IBM Security Z Security

Hi,
We are running a daily job to produce a full-size CKFREEZE:
FOCUS=(ADMINRACF,AUDITRACF,VISUAL)
IO=Y,TCPIP=Y,DASD=Y,TAPE=N,SWCH=N,PATH=N,VTOC=Y,VVDS=Y,PDS=Y,CAT=Y,MCD=Y,BCD=Y,DMS=Y,ABR=Y,TMC=Y,RMM=Y,VMF=Y,UNIX=Y,
UNIXCLIENT=N,RECALL=Y,AUTOMOUNT=Y,UNIXACL=Y,SHARED=Y,OFFLINE=N,SMS=Y,STATS=N,IDR=N,CHECK=N,SCAN=Y,PARALLEL=PATH,
REPORT,KEY0,BYPASS,SIO,XMEM,XMDSN,DIAG,UID0,ENQ=Y,DDLIMIT=1536,IOTIMEOUT=60,PDSEBUFSIZE=150,SIGVER=N,XTIOT=Y,MOD=Y,
NJE=Y,CICS=Y,IMS=Y,MQ=Y,DB2=Y,DB2CAT=Y,DB2ADM,CKDS=Y,PKDS=Y,TKDS=Y,SYMKEYTEST=N,CF=Y,SERIALIZATION(ENQ(CKRDSN),FAIL)

Unfortunately, on a regular basis, this job ends with a return code 08 due to underlying system problems such as:

CKF0347 08 Duplicate pathname MNTE devices 31640 and 31643 FS name XXXX
mountpoint /u/yyyy

CKF0062 08 Connected catalog XXXXX  SYS1.CATALOG.yyyy not found on volumes processed

However, the CKFREEZE file is created and usable. 

Unfortunately, a return code 08 is not acceptable, and neither is suppressing these messages. 

Do you have any suggestions on how we can have this job ending with a return code other than 08, i.e. 00 or 04?

Is there a parameter such as NOWARNINGRC that deals with return code 08?

Thanks and regards,


------------------------------
Anji Stephens
------------------------------

Hi Anji,

NOWARNINGRC is a special facility only for warnings. We do not have an equivalent for higher return codes. It also is not clear to me that such a thing would be particularly desirable in general. I think you really want to "half-suppress" these specific messages rather than anything that has RC 8. At least I would think that you would want to review a new kind of error when it occurred.

In CKRCARLA selected messages can be adjusted using OPTION MSGRC=(msgno,rc). This is a facility that only accepts certain messages--not all of them--and you need to consciously look at each eligible message and decide what return code you want for it... be that lower (say, 0) or higher (say, 12). CKFCOLL does not have this concept yet, but my thinking is that that might also be a viable path to get where you want if you are considering filing an RFE. I will say that building something like that for a few select messages would be a relatively easy thing to do.

Regards,

------------------------------
Jeroen Tiggelman
Software Development and Level 3 Support Manager IBM Security zSecure Suite
IBM
Delft
------------------------------

Original Message:
Sent: Thu October 29, 2020 11:50 AM
From: Anji Stephens
Subject: Full-size CKFREEZE return code 08

Hi,
We are running a daily job to produce a full-size CKFREEZE:
FOCUS=(ADMINRACF,AUDITRACF,VISUAL)
IO=Y,TCPIP=Y,DASD=Y,TAPE=N,SWCH=N,PATH=N,VTOC=Y,VVDS=Y,PDS=Y,CAT=Y,MCD=Y,BCD=Y,DMS=Y,ABR=Y,TMC=Y,RMM=Y,VMF=Y,UNIX=Y,
UNIXCLIENT=N,RECALL=Y,AUTOMOUNT=Y,UNIXACL=Y,SHARED=Y,OFFLINE=N,SMS=Y,STATS=N,IDR=N,CHECK=N,SCAN=Y,PARALLEL=PATH,
REPORT,KEY0,BYPASS,SIO,XMEM,XMDSN,DIAG,UID0,ENQ=Y,DDLIMIT=1536,IOTIMEOUT=60,PDSEBUFSIZE=150,SIGVER=N,XTIOT=Y,MOD=Y,
NJE=Y,CICS=Y,IMS=Y,MQ=Y,DB2=Y,DB2CAT=Y,DB2ADM,CKDS=Y,PKDS=Y,TKDS=Y,SYMKEYTEST=N,CF=Y,SERIALIZATION(ENQ(CKRDSN),FAIL)

Unfortunately, on a regular basis, this job ends with a return code 08 due to underlying system problems such as:

CKF0347 08 Duplicate pathname MNTE devices 31640 and 31643 FS name XXXX
mountpoint /u/yyyy

CKF0062 08 Connected catalog XXXXX  SYS1.CATALOG.yyyy not found on volumes processed

However, the CKFREEZE file is created and usable. 

Unfortunately, a return code 08 is not acceptable, and neither is suppressing these messages. 

Do you have any suggestions on how we can have this job ending with a return code other than 08, i.e. 00 or 04?

Is there a parameter such as NOWARNINGRC that deals with return code 08?

Thanks and regards,


------------------------------
Anji Stephens
------------------------------

Thank you Jeroen

------------------------------
Anji Stephens
------------------------------

Original Message:
Sent: Thu October 29, 2020 01:05 PM
From: Jeroen Tiggelman
Subject: Full-size CKFREEZE return code 08

Hi Anji,

NOWARNINGRC is a special facility only for warnings. We do not have an equivalent for higher return codes. It also is not clear to me that such a thing would be particularly desirable in general. I think you really want to "half-suppress" these specific messages rather than anything that has RC 8. At least I would think that you would want to review a new kind of error when it occurred.

In CKRCARLA selected messages can be adjusted using OPTION MSGRC=(msgno,rc). This is a facility that only accepts certain messages--not all of them--and you need to consciously look at each eligible message and decide what return code you want for it... be that lower (say, 0) or higher (say, 12). CKFCOLL does not have this concept yet, but my thinking is that that might also be a viable path to get where you want if you are considering filing an RFE. I will say that building something like that for a few select messages would be a relatively easy thing to do.

Regards,

------------------------------
Jeroen Tiggelman
Software Development and Level 3 Support Manager IBM Security zSecure Suite
IBM
Delft

Original Message:
Sent: Thu October 29, 2020 11:50 AM
From: Anji Stephens
Subject: Full-size CKFREEZE return code 08

Hi,
We are running a daily job to produce a full-size CKFREEZE:
FOCUS=(ADMINRACF,AUDITRACF,VISUAL)
IO=Y,TCPIP=Y,DASD=Y,TAPE=N,SWCH=N,PATH=N,VTOC=Y,VVDS=Y,PDS=Y,CAT=Y,MCD=Y,BCD=Y,DMS=Y,ABR=Y,TMC=Y,RMM=Y,VMF=Y,UNIX=Y,
UNIXCLIENT=N,RECALL=Y,AUTOMOUNT=Y,UNIXACL=Y,SHARED=Y,OFFLINE=N,SMS=Y,STATS=N,IDR=N,CHECK=N,SCAN=Y,PARALLEL=PATH,
REPORT,KEY0,BYPASS,SIO,XMEM,XMDSN,DIAG,UID0,ENQ=Y,DDLIMIT=1536,IOTIMEOUT=60,PDSEBUFSIZE=150,SIGVER=N,XTIOT=Y,MOD=Y,
NJE=Y,CICS=Y,IMS=Y,MQ=Y,DB2=Y,DB2CAT=Y,DB2ADM,CKDS=Y,PKDS=Y,TKDS=Y,SYMKEYTEST=N,CF=Y,SERIALIZATION(ENQ(CKRDSN),FAIL)

Unfortunately, on a regular basis, this job ends with a return code 08 due to underlying system problems such as:

CKF0347 08 Duplicate pathname MNTE devices 31640 and 31643 FS name XXXX
mountpoint /u/yyyy

CKF0062 08 Connected catalog XXXXX  SYS1.CATALOG.yyyy not found on volumes processed

However, the CKFREEZE file is created and usable. 

Unfortunately, a return code 08 is not acceptable, and neither is suppressing these messages. 

Do you have any suggestions on how we can have this job ending with a return code other than 08, i.e. 00 or 04?

Is there a parameter such as NOWARNINGRC that deals with return code 08?

Thanks and regards,


------------------------------
Anji Stephens
------------------------------

In addition to what Jeroen mentioned, CKFCOLL has an option to completely suppress certain messages. Disadvantage is that you don't known anymore if your CKFREEZE has errors or not. You could add e.g. the following: SUP=(347,062)

------------------------------
Guus Bonnes
------------------------------

Original Message:
Sent: Thu October 29, 2020 11:50 AM
From: Anji Stephens
Subject: Full-size CKFREEZE return code 08

Hi,
We are running a daily job to produce a full-size CKFREEZE:
FOCUS=(ADMINRACF,AUDITRACF,VISUAL)
IO=Y,TCPIP=Y,DASD=Y,TAPE=N,SWCH=N,PATH=N,VTOC=Y,VVDS=Y,PDS=Y,CAT=Y,MCD=Y,BCD=Y,DMS=Y,ABR=Y,TMC=Y,RMM=Y,VMF=Y,UNIX=Y,
UNIXCLIENT=N,RECALL=Y,AUTOMOUNT=Y,UNIXACL=Y,SHARED=Y,OFFLINE=N,SMS=Y,STATS=N,IDR=N,CHECK=N,SCAN=Y,PARALLEL=PATH,
REPORT,KEY0,BYPASS,SIO,XMEM,XMDSN,DIAG,UID0,ENQ=Y,DDLIMIT=1536,IOTIMEOUT=60,PDSEBUFSIZE=150,SIGVER=N,XTIOT=Y,MOD=Y,
NJE=Y,CICS=Y,IMS=Y,MQ=Y,DB2=Y,DB2CAT=Y,DB2ADM,CKDS=Y,PKDS=Y,TKDS=Y,SYMKEYTEST=N,CF=Y,SERIALIZATION(ENQ(CKRDSN),FAIL)

Unfortunately, on a regular basis, this job ends with a return code 08 due to underlying system problems such as:

CKF0347 08 Duplicate pathname MNTE devices 31640 and 31643 FS name XXXX
mountpoint /u/yyyy

CKF0062 08 Connected catalog XXXXX  SYS1.CATALOG.yyyy not found on volumes processed

However, the CKFREEZE file is created and usable. 

Unfortunately, a return code 08 is not acceptable, and neither is suppressing these messages. 

Do you have any suggestions on how we can have this job ending with a return code other than 08, i.e. 00 or 04?

Is there a parameter such as NOWARNINGRC that deals with return code 08?

Thanks and regards,


------------------------------
Anji Stephens
------------------------------

Thank you Guus

------------------------------
Anji Stephens
------------------------------

Original Message:
Sent: Fri October 30, 2020 04:34 AM
From: Guus Bonnes
Subject: Full-size CKFREEZE return code 08

In addition to what Jeroen mentioned, CKFCOLL has an option to completely suppress certain messages. Disadvantage is that you don't known anymore if your CKFREEZE has errors or not. You could add e.g. the following: SUP=(347,062)

------------------------------
Guus Bonnes

Original Message:
Sent: Thu October 29, 2020 11:50 AM
From: Anji Stephens
Subject: Full-size CKFREEZE return code 08

Hi,
We are running a daily job to produce a full-size CKFREEZE:
FOCUS=(ADMINRACF,AUDITRACF,VISUAL)
IO=Y,TCPIP=Y,DASD=Y,TAPE=N,SWCH=N,PATH=N,VTOC=Y,VVDS=Y,PDS=Y,CAT=Y,MCD=Y,BCD=Y,DMS=Y,ABR=Y,TMC=Y,RMM=Y,VMF=Y,UNIX=Y,
UNIXCLIENT=N,RECALL=Y,AUTOMOUNT=Y,UNIXACL=Y,SHARED=Y,OFFLINE=N,SMS=Y,STATS=N,IDR=N,CHECK=N,SCAN=Y,PARALLEL=PATH,
REPORT,KEY0,BYPASS,SIO,XMEM,XMDSN,DIAG,UID0,ENQ=Y,DDLIMIT=1536,IOTIMEOUT=60,PDSEBUFSIZE=150,SIGVER=N,XTIOT=Y,MOD=Y,
NJE=Y,CICS=Y,IMS=Y,MQ=Y,DB2=Y,DB2CAT=Y,DB2ADM,CKDS=Y,PKDS=Y,TKDS=Y,SYMKEYTEST=N,CF=Y,SERIALIZATION(ENQ(CKRDSN),FAIL)

Unfortunately, on a regular basis, this job ends with a return code 08 due to underlying system problems such as:

CKF0347 08 Duplicate pathname MNTE devices 31640 and 31643 FS name XXXX
mountpoint /u/yyyy

CKF0062 08 Connected catalog XXXXX  SYS1.CATALOG.yyyy not found on volumes processed

However, the CKFREEZE file is created and usable. 

Unfortunately, a return code 08 is not acceptable, and neither is suppressing these messages. 

Do you have any suggestions on how we can have this job ending with a return code other than 08, i.e. 00 or 04?

Is there a parameter such as NOWARNINGRC that deals with return code 08?

Thanks and regards,


------------------------------
Anji Stephens
------------------------------

Hi Anji, When I was a customer, I did exactly what Guus suggested;  I had a long list of message numbers that were suppressed from our daily builds of CKFREEZE.  As you observed, many of the RC=08 msgs do not impair your ability to use the CKFREEZE info for various reporting.  Operationally, we wanted to avoid RC=08 in our daily scheduled jobs, so we embraced the suppress for those msgs that we deemed not too consequential for our purposes.

Periodically (quarterly?) I used to run a manual CKFREEZE without the suppress msg=(nnn,...) statement,  and then sit down with the various sysprog teams and review them.  Some opinions consider that zSecure tends to really split hairs, others that it is merely reporting precisely what it finds (my personal opinion).   Only you can determine whether a specific error msg is important to you or not.

For daily security type reporting, I found my list to be adequate.  For a deep dive, OS audit, I would pay closer attention to them.

Simon

------------------------------
Simon Dodge
------------------------------

Original Message:
Sent: Thu October 29, 2020 11:50 AM
From: Anji Stephens
Subject: Full-size CKFREEZE return code 08

Hi,
We are running a daily job to produce a full-size CKFREEZE:
FOCUS=(ADMINRACF,AUDITRACF,VISUAL)
IO=Y,TCPIP=Y,DASD=Y,TAPE=N,SWCH=N,PATH=N,VTOC=Y,VVDS=Y,PDS=Y,CAT=Y,MCD=Y,BCD=Y,DMS=Y,ABR=Y,TMC=Y,RMM=Y,VMF=Y,UNIX=Y,
UNIXCLIENT=N,RECALL=Y,AUTOMOUNT=Y,UNIXACL=Y,SHARED=Y,OFFLINE=N,SMS=Y,STATS=N,IDR=N,CHECK=N,SCAN=Y,PARALLEL=PATH,
REPORT,KEY0,BYPASS,SIO,XMEM,XMDSN,DIAG,UID0,ENQ=Y,DDLIMIT=1536,IOTIMEOUT=60,PDSEBUFSIZE=150,SIGVER=N,XTIOT=Y,MOD=Y,
NJE=Y,CICS=Y,IMS=Y,MQ=Y,DB2=Y,DB2CAT=Y,DB2ADM,CKDS=Y,PKDS=Y,TKDS=Y,SYMKEYTEST=N,CF=Y,SERIALIZATION(ENQ(CKRDSN),FAIL)

Unfortunately, on a regular basis, this job ends with a return code 08 due to underlying system problems such as:

CKF0347 08 Duplicate pathname MNTE devices 31640 and 31643 FS name XXXX
mountpoint /u/yyyy

CKF0062 08 Connected catalog XXXXX  SYS1.CATALOG.yyyy not found on volumes processed

However, the CKFREEZE file is created and usable. 

Unfortunately, a return code 08 is not acceptable, and neither is suppressing these messages. 

Do you have any suggestions on how we can have this job ending with a return code other than 08, i.e. 00 or 04?

Is there a parameter such as NOWARNINGRC that deals with return code 08?

Thanks and regards,


------------------------------
Anji Stephens
------------------------------

Thank you Simon, that's good advice.

Regards,

------------------------------
Anji Stephens
------------------------------

Original Message:
Sent: Mon November 02, 2020 11:23 AM
From: Simon Dodge
Subject: Full-size CKFREEZE return code 08

Hi Anji, When I was a customer, I did exactly what Guus suggested;  I had a long list of message numbers that were suppressed from our daily builds of CKFREEZE.  As you observed, many of the RC=08 msgs do not impair your ability to use the CKFREEZE info for various reporting.  Operationally, we wanted to avoid RC=08 in our daily scheduled jobs, so we embraced the suppress for those msgs that we deemed not too consequential for our purposes.

Periodically (quarterly?) I used to run a manual CKFREEZE without the suppress msg=(nnn,...) statement,  and then sit down with the various sysprog teams and review them.  Some opinions consider that zSecure tends to really split hairs, others that it is merely reporting precisely what it finds (my personal opinion).   Only you can determine whether a specific error msg is important to you or not.

For daily security type reporting, I found my list to be adequate.  For a deep dive, OS audit, I would pay closer attention to them.

Simon

------------------------------
Simon Dodge

Original Message:
Sent: Thu October 29, 2020 11:50 AM
From: Anji Stephens
Subject: Full-size CKFREEZE return code 08

Hi,
We are running a daily job to produce a full-size CKFREEZE:
FOCUS=(ADMINRACF,AUDITRACF,VISUAL)
IO=Y,TCPIP=Y,DASD=Y,TAPE=N,SWCH=N,PATH=N,VTOC=Y,VVDS=Y,PDS=Y,CAT=Y,MCD=Y,BCD=Y,DMS=Y,ABR=Y,TMC=Y,RMM=Y,VMF=Y,UNIX=Y,
UNIXCLIENT=N,RECALL=Y,AUTOMOUNT=Y,UNIXACL=Y,SHARED=Y,OFFLINE=N,SMS=Y,STATS=N,IDR=N,CHECK=N,SCAN=Y,PARALLEL=PATH,
REPORT,KEY0,BYPASS,SIO,XMEM,XMDSN,DIAG,UID0,ENQ=Y,DDLIMIT=1536,IOTIMEOUT=60,PDSEBUFSIZE=150,SIGVER=N,XTIOT=Y,MOD=Y,
NJE=Y,CICS=Y,IMS=Y,MQ=Y,DB2=Y,DB2CAT=Y,DB2ADM,CKDS=Y,PKDS=Y,TKDS=Y,SYMKEYTEST=N,CF=Y,SERIALIZATION(ENQ(CKRDSN),FAIL)

Unfortunately, on a regular basis, this job ends with a return code 08 due to underlying system problems such as:

CKF0347 08 Duplicate pathname MNTE devices 31640 and 31643 FS name XXXX
mountpoint /u/yyyy

CKF0062 08 Connected catalog XXXXX  SYS1.CATALOG.yyyy not found on volumes processed

However, the CKFREEZE file is created and usable. 

Unfortunately, a return code 08 is not acceptable, and neither is suppressing these messages. 

Do you have any suggestions on how we can have this job ending with a return code other than 08, i.e. 00 or 04?

Is there a parameter such as NOWARNINGRC that deals with return code 08?

Thanks and regards,


------------------------------
Anji Stephens
------------------------------