z/OS Security Server RACF Diagnosis Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Obtaining traces

z/OS Security Server RACF Diagnosis Guide
GA32-0886-00

When access to a resource is allowed (or denied) incorrectly, you can obtain more data about the problem with GTF trace. GTF trace must be activated to obtain trace output just before reproducing the problem.

To obtain a trace when access is incorrectly denied, do:
  1. To start GTF, enter this command: 
    START GTF,TRACE=SLIP
  2. Set this SLIP trap: 
    SLIP SET,IF,LPAEP=(ICHRFR00,0,0),ACTION=TRACE,JOBNAME=xxx,
     TRDATA=(STD,REGS,1R??,+100),END

    where xxx is the job name of a batch job or the user ID of an interactive user.

    This SLIP trap produces a GTF trace entry each time a RACROUTE macro is invoked (ICHRFR00 is the module called by RACROUTE). The trace entry contains the parameter list passed with the RACROUTE macro request.

  3. Use the START GTF command to trace the SVCs related to the RACHECK macro (equivalent to SVC 130) and RACDEF macro (equivalent to SVC 133). There is more than one way to do this. This is a suggestion only:
    1. On the master console, enter the START GTF command with TRACE=SVCP specified.
    2. When GTF prompts for trace-event keywords, specify SVC=(130,133).
  4. Run the job that has the access problem (or ask the user to attempt to gain access to the resource again) while GTF is on.
  5. Stop GTF after the job has ended or after the user has attempted access.
  6. Examine the GTF trace output. See z/OS MVS IPCS Commands for more information.
Parent topic: Collecting problem data

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014