I have implemented securing OMEGAMON for CICS on z/OS Take Action commands to execute requests from OMEGAMON TIVOLI MANAGER (TOM-3270UI). I have followed all the steps shown in the OMEGAMON for CICS planning and customization v550 manual for this implementation. Once this option was implemented, when I ran a take action to kill a CICS transaction from 3270UI, the command was rejected and I got the following popup message:
KCP4021E: NO SECURITY DECISION COULD BE MADE
I am continuing to investigate my issue, but since I haven't installed Netview for zOS software in my LPAR environment, could that be the origin of my issue?
Answer by ManuelPB (16) | Mar 05 at 09:47 AM
Hi Alex, The issue has been solved. We had defined the resource names for the AIDK (KILL AIDS), ICEK (KILL ICES), RLIM, TRACE, and WTO Take Action commands, but we hadn't done so for the CEMT SET Take Action command. Once we defined the profile KCP.smfid.cicsname.TAKEACTION.SET.CEMT.*, the take action commands were executed with success. Thanks.
Answer by AlesMaly (36) | Mar 05 at 02:28 AM
Hi @ManuelPB
According to the documentation: Review messages KCP4025I, KCP4027I, and, if present, KCP4026I in the RKLVLOG output to determine why the SAF call did not succeed. Do you have any of these messages in tasks output - TOM,DS?
For implementing security, I believe you followed https://www.ibm.com/support/knowledgecenter/SSLSDR_5.5.0/com.ibm.omegamon_cics.doc_5.5.0/planning/kcpa3053.htm which means you have RTE_SECURITY_CLASS defined in RACF and used by Omegamon, have resource KCP.smfid.cicsname.TAKEACTION.** defined and are authorised to use it - ACCESS(READ). This should be enough to allow you to use takeaction commands.
Answer by ManuelPB (16) | Mar 05 at 03:11 AM
Hi Ales, Thank you for your answer. Yes, I saw the messages you mentioned. These messages appeared in RKVLOG of the OMEGAMON for CICS on z/OS Agent.
2019.060 12:16:31.95 (0000-E367E78B:kglhc1c.c,220,"InitAutoCmdAuthorDirectory") Automation command author ID security DISABLED.
2019.060 12:16:31.97 (0001-E367E78B:kglhc1c.c,223,"InitAutoCmdAuthorDirectory") Automation command author ID mapping DISABLED.
2019.060 12:16:31.97 (0002-E367E78B:kglhc1c.c,226,"InitAutoCmdAuthorDirectory") Automation command author ID TakeAction security DISABLED.
2019.060 12:16:31.98 KCP0005: AGENT KCPACT@S PTF UA95610 @ 14587570 ASSEMBLY 03/19/18 19:45
2019.060 12:16:31.99 KCP4025I: USER=PDMFEGO CLASS=$OMEG RESOURCE=KCP.DESA.CPRUE.TAKEACTION.KILL.TASK
2019.060 12:16:31.99 KCP4026I: RACROUTE AUTH REG15=00000004 SAFPRRET=00000004 SAFPRREA=00000000 SAFPSFRC=00000000 SAFPSFRS=00000000
2019.060 12:16:31.99 KCP4027I: USER=PDMFEGO RESULT: NO SECURITY DECISION COULD BE MADE
2019.060 12:16:32.01 (0000-E367E78B:kraaulog.cpp,475,"ctira_insert_log") KRAIRA002, Executed with status 8, Producer(Automation Command).
Exactly, I defined the RTE_SECURITY_CLASS ($OMEG) and the RACF resources were authorised as ACCESS(READ). On the other hand, I verified that the message "Identify Manager security compatibility operation in effect" appeared in the TEMS RKVLOG. OK. I will continue investigating the reason why my take action wasn't allowed, now that I understand the Netview for zOS software is not involved. Thank you.
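Added example, not part of any post in this thread and not IBM code: a Python script that correlates the KCP4025I, KCP4026I and KCP4027I lines of an agent log and lists the user, class and resource of every SAF check that ended without a security decision, which is the set of resource names to compare against the profiles defined in the security class. The sample log is constructed from the excerpt above, and the function names are illustrative.

```python
import re

# Constructed sample, modelled on the log excerpt quoted in the thread.
SAMPLE_LOG = """\
2019.060 12:16:31.98 KCP0005: AGENT KCPACT@S PTF UA95610 @ 14587570 ASSEMBLY 03/19/18 19:45
2019.060 12:16:31.99 KCP4025I: USER=PDMFEGO CLASS=$OMEG RESOURCE=KCP.DESA.CPRUE.TAKEACTION.KILL.TASK
2019.060 12:16:31.99 KCP4026I: RACROUTE AUTH REG15=00000004 SAFPRRET=00000004 SAFPRREA=00000000 SAFPSFRC=00000000 SAFPSFRS=00000000
2019.060 12:16:31.99 KCP4027I: USER=PDMFEGO RESULT: NO SECURITY DECISION COULD BE MADE
"""

MSG = re.compile(r"^(\d{4}\.\d{3} \d\d:\d\d:\d\d\.\d\d) (KCP402[567]I): (.*)$")
KV = re.compile(r"(\w+)=(\S+)")


def parse_saf_checks(text):
    """Group each KCP4025I request with its KCP4026I codes and KCP4027I result."""
    checks, current = [], None
    for line in text.splitlines():
        m = MSG.match(line.strip())
        if not m:
            continue  # unrelated log line
        stamp, msgid, body = m.groups()
        if msgid == "KCP4025I":  # starts a new check: USER, CLASS, RESOURCE
            current = {"time": stamp, "codes": {}, "result": None}
            current.update(KV.findall(body))
            checks.append(current)
        elif current is None:
            continue  # codes or result with no preceding request line
        elif msgid == "KCP4026I":  # RACROUTE return and reason codes (hex)
            current["codes"] = {k: int(v, 16) for k, v in KV.findall(body)}
        else:  # KCP4027I: final result for the same user
            user, _, result = body.partition(" RESULT: ")
            if user == "USER=" + current.get("USER", ""):
                current["result"] = result.strip()
    return checks


def undecided(checks):
    """Return (user, class, resource) for checks where SAF made no decision."""
    return [(c.get("USER"), c.get("CLASS"), c.get("RESOURCE"))
            for c in checks
            if c["result"] and "NO SECURITY DECISION" in c["result"]]


if __name__ == "__main__":
    for user, cls, resource in undecided(parse_saf_checks(SAMPLE_LOG)):
        print(f"no decision: user={user} class={cls} resource={resource}")
```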