When attempting to register a new RACF directory on eTrust Admin server, the eTrust DSI process (secv3) immediately has an ABEND on the mainframe. (Connect failed with error: 15, SIGCNCL)

Document ID : KB000055453
Last Modified Date : 14/02/2018
Show Technical Document Details

DESCRIPTION:


Further Symptoms:


  1. When eTrust Admin was trying to register a new RACF directory, the secv3 process has an ABEND on mainframe:
    STC00557  BPXP010I THREAD 08340F4000000001, IN PROCESS 16777253, WAS
              TERMINATED BY SIGNAL SIGCNCL, SENT FROM THREAD
              0833F56000000004, IN PROCESS 16777253, UID 0.
    STC00557  IEF450I SECV3 - ABEND=S422 U0000 REASON=000001A0 
              ...
    STC00557  $HASP395 SECV3    ENDED
  2. Then, eTrust Admin receives an alert:
    Connect Failed with error: 15. Please re-check your value, 
    and make sure DSI is running on your RACF system and re-try 

Cause:


This issue usually is due to eTrust DSI not getting APF authorization.


Confirm:


To further confirm the cause, please:


Start with confirming, whether the last eTrust DSI operation is LDAPVFYC before the ABEND:

  1. switch eTrust DSI debug flag to 'debug 65535' in <HFS dir>/si.conf
  2. restart eTrust DSI and reproduce the issue
  3. open the generated '<HFS dir>/siv3.stderr.log' file
  4. check if the last operation of eTrust DSI is LDAPVFYC. for example:

    +++LDAPVFYC("etrafcadm",<hidden>,NULL,"9B23A9B5",NULL,NULL,NULL,NULL)

    if LDAPVFYC is indeed the last operation before the ABEND is, then confirm whether eTrust DSI gets correct APF authorization:

    1. In USS, go to eTrust DSI installation directory
    2. Issue 'ls -lE'
    3. Check if any eTrust DSI executable module lacks 'a' and 'p' flags.

      The executable modules are lib*.dll, rmtauthz and rmttso. Lacking the flag means APF authorization is missed

SOLUTION:

Run './permitsi' in USS to do APF authorization for eTrust DSI.
As a correct result, the output of 'ls -lE' would be:

drwxrwxrw-        2 OMVSKERN OMVSDGRP    8192 Oct  5 01:16 certs
-rwxrwxrwx  ap--  1 OMVSKERN OMVSDGRP 4521984 Oct  5 01:15 libcrypto.dll
-rwxrwxrwx  ap--  1 OMVSKERN OMVSDGRP  348160 Oct  5 01:15 libetcer.dll
-rwxrwxrwx  ap--  1 OMVSKERN OMVSDGRP  688128 Oct  5 01:15 libocspc.dll
-rwxrwxrwx  ap--  1 OMVSKERN OMVSDGRP  966656 Oct  5 01:15 libssl.dll
-rwxrwxrwx  ----  1 OMVSKERN OMVSDGRP      95 Oct  5 01:15 permitsi
-rwxrwxrwx  ap--  1 OMVSKERN OMVSDGRP  589824 Oct  5 01:15 rmtauthz
-rwxrwxrwx  ap--  1 OMVSKERN OMVSDGRP   98304 Oct  5 01:15 rmttso
-rw-rw-rw-  ----  1 OMVSKERN OMVSDGRP      30 Oct  5 01:14 si.conf
-rw-rw-rw-  ----  1 OMVSKERN OMVSDGRP     314 Oct  5 01:14 si.env
-rwxrw-rw-  ----  1 OMVSKERN OMVSDGRP       0 Oct  5 21:02 siv3.stderr.log
-rwxrw-rw-  ----  1 OMVSKERN OMVSDGRP       0 Oct  5 20:32 siv3.stdout.log

All eTrust DSI modules get 'a' and 'p' flags.

Other Relevant Information

  • To switch on eTrust DSI full logging mode, please edit si.conf and set the debug parameter to 'debug 65535'.
  • eTrust DSI requires APF authorization in order to make RACROUTE VERIFY calls;
  • LDAPVFYC is actually an invocation of RACROUTE VERIFY ENVIRON=CREATE operation.