EZD1280I applname client CONNECTION
ATTEMPT FROM USER userid AT IP ADDRESS ip_addr
FAILED REASON CODE reason Explanation The Advisor received a connection request at the
specified IP address at the specified IP address from an Agent or
load balancer with the specified user ID. Authorization for connection
to the Advisor failed for the specified user ID.
In the message
text: - applname
- The name of the application that received the connection request.
Possible values are:
- LBADV for the z/OS® Load
Balancing Advisor (Advisor).
- The job name of the Advisor, if it is configured for subplexing.
- client
- The type of client that attempted to connect to the Advisor. Possible
values are:
- AGENT for the z/OS Load
Balancing Agent
- LB for a load balancer or ADNR connection
- userid
- The user ID of the load balancer or Load Balancing Agent that
is requesting access to the Advisor. If the user ID is not obtained
from AT-TLS, the value is UNKNOWN.
- ip_addr
- The IP address of the load balancer or Load Balancing Agent.
- reason
- A code that explains the failure. Possible values are:
- 1
- The Advisor TCP/IP stack is not configured for Application Transparent
Transport Layer Security (AT-TLS), and the Advisor configuration file
did not allow connections from this client. The TTLS option in the
TCP/IP profile TCPCONFIG statement enables the stack for AT-TLS.
- 2
- There is not a usable AT-TLS policy for this connection, and the
Advisor configuration file did not allow connections from this client.
For example, the policy agent is not active, or the AT-TLS policy
for this connection specifies the wrong port.
- 3
- The AT-TLS policy defined for this onnection does not enable AT-TLS,
and the Advisor configuration file did not allow connections from
this client. In the policy, the TTLSGroupAction statement is not
configured with TTLSEnabled set to ON.
- 4
- The AT-TLS policy that is defined for this connection does not
define the Advisor as a controlling application, and the Advisor configuration
file did not allow connections from this client. In the policy,
the TTLSEnvironmentAdvancedParms parameter is not configured with
ApplicationControlled set to On for the Advisor.
- 5
- The AT-TLS handshake failed for this connection, and the Advisor
configuration file did not allow connections from this client.
- 6
- System authorization facility (SAF) authorization failed for this
connection. The SERVAUTH class profile EZB.LBA.LBACCESS.sysname.tcpsysplexgroupname (for
a load balancer connection) or EZB.LBA.AGENTACCESS.sysname.tcpsysplexgroupname (for
an Agent connection) exists but the user is not authorized to use
this profile. The system does not use the Advisor configuration file
because the user is not authorized to use the SERVAUTH class profile.
- 7
- The Advisor was unable to obtain storage for processing an AT-TLS
connection request, and the Advisor configuration file did not allow
connections from this client.
- 8
- The Advisor call to the SIOCTTLSCTL IOCTL failed unexpectedly,
and the Advisor configuration file did not allow connections from
this client.
- 9
- System authorization facility (SAF) authorization failed for this
connection, and the Advisor configuration file did not allow connections
from this client. The SERVAUTH class profile EZB.LBA.LBACCESS.sysname.tcpsysplexgroupname (for
a load balancer connection) or EZB.LBA.AGENTACCESS.sysname.tcpsysplexgroupname (for
an Agent connection) is not protected by SAF.
System action The system continues processing. The client
that attempted to connect to the Advisor might continue to attempt
to connect.
Operator response If you are not using AT-TLS for this connection,
save the Advisor syslogd file and contact the system programmer.
If
you are using AT-TLS for this connection, take the action appropriate
for the reason as follows: - reason
- action
- 2
- Start the Policy Agent if it is not already started. If the AT-TLS
policy for the Advisor connections has changed, refresh the Policy
Agent. If the problem is not corrected, save the Advisor syslogd
file, the AT-TLS syslogd file, and the policy agent syslogd file,
then contact the system programmer.
- 7
- If the storage problem cannot be corrected, save the Advisor syslogd
file. If a dump was not created, take a dump of the Advisor address
space, then contact the system programmer.
- All other reasons
- Save the system console, the Advisor syslogd file, the AT-TLS
syslogd file, and the policy agent syslogd file, then contact the
system programmer.
See z/OS Communications Server: IP Diagnosis Guide for information about collecting diagnostic
data.
System programmer response If you are not using AT-TLS, examine
the Advisor syslogd file for errors. Correct the configuration file
as needed. See z/OS Communications Server: IP Configuration
Reference for information about configuring the Advisor and Agent and ADNR
application.
If you are using AT-TLS for this connection,
take action appropriate for the reason as follows: - 1
- Activate AT-TLS with the TCPCONFIG TTLS configuration statement.
Either correct and resubmit the original TCP/IP profile or submit
a VARY TCPIP,,OBEYFILE command. See the information about the TCPCONFIG statement in z/OS Communications Server: IP Configuration
Reference for more information about the TTLS parameter.
- 2
- If the Policy Agent is active and has been refreshed since the
last change to the AT-TLS policy, examine the system console, the
Advisor syslogd file, the AT-TLS syslogd file, and the policy agent
syslogd file for errors. Correct the AT-TLS policy for this connection.
See the information about diagnosing AT-TLS problems in z/OS Communications Server: IP Diagnosis Guide and Policy Agent and policy
applications in z/OS Communications Server: IP Configuration
Reference. Refresh the Policy Agent after changing
the policy.
- 3
- Change the AT-TLS policy for this connection in the TTLSGroupAction
statement to TTLSEnabled On. See the information about Policy Agent and policy applications in z/OS Communications Server: IP Configuration
Reference. Refresh the Policy Agent after changing
the policy.
- 4
- Change the AT-TLS policy for this connection in the TTLSEnvironmentAdvancedParms
statement to ApplicationControlled On for the server (Advisor).
See the information about Policy Agent and policy
applications in z/OS Communications Server: IP Configuration
Reference. Refresh the Policy Agent after changing
the policy.
- 5
- Correct the TLS handshake parameters in the AT-TLS policy for
this connection.
- See the information about Policy Agent and
policy applications in z/OS Communications Server: IP Configuration
Reference. Refresh the Policy Agent after changing
the policy. For example,
- Ensure that the HandshakeTimeout value for the Advisor policy
is sufficient (for example, 30 seconds)
- Ensure that the HandshakeRole value for the Advisor is ServerWithClientAuth
or Server.
- Ensure that the HandshakeRole value for the Agent and load balancers
is Client.
- 6
- Ensure that the user ID has at least read access to the correct
SERVAUTH class profile (EZB.LBA.LBACCESS.sysname.tcpsysplexgroupname for
a load balancer connection, EZB.LBA.AGENTACCESS.sysname.tcpsysplexgroupname for
an Agent connection). For more information, see z/OS Security Server RACF Command Language Reference .
- 7
- If the storage problem cannot be corrected, contact IBM® software support services with all supporting
documentation. The application syslogd file is the minimum diagnostic
data that should be provided. See z/OS Communications Server: IP Diagnosis Guide for information about collecting diagnostic
data.
- 8
- Examine the system console, the Advisor syslogd file, the AT-TLS
syslogd file, and the policy agent syslogd file for errors. Ensure
that the certificate is correct. For more information, see z/OS Security Server RACF Command Language Reference. If the problem is not corrected, contact
IBM software support services
with all supporting documentation. See z/OS Communications Server: IP Diagnosis Guide for information about collecting diagnostic
data.
- 9
- Define and permit the LBACCESS and AGENTACCESS profiles on each
system where the Advisor can run. Ensure that the user ID has at
least read access to the correct SERVAUTH class profile (EZB.LBA.LBACCESS.sysname.tcpsysplexgroupname for
a load balancer connection, EZB.LBA.AGENTACCESS.sysname.tcpsysplexgroupname for
an Agent connection). See the z/OS Security Server RACF Command Language Reference for information about the RDEFINE (Define
General Resource Profile).
User response
Problem determination
Source z/OS Communications
Server TCP/IP: Load Balancing Advisor
Module
Routing code
Descriptor code
Example EZD1280I LBADV AGENT CONNECTION ATTEMPT FROM USER AGENT1 AT IP ADDRESS 192.10.1.1 FAILED REASON CODE 6
|