IBM Security Z Security

When we are running batch jobs issuing commands and we forget to issue the CKXLOGID command, we get a lot of "No Ticket Identifier" in the output of the job.  When we are in zSecure we are prompted for ticket information, so not much of a chance to see the "No Ticket Identifier" message.

Is that message customizable, can the text be changed by the customer?

Right now we are only running with C4RMAIN, so only commands that go through Command Verifier are being processed by Command Logger.   Is there a way that if the RACF commands are submitted from batch without a ticket, can the message be suppressed?   Typically if you are using batch to make changes, it could be hundreds of thousands of changes.  I may not want to see all those messages because I forgot the CKXLOGID command at the top of my job.


------------------------------
Linnea Sullivan
------------------------------

As a work-around you could permit the user IDs that use the batch interface UPDATE to C4R.*.=CKXLOG, because access to these profiles is interpreted as:

NONE
This control is not active for the terminal user. The command is not logged through CKXLOG.

READ
The command as optionally modified and approved by zSecure Command Verifier is logged through CKXLOG. If no ticket information is present, or if the CKXLOG server is not active, a warning message is issued.

UPDATE
The command as optionally modified and approved by zSecure Command Verifier is logged through CKXLOG. Warning messages about missing ticket information or an inactive CKXLOG server are suppressed.

CONTROL
Same as UPDATE.


See last page of pdf.

------------------------------
Rob van Hoboken
------------------------------

Original Message:
Sent: Wed March 25, 2020 03:53 PM
From: Linnea Sullivan
Subject: Command Logger Message for No Ticket

When we are running batch jobs issuing commands and we forget to issue the CKXLOGID command, we get a lot of "No Ticket Identifier" in the output of the job.  When we are in zSecure we are prompted for ticket information, so not much of a chance to see the "No Ticket Identifier" message.

Is that message customizable, can the text be changed by the customer?

Right now we are only running with C4RMAIN, so only commands that go through Command Verifier are being processed by Command Logger.   Is there a way that if the RACF commands are submitted from batch without a ticket, can the message be suppressed?   Typically if you are using batch to make changes, it could be hundreds of thousands of changes.  I may not want to see all those messages because I forgot the CKXLOGID command at the top of my job.


------------------------------
Linnea Sullivan
------------------------------

Original Message------

As a work-around you could permit the user IDs that use the batch interface UPDATE to C4R.*.=CKXLOG, because access to these profiles is interpreted as:

NONE
This control is not active for the terminal user. The command is not logged through CKXLOG.

READ
The command as optionally modified and approved by zSecure Command Verifier is logged through CKXLOG. If no ticket information is present, or if the CKXLOG server is not active, a warning message is issued.

UPDATE
The command as optionally modified and approved by zSecure Command Verifier is logged through CKXLOG. Warning messages about missing ticket information or an inactive CKXLOG server are suppressed.

CONTROL
Same as UPDATE.


See last page of pdf.

------------------------------
Rob van Hoboken
------------------------------