOD contains IMS specific executable load modules.

DBRC RECON data setsInfoSphere Guardium S-TAP for IMS uses the native VSAM services to read datafrom the RECON data sets. These RECON data sets must be accessible from all theLPARS where the InfoSphere Guardium S-TAP for IMS agents might run.

VSAM access to the RECON data sets is READ-ONLY, allowing the InfoSphereGuardium S-TAP for IMS jobs and started tasks with a security access of READ toprocess the RECON data sets.

Consult your security administrator to determine how your RECON data sets areprotected, and how to grant the required access.

OMVS segmentTCP/IP connectivity and other UNIX System services on z/OS require that theaddress space using these services use a z/OS user ID or group name that isdefined with an OMVS segment.

Defining your z/OS user ID or group name with an OMVS segment might requirethe use of the IBM RACF command ADDUSER/ALTUSER xxxxxx OMVS(UID(zzz)) or asecurity product equivalent command. Review your z/OS Security Serverdocumentation for more information.

7

Page 12: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

IMS RESLIB data setsREAD access to the IMS RESLIB/SDFSRESL data sets is required for each IMSsystem that requires the IMS SLDS to be processed by InfoSphere Guardium STAPfor IMS. READ access is required to allow a LOAD/READ of module DFSVC000to determine the version release level of the audited IMS.

SMF and IMS archive log data setsREAD access to the SMF data sets and the IMS archived logs data sets (SLDS) isrequired for the user under whose authority the agent runs. If these data sets areprotected by RACF® or another security product, a policy must be defined to grantthis access. The z/OS catalogs containing the names of these data sets, as well asthe physical data sets themselves, must be accessible from the LPAR on which theInfoSphere Guardium S-TAP for IMS agent runs.

Consult your security administrator to determine what is currently protected andhow to grant the required access.

z/OS log streamsIMS batch jobs and online regions monitored by InfoSphere Guardium S-TAP forIMS write the audit data to z/OS log streams.

To ensure that IMS online systems and DLI/DBB batch jobs can write to these logstreams, assign the universal security access of UPDATE to the z/OS log stream.

8 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 13: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Chapter 4. Upgrading from the previous version of InfoSphereGuardium S-TAP for IMS

Use the process described in this section to upgrade from InfoSphere GuardiumS-TAP for IMS V9.0 to V9.1. Read the following information for details on featuresand restrictions related to upgrading, as well as information on whether toupgrade in compatibility or exploitation mode.

Note: New versions or releases of InfoSphere Guardium S-TAP for IMS should beinstalled as a new installation base. However, if circumstances prevent you fromdoing so, follow these instructions to upgrade from the previous version'sinstallation base instead.

Compatibility mode

Retention of product assetsUpgrading from V9.0 to V9.1 in compatibility mode enables you to useexisting V9.0 product assets, such as JCLs, configuration files, andrepository data set content in V9.1. To retain V9.0 z/OS assets in V9.1,product load libraries in the agent (AUIAxxxx) and agent subtask JCLs(AUIFxxxx, AUILxxxx and AUIUxxxx) must be made available to the newproduct version.

Adding V9.0 IMS definitions to V9.1The IMS definitions you configured using the V9.0 administration userinterface must be added to the Guardium system, using the Guardium userinterface. Customizing and running the utility in the AUIMIG91 member ofthe SAMPLE data set provided with this product produces a report of thenames and content of the IMS definitions set for V9.0.

Compatibility mode restrictionsIf you upgrade to V9.1 in compatibility mode, new V9.1 features will notbe supported, such as zIIP support for reading DLI audit events from thez/OS log streams, and the resulting TCP/IP sends to the Guardiumsystem. IMS artifacts will be audited by using the V9.0 configuration, butto use new V9.1 features, you must use the configuration file syntax andmake minor JCL changes to the agent and agent subtasks.

Exploitation mode

Exploitation mode enables the use of V9.0 product assets, such as JCLs andconfiguration and repository contents, to be upgraded to V9.1, while allowing thefull use and functionality of the V9.1 product. Upgrading from V9.1 of InfoSphereGuardium S-TAP for IMS on z/OS to future versions or releases might require thata new V9.1 installation, or a V9.0 exploitation upgrade to V9.1 be the minimumenvironment.

9

Page 14: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Upgrading from V9.0 to V9.1 in compatibility modeComplete the following steps to upgrade from V9.0 to V9.1 in compatibility mode.Compatibility mode enables V9.0 product assets to be used, such as JCLs,configuration files, and repository data set content. New product features of V9.1,such as zIIP support for reading DLI audit events from the z/OS log streams, andthe resulting TCP/IP sends to the Guardium system, are not supported incompatibility mode.

Procedure1. Deactivate or uninstall all policies that apply to the agent being upgraded.2. Shut down the agent being upgraded.3. Back up, or copy, the VSAM repository data set specified using the

<repository-dsn> XML tag in the agent current configuration file. The REPOfunction of the IDCAMS or similar program can be used.

4. Customize the AUIMIG91 SAMPLIB member to produce a report. Thecomments contained in the AUIMIG91 SAMPLIB member describe how toproduce a report.

5. Update the “//AUICFG DD” JCL statement to point to the V9.0 configurationfile currently in use by your agent, and submit.

6. Use the IMS definition report produced by the AUIMIG91 job to add the IMSdefinitions to your Guardium system.

7. Update the AGENT (AUIAxxxx) and agent sub-task JCLs (AUIFxxxx,AUILxxxx, and AUIUxxxx) to use the V9.1 product load library (SAUILOAD).

8. Update the IMS Control region JCLs audited by this agent to use the V9.1product IMS load library (SAUIIMOD).

9. Update the IMS DBBBATCH and DLIBATCH cataloged procedures, and anyequivalent JCL members, to use the V9.1 product IMS load library(SAUIIMOD).

10. Start the agent.11. Install or activate the policies that you want to apply.12. Stop and restart your IMS systems.

What to do next

Now, you can:v Install additional policies on the z/OS host by using the Guardium system user

interface.v Manage agent and IMS definitions by using the Guardium system user interface.

Upgrading from V9.0 to V9.1 in exploitation modeComplete the following steps to upgrade from V9.0 to V9.1 in exploitation mode.Exploitation mode enables the use of V9.0 product assets, such as JCLs andconfiguration and repository contents, to be upgraded to V9.1, while allowing thefull use and functionality of the V9.1 product.

Procedure1. Deactivate or uninstall all policies that apply to the agent being upgraded.2. Shut down the agent being upgraded.3. Customize the AUIMIG91 SAMPLIB member to convert the configuration file

and repository to V9.1 format, and submit. The comments contained in the

10 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 15: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIMIG91 SAMPLIB member describe how to customize the JCL. A V9.1format configuration file, an updated VSAM repository, and an IMS definitionreport will be produced.

4. Use the IMS definition report produced by the AUIMIG91 job to add the IMSdefinitions to your Guardium system.

5. Update the new configuration file produced by the AUIMIG91 utility with anychanges.

6. Update the AGENT (AUIAxxxx) and Memory Management Utility(AUIUxxxx) JCLs as follows:a. Remove the “//AUICFG DD“ JCL statement.b. Add a “//AUICONFG DD“ JCL statement, and set it to reference the new

configuration member produced by the AUIMIG91 utility.c. Change the “//STEPLIB DD” JCL statement to reference the V9.1 product

load library (SAUILOAD).d. Remove the “//AUIREPOS DD” JCL statement from the AUIUxxxx JCL.

7. Update the SMF (AUIFxxxx) and IMS Archive Log (AUILxxxx) JCLs asfollows:a. Remove the “//AUICFG DD” JCL statement, and any procedure

parameters that reference it.b. Change the “//STEPLIB DD” JCL statement to reference the V9.1 product

load library (SAUILOAD).8. Update the IMS Control region JCLs audited by the agent to use the V9.1

product IMS load library (SAUIIMOD).9. Update the IMS DBBBATCH and DLIBATCH cataloged procedures, and any

equivalent JCL members, to use the V9.1 product IMS load library(SAUIIMOD).

10. Start the agent.11. Install or activate the policies that you want to apply.12. Stop and restart your IMS systems.

What to do next

Now, you can:v Install additional policies on the z/OS host by using the Guardium system user

interface.v Manage agent and IMS definitions by using the Guardium system user interface.

Chapter 4. Upgrading from the previous versions of InfoSphere Guardium S-TAP for IMS 11

Page 16: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

12 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 17: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Chapter 5. Configuration overview

These actions are required to configure InfoSphere Guardium S-TAP for IMS.

Review the following steps, which are described in greater detail in the followingsections:v Verify that you have the resource authorizations required to configure the

product.v Review the preconfiguration tasks section for planning steps and required

information.v Set up the VSAM repository by creating the VSAM data set, as well as the

related limitations, restrictions, and security considerations.v Set up the z/OS log streams. Review the CFRM and log stream size

requirements, and the related security considerations, limitations, andrestrictions. Define the log streams for batch and online jobs.

v Determine a naming convention for the agent (AUIASTC, AUIFSTC, AUILSTC,and AUIUSTC) started tasks, where "STC" can be changed to any one to eightcharacter length string. The AUI* prefix should be retained to simplify taskidentification.

v Configure the agent by customizing the configuration file, customizing the agentJCL, and starting the agent.

v Set up the IMS environment for auditing by customizing the IMS catalogedprocedure, configuring IMS exits, customizing IMS to use an IBM System z®

Integrated Information Processor (zIIP), and review the related securityconsiderations.

Note: No WLM (Workload Manager) considerations are necessary. All agentstarted tasks use the STC WLM class.

Planning your configuration and customizing your environmentCollect user ID and environment information before you configure InfoSphereGuardium S-TAP for IMS V9.1.

Tip: To upgrade to InfoSphere Guardium S-TAP for IMS V9.1 from a previousversion, refer to the Chapter 4, “Upgrading from the previous version ofInfoSphere Guardium S-TAP for IMS,” on page 9. If you are upgrading from aprevious version to V9.1, no further configuration steps are required. Upgrading toV9.1 requires the use of, and modifications to, the same agent name and JCLs thatwere used with the previous version. For your reference, see the “Sample librarymembers” on page 51 listing.

Before you configure a new installation of InfoSphere Guardium S-TAP for IMSV9.1, determine the following:v The user IDs that will be used to run the agent started tasksv Where the agent started tasks will run

Then, customize the ISPF edit macro, provide a valid job card, and set up theVSAM repository, as described in the following sections.

13

Page 18: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Customizing the ISPF edit macroThe SAUISAMP data set shipped with InfoSphere Guardium S-TAP for IMSincludes an ISPF edit macro to help with the editing of the rest of the SAMPLIBmembers to be used in the subsequent steps.

About this task

The edit macro is named AUIEMAC1 and provides a straightforward way tocustomize the variable values for the variables that appear in the JCL that will run.Use this edit macro as part of a command list (CLIST) to edit the other SAMPLIBmembers.

Procedure1. To set up the edit macro, copy AUIEMAC1 from the #HLQ.SAUISAMP to a

CLIST library.2. Edit the macro by providing the appropriate values for each of the variables.3. To run the macro, type the name of the edit macro in the command line in

ISPF.

Results

After you modify the edit macro, you can use it as a command to customize otherSAMPLIB members in the following steps, unless otherwise specified.

Example

The contents of the edit macro AUIEMAC1 included in the SAMPLIB are asfollows:ISREDIT MACRO (NP)ISPEXEC VGET (ZUSER)ISREDIT CHANGE ALL ’#AUILOAD’ AUI.IBMTAPE.SAUILOADISREDIT CHANGE ALL ’#AUIIMOD’ AUI.IBMTAPE.SAUIIMODISREDIT CHANGE ALL ’#AUISAMP’ AUI.IBMTAPE.SAUISAMPISREDIT CHANGE ALL ’#AUIREPOS’ AUI.V910.REPOS

This table describes each variable in the edit macro AUIEMAC1 included in theSAMPLIB:

Table 1. AUIEMAC1 Edit macro variables

Variable Default Instructions

#AUILOAD AUI.IBMTAPE.SAUILOAD

Change the default value to point to thelocation of the SAUILOAD for InfoSphereGuardium S-TAP for IMS.

#AUIIMOD AUI.IBMTAPE.SAUIIMOD

Change the default value to point to thelocation of the SAUIIMOD for InfoSphereGuardium S-TAP for IMS.

#AUISAMP AUI.IBMTAPE.AUISAMP

Change the default value to point to thelocation of the SAUISAMP data set, orcopy of that data set where you will beperforming the configuration andcustomization edits.

14 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

|

|||

|

||||

|

||

|

||

|

||

|

||

||||||

||

||

|||

||||||

||||||

||||||||

Page 19: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Table 1. AUIEMAC1 Edit macro variables (continued)

Variable Default Instructions

#AUIREPOS AUI.V910.REPOS Specify the location of the VSAMrepository to be used by the agent'sprimary and secondary address spaces.Note: The VSAM repository must beaccessible from all LPARs in a specificSYSPLEX.

Job cards for the sample JCL in the SAMPLIBSome JCL members included with the product SAMPLIB have a filler card for thejob card.

A valid job card conforming to your site's JCL standards must be provided beforesubmitting any of the JCL.

Setting up the VSAM repositoryInfoSphere Guardium S-TAP for IMS uses a VSAM KSDS data set to store productconfiguration details and collection profile information across all LPARS of aSYSPLEX environment.Related reference:“Agent security considerations” on page 35The user ID of the agent started tasks (the primary and the secondary startedtasks) should have the proper RACF profiles to read the control file contents, andto read and update the VSAM repository.

Creating the VSAM repository data setThe VSAM repository data set is created using the AUISJ001 JCL member of theSAUISAMP installation data set. AUISJ001 will delete a previously defined VSAMKSDS data set, DEFINE the KSDS using the appropriate keywords and parameters,and initialize the data set with an initialization record.

Customize the AUISJ001 JCL member:1. Supply a job card as required by your installation.2. Code a data set name where the “#AUIREPOS” variable is specified.

Customization and use of the AUIEMAC1 edit macro causes the data set namechosen for the #AUIREPOS variable during AUIEMAC1 customization to beused.

3. Execute the customized AUISJ001 JCL member to create and initialize theVSAM repository data set.

Size restrictions and security considerationsThis section specifies the record lengths to use in order to make space calculations,as well as the relevant security considerations.

VSAM limitations and restrictions

The VSAM repository file must be accessible by all LPARS in the SYSPLEX. Adefault size of five cylinders is supplied, but your installation may require morespace.

Chapter 5. Configuration overview 15

|

|||

|||||||||

|

Page 20: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

VSAM repository space calculations

Space calculations can be made using the following record lengths:v 300 bytes will be consumed by each IMS subsystem that is audited by the agent.v 528 bytes will be consumed by each agent using the repository.v 258 bytes will be consumed for each SMF mask defined to each agent.

Note: The VSAM repository file must be updatable by all product started tasksthat might run on the SYSPLEX.

Setting up z/OS log streamsIBM InfoSphere Guardium S-TAP for IMS uses the z/OS System Logger to funnelevents from IMS online regions and DLI/DBB batch jobs to the DLI eventprocessor (AUIASTC task). Both XCF based and DASD based log streams aresupported.

Each agent requires two unique log streams:v one log stream for DLI events generated by IMS Control regionsv one log stream for DLI events generated by DLI/DBB batch jobs

Log streams cannot be shared between agents. Each log stream name must beunique.

It is recommended that XCF based log streams be used whenever possible, becausethis type of log stream is accessible from any LPAR within a sysplex, and hasperformance benefits. For more information about the two types of log streams,refer to the IBM publication: System Programmer's Guide to: z/OS System Logger.

Log stream securityVerify the following conditions have been met to insure log stream security.

Important:

v The USERID your IMS online control region runs under must have WRITEaccess to the log stream.

v If DLI/DBB batch jobs runs under a common USERID, that USERID must haveWRITE permission to the log stream.

v The USERID under which the DLI Event Collector (AUIASTC task) executesmust have READ/WRITE access to the log streams.

v If individual users are permitted to run DLI/DBB batch jobs under their ownUSERID, a universal access of WRITE is recommended for the log stream.

XCF-based log streamsThe advantages of using XCF-based log streams as opposed to DASD-based logstreams include accessibility from any LPAR within the sysplex, and improvedperformance.

AUILSTR1

Two JCL members in the SAUISAMP product data set are included to assist in thedefinition of XCF-based log streams.

This JCL is used to define the XCF structures to a CFRM policy needed by the logstreams used by the DLI/DBB batch and IMS online control regions. Detailedinstructions are in the comments of the JCL.

16 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 21: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Note: The addition of structures to a CFRM policy are cumulative, and theexecution of this JCL without consideration to previously defined structures withinthe CFRM policy may result in the loss of existing CFRM structure definitions. It ishighly recommended that a systems programmer customize and submit this JCL.

There are two DEFINE STRUCTURE sections for this JCL: one for the batchstructure, and one for the online structure. The following values must becustomized for the batch structure:

The name of the batch structure(NAME(batch_struc_name))

The coupling facility used to contain the structure(PREFLIST(cfname))

The following values must be customized for the online structure:

The name of the online structure(NAME(online_struc_name))

The coupling facility used to contain the structure(PREFLIST(cfname))

Do not change any other values, such as SIZE, INITSIZE, and ALLOWAUTOALTwithout carefully considering the impact that your changes will have onperformance and data integrity.

Note: AUILSTR1 must run successfully before proceeding.

AUILSTR2

This JCL is used to add the XCF based log streams to a LOGR policy used by theIMS Control region and DLI/DBB batch jobs. Detailed instructions are in thecomments of the JCL.

Note: The addition of structures to a CFRM policy are cumulative, and theexecution of this JCL without consideration to previously defined structures withinthe CFRM policy may result in the loss of existing CFRM structure definitions. It ishighly recommended that a systems programmer customize and submit this JCL.

There are two DEFINE STRUCTURE sections for this JCL: one for the batchstructure and log stream, and one for the online structure.The following values must be customized for the batch structure and log stream:

The name of the batch structure(NAME(batch_struc_name))

The coupling facility used to contain the structure(PREFLIST(cfname))

Values which must be customized for IMS Batch processing include:

DEFINE STRUCTURE values:

The name of the batch structure (from AUILSTR1)(NAME(batch_struc_name))

The name of this log stream is used as input to the Batch DLI Log Stream Namefield when defining log streams to the agent. Use the LOG_STREAM_DLIB

Chapter 5. Configuration overview 17

Page 22: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

keyword of the configuration member that is specified by the AUICONFG DDstatement of the agent (AUIASTC) JCL. The LOGSNUM, MAXBUFSIZE andAVGBUFSIZE should not be changed from the default values.

The name of the batch structure (from AUILSTR1)(STRUCTNAME(batch_struc_name))

The selection of the Staging data set classes(STG_DATACLAS, STG_MGMTCLAS, and STG_STORCLAS)

These parameters indicate the SMS classes to be used when the System loggerallocates a staging data set for the log stream. The IBM publication, SystemProgrammer's Guide to: z/OS System Logger contains recommendations andconsiderations for the choice of these parameters.

The selection of offload data set classes(LS_DATACLAS, LS_MGMTCLAS, and LS_STORCLAS)

These parameters indicate the SMS classes to be used when the System loggerallocates an offload data set for the log stream. The IBM publication, SystemProgrammer's Guide to: z/OS System Logger contains recommendations andconsiderations for the choice of these parameters.

The size of the Batch Log stream DASD data sets(STG_SIZE)

Note: This can be removed if the STG_DATACLAS value is specified.

The allocation/size of the offload data sets(LS_SIZE(13500))

A value of 13500 (the number of 4K blocks) is the default/supplied value. The IBMpublication, System Programmer's Guide to: z/OS System Logger containsrecommendations and considerations for the choice of this size.

The High level qualifier of the offload and staging data sets(HLQ or EHLQ)

The HLQ and EHLQ are mutually exclusive and only one may be used. Otherparameters found in the batch structure and online log stream definition may havea "do not change" comment. These parameters contain the recommended valuesand should not be altered without careful consideration of the impact of changesto log stream performance and data integrity. The IBM publication, SystemProgrammer's Guide to: z/OS System Logger contains recommendations andconsiderations of each potential parameter.

You must customize the following values for online structure and log streamprocessing:

DEFINE STRUCTURE values:

The name of the online structure (from AUILSTR1)(NAME(online_struc_name))

The LOGSNUM, MAXBUFSIZE and AVGBUFSIZE should not be changed from thedefault values.

DEFINE LOGSTREAM values:

18 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 23: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

The name of the log-stream(NAME(online_logstream_name))

The name of this log stream is used as input to the Online DLI Log Stream Namefield when defining log streams to the agent. Use the LOG_STREAM_DLIOkeyword of the configuration member specified by AUICONFG DD statement ofthe agent (AUIASTC) JCL.

The name of the online structure (from AUILSTR1)(STRUCTNAME(online_struc_name))

The selection of the Staging data set classes(STG_DATACLAS, STG_MGMTCLAS, and STG_STORCLAS)

These parameters indicate the SMS classes to be used when the System loggerallocates a staging data set for the log stream. The IBM publication, SystemProgrammer's Guide to: z/OS System Logger contains recommendations andconsiderations of each potential parameter.

The size of the ONLINE Log stream DASD data sets(STG_SIZE)

Note: This can be removed if the STG_DATACLAS value is specified.

The selection of offload data set classes(LS_DATACLAS, LS_MGMTCLAS, and LS_STORCLAS)

These parameters indicate the SMS classes to be used when the System loggerallocates an offload data set for the log stream. The IBM publication, SystemProgrammer's Guide to: z/OS System Logger contains recommendations andconsiderations of each potential parameter.

The allocation/size of the offload data sets(LS_SIZE(13500))

A value of 13500 (the number of 4K blocks) is the default/supplied value. The IBMpublication, System Programmer's Guide to: z/OS System Logger containsrecommendations and considerations for the choice of this size.

The High level qualifier of the offload and staging data sets(HLQ or EHLQ)

The HLQ and EHLQ are mutually exclusive and only one may be used. Otherparameters found in the batch structure and online log stream definition may havea "do not change" comment. These parameters contain the recommended valuesand should not be altered without careful consideration of the impact of changesto log stream performance and data integrity. The IBM publication, SystemProgrammer's Guide to: z/OS System Logger contains recommendations andconsiderations of each potential parameter.

DASD-based log streamsThis section provides rules and information about DASD-based log streams.

DASD-based logs streams can only be accessed from one LPAR at a time. Any IMSOnline Control regions and DLI/DBB batch jobs to be audited must run on thesame LPAR as the agent runs on.

One JCL member in the SAUISAMP product data is included to assist in thedefinition of DASD-based log streams.

Chapter 5. Configuration overview 19

Page 24: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUILSTR3

This JCL is used to add the DASD based log streams to a LOGR policy used by theIMS Control region and DLI/DBB batch jobs. Detailed instructions may be foundwithin the comments of the JCL.

Note: It is highly recommended that a systems programmer customize and submitthis JCL.There are two DEFINE STRUCTURES sections to this JCL: one for the batchstructure, and one for the online structure. Values which must be customized forIMS batch log stream processing are as follows:

DEFINE LOGSTREAM values:

The name of the log-stream(NAME(batch_logstream_name))

The name of this log stream is used as input to the Batch DLI Log Stream Namefield when defining log streams to the agent. Use the LOG_STREAM_DLIOkeyword of the configuration member specified by AUICONFG DD statement ofthe agent (AUIASTC) JCL.

The selection of the Staging data set classes(STG_DATACLAS, STG_MGMTCLAS and STG_STORCLAS)

These parameters indicate the SMS classes to be used when the System loggerallocates a staging data set for the log stream. Other parameters found in the batchstructure and online log stream definition may have a "do not change" comment.These parameters contain the recommended values and should not be alteredwithout careful consideration of the impact of changes to log stream performanceand data integrity. For more information, the IBM publication, System Programmer'sGuide to: z/OS System Logger contains recommendations and considerations for thechoice of these parameters, and can be found on the IBM Information Center.

The selection of offload data set classes(LS_DATACLAS, LS_MGMTCLAS and LS_STORCLAS)

These parameters indicate the SMS classes to be used when the System loggerallocates an offload data set for the log stream. For more information, the IBMpublication, System Programmer's Guide to: z/OS System Logger containsrecommendations and considerations for the choice of these parameters, and canbe found on the IBM Information Center.

The size of the Batch Log stream DASD data sets(STG_SIZE)

Note: This can be removed if the STG_DATACLAS value is specified.

The allocation/size of the offload data sets(LS_SIZE(13500))

A value of 13500 (the number of 4K blocks) is the default/supplied value. Formore information, the publication, System Programmer's Guide to: z/OS SystemLogger contains recommendations and considerations for the choice of this size,and can be found on the IBM Information Center.

The High level qualifier of the offload and staging data sets(HLQ or EHLQ)

20 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 25: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

The HLQ and EHLQ are mutually exclusive and only one may be used. For moreinformation, the IBM publication, System Programmer's Guide to: z/OS System Loggercontains recommendations and considerations of each potential parameter, and canbe found on the IBM Information Center.

Values which must be customized for IMS ONLINE processing include thefollowing:

DEFINE LOGSTREAM values:

The name of the log-stream(NAME(online_logstream_name))

The name of this log stream is used as input to the Online DLI Log Stream Namefield when defining log streams to the agent using the Guardium user interface.

The selection of the Staging data set classes(STG_DATACLAS, STG_MGMTCLAS, and STG_STORCLAS)

These parameters indicate the SMS classes to be used when the System loggerallocates a staging data set for the log stream. For more information, the IBMpublication, System Programmer's Guide to: z/OS System Logger containsrecommendations and considerations for the choice of these parameters, and canbe found on the IBM Information Center.

The size of the ONLINE Log stream DASD data sets(STG_SIZE)

Note: This can be removed if the STG_DATACLAS value is specified.

The selection of offload data set classes(LS_DATACLAS, LS_MGMTCLAS, and LS_STORCLAS)

These parameters indicate the SMS classes to be used when the System loggerallocates an offload data set for the log stream. For more information, thepublication, System Programmer's Guide to: z/OS System Logger containsrecommendations and considerations for the choice of these parameters, and canbe found on the IBM Information Center.

The allocation/size of the offload data sets(LS_SIZE(13500))

A value of 13500 (the number of 4K blocks) is the default/supplied value. Formore information, the publication, System Programmer's Guide to: z/OS SystemLogger contains recommendations and considerations for the choice of this size,and can be found on the IBM Information Center.

The High level qualifier of the offload and staging data sets(HLQ or EHLQ)

The HLQ and EHLQ are mutually exclusive and only one may be used. Otherparameters found in the batch structure and online log stream definition mighthave a do not change comment. These parameters contain the recommendedvalues and should not be altered without careful consideration of the impact ofchanges to log stream performance and data integrity. For more information, thepublication, System Programmer's Guide to: z/OS System Logger containsrecommendations and considerations of each potential parameter, and can befound on the IBM Information Center.

Chapter 5. Configuration overview 21

Page 26: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

22 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 27: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Chapter 6. Configuring the InfoSphere Guardium S-TAP forIMS agent

This section describes the information necessary for configuring the agent.

The agent has a primary agent address space that runs as a started task(AUIASTC) and multiple secondary address spaces (AUIFSTC, the SMF collector,AUILSTC, the IMS log collector, AUIUSTC, the common storage utility) that areautomatically started and stopped by the primary address space.

The agent primary address space reads the configuration file specified by theAUICONFG DD statement in the AUIASTC JCL, and passes the appropriateconfiguration information to the associated AUIFSTC and AUILSTC tasks. TheAUIUSTC JCL requires the same configuration file to be specified as was specifiedfor the AUIASTC task. Use the AUICONFG DD statement to specify theconfiguration file.

The SAUISAMP member AUICONFG provides a sample configuration that can beused by the agent's primary address space started task.

Refer to the following instructions about the AUICONFG data set or theinstructions in the data sets to complete the next steps.

Note:

v The data set must be edited using the EBCDIC encoding (1047 CCSID).v It is recommended that you make a copy of the AUICONFG from SAUISAMP

and customize it for use by a given agent.

Customize the agent using agent parameter keywordsUse agent parameter keywords to customize the agent. The agent configuration fileprovides the parameters that can be customized. The parameters that do not havea default value must be specified before you start the agent started task.

How to use the agent parametersv Use the AUICONFG DD statement to reference these parameters with the agent

JCL (AUIASTC) and Memory Management secondary address space JCL(AUIUSTC).

v The AUICONFG DD can be used in other agent secondary address space JCLs(AUIFSTC and AUILSTC).

v Define the data set (DSORG=PS) or data set member (DSORG=PDS|PDS/E) thatcontains these parameters as RECFM=FB LREL=80.

v Specify only one keyword and parameter per line.v An asterisk (*) or hypen (-) in column one indicates that the line is a comment.v Characters in column 72 and beyond are ignored.

Required parameters

The following parameters must be manually configured:v APPLIANCE_SERVER

23

Page 28: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

v LOG_STREAM_DLIBv LOG_STREAM_DLIOv REPOSITORYv SMF_DSN_MASKv SMF_SPILL_FILE

All available agent parameters

ADS_SHM_IDRequired: No

Default: None

Description: This keyword is optional when only one agent exists in asysplex environment. If more than one agent exists, the configuration filefor each agent should have this keyword specified with a unique integerwith a value of 100000 - 999999 specified as its parameter. This keywordidentifies a shared memory segment that is specific to each agent.

Note:

v This keyword must be used in combination with ADS_LISTENER_PORT.v If you specify this keyword, you must add an //AUICONFG DD

statement to the AUIFSTRC and AUILSTC address space JCLs. This DDstatement should point to the same data set and member as the agentAUIASTC and AUIUSTC JCLs to enable communication between allparticipating address spaces.

Syntax: ADS_SHM_ID(Shared_Memory_label)

Example: ADS_SHM_ID(100010)

ADS_LISTENER_PORTRequired: No

Default: 39987

Description: This keyword is optional when only one agent exists in asysplex environment. If more than one agent exists, the configuration filefor each agent should have this keyword specified with a unique portnumber specified. This keyword identifies an agent-specificcommunications port between the agent (AUIASTC) and the agentsecondary address spaces (AUIFSTC, AUILSTC). Valid port numbers are 1- 65535. Check with your network administrator for a list of ports availablefor this use.

Note:

v This keyword must be used in combination with ADS_SHM_ID.v If you specify this keyword, you must add an //AUICONFG DD

statement to the AUIFSTRC and AUILSTC address space JCLs. This DDstatement should point to the same data set and member as the agentAUIASTC and AUIUSTC JCLs to enable communication between allparticipating address spaces.

Syntax: ADS_LISTENER_PORT(port_number)

Example: ADS_LISTENER_PORT(16055)

APPLIANCE_SERVERRequired: Yes

24 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 29: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Default: None

Description: The host name or IP address (in dotted decimal notation, forexample: 1.2.3.4) of the Guardium System to which the agent (AUIASTC)should connect.

Note: This parameter must be correctly configured to enable a connectionto the Guardium system. This value can contain up to 128 characters.

Syntax: APPLIANCE_SERVER(hostname|IP_address)

Example: APPLIANCE_SERVER(192.168.2.205)

APPLIANCE_SERVER _FAILOVER_[1-5]Required: No

Default: None

Description: The host name or IP address (in dotted decimal notation, forexample: 1.2.3.4) of the Guardium system for the InfoSphere GuardiumS-TAP for IMS agent to use if the primary system (APPLIANCE_SERVER)is not available. This value can contain up to 128 characters. The agentattempts to connect to subsequent Guardium system beginning withAPPLIANCE_SERVER_FAILOVER_1, and ending withAPPLIANCE_SERVER_FAILOVER_5.

Note:

v The use of this keyword does not eliminate the need for theAPPLIANCE_SERVER keyword.

v This parameter must be correctly configured to enable a connection tothe Guardium system.

Syntax: APPLIANCE_SERVER_FAILOVER_1(hostname|IP_address)

Example: APPLIANCE_SERVER_FAILOVER_1(192.168.2.205)

APPLIANCE_PORTRequired: No

Default: 16022

Valid ports: 16022 and 16023

Description: The IP port number of the Guardium system to which theInfoSphere Guardium S-TAP for IMS agent should connect. This parametermust be correctly configured to enable a connection to the Guardiumsystem. If port 16023 is used, encryption support is required for theconnection to the appliance.

Note: Specifying this keyword and parameter designates the port onwhich the InfoSphere Guardium appliance is listening to the S-TAP. Theport is dedicated to the IP address of the appliance. Port 16022 or 16023can also be in use on z/OS by another application.

Syntax: APPLIANCE_PORT(port_number)

Example: APPLIANCE_PORT(16022)

APPLIANCE_PING_RATERequired: No

Default: 5

Chapter 6. Configuring the InfoSphere Guardium S-TAP for IMS agent 25

Page 30: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Description: Specifies the interval time between accesses to the Guardiumsystem to prevent timeout disconnections during idle periods. The value isin number of seconds.

Syntax: APPLIANCE_PING_RATE(ping_interval)

Example: APPLIANCE_PING_RATE(5)

APPLIANCE_NETWORK_REQUEST_TIMEOUTRequired: No

Default: 500

Description: Specifies a value in milliseconds of time to wait for thecompletion of a network communication request to send or receive. Avalue of 0 results in no timeout period. Range: 0 or 500 - 12000.

Syntax: APPLIANCE_NETWORK_REQUEST_TIMEOUT(milliseconds)

Example: APPLIANCE_NETWORK_REQUEST_TIMEOUT(500)

AUIU_EXCLUDE_LPARRequired: No

Default: None

Description: Specifies a list of LPAR names (one to eight characters) in aSYSPLEX environment where the Common Storage Management Utility(AUIUSTC) should not be scheduled.

Note: Use this keyword with caution. DLI calls run on the excludedLPARS are not audited.

Syntax: AUIU_EXCLUDE_LPAR (list_of_lpars)

Example: AUIU_EXCLUDE_LPARS(RS21,MYLPAR,YOURLPAR)

AUIU_PROC_NAMERequired: No

Default: AUIUSTC

Description: Specifies the PROCLIB member name that contains theCommon Storage Management Utility JCL. This JCL is supplied as membername AUIUSTC in the sample library (AUISAMP). If multiple agents areused within a sysplex, each agent requires a separate JCL for eachAUIUSTC address space.

Syntax: AUIU_PROC_NAME(auiu_mbr_name)

Example: AUIU_PROC_NAME(AUIUV91)

IMSL_AUDIT_LEVELSRequired: No

Default: ALL

Description: Specifies the events to be audited from those are found usingthe IMS Archive Log task (AUILSTC) for each IMS instance under controlof this agent. A specification other than ALL limits auditing to the eventsyou specify. For instance, if USERS is specified, then all audited IMSinstances under the agent report USER signons and signoffs. If you specifyALL, further limitations on what is audited can be made for each auditedIMS subsystem, using the Guardium system user interface.

26 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 31: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Table 2. IMSL_AUDIT_LEVELS audit parameters and events.

Parameter Audited event

ALL All events are audited (default)

CTL_STRT IMS control region stops and starts

USERS User signon and signoff

DBOPN Database opens and closes

DBD_PSB DBDDUMP, DBD/PSB START/STOP/LOCK/UNLOCK

Syntax:IMSL_AUDIT_LEVELS(ALL|CTL_STRT|USERS|DBOPN|DBD_PSB)

Example: IMSL_AUDIT_LEVELS(ALL)

IMSL_CYCLE_INTERVALRequired: No

Default: 15

Description: Specifies the frequency (in minutes) that the IMS Archive Logtask (AUILSTC) checks the RECON data sets for new IMS SLDS (SystemLog Data Sets) to process. This value should correspond to the frequencyat which IMS generates SLDS data sets during a normal workload. Forexample, if IMS SLDS are produced every 20 minutes, theIMSL_CYCLE_INTERVAL should be set to 20. A value of 0 (zero) can bespecified to instruct the agent not start the AUILSTC task for any IMSsubsystem that the agent controls. Valid parameters are 0 – 1440.

Syntax: IMSL_CYCLE_INTERVAL(time_in_minutes)

Example: IMSL_CYCLE_INTERVAL(45)

IMSL_PROC_NAMERequired: No

Default: AUILSTC

Description: Specifies the PROCLIB member name that contains the IMSArchive Log JCL. This JCL is supplied as member name AUILSTC in thesample library (AUISAMP). If multiple agents are used within a sysplex,each agent requires a separate JCL for each AUILSTC address space.

Syntax: IMSL_PROC_NAME (auil_mbr_name)

Example: IMSL_PROC_NAME(AUILV91)

LOG_PORT_SCAN_STARTRequired: No

Default: 41500

Description: Specifies the first communications port number to be checkedfor availability to be used for internal message logging communications.Use this keyword if environmental conditions dictate that a sequential scanand test of ports from port numbers 41500 - 65535 should not beperformed. You can override the starting port with a port of your choice.This keyword and parameter can be used with theLOG_PORT_SCAN_COUNT keyword to limit the ports that are scanned toa specific range.

Syntax: LOG_PORT_SCAN_START (port_number)

Chapter 6. Configuring the InfoSphere Guardium S-TAP for IMS agent 27

Page 32: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Example: LOG_PORT_SCAN_START(41500)

LOG_PORT_SCAN_COUNTRequired: No

Default: 10

Description: This keyword can be used in conjunction with theLOG_PORT_SCAN_START keyword to limit number of the ports that arescanned and tested for availability. The integer specified (1 – 65534)represents the number of ports that should be scanned. If the port numberspecified by the LOG_PORT_SCAN_START value plus theLOG_PORT_SCAN_COUNT value exceeds 65535, the scan terminates atport 65535.

Syntax: LOG_PORT_SCAN_COUNT (number_of_ports)

Example: LOG_PORT_SCAN_COUNT(1000)

LOG_STREAM_DLIBRequired: Yes

Default: None

Description: This required keyword is used to specify the z/OS SystemLogger log stream to stream audited events from DLI DBB batch jobs. Thevalue should be the batch_logstream_name value specified as the DEFINELOGSTREAM NAME parameter of the AUILSTR2 or AUILSTR3 JCLs.

Syntax: LOG_STREAM_DLIB(log_stream_name)

Example: LOG_STREAM_DLIB(AUI_BATCH_LOG_STREAM)

LOG_STREAM_DLIORequired: Yes

Default: None

Description: This required keyword is used to specify the z/OS SystemLogger log stream to be used to stream audited events from IMS ControlRegions. The value should be the “online_logstream_name” value specifiedas the “DEFINE LOGSTREAM NAME” parameter of the AUILSTR2 orAUILSTR3 JCLs.

Syntax: LOG_STREAM_DLIO(log_stream_name)

Example: LOG_STREAM_DLIO(AUI_ONLINE_LOG_STREAM)

LOOPBACK_ADDRESSRequired: No

Default: LOCALHOST

Description: Specifies the loopback host or IP address that is used forcommunications between the agent and the agent secondary addressspaces. For most network configurations, the default value ofLOCALHOST can be used. If LOCALHOST cannot be resolved on yoursystem, consult your network specialist for the correct loopback mnemonicor IP address to be used.

Syntax: LOOPBACK_ADDRESS(hostname|IP_address)

Example: LOOPBACK_ADDRESS(LOOPBACK)

LPAR_MONITOR_INTERVALRequired: No

28 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 33: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Default: 5

Description: Specifies the frequency (in minutes) for the agent to request alist of LPARs that are active within the SYSPLEX. Schedule the CommonStorage Management Utility (AUIUSTC) tasks on any LPAR coming onlineto the SYSPLEX. Valid parameters are integers between 1 and 60.

Syntax: LPAR_MONITOR_INTERVAL(minutes)

Example: LPAR_MONITOR_INTERVAL(5)

MESSAGE_LOG_LEVELRequired: No

Default: I

Description: Controls the amount of output log information that isgenerated by the agent.

Table 3. Message severity codes and descriptions.

Message severitycode Description

I Includes all log messages

W Includes all log messages with a warning severity or higher

E Includes all log messages with an error severity or higher

O Instructs the agent not to log error messages

S Includes all log messages with a severe error code

Syntax: MESSAGE_LOG_LEVEL(I|W|E|O|S)

Example: MESSAGE_LOG_LEVEL(I)

OUTAGE_SPILL_AREA_SIZERequired: No

Default: 0

Description: Determines the maximum amount of memory in megabytesto be allocated for the retention of audit data in the event of a Guardiumsystem connection outage. A value of 0, or the absence of this keyword,disables spill area support. The maximum value permitted as a parameteris 1024.

Syntax: OUTAGE_SPILL_AREA_SIZE(memory_size)

Example: OUTAGE_SPILL_AREA_SIZE(15)

POLICY_READ_INTERVALRequired: No

Default: 5

Description: Determines the frequency in seconds that the connection tothe Guardium system checks for changes to the installed policies that areused to determine audited event collection.

Syntax: POLICY_READ_INTERVAL(time_in_seconds)

Example: POLICY_READ_INTERVAL(5)

REPOSITORYRequired: Yes

Default: None

Chapter 6. Configuring the InfoSphere Guardium S-TAP for IMS agent 29

Page 34: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Description: Points to the VSAM repository data set required by theproduct. This data set can be allocated using the AUISJ001 member of thesample data set. Only one repository should be used for all agents withinone SYSPLEX.

Syntax: REPOSITORY(vsam_repository_dsn)

Example: REPOSITORY(AUI.V910.REPOSITORY)

SMF_AUDIT_LEVELSRequired: No

Default: ALL

Description: Specifies which events to audit of those found using the SMFtask (AUIFSTC). A specification other than ALL limits the events to beaudited to the events you specify. For example, if DELETE is specified,then all audited IMS instances under the agent would only be capable ofreporting data set delete events. If ALL is specified, you can further limitswhat is audited for each audited IMS subsystem, using the Guardiumsystem interface.

Table 4. SMF_AUDIT_LEVELS audit parameters and events

Parameter Audited event

ALL All events are audited (default)

UPDATE Data sets opened with UPDATE access

DELETE Data sets deleted

READ Data sets opened with READ access

CREATE Data sets created

ALTER Data sets opened with ALTER access

RACF RACF violations on data sets

Syntax:SMF_AUDIT_LEVELS(ALL|UPDATE|DELETE|READ|CREATE|ALTER|RACF)

Example: SMF_AUDIT_LEVELS(ALL)

SMF_CYCLE_INTERVALRequired: No

Default: 300

Description: Specifies the frequency (in minutes) that the SMF task(AUIFSTC) checks the z/OS catalog for new data sets, which meet thespecified data set masks, using the SMF_DSN_MASK keyword. This valueshould correspond to the frequency at which your z/OS system swapsSMF logging VSAM files (sometimes known as SMF MANX|MANY)during a normal workday. For example, if the SMF logging files areswapped every 8 hours, the SMF_CYCLE_INTERVAL should be set to 480(8 hours * 60 minutes). A value of zero can be specified to indicate that theagent should not start the AUIFSTC task and SMF auditing should not beperformed. Valid parameters are 0 – 1440.

Syntax: SMF_CYCLE_INTERVAL(time_in_minutes)

Example: SMF_CYCLE_INTERVAL(45)

SMF_DSN_MASK_[1-10]Required: Yes

30 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 35: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Default: None

Description: At least one instance of this keyword is required(SMF_DSN_MASK_1). This keyword provides a data set mask used toquery the z/OS catalog for sequential format data sets containing SMFdata offloaded from the SMF log-files (MANX|MANY) using theIFASMFDP program. These sequential files can be the original files createdwhen offloading the MANX|MANY files, or a copy of these sequentialfiles created by customizing and running AUISMFDF and AUISMFDP jobslocated in the product sample data set. In most environments, only oneSMF_DSN_MASK would be specified, but up to 10 are allowed.

Table 5. Masking character rules

Character Rule

% Indicates that only one alphanumeric or national character can occupy thatposition

%%% Indicates that more than one character can be substituted, with the number ofsubstitution characters being equal to the number of percent signs specified.

Example 1: specifying a GDG data set in the mask: If the AUISMFDP jobhas been customized to produce a GDG data set as the SORTOUT DDoutput data sets, you can choose to specify the fully qualified GDG basename in the mask for system name field. For example, A.B.C. InfoSphereGuardium S-TAP for IMS uses catalog services to determine the names ofall cataloged GDG entries under this name, for example:v A.B.C.G0001V00v A.B.C.G0002V00v A.B.C.G0003V00

Example 2: specifying a data set name explicitly: Provide the generationand version values as a mask. For example, A.B.C.G%%%%V%%.InfoSphere Guardium S-TAP for IMS uses catalog services to determine thenames of all cataloged data sets that match this mask, for example:v A.B.C.G0021V00v A.B.C.G0022V00v A.B.C.G0023V00

Example 3: specifying a DSN using a DATE/TIME naming convention: Ifyou have customized the AUISMFDP job to produce a data set name thatcontains date and time values as qualifiers within the data set name as theSORTOUT DD output data sets, you can specify the data set name using astring of percent signs within the date and time qualifier names. Forexample: HLQ.D%%%%%%.T%%%%%%.SMFDATA. InfoSphere GuardiumS-TAP for IMS uses catalog services to determine the names of allcataloged data sets matching the mask, for example:v HLQ.D091122.T131000.SMFDATAv HLQ.D091123.T131100.SMFDATAv HLQ.D091124.T131200.SMFDATA

Note: The percent (%) wildcard character should only be specified for thenumeric characters of the generation and version node of GDG data sets,or as the numeric characters of date or time nodes of the SMF dataset.

Syntax: SMF_DSN_MASK_1(SMF.DUMP.DSN)

Chapter 6. Configuring the InfoSphere Guardium S-TAP for IMS agent 31

Page 36: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Example:SMF_DSN_MASK_1(AUI.SMF.DUMP.COPY)SMF_DSN_MASK_2(AUI.SMF.DUMP.GDG.G%%%%V%%)SMF_DSN_MASK_3(AUI.SMF.D%%%%%%.T%%%%%%.COPY)

SMF_EVENT_EXPIRYRequired: No

Default: 5

Description: Specifies the number of days that incomplete SMF eventsshould be retained in the SMF spill file. Incomplete SMF events are auditedevents that have not yet received the associated SMF Type 30 record, whichindicates that the step/job is complete, and contains information that isneeded to complete the reporting of the event. When an event exceeds theexpiration date, it is flagged as incomplete, sent to the Guardium system,and removed from the SMF spill file. The valid range is 1 to 180 days.

Syntax: SMF_EVENT_EXPIRY(days)

Example: SMF_EVENT_EXPIRY(5)

SMF_PROC_NAMERequired: No

Default: AUIFSTC

Description: Specifies the PROCLIB member name that contains the SMFsecondary address space JCL. This JCL is supplied as member nameAUIFSTC in the sample library (AUISAMP). If multiple agents are usedwithin a sysplex, each agent requires a separate JCL for each AUIFSTCaddress space.

Syntax: SMF_PROC_NAME(auif_mbr_name)\

Example: SMF_PROC_NAME(AUIFV91)

SMF_SELF_AUDITRequired: No

Default: N

Description: Indicates whether to audit the accesses of IMS data sets thatare used by the product to determine the names of IMS artifacts to beaudited. Examples of IMS data sets that can be accessed include RECONdata sets and IMS archived logs (SLDS). The NO (N) parameter indicatesthat these accesses should not be audited. A value of Y (YES) indicates thatthese data sets should be considered for auditing.

Syntax: SMF_SELF_AUDIT(N|Y)

Example: SMF_SELF_AUDIT(N)

SMF_SPILL_FILERequired: Yes

Default: None

Description: Specifies the DSN of a sequential format fixed block data setwith a LRECL of 300. This data set is used to store incomplete auditedSMF events. Incomplete audited SMF events are events triggered by SMFrecords that have yet to encounter an SMF Type 30 record, indicating thestep or job has completed. The AUIFUSPL member of the SAUISAMP dataset provides an example of the allocation specifications for this data set.

32 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 37: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Syntax: SMF_SPILL_FILE(dsn)

Example: SMF_SPILL_FILE(AUI.V910.SPILL)

TCPIP_BUFFER_SIZERequired: No

Default: 32768

Description: Specifies the size of an internal buffer that is used to holdaudited events in preparation of the TCP/IP send to the Guardium system,and specifies the size of the TCP/IP buffer. In most environments, the sizeof this buffer should not be changed

Syntax: TCPIP_BUFFER_SIZE(buffer_size)

Example: TCPIP_BUFFER_SIZE(32768)

WTO_MSGRequired: No

Default: None

Description: Allows a user to request that specific informational, warning,or error messages written to the AUILOG DD statement of the agent(AUIASTC) or agent secondary address spaces (AUIFSTC, AUILSTC orAUIUSTC) also be written to the Operator Console (WTO). This enablesthese messages to be recognized by an automated operations tool, orprovides higher operator visibility for these messages and allowsappropriate action to be taken. Each message requires a separate keyword,and each keyword must be specified on a separate line.

Syntax: WTO_MSG(msgnumber)

Example:WTO_MSG(AUIJ011I)WTO_MSG(AUIL607W)WTO_MSG(AUIY006E)

ZIIP_AGENT_DLIRequired: No

Default: N

Description: Indicates that the following agent processes should be zIIPcapable: agent reads of audited events from the z/OS System Logger logstreams, formatting of these events into protobuf style messages, andsending of these messages to the Guardium system using TCP/IP.

Note: Use of the zIIP depends on the presence of a zIIP on the LPARwhere the agent is running, as well as use of the Workload ManagementService Policies. For more information about zIIP, see the topic onCustomizing IMS to use a System z Integrated Information Processor(zIIP).

Syntax: ZIIP_AGENT_DLI(Y|N)

Example: ZIIP_AGENT_DLI(Y)Related reference:

Chapter 6. Configuring the InfoSphere Guardium S-TAP for IMS agent 33

Page 38: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

“Customizing IMS to use a System z Integrated Information Processor (zIIP)” onpage 39IBM InfoSphere Guardium S-TAP for IMS on z/OS allows you to configure an IMScontrol region to prepare specific auditing functions for execution on a System zIntegrated Information Processor (zIIP). Execution on a zIIP is governed by theWorkload Management software on your appliance, as well as the workloadalready assigned to the zIIP.

Agent configurationThe IP addresses of the Guardium system appliances are specified using theSAUISAMP data set AUICONFG member using the APPLIANCE_SERVER andAPPLIANCE_SERVER_FAILOVER_[1-5] keywords.

See “Providing Guardium system failover” on page 49 for more information.

Customizing the agent JCLThe SAUISAMP member AUIASTC provides a sample JCL that can be used for theagent started task. The JCL can be customized as follows:

Procedure1. Edit SAUISAMP members AUIASTC, AUIFSTC, AUILSTC and AUIUSTC by

running the ISPF edit macro. See “Planning your configuration andcustomizing your environment” on page 13 for more details.

2. Modify the CFG=AUI.V900.AGTCFG(AUICONFG) in AUIASTC to specify thelocation of the customized configuration data set for the agent created in theprevious section.

3. Optional: You can rename the AUIASTC member to any character name that isvalid for started tasks in your environment.

4. Optional: You can rename the AUIFSTC, AUILSTC, and AUIUSTC. AUIFSTC,AUILSTC, and AUIUSTC names should match the values of theIMSL_PROC_NAME, SMF_PROC_NAME, and AUIU_PROC_NAME keywordsthat you supply in the configuration file.

5. Copy the AUIASTC, AUIFSTC, AUILSTC and AUIUSTC members to thePROCLIB for the site. Contact the z/OS systems programmer to determine thelocation of the PROCLIB.

Note: APF authorization of the AUILOAD file is required for each of thesemembers before they are started.

Starting and stopping the agentThe agent can be started using the command /S AUIASTC from the SDSF commandline. The primary agent address space starts the AUIFSTC address spaces. One ormore instances of AUILSTC might also be started, depending on the list of activecollections.

The agent can be stopped by issuing the command /STOP AUIASTC, or /MODIFYAUIASTC,STOP, from the SDSF command line. The primary agent address space thenstops all the secondary address spaces that are online, and shuts down. Dependingon the load, and the activity in the other secondary address spaces, the shut down

34 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 39: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

process can take time. Monitor the AUILOG DD of the primary address spaceAUIASTC for informational messages on the status of the secondary addressspaces.

Agent security considerationsThe user ID of the agent started tasks (the primary and the secondary startedtasks) should have the proper RACF profiles to read the control file contents, andto read and update the VSAM repository.

Important: Contact your system administrator to ensure that localhost isresolving to 127.0.0.1 (loopback address). The TCP/IP communication between theagent and the secondary address spaces relies on this resolution. If this is notpossible at your site, use the loop-back-address element in the AUICONFG samplibmember to avoid localhost resolution by specifying the loopback IP addressdirectly, or by specifying an appropriate host name that resolves to the loopbackaddress.Related reference:“Setting up the VSAM repository” on page 15InfoSphere Guardium S-TAP for IMS uses a VSAM KSDS data set to store productconfiguration details and collection profile information across all LPARS of aSYSPLEX environment.

Chapter 6. Configuring the InfoSphere Guardium S-TAP for IMS agent 35

Page 40: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

36 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 41: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Chapter 7. Setting up an IMS environment for auditing

This section describes how to customize IMS environments to capture DLI calls,including customizing IMS catalogued procedures, coexisting with otherDFSFLGX0 and DFSISVI0 exit routines, customizing IMS to use a zIIP, copyingcommon load modules from SAUILOAD to SAUIIMOD, and the securityconsiderations related to IMS processing.

Customizing IMS environments to capture DLI callsFor InfoSphere Guardium S-TAP for IMS to report on IMS database accesses, itneeds to be sensitive to IMS DL/I calls. Use the following sections to establishproper set up of the relationship between your IMS online and batch environmentsand InfoSphere Guardium S-TAP for IMS.

Note: The InfoSphere Guardium S-TAP for IMS programs used to communicatewith your IMS environments are found in the SAUIIMOD data set created duringproduct installation.

Customizing IMS cataloged proceduresFor InfoSphere Guardium S-TAP for IMS to monitor DL/I calls from IMS onlineTransactions, BMPs and DLI/DBB batch jobs, the IMS Control region andDLI/DBB batch jobs require access to these InfoSphere Guardium S-TAP for IMSprograms.

The InfoSphere Guardium S-TAP for IMS programs that must be accessed reside inthe SAUIIMOD installation data set. The preferred method of installing InfoSphereGuardium S-TAP for IMS into your IMS environment is to copy the entire contentsof the SAUIIMOD data set into your IMS RESLIB (IMS.SDFSRESL) data set.

If copying InfoSphere Guardium S-TAP for IMS programs into your IMS RESLIB isnot possible, then the SAUIIMOD data set must be included in your IMS controlregion JCL as the first data set of the STEPLIB DD concatenation. The SAUIIMODdata set must also be included as the first data set of the STEPLIB DDconcatenation of the DLI batch cataloged procedure (DLIBATCH member of theIMS PROCLIB data set) and the DBB batch cataloged procedure (DBBBATCHmember of the IMS PROCLIB data set).

Note:

v If the SAUIIMOD data set is included in any JCL, you must ensure that it isAPF-authorized.

v InfoSphere Guardium S-TAP for IMS provides and uses the DFSFLGX0 andDFSISIV0 IMS exits to establish communication with IMS services, however nocustomization of these exits is required.

37

Page 42: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Coexisting with other DFSFLGX0 and DFSISVI0 exit routinesInfoSphere Guardium S-TAP for IMS provides product-specific DFSFLGX0 (IMSLogger) and DFSISVI0 (IMS Batch) exits to enable the product to report on IMSDL/I call activity. In some IMS environments, user requirements or third-partyvendor products also require the use of these exits. InfoSphere Guardium S-TAPfor IMS can accommodate the use of multiple DFSFLGX0 and DFSISVI0 exitroutines.

Using IMS Tools Generic Exits

IMS Tools Generic Exits are a collection of components that provide commoncommand and exit routine interfaces to support the operation of IMS tools in anIMS environment.

InfoSphere Guardium S-TAP for IMS supports the protocols used by the IMS ToolsGeneric Exit product. You can define the InfoSphere Guardium S-TAP for IMS copyof the DFSFLGX0 exit by either supplying IMS with a PROCLIB member using aBPE-style control statement, or by building a load module that contains therequired information.

An example of the PROCLIB control statement follows:EXITDEF(TYPE(LOGR) EXITNAME(AUIFLGX0) LOADLIB(AUI.SAUIIMOD))

See the IBM IMS Tools Generic Exit Reference Manual for Generic Logger Exitsetup and usage.

Important: The IBM IMS Tools Generic Exit product does not support exitDFSISVI0.

Using InfoSphere Guardium S-TAP for IMS exit cascading

For situations where the IBM IMS Tools Generic Exit is not available for use,InfoSphere Guardium S-TAP for IMS provides a method of supporting twoinstances of the DFSFLGX0 and DFSISVI0 exits.

When loaded and run, the InfoSphere Guardium S-TAP for IMS supplied programAUIFLGX0 (DFSFLGX0) and AUIISVI0 (DFSISIV0) determines from which DSNwithin the JOBLIB/STEPLIB concatenation it was loaded from. It then searches allsubsequent DSNs within the JOBLIB/STEPLIB DD concatenation, looking for thenext occurrence of the exit with the same name.v If none are found, or it is determined that the IMS Tools Generic Exit product is

involved in executing the exit, no cascading is done.v If an exit is found, and it is determined that the exit found is in fact another

instance of the InfoSphere Guardium S-TAP for IMS exit (as could happen if theSAUIIMOD data set was specified multiple times in the JOBLIB/STEPLIBconcatenation), the search will continue with the remainder of the DSNs in theconcatenation.

v If a non-InfoSphere Guardium S-TAP for IMS Exit is found, this new exit isloaded, and called with R13 pointing to the save area supplied by IMS. A new512 byte user work area, obtained specifically for this exit instance, is thenpointed to by the SXPLAWRK field of the IMS Standard User Exit ParameterList (DFSSXPL). This 512 byte work area is obtained when the first (or INIT) callis done; the work area address (in the SXLPAWRK field) and work area contentare maintained for all subsequent calls.

38 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 43: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Exit cascading restrictions

Note: These restrictions only apply when using the exit cascading feature, and notwhen using the IBM IMS Tools Generic Exit product.The InfoSphere Guardium S-TAP for IMS Exit (AUIFLGX0 or AUIISVI0) must befirst in the JOBLIB/STEPLIB concatenation, unless the exit that exists in a priorDSN also has a method of cascading calls to other exits, and is capable ofproviding an IMS formatted area in R13 and the address of a unique, persistent512 byte work area in the SXPLAWRK parameter list field to the AUIFLGX0 orAUIISVI0 program.

In a non-APF-authorized environment, such as when executing programDFSULTR0 or an IMS DLI/DBB batch program, the exit load module to becascaded to must have an ALIAS, and the ALIAS must be appropriately eitherDFSFLGX0 or DFSISVI0, if the target exit module has the RENT or REUS attributeon.

Customizing IMS to use a System z Integrated Information Processor(zIIP)

IBM InfoSphere Guardium S-TAP for IMS on z/OS allows you to configure an IMScontrol region to prepare specific auditing functions for execution on a System zIntegrated Information Processor (zIIP). Execution on a zIIP is governed by theWorkload Management software on your appliance, as well as the workloadalready assigned to the zIIP.

To use this feature, the LPAR on which the IMS Control region executes must havea zIIP installed. The IMS Control Region should also make use of the z/OSWorkload Manager product. For more information on using z/OS WorkloadManager with the IMS Control Region, see the “Workload Manager and IMS”section of the IBM IMS System Administration manual.

The following processes can be scheduled on a zIIP:v Calling of the compiled filter to determine if the DLI event is to be audited, and

if the segment concatenated key or segment data should be sent to theGuardium appliance.

v Movement of the audited DLI calls to a storage buffer used to hold audited datauntil a write to the z/OS System Logger log-stream can be executed

v Calling of the z/OS System Logger IXGWRITE, which moves the audited datafrom the buffer to the log-stream when the buffer fills, or a flush of the buffer isscheduled

To indicate that the IMS Control region should attempt to schedule these processeson the zIIP, a //AUIZIIP DD DUMMY DD statement should be added to the IMSControl Region JCL. When detected, the audit code produces the informationalmessage AUII055I, indicating that zIIP processing will be attempted.

Warning messages AUII042W and AUII043W are issued if zIIP processing isrequested when a zIIP is not available, and when IMS is not using WorkloadManager. Error message AUII044E indicates that the request was rejected. In allinstances where the attempt to use the zIIP has failed, audit processing continueswithout attempting to execute the audit code on the zIIP.Related reference:

Chapter 7. Setting up an IMS environment for auditing 39

Page 44: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

“Customize the agent using agent parameter keywords” on page 23Use agent parameter keywords to customize the agent. The agent configuration fileprovides the parameters that can be customized. The parameters that do not havea default value must be specified before you start the agent started task.

Copying common load modules from SAUILOAD to SAUIIMODAfter the initial SMP/E installation of InfoSphere Guardium S-TAP for IMS, copycommon load modules from the SAUILOAD to SAUIIMOD data set using themodules described in this topic.

AUI$NAPModule used to trace data

Provided in the SAUILOAD data set

Also needed in the SAUIIMOD data set

AUICPMODAn SAUISMAP member

Performs a copy of the AUI$NAP module from the SAUILOAD to theSAUIIMOD data set

Should be customized and submitted after the initial SMP/E installation

Security considerations for IMS processingInfoSphere Guardium S-TAP for IMS does not impose any additional RACF orother security restrictions on IMS assets during IMS processing. However, the IMScontrol region and any DLI/DBB batch jobs being executed, must have UPDATEauthority to the z/OS system log streams you have defined for use by InfoSphereGuardium S-TAP for IMS.

40 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 45: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Chapter 8. Using agent configuration keywords to customizeauditing

Some agent configuration keywords must be used for the product to function. Youcan also use agent configuration keywords for optional auditing specifications.

Required keywords

The following keywords must be set for the product to function:

APPLIANCE_SERVERThis is the host name, or IP address, of the Guardium system to which theagent should connect.

LOG_STREAM_DLIOThis is the log stream name for online DLI calls.

LOG_STREAM_DLIBThis is the log stream name for batch DLI calls.

REPOSITORYThis is the VSAM data set name.

You can also audit accesses to database-related data sets using SMF records. Toaudit accesses to IMS data sets that occur outside of IMS services, use thefollowing keywords:

SMF_SPILL_FILEThis is the data set name.

SMF_DSN_MASK_1This is the data set mask value.

Optional keywords

To set the following optional specifications, use the keyword that is listed. Moreinformation about each specification is provided, following this list.

Using multiple SMF data set masksSMF_DSN_MASK_2 through SMF_DSN_MASK_10

Disabling SMF auditing at the agent levelSMF_CYCLE_INTERVAL(0)

Controlling the frequency of SMF z/OS catalog queriesSMF_CYCLE_INTERVAL(time in minutes)

Changing the retention period of incomplete SMF eventsSMF_EVENT_EXPIRY(number of days)

Changing the name of the SMF address space JCLSMF_PROC_NAME(new name)

Auditing IMS data set accessSMF_SELF_AUDIT(Y)

Changing the type of events audited using SMF recordsSMF_AUDIT_LEVELS(events list)

41

Page 46: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Overriding the range of ports used for address space communicationsLOG_PORT_SCAN_START(41501), LOG_PORT_SCAN_COUNT(24003)

Requesting specific agent messages to be issued to the operator consoleWTO_MSG(AUIF507E), WTO_MSG(AUIT013I)

Providing Guardium system redundancyAPPLIANCE_SERVER_FAILOVER_1 through 5(IP address or host name)

Providing a spill area for short term outagesOUTAGE_SPILL_AREA_SIZE(megabytes)

Disabling IMS SLDS auditing at the agent levelIMSL_CYCLE_INTERVAL(0)

Controlling the frequency IMS System Log Data Sets are allocated and readIMSL_CYCLE_INTERVAL(time in minutes)

Changing the name of the IMSL address space JCLIMSL_PROC_NAME(new name)

Changing the types of events audited using IMS SLDS recordsIMSL_AUDIT_LEVELS(CTL_STRT, USERS,DBOPN, DBD_PSB)

Changing the name of the Common Memory Management address space JCLAUIU_PROC_NAME(new name)

Excluding DLI calls occurring on specific LPARS from being auditedAUIU_EXCLUDE_LPAR(lpar1, lpar2...lpar9)

Running more than one agent in a SYSPLEXADS_SHM_ID(100010), ADS_LISTENER_PORT(16055)

Using the System z Integrated Information Processor (zIIP)ZIIP_AGENT_DLI

Specifying multiple SMF data set masksYou can use the SMF_DSN_MASK keyword to specify up to nine SMF data setmasks.

Specifying multiple SMF data set masks

The naming conventions of some environments prohibit the use of aSMF_DSN_MASK_1 value, which allows all required data sets to be read. To auditaccesses to database-related data sets from multiple LPARS of your SYSPLEX, youcan specify up to nine additional data set mask values: SMF_DSN_MASK_2through SMF_DSN_MASK_10.

Disabling SMF auditing at the agent levelYou can use the SMF_CYCLE_INTERVAL keyword to disable SMF auditing at theagent level.

For any IMS systems that are audited by this agent, you can disable audit access toIMS data sets that occur outside the use of IMS services. To do so, specify thefollowing keyword with the value of zero: SMF_CYCLE_INTERVAL(0)

Specifying SMF_CYCLE_INTERVAL(0) turns off auditing process that uses SMFrecords. The agent address space (AUIASTC) will not start the SMF auditingaddress space (AUIFSTC).

42 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 47: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Controlling the frequency of SMF z/OS catalog queriesYou can change the frequency of SMF z/OS catalog queries by using theSMF_CYCLE_INTERVAL keyword to specify a value in minutes:

To determine if any new, unread data sets match the specified SMF_DSN_MASK_xvalues, the SMF processing address space (AUIFSTC) periodically performs aquery against the z/OS catalog, looking for data sets to process. By default, thisquery is performed when the AUIFSTC task is started, and repeated every 300minutes (5 hours). To change the default time value, use the keywordSMF_CYCLE_INTERVAL(time in minutes). If you specify a time value of zero, theSMF auditing feature will be disabled.

Changing the retention period of incomplete SMF eventsBy default, incomplete SMF events will be retained in your SMF spill data set for 5days. You can change this time range by specifying the SMF_EVENT_EXPIRYkeyword:

In some situations, such as a canceled job or end-of-memory events, a type 30record is not produced for a step or job. To keep these types of records from fillingyour SMF spill data set, you can set a time limit in days to determine how longincomplete SMF records are retained. The default value is 5 days and can bechanged by specifying the SMF_EVENT_EXPIRY keyword to indicate the numberof days of your choice: SMF_EVENT_EXPIRY(number of days).

Changing the name of the SMF address space JCLTo change the name of the AUIFSTC JCL member name, use theSMF_PROC_NAME keyword to change AUIFSTC to a name of your choice:

AUIFSTC is the name of the JCL that provides auditing of data set accesses usingSMF records. AUIFSTC is provided in the product installation sample data set(SAUISAMP). If the name AUIFSTC conflicts with your site's naming conventionstandards, or if more than one agent is being used, you can change the name ofthis JCL. Use the SMF_PROC_NAME keyword to change the member name fromAUIFSTC to a name of your choice: SMF_PROC_NAME(new name).

Ensure that this JCL resides in a procedure data set (PROCLIB) that allows thez/OS START command S taskname to be used.

Auditing IMS data set accessTo obtain a report of IMS artifact access, use the SMF_SELF_AUDIT keyword.

InfoSphere Guardium S-TAP for IMS reads the IMS RECON data sets and systemlog data sets produced by IMS (SLDS) to obtain IMS environment information,such as IMS artifact names. IMS artifact names determine the databases and datasets that are used to create audit information.

By default, InfoSphere Guardium S-TAP for IMS does not report accesses of IMSartifacts. To obtain a report of these accesses, specify a value of Y using theSMF_SELF_AUDIT keyword: SMF_SELF_AUDIT(Y).

Chapter 8. Using agent configuration keywords 43

Page 48: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Changing the types of events that are audited using SMF recordsUse the SMF_AUDIT_LEVELS keyword to indicate a list of events to be audited,instead of collecting all event types.

When auditing using SMF records is enabled, the default action is to provideauditing for all of the following accesses to data sets:v Open events with READ accessv Open events with UPDATE/WRITE accessv Open events with ALTER accessv Data set DELETE eventsv Data set CREATE eventsv Access denied (RACF violation)

To specify some and not all of these events for auditing, use theSMF_AUDIT_LEVELS keyword with a list of events to be audited:SMF_AUDIT_LEVELS (READ,UPDATE,DELETE,CREATE,ALTER,RACF)

Remember: This keyword affects the SMF auditing level for all IMS subsystemscontrolled by this agent. If you do not include READ accesses in theSMF_AUDIT_LEVELS parameter, then no READ accesses will be reported for anyof the IMS environments that are audited using the agent.

Overriding the range of ports used for communication betweenaddress spaces

You can set the available port scan starting point and limit the number of ports tocheck for availability.

InfoSphere Guardium S-TAP for IMS uses a communications port to pass messagesbetween threads within each address space. The default port is 41500. If theaddress space determines that port 41500 is not available for use, all subsequentports up to 65535 are examined, and the first available port is used.

Some installations have restrictions on which ports should be examined and used.Use the LOG_PORT_SCAN _START and LOG_PORT_SCAN_COUNT keywords toset the available port scan starting point and limit the number of ports to bechecked for availability:v LOG_PORT_SCAN_START(41501)v LOG_PORT_SCAN_COUNT(24003)

The sum of the value of the SCAN_START port number plus the SCAN_COUNTshould not exceed 65535.

Specifying agent messages to issue to the operator consoleYou can use the WTO_MSG keyword to specify the messages to issue to theoperator console.

InfoSphere Guardium S-TAP for IMS allows you to specify informational, warning,or error messages to be written to the operator console. This allows an automatedoperations product to take some predefined action or provide a higher level ofoperator visibility to these messages. You can use the WTO_MSG to specify whichmessages should be write-to-operated.

44 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 49: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

v WTO_MSG(AUIF507E)v WTO_MSG(AUIT013I)

You can specify one message ID per WTO_MSG instance. Messages originatingfrom the AUIASTC, AUIFSTC, AUILSTC, and AUIUSTC address spaces aresupported.

Creating a spill area for short-term outagesUse the OUTAGE_SPILL_AREA_SIZE keyword and parameter to indicate the sizein megabytes to allocate for the spill area.

Short-term communication outages between the agent address spaces and theGuardium System can be handled by using a z/OS data space spill area. Use ofthe spill area can prevent the loss of audited data by allowing the z/OS agent tosave audited data until the connection to the Guardium system is restored. Therestoration of the communications link results in the flushing of the data spacecontents to the Guardium system.

Use the OUTAGE_SPILL_AREA_SIZE keyword and parameter to indicate the sizein megabytes to allocate for the spill area: OUTAGE_SPILL_AREA_SIZE(megabytes).If you specify zero or omit this keyword, the spill area will not be allocated orused. The maximum value you can specify is 1024 MB.

Disabling IMS SLDS auditing at the agent levelYou can turn off the auditing process that uses IMS SLDS records by specifying theIMSL_CYCLE_INTERVAL keyword with a value of zero.

For any IMS systems to be audited by this agent, you can disable audit events thatare determined by reading IMS System Log Data Sets (SLDS). To disable theauditing process that uses IMS SLDS records, specify the following keyword withthe value of zero: IMSL_CYCLE_INTERVAL(0). The agent address space(AUIASTC) will not start the IMS SLDS auditing address space (AUILSTC).

Controlling the frequency with which IMS System Log Data Sets areallocated and read

You can specify the frequency of IMS RECON data set queries by specifying theIMSL_CYCLE_INTERVAL keyword.

For the product to determine if any new, unread IMS System Log Data Sets LDSdata sets have been created by the IMS Online system, the IMSL processingaddress space (AUILSTC) periodically performs a query against the IMS RECONdata sets, looking for new SLDS. This query is performed when the AUILSTC taskis started, and then by default, every 15 minutes. The frequency can be changed byproviding a value in minutes by using the IMSL_CYCLE_INTERVAL keyword:IMSL_CYCLE_INTERVAL(time in minutes)

A value of zero will cause the IMS SLDS auditing feature to be disabled.

Changing the name of the IMSL address space JCLTo change the JCL member name AUILSTC, use the IMSL_PROC_NAME keyword.

Chapter 8. Using agent configuration keywords 45

Page 50: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUILSTC is the name of the JCL that is used to audit data sets using IMS SLDSrecords. AUILSTC is provided in the product installation sample data set(SAUISAMP). If this name conflicts with your site's naming convention standards,or if more than one agent is being used, you can change the name of this JCL.

Use the IMSL_PROC_NAME keyword to change the member name fromAUILFSTC to a name of your choice: IMSL_PROC_NAME(new name)

Ensure that this new JCL is in a procedure data set (PROCLIB) that allows thez/OS START command S taskname to be used.

Changing the types of events audited using IMS SLDS recordsTo audit some, instead of all event types, you can specify each event type to beaudited using the IMSL_AUDIT_LEVELS keyword.

When you enable auditing by using IMS SLDS records, the default is to provideauditing for all of the following event types:v IMS Online region starts and stopsv Users sign on/sign offv Database Opens and Closesv PSB|DBD start, stop, lock, unlock, and DBDDUMP

To audit only some of these events, you can specify each event type to be auditedusing the IMSL_AUDIT_LEVELS keyword: IMSL_AUDIT_LEVELS(CTL_STRT,USERS,DBOPN, DBD_PSB)

This keyword governs the IMS SLDS auditing level for all IMS subsystems that arecontrolled by this agent. For example, if user signon/signoff is not included in theIMSL_AUDIT_LEVELS parameter, then no signon or signoff events will bereported from any of the IMS environments that are audited using the agent.

Changing the name of the Common Memory Management addressspace JCL

Use the AUIU_PROC_NAME keyword to change the member name fromAUIUSTC to a name of your choice.

AUIUSTC is the name of the JCL that is used to build filtering criteria in E/CSAon all LPARS of the SYSPLEX. AUIUSTC is provided in the product installationsample data set (SAUISAMP). If this name conflicts with your site's namingconvention standards, or if more than one agent is being used, you can change thename of this JCL.

Use the AUIU_PROC_NAME keyword to change the member name fromAUIUSTC to a name of your choice: AUIU_PROC_NAME(new name).

Ensure that this JCL resides in a procedure data set (PROCLIB) that allows thez/OS START command S taskname to be used.

46 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 51: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Excluding DLI calls occurring on specific LPARS from being auditedTo stop the transmission of the AUIUSTC address spaces to all LPARs, theAUIU_EXCLUDE_LPAR keyword can be used to exclude specific LPARS from thetarget list of eligible LPARS.

By default, the InfoSphere Guardium S-TAP for IMS agent creates CommonMemory Management address spaces (AUIUSTC) on all LPAR members of aSYSPLEX. This allocates E/CSA memory, and inserts DLI call filtering criteriaacross all LPARS. A single agent monitors IMS control regions and DLI/DBB batchjobs running on any LPAR of the SYSPLEX.

If you do not want to transmit the AUIUSTC address spaces to all LPARs, theAUIU_EXCLUDE_LPAR keyword can be used to exclude specific LPARS from thetarget list of eligible LPARS: AUIU_EXCLUDE_LPAR(lpar1, lpar2...lpar9)

The LPAR where the agent is running cannot be excluded.

Running more than one agent in a SYSPLEXIf two or more IMS agents are running on one SYSPLEX, use the ADS_SHM_IDand ADS_LISTENER_PORT keywords to differentiate the shared memory segmentand port for each agent environment.

The agent address space (AUIASTC) and subordinate address spaces (AUIFSTCand AUILSTC) communicate by using a shared memory segment andcommunications port. Multiple agents require multiple unique shared memorysegments and port values to ensure correct inter-address space communications. Ifyou need to have two or more InfoSphere Guardium S-TAP for IMS agentsavailable on one SYSPLEX, the following keywords provide a method of uniquelyidentifying the shared memory segment and port for each agent environment:v ADS_SHM_ID(100010)v ADS_LISTENER_PORT(16055)

Specification of the ADS_SHM_ID and ADS_LISTENER_PORT requires theaddition of a //AUICONFG DD statement to the AUIFSTRC and AUILSTCaddress space JCLs. This DD statement should point to the same data set andmember as the AUIASTC and AUIUSTC JCLs for the agent, to ensure thatcommunications between all participant address spaces use the correct memoryobject and ports.

See “Customize the agent using agent parameter keywords” on page 23 forcomplete descriptions of all valid parameters, including the ADS_SHM_ID andADS_LISTENER_PORT keywords.

Using the System z Integrated Information Processor (zIIP)You can use the System z Integrated Information Processor (zIIP) when runningInfoSphere Guardium S-TAP for IMS code in the IMS Control region address space,and in the agent address space (AUIASTC). Use the ZIIP_AGENT_DLI keywordwith the Y parameter to cause the agent to make a zIIP-enabled enclave SRBinitialization attempt.

Chapter 8. Using agent configuration keywords 47

Page 52: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

IMS control region

The following processes are moved to the zIIP in the IMS Online Control Region,pending redirection by the operating system:v DLI call filteringv IXGWRITE of audited DLI call data to the z/OS System Logger log stream

To use a zIIP in the IMS Online Control region, add a “//AUIZIIP DD DUMMY”to the IMS control region JCL.

Agent address space

The following processes are moved to the zIIP in the agent address space(AUIASTC), pending redirection by the operating system:v IXGBROWSE read of audited data from the z/OS System Logger log streams for

both Online and Batch DLI callsv TCP/IP send of the data to the Guardium system

To use a zIIP in the agent address space, use the ZIIP_AGENT_DLI keyword withthe Y parameter to the configuration file that is pointed to by the AUICONFG DDstatement in the agent JCL (AUIASTC).

Using multiple Guardium systemsYou can configure multiple Guardium systems for automatic failover. Byconfiguring one or more backup systems, you ensure continuous auditingcapability.

Primary and secondary Guardium systems

IBM InfoSphere Guardium S-TAP for IMS on z/OS uses the concept of a singleprimary Guardium system and multiple secondary backup systems.v When a primary Guardium system goes offline, the InfoSphere Guardium S-TAP

for IMS agent automatically establishes a connection to a secondary Guardiumsystem, and the audited data is sent to the secondary system.

v When a primary Guardium system comes back online, the InfoSphere GuardiumS-TAP for IMS agent detects it, and reestablishes the connection to the primaryGuardium system and restarts, sending data to the primary system.

This allows the use of any Guardium system as a short-term backup, while alwaysattempting to use the primary system as the main data storage medium.

In the following example failover scenario, where none of the systems are online,the InfoSphere Guardium S-TAP for IMS agent attempts to connect to the primaryGuardium system at a regular interval and follows the usual failover logic if theprimary Guardium system is offline. A connection is reestablished to any of theconfigured appliances as soon as one becomes available.

Example failover scenario

Audit data flows to the primary Guardium system “A”.

The TCP/IP connection from the InfoSphere Guardium S-TAP for IMS agent to theprimary Guardium system fails.

48 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 53: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

A connection is made to the secondary Guardium system “B”.

Audit data is now flowing to the secondary Guardium system “B”.

The TCP/IP connection from the InfoSphere Guardium S-TAP for IMS agent to theprimary Guardium system is reestablished.

Audit data now flows to the primary Guardium system “A”.

InfoSphere Guardium S-TAP for IMS agent and Guardium system “B” disconnect.

Providing Guardium system failoverYou can specify up to five additional Guardium systems to be connected to theagent by using the APPLIANCE_SERVER_FAILOVER_x keyword, where x = adigit between one and five.

InfoSphere Guardium S-TAP for IMS allows the specification of up to fiveadditional Guardium systems to be connected to the agent. This feature providesfailover protection, which allows the agent to continue to send audited data to oneof a number of backup Guardium systems in the event of a communication failurewith the primary Guardium system. The use of the APPLIANCE_SERVERkeyword is mandatory with this feature, because the Guardium system that isreferenced by this keyword is the primary connection. You can specify additionalGuardium Systems by using the APPLIANCE_SERVER_FAILOVER_x keyword,where x = a digit from 1 to 5.v APPLIANCE_SERVER_FAILOVER_1(IP address 1)v APPLIANCE_SERVER_FAILOVER_2(host name 2)v APPLIANCE_SERVER_FAILOVER_3(IP address3)v APPLIANCE_SERVER_FAILOVER_4(IP address 4)v APPLIANCE_SERVER_FAILOVER_5(host name 5)

Chapter 8. Using agent configuration keywords 49

Page 54: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

50 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 55: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Chapter 9. InfoSphere Guardium S-TAP for IMS agentreference information

The InfoSphere Guardium S-TAP for IMS agent provides access to database andappliance services, in support of the product's remote clients. The agent also readsaudited DLI events placed in the z/OS System Logger log streams by the IMSOnline and DLI/DBB batch Data collectors and sends the DLI events to theGuardium system using TCP/IP connections.

Sample library membersUse the following sample library members shipped with InfoSphere GuardiumS-TAP for IMS to install and configure the product.

Table 6. Sample library members

Member Type Description

AUIASTC JCL Primary agent address space JCL

AUICONFG CONFIG Configuration file containing only the minimum requiredkeywords

AUICONFX CONFIG Configuration file containing all available keywords

AUICPMOD JCL JCL to copy utility programs from SAUILOAD to SAUIIMODdata set

AUIEMAC1 MACRO Edit macro to facilitate changes to other sample librarymembers

AUIFSTC JCL SMF data collection address space JCL

AUIFUSPL JCL JCL to create the SMF incomplete event spill file for an agent.

AUILSTC JCL IMS archived log data collection address space JCL

AUILSTR1 JCL JCL to add CFRM structures for batch and online log streamsto a CFRM policy

AUILSTR2 JCL JCL to add batch and online log streams to your CFRMenvironment.

AUILSTR3 JCL JCL to add DASD-only log streams to your LOGRenvironment

AUIMIG91 JCL JCL used to assist in the upgrade from V9.0 to V9.1

AUIMLOG JCL JCL used to read the IMS RECONS, detect missing logs, andsend notification to the Guardium system

AUISJ001 JCL JCL to create and initialize the VSAM repository file

AUISMFDF JCL JCL sample, showing the creation of a GDG file base for SMFdata collection

AUISMFDP JCL JCL sample, showing the use of program IFASMFDP to filterSMF record types.

AUIUSTC JCL Common storage management utility address space JCL

Agent environmentThe agent must be running in order for InfoSphere Guardium S-TAP for IMS usersto perform any functions related to the IMS subsystems monitored by that agent.

51

Page 56: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

APF authorizationFor agent security, the InfoSphere Guardium S-TAP for IMS agent must beAPF-authorized before it can be run.

Agent job outputThe primary output of the agent job consists of log messages written to theAUILOG DD. These messages provide status information about the ongoingoperation of the agent, and also record additional messages if errors occur.

In the event of exceptional conditions, additional messages might be written to theSYSOUT DD. If an abend occurs, dump information can be written to theCEEDUMP and SYSUDUMP DDs, if they are supplied. That information can beused in diagnosis by product support.

Stopping the agentWhen running on z/OS, the agent accepts standard z/OS /MODIFY and /STOPcommands. When stopping the agent, all secondary address spaces controlled bythe agent will also receive a stop request.

From SDSF (or anywhere else that you can issue commands), you can issue one ofthese commands to the agent:

/STOP agent-job-nameThis is the recommended command to use to stop the agent. It initiates agraceful agent shutdown, which causes the agent to:1. Wait for all existing requests to finish.2. Exit.

/MODIFY agent-job-name,STOPPerforms the same function as the /STOP agent-job-name command.

/MODIFY agent-job-name,FORCEThis initiates an agent hard stop which causes the agent to:1. Initiate hard cancels on all running threads.2. Exit as soon as the threads exit.

Starting and stopping the secondary address spacesThis topic describes the /MODIFY commands to start and stop the secondary addressspaces.

Commands to start and stop the SMF data collector addressspace

When the agent address space is started, secondary address spaces under thecontrol of the agent may are also started. These include the SMF data collectoraddress space (SAUISAMP member AUIFSTC) which collects events using SMF logdata as input and sends the events to the Guardium appliance. One IMS ArchiveLog event Data collector (SAUISAMP member AUILSTC) is also started for eachIMS with an active collection.

Note: The following commands should be used against the agent's primaryaddress space.

52 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 57: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

v /MODIFY <jobname>,START COLLECTOR SMF

v /MODIFY <jobname>,STOP COLLECTOR SMF

Optionally, the STOP command may be used to stop the SMF address space:v /STOP <jobname>

Commands to start and stop the IMS Archive Log Data collector

There is no z/OS command to start the address space because the IMS ArchiveLog data collector address space is specific to an IMS definition with an activecollection. The AUILSTC address is started by the agent address space, oractivation of a collection.

Stopping a specific AUILSTC address space requires the use of the /STOP<jobname>.<token> command. The <token> value to be used can be found duringAUILSTC startup in the AGENT JOBLOG. For example, in /SAUILRS22.AAAAAAAC, AAAAAAAC is the token value, or when viewing theAUILSTC task in TSO SDFS, the token is displayed as the STEPNAME.

Chapter 9. InfoSphere Guardium S-TAP for IMS agent reference information 53

Page 58: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

54 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 59: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Chapter 10. Data collection

The collection process involves the gathering of audit event data at run time.Specify various filtering criteria to capture all relevant events and limit the amountof data that is collected and stored.

InfoSphere Guardium S-TAP for IMS gathers audited events from the followingsources:v IMS database DLI calls performed from within IMS Online Control regions and

DLI/DBB batch jobsv SMF recordsv IMS Log records from IMS System Log Data Sets (SLDS).

A single policy containing selection criteria that indicates the events to be audited,is applied to each source.

IMS database DLI callsInfoSphere Guardium S-TAP for IMS can filter audit events generated by databaseDLI calls by the following call types: Read, Update, Insert, and Delete.

Note: Database DLI calls that do not result in a DBPCB status code of blanks, GA,or GK, are not audited. DLI calls performed using an IOPCB or TPPCB are notaudited.

Database DLI calls issued from specific PSBs and USERIDs can be included orexcluded from auditing. PSB names and USERIDs can be specified for auditingusing fully qualified names, or by using wildcard characters.

Further filtering can be performed by including or excluding specific database andsegment names. Wildcard support is available for both the database and segmentname.

When auditing IMS DLI calls, you can obtain the concatenated key value ofsegments that are audited for all or specific database DLI calls, as well as thesegment data for UPDATE, and INSERT calls. The segment data can also beobtained for READ and UPDATE calls where these calls are logically linked in theGuardium appliance to provide a before and after image of updated segments.

SMF recordsInfoSphere Guardium S-TAP for IMS allows the filtering of audit events generatedby access methods outside of IMS DLI services, including z/OS access methodssuch as VSAM or QSAM requests generated from z/OS batch jobs or TSO.

Some IMS Database Batch Utilities access IMS databases using access methodsother the IMS Database DLI calls. As a result, the source of auditing records forthese batch jobs will be the SMF records produced.

55

Page 60: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

These audit events are based on z/OS SMF records and are processed from withinthe AUIFSTC Agent subtask. Policy criteria input for SMF data auditing is thesame as for IMS DLI calls, but because of the nature of the SMF data, it is useddifferently.

The following data is not relevant, and therefore not used:v DLI calls typesv PSB namesv Segment names

Database names are relevant because SMF data is based on data set names (part ofthe process that converts a policy to a filter, examines the IMS RECON data setsfor artifacts in the RECON which relate to the INCLUDED database). Theseartifacts include database data set names (DSG/AREA/ADS) and database imagecopy data sets for each database data set. The AUIFSTC tasks also audit other IMSrelated data sets.

By default, these data sets have been included because changes to these data setscan have an effect on data integrity:v IMS RECON data setsv logging data sets generated by IMS DLI/DBB batch jobsv SLDS/RLDS data setsv IMS Online log data sets (OLDS)

It is possible to ignore the auditing of these data set types, as well as the databaseimage copy data sets, by adding a DUMMY DD statement to the AUIFSTC JCL.

This table lists the data sets and corresponding DD DUMMY statement to includein the AUIFSTC JCL if you want to exclude the auditing of each of these types.

Table 7. Data sets and DD DUMMY statements

Data set Type IMS RECONS IMS LOGS IMS OLDSDB ImageCopies

DD NAME AUINRCN AUINLOG AUINOLD AUINICS

Specify filtering of SMF events at the agent level, using access type or securityviolation, with the use of the SMF_AUDIT_LEVELS keyword in the configurationfile. The keyword is pointed to by the AUICONFG DD statement of the agent(AUIASTC) JCL. Data set accesses to be audited are:v OPEN for Read/Updatev data set Alter/Create/Deletev any security product (such as RACF) violations

The auditing of these accesses can be specified at the agent level (for example, allIMS systems defined to the agent), or at the IMS level. See the Changing the type ofevents audited using SMF records section for more details.

Records from IMS system log data sets (SLDS)InfoSphere Guardium S-TAP for IMS allows the filtering of audit events generatedby IMS Online Control regions which are logged to IMS log data sets and areprocessed from within the AUILSTC started task.

56 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 61: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Policy criteria input for IMS Log data auditing is the same as for IMS DLI calls,but because of the nature of IMS log data, is used differently:v DLI calls types are not relevant and therefore not used.v Segment names are not relevant and therefore not used.v PSB names are checked only when relevant to the event being examined.v USERIDs are checked only when relevant to the event being examined.v DBD names are checked only when relevant to the event being examined.

In addition to filtering performed using the policy criteria, you can further filterIMS log data by event types, using the Guardium user interface. Using theIMSL_AUDIT_LEVELS keyword, you can set specific events to be audited,including:v IMS Control Region Starts and Stopsv USER signon and signoffsv database OPEN/CLOSEv DBD and PSB STARTS/STOPS/LOCK/UNLOCK

Occurrences of the DB DBDUMP command can also be audited. Auditing of theseevents can be specified at the agent level (for example, all IMS systems defined tothe agent), or at the IMS level (for example, only for a specific IMS system). Formore information, see the Changing the types of events audited using IMS SLDSrecords section.

Filtering stagesStage 0, Stage 1, and Stage 2 filtering is available for Collector Agent audit eventcollection when processing DLI calls.

Filtering occurs at one or more of the stages, 0, 1, and 2, depending on what fieldsare included in your filter. As many audit events as possible are filtered at theearliest possible stage (0, 1, or 2). You can control filtering performance by thefields you include in the rules for the active collection profile.

Stage 0 filteringStage 0 filtering occurs immediately after IMS executes the DLI call and it isdetermined that the call is a candidate for auditing, meaning one of the supportedDLI call types and blanks, or another acceptable DLI status code, is returned.

InfoSphere Guardium S-TAP for IMS checks for an active policy for the IMSsubsystem and determines if any rules governed by the active policy require theauditing of the DLI call type. If no policy is active, or no rules require the auditingof the DLI call type, processing control is returned to the application program. Thisis the most efficient form of filtering and should be used when possible.

Consider this example, wherein an active policy contains three rules:v One rule only addresses INSERT requests.v The second rule only addresses DELETE requests.v The third rule only addresses UPDATE requests.

Chapter 10. Data collection 57

Page 62: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

In this example, the READ DLI call is performed, and returns a status code ofblanks. Since InfoSphere Guardium S-TAP for IMS determines that no rules in thepolicy can reference a READ, processing control returns to the applicationprogram.

If the event that the DLI call performed in the example was an INSERT request,Stage 1 filtering would be invoked.

Stage 1 filteringStage 1 filtering occurs through the use of USERID and PSB name values.

For Stage 1 filtering to occur, all rules of the active policy must contain identicalUSERID and PSB name values. Any inconsistencies in these values between rulesprevents Stage 1 filtering from occurring.

Stage 1 filtering allows DLI calls that should be rejected, due to USERID or PSBname, to be excluded from the list of values to be audited. This can be due to theitems not being included, or being intentionally excluded.

The determination that the USERID or PSB is causing the DLI call to be rejected ismade by call to the Stage 2 compiled filters. The call to the Stage 2 complied filtersis made when the USERID or PSB name of the current DLI call is not the same asthe USERID or PSB name of the previous DLI call made in the same processingregion.

In this example, the processing flow is demonstrated when discussing a BMP:v The first DLI call is made and passes through Stage 0 processing.v Stage 2 filtering is invoked, and it is determined that DLI calls from this USERID

should not be audited. The DLI call is not audited, and control is returned to theapplication program.

v The next DLI call is made, and the USERID is the same as the previous DLI callin the region. The previous DLI call was not audited due to the USERID value,therefore this DLI call will not be audited.

v This process continues until the BMP STEP terminates with only one DLI callgoing through to Stage 2 filtering, and the remaining DLI calls are rejectedduring Stage 1 processing.

The same benefit can be seen with DLI and DBB batch jobs, because the USERIDand PSB will not change during the execution step.

This process benefits online transactions and other processing threads wheremultiple DLI calls are performed from within a single unit-of-work, as well aswhen DLI calls are performed using “C” and “D” IMS command codes wheremultiple segments are affected by a single DLI call and auditing may be requiredon more than one segment within the hierarchical path.

Stage 2 filteringStage 2 filtering occurs through the use of a filtering program that is compiled atthe time of policy installation, using the criteria specified in the policy.

All DLI calls that are not rejected by Stage 0 and Stage 1 filtering are processed bythe compiled filter. The compiled filter determines if the DLI call is to be auditedbased on all the policy criteria including DBD and segment name.

58 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 63: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

If the DLI call is to be audited, additional information is returned by the compiledfilter, such as if the segment data and concatenated key should be included in theaudited data block.

Policy pushdownThis topic describes the policy pushdown process of mapping policies to anInfoSphere Guardium S-TAP for IMS collection profile.

When the InfoSphere Guardium S-TAP for IMS agent starts, it establishes adedicated connection to the Guardium appliance for the reading of installedpolicies. Immediately after the connection is established, any installed policies arepushed down to the InfoSphere Guardium S-TAP for IMS agent by the Guardiumappliance. The Guardium appliance pushes down a full policy to all connectedInfoSphere Guardium S-TAP for IMS agents each time a policy is installed oruninstalled from the Guardium appliance.

Upon receipt of a policy, the InfoSphere Guardium S-TAP for IMS agent comparesthe applicable rules with the existing collections, and performs a differential install.

Differential installA differential install of the policy indicates that only policies that havebeen modified since the last install are acted upon.

If a policy has been uninstalled, the equivalent collection policy in theInfoSphere Guardium S-TAP for IMS agent’s repository is uninstalled, andthe relevant collection is deactivated.

If a new policy has been installed, an equivalent collection profile iscreated in the InfoSphere Guardium S-TAP for IMS agent’s repository, andthe relevant collection is activated.

The following processing occurs in the InfoSphere Guardium S-TAP for IMS agentupon receipt of a policy:v The new policy is compared to the currently active policy if the new policy

contains one or more rules.– If the policies are identical, no further processing is required.– If the policies are not identical, the policy is stored as a collection profile in

VSAM repository and it becomes the active collection policy.v If the new policy does not apply to this subsystem, processing continues without

any changes.– If there is an active policy, the collection continues using it.– If no policy is active, none is started.

v If you remove the collection policies, InfoSphere Guardium S-TAP for IMSdeactivates and removes them from the VSAM repository.

Chapter 10. Data collection 59

Page 64: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

60 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 65: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Chapter 11. Creating and modifying IMS definitions

An IMS definition establishes a connection from your Guardium system to the IMSenvironment that you want to audit. To create and modify IMS definitions fromthe Guardium system interface, the agent address space (AUIASTC) must have apreestablished connection to the Guardium system.

Navigating to the IMS Definitions panelIMS definitions can be created, modified, and deleted from the IMS Definitionspanel of the Guardium system interface.

Procedure1. From the Administration Console tab, select the Local Taps menu.2. Select the IMS Definitions option.

IMS Definition fieldsThe following fields are available in the IMS Definitions panel for your use indefinition an IMS entry. Required fields are indicated with an asterisk.

IMS Name

*IMS Entry NameA unique 1 - 8 character name to identify this IMS entry.

DescriptionAn optional description of the IMS Entry.

*Agent NameThe name of the agent that audits this IMS entry.

RECONs

The RECON data set names are used to logically link the IMS definition, the activepolicy, the IMS Online Control region, and the DLI/DBB batch jobs that arerunning on z/OS, to audit the correct IMS instances.

*RECON1 Data Set NameThe RECON1 data set name that is used by IMS on z/OS.

*RECON2 Data Set NameThe RECON2 data set name that is used by IMS on z/OS.

RECON3 Data Set NameThe RECON3 data set name that is used by IMS on z/OS.

IMS Data Sets

The IMS RESLIB data sets are used to determine the IMS release, duringprocessing of the IMS System Log Data Sets (SLDS), using the AUILSTC addressspace. If more than one data set name is required, the data set names can bedelimited by a comma.

*RESLIB Data Set NamesA data set containing the IMS DFSVC000 module.

61

Page 66: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUII050I Message FrequencyMessage AUII050I provides the number of DLI calls that are considered forauditing, and the number of DLI calls that were audited, based on theauditing criteria of the active policy. This message is produced based onthe number of DLI calls that are considered, based on the followingformula:

Number of DLI calls in thousands (K) or Millions (M)

or, by using both the formula and the time interval since the last AUII050Imessage was issued.

Example: If you provide values of 100K (Number of DLI calls = 100,000)and 0100 (time interval of 1 hour), message AUII050I is issued when100,000 DLI calls are seen by the product code, or by the 1 hour timeinterval, whichever comes first. The DLI counts and time interval resetwhen message AUII050I is issued.

Number of DLI callsxxx K|M

Time IntervalHH:MM

Auditing Levels

Auditing levels can be set for both IMS Log and SMF events. For an explanation ofthe levels of auditing that are available for IMS Log and SMF events, seeChapter 5, “Configuration overview,” on page 13 for a description of theIMSL_AUDIT_LEVELS and SMF_AUDIT_LEVELS configuration keywords.

IMS LOG EventsAudit All IMS Log Events

Audit Control Region Starts/Stops

Audit User Signon/Signoff

Audit DBD Open/Close

Audit DBD/PSB/DUMP/START/STOP/LOCK/UNLOCK

SMF EventsAudit All SMF Events

Audit Dataset Open for Update

Audit Dataset Deletes

Audit Dataset Open for Read

Audit Dataset Create

Audit Dataset Alter

Audit Dataset RACF Violations

IMSPLEX data sharing and XRF considerationsWhen you are considering IMS data sharing and XRF systems, take the followingIMSPLEX data sharing and XRF considerations into account.

62 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 67: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

IMSPLEX Data Sharing Considerations

Regardless of the number of LPARS that are involved, only one IMS definition isrequired in an IMS data sharing environment where all databases are shared bymultiple IMS subsystems.

In an IMS data sharing environment where only a subset of databases are shared,an IMS definition must be created for each IMS subsystem with nonshareddatabases to be audited.

XRF Considerations

Only one IMS definition is required in an IMS XRF environment. InfoSphereGuardium S-TAP for IMS is not sensitive to which XRF partner is currently active.The product continues to produce audit data in the event of an XRFACTIVE/BACKUP switch.

Adding an IMS definitionAdd an IMS definition to the IMS Definitions List to include a defined IMSenvironment in the list of environments to be audited.

Procedure1. From the IMS Definitions List, select the Add symbol, indicated by a plus

sign, at the top of the list of defined IMS systems. Enter the information in theIMS Definitions panel to define the new IMS environment to be audited.

2. Select Apply to save the new IMS definition.

Modifying an IMS definitionYou can modify the attributes that are set for an IMS definition on the IMSDefinitions List.

Procedure1. Select the entry that you want to modify.2. Modify the IMS definition fields.3. Select APPLY to save your changes.

Deleting an IMS definitionDelete an IMS definition from the IMS Definitions List to remove the IMS entryfrom the list of IMS environments to be audited.

About this task

IMS definitions can be deleted if no active IMS policies reference the IMSdefinition name. Only IMS definitions that are not part of an installed policy canbe deleted.

Procedure1. From the IMS Definitions List, select the IMS Definition that you want to

delete.2. Click the Delete icon. Click OK in the confirmation message to confirm the

IMS entry deletion.

Chapter 11. Creating and modifying IMS definitions using the Guardium system interface 63

Page 68: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

64 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 69: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Chapter 12. Reference information

This chapter provides IBM InfoSphere Guardium S-TAP for IMS on z/OS referenceinformation.

Data collection monitorsInfoSphere Guardium S-TAP for IMS collects data from IMS online and batchactivities, SMF, IMS archived logs, IMS RECON data sets, and VSAM repositorydata sets, by using the internal product monitors described here.

IMS Online Activity MonitorThe IMS Online Activity Monitor interfaces with IMS DL/I Language callanalyzer module (DFSDLA00), and the IMS/VS Fast-Path Inter-regionCommunications Controller module (DBFIRC10), in order to be sensitive tothe DL/I call type, and to access the data that is necessary for producingan audited event. When an INIT call is made to the IMS logger Exitroutine (DFSFLGX0)I, interfaces to the IMS modules are activated, and theyremain active until the DFSFLGX0 routine receives a TERM notification.

For the activity monitor to be recognized by the IMS Online region, theIMS control region must be stopped and restarted with the SAUIIMODdata sets included as the first data sets in the STEPLIB DD concatenation.

The IMS Online Activity Monitor and the agent communicate datacollection criteria by using E/CSA control blocks. Determination of whichDL/I calls and databases/segments is made at the time the DL/I call isperformed, by using information derived from the data collection policycreated through the Guardium system's Access Rule definition process.

The z/OS System Logger transports the audit data from the IMS OnlineActivity Monitor to the agent. All IMS online systems controlled by anagent use the same z/OS System Logger log stream. This z/OS system logstream is unique to the agent, and only contains audited events from IMSOnline regions.

IMS Batch Activity MonitorThe IMS Batch Activity Monitor interfaces with IMS DL/I language callanalyzer module (DFSDLA00) in order to identify the DL/I call type anddata that is necessary to produce an audited event. When the IMS BatchExit routine (DFSISVI0) is invoked, the interface with the DL/I callanalyzer is activated, and remains active until the batch step terminates.

The IMS Batch Activity Monitor and the agent use E/CSA control blocks tocommunicate data collection criteria. The DLI calls anddatabases/segments determination is made at the time the DL/I call isperformed, by using information that is derived from the data collectionpolicy, which is created on the Guardium system. The audit data from theIMS Batch Data Collector to the agent is transported through the z/OSSystem Logger.

All IMS batch jobs that are controlled by an agent use the same z/OSSystem Logger log stream. This z/OS system log stream is unique to theagent, and only contains audited events from IMS Batch jobs.

IMS Online and Batch Data CollectorsThe IMS Online and Batch Data Collectors run as separate threads under

65

Page 70: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

the control of the agent address space (AUIASTC). The function of the datacollector is to read audited events from the z/OS System Logger logstream, and send the events to the Guardium system for storage by using aTCP/IP connection.

Each thread maintains its own persistent TCP/IP connection to theGuardium system.

SMF Data CollectorThe SMF Data Collector reads a subset of SMF records from SMF DUMPdata sets to determine if any data sets associated with audited IMS artifactswere read, written, deleted, or renamed. Security violations against thesedata sets can also be reported.

IMS artifact associated data set types include database data sets, databaseimage copy data sets, IMS log data sets (OLDS, SLDS and RLDS) andRECON data sets. The list of IMS artifact data sets to be monitored duringSMF data collection is derived from the data collection policy createdthrough the Guardium system.

As the processing of the SMF data sets is deferred, the data collectionpolicy in force at the time of the SMF data set READ will be the collectionpolicy used, not the data collection policy in effect when the SMF eventoccurred. The names of the SMF DUMP data sets to be read is based onone or more SMF data set MASK values supplied by the use of one ormore SMF_DSN_MASK keywords in the agent configuration file(AUICONFG). The data set names to that the SMF MASK refers reflects theSMF DUMP data sets that are created when offloading the SMF recordingdata sets, or a copy of these data sets containing a subset of SMF recordtypes that are created explicitly for the use of this product.

Because an agent can monitor SMF events from all LPARS within aSYSPLEX, all SMF data sets to be read must be accessible from the LPARon which the agent runs. The SMF Data Collector periodically queries thez/OS catalog for any new data set names that meet the SMF MASK value.When cataloged data sets are found, these data sets are dynamicallyallocated and read by the SMF Data Collector. Any auditable events thatare found are formatted, and sent to the Guardium system by using aTCP/IP connection.

The SMF Data Collector creates and maintains its own TCP/IP connectionto the Guardium system. The frequency that the SMF Data Collectorqueries the z/OS catalog is determined by the option you set whenconfiguring this product. The SMF Data Collector can be configured toaudit only a subset of events by use of available options when configuringthe agent and defining the IMS appliance through the Guardium userinterface. The SMF Data Collector is run as a started task under the controlof the agent. An example of the JCL for this started task can be found inthe SAUISAMP data set in the AUIFSTC member.

Note: InfoSphere Guardium S-TAP for IMS only reports audited events forSMF record types that are collected by SMF. If specific SMF record typesare not collected by your appliance or SMF recording data set dump utility,the event cannot be reported. Refer to the “IMS Logtypes and SMF recordtypes collected by InfoSphere Guardium S-TAP for IMS” on page 68 topicfor a list of SMF record types used by InfoSphere Guardium S-TAP forIMS.

66 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 71: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

IMS Archived Log Data CollectorThe IMS Archived Log Data Collector reads IMS Archived Log data sets(SLDS) and provides audit information about the following actions:v IMS user signon and signoffv IMS online region starts and stopsv Changes to the status of DBDs and PSBS within the IMS Online

environment

The list of IMS artifacts to be monitored during IMS Archived Logcollection is derived from the data collection policy you create, by usingthe Guardium system.

As the processing of the IMS Archived Log sets is deferred, the datacollection policy in force at the time that the IMS Archived Log data setsare read is the collection policy used (as opposed to the data collectionpolicy in effect when the IMS Archived Log event as written to the IMS logdata set).

The IMS Archived Log Collector periodically queries the DBRC RECONdata sets that are associated with an IMS that is defined to InfoSphereGuardium S-TAP for IMS on z/OS to determine if any new SLDS data setshave been created since the last RECON data set query. Any new data setsthat are found are dynamically allocated and read. Audited events are sentto the Guardium system by using a TCP/IP connection.

The IMS Archive Log Data Collector can be configured to audit only asubset of events, by using the options available when configuring the agentand defining the IMS appliance through the Guardium user interface. TheIMS Archived Log Data Collector is run as a started task under the controlof the agent. An example of the JCL for this started task can be found inthe SAUISAMP data set in the AUILSTC member.

InfoSphere Guardium S-TAP for IMS starts one AUILSTC task for each setof RECON data sets that is actively monitored with a data collection policy.v If an IMS data sharing environment with five IMS subsystems sharing a

single set of RECON data sets exists, only one AUILSTC task will bestarted.

v If two separate IMS subsystems by using two separate sets of RECONdata sets are being monitored, two separate AUILSTC tasks will bestarted.

Note: To collect events from the IMS archived logs, the DFSSLOGP(Primary Output SLDS) data set must be created and cataloged by yourIMS Log Archive Utility process (program DFSUARC0).

InfoSphere Guardium S-TAP for IMS dynamically starts and stops theappropriate number of AUILSTC tasks as required.

IMS Missing Log UtilityThe IMS Missing Log Utility analyzes IMS RECON data sets to confirm theexistence of SLDS/RLDS data sets. This function can be included orexcluded, as well as scheduled without regard to the execution cyclesetting for the AUILSTC task. This utility is run by a job or started task(see SAUISAMP member AUIMLOG for an example). It processes theRECON data sets of IMS systems with active policies audited by the agentand pointed to by the configuration member that is defined in theAUICONFG DD statement in the AUIMLOG JCL. The IMS RECON datasets are analyzed in search of IMS SLDS and RLDS data sets. If these are

Chapter 12. Reference information 67

Page 72: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

found, the z/OS appliance catalog is queried by using the SLDS/RLDSdata set name. If the SLDS/RLDS data set is not found, a missing logevent is sent to the Guardium system.

Note: The AUIMLOG utility must be run under the same USERID, and onthe same LPAR, as the AUIASTC task.

Common Storage Management UtilityInfoSphere Guardium S-TAP for IMS uses memory in E/CSA to provideinformation regarding active data collection policies to the IMS Batch andOnline Activity Monitors.

An InfoSphere Guardium S-TAP for IMS agent can be called to monitorIMS Online regions or DL/I batch jobs on many LPARS within a SYSPLEX.A started task is generated for execution on all LPARS of a SYSPLEX toread all active data collection policies from the VSAM repository and buildthe appropriate E/CSA control blocks. This started task is run when theInfoSphere Guardium S-TAP for IMS agent starts and stops, as well aswhen a change is made to the state of any collection policy. An example ofthe JCL for this started task can be found in the SAUISAMP data set in theAUIUSTC member.

The LPARs where the AUIUSTC task is run might be limited by adding theAUIU_EXCLUDE_LPAR keyword and LPAR names to the configurationfile, specified by the AUICONFG DD statement in the AUIASTC JCL.

VSAM RepositoryInfoSphere Guardium S-TAP for IMS requires the use of a repository tohold data processing checkpoint values.

Note: VSAM RLS (Record Locking) and Transactional VSAM are notrequired or supported for the use of this repository.

IMS Logtypes and SMF record types collected by InfoSphere GuardiumS-TAP for IMS

The tables in this section show the IMS log types and SMF records types anddescriptions that are collected by InfoSphere Guardium S-TAP for IMS.

Table 8. IMS Logtypes collected by InfoSphere Guardium S-TAP for IMS

Log typenumber IMS log type IMS log type description

06 IMS/VS Accounting Record X'06' IMS Online was started or stopped.

16 A /SIGN command was successfullycompleted.

A /SIGN command successfullycompleted.

20 A database was opened. A database was opened.

21 A database was closed. A database was closed.

4C DB/PSB Activity Activity related to database or PSBprocessing

59xx DEDB ADS OPEN Log record DEDB area data set was opened.

5922 DEDB ADS CLOSE Log record DEDB area data set was closed.

5923 DEDB ADS STATUS Log record DEDB area data set status waschanged.

68 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 73: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

SMF is used to obtain additional data set activity related to the monitored IMSdatabases and image copies.

Table 9. SMF record types and descriptions

SMF record Nnumber Type

00 IPL Record

14 INPUT or RDBACK Data Set Activity

15 OUTPUT, UPDATE, INOUT, or OUTIN Data Set Activity

17 Scratch Data Set Status

18 Rename Non-VSAM Data Set

30 Common Address Space Work/ Accounting Information

60 VSAM Volume Data Set Updated

61 ICF Catalog Entry Define

62 VSAM Component or Cluster Opened

65 ICF Delete Activity

66 ICF Alter Activity

80 RACF Operator Record

89 Usage Data

Note: When image copies are read, they are collected as SMF type 14. When imagecopies are written, they are collected as SMF type 15. Image copies are usuallysequential files, with some exceptions. If the image copy is opened as a VSAM file,the image copy is collected as SMF type 60.

Remember: InfoSphere Guardium S-TAP for IMS can only report events that arebeing collected by SMF. If any SMF record type in this table is not being collectedat your site, InfoSphere Guardium S-TAP for IMS cannot report that event.

Fields used for IMS policy pushdownThe following fields defined in the Guardium appliance Access Rule Definitionpanel are used by InfoSphere Guardium S-TAP for IMS to create policies and rules.The following information should be used as a guideline.

Table 10. Fields used for IMS Policy pushdown

Label Hover text

Service Name IMS names that this rule applies to (case sensitive)

ApplicationUser

INCLUDE /PSB or EXCLUDE /PSB

Database User INCLUDE/USERID or EXCLUDE/USERID

Object INCLUDE /read+update+delete+insert+data+image/DBNAME.SEGNAME or EXCLUDE/DBDNAME.SEGNAME

Service name/IMS NameRequired and must be fewer than or equal to eight characters.

Mixed case is allowed and field is case sensitive.

Wildcard characters are not allowed.

Chapter 12. Reference information 69

Page 74: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Application user/PSBMust be fewer than or equal to eight characters.

All typed characters should be folded to uppercase.

Supports % as a wildcard character. % matches zero or more characters.

Note: If the keyword EXCLUDE is used, at least one INCLUDE must alsobe specified.

Database user/User IDMust be fewer than or equal to eight characters.

All typed characters should be folded to uppercase.

Supports % as a wildcard character. % matches zero or more characters.

Note: If the keyword EXCLUDE is used, at least one INCLUDE must alsobe specified.

Object/Target DB/Segmentdatabase_name must be less than or eight characters.

segment_name must be less than or eight characters.

wildcard_pattern supports % as a wildcard character. % matches zero ormore characters.

All typed characters should be folded to uppercase.

Note: You must specify at least one INCLUDE with at least one DLI calltype. DBD and segment must also be specified.

70 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 75: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Chapter 13. Troubleshooting

Use the following topics to diagnose and correct problems that you experiencewith InfoSphere Guardium S-TAP for IMS.

Messages and codes for IBM InfoSphere Guardium S-TAP for IMS onz/OS

This information documents the messages and error codes issued by IBMInfoSphere Guardium S-TAP for IMS. Messages are presented in ascendingalphabetical and numerical order.

Error messages and codes: AUIAxxxxThe following information is about error messages and codes that begin withAUIA.

AUIA002I Terminating collector thread <id>.

Explanation: The thread collector with the specified<id> is terminating.

User response: No action is required.

AUIA003E Address Space <name> failed to startsuccessfully.

Explanation: An attempt by the agent to start thenamed support address space has failed.

User response: Check the named address space logsto identify why it was not able to start up. In mostcases, this may occur if an address space with thatname is already online, or if there was a JCL error orthere was an issue resolving the loopback address hostname. If further assistance is required, contact IBMSoftware Support.

AUIA004E Address Space <name> failed to stopsuccessfully within the timeout periodand was abandoned.

Explanation: The named address space did not stopwithin the time out period and was thereforeabandoned by the master address space.

User response: Check the named address space logsto identify why it did not terminate. If furtherassistance is needed, contact IBM technical support.

AUIA005I Starting address Space <name>.

Explanation: The agent has automatically started thesupport address named.

User response: This is an informational message only.

AUIA006I Address Space <name> startedsuccessfully.

Explanation: The agent has successfully started thesupport address space named.

User response: No action is required.

AUIA007I Stopping address Space <name>.

Explanation: The agent has automatically stopped thesupport address space named.

User response: No action is required.

AUIA008I Address Space <name> stoppedsuccessfully.

Explanation: The named address space hassuccessfully stopped.

User response: No action is required.

AUIA009E The address space <name> is not active.

Explanation: The named address space that the masteraddress space was attempting to control is not online.

User response: Correct and retry.

AUIA010E Address Space <name> is already active.

Explanation: This message indicates that the addressspace with the specified name is active already andwas expected to be. This message may occur whenstarting the BATCH (or SMF) collector if they arealready running.

User response: Verify that the address space is alreadyrunning. If the address space is not online and themessage occurs, contact IBM Software Support.

71

Page 76: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIA011W The database list was truncated becauseof potential storage shortage.

Explanation: An attempt to retrieve a list of databasesfailed because of memory shortage.

User response: Modify your filter to shorten the list ofreturned databases or increase the REGION size of theagent address space (AUIAxxxx).

AUIA012W The database and segment lists weretruncated because of potential storageshortage.

Explanation: An attempt to retrieve a list of databasesfailed because of memory shortage.

User response: Modify your filter to shorten the list ofreturned databases or increase the REGION size of theagent address space (AUIAxxxx).

AUIA013W Reusing agent record for agent withname 'agent-name'. Ignored active status.

Explanation: The repository already contained arecord for agent with name agent-name and the agentis reusing the old record after verifying that anotheragent with the same name is not already online. Thiserror is usually indicative of a failure of the previousagent during shutdown.

User response: Check the previous agent's logs forany errors.

AUIA015E IMS entry not found.

Explanation: The IMS entry cannot be located.

User response: Provide a valid IMS entry and retry.You might need to refresh the Guardium system panelbefore continuing.

AUIA016E Specified Log Stream <name> does notexist.

Explanation: The log stream with the name specifiedduring agent configuration does not exist.

User response: Verify that specified log Stream exists.If it exists and this message occurs, contact IBMSoftware Support.

AUIA017E Specified Spill Data set <name> does notexist.

Explanation: The Spill Data set with the namespecified during SMF Event collector configurationdoes not exist.

User response: Verify that specified Spill Data setexists. If it exists and this message occurs, contact IBMSoftware Support.

AUIA018E Problem encountered for <spill>,<problem area>: required <req>, received<res>.

Explanation: This spill data set <spill> could not bevalidated. The <problem area> with the parameters<req> and <res> gives additional details.

User response: Fix the issue in the <problem area>using the required <req> value. If necessary, contactIBM Software Support for additional help.

AUIA019E z/OS call failure for <spill>, <problemarea>: RC=<rc>, RSN=<rsn>.

Explanation: Attempt to validate the spill data setcaused an error with the z/OS services. A <problemarea> with return <rc> and reason <rsn> codes arereturned.

User response: Contact IBM Software Support.

AUIA020E IMS definition for ims-name cannot bedeleted because it is being used as asource for collection profile collectionprofile name.

Explanation: An IMS definition can only be deleted ifit is not being used to define a collection profile.

User response: Delete the associated collection profilebefore deleting the IMS definition.

AUIA021I MODIFY command <command text> sentto Address Space <name>.

Explanation: The MODIFY command <command text>sent to address space named.

User response: No action is required.

AUIA022I <Collector name> collector is disabled:interval is set to <value>.

Explanation: Named collector is disabled because theinterval value is less than or equal to zero.

User response: If this was not intentional, fix theinterval value and restart the agent address space.

AUIA023I <Collector name> collector is disabled:proc name for the collector addressspace has not been specified in theconfiguration.

Explanation: The specified collector is disabledbecause the procedure name for the collector addressspace has not been specified in the configuration.

User response: To enable this collector, specify theprocedure name for collector address space. If theprocedure name is specified and this message stilloccurs, contact IBM Software Support.

AUIA011W • AUIA023I

72 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 77: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIA024I <Collector name> collector is disabled:not configured.

Explanation: The specified collector is disabledbecause it has not been configured.

User response: To enable this collector, configure itusing the Guardium user interface. If the specifiedcollector is configured and the message still occurs,contact IBM Software Support.

AUIA025E The agent <name> for <host> has notbeen configured.

Explanation: The agent <name> for system <host> hasnot been configured properly.

User response: This error can occur during theaddition of a new IMS definition if the agent has notbeen configured before. Verify that the agent isconfigured. If the agent has been configured properlyand the message still occurs, contact IBM SoftwareSupport.

AUIA026E Problem encountered while validating<log stream>. Function:<func>,request:<req>, RC=<rc>, RSN=<rsn>.

Explanation: The Log Stream <log stream> could notbe validated. A problem function <func> and request<req> with return <rc> and reason <rsn> codes arereturned.

User response: This may occur during IMS Batchcollector configuring if there are any problems with theLog Stream. If the Log Stream is correct and themessage occurs, contact IBM Software Support.

AUIA027E Abend occurred while validating <logstream>. Abend code = <code>,RSN=<reason>.

Explanation: The Log Stream <log stream> validationfailed with abend code <code> and reason code<reason>.

User response: Contact IBM Software Support.

AUIA028S An agent with the name agent-name isalready online.

Explanation: An agent is already online and is usingthe specified agent name. Agent names must be uniqueper sysplex.

User response: Change the agent-name and restart theagent (or shut down the other agent).

AUIA029I collector collector is disabled: no AuditIMS Log Events are selected for IMSsource IMS.

Explanation: An Audit IMS Log Event must beselected for the IMS source IMS for the collector to beenabled.

User response: To enable the collector, select an AuditIMS Log Event for the IMS source.

AUIA030I collector collector started successfully.

Explanation: The specified collector started.

User response: No action is required.

AUIA031I collector collector stopped successfully.

Explanation: The specified collector stopped.

User response: No action is required.

AUIA032W Profile for IMS source NAME wasignored: IMS doesn't exist in therepository.

Explanation: An IMS source NAME specified in thepolicy definition does not exist in the repository.

System action: The policy is ignored.

User response: Correct the IMS source in the specifiedpolicy.

AUIA033I Attempting to establish link with theappliance.

Explanation: The agent is attempting to establish aconnection to one of the appliances specified in theagent configuration.

User response: No action is required.

AUIA034S An attempt to establish the link to theappliance failed.

Explanation: The agent could not establish aconnection to any of the appliances specified in theconfiguration.

User response: Contact your network administrator orIBM Software Support.

AUIA035W Link failed over to a secondaryappliance. [host=host, port=port]

Explanation: The agent lost connection to the primaryappliance and switched to the specified secondaryappliance.

User response: No action is required.

AUIA024I • AUIA035W

Chapter 13. Troubleshooting 73

Page 78: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIA036I Link to primary appliance established.[host=host, port=port]

Explanation: The agent has connected to the specifiedprimary appliance.

User response: No action is required.

AUIA037I Link to primary appliance restored.[host=host, port=port]

Explanation: The agent has reconnected to thespecified primary appliance.

User response: No action is required.

AUIA038S Link to the appliance lost.

Explanation: All attempts to connect to the appliancesspecified in the configuration have failed.

System action: Any new policies defined in theappliance will not be pushed down to the InfoSphereGuardium S-TAP for IMS agent.

User response: Verify network connectivity to theappliance. Contact your network administrator or IBMSoftware Support.

AUIA043I The Guardium policy reader threadstarted.

Explanation: The Guardium policy reader threadstarted.

User response: No action is required.

AUIA044I The guardium policy reader thread isterminating.

Explanation: The guardium policy reader thread isstopping.

User response: No action is required.

AUIA045I The guardium policy reader thread isterminating due to prior errors.

Explanation: The policy reader thread is stopping dueto previously reported errors.

User response: Check the previously issued messagesto determine why the policy reader is terminating.

AUIA046I Collection profile profile uninstalledsuccessfully.

Explanation: The specified collection profileuninstalled.

User response: No action is required.

AUIA047I Collection profile profile installedsuccessfully.

Explanation: The specified collection profile installed.

User response: No action is required.

AUIA048I auiu_taskname IS CONFIGURED TOSTART ONLY ON lpar-name.

Explanation: The configuration file pointed to by theAUICONFG DD statement contains anAUIU_EXCLUDE_LPAR statement which has the *ALLparameter supplied as the excluded LPAR name.

System action: The AUIUSTC task is scheduled onlyon the home LPAR where the agent is running.

User response: To schedule the AUIUSTC task foranother LPAR, remove or correct theAUIU_EXCLUDE_LPAR statement.

AUIA049W auiu_task_name is configured to not starton lpar_name but will be started onlpar_name because aui_agent_name runson lpar_name

Explanation: The AUIU_EXCLUDE_LPAR configurationparameter, found in the AUICONFG SAMPLIBmember, was used in an attempt to prevent the AUIUtask from executing on the LPAR named.

System action: The request to exclude this LPAR fromAUIU processing is ignored because the specified LPARis also where the agent is executing.

User response: Remove the LPAR name from theAUICONFG samplib member’s AUIU_EXCLUDE_LPARparameter. The change will be implemented at the nextrestart of the agent.

AUIA050W auiu_task_name is configured to not starton lpar_name but no such system exists.

Explanation: The specified lpar_name has beenincluded as part of the LPARS that are specified in theAUIU_EXCLUDE_LPAR configuration keyword. Thespecified lpar_name was not found in the list ofmembers of either the SYSJES or lpar_name XCF groups.

System action: Processing continues.

User response: This message might indicate that thelpar_name is not available or that there is an error inthe specified lpar_name.

AUIA051I auiu_task_name is configured to not starton lpar_name and will not be started onlpar_name.

Explanation: The AUIU_EXCLUDE_LPAR configuration,parameter found in the AUICONFG SAMPLIB member,was used in an attempt to prevent the AUIU task fromexecuting on the specified LPAR.

AUIA036I • AUIA051I

74 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 79: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

System action: An instance of the AUIU task is notrouted to the excluded LPAR.

User response: None.

AUIA052I Discovered <plex-name> system<system-name>.

Explanation: This LPAR name was found as amember of the XCF group when performing a z/OSIXCQUERY on the PLEXNAME of SYSJES XCFGROUPS.

System action: Processing continues

User response: No action is required.

Error messages and codes: AUIBxxxxThe following information is about error messages and codes that begin withAUIB.

AUIB300I CONNECTION TO z/OS SYSTEMlog_stream_type WAS SUCCESSFUL -LOG STREAM NAME: log_stream_name

Explanation: The connection to the log-stream name(log_stream_name) configured to process log_stream_typeevents completed successfully.

System action: Processing continues

User response: No action is required.

AUIB302I DRAIN REQUEST FOR typeLOGSTREAM HAS COMPLETED.LOGSTREAM: name.

Explanation: A DRAIN request, which reads all datafrom the z/OS log stream, has completed.

System action: The AUIASTC tasks prepare toterminate.

User response: No action is required.

AUIB305I DRAIN COMPLETE FOR LOG

STREAM log-stream name

Explanation: A DRAIN request used to flush read allexisting events from the log-stream-name indicated hascompleted successfully

System action: The log-stream reader thread will startthe termination phase.

User response: No action is required.

AUIB306E INVALID RECORD FOUND INlog-stream LOG STREAM -RECORDIMAGE SNAPPED TO AUI$NAP DD

Explanation: When reading DLI call audit recordsfrom the z/OS System log stream, a malformed auditrecord was encountered.

System action: Processing continues after writing aSNAP/DUMP of the offending record to the AUI$NAPDD.

User response: Forward the AUI$NAP output to IBMSoftware Support.

Error messages and codes: AUIFxxxxThe following information is about error messages and codes that begin withAUIF.

AUIF002I SMF log reader interval set to <n>seconds.

Explanation: The sub task that reads event data fromSMF log data sets is scheduled to perform every <n>seconds.

User response: No action is required.

AUIF003E Command <command> failed; intervalvalue must be between <lower-bound>and <upper-bound>.

Explanation: This message indicates that <command>such as:

/f AUIASTC,SET INTERVAL <number>

failed because of incorrect <number> value. Correctvalue must be between <lower-bound> and<upper-bound>.

User response: Use an interval value between<lower-bound> and <upper-bound>. If that does notresolve the issue, contact IBM Software Support.

AUIF501I NO NEW CATALOGED SMF DATASETS FOUND FOR SMF MASK:smf_mask_value

Explanation: When scanning the z/OS catalog for newdata sets that meet the indicated SMF mask value(smf_mask_value) and have not been processed by theproduct, it was determined that no z/OS data sets meetthat criteria.

System action: The process will continue to examineother SMF Mask values.

User response: No action is required..

AUIA052I • AUIF501I

Chapter 13. Troubleshooting 75

Page 80: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIF502I PROCESSING SMF DATA SET:smf_data_set_name

Explanation: Processing has started for a SMF dataset.

System action: Events will be obtained from the SMFdata set based on collection profile criteria.

User response: None.

AUIF503I PROCESSING COMPLETE FOR SMFDATA SET: smf_data_set_name

Explanation: Processing of the SMF data set hascompleted.

System action: Processing continues with othercandidate SMF data sets.

User response: No action is required.

AUIF505I SMF AUDITING IS DISABLED ATTHE AGENT LEVEL

Explanation: Auditing of SMF events has beendisabled at the agent level, as instructed by the settingschosen in the Guardium user interface.

System action: The auditing of events sourced fromSMF data sets is not performed.

User response: No action is required.

AUIF506I SMF AUDITING IS DISABLED ATTHE IMS LEVEL. IMS NAME: ims_name

Explanation: Auditing of SMF events has beendisabled at the IMS level for the IMS named (ims_name)by use of the Guardium interface and the IMS AuditingLevels editor.

System action: The auditing of events sourced fromSMF for the IMS named is not performed.

User response: If this is a desired action, then noresponse is needed. If SMF events should be auditedfor this IMS, then the IMS configuration should bemodified by using the Guardium interface and the IMSAuditing Levels to select any or all SMF events youwant to audit.

AUIF507E PROCESSING FAILED FOR SMF DATASET: data set name

Explanation: Processing failed during the reading ofthe data set, specified by name in the message text.

System action: The collection process terminates.

User response: Determine the cause of the failure andcorrect it by reviewing previously issued S-TAP andz/OS messages.

AUIF508I SCANNING RECON DATA SETS FORIMS ARTIFACT DATA SETS. RECON1:recon1_dsn RECON2: recon2_dsnRECON3: recon3_dsn

Explanation: The AUIFSTC task has started to scanthe RECON data sets looking for database data sets,Image copy data sets and optionally IMS SLDS to beaudited using SMF records.

System action: The RECON data sets are read usingthe specified DSN.

User response: No action is required.

AUIF502I • AUIF508I

76 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 81: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Error messages and codes: AUIGxxxxThe following information is about error messages and codes that begin withAUIG.

AUIG010S An unexpected error occurred(/path/to/file.c, linenum).

Explanation: An unknown and unexpected internalerror occurred in the product due to the specifiedtokens.

User response: Contact IBM Technical Support.

AUIG011S An unexpected error occurred withtoken "token1" (/path/to/file.c,linenum).

Explanation: An unknown and unexpected internalerror occurred in the product due to the specifiedtokens.

User response: Contact IBM Technical Support.

AUIG012S An unexpected error occurred withtokens "token1" and "token2"(/path/to/file.c,linenum).

Explanation: An unknown and unexpected internalerror occurred in the product due to the specifiedtokens.

User response: Contact IBM Software Support.

AUIG012E dataspace create returncode=return-code-hex,reason=reason-code-hex

Explanation: An attempt to create a data space forspill usage has failed. Spill capability might not beavailable.

User response: Examine the return code and reasoncode, and take appropriate action to ensure that dataspaces can be created.

AUIG013S An unexpected error occurred withtokens "token1", "token2", and "token3"(/path/to/file.c,linenum).

Explanation: An unknown and unexpected internalerror occurred in the product due to the specifiedtokens.

User response: Contact IBM Technical Support.

AUIG014S An unexpected error occurred withtokens "token1", "token2", "token3", and"token4" (/path/to/file.c,linenum).

Explanation: An unknown and unexpected internalerror occurred in the product due to the specifiedtokens.

User response: Contact IBM Technical Support

AUIG015E Failed to find host by name 'HOST' (RC= return-code, reason = hex-value).

Explanation: An attempt to resolve the givenhostname failed.

User response: Verify that the hostname is specifiedcorrectly and is resolvable. Contact IBM TechnicalSupport if hostname is correct and resolvable.

AUIG015W MALLOC: big alloc coming memory_sizefrom GDM Read Buffer

Explanation: More than 10,485,760 bytes was requiredin order to process collection policies pushed from theInfoSphere Guardium appliance.

System action: Processing continues.

User response: No action is required.

AUIG016E Failed to get socket option: option =X00000001, RC = return-code, reason =hex-value.

Explanation: An attempt to set a socket option failed.

User response: Contact IBM Technical Support.

AUIG017E Failed to set socket option: option =hex-value, level = hex-value, RC =return-code, reason = hex-value.

Explanation: An attempt to set a socket option failed.

User response: Contact IBM Technical Support

AUIG018E Failed to read data from socket:descriptor = number, address =hex-value; length = number, RC =return-code, reason = hex-value.

Explanation: An attempt to read data from a socketwas unsuccessful. This may happen if a peerdisconnects unexpectedly.

User response: If a peer has disconnected, thismessage can be ignored. If the peer is online and themessage occurs repeatedly, it may indicate an issuewith the network connection with the peer. ContactIBM Technical Support.

AUIG019E Failed write data to socket: descriptor =number, address = hex-value; length =number, RC = return-code, reason =hex-value.

Explanation: An attempt to write data to a socket was

AUIG010S • AUIG019E

Chapter 13. Troubleshooting 77

Page 82: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

unsuccessful. This may happen if a peer disconnectsunexpectedly.

User response: If a peer has disconnected, thismessage can be ignored. If the peer is online and themessage occurs repeatedly, it may indicate an issuewith the network connection with the peer. ContactIBM Technical Support.

AUIG045E Write failed, sd=bbbb desired write lenlength buffer at address, ret code xxxxreason 0xyyyyzzzz

Explanation: An attempt to read or write to a sockethas failed. This error might occur if InfoSphereGuardium S-TAP for IMS is connected to a peer that isoffline.

System action: The system attempts to reestablish theconnection to the peer in order to read or write thedata.

User response: Identify the cause of the failure byusing the z/OS UNIX System Services Messages and CodesSA23-2284-xx manual to look up the return and returncodes that are provided in the message text, where bbbbis an internal code, xxxx is the return code, andyyyyzzzz is the reason code. Use the reason code valuesuffix zzzz to determine the error code, as described inthe Reason codes (errnojrs) section of the z/OS UNIXSystem Services Messages and Codes SA23-2284-xxmanual.

AUIG050E Read failed ret code xxxx reason0xzzzzzzzz

Explanation: An attempt to read or write to a sockethas failed. This error might occur if InfoSphereGuardium S-TAP for IMS is connected to a peer that isoffline.

System action: The system attempts to reestablish theconnection to the peer in order to read or write thedata.

User response: Identify the cause of the failure byusing the z/OS USS Return Codes and Reason Codesto look up the return and reason codes that areprovided in the message text, where xxxx is the returncode and zzzzzzzz is the reason code.

AUIG201I Valid stage zero filter criteria found.

Explanation: The collection profile compilation processfound that the collection profile criteria will allow forStage zero filtering of IMS DLI events based onUSERIDs or PSB names.

System action: Processing continues.

User response: No action is required.

AUIG202I No valid stage zero filter criteria found.

Explanation: The collection profile compilation processfound that the collection profile criteria is notconducive to providing Stage Zero filtering for IMS DLIevents. The reasons may include:

v No USERIDS or PSBS were specified in the selectioncriteria.

v Multiple RULES were defined and differences in theUSERID and/or PSB specifications in each rule weredifferent.

System action: Processing continues without StageZero filtering capability.

User response: If Stage Zero filtering is desired, adjustthe USERID and PSB specifications in each rule to bethe same.

AUIGF120I Trace Settings: Compilation 0,Requested Runtime 0, ECSA Flag 32,Actual Runtime 0...

Explanation: This message is produced during thecompilation of a filter, using the policy information thatwas specified.

System action: Processing continues.

User response: No action is required.

AUIF202I No valid stage zero filter criteria found.

Explanation: This policy does not allow Stage 0filtering to occur.

System action: Processing continues.

User response: No action is required.

AUIG045E • AUIF202I

78 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 83: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Error messages and codes: AUIIxxxxThe following information is about error messages and codes that begin with AUII.

AUII017I S-TAP for V9.1 initialization completeusing RECON1 DSN: recon1_dsn

Explanation: InfoSphere Guardium S-TAP for IMS hasinitialized in the DLI/DBB batch job or IMS controlregion environment. For successful auditing to occur,the RECON1 DSN indicated in this message shouldmatch the RECON1 DSN associated with the IMSdefinition you have created.

User response: No action necessary.

AUII018E IBM InfoSphere Guardium S-TAP forIMS on z/OS initialization failed

Explanation: InfoSphere Guardium S-TAP for IMS wasunable to initialize in this IMS Control region. Themonitoring of IMS databases will not occur.

System action: IMS processing continues withoutauditing capabilities.

User response: Examine the JES log for othermessages to determine the reason for the initializationfailure.

AUII019E IBM InfoSphere Guardium S-TAP forIMS on z/OS termination failed

Explanation: InfoSphere Guardium S-TAP for IMS wasunable to terminate cleanly.

System action: The termination of the IMS onlineregion of DLI/DBB batch job step continues.

User response: This error indicates that anenvironmental error has occurred. Examine the JES logfor other AUI messages to determine the reason for thetermination failure.

AUII020E UNABLE TO FIND RECON1 DATASET NAME

Explanation: An attempt to find the RECON1 data setname used by the IMS Online control region orDLI/DBB batch job step has failed. The RECON1 dataset name is critical to the determination of thecollection profile used to audit IMS events.

System action: IMS processing continues without theIMS auditing feature.

User response: Determine why the RECON1 data setname is not available for this IMS control region orDLI/DBB batch job step. An in-stream RECON1 DDstatement must be present in the JCL, or a RECON1MDALIB member being present in the JOB/STEPLIBDD concatenation is required.

AUII021E BLDL FAILED FOR ACTION MODULEmodule_name

Explanation: An attempt to find a required processingmodule (module_name) has failed.

System action: IMS processing continues withoutauditing.

User response: Examine the STEPLIB/JOBLIB DDconcatenation to ensure the SAUIIMOD product dataset is included.

AUII022E INSUFFICENT STORAGE AVAILABLEFOR module_name ACTION MODULE(stg_type)

Explanation: An attempt to obtain storage for themodule named (module_name) has failed. The storagetype field (stg_type) indicates if the storage required is31bit or 24bit based.

System action: IMS processing continues without IMSauditing available.

User response: Increase the region size used by thejob step (REGION=).

AUII023E IMODULE DIRLOAD FAILED FORACTION MODULE module_name

Explanation: The DIRLOAD IMS service has failed.

System action: IMS processing continues withauditing.

User response: Determine the cause of the error fromthe IMS Messages and Codes manual and correct theerror. If necessary, contact IBM Software Support.

AUII024E Unable to locate IMS SCD address.

Explanation: An attempt to locate the IMS SCDduring product initialization has failed.

System action: IMS processing continues withoutauditing.

User response: Verify that you are attempting to runthe product using a supported IMS release. ContactIBM Software Support for further assistance.

AUII025E Unable to locate IMS SSCD Extensionaddress.

Explanation: An attempt to locate the IMS SSCDExtension address has failed.

System action: IMS processing continues withoutauditing.

User response: Verify that you are attempting to run

AUII017I • AUII025E

Chapter 13. Troubleshooting 79

Page 84: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

the product using a supported IMS release. ContactIBM Software Support for further assistance.

AUII026E UNABLE TO LOCATE THIS IMS SSCTADDRESS

Explanation: The IMS SCCT address cannot be locatedby the IMS S-TAP initialization process.

System action: IMS processing continues withoutauditing capabilities.

User response: Contact IBM Software Support.

AUII027E INSUFFICIENT STORAGE AVAILABLEFOR AUIPLOG CONTROL BLOCK

Explanation: An attempt to obtain E/CSA to hold theAUIPLOG module has failed.

System action: IMS processing continues withoutauditing.

User response: Investigate E/CSA usage on the LPAR.

AUII028E IMODULE LOAD OF ACTIONMODULE module_name FAILED

Explanation: An attempt to LOAD modulemodule_name using IMS services has failed.

System action: An attempt to LOAD modulemodule_name using IMS services has failed.

User response: Verify that the SAUIIMOD productdata set is available in the STEPLIB/JOBLIB data setconcatenation. Contact IBM Software Support forfurther assistance.

AUII029E DFSTCBTB LOCATE SERVICE CALLFAILED

Explanation: A call to the IMS DFSTCBTB service hasfailed.

System action: IMS processing continues withoutauditing.

User response: Contact IBM Software Support.

AUII031E STAP FOR IMS INTERNAL LOGICERROR (rc)

Explanation: InfoSphere Guardium S-TAP for IMSinitialization found a logic error.

System action: IMS processing continues withoutauditing.

User response: Contact IBM Software Support.

AUII038E ITASK CREATE FOR ACTIONMODULE module_name FAILED

Explanation: DA call to the DFSCIR IMS service tocreate an ITASK has failed.

System action: IMS processing continues withoutauditing.

User response: Contact IBM Software Support.

AUII040E ODBA LOAD OF DFSISSI0 FAILED

Explanation: An attempt to LOAD IMS moduleDFSISSI0 has failed.

System action: IMS processing with auditingcontinues. The product will be unable to determine thecorrect USERID for events driven from ODBA threads.

User response: Contact Software Support.

AUII041E ODBA HOOK POINT NOT FOUND(module_name)

Explanation: An attempt to locate a hook point in theindicated module (module_name) has failed.

System action: IMS processing with auditingcontinues. The product will be unable to determine thecorrect USERID for events driven from ODBA threads.An output DD: AUI$NAP is dynamically allocated toSYSOUT, and the area where the hook point was to belocated is snapped out to this AUI$NAP DD.

User response: Provide the AUI$NAP output to IBMSoftware Support.

AUII042E ODBA HOOK POINT NOT FOUND(module_name)

Explanation: An attempt to locate a hook point in theindicated module (module_name) has failed.

System action: IMS processing with auditingcontinues. The product will be unable to determine thecorrect USERID for events driven from ODBA threads.An output DD: AUI$NAP is dynamically allocated toSYSOUT, and the area where the hook point was to belocated is snapped out to this AUI$NAP DD.

User response: Provide the AUI$NAP output to IBMSoftware Support.

AUII042W ZIIP PROCESSOR NOT AVAILABLEON THIS LPAR

Explanation: The AUIZIIP DD statement has beenfound in the IMS Control Region JCL, which indicatesthat the zIIP processor should be considered for usewhen filtering DLI calls and writing to the z/OSSystem Logger. IMS STAP has determined that zIIPprocessing is not available on this LPAR.

AUII026E • AUII042W

80 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 85: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

System action: Processing continues exclusively usinggeneral processors.

User response: Remove the AUIZIIP DD statementand restart the IMS sub-system.

AUII043W THIS IMS IS NOT CONNECTED TOWORKLOAD MANAGER

Explanation: A request to process DLI call filteringand z/OS System Logger writes on a zIIP processor hasbeen rejected as the IMS sub-system is not connected tothe z/OS Workload Manager.

System action: Processing continues exclusively usinggeneral processors.

User response: No action is required.

AUII044E ZIIP PROCESSING REQUEST HASBEEN REJECTED

Explanation: A request to process DLI call filteringand z/OS System Logger writes on a zIIP processor hasbeen rejected.

System action: Processing continues exclusively usinggeneral processors.

User response: Review previously issued AUIImessages to determine the root cause of the requestrejection.

AUII046E NAME/TOKEN SERVICE service-nameSERVICE FAILED (name value)

Explanation: An attempt to drive the z/OSname/token service has failed.

System action: IMS processing continues withoutauditing.

User response: Contact IBM Software Support

AUII049E DEDB CALL ANALYSIS INIT FAILURERC = return code

Explanation: An attempt insert product code in theDEDB call analysis area has failed.

System action: IMS processing with DEDB eventauditing disabled. An output DD: AUI$NAP isdynamically allocated to SYSOUT, and the area wherethe code insertion was to be located is snapped out tothis AUI$NAP DD.

User response: Provide the AUI$NAP output to IBMSoftware Support.

AUII050I S-TAP FOR IMS AUDIT STATISTICS

Explanation: This message provides statisticsregarding the number of DLI events which have beenprocessed. This message is issued when:

v The number of DLI calls specified in the messagefrequency section of the Guardium client's IMS DataSet definition screen has been reached.

v The time specified in the AUII050I messagefrequency section of the Guardium client's IMS DataSet definition screen has elapsed.

v The collection profile for the IMS is made in active.

v The DLI/DBB batch job or IMS Online ControlRegion terminates.

The description of values are as follows:

DLI CALLS RECEIVEDThis value indicates the number of IMS DLIcalls which had the potential of being audited.This number may be more or less than thenumber of actual DLI calls performed as:

v DLI PATH calls which effect multiplesegments within a hierarchical path aretreated and counted as individual DLI calls.

v DLI calls types which are not included inany RULE of the active collection profile arenot counted as they are immediatelyrejected.

DLI CALLS AUDITEDThis value indicates the number of IMS DLIcalls which resulted in a DLI event beingwritten to the z/OS System Logger Log-streamfor transmittal to the Guardium Appliance.

IXGWRITE ERRORSThis value indicates the number of z/OSSystem Logger IXGWRITE calls which havefailed. One of more AUIJ304E messages willprecede the issuance of the AUII050I messageif the number of IXGWRITE errors is greaterthan zero. A non-zero value for the IXGWRITEERRORS and a zero value for the DLI CALLSLOST DUE TO IXGWRITE ERRORS section ofthis message indicates that the IXGWRITEerrors were subsequently retried and theIXGWRITE calls were then completedsuccessfully.

DLI CALLS LOST DUE TO IXGWRITE ERRORSA non-zero value in this section indicates thatDLI calls which were audited and either:

v Could not be placed into a log-stream databuffer (indicated by the issuance of messageAUIJ307A).

v Audited events already in the data buffercould not be written to the z/OS SystemLogger Log-Stream using the IXGWRITEcall and the collection profile for the IMShas been deactivated or the DLI/DBB batchjob or IMS Online Control region has beenterminated (indicated by the issuance ofmessage AUIJ304E).

System action: Processing continues.

AUII043W • AUII050I

Chapter 13. Troubleshooting 81

Page 86: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

User response: No action is required. This is aninformational message only.

AUII055I ZIIP PROCESSING HAS BEENREQUESTED FOR IMS STAP

Explanation: The AUIZIIP DD statement has beenfound in the IMS Control Region JCL, which indicatesthat the zIIP processor should be considered for usewhen filtering DLI calls and writing to the z/OSSystem Logger.

System action: IMS STAP attempts to create anenvironment to support zIIP processing.

User response: If this was not intended, remove theAUIZIIP DD statement and restart the IMS sub-system.

AUII056I ZIIP PROCESSING ENABLED FORIMS STAP

Explanation: The request for zIIP support for IMSSTAP and this IMS Control Region has been acted onand all initialization processes have completedsuccessfully.

System action: IMS STAP will schedule DLI callfiltering and writes to the z/OS System Logger as azIIP eligible enclave SRB.

User response: If this was not intended, remove theAUIZIIP DD statement and restart the IMS sub-system.

AUII057I processs_type PROCESSING FAILED RC:return_code RSN: reason_code

Explanation: The AUIZIIP DD statement has beenfound in the IMS Control Region JCL, which indicatesthat the zIIP processor should be considered for usewhen filtering DLI calls and writing to the z/OSSystem Logger. A process (process_type) used to enablezIIP processing has failed.

System action: The request to enable zIIP processingis rejected and general processor will be used.

User response: Review IBM supplied documentationfor the process which failed using the return andreason codes (return_code/reason_code) to determine thecause of the failure.

AUII058A STAP FOR IMS COMPONENT HASABENDED

Explanation: The S-TAP for IMS component hasabnormally ended, causing auditing to disable.

User response: Contact IBM Software Support

AUII120I NO COLLECTIONS ACTIVE FOR THISIMS INSTANCE

Explanation: Initialization has completed successfullyfor the IBM InfoSphere Guardium S-TAP for IMSproduct but no collections were found that pertain tothis batch job or IMS control region.

System action: Processing continues.

User response: No action is required.

AUII172I AUIprogram LOADED EXIT imsexitFROM DATA SET: data set name

Explanation: The AUIprogram named found anoccurrence of the imsexit later within theJOBLIB/STEPLIB concatenation, and has loaded it.

System action: The imsexit will be invoked with R13pointing to the save area originally provided by IMS, aswell as its own 512 byte work area, provided in theSXPLAWRK field of the IMS Standard User ExitParameter list, immediately following each execution ofAUIprogram.

User response: For the imsexit to run, no action isrequired. If the imsexit should not be run in thisenvironment, remove the data set from theJOBLIB/STEPLIB concatenation and restart the IMScontrol region or batch job.

AUII173E IMS RELEASE ims-vrl IS NOTSUPPORTED

Explanation: The IMS release being used is notsupport by this version of the product.

System action: IMS processing continues withoutauditing.

User response: Review supported IMS releases for therelease of this product.

AUII174E LOAD OF SERVICE MODULEmodule_name FAILED RC = return_code

Explanation: LOAD OF SERVICE MODULEmodule_name FAILED RC = return_code

User response: Ensure that the SAUIIMOD productdata set is included in the STEPLIB/JOBLIB DDconcatenation.

AUII175I NON_ZERO RC FROM EXIT exit_name:RC = return_code

Explanation: The exit_name indicated returned anon-zero return code value of return_code as specified.

System action: The return code value is returned toIMS.

User response: Correct the exit_name program if thenon-zero value was returned in error. Review the IMS

AUII055I • AUII175I

82 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 87: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Customization Guide or IMS Exit Routine Reference formore information.

AUII176E module_name service_type SERVICEERROR: RC: return_code RS: reason_code

Explanation: The service_type invoked by the specifiedmodule_name has failed.

System action: IMS processing continues withoutauditing.

User response: Review all subsequent AUI errormessages to diagnose the problem.

AUII177E module_name FOUND WITHRENT/REUS ATTRIBUTE IN NON_APFENVIRONMENT

Explanation: Program module_name had the

RENT/REUS attribute on in a non-APF-Authorizedenvironment. InfoSphere Guardium S-TAP for IMS isunable to load the program.

System action: Processing continues with the exitcascading feature disabled.

User response: Re-link the exit with the NOREUSEattribute.

AUII1778E DATA SET NAME: dsn

Explanation: This message is issued in conjunctionwith a previous message (for example, AUII176E) toindicate an associated data set.

User response: Check the log for the previouslyissued, associated message and take the action that isadvised in that message.

Error messages and codes: AUIJxxxxThe following information is about error messages and codes that begin with AUIJ.

AUIJ005W UNABLE TO LOAD MESSAGE TABLEtable_name RSN: reason_code WILL USEAUIMGENU

Explanation: An attempt to perform a z/OS LOAD ofthe message table named (table_name) failed. The reasonfor the failure is described in the reason code field(reason_code). The default U.S. English message tablewill be used. This message follows the AUI006Emessage.

System action: Processing continues while using theU.S. English message table.

User response: Determine and correct the cause of themessage table load failure.

AUIJ006E LOAD FAILED FOR MESSAGE TABLEtable_name RSN: reason_code

Explanation: A z/OS LOAD attempt failed for themessage table (table_name) indicated.

System action: If the table name is the U.S. Englishmessage table, (AUIMGENU) processing will terminate.Other table names will cause the product to attempt touse the U.S. English message table after issuing theAUIJ005W message continue processing.

User response: Determine and correct the cause of themessage table load failure.

AUIJ007E PROGRAM program_name IS NOTEXECUTING APF-AUTHORIZED

Explanation: The program specified requiresAPF-Authorization to perform its function.

System action: The program terminates.

User response: Ensure that all data sets includedwithin the STEPLIB DD concatenation of the JCL wherethis message appeared are APF authorized.

AUIJ008I ATTEMPTING TO CONNECT TO THEGUARDIUM S-TAP APPLIANCE

Explanation:

TCP/IP Addressip_address

PORT port–number

PING RATEping_rate

An attempt is being made to establish a connectionwith the Guardium S-TAP appliance using the namedTCP/IP address (ip_address) and PORT number(port_number).

PING RATE (ping_rate) indicates how often a messageis sent to the appliance to provide the appliance withconfirmation that the connection is active. The PINGSare sent at the rate indicated (ping_rate) which is shownin hour, minutes, and second (hh:mm:ss) format.

System action: The connection to the GuardiumS-TAP appliance is attempted.

User response: None.

AUIJ009E LOAD FAILED FOR MODULEmodule_name. R1: abend_code R15:reason_code

Explanation: An attempt to perform a z/OS LOAD ofthe named module (module_name) has failed

AUII176E • AUIJ009E

Chapter 13. Troubleshooting 83

Page 88: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

System action: The function terminates.

User response: Ensure that all required product datasets are included in the STEPLIB DD concatenation ofthe JCL where this message appeared. The value in R1(abend-code) indicates the ABEND code that would haveoccurred if the failure had not been trapped by theproduct. The value in R15 (reason_code) indicates thereason code associated with the abend. Documentationregarding the abend codes and possible resolutions canbe found in the IBM z/OS MVS™ System Code manual orequivalent.

AUIJ010E AGENT RECORD MISSING FROMREPOSITORY. AGENT NAME:agent_name

Explanation: An attempt to read an agent record fromthe repository failed as the record was not found. Thiscan occur if an agent record has been deleted throughthe use of the Guardium user interface while functionsare occurring that require information from the agentrecord.

System action: The request fails.

User response: Use the Guardium user interface toverify that the agent definition has been deleted.

AUIJ011I function_type CALL TO GUARDUIMS_TAP APPLIANCE SUCCESSFUL

Explanation: The function request (function_type) tothe Guardium S-TAP appliance completed successfully.This message usually follows the AUIJ008I messageindicating that the connection request has beeninitiated.

Function request values which may be displayed are:

INIT-DLIBConnection request from the tasks whichtransmits DLI/DBB batch events.

INIT-DLIOConnection request from the task whichtransmits IMS Online DLI events.

INIT_LOGConnection request from the task whichtransmits IMS Archive log events.

INIT-SMFConnection request from the task whichtransmits SMF events.

System action: Processing continues.

User response: None.

AUIJ012I NUMBER OF event_type EVENTS SENTTO APPLIANCE: counter

Explanation: This message is issued every 100,000events sent to the appliance or approximately every 18minutes. It provides a status of data being collectedand sent to the Guardium S-TAP appliance. The countprovided (counter) is the number of events since the lastmessage was issued. The type of events (event_type)may include DLIB (events captured from IMS DLI/DBBbatch jobs), DLIO (events captured from IMS Onlineregions) SMF (events captured from SMF auditing),IMSL (events captured from IMS archive logprocessing), and MLOG (missing IMS logs foundduring IMS Archive log processing).

System action: Processing continues.

User response: None.

AUIJ013E stap_call TO GUARDUIM S-TAPAPPLIANCE FAILED (call source) IPADDRESS: ip_address STAP_RC = rc1STAP_RS = rs1 GDM_RC = rc2 PB_RC =rc3 GDML_RC = rc4 GDML_RS = rs2

Explanation: The requested call (call_type) to theGuardium S-TAP appliance has failed. A non-zero valueGDM_RC field indicates an error.

System action: The process terminates.

User response: Determine the cause of the failure bychecking the return and reason code.

v If GDM_RC is not zero, one or more of the PB_RC,GDML_RC and GDML_RS will be set.

v If STAP_RC and STAP_RS are zero but GCM_RCand/or PB_RCis not zero, an internal error isindicated. Contact IBM Software Support.

v If STAP_RC and STAP_RS are not zero, contact IBMSoftware Support.

AUIJ014E OPEN FAILED FOR DD dd_name

Explanation: A z/OS OPEN of the data set(s)referenced by the DD named (dd_name) failed.

System action: Processing terminates.

User response: Examine the JES log for z/OS issuedIEA messages issued regarding this DD statement andtake appropriate action.

AUIJ015E THIS IMS RELEASE IS NOTSUPPORTED. IMS NAME: ims-nameVRL: ims_version

Explanation: The IMS named (ims-name) was found tobe of a release which is not supported by this versionof the product.

System action: Processing terminates.

User response: Review the software requirements

AUIJ010E • AUIJ015E

84 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 89: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

documented in this user's guide for a list of IMSreleases support by this version of the product.

AUIJ016E UNABLE TO INITIALIZE APPLIANCEINTERFACE

Explanation: An attempt to establish a connectionwith the appliance has failed.

System action: Processing terminates.

User response: This error is usually due to theTCP/IP address specified in the <appliance-server>parameter of the AUICONFG or other member used inthe AUICFG DD statement used to provide the agentwith configuration information being incorrect. Thiserror may also occur if the target of the TCP/IPaddress is unresponsive.

AUIJ017I PRIMARY STAP CONNECTIONRESTORED - SUCCESSFULLYCONNECTED TO IP ADDRESS:ip_address- PORT : port

Explanation: Multiple appliances are defined toInfoSphere Guardium S-TAP for IMS, and the primaryappliance (ip_address + port) was unavailable for someperiod of time. This message indicates that the primaryappliance has become available and is now being used.

System action: Processing continues sending data tothe primary appliance.

User response: No action is required.

AUIJ018W PREVIOUS STAP CONNECTIONFAILED - SUCCESSFULLYCONNECTED TO IP ADDRESS:ip_address - PORT : port

Explanation: Multiple appliances are defined to theIMS STAP the connection to the “active” appliance hasfailed. This message indicates that another secondaryappliance (ip_address + port) is now active.

System action: Processing continues sending data tothe secondary appliance.

User response: No action is required.

AUIJ019E STAP CONNECTION FAILED: NOCONNECTIONS AVAILABLE - IPADDRESS: ip-address - PORT : port

Explanation: The connection to the active appliance(ip_address + port) has failed and there are nosecondary appliances available for use.

AUIJ020I All EVENTS HAVE BEEN WRITTENFROM SPILL AREA TO APPLIANCE

Explanation: All audited events that were buffered tothe spill area have been sent to the appliance.

User response: None.

AUIJ021W EVENTS ARE BEING WRITTEN TOTHE SPILL AREA

Explanation: A connection to the appliance has beeninterrupted, and the spill area is being used to bufferaudited events until the appliance connection can bereestablished

System action: Processing continues. Audited eventsare buffered in the spill area.

User response: Investigate the cause of the applianceconnection interruption and correct.

AUIJ022W SPILL AREA IS FULL: EVENT DATA ISBEING LOST

Explanation: A connection to the appliance wasinterrupted. The spill area was being used to bufferaudited events until the appliance connection can bereestablished. The number of audited events that weregenerated exceeded the number that could be held inthe spill area.

System action: Processing continues. Audited eventsare discarded.

User response: Investigate the cause of the applianceconnection interruption and correct. Look for messageAUIJ024W, which is issued at task termination or whena connection is reestablished, for the number of lostevents.

AUIJ023E SPILL AREA IS NOT AVAILABLE

Explanation: An attempt to use the spill area to bufferaudited events is unsuccessful.

System action: Processing continues. Audited eventsare discarded.

User response: Specify a value of 1 through 1024 inthe SAUISAMP AUICONFG member <SPILL-SIZE>parameter. Review any z/OS error or warningmessages that might indicate why the spill areaallocation failed.

AUIJ024W NUMBER OF type EVENTS LOST count

Explanation: Attempts to buffer audited events in thespill area have failed. This message indicates the typeof audited events (DLIO, DLIB, SMF etc) which werelost (type), and the number that were lost (count).

System action: Processing continues. Audited eventsare discarded.

AUIJ016E • AUIJ024W

Chapter 13. Troubleshooting 85

Page 90: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

User response: Investigate the cause of the applianceconnection interruption and correct.

AUIJ042W ZIIP PROCESSING NOT AVAILABLEON THIS LPAR (type)

Explanation: A request to process data, using a zIIPenabled enclave, has failed because the WorkloadManager feature is not available.

System action: Processing continues, using GCPU(General Central Processor Unit) services.

User response: Remove the ZIIP_AGENT_DLI(Y)keyword from the configuration file that is in use, orchange the parameter from Y to N.

AUIJ044W ZIIP PROCESSING REQUEST HASBEEN REJECTED

Explanation: An attempt to create a zIIP enabledenclave has failed.

System action: Processing continues using GCPUservices.

User response: Determine the cause of the failure byreviewing previously issued AUIJ0331E messages andtake corrective action.

AUIJ055I ZIIP PROCESSING REQUESTED FORtype PROCESSING

Explanation: The use of a zIIP enabled enclave hasbeen requested by the use of the ZIIP_AGENT_DLI(Y)configuration file keyword.

System action: An attempt is made to create theenclave.

User response: No action is required.

AUIJ056I ZIIP PROCESSING ENABLED FORtype PROCESSING, ENCLAVE TOKEN:value

Explanation: A zIIP enabled enclave has beenrequested and successfully created.

System action: Processing continues.

User response: No action is required.

AUIJ057W ZIIP PROCESSING FOR type EVENTSHAS BEEN DISABLED DUE TOERRORS - PROCESSING WILLCONTINUE USING GCPU

Explanation: zIIP processing was requested, howeverdue to previously reported errors, this mode ofprocessing could not be enabled.

System action: Processing continues using GeneralCentral Processing Unit (GCPU) resources only.

User response: Review the processing log looking forerror and warning messages that were issued prior tothis message to help determine why zIIP processingcould not be initiated.

AUIJ201E VSAM ERROR ENCOUNTERED

Explanation:

FUNCTIONvsam_function

RPL/RECORD TYPErpl/record_value

R15 return_code

R0 reason_code

CSI-CALLfunction_call

SUBRTNpgm_routine

While accessing the VSAM repository, an internal logicerror was encountered.

System action: Processing terminates.

User response: There are no user actions available forthis failure. Contact IBM Software Support with thecontent of this message.

AUIJ202E VSAM ERROR ENCOUNTERED

Explanation: While accessing the VSAM repository, aninternal logic error was encountered.

FUNCTION:vsam_function

R15: return_code

ACBOFLGS:acboflag_value

CSI-CALL:function_call

SUBRTN:pgm_routine

System action: Processing terminates.

User response: There are no user actions available forthis failure. Contact IBM Software Support with thecontent of this message.

AUIJ203E VSAM ERROR ENCOUNTERED

Explanation: While accessing the VSAM repository, aninternal logic error was encountered.

FUNCTION:vsam_function

AUIJ042W • AUIJ203E

86 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 91: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

RPL/RECORD TYPErpl/record_value

FDBWD:rpl_fdbwd

OPTCD:rpl_optcd

CSI-CALL:function_call

SUBRTN:pgm_routine

System action: Processing terminates.

User response: There are no user actions available forthis failure. Contact IBM Software Support with thecontent of this message.

AUIJ250I AUDITING IMS EVENTS.COLLECTION PROFILE NAME:collection_profile_name IMS NAME:ims_name AGENT NAME: agent name

Explanation: The auditing of IMS events is proceededusing the collection profile named(collection_profile_name) which is associated with theIMS definition (ims_name). The agent name indicateswhich agent is processing the audited data.

System action: Auditing continues.

User response: No action is required.

AUIJ25IE COMPILED FILTER BUILD FAILED.COLLECTION PROFILE NAME :collection _profile_name RC: return_codeRSN: reason_code

Explanation: An attempt at building a compiled filterusing the collection profile named(collection_profile_name) failed.

System action: Processing terminates, auditing willnot be performed.

User response: Contact IBM Software Support.

AUIJ303W request_type REQUEST FOR LOGSTREAM log_stream_name FAILED -WILL CONTINUE TO RETRY

Explanation: A request (request_type) made to theindicated log stream (log_stream_name) has failed. Thisis a recoverable situation and the request will beretried.

System action: Processing will continue with therequest being retried.

User response: No action is required.

AUIJ304E IXGWRITE REQUEST FOR<log-stream-name> FAILED

Explanation: An attempt to write to the z/OS SystemLogger log-stream using the IXGWRITE function hasfailed.

System action: One occurrence of this message isissued once per error type (RC + RSN) within the eachissuance of message AUII050I. IXGWRITE callscontinues until the collection policy for the IMS systemis uninstalled, or the DLI/DBB batch job or IMS controlregion terminates.

User response: Examine the description of theIXGWRITE error using the RC and RSN codesprovided in the IBM z/OS MVS Programming:Assembler Services Reference, Vol. 2 (IAR-XCT) orequivalent, under the IXGWRITE Macro description,and take corrective action. The most common reasonfor the appearance of this message is the volume andthe rate (number of events per second) of DLI eventsexceeds the capacity of the current z/OS SystemLogger logstream definition.

AUIJ307A AUDITED EVENTS ARE BEING LOSTDUE TO IXGWRITE ERRORS AND/ORBUFFER SHORTAGES

Explanation: A number of attempts to write auditedevents to the z/OS System Logger Log-stream havefailed which has caused has resulted in available spacein the data buffers being exhausted. This has resultedin DLI events which are to be audited to be discarded.

System action: DLI events continue to be audited atattempts to write exiting data buffers to the z/OSSystem Logger Log-stream until. The number of DLIevents which were rejected are noted in subsequentAUII050I message.

User response: Review any AUIJ304E messages whichhave been issued to determine the cause of the z/OSSystem Logger Log-stream Write failures.

AUIJ330E REQUIRED DATA SET IS NOTCATALOGED. - TYPE: dsn_type, DSN:data_set_name

Explanation: The data set name indicated(data_set_name) was not found in the z/OS catalog.

System action: Processing terminates

User response: Specify the name of a cataloged dataset.

AUIJ331E service_name SERVICE FAILED - RC:return_code - RSN: reason_code

Explanation: A z/OS service (service_name) failedwhen executed.

System action: Processing terminates.

AUIJ250I • AUIJ331E

Chapter 13. Troubleshooting 87

Page 92: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

User response: Determine the cause of the failure byusing the return and reason codes provided. ContactIBM Software Support for additional assistance.

AUIJ332E DATA SET IS NOT VALID WITHINCONTEXT USED - TYPE: data_set_type,DSN: data_set_name, REASON: reason

Explanation: The data set indicated (data_set_name) isnot of a type valid for use where it is defined. Thereason for the rejection of this data set is found in theREASON field (reason).

System action: Processing terminates

User response: Specify a data set of the correct type.

AUIJ333E Service SERVICE FAILED for DATA SET:dsn - R15: return_code

Explanation: A z/OS LOCATE or OBTAIN servicefailed when it was run against the specified data setdsn.

System action: Processing terminates.

User response: Ensure that the data set names exists,and has not been migrated. Determine the cause of thefailure by examining the LOCATE/OBTAIN MACROreturn codes found in the IBM DFSMSdfp AdvancedServices manual. Contact IBM Software Support foradditional assistance

AUIJ356E CANNOT EDIT AN record_type(record_key) WITH AN ACTIVEPROFILE - PROFILE:collection_profile_name

Explanation: An attempt to edit an IMS or agentdefinition has been rejected as the modification of anIMS or agent definition is prohibited while the entityhas active profiles.

System action: The edit request is rejected.

User response: To edit an IMS definition, uninstall thecollection policy. For agents, you must uninstall allactive policies against all IMS definitions.

AUIJ357E CANNOT DELETE AN record_type(record_key) WITH AN ACTIVEPROFILE - PROFILE:collection_profile_name

Explanation: An attempt to delete an IMS or agentdefinition has been rejected because the deletion of anIMS or agent definition is prohibited while the entityhas active collections.

System action: The delete request is rejected.

User response: To delete an IMS definition, uninstallthe collection policy. For agents, you must uninstall allactive policies against all IMS definitions.

AUIJ400E INSUFFICIENT MEMORY - MODULENAME: program_name - MEMORYSEGMENT TYPE: seg_type

Explanation: An attempt at obtaining memory inprogram (module_name) has failed due to insufficientmemory being available.

System action: Processing terminates

User response: Increase the region size of the startedtask where this message appeared. Restart the startedtask and retry the request.

AUIJ401E MODULE module_name FAILEDDURING ATTACH of program_name -RETURN CODE: return_code

Explanation: An attempt to perform a z/OS ATTACHof the program_name by module module_name hasfailed.

System action: Processing terminates.

User response: Determine the cause of the failure byusing the return code (return_code) provided. Correctand restart the task that issued the message. ContactIBM Software Support for further assistance if need.

AUIJ402E CATALOG SERVICE REQUEST FAILED- MODULE NAME: module_name - RC:return_code RSN: reason_code

Explanation: An attempt use the catalog interface hasfailed.

System action: Processing terminates

User response: Contact IBM Software Support.

AUIJ403E DYNAMIC ALLOCATION FAILURE -FUNCTION : function_code - DSN:data-set-name - RC: return_code RSN:reason_code

Explanation: An attempt to issue a dynamic allocationfunction (function_code) using the data set nameindicated (data_set_name) has failed.

System action: Processing terminates.

User response: Using the return_code and reason_codedetermine the cause for the failure. Correct and retrythe request.

AUIJ404E DYNAMIC ALLOCATION FAILURE -FUNCTION: function_code -DDN:dd_name - RC: return_code RSN:reason_code

Explanation: An attempt to issue a dynamic allocationfunction (function_code) using the DD name indicated(dd_name) has failed.

System action: Processing terminates.

AUIJ332E • AUIJ404E

88 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 93: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

User response: Using the return_code and reason_codedetermine the cause for the failure. Correct and retrythe request.

AUIJ406W TOO MANY RULES SPECIFIED INPOLICY, REQUEST HAS BEENTRUNCATED. POLICY: policy_name.RULE LIMIT: max_number_ofrules_allowed

Explanation: Preprocessing of the rules associatedwith the indicated policy (policy_name) determined thatthe number of rules that were specified in the policyexceeded the rule limit of max_number_of rules_allowed.Allowing an excessive number of rules causes memoryconstraint and performance issues.

System action: The contents of subsequent rules arediscarded. Processing continues using all previous rulecontent.

User response: Review the rules that are included inthe policy, and edit the policy to combine the rulecontent where permissible. If the resulting policy stillrequires a greater number of rules than the rule limitpermits, contact IBM Software Support.

AUIJ407I number_of_datasets ADDED TO POLICYpolicy_name FILTER

Explanation: This message provides the number ofdata set names that are used as input when buildingthe compiled filter for SMF processing.

System action: Processing continues.

User response: No action is required.

AUIJ500I STARTING cycle_type CYCLE

Explanation: The task is starting the processing cyclespecified.

System action: Processing starts for the cyclespecified.

User response: No action is required.

AUIJ501I NO NEW CATALOGED SMF DATASETS FOUND FOR SMF MASK: -smf_mask_value

Explanation: The SMF processing cycle hasdetermined that no new, unprocessed data sets whichmeet the SMF mask value have been found.

System action: The task waits for the start of the nextcycle.

User response: No action is required.

AUIJ502I PROCESSING SMF DATA SET :smf_data_set_name

Explanation: The SMF processing cycle has found anew, unprocessed data set which met the SMF maskvalue, and is beginning to process it.

System action: The data set is read looking for SMFevents to report.

User response: No action is required.

AUIJ503I PROCESSING COMPLETE FOR SMFDATA SET: smf_data_set_name

Explanation: The SMF cycle has completed processingthe data set.

System action: Any other unprocessed SMF data setswill be processed; if not, others are found. The cycleterminates.

User response: No action is required.

AUIJ504I cycle_type CYCLE COMPLETE

Explanation: The cycle has completed.

System action: The task waits for the start of the nextcycle.

User response: No action is required.

AUIJ505I SMF AUDITING IS DISABLED ATTHE AGENT LEVEL

Explanation: No SMF events were selected to beaudited by this agent.

System action: The task waits for the start of the nextcycle.

User response: No action is required.

AUIJ506I SMF AUDITING IS DISABLED ATTHE IMS LEVEL - IMS NAME:ims_name

Explanation: No SMF events were selected to beaudited by the IMS indicated.

System action: Processing continues with any otherIMS systems with active collections. If none exist, theprocessing cycle completes.

User response: No action is required.

AUIJ520E NAME/TOKEN SERVICE service-nameSERVICE FAILED (name value)

Explanation: The name/token service failed.

System action: Processing terminates.

User response: Contact IBM Software Support.

AUIJ406W • AUIJ520E

Chapter 13. Troubleshooting 89

Page 94: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIJ521W CONTROL BLOCK AUIDCCOM NOTFOUND

Explanation: A critical E/CSA control block was notfound.

System action: Processing terminates.

User response: Contact Software Support.

AUIJ522E INSUFFICIENT E/CSA STORAGEAVAILABLE FOR control_blockCONTROL BLOCK

Explanation: Insufficient E/CSA storage was availableto hold the specified control block.

System action: Processing terminates.

User response: Determine the cause of the E/CSAshortage.

AUIJ523W NO AUDITED IMS SYSTEMS FOUND

Explanation: : No active collections were found on theLPAR.

System action: No audited events will be found.

User response: If this is expected, then no action isrequired. View the list of active collections using theGuardium User Interface to determine if any collectionsare active.

AUIJ600I NO NEW CATALOGED IMS LOGDATA SETS FOUND

Explanation: The IMS Archive Log processing cyclehas determined that no new, unprocessed data setshave been found.

System action: The task waits for the start of the nextcycle.

User response: No action is required.

AUIJ601I PROCESSING IMS LOG DATA SET :ims_log_data set_name

Explanation: The IMS Archive log processing cyclehas found a new, unprocessed data set and isbeginning to process it.

System action: The data set is read looking for IMSLog events to report.

User response: No action is required.

AUIJ602I PROCESSING COMPLETE FOR IMSLOG DATA SET : ims_log_data set_name

Explanation: The IMS Archive log cycle has completedprocessing the data set.

System action: Any other unprocessed IMS Log data

sets will be processed. If not others are found. Thecycle will terminate.

User response: No action is required.

AUIJ603I SCANNING RECON DATA SET FORIMS LOGS TO PROCESS - RECON1:recon1_dsn - RECON2: recon2_dsn -RECON3: recon3_dsn

Explanation: The IMS Archive log cycle is reading theRECON data sets to determine if any new, unprocesseddata sets exist which required processing.

System action: The RECON data sets are read usingnative VSAM services.

User response: No action is required.

AUIJ604E IMS RECORD MISSING: IMS NAME:ims_name

Explanation: A critical error has occurred where theIMS definition record is no longer found in therepository and is needed for further processing.

System action: Processing terminates.

User response: No action is required.

AUIJ605I RECON DATA SET SCANCCOMPLETE

Explanation: The RECON data sets have been read.This phase of processing is complete.

System action: Processing continues.

User response: No action is required.

AUIJ609I event_types ARE BEING EXCLUDED(excluded_by)

Explanation: If the excluded_by value is AGENT, thenthe reporting of event_types is excluded due to thespecification of certain configuration keywords. If theexcluded_by value is IMS, these events are excluded asdirected by the IMS definition.

System action: Occurrences of these event types arenot reported.

User response: If you want to view reports of thisevent type, review and modify the agent configurationfile (SMF_AUDIT_LEVELS or IMSL_AUDIT_LEVELSkeywords) or the Guardium system IMS definition,using the Auditing Levels tab.

AUIJ800E REQUIRED DD STATEMENT ISMISSING: dd-name

Explanation: A critical error has occurred due to amissing DD statement.

System action: Processing terminates.

AUIJ521W • AUIJ800E

90 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 95: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

User response: This may occur if a product JCL hasbeen edited and a DD statement has been deleted oromitted. If this is not the case, check for any dynamicallocation error messages. If none are present, or arenot user resolvable, contact IBM Software Support.

AUIJ850E VSAM function ERROR - DDN:dd_name - RC: return_code RSN:reason_code

Explanation: A critical error has occurred whenprocessing the VSAM repository

System action: Processing terminates.

User response: Contact IBM Software Support.

AUIJ860E VSAM FILE DEFINITION ERROR -DDN: dd_name - REASON:definition_error

Explanation: When validating the VSAM repository,an allocation definition error was found.

System action: Processing terminates.

User response: The VSAM repository requires specificvalues for the attribute, LRECL, key length and keyposition. Review the SAUISAMP product distributiondata set member AUISJ001 for the correct file definitionspecifications.

AUIJ999E AN INTERNAL LOGIC ERROR HASOCCURRED - MODULE: module_nameRSN: reason_code

Explanation: An internal logic error has occurred.

System action: Processing terminates

User response: Contact IBM Software Support.

Error messages and codes: AUILxxxxThe following information is about error messages and codes that begin withAUIL.

AUIL001S module-name: GETMAIN failed

Explanation: The module module-name could notobtain virtual storage

User response: Increase Region size.

AUIL002I Archive log reader interval set to <n>minutes.

Explanation: The Archive log reader is scheduled toprocess archive logs every <n> minutes.

User response: No action is required.

AUIL003E Command <command-text>failed; intervalvalue must be between <lower-bound>and <upper-bound>.

Explanation: This message indicates that <command>,such as: /f AUILSTC,SET INTERVAL number failedbecause of incorrect number value. Correct values mustbe between <lower-bound> and <upper-bound>.

User response: Use an interval value between<lower-bound> and <upper-bound>. If that does notresolve the issue, contact IBM Software Support.

AUIL005S module-name: NOT RUNNING APFAUTHORIZED

Explanation: The module module-name requires APFauthorization to execute.

User response: Ensure all load libraries for InfoSphereGuardium S-TAP for IMS are APF authorized.

AUIL008S module-name: xxxxxxxx DSN NOT A PDS

Explanation: The designated library must be a PDS.

User response: Check that the supplied DSN is a PDS.

AUIL600I NO NEW CATALOGED IMS LOGDATA SETS FOUND

Explanation: After examining the RECON data sets, ithas been determined that no new IMS SLDS data setswere found that have yet to be processed by theproduct.

User response: No action is required.

AUIL601I PROCESSING IMS LOG DATA SET:ims_log_data_set_name

Explanation: Processing has started for the IMS SLDSdata set indicated (ims_log_data_set_name)

System action: Processing continues.

User response: No action is required.

AUIL602I PROCESSING COMPLETE FOR IMSLOG DATA SET: ims_log_data_set_name

Explanation: Processing of the IMS SLDS data set hascompleted.

System action: Processing continues with othercandidate IMS SLDS data sets.

User response: No action is required.

AUIJ850E • AUIL602I

Chapter 13. Troubleshooting 91

Page 96: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIL603I SCANNING RECON DATA SETS FORIMS LOGS TO PROCESS. RECON1:recon1_dsn - RECON2: recon2_dsn -RECON3: recon3_dsn

Explanation: To determine the candidate IMS SLDSdata sets to be read, the IMS RECON data sets must bequeried. This message indicates that this query processhas started.

System action: Processing continues.

User response: No action is required.

AUIL604E IMS RECORD MISSING: IMS NAME:ims_name

Explanation: When attempting to determine certainproperties of the IMS named (ims_name) it wasdetermined that the IMS record required was not in theproduct repository.

System action: Processing terminates with a returncode of 8.

User response: Contact IBM Software Support.

AUIL605I RECON DATA SET SCAN COMPLETE

Explanation: This message follows the AUIL603Imessage and indicates that the scan of the RECON datasets is complete.

System action: Processing continues.

User response: No action is required.

AUIL606W RECON HAS NOCATDS SPECIFIED,TERMINATING PROCESS

Explanation: When examining the RECON data setsthe NOCATDS option was found to be on, meaningany log data sets found may not be cataloged.

System action: Processing terminates.

User response: The function that produces thismessage relies on the log data sets existing in the z/OScatalog or having been in the z/OS catalog at one time.Having the NOCATDS option on in the RECON datasets negates the validity of further processing.

AUIL607W THERE ARE NO ACTIVE IMSPOLICIES FOR AGENT agent_name

Explanation: A request to query the RECON data setsof IMS systems defined under the named agent foundthat there were no IMS systems audited by the agentwith an active profile. The function that produces thismessage relies on having at least one IMS system withan active collection policy.

System action: Processing terminates.

User response: Install a collection policy for an IMSunder of the control the agent.

Error messages and codes: AUIPxxxxThe following information is about error messages and codes that begin withAUIP.

AUIP001E A protobuf message schema violationwas detected; value value is not a validboolean value.

Explanation: The specified value is not valid.

User response: Contact your administrator or IBMSoftware Support.

AUIP002E A protobuf message schema violationwas detected; value value is not a validdouble value.

Explanation: The specified value is not valid.

User response: Contact your administrator or IBMSoftware Support.

AUIP003E A protobuf message schema violationwas detected; value value is not a validinteger value.

Explanation: The specified value is not valid.

User response: Contact your administrator or IBMSoftware Support.

AUIP004E A protobuf message schema violationwas detected; required message messageproperty property is not present.

Explanation: The specified message property is notpresent.

User response: Contact your administrator or IBMSoftware Support

AUIP005E A protobuf message schema violationwas detected; required message messagesub-message submessage is not present.

Explanation: The specified message submessage is notpresent.

User response: Contact your administrator or IBMSoftware Support.

AUIL603I • AUIP005E

92 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 97: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIP006S A severe error occurred during protobufmessage parsing; an unknown exceptionoccurred.

Explanation: An error occurred while parsing aprotobuf message.

User response: Contact your administrator or IBMSoftware Support.

AUIP007E A protobuf message schema violationwas detected; property name property isinvalid.

Explanation: The specified property name is not valid.

User response: Contact your administrator or IBMSoftware Support.

AUIP008E A protobuf message schema violationwas detected; property property valuevalue is invalid.

Explanation: The specified property value is not valid.

User response: Contact your administrator or IBMSoftware Support.

AUIP009E A protobuf message schema violationwas detected; message name 'name' isinvalid.

Explanation: The specified message name is not valid.

User response: Contact your administrator or IBMSoftware Support.

AUIP010E A protobuf message schema violationwas detected; message name name isinvalid (expected expected name).

Explanation: The specified message name is notvalued.

User response: Contact your administrator or IBMSoftware Support.

AUIP011E A protobuf message schema violationwas detected; value value is not a validbytes value.

Explanation: The specified value is not valid.

User response: Contact your administrator or IBMSoftware Support.

AUIP012E A protobuf message schema violationwas detected; value value is not a validunsigned integer value.

Explanation: The specified value is not valid.

User response: Contact your administrator or IBMSoftware Support.

AUIP013E An error occurred while parsing itemtext: String is empty.

Explanation: A policy message contained an item fieldwith an empty value.

User response: Contact your administrator or IBMSoftware Support.

AUIP014E An error occurred while parsing itemtext: text.

Explanation: A policy message contained an item fieldwith a value text could not be parsed successfully.

User response: Contact your administrator or IBMSoftware Support.

AUIP015E Failed to send error message toappliance: host/port.

Explanation: The InfoSphere Guardium S-TAP for IMSagent was unable to send the error message to thespecified appliance.

User response: Contact your administrator or IBMSoftware Support.

AUIP016E Policy rule <rule> was ignored: IMSname is empty.

Explanation: The specified policy rule was ignoredbecause it does not apply to any IMS subsystem, or theIMS name is empty.

User response: Contact your administrator or IBMSoftware Support.

Error messages and codes: AUIRxxxxThe following information is about error messages and codes that begin withAUIR.

AUIR001E Incompatible repository version currentversion (expected: required version).

Explanation: The version of repository specified inconfiguration file is not supported by AUI agent.

User response: Check configuration file to verify thatthe specified repository is correct. If the repository isspecified correctly and the message occurs, contact IBMSoftware Support.

AUIP006S • AUIR001E

Chapter 13. Troubleshooting 93

Page 98: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIR002E The provided parameter 'value' is toolong; should be less than or equal tomaximum length characters.

Explanation: The value of the specified parameterexceeds the maximum length maximum length.

User response: Specify a shorter value that does notexceed the specified limit for the parameter.

AUIR003E Specified amount user groups, butmaximum number is limit.

Explanation: Too many groups were specified.

User response: Limit the number of groups to limit.

AUIR004E A maximum of maximum data sets areallowed for the names libs and a total of

libs-count were specified.

Explanation: The maximum number of data sets wasexceeded for the libs specified.

User response: Limit the number of data sets for thespecified libs to maximum.

AUIR006E The parameter parameter can't be empty.

Explanation: The parameter value must be specifiedin the agent configuration.

User response: Update agent configuration, or contactyour administrator.

Error messages and codes: AUITxxxxThe following information is about error messages and codes that begin withAUIT.

AUIT001E The specified user ID userid is notdefined or does not have an OMVSsegment defined.

Explanation: You specified a user ID that is notdefined or does not have an OMVS segment defined.

User response: InfoSphere Guardium S-TAP for IMSwas unable to authenticate the specified user. Eitherspecify a valid user ID, or if the user ID is valid, seeyour security administrator to have an OMVS segmentdefined for the user ID.

AUIT002I Cancelled request with ID = id and type= type.

Explanation: IBM InfoSphere Guardium S-TAP forIMS on z/OS cancelled the request identified in themessage.

User response: No action is required.

AUIT003E Unable to cancel request with ID = idand type = type.

Explanation: IBM InfoSphere Guardium S-TAP forIMS on z/OS was unable to cancel the requestidentified in the message.

User response: The job name or ID was not known,and the job could not be cancelled. Review the messagelog to determine the name and ID of the job that wassubmitted, and use native JES facilities to review andcancel the status of the job.

If you are not trying to cancel a z/OS job request,contact IBM Software Support.

AUIT004E A cancel request was received for anon-existent request (ID = id).

Explanation: You attempted to cancel a nonexistentrequest.

User response: Contact IBM Software Support.

AUIT005I Cancelling request with ID = id andtype = type.

Explanation: IBM InfoSphere Guardium S-TAP forIMS on z/OS is cancelling the request identified in themessage.

User response: No action is required.

AUIT006S The product is not properly configuredto authenticate users.

Explanation: InfoSphere Guardium S-TAP for IMS isnot properly configured to authenticate users.

User response: An error occurred while authenticatinga remote user request. The error code indicates that theinstallation configuration required to allow thisauthentication has not been completed. See “InfoSphereGuardium S-TAP for IMS agent” on page 3 for moreinformation about how to complete the requiredconfiguration.

AUIT007I Completed processing request with ID =id and type = type.

Explanation: InfoSphere Guardium S-TAP for IMScompleted processing the request identified in themessage.

User response: No action is required.

AUIR002E • AUIT007I

94 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 99: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIT008E The configuration file filename is invalid;the root element element is not<agent-config>.

Explanation: The configuration file identified in themessage is invalid.

User response: The contents of the specifiedconfiguration file are invalid. Correct the file contentsto specify <agent-config> as the root XML element.

AUIT010E An error occurred while opening theconfiguration file filename message text

Explanation: An error occurred while opening theconfiguration file identified in the message. Additionalerror information is also contained within the message.

User response: Use the specified message text todiagnose the error that occurred. Specify a validconfiguration file that is not in use by any otherprocess.

AUIT012I Performing discovery of availablelocations.

Explanation: The InfoSphere Guardium S-TAP for IMSagent is looking for available locations.

User response: No action is required.

AUIT013I InfoSphere Guardium S-TAP agent isterminating.

Explanation: The InfoSphere Guardium S-TAP for IMSagent is terminating.

User response: No action is required.

AUIT016I Discovered data sharing group groupname.

Explanation: The InfoSphere Guardium S-TAP for IMSagent has discovered the identified data sharing group.

User response: No action is required.

AUIT017I Discovered subsystem subsystem-id.

Explanation: The InfoSphere Guardium S-TAP for IMSagent has discovered the identified subsystem.

User response: No action is required.

AUIT018I The agent is ready to process requests.

Explanation: The agent is ready to process requests.

User response: No action is required.

AUIT019I InfoSphere Guardium S-TAP agentstarted.

Explanation: The InfoSphere Guardium S-TAP for IMSagent started.

User response: No action is required.

AUIT020I Starting the socket selector thread(thread thread id).

Explanation: The InfoSphere Guardium S-TAP for IMSagent is starting the identified socket selector thread.

User response: No action is required.

AUIT021I Processing request with ID = id andtype = type.

Explanation: The InfoSphere Guardium S-TAP for IMSagent is processing a request with the identified ID andtype.

User response: No action is required.

AUIT022I Reading request with ID = id and type =type.

Explanation: The InfoSphere Guardium S-TAP for IMSagent is reading a request with the identified ID andtype.

User response: No action is required.

AUIT023I Received shutdown request.

Explanation: The InfoSphere Guardium S-TAP for IMSagent has received a shutdown request.

User response: No action is required.

AUIT024I Request thread timed out waiting forwork.

Explanation: The InfoSphere Guardium S-TAP for IMSagent request thread has timed out waiting for work.

User response: No action is required.

AUIT025I The socket selector thread isterminating.

Explanation: The InfoSphere Guardium S-TAP for IMSagent socket selector thread is terminating.

User response: No action is required.

AUIT026E Location location name is not known tothe agent.

Explanation: The location name specified on areceived request does not match any IMS subsystem IDor data sharing group attachment name known to theagent.

AUIT008E • AUIT026E

Chapter 13. Troubleshooting 95

Page 100: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

User response: Ensure that a valid location is specifiedin the client. If a valid location is specified, ensure thatthe IMS subsystem is operational.

AUIT027S An invalid request type request-id wasreceived.

Explanation: The InfoSphere Guardium S-TAP for IMSagent received an invalid request type.

User response: Contact IBM Software Support.

AUIT028E An error occurred while authenticatinguser user-id error-text.

Explanation: An unexpected return code was returnedby the pthread_security_np() callable service.

User response: Ensure that the configuration requiredto use this service has been completed. See “InfoSphereGuardium S-TAP for IMS agent” on page 3 for moreinformation about the required configuration. Checkthe agent job log for additional messages which may begenerated.

AUIT029E Location location name has not beenconfigured for use with InfoSphereGuardium S-TAP for IMS.

Explanation: The specified location name isrecognized by the agent, but an error occurred whileaccessing the product control file for the location'sconfiguration information.

User response: Use sample job AUISJ001 to establishthe required configuration parameters.

AUIT031I Starting the command listener thread(thread thread-id).

Explanation: The InfoSphere Guardium S-TAP for IMSagent is starting the command listener thread.

User response: No action is required.

AUIT032I Received stop command: command-text.

Explanation: The InfoSphere Guardium S-TAP for IMSagent received a STOP command.

User response: No action is required.

AUIT033I Received modify command:command-text.

Explanation: The InfoSphere Guardium S-TAP for IMSagent received a MODIFY command.

User response: No action is required.

AUIT034S InfoSphere Guardium S-TAP agent isterminating due to hard stop request.

Explanation: InfoSphere Guardium S-TAP for IMSagent is terminating due to a user /MODIFY FORCEcommand.

User response: No action is required.

AUIT035E An error occurred while openingfile-name: message-text

Explanation: An error occurred while opening thespecified file and there is also error information in themessage.

User response: Use the specified message text todiagnose why the specified file could not be opened.

AUIT036E An error occurred while writingfile-name: message-text

Explanation: An error occurred while writing to thespecified file and there is also error information in themessage.

User response: Use the specified message text todiagnose why the specified file could not be written.

AUIT039W The request was cancelled.

Explanation: The request was cancelled due to a useror administrator request.

User response: No action is required.

AUIT040E An I/O abend Sabend-code-reason-codeoccurred on filename.

Explanation: An abend occurred while trying to writeto the identified file.

User response: Review the abend and reason codes todetermine the error that occurred while writing the file.

AUIT041I Authenticating user user-id.

Explanation: Authenticating a user with user IDuser-id.

User response: No action is required.

AUIT044E The connection to the server has beenlost.

Explanation: InfoSphere Guardium S-TAP for IMS isunable to communicate with the InfoSphere GuardiumS-TAP for IMS server.

User response: Resolve any network connectivityissues, then try logging in again.

AUIT027S • AUIT044E

96 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 101: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIT045E Subsystem ssid is not known to theagent

Explanation: The specified subsystem is not known tothe agent.

User response: Verify that the SSID represents a validsubsystem.

AUIT1027E Data set data set already exists.

Explanation: The specified data set already exists. Thedata set must be unique.

User response: Enter a unique data set name andretry.

Error messages and codes: AUIUxxxxThe following information is about error messages and codes that begin withAUIU.

AUIU1002I Migrate Utility for IBM InfoSphereGuardium S-TAP for IMS on z/OSstarted.

Explanation: The utility to migrate the configurationof an older version of the product to the currentproduct version has started.

User response: No action is required.

AUIU1003I Agent record agent-record was not foundin the repository.

Explanation: The agent-record that is specified couldnot be loaded from the repository. This can occur if theagent configuration specifies an agent name that is not

associated with the repository. Or, it can occur if anincorrect repository is being used with the agentconfiguration.

User response: Verify the agent name in the agentconfiguration, and verify that the repository DSN forthe agent is the correct repository DSN.

AUIU1004I SMF record was not found in therepository.

Explanation: There were no SMF records found in therepository.

User response: No action is required.

Error messages and codes: AUIXxxxxThe following information is about error messages and codes that begin withAUIX.

AUIX014E An XML schema violation was detected;value value is not a valid boolean value.

Explanation: An XML schema violation was detected;value value is not a valid boolean value.

User response: If the error occurred while reading theagent configuration file, correct the file contents.Otherwise, contact IBM Software Support.

AUIX137E An XML schema violation was detected;value value is not a valid double value.

Explanation: An XML schema violation was detected;value value is not a valid double value.

User response: If the error occurred while reading theagent configuration file, correct the file contents.Otherwise, contact IBM Software Support.

AUIX016E An XML schema violation was detected;value value is not a valid integer value.

Explanation: An XML schema violation was detected;value value is not a valid integer value.

User response: If the error occurred while reading theagent configuration file, correct the file contents.Otherwise, contact IBM Software Support.

AUIX017E An XML syntax error was detected atoffset offset; expected expected-value,found found-value.

Explanation: An XML syntax error was detected atoffset offset; expected expected-value, found found-value.

User response: If the error occurred while reading theagent configuration file, correct the file contents.Otherwise, contact IBM Software Support.

AUIX018E An XML schema violation was detected;required element element attributeattribute\" is not present.

Explanation: An XML schema violation was detected;required element element attribute attribute is notpresent.

User response: If the error occurred while reading theagent configuration file, correct the file contents.Otherwise, contact IBM Software Support.

AUIX019E An XML schema violation was detected;required element element childchild-element is not present.

Explanation: An XML schema violation was detected;

AUIT045E • AUIX019E

Chapter 13. Troubleshooting 97

Page 102: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

required element element child child-element is notpresent.

User response: If the error occurred while reading theagent configuration file, correct the file contents.Otherwise, contact IBM Software Support.

AUIX020E Memory allocation failed (number bytes).

Explanation: Memory allocation failed (number bytes).

User response: Contact IBM Software Support.

AUIX021E An XML schema violation was detected;element element child child-number haswrong type.

Explanation: An XML schema violation was detected;element element child child-number has wrong type.

User response: If the error occurred while reading theagent configuration file, correct the file contents.Otherwise, contact IBM Software Support.

AUIX022E An XML syntax error was detected;character reference character-reference isinvalid.

Explanation: An XML syntax error was detected;character reference character-reference is invalid.

User response: If the error occurred while reading theagent configuration file, correct the file contents.Otherwise, contact IBM Software Support.

AUIX023E An XML syntax error was detected;entity reference entity-reference is invalid.

Explanation: An XML syntax error was detected;entity reference entity-reference is invalid.

User response: If the error occurred while reading theagent configuration file, correct the file contents.Otherwise, contact IBM Software Support.

AUIX024E An XML syntax error was detected;more than one element was found at theroot of the document.

Explanation: An XML syntax error was detected; morethan one element was found at the root of thedocument.

User response: If the error occurred while reading theagent configuration file, correct the file contents.Otherwise, contact IBM Software Support.

AUIX025E An XML syntax error was detected; noelement was found at the root of thedocument.

Explanation: An XML syntax error was detected; noelement was found at the root of the document.

User response: If the error occurred while reading theagent configuration file, correct the file contents.Otherwise, contact IBM Software Support.

AUIX026E An XML syntax error was detected; textwas found at the root of the document.

Explanation: An XML syntax error was detected; textwas found at the root of the document.

User response: Contact IBM Software Support.

AUIX027S A severe error occurred during XMLparsing; an unknown exceptionoccurred.

Explanation: A severe error occurred during XMLparsing; an unknown exception occurred.

User response: Contact IBM Software Support.

AUIX034S A severe error occurred duringcommand line processing; an unknownexception occurred.

Explanation: A severe error occurred duringcommand line processing; an unknown exceptionoccurred.

User response: Contact IBM Software Support.

AUIX035E The operation completed successfully.

Explanation: The operation completed successfully.

User response: No action is required.

AUIX036E The address family is not supported bythe protocol family ( socket-return-code).

Explanation: The address family is not supported bythe protocol family ( socket-return-code).

User response: Contact IBM Software Support.

AUIX037E The operation is still in progress(socket-return-code).

Explanation: The operation is still in progress(socket-return-code).

User response: Contact IBM Software Support.

AUIX038E Permission is denied (socket-return-code).

Explanation: Permission is denied (socket-return-code).

User response: Contact IBM Software Support.

AUIX020E • AUIX038E

98 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 103: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIX039E The network is down (socket-return-code).

Explanation: The network is down (socket-return-code).

User response: Contact IBM Software Support.

AUIX040E No buffer space is available(socket-return-code).

Explanation: No buffer space is available(socket-return-code).

User response: Contact IBM Software Support.

AUIX041E Too many sockets have been opened(socket-return-code).

Explanation: Too many sockets have been opened(socket-return-code).

User response: Contact IBM Software Support.

AUIX042E The protocol is not supported(socket-return-code).

Explanation: The protocol is not supported(socket-return-code).

User response: Contact IBM Software Support.

AUIX043E The WSAStartup routine was not called(socket-return-code).

Explanation: The WSAStartup routine was not called(socket-return-code).

User response: Contact IBM Software Support.

AUIX044E The protocol is the wrong type for thesocket (socket-return-code).

Explanation: The protocol is the wrong type for thesocket (socket-return-code).

User response: Contact IBM Software Support.

AUIX045E The socket type is not supported(socket-return-code).

Explanation: The socket type is not supported(socket-return-code).

User response: Contact IBM Software Support.

AUIX046E The destination network is unreachable(socket-return-code).

Explanation: The destination network is unreachable(socket-return-code).

User response: Specify the correct host name or IPaddress.

AUIX047E The socket handle is invalid(socket-return-code).

Explanation: The socket handle is invalid(socket-return-code).

User response: Contact IBM Software Support.

AUIX048E The address is already in use(socket-return-code).

Explanation: The address is already in use(socket-return-code).

User response: Contact IBM Software Support.

AUIX049E The function call was interrupted(socket-return-code

Explanation: The function call was interrupted(socket-return-code).

User response: Contact IBM Software Support.

AUIX050E The requested address is not available(socket-return-code).

Explanation: The requested address is not available(socket-return-code).

User response: Contact IBM Software Support.

AUIX051E The connection was aborted(socket-return-code).

Explanation: The connection was aborted(socket-return-code).

User response: Contact IBM Software Support.

AUIX052E The connection was refused by thepartner (socket-return-code).

Explanation: The connection was refused by thepartner (socket-return-code).

User response: Verify that the correct port numberwas specified, and that the partner application has beenstarted and is available.

AUIX053E The connection was reset by the partner(socket-return-code).

Explanation: The connection was reset by the partner(socket-return-code).

User response: The partner application ended thenetwork connection. If this is unexpected, diagnose thepartner application failure. Otherwise, no action isrequired.

AUIX039E • AUIX053E

Chapter 13. Troubleshooting 99

Page 104: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIX054E The network message is too long(socket-return-code).

Explanation: The network message is too long(socket-return-code).

User response: Contact IBM Software Support.

AUIX055E The network dropped the connectionwhen reset (socket-return-code).

Explanation: The network dropped the connectionwhen reset (socket-return-code

User response: Contact IBM Software Support.

AUIX056E An invalid parameter was specified(socket-return-code).

Explanation: An invalid parameter was specified(socket-return-code).

User response: Contact IBM Software Support.

AUIX057E The socket is not connected(socket-return-code).

Explanation: The socket is not connected(socket-return-code).

User response: Contact IBM Software Support.

AUIX058E The operation is not supported(socket-return-code).

Explanation: The operation is not supported(socket-return-code).

User response: Contact IBM Software Support.

AUIX059E The socket has been closed(socket-return-code).

Explanation: The socket has been closed(socket-return-code).

User response: Contact IBM Software Support.

AUIX060E The socket is already connected(socket-return-code).

Explanation: The socket is already connected(socket-return-code).

User response: Contact IBM Software Support.

AUIX061S An unknown error occurred(socket-return-code).

Explanation: An unknown error occurred(socket-return-code).

User response: Contact IBM Software Support.

AUIX062E A socket error occurred onsocket-operation: message-text.

Explanation: A socket error occurred.

User response: Use the specified message text todiagnose the error.

AUIX063E A socket select error occurred:message-text.

Explanation: A socket select error occurred.

User response: Use the specified message text todiagnose the error.

AUIX064E An XML schema violation was detected;expected root element element-expected,but found element-found instead.

Explanation: An XML schema violation was detected;expected root element element-expected , but foundelement-found instead.

User response: If the error occurred while reading theagent configuration file, correct the file contents.Otherwise, contact IBM Software Support.

AUIX066E An XML schema violation was detected;element element value value is invalid.

Explanation: An XML schema violation was detected;element element value value is invalid.

User response: If the error occurred while reading theagent configuration file, correct the file contents.Otherwise, contact IBM Software Support.

AUIX067E An XML schema violation was detected;element name element is invalid.

Explanation: An XML schema violation was detected;element name element is invalid.

User response: If the error occurred while reading theagent configuration file, correct the file contents.Otherwise, contact IBM Software Support.

AUIX068E An XML schema violation was detected;element name element-found is invalid(expected element-expected).

Explanation: An XML schema violation was detected;element name element-found is invalid (expectedelement-expected).

User response: Contact IBM Software Support.

AUIX054E • AUIX068E

100 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 105: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIX076E An XML schema violation was detected;element element attribute attribute valuevalue is invalid.

Explanation: An XML schema violation was detected;element element attribute attribute value value is invalid.

User response: Contact IBM Software Support.

AUIX085E A dynamic allocation error occurred:info code = info-code, error code =error-code.

Explanation: A dynamic allocation error occurred: infocode = info-code, error code = error-code.

User response: See the MVS Programming: AuthorizedAssembler Services Guide for more information about thespecified information and error codes.

AUIX086E A dynamic concatenation error occurred:info code = info-code, error code =error-code.

Explanation: A dynamic concatenation error occurred:info code = info-code, error code = error-code.

User response: See the MVS Programming: AuthorizedAssembler Services Guide for more information about thespecified information and error codes.

AUIX087E A dynamic free error occurred: info code= info-code, error code = error-code.

Explanation: A dynamic free error occurred: info code= info-code, error code = error-code.

User response: See the MVS Programming: AuthorizedAssembler Services Guide for more information about thespecified information and error codes.

AUIX088E An invalid dynamic allocationparameter was specified: code =parm-code.

Explanation: An invalid dynamic allocation parameterwas specified: code = parm-code.

User response: Contact IBM Software Support.

AUIX089E The specified user ID user-id andpassword are invalid.

Explanation: The specified user ID user-id andpassword are invalid.

User response: Correct the user ID and password andretry the operation.

AUIX090E The specified password for user IDuser-id has expired.

Explanation: The specified password for user IDuser-id has expired.

User response: Change your password, then retry theoperation.

AUIX091E Access for the specified user ID user-idhas been revoked.

Explanation: Access for the specified user ID user-idhas been revoked.

User response: Contact your security administrator toget your user ID reinstated.

AUIX092E An error occurred while performingauthentication: SAF RC = saf-return-code,RC = return-code, RSN = reason-code.

Explanation: An error occurred while performingauthentication: SAF RC = saf-return-code, RC =return-code, RSN = reason-code.

User response: Contact IBM Software Support.

AUIX093S An unexpected error occurred (file-name,line-number).

Explanation: An unexpected error occurred (file-name,line-number).

User response: Contact IBM Software Support.

AUIX094S An unexpected error occurred withtoken token, (file-name, line-number).

Explanation: An unexpected error occurred with tokentoken, (file-name, line-number).

User response: Contact IBM Software Support.

AUIX095S An unexpected error occurred withtokens token and token (file-name,line-number).

Explanation: An unexpected error occurred withtokens token and token (file-name, line-number).

User response: Contact IBM Software Support.

AUIX096S An unexpected error occurred withtokens token, token and token ( file-name,line-number).

Explanation: An unexpected error occurred withtokens token, token and token ( file-name, line-number).

User response: Contact IBM Software Support.

AUIX076E • AUIX096S

Chapter 13. Troubleshooting 101

Page 106: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIX097S An unexpected error occurred withtokens token, token, token, and token(file-name, line-number.

Explanation: An unexpected error occurred withtokens token, token, token, and token (file-name,line-number.

User response: Contact IBM Software Support.

AUIX098E A thread error occurred onthread-operation : message-text.

Explanation: A thread error occurred onthread-operation : message-text.

User response: Use the specified message text todiagnose the error.

AUIX101E An event error occurred onevent-operation : message-text.

Explanation: An event error occurred onevent-operation : message-text.

User response: Use the specified message text todiagnose the error.

AUIX104E A mutex error occurred onmutex-operation : message-text.

Explanation: A mutex error occurred onmutex-operation : message-text.

User response: Use the specified message text todiagnose the error.

AUIX109E A semaphore error occurred onsemaphore-operation : message-text.

Explanation: A semaphore error occurred onsemaphore-operation : message-text.

User response: Use the specified message text todiagnose the error.

AUIX110I The network connection has beendisconnected.

Explanation: The network connection has beendisconnected.

User response: No action is required.

AUIX114E A dynamic allocation query erroroccurred: info code = info-code, errorcode = error-code.

Explanation: A dynamic allocation query erroroccurred: info code = info-code, error code = error-code.

User response: See the MVS Programming: AuthorizedAssembler Services Guide for more information about thespecified info and error codes.

AUIX115E An input command error occurred on\"command-operation\": message-text.

Explanation: An input command error occurred on\"command-operation\": message-text.

User response: Contact IBM Customer Support.

AUIX116I Received input command: command-text.

Explanation: Received input command: command-text.

User response: No action is required.

AUIX117E Excessive data was encountered in theASN.1 data stream.

Explanation: Excessive data was encountered in theASN.1 data stream.

User response: Contact IBM Customer Support.

AUIX118E Insufficient data was encountered in theASN.1 data stream.

Explanation: Insufficient data was encountered in theASN.1 data stream.

User response: Contact IBM Customer Support.

AUIX119E An unsupported ASN.1 feature wasencountered.

Explanation: An unsupported ASN.1 feature wasencountered.

User response: Contact IBM Customer Support.

AUIX122I Build date component = date.

Explanation: Build date component = date.

User response: No action is required.

AUIX123W The action was cancelled.

Explanation: The action was cancelled.

User response: No action is required. The operationwas cancelled due to user or administrator request.

AUIX124S The task is not running APF-authorized.

Explanation: The task is not running APF-authorized.

User response: The InfoSphere Guardium S-TAP forIMS load library, and the load libraries for all of theIMS subsystems accessed, must be APF-authorized. SeeInfoSphere Guardium S-TAP for IMS agent for moreinformation about the required configuration steps.

AUIX097S • AUIX124S

102 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 107: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIX125E An error occurred while retrievingproduct configuration data: RC =return-code.

Explanation: An error occurred while retrievingproduct configuration data: RC = return-code.

User response: Ensure that a product control file hasbeen created and loaded using sample jobs AUISJ000and AUISJ001, and that it is allocated to theIMSPARMS DD.

AUIX126E A DLL error occurred on dll-operation :message-text

Explanation: A DLL error occurred on dll-operation :message-text

User response: Contact IBM Customer Support.

AUIX127S An error occurred while opening log filefile-name.

Explanation: An error occurred while opening log filefile-name.

User response: Contact IBM Customer Support.

AUIX128E An error occurred while submitting thejob: RC = return-code.

Explanation: An error occurred while submitting thejob: RC = return-code.

User response: Contact IBM Customer Support.

AUIX129I Job job-id was submitted.

Explanation: The specified job was submitted.

User response: No action is required.

AUIX130E An ICSF cryptographic error occurred:API = <api-call>, RC = <rc>, REASON =<reason>.

Explanation: An ICSF cryptographic error occurred at<api-call>.

User response: Contact your administrator or IBMSoftware Support.

AUIX131E A BSAFE cryptographic error occurred:API = <api-call>, RC = <rc>.

Explanation: An BSAFE cryptographic error occurredat <api-call>.

User response: Contact your administrator or IBMSoftware Support.

AUIX132E A shared memory error occurred on"service name": error message.

Explanation: This error may only occur in the primaryagent address space and when the error occurs, theprimary agent address space will shut down with a CCof 12. This startup error indicates that attempts tocreate a shared memory segment failed because of analready existing shared memory segment that neverbelonged to, or currently does not belong to, theprimary agent address space.

This message can occur in the secondary address spaceif the <id> elements in the ADS_SHM_ID andADS_LISTENER_PORT parameters do not match in theAUICONFG config member that is used by the agentprimary address space and the secondary addressspaces.

User response: Edit SAUISAMP member AUICONFG(or the customized AUICONFG) and specify the correct<id> elements in the ADS_SHM_ID andADS_LISTENER_PORT keywords.

AUIX133E An XML schema violation was detected;element element value value is invalid:expected min <min-value> and max <maxvalue>.

Explanation: The element-value given for element-nameis out of the range and must be within min-value andmax-value.

User response: Correct the value for the element-namein the configuration.

AUIX134E An XML schema violation was detected;element element attribute value valuevalue is invalid: expected min<minimum> and max <maximum>.

Explanation: The element attribute value is not valid.

User response: If the error occurred while reading theagent configuration file, update the configuration.Otherwise, contact IBM Software Support.

AUIX135E Data set [data set] is not cataloged.

Explanation: The data set specified in the messagetext has not been cataloged.

User response: Allocate the data set.

AUIX136E Invalid data set 'data set': Data set namemust not exceed 44 characters.

Explanation: MVS data sets cannot exceed 44characters.

User response: Correct the data set entry, then retry.

AUIX125E • AUIX136E

Chapter 13. Troubleshooting 103

Page 108: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIX137E Invalid data set {'data set'}: The segmentlength must be greater than 0 and lessthan or equal to 8.

Explanation: The specified data set name has one ormore segments that are not between 1 and 8 characters.

User response: Specify a data set where each segmentcontains more than 0 characters and 8 or fewercharacters.

AUIX138E Invalid data set 'name': The firstcharacter in each segment must bealphabetic (A-Z) or national (#, @, $).

Explanation: The data set name provided does not isnot a valid name and does not satisfy the MVS data setnaming requirements.

User response: Correct the data set name and tryagain.

AUIX139E Invalid data set '<data set>': Thenon-first characters in the segmentsmust be alphabetic (A-Z), numeric,national (#, @, $), or hyphen.

Explanation: The non-first characters in the segmentsmust be alphabetic (A-Z), numeric, national (#, @, $), orhyphen.

User response: Specify a data set where non-firstcharacters in the segments is alphabetic (A-Z), numeric,national (#, @, $), or hyphen.

AUIX140E Invalid data set '<data set>': Thenon-first characters in the SMFsegments must be alphabetic (A-Z),numeric, national (#, @, $), hyphen,asterisk (*) or percent (%).

Explanation: The non-first characters in the SMFsegments must be alphabetic (A-Z), numeric, national(#, @, $), hyphen, asterisk (*) or percent (%).

User response: Specify a data set where non-firstcharacters in the SMF segments is alphabetic (A-Z),numeric, national (#, @, $), hyphen, asterisk (*) orpercent (%).

AUIZ019E Data set 'data set' is not APF-authorized.

Explanation: The data set data set requires APFauthorization.

User response: Specified data set must beAPF-authorized. See Configuring InfoSphere GuardiumS-TAP for IMS for more information about the requiredconfiguration steps.

AUIX142E Invalid data set '<data set>': The firstcharacter in SMF segment must bealphabetic (A-Z) or national (#, @, $),asterisk (*) or percent (%).

Explanation: The first character in SMF segment mustbe alphabetic (A-Z) or national (#, @, $), asterisk (*) orpercent (%).

User response: Specify a data set where first characterin SMF segments must be alphabetic (A-Z) or national(#, @, $), asterisk (*) or percent (%).

AUIX137E • AUIX142E

104 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 109: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Error messages and codes: AUIYxxxxThe following information is about error messages and codes that begin withAUIY.

AUIY001E A callable services abend abend hasoccurred.

Explanation: This message indicates a callable serviceabend has occurred. Additional diagnostic informationmay be present in the message when applicable.

User response: Contact IBM Software Support.

AUIY002E GPRS number-number: hex-value hex-valuehex-value hex-value

Explanation: This message indicates an CSI abend hasoccurred. Additional diagnostic information may bepresent in the message when applicable.

User response: No action is required.

AUIY003E Active module not found.

Explanation: This message indicates a CSI abend hasoccurred. Additional diagnostic information may bepresent in the message when applicable.

User response: No action is required.

AUIY004E Active module = module-name, load point= hex-address, offset = hex-address

Explanation: This message indicates a CSI abend hasoccurred. Additional diagnostic information may bepresent in the message when applicable.

User response: No action is required.

AUIY005E PSW = string string

Explanation: This message indicates a CSI abend has

occurred. Additional diagnostic information may bepresent in the message when applicable.

User response: No action is required.

AUIY006E Callable service invocation failed withreturn code = return-code and reasoncode = reason-code

Explanation: A service requested by the serveraddress space has failed.

User response: View the JES log of the server addressspace to determine the data set name and reason forthe error. Contact IBM Software Support if you areunable to resolve the error.

AUIY007I Invoking callable service callable service.

Explanation: The specified callable service has beeninvoked successfully.

User response: No action is required.

AUIY008I Returned from callable serviceservice-name

Explanation: Returned from a callable service that isidentified in the message.

User response: No action is required.

AUIY009E Invalid data set mask: 'data set mask'.

Explanation: The specified data set mask is not valid.

User response: Enter a valid data set mask and retry.

Error messages and codes: AUIZxxxxThe following information is about error messages and codes that begin withAUIZ.

AUIZ002E dd-name DD has already been allocated.

Explanation: The dd-name DD needed for the task, hasbeen previously allocated.

System action: The task terminates with a return codeof 12.

User response: dd-name DD is dynamically allocated.Ensure that the dd-name DD is not present in the taskJCL. If the dd-name is not present in the JCL, contactIBM Software Support.

AUIZ003W Attached to existing shared memorysegment.

Explanation: This message corresponds to messageAUIZ008W. This message indicates that the memorysegment has been cleaned, and is being reused.

User response: No action is required.

AUIZ004S Shared memory segment keyverification failed ('key-value').

Explanation: Shared memory segment validationfailed. This usually implies that the shared memorysegment is owned by another product or system.

User response: Change shared memory segment idand restart the agent:

ADS_SHR_MEM_ID

AUIY001E • AUIZ004S

Chapter 13. Troubleshooting 105

Page 110: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIZ005S Shared memory segment eyecatcher'value' invalid.

Explanation: Shared memory segment validationfailed. This implies that the shared memory segment isowned by another product or system.

User response: Change shared memory segment IDand restart the agent:

ADS_SHR_MEM_ID

AUIZ007S The master address space failed torespond to a connect request.

Explanation: A secondary address space failed toconnect to the master address space.

User response: Check the listener-port in theaddress-space-manager-config section of theconfiguration and verify that it matches in bothAUICONFG and members of the primary addressspace and secondary address spaces.

AUIZ008W IBM InfoSphere Guardium S-TAP forIMS on z/OS agent failed to shut downproperly last time.

Explanation: When the agent is restarting, thepersistent memory object indicates that the agent wasabnormally cancelled or terminated without goingthrough the proper clean-up routines, for example,Estae processing. This message might also indicate thatanother instance of the agent is currently executing.

User response: Verify that there is only one instanceof this agent running.

AUIZ009S Attempts to attach to shared memorysegment segment key failed.

Explanation: This error message always occurs inconjunction with error message AUIX132E.

This startup error indicates that attempts to create ashared memory segment failed because of an alreadyexisting shared memory segment that never belongedto, or currently does not belong to, the primary agentaddress space.

This message can occur in the secondary address spaceif the <id> elements in the <address-space-manager-config> parameters of the AUICONFG config memberthat is used by the agent primary address space andthe secondary address spaces(s) do not match.

User response: Edit SAUISAMP member AUICONFG(or the customized AUICONFG) and specify a different<id> element in the <address-space-manager-config>section.

AUIZ010W Configuration value for '<parameter>' isset below the allowed minimum of<limit>.

Explanation: Configuration parameter is not valid:<parameter> should be not below the <limit>.

User response: Change the parameter to correspondto the requirements.

AUIZ011W Configuration value for '<parameter>' isset above the allowed maximum of<limit>.

Explanation: Configuration parameter is not valid:<parameter> should exceed the <limit>.

User response: Change the parameter to correspondto the requirements.

AUIZ012I Log-server: listening on port <port>.

Explanation: Identifies the port number that theLog-server is listening to.

User response: No action is required.

AUIZ013E Log-server: no available port was foundin the range <min-port>-<max-port>.

Explanation: No available port was found in specifiedrange. This usually implies that the range of ports isused by other installations or products.

User response: Contact IBM Software Support.

AUIZ014E Log-server: invalid data received fromclient sending_client_id (data_received).

Explanation: The log server received invalid data froma client location at the IP address identified bysending_client_id. The data received is logged (up to fourbytes). This usually occurs if the client is not anInfoSphere Guardium S-TAP for IMS-specific client, andis improperly connecting to a port that is being listenedto by the log server.

User response: Identify the client, based on IP addressand logged data, and figure out if it should beconnecting to that port. Modify the client port or theport range to which the InfoSphere Guardium S_TAPlog server is listening.

AUIZ020W Configuration parameter parameter-namewas ignored: duplicate value specifiedspecified-value.

Explanation: The specified configuration parameterparameter-name cannot contain a value that has alreadybeen specified for a related parameter.

User response: Fix the duplicate value specified-valueand restart the agent.

AUIZ005S • AUIZ020W

106 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 111: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIZ022E At least one active appliance is required.

Explanation: No appliances were specified in theagent configuration, or all specified appliances weredisabled.

User response: Check agent configuration and addenabled appliances to configuration.

AUIZ023E Duplicate appliance specified: host/port.

Explanation: Specified appliance (host/port) areduplicates of another appliance specified in theconfiguration.

User response: Update or remove duplicate appliancesin the agent configuration.

AUIZ024E Duplicate appliance priority specified:priority.

Explanation: Two or more appliances with duplicatepriority (priority) were specified.

User response: Update or remove appliances withduplicate priorities in the agent configuration.

AUIZ025E Spill size can't be zero if more than oneappliance is enabled.

Explanation: Spill size should be greater than zero iftwo or more active appliances are specified.

User response: Specify a valid spill size.

AUIZ027W Host name can't be resolved<host-name>.

Explanation: An attempt was made to determine theIP address of the host name that was indicated throughthe use of the z/OS getaddrinfo service. The attemptfailed.

System action: If the host name is not the local LPAR,processing continues. The TCP/IP address for anyevents that occur on this LPAR will not be sent to theappliance for reporting. If the host name is the localLPAR where the agent (AUIAstc task) is running, thelocal host name and IP address will be used for INTERand INTRA task communications.

User response: The z/OS network administrator mustverify that the LPAR name exists in the DNS table.

AUIZ028E Configuration parameter element-namevalue element-value is invalid: expectedmin value-min and max value-max.

Explanation: The element-value given for element-nameis out of the range and must be within min-value andmax-value.

User response: Correct the value for the element-namein the configuration.

AUIZ029E Property property-name not found inconfig.

Explanation: A required property property-name couldnot be loaded from the configuration file because it hasbeen incorrectly specified, specified multiple times, ornot specified at all.

User response: Update configuration file and addproperty-name with an appropriate value.

AUIZ030E Configuration parameter parameter-namevalue parameter-value is not valid longvalue.

Explanation: The configuration parameter identifiedby parameter-name contains an invalid value. Theexpected value should be of type long.

User response: Correct the configuration value.

AUIZ031E Configuration parameter parameter-namevalue parameter-value is not validunsigned long value.

Explanation: The configuration parameter identifiedby parameter-name contains an invalid value. Theexpected value should be of type unsigned long.

User response: Correct the configuration value.

AUIZ032E Configuration parameter parameter-namevalue parameter-value is not valid shortvalue.

Explanation: The configuration parameter identifiedby parameter-name contains an invalid value. Theexpected value should be of type short.

User response: Correct the configuration value.

AUIZ033E Configuration parameter parameter-namevalue parameter-value is not validunsigned short value.

Explanation: The configuration parameter identifiedby parameter-name contains an invalid value. Theexpected value should be of type unsigned short.

User response: Correct the configuration value.

AUIZ034E Configuration parameter parameter-namevalue parameter-value is not valid booleanvalue.

Explanation: The configuration parameter identifiedby parameter-name contains an invalid value. Theexpected value should be of type boolean.

User response: Correct the configuration value.

AUIZ022E • AUIZ034E

Chapter 13. Troubleshooting 107

Page 112: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

AUIZ035E Configuration parameter parameter-namevalue parameter-value is not valid doublevalue.

Explanation: The configuration parameter identifiedby parameter-name contains an invalid value. Theexpected value should be of type double.

User response: Correct the configuration value.

AUIZ036E Configuration parameter element-namevalue element-value length is invalid:expected min length-min and maxlength-max characters.

Explanation: The element-value given for element-nameis too long and its length must be within length-minand length-max.

User response: Correct the value for the element-namein the configuration file.

AUIZ039I Guardium policy processing started.

Explanation: The agent has received a policy messagefrom the appliance and has started to process it.

User response: No action is required.

AUIZ040I Guardium policy processing finished[active = <active>, installed =<installed>, uninstalled =<uninstalled>].

Explanation: The agent finished processing of policies.Additional information is provided about the list ofinstalled, uninstalled and active collections. Thespecified active collections are active in the repository,installed collections have been installed, anduninstalled collections have been uninstalled.

User response: No action is required.

AUIZ041I Guardium policy processing failed dueto prior errors.

Explanation: The Guardium policies could not beprocessed.

User response: Check the log for previous errors.

AUIZ041W Profile for IMS source ims_name wasignored: unknown IMS.

Explanation: The agent received an IMS policy fromthe InfoSphere Guardium appliance which does notrelate to this agent instance.

System action: The policy is ignored by this agent.

User response: No action is required.

AUIZ042W IMS artifact ims-name was ignored:incorrect IMS.

Explanation: During policy pushdown, an ims-namewas specified for one of the rules that does not exist inthe Guardium appliance.

User response: Contact IBM Software Support.

AUIZ043E XCF callable service invocation failed:function function-name, RC = nn, reasoncode = hhhhhhhh, AUIU proc name =proc-name, ADS_SHR_MEM ID = nn.

Explanation: An error occurred attempting to retrieveAUIU tokens from the CF.

User response: If the LPAR is not a sysplex member,no action is necessary. If the LPAR is a sysplex member,please contact IBM Software Support.

AUIZ044S Shared memory segment versionversion-found is not compatible withexpected expected-version.

Explanation: An attempt to attach to a sharedmemory segment failed because of version mismatch.This might indicate that the shared memory segmentthat is identified by ADS_SHR_MEM_ID is already inuse by an older version of the product, or anotherproduct.

User response: Verify and change theADS_SHR_MEM_ID that is specified in the agentconfiguration.

AUIZ045E One of AUICFG or AUICONFG DDmust be allocated.

Explanation: The address space requires either anAUICFG DD or an AUICONFG DD to be specified inthe JCL.

User response: Update the JCL for the address spaceto include an AUICFG or an AUICONFG DD.

AUIZ045S Shared memory segment version value_1is not compatible; expected value_2.

Explanation: An attempt was made to connect to ashared memory segment. The connection wasunsuccessful.

System action: The task terminates with a return codeof 12.

User response: This error can occur in the agent task(AUIASTC) when more than one agent is running on asysplex, and the ADS_SHM_ID andADS_LISTENER_PORT keywords have not beenspecified in the AUICONFG configuration file. This canalso occur in the SMF (AUIFSTC) or IMS LOG(AUILSTC) tasks if the ADS_SHM_ID and

AUIZ035E • AUIZ045S

108 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 113: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

ADS_LISTENER_PORT keywords have been specifiedin the AUICONFG file for the agent, but the sameAUICONFG file was not specified, or was incorrectlyspecified for the AUIFSTC and/or AUILSTC tasks.Review “Running more than one agent in a SYSPLEX”on page 47.

AUIZ046E module-name callable service invocationfailed: RC = return-code, reason code =reason-code.

Explanation: Invocation of the specified module faileddue to the specified return-code and reason-code.

User response: Contact IBM Software Support.

AUIZ050E Specified Log Stream 'xxx.xxx.xxx' doesnot exist

Explanation: The z/OS log stream name that wasspecified in the LOG_STREAM_DLIO or LOG_STREAM_DLIBAUICONFG DD input stream does not exist.

System action: The agent address space terminates.

User response: Correct the log stream name that youprovided, or customize and run the AUILSTRx LogStream definition jobs that are located in theSAUISAMP product data set.

AUIZ053E Logging subsystem failed to initializesuccessfully.

Explanation: This error can occur for several reasons.It is preceded by the specific occurrence that caused thelogging subsystem to fail during initialization.

User response: Review previously issued errormessages to determine the cause of the logging failure.

AUIZ054E The Batch DLI log Stream and OnlineDLI log stream names must be different.

Explanation: The log stream name specified forLOG_STREAM_DLIO and LOG_STREAM_DLIB mustbe different.

User response: Specify different log streams for batchand online in the agent configuration.

AUIZ056E Shared memory segment ID segment_idowned by agent agent_name and cannotbe attached.

Explanation: The shared memory segment that wasidentified by the <id> parameter within theaddress-space-manager-config section of the agentconfiguration file is already used by the specified agent,agent_name.

System action: The agent terminates because it isunable to use the shared memory segment.

User response: To avoid a collision with other agents

running on the LPAR, change or include the <id> valuein the address-space-manager_config section of theagent configuration file.

AUIZ057E A configuration syntax error wasdetected at line <number>; expected"<token1>", found "<token2>".

Explanation: An invalid value was found in theAUICONFG file and the indicated line.

System action: Processing terminates.

User response: Review the "Configuring theInfoSphere Guardium S-TAP for IMS agent" section ofthis user's guide for information about permissibleconfiguration values. Correct the syntax error andrestart the agent.

AUIZ046E • AUIZ057E

Chapter 13. Troubleshooting 109

Page 114: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

110 IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 User's Guide

Page 115: IBM InfoSphere Guardium S-TAP for IMS on z/OS V9.1 … · Upgrading from V9.0 to V9.1 in exploitation mode 10 ... The keyword and parameter formatting convention is now used by the

Index

Aaddress spaces

starting 52stopping 52

agent 2auditing IMS data set access 41changing the name of the SMF

address space JCL 41changing the retention period of

incomplete SMF event 41changing the types of events audited

using SMF records 41configuration keywords

controlling the frequency of SMFz/OS catalog queries 41

required configurationkeywords 41

configuring 23, 34customizing 23disabling SMF auditing at the agent

level 41overview 3security 35starting the agent 34stopping the agent 34

APF authorizationfor libraries 7

auditingconfiguration keywords 41disabling IMS SLDS 45events 44IMS data set access 43setting up environment 37

AUIEMAC1 edit macrovariables 14

Cchanges and enhancements to this

version 1common load modules

copying 40Common Memory Management address

space JCL namechanging 46

Common Storage Management Utility 2components

Guardium system 2configuration keywords

specifying multiple SMF data setmasks 42

Ddata collection 55data collection monitors

described 65DBRC RECON data sets

security 7DD DUMMY statement

excluding auditing 55DLI calls

capturing 37

Eedit macro AUIEMAC1 14

Ffiltering stages

stage 0 filtering 57

GGuardium 2Guardium system

configuring multiple Guardiumsystems 48

IIMS archived log data sets 57IMS cataloged procedures

customizing 37IMS DLI calls 55IMS Policy pushdown 69InfoSphere Guardium S-TAP for IMS

overview 1

installationhardware and software

requirements 5sample library members 51

LLOAD library

APF authorizing 7

Mmapping policies to a collection

profile 59messages and codes 71Messages and codes 71

Ppolicy pushdown 59

Ssample library members 51security 7

DBRC RECON data sets 7OMVS segment 7

SMF dump data sets 55stage 1 filtering 57stage 2 filtering 57

Uupgrading from V9.0 to V9.1

compatibility mode 10exploitation mode 10

ZzIIP

auditing functions 39using 39

111