Users cannot log on |
Action:
- Check whether any error messages were issued for the user request
and make sure that message IDs are included with the messages. If
a batch job produced the output, check that the job statement had
MSGLEVEL=(1,1) specified. If a TSO/E user had the problem, check that
the user profile had these options: PROFILE WTPMSG MSGID.
- If only one or a few users cannot log on, check that they are
using the current password. If no users can log on, do the rest of
this procedure.
- There might be a password synchronization problem. You should be
able to recognize one because the user's old password is either
accepted as correct or treated as expired. If user ID associations
are being used to synchronize passwords, enter a RACLINK LIST command
on each system to check the user's user ID association.
- If the database should have been updated by a command that was
issued on another system in the RACF® remote sharing facility (RRSF)
network, check the status of the connection with a TARGET LIST
command on this system and on the originating system. Also,
check the RRSFDATA profiles on the originating system.
- Check the system date in effect for the current system IPL. If
the wrong date is in effect, users who cannot log on might have the
REVOKE attribute in their user profiles. See z/OS Security Server RACF Security Administrator's Guide
for more information about the REVOKE attribute.
- If you are sharing your database with other systems, make sure
that all systems sharing the database are using the same password
authentication algorithm, and that there has not been a period of
time when the systems were using different algorithms.
  The default password authentication algorithm for the RACF component
  of the SecureWay Security Server is the Data Encryption Standard (DES)
  algorithm. The default password authentication algorithm for RACF on
  MVS™ beginning with RACF 2.1 is the DES algorithm, but for releases
  previous to RACF 2.1 the default is the masking algorithm. Make
  sure that you have taken the correct steps to activate the algorithm
  that you intend to use on each system sharing the database. See
  z/OS Security Server RACF System Programmer's Guide for more information.
- If you are using a PassTicket, make sure:
  - The PTKTDATA class has been activated and a class profile exists.
  - You do not try to use the same PassTicket more than once.
  - The GMT clock on the evaluating computer is within the valid time
    range.
  For more information, see z/OS Security Server RACF Security Administrator's Guide.
- See Performing a preliminary search for a matching problem.
If you do not find a matching problem, you need to collect problem
information to report to IBM®, using the procedures in the remainder of
this list.
- Get a printed or online copy of the SMF records related
to the logon problem. You need it to analyze the problem or report
the problem to IBM.
- See Searching for a matching problem.
- See Reporting RACF problems to IBM.
|
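
The three PassTicket checks in the list above, modeled in Python as an added example (not IBM's code and not RACF's PassTicket algorithm) to show which condition rejects a ticket first. The class name, the ticket tuple, the user and application names, and the 10-minute window are assumptions made for illustration; the page says only "valid time range".

```python
from datetime import datetime, timedelta, timezone

# Assumption: the page says only "valid time range"; 10 minutes is a placeholder.
VALID_WINDOW = timedelta(minutes=10)


class PassTicketEvaluator:
    """Toy model of the evaluating system; not RACF's PassTicket algorithm."""

    def __init__(self, class_active, profiled_apps, clock_error=timedelta(0)):
        self.class_active = class_active         # is the PTKTDATA class active?
        self.profiled_apps = set(profiled_apps)  # apps with a PTKTDATA profile
        self.clock_error = clock_error           # evaluator GMT clock minus true GMT
        self.used = set()                        # tickets already accepted

    def evaluate(self, ticket, true_gmt):
        """Return 'accepted' or the first check from the list that fails."""
        user, app, issued_gmt, value = ticket
        if not self.class_active:
            return "PTKTDATA class not active"
        if app not in self.profiled_apps:
            return "no PTKTDATA profile for application"
        if (user, app, value) in self.used:
            return "PassTicket already used"
        evaluator_gmt = true_gmt + self.clock_error
        if abs(evaluator_gmt - issued_gmt) > VALID_WINDOW:
            return "evaluator GMT clock outside valid time range"
        self.used.add((user, app, value))
        return "accepted"


def run_scenarios():
    """Evaluate one constructed ticket against constructed evaluator states."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed time
    ticket = ("USERA", "APPL1", now, "TICKET01")             # constructed ticket
    good = PassTicketEvaluator(True, ["APPL1"])
    skewed = PassTicketEvaluator(True, ["APPL1"], clock_error=timedelta(hours=1))
    return {
        "class inactive": PassTicketEvaluator(False, ["APPL1"]).evaluate(ticket, now),
        "no profile": PassTicketEvaluator(True, []).evaluate(ticket, now),
        "first use": good.evaluate(ticket, now + timedelta(minutes=1)),
        "second use": good.evaluate(ticket, now + timedelta(minutes=2)),
        "clock off by 1h": skewed.evaluate(ticket, now + timedelta(minutes=1)),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The one-hour clock error in the last scenario is the kind of offset that appears when the evaluating system's GMT clock is set to local time.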