IBM 2.1.1 Security zSecure, 1.11.2 Security zSecure Manager Messages Guide
Security zSecure 2.1.1 and Security zSecure Manager 1.11.2 are a collection of products that improve the efficiency and maintainability of the mainframe security environment. These products can be used alone or in conjunction with the other zSecure products. These products provide security, monitoring, auditing and alerting functionality on both the z/OS and z/VM platforms.
PDF
Download
Document
Advertisement
Advertisement
Security zSecure Version 2.1.1 Messages Guide SC27-6549-00 Security zSecure Version 2.1.1 Messages Guide SC27-6549-00 Note Before using this information and the product it supports, read the information in “Notices” on page 473. March 2015 This edition applies to version 2, release 1, modification 1 of IBM Security zSecure products and version 1, release 11, modification 2 of IBM Security zSecure Manager for RACF z/VM (product number 5655-T13), and to all subsequent releases and modifications until otherwise indicated in new editions. © Copyright IBM Corporation 1998, 2015. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents About this publication . . . . . . . . v Intended audience . . . . . . . What this publication contains . . . Access to publications and terminology Related documentation. . . . . . Accessibility . . . . . . . . . Technical training. . . . . . . . Support information . . . . . . . Statement of Good Security Practices . . . . . . v . . . . . v . . . . . v . . . . . ix . . . . . x . . . . . x . . . . . x . . . . . x Chapter 1. Introduction . . . . . . . . 1 Release information . . . . . . Overview of the zSecure products . zSecure message types . . . . . . . . . . . . . . . . . . . . . 1 . 1 . 2 Chapter 2. CKF Messages . . . . . . . 5 Messages Messages Messages Messages Messages Messages Messages Messages from from from from from from from from 0 to 99 . . 100 to 199. 200 to 299. 300 to 399. 400 to 599. 700 to 799. 800 to 899. 900 to 999. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . 16 . 26 . 34 . 42 . 49 . 51 . 51 . . . . . . . Chapter 3. CKG messages . . . . . . 59 Messages Messages Messages Messages Messages Messages Messages from from from from from from from 100 400 500 600 700 800 900 to to to to to to to 199. 499. 599. 699. 799. 899. 999. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 62 64 68 76 81 81 Chapter 4. CKN messages . . . . . . 89 Messages Messages Messages Messages Messages from from from from from 0 to 99 . . . . . . . . . . . 89 100 to 199. . . . . . . . . . 99 200 to 299 . . . . . . . . . 109 600 to 899 . . . . . . . . . 111 900 to 999 . . . . . . . . . 112 Chapter 5. CKR messages . . . . . . 115 Messages Messages Messages Messages Messages Messages Messages Messages Messages Messages Messages Messages from from from from from from from from from from from from 0 to 99 . . 100 to 199 . 200 to 299 . 300 to 399 . 400 to 499 . 500 to 599 . 600 to 699 . 700 to 799 . 800 to 899 . 900 to 999 . 1000 to 1099 1100 to 1199 . . . . . . . . . . . . © Copyright IBM Corp. 1998, 2015 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 127 138 148 159 169 180 190 196 198 209 218 Messages Messages Messages Messages Messages Messages Messages Messages Messages Messages Messages Messages Messages Messages Messages from from from from from from from from from from from from from from from 1200 1300 1400 1500 1600 1700 1800 1900 2200 2300 2400 2500 2600 2700 2800 to to to to to to to to to to to to to to to 1299 1399 1499 1599 1699 1799 1899 1999 2299 2399 2499 2599 2699 2799 2899 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 239 249 259 263 263 272 272 280 283 295 305 309 312 312 Chapter 6. CKV messages . . . . . . 315 Messages Messages Messages Messages Messages Messages Messages from 0 to 99 . from100 to 199 from 200 to 299 from 300 to 399 from 400 to 499 from 700 to 799 from 800 to 899 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315 318 320 320 322 322 323 Chapter 7. CKX messages . . . . . . 325 Messages from 0 to 99 . . Messages from 800 to 899 . Messages from 900 to 999 . . . . . . . . . . . . . . . . . . . . . . . 325 . 327 . 327 Chapter 8. CQT messages . . . . . . 331 Messages from 0 to 99 . . Messages from 100 to 199 . Messages from 900 to 999 . . . . . . . . . . . . . . . . . . . . . . . 331 . 338 . 344 Chapter 9. C2P messages . . . . . . 347 Messages from Messages from alerts) . . . Messages from alerts) . . . Messages from alerts) . . . 0 to 999 (zSecure started task) . 1000 to 1999 (Predefined RACF . . . . . . . . . . . . 2000 to 2999 (Predefined ACF2 . . . . . . . . . . . . 4000 to 6999 (Installation defined . . . . . . . . . . . . . 347 . 381 . 389 . 394 iii Chapter 10. C2R messages . . . . . 395 Chapter 11. C2RU messages . . . . . 405 Chapter 12. C2RW messages. . . . . 411 Chapter 13. C2X messages . . . . . 413 Chapter 14. C4R messages . . . . . 425 Messages Messages Messages Messages Messages Messages Messages from from from from from from from 0 to 399 . 400 to 499 500 to 599 600 to 699 700 to 799 800 to 899 900 to 999 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425 425 429 436 442 446 446 Chapter 15. BB messages . . . . . . 449 Chapter 16. B8R messages . . . . . 451 Chapter 17. ICH and IRR messages 463 Chapter 18. Other error messages . . 465 C errors . iv . . . Messages Guide . . . . . . . . . . . 465 LC errors . . EPR errors . . . . . . . . . . . . . . . . . . . . . . . . . . 465 . 465 Appendix. Support for problem solving . . . . . . . . . . . . . . 467 Searching knowledge bases . . . . . . . . . Available technical resources . . . . . . . Searching with support tools . . . . . . . Searching tips . . . . . . . . . . . . Obtaining fixes . . . . . . . . . . . . . Registering with IBM Software Support . . . . Receiving weekly support updates . . . . . . Contacting IBM Software Support . . . . . . Determining the business impact . . . . . . Describing problems and gathering information Submitting problems . . . . . . . . . . 467 467 467 467 467 468 468 469 470 470 470 Notices . . . . . . . . . . . . . . 473 Trademarks . . . . . . . . . . . . . . 475 Index . . . . . . . . . . . . . . . 477 About this publication This guide contains the messages and return codes that you might receive when using the IBM® Security zSecure™ 2.1.1 products. It provides explanations for these messages and errors. The information in this guide that applies to zSecure Manager for RACF® z/VM® applies to version 1.11.2 of that product. Intended audience This guide is intended for the system administrators responsible for managing and troubleshooting the zSecure products. Readers must be familiar with the zSecure product concepts and commands. What this publication contains This guide includes the following information: v An introduction to the zSecure products and a description of what each product does v Lists of the messages and errors and their severity levels v An explanation for each individual message v Support information Access to publications and terminology This section provides: v A list of publications in the “IBM Security zSecure Manager for RACF z/VM library” and the “IBM Security zSecure library” on page vi. v Links to “Online publications” on page ix. v A link to the “IBM Terminology website” on page ix. IBM Security zSecure Manager for RACF z/VM library The following documents are available in the IBM Security zSecure Manager for RACF z/VM library: v IBM Security zSecure Manager for RACF z/VM Release Information For each product release, the Release Information topics provide information about new features and enhancements, incompatibility warnings, and documentation update information. You can obtain the most current version of the Release Information at http://www.ibm.com/support/knowledgecenter/ SSQQGJ_1.11.2/com.ibm.zsecurevm.doc_1.11.2/welcome.html. v IBM Security zSecure Manager for RACF z/VM: Installation and Deployment Guide, SC27-4363 Provides information about installing, configuring, and deploying the product. v IBM Security zSecure Manager for RACF z/VM User Reference Manual, LC27-4364 Describes how to use the product interface and the RACF administration and audit functions. The manual provides reference information for the CARLa command language and the SELECT/LIST fields. It also provides troubleshooting resources and instructions for using the zSecure Collect component. This publication is available only to licensed users. © Copyright IBM Corp. 1998, 2015 v v IBM Security zSecure CARLa Command Reference, LC27-6548 Provides both general and advanced user reference information about the CARLa Auditing and Reporting Language (CARLa). CARLa is a programming language that is used to create security administrative and audit reports with zSecure. The CARLa Command Reference also provides detailed information about the NEWLIST fields for selecting data and creating zSecure reports. This publication is available only to licensed users. v IBM Security zSecure Messages Guide, SC27-6549 Provides a message reference for all IBM Security zSecure components. This guide describes the message types associated with each product or feature, and lists all IBM Security zSecure product messages and errors along with their severity levels sorted by message type. This guide also provides an explanation and any additional support information for each message. v IBM Security zSecure Manager for RACF z/VM Documentation CD, LCD8-2726 Supplies the IBM Security zSecure documentation, which contains the licensed and unlicensed product documentation. The IBM Security zSecure: Documentation CD is available only to licensed users. v Program Directory for IBM Security zSecure Manager for RACF z/VM, GI11-7865 The Program Directory for IBM Security zSecure Manager for RACF z/VM is intended for the systems programmer responsible for installing, configuring, and deploying the product. It contains information about the materials and procedures associated with installing the software. The Program Directory is provided with the product tape. You can also download the latest copy from the IBM Knowledge Center available at http://www.ibm.com/support/ knowledgecenter/SSQQGJ_1.11.2/com.ibm.zsecurevm.doc_1.11.2/welcome.html. IBM Security zSecure library The following documents are available online in the IBM Security zSecure library: v IBM Security zSecure Release information For each product release, the release information topics provide information about new features and enhancements, incompatibility warnings, and documentation update information for the IBM Security zSecure products. You can obtain the most current version of the release information at http://www.ibm.com/support/knowledgecenter/SS2RWS_2.1.1/ com.ibm.zsecure.doc_2.1.1/welcome.html. v IBM Security zSecure CARLa-Driven Components Installation and Deployment Guide, SC27-5638 Provides information about installing and configuring the following IBM Security zSecure components: – IBM Security zSecure Admin – IBM Security zSecure Audit for RACF, CA-ACF2, and CA-Top Secret – IBM Security zSecure Alert for RACF and ACF2 – IBM Security zSecure Visual for RACF – IBM Security zSecure Adapters for QRadar SIEM for RACF, CA-ACF2, and CA-Top Secret v IBM Security zSecure Admin and Audit for RACF Getting Started, GI13-2324 Provides a hands-on guide introducing IBM Security zSecure Admin and IBM Security zSecure Audit product features and user instructions for performing standard tasks and procedures. This manual is intended to help new users vi Messages Guide develop both a working knowledge of the basic IBM Security zSecure Admin and Audit for RACF system functionality and the ability to explore the other product features that are available. v IBM Security zSecure Admin and Audit for RACF User Reference Manual, LC27-5639 Describes the product features for IBM Security zSecure Admin and IBM Security zSecure Audit. Includes user instructions to run the features from ISPF panels, RACF administration and audit user documentation with both general and advanced user reference material for the CARLa command language and the SELECT/LIST fields. This manual also provides troubleshooting resources and instructions for installing the zSecure Collect for z/OS component. This publication is only available to licensed users. v IBM Security zSecure Audit for ACF2 Getting Started, GI13-2325 Describes the IBM Security zSecure Audit for ACF2 product features and provides user instructions for performing standard tasks and procedures such as analyzing Logon IDs, Rules, and Global System Options, and running reports. The manual also includes a list of common terms for those not familiar with ACF2 terminology. v IBM Security zSecure Audit for ACF2 User Reference Manual, LC27-5640 Explains how to use IBM Security zSecure Audit for ACF2 for mainframe security and monitoring. For new users, the guide provides an overview and conceptual information about using ACF2 and accessing functionality from the ISPF panels. For advanced users, the manual provides detailed reference information including message and return code lists, troubleshooting tips, information about using zSecure Collect for z/OS, and details about user interface setup. This publication is only available to licensed users. v IBM Security zSecure Audit for Top Secret User Reference Manual, LC27-5641 Describes the IBM Security zSecure Audit for Top Secret product features and provides user instructions for performing standard tasks and procedures. v IBM Security zSecure CARLa Command Reference, LC27-6533 Provides both general and advanced user reference information about the CARLa Auditing and Reporting Language (CARLa). CARLa is a programming language that is used to create security administrative and audit reports with zSecure. The CARLa Command Reference also provides detailed information about the NEWLIST fields for selecting data and creating zSecure reports. This publication is available only to licensed users. v IBM Security zSecure Alert User Reference Manual, SC27-5642 Explains how to configure, use, and troubleshoot IBM Security zSecure Alert, a real-time monitor for z/OS® systems protected with the Security Server (RACF) or CA-ACF2. v IBM Security zSecure Command Verifier User Guide, SC27-5648 Explains how to install and use IBM Security zSecure Command Verifier to protect RACF mainframe security by enforcing RACF policies as RACF commands are entered. v IBM Security zSecure CICS Toolkit User Guide, SC27-5649 Explains how to install and use IBM Security zSecure CICS Toolkit to provide RACF administration capabilities from the CICS® environment. v IBM Security zSecure Messages Guide, SC27-5643 Provides a message reference for all IBM Security zSecure components. This guide describes the message types associated with each product or feature, and lists all IBM Security zSecure product messages and errors along with their About this publication vii severity levels sorted by message type. This guide also provides an explanation and any additional support information for each message. v IBM Security zSecure Quick Reference, SC27-5646 This booklet summarizes the commands and parameters for the following IBM Security zSecure Suite components: Admin, Audit, Alert, Collect, and Command Verifier. Obsolete commands are omitted. v IBM Security zSecure Visual Client Manual, SC27-5647 Explains how to set up and use the IBM Security zSecure Visual Client to perform RACF administrative tasks from the Windows-based GUI. v IBM Security zSecure Documentation CD, LCD8-2726 v v v v viii Messages Guide Supplies the IBM Security zSecure documentation, which contains the licensed and unlicensed product documentation. The IBM Security zSecure: Documentation CD is available only to licensed users. Program Directory for IBM Security zSecure Suite: CARLa-driven components, GI13-2277 This program directory is intended for the system programmer responsible for program installation and maintenance. It contains information concerning the material and procedures associated with the installation of IBM Security zSecure CARLa-Driven Components: Admin, Audit, Visual, Alert, and the IBM Security zSecure Adapters for QRadar SIEM. Program directories are provided with the product tapes. You can also download the latest copy from the IBM Security zSecure documentation website at http://www.ibm.com/support/ knowledgecenter/SS2RWS_2.1.1/com.ibm.zsecure.doc_2.1.1/welcome.html. Program Directory for IBM Security zSecure CICS Toolkit, GI13-2282 This program directory is intended for the system programmer responsible for program installation and maintenance. It contains information concerning the material and procedures associated with the installation of IBM Security zSecure CICS Toolkit. Program directories are provided with the product tapes. You can also download the latest copy from the IBM Security zSecure documentation website at http://www.ibm.com/support/knowledgecenter/SS2RWS_2.1.1/ com.ibm.zsecure.doc_2.1.1/welcome.html. Program Directory for IBM Security zSecure Command Verifier, GI13-2284 This program directory is intended for the system programmer responsible for program installation and maintenance. It contains information concerning the material and procedures associated with the installation of IBM Security zSecure Command Verifier. Program directories are provided with the product tapes. You can also download the latest copy from the IBM Security zSecure documentation website at http://www.ibm.com/support/knowledgecenter/SS2RWS_2.1.1/ com.ibm.zsecure.doc_2.1.1/welcome.html. Program Directory for IBM Security zSecure Admin RACF-Offline, GI13-2278 This program directory is intended for the system programmer responsible for program installation and maintenance. It contains information concerning the material and procedures associated with the installation of the IBM Security zSecure Admin RACF-Offline component of IBM Security zSecure Admin. Program directories are provided with the product tapes. You can also download the latest copy from the IBM Security zSecure documentation website at http://www.ibm.com/support/knowledgecenter/SS2RWS_2.1.1/ com.ibm.zsecure.doc_2.1.1/welcome.html. Online publications IBM posts product publications when the product is released and when the publications are updated at the following locations: IBM Security zSecure Manager for RACF z/VM library The product documentation site (http://www.ibm.com/support/ knowledgecenter/SSQQGJ_1.11.2/com.ibm.zsecurevm.doc_1.11.2/ welcome.html) displays the welcome page and navigation for the library. IBM Security zSecure library The product documentation site (http://www.ibm.com/support/ knowledgecenter/SS2RWS_2.1.1/com.ibm.zsecure.doc_2.1.1/welcome.html) displays the welcome page and navigation for the library. IBM Security Systems Documentation Central IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product libraries and links to the online documentation for specific versions of each product. IBM Publications Center The IBM Publications Center site (http://www.ibm.com/e-business/ linkweb/publications/servlet/pbi.wss) offers customized search functions to help you find all the IBM publications you need. IBM Terminology website The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/ software/globalization/terminology. Related documentation If you are using IBM Security zSecure products in a RACF environment, you can find more information about RACF and the types of events that can be reported using zSecure Admin and Audit in several IBM manuals. For information about the RACF commands, and the implications of the various keywords, see the RACF Command Language Reference and the RACF Security Administrator's Guide. You can find information about the various types of events that are recorded by RACF in the RACF Auditor's Guide. To access manuals in the z/OS online library, see http://www.ibm.com/systems/z/os/zos/bkserv/. Table 1. z/OS manuals in z/OS online library Manual Title Order Number z/OS Security Server RACF Command Language Reference SA23-2292 z/OS Security Server RACF Security Administrator's Guide SA23-2289 z/OS Security Server RACF Auditor's Guide SA23-2290 z/OS Security Server RACF System Programmer's Guide SA23-2287 z/OS MVS System Commands SA23-2292 z/OS Communications Server IP Configuration Reference SC27-3651 ® z/Architecture Principles of Operation SA22–7832 You can find more information about ACF2 and the types of events that can be reported using zSecure Audit for ACF2 in the CA-ACF2 documentation. About this publication ix For information about Top Secret, see the CA-Top Secret for z/OS documentation. For information about z/VM, see the IBM Knowledge Center at http://www.ibm.com/support/knowledgecenter/SSB27U/welcome. Also see http://www.vm.ibm.com/library for more information about z/VM. Table 2. Further information about RACF administration, auditing, programming, and commands for z/VM Manual Order Number z/VM RACF Security Server Command Language Reference SC24-6213 z/VM RACF Security Server Security Administrator's Guide SC24-6218 z/VM RACF Security Server Auditor's Guide SC24-6212 z/VM RACF Security Server System Programmer's Guide SC24-6219 ISPF Quick Start Guide for VM V2R3 GI13-3554 For information about incompatibilities, see the Incompatibility section under Release Information on the documentation website for your product at: v For z/OS: http://www.ibm.com/support/knowledgecenter/SS2RWS_2.1.1/ com.ibm.zsecure.doc_2.1.1/welcome.html v For z/VM: http://www.ibm.com/support/knowledgecenter/SSQQGJ_1.11.2/ com.ibm.zsecurevm.doc_1.11.2/welcome.html Accessibility Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface. Technical training For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education. Support information IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html. Statement of Good Security Practices IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES x Messages Guide NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. About this publication xi xii Messages Guide Chapter 1. Introduction The IBM Security zSecure suite is a collection of products that improve the efficiency and maintainability of the mainframe security environment. These products can be used alone or in conjunction with the other zSecure products. The main products are zSecure Admin and zSecure Audit. The IBM Security zSecure products provide security, monitoring, auditing and alerting functionality on both the z/OS and z/VM platforms. zSecure messages are usually categorized by a three-character prefix to identify the associated programs or components. For example, the CKF prefix identifies messages issued by the zSecure Collect for z/OS component, and CKG messages are issued by the CKGRACF program. This guide is organized by message prefixes that are associated with their programs or components. The following sections provide release information for zSecure 2.1.1 and zSecure Manager for RACF z/VM1.11.2, an overview of the zSecure products, and the types of messages that can be generated. Release information The zSecure Release information topics include details on new features and enhancements, incompatibility warnings, and documentation update information. You can download the latest version of the release information for IBM Security zSecure 2.1.1 at: http://www.ibm.com/support/knowledgecenter/SS2RWS_2.1.1/ com.ibm.zsecure.doc_2.1.1/welcome.html. You can download the latest version of the release information for zSecure Manager for RACF z/VM 1.11.2 at: http://www.ibm.com/support/ knowledgecenter/SSQQGJ_1.11.2/com.ibm.zsecurevm.doc_1.11.2/welcome.html. Overview of the zSecure products The IBM Security zSecure suite includes the following products. zSecure Admin Provides a user-friendly layer in the form of an ISPF interface on top of RACF which enables security administration, user management and compliance management on the mainframe. It allows you to enter and process administrative commands more quickly, generate custom reports, and thoroughly clean up databases. Additionally, zSecure Admin provides administration authority in a more granular fashion so that users are only granted the specific amount of administration authority required for their job. zSecure Audit Compliance and audit solution that enables you to automatically analyze and report on security events and detect security exposures. It provides standard and customized reports that warn of policy exceptions or violations. This component is available for RACF, ACF2, and Top Secret. zSecure Alert Mainframe audit solution that enables you to detect and report security © Copyright IBM Corp. 1998, 2015 1 events and exposures on z/OS, DB2®, UNIX, RACF, ACF2, and Top Secret. IBM Security zSecure Alert is a real-time monitor, issuing alerts for security-related system events at the time they occur. zSecure Command Verifier Mainframe policy enforcement solution adds granular controls for RACF to help prevent errors and noncompliant commands. This product runs in the background to verify your RACF commands against company policies and procedures. If the command does not comply with the policy, it is blocked or fixed. It can run independently from the other zSecure components. zSecure Visual zSecure Visual client is a Windows-based graphical user interface for RACF administration. Using the Visual Server product establishes a secure connection directly with RACF to enable decentralized administration from a Windows environment. zSecure CICS Toolkit This component enables you to do most RACF administration from a CICS environment instead of TSO. zSecure Adapters for QRadar SIEM This component enables you to collect mainframe security data and send it to the IBM Security QRadar® SIEM product to get an enterprise-wide view. zSecure Manager for RACF z/VM This product simplifies the process of managing mainframe security and enables you to quickly identify and fix problems in RACF on z/VM. It automates recurring and time-consuming security tasks. zSecure message types zSecure messages are categorized by an alphanumeric prefix. Each prefix refers to the zSecure product function which the messages in that category are associated with. The following table lists the available zSecure message prefixes, their related functions, and the products that can display these messages: Table 3. zSecure product messages Message Prefix Function 2 Messages Guide Product Reference CKF zSecure Collect for z/OS IBM Security zSecure Admin, Chapter 2, “CKF (CKFCOLL) IBM Security zSecure Audit, Messages,” on page 5 IBM Security zSecure Alert, IBM Security zSecure Adapters for QRadar SIEM CKG CKGRACF program IBM Security zSecure Admin, IBM Security zSecure Visual Chapter 3, “CKG messages,” on page 59, CKN zSecure Server (network IBM Security zSecure Admin, node) IBM Security zSecure Audit, IBM Security zSecure Visual Chapter 4, “CKN messages,” on page 89 Table 3. zSecure product messages (continued) Message Prefix Function Product Reference CKR CKRCARLA program IBM Security zSecure Admin, Chapter 5, “CKR IBM Security zSecure Audit, messages,” on page 115 IBM Security zSecure Visual, IBM Security zSecure Alert, IBM Security zSecure Manager for RACF z/VM, IBM Security zSecure Adapters for QRadar SIEM CKV zSecure Collect for z/VM (CKVCOLL) IBM Security zSecure Manager Chapter 6, “CKV for RACF z/VM messages,” on page 315 CKX TSO execution utility program CKX or zSecure Command Execution Utility IBM Security zSecure Admin, Chapter 7, “CKX IBM Security zSecure Manager messages,” on page for RACF z/VM 325 CQT Module CQTPMSGE IBM Security zSecure CICS Toolkit C2P IBM Security zSecure Alert or zSecure Alert address space, Predefined RACF IBM Security zSecure Admin alert, Predefined ACF2 alert, Installation defined alert, or zSecure RACF Access Monitor C2R NLS table processor C2RIMENU, XSLT stylesheet, or the installation customization REXX exec C2REUPDR IBM Security zSecure Chapter 10, “C2R messages,” on page 395 C2RU User interface IBM Security zSecure Visual Client Chapter 11, “C2RU messages,” on page 405 IBM Security zSecure Visual Server Chapter 12, “C2RW messages,” on page 411 IBM Security zSecure Admin, IBM Security zSecure Audit, IBM Security zSecure Alert Chapter 13, “C2X messages,” on page 413 IBM Security zSecure Command Verifier Chapter 14, “C4R messages,” on page 425 C2RW C2X zSecure RACF Exit Activator component C2XACTV C4R Chapter 8, “CQT messages,” on page 331 Chapter 9, “C2P messages,” on page 347 BB BBRACF component IBM Security zSecure Visual Chapter 15, “BB messages,” on page 449 B8R Security zSecure Admin RACF-Offline functions IBM Security zSecure Admin Chapter 16, “B8R messages,” on page 451 RACF Chapter 17, “ICH and IRR messages,” on page 463 ICH and IRR Chapter 1. Introduction 3 Table 3. zSecure product messages (continued) Message Prefix Function C Product Reference IBM Security zSecure Visual Client Chapter 18, “Other error messages,” on page 465 LC Communication layer between the client user interface and the c2ragent component IBM Security zSecure Visual Client Chapter 18, “Other error messages,” on page 465 EPR IBM Security zSecure Visual Communication layer Client between the c2ragent component and the server. Found also in the log-files called cesys and ceaud in the directory: ApplicationDirectory\ Servers\ServerName. Files cesys0..cesys9 and ceaud..ceaud9 are previous log-files. Chapter 18, “Other error messages,” on page 465 The following chapters of this guide provide a listing of each message prefix along with a detailed explanation and possible solutions. 4 Messages Guide Chapter 2. CKF Messages zSecure Collect is a component of these products: v zSecure Admin v zSecure Audit v zSecure Alert v zSecure Adapters for QRadar SIEM v zSecure Manager for RACF z/VM zSecure Collect gathers system data and stores that data in CKFREEZE data sets. It issues messages with the CKF prefix for the z/OS products and the CKV prefix for the z/VM product. For example, if you are using zSecure Admin and Audit you might see message number of CKF970I. The same message issued by zSecure Manager for RACF z/VM has the number CKV970I. zSecure Collect messages for all products are documented. zSecure Collect messages shared between the z/OS and z/VM platforms are documented in this section. zSecure Collect messages specific to the z/VM product are documented in Chapter 6, “CKV messages,” on page 315. Each message number has the form CKFnnnI or CKVnnnI where nnn is the message number. In addition to the message identifier, the program also issues a severity code. This code is derived from the program completion code that indicates the highest severity code encountered. Note: The return code from the program is normally set to the maximum value of the return codes from any messages. If NOWARNINGRC is coded, the 04 return code from the program is reset to 00. The severity code can contain any of the following values: 00 Normal message, giving status or summary information. 04 Unusual condition found that may or may not result in missing information. 08 Unusual condition found that causes information that was requested to be missing. Subsequent processing may be impacted. 12 Unexpected condition during zSecure Collect processing. 16 Syntax error in command input or entitlement problem. 24 Internal error or other unexpected and unsupported condition in zSecure Collect detected. 28 Internal error or other unexpected and unsupported condition in zSecure Collect detected. A user abend will be issued to protect your system and force a dump. In the rest of this section, all error messages are listed with an explanation and possible actions to take. Messages are included in subsections, grouped by the hundred message-numbers. To locate documentation for a specific message, search this documentation for the message number, CKF970I or CKV970I, for example. Messages from 0 to 99 © Copyright IBM Corp. 1998, 2015 5 CKF000I • CKF007I Control block name omitted, because of reason CKF000I Explanation: This message is issued if the program fails to find an OS control block. This is not necessarily a problem, rather it notes the absence of some information which might have been useful, but which may not be available in your OS version at all. The name of the control block is given by name, the control block ID. The exact nature of the failure is given by reason, which may be: invalid block ID The control block ID is not found in its proper place. protection exception A protection exception occurred during the walk through the pointer chain leading to the control block. invalid length A protection exception occurred during access to the last-to-be-used byte of the control block. nil pointer The pointer to the control block was found to contain binary zeros. This message may very well occur after conversion to a new release of the OS. The resulting CKFREEZE file may still be usable for your purposes. Problems indicated with missing control block names include the following: STGS RMF™ is not active EDT device type information not retrieved IODN LCU and device number table missing (also RMF) IOCH Channel information missing (also RMF) LPBT Logical Path Block Table missing (SRM SP4) RCVT No RACF in system SSVT This may be seen if RMM is not active Severity: 04 CKF001I No generic unit name for devclass unit dev devtype devtype Explanation: This message indicates that your OS could not give a generic unit name for the device on address dev, and the device type (given as 8 hex digits) is also not available in the hardcoded device table in zSecure Collect. The device class is devclass. This is not a problem; it just warns you to expect question marks in the unit name fields. Severity: 04 6 Messages Guide CKF002I LOCATE return code rc on type data set datasetname Explanation: This message indicates that the data set datasetname (which is supposed to be a type data set) could not be found by the LOCATE service of MVS™. The return code returned by the service is rc. The volume will be left blank or zero in the CKFREEZE file. Severity: 04 CKF003I DEVTYPE RC nonzero for unit dev Explanation: The DEVTYPE SVC used to collect information on unit dev returned a nonzero return code. This may cause the device type record in the CKFREEZE file to be unusable. Severity: 04 CKF004I Closed PDSE dev volume dsname read decnum bytes in decnum members Explanation: This informational message indicates the amount of data read from the indicated PDSE. It is issued only if the INFO option was selected. Severity: 00 CKF005I Please ignore CMD rejects Explanation: This message is displayed on the operator console to warn the operator that no action should be taken on the burst of IOS000I or IEA000I messages specifying a CMD reject on 3350 DASD devices. It is removed immediately after the program has finished processing the 3350 range of devices. It is displayed during authorized operation only. CKF006I CVAFDIR type error, R15=rc, CVSTAT=code on device dev volume volume Explanation: During access to the VTOC index, the CVAFDIR type (READ or RLSE) service returned a nonzero return code rc accompanied by CVAF return code code. See the appropriate IBM manual for the meaning of these codes. If the type of access was READ, the VTOC was read completely without taking into account the used DSCB map in the VTOC index. Severity: 12 CKF007I Task is not APF authorized - only non-protected information can be collected Explanation: This message alerts you to the fact that the program could not obtain authorization. For additional information, see the section Authorized or unauthorized? in the zSecure Collect documentation CKF008I • CKF018I available in the user reference manual for your zSecure product. Severity: 00 CKF008I Number of DASD devices interrogated: nn Explanation: This message gives the number of devices that have been allocated and interrogated. CKF014I DASD Device dev online but not ready Explanation: This message indicates the device number dev was included in the configuration because it was online, but could not be interrogated because it was not ready. Instead of scheduling an I/O request, zSecure Collect has skipped the device. This may result in incomplete information for your purpose. Severity: 04 Severity: 00 CKF015I CKF009I Number of DSCB entries copied: nn SYSEVENT DONTSWAP failed, return code hex rc Explanation: This message gives the number of Data Set Control Blocks copied from VTOCs to the CKFREEZE file. It is somewhat larger than the number of data sets on the interrogated devices, because some extents are described in separate DSCBs for the same data set. Note that only used DSCBs are copied. Explanation: This message indicates that zSecure Collect failed to make itself nonswappable. As a result, no authorized I/Os can be scheduled and no cache size information and device level cache disablement information will be collected for 3880 devices. Neither will guaranteed device path I/O be used to eliminate WAITs. Severity: 00 Severity: 08 CKF010I Number of VVDS datasets processed: nn Explanation: This message gives the number of VVDS data sets for which an OPEN was attempted. Generally, this number is smaller than the number of DASD devices interrogated, because not every volume needs to have a VVDS. Severity: 00 CKF011I Number of NVR/VVR entries copied: nn Explanation: This messages gives the number of VVRs (VSAM volume records) and NVRs (non-VSAM volume records) copied to the CKFREEZE file. The number of VVRs is roughly two times the number of VSAM data sets on the processed volumes. NVRs are associated with SMS managed non-VSAM data sets. Severity: 00 CKF012I Non-4K block size for VVDS not supported - volume volume Explanation: This message indicates a VVDS was encountered on volume volume with a block size other than 4KB. This is not supported by this release of zSecure Collect. The VVDS has a 4KB block size if it has been made automatically on 3330/3350/3380/3390 DASD with at least DFP 1.0 through DFP 3.3. If you encounter this message, then the VVDS information for the specified volume will not be read, and you will only see component names mentioned in the VTOC, not the cluster names. CKF016I Unsupported control block level hexnum for volume dsname Explanation: This message indicates that a control block of an unsupported layout was returned by Directory Entry Services for the indicated PDSE. If control block is "DESB", checksum and IDR processing are skipped for the remainder of the PDSE; if it is "SMDE", processing is skipped for a single member only. Severity: 08 CKF017I Path ch to type device dev volume not operational Explanation: This message indicates that the installed physical channel (pre-XA) or channel path (XA) ch to the selected online and ready device number dev with volume serial volume was not operational. If this is not your normal working configuration, then you are measuring a reduced configuration with a higher contention than normal. Alternatively this may point at running MVS/370 under VM. Severity: 04 CKF018I parameter Parameter invalid in non-XA system. Explanation: The parameter specified is not applicable to pre-XA systems. Severity: 12 Severity: 12 Chapter 2. CKF Messages 7 CKF019I • CKF027I CKF019I BFLHFCHN invalid for type device dev volser; VTOC processing skipped Explanation: The forward chain pointer of next buffer list (BFLHFCHN) is not valid; i.e. no (more) VTOC information could be obtained for device dev. Severity: 12 CKF020I Path information not gotten for unsupported device type type, device dev volume Explanation: This message indicates that you requested configuration information for a device type type, which is not currently supported by zSecure Collect. Requests for support for other DASD types than 3350, 3380, 3390, and compatibles should be directed to IBM Software Support. Severity: 08 CKF021I Storage director IDs unavailable for type device dev volume because unauthorized Explanation: This message indicates that physical storage director IDs for device number dev with volume serial volume can only be extracted by authorized programs because its device type is type. The result is missing storage director information which may prevent an automatic deduction of the configuration. CKF024I Explanation: This message indicates that after bs tries zSecure Collect still did not succeed in scheduling I/O along all paths to a device. This message only occurs if you specified or implied WAIT=NO and PATH=YES. The resulting CKFREEZE information will be incomplete. Severity: 08 CKF025I Storage director ID not returned by IOS for path ch to type device dev volume Explanation: This message indicates that the IOS version you have fails to return the complete sense information needed to find the storage director ID. The failure occurred on path ch to device number dev with volume serial volume. The device type is type. This message is issued for only one path, because zSecure Collect assumes the same failure will occur on the other paths to the device, and does not attempt I/O on these paths. Severity: 08 CKF026I String controller ID not returned by IOS for path ch to type device dev volume Explanation: This message indicates that the controller ID was not found in its proper place. This message is not issued if the storage director ID is also missing. Currently no software level is known which omits only controller information. Because of redundancy of information, you will probably not notice any effect on the reports. Severity: 08 8 Messages Guide Unexpected IOS return code rc hex, CSW status hhhh sense ssss on path ch to cccc/mm for type/mm device dev volume Explanation: This message indicates an unexpected error during EXCP processing. The IOS return codes are documented in the IBM debugging handbooks (IOB/IOSB) and in the appropriate DFP manuals. The cccc/mm and type/mm are the control unit type / model and unit type / model, respectively, as returned by the SenseId CCW. The resulting CKFREEZE file will probably be incomplete. Severity: 12 CKF026I Severity: 08 CKF023I Path information still incomplete after bn bs-try bursts on type device dev volume: missing at least path ch Explanation: This message indicates that after bn bursts of bs tries with a 0.5 second WAIT interval between the bursts, zSecure Collect still did not succeed in scheduling I/O along all paths to a device. This may happen on very busy shared DASD systems and on very empty pre-XA systems that do not have channel rotation. The number of bursts, burst size, and inter-burst wait time can be adjusted by the appropriate BURSTxxxx parameters. Severity: 08 CKF022I Path information still incomplete after bs tries on type device dev volume: missing at least path ch Unexpected IOS return code rc hex, CSW status hhhh sense ssss on path ch to 3350 device dev volume Explanation: This message indicates an unexpected error during EXCP processing. The IOS return codes are documented in the IBM debugging handbooks (IOB/IOSB) and in the appropriate DFP manuals. The resulting CKFREEZE file will probably be incomplete. Severity: 12 CKF027I Invalid DSCB FMTID=X'xx' on type device dev volser CCHHR=0000000000 DSN=dsname Explanation: The VTOC for the indicated volume contained an invalid DSCB, with format X'xx'. The only valid types are X'F0' .. X'F6'. The DSCB record is CKF028I • CKF036I included in the CKFREEZE file, but will not used. The dsname reported is the data set name field (key area) of the DSCB in error. This has no consequences for MVS if the DSCB is not in use according to the space map. Severity: 04 CKF028I SVC 99 RC=n DAIRFAIL code xxxx xxxx on dev volser Explanation: The device/volser may be absent. This message will be followed by an IKJ-message on the problem. The error occurred in dynamic allocation or unallocation of a VTOC or data set for device dev. This message has continuation lines detailing the individual text units contents after SVC 99 (DYNALLOC) completion. Severity: 08 CKF029I CKF032I Explanation: This message indicates that records were truncated on output. You might try increasing the record length, if problems arise. However, for most purposes the information needed is located at the beginning of the BCS records, and these truncated records therefore do not usually present a problem. Severity: 08 CKF033I Module IGG019X1 missing, no configuration info for 3350 devices possible Explanation: This message indicates that the appendage IGG019X1 could not be found. Severity: 08 DASD Device dev online, but not mounted CKF034I Explanation: Device dev was not mounted public, storage or private, zSecure Collect does not attempt to allocate the VTOC and VVDS data sets. Severity: 04 CKF030I Number of record(s) truncated: nn OPEN abend xxx-rc on device dev volume volser for dsname Explanation: The data set named dsname could not be opened for input on device dev. The VTOC is indicated with ** VTOC volser **. If the error occurs for a VTOC, both the VTOC and the VVDS for the volume will be missing. If the error occurs for a VVDS, the VTOC information has been read properly. For information about the common abend codes, see the zSecure Collect documentation in the user reference manual for your zSecure product. Severity: 08 [ Before MONITOR interval ] CKFCOLL used ss.t CPU seconds, ss elapsed seconds, and collected m.kkk MB (m.kkk MB/s) Written rectotal records to ddname volume dsname Region requested r,rrrKB, granted g,ggg+g,gggKB max used in jobstep u,uuu+u,uuuuKB Explanation: This message details the TCB time used as well as the wall clock time. In addition, the amount of data collected (written to the CKFREEZE file) is summarized as well as the effective data rate. The effective data rate will be misleadingly low if CHECK=Y was specified, since that is a data reduction function. If MONITOR has been requested, then this message is issued twice, once before the monitoring starts, and once at the end of the program. The message at the end of the program also shows the region requested, granted, and used, both below and above the 16MB line. Severity: 00 CKFCOLL runs on sid with osname oslevel DFSMS release JES2 release CPU model model CKF035I CKF031I site-specific identification string running on where CPU-id CPUid Explanation: This messages gives the number of PDS (Partition Data Set) directories copied to the CKFREEZE file. CKF031I Last record written: ID=hh, contents start hexstring CKF031I Explanation: zSecure Collect abended while running on the indicated system (SMF id) and operating system release levels, under the focus and Products ids shown, on the CPU indicated, after writing the indicated record (this line is omitted if no records had been written yet). Severity: 00 Number of PDS directories processed: nn Severity: 00 CKF036I Information omitted for devn volser, SAF READ access required on FACILITY STGADMIN.IFG.READVTOC.volser if non-APF Explanation: This message indicates that an attempt to read the VTOC resulted in an system abend 300, reason code 6, which means that name hiding was active, and you were not allowed to read the VTOC. In a RACF Chapter 2. CKF Messages 9 CKF037I • CKF046I system, name hiding is activated with the command SETROPTS MLNAMES. If name hiding is active, a SAF resource check is done against the resource name indicated. Severity: 04 CKF042I Number of BCS records copied: nn Explanation: This messages gives the number of BCS (Basic Catalog Structure) records copied to the CKFREEZE file. Severity: 00 CKF037I Unexpected abend condition dev devn volser during action CKF043I VVDS information not collected, catalogs cannot be dumped fast Explanation: This message indicates that an abend occurred during EXCP for a channel program attempting to perform the action indicated. Contact IBM Software Support if this message occurs to see if this can be prevented. Explanation: This message is issued if the VVDS data sets could not be accessed, but catalog processing was requested. zSecure Collect requires VVDS access to dump catalogs. Severity: 12 Severity: 00 CKF038I Unexpected abend during allocate of dsn Explanation: This message indicates a failure to allocate (and possibly perform an automatic recall of) a VSAM cluster. An abend was encountered. The cluster will be skipped. If you think the program should have succeeded, contact IBM Software Support. Severity: 08 CKF039I Running OS version DFSMS version JESn version VTAM version secp version RMF version TSO version HSM version [ under VM/version release ] Explanation: This message indicates release levels or status of the software that zSecure Collect extracts information from. Instead of a version number, the keyword inactive, active, or unknown may be present to indicate respectively that the product is installed but not active, active but release could not be obtained, or control blocks present but of unsupported layout. secp is the detected security product, it can be RACF, ACF2, or TSS. Severity: 00 CKF044I Name of master catalog not found in CAXWA. Abend 913-0C may result for unconnected catalogs Explanation: This message indicates that the master catalog name or volume serial could not be determined. Consequently, it is impossible to determine which catalogs are connected. zSecure Collect will try to open all catalogs it encounters on the disks processed. This will result in abend 913-0C for each unconnected catalog. Severity: 12 CKF045I Master catalog volume volume not selected. Abend 913-0C may result for unconnected catalogs Explanation: This message indicates that the master catalog was not found on any of the disk volumes processed. Hence no user catalog connector information is accumulated by zSecure Collect. zSecure Collect will try to open all catalogs it encounters on the disks processed. This will result in abend 913-0C for each unconnected catalog. Severity: 08 CKF040I Unexpected abend during LISTCAT of dsn Explanation: This message indicates a failure to locate a VSAM cluster name in the catalog; an abend was encountered. The cluster will be skipped. If you think the program should have found it, contact IBM Software Support. Severity: 08 CKF046I Explanation: This message indicates that normal VSAM processing was selected for this cluster because it has a multi-volume index component that is needed because of NOIMBED. Severity: 00 CKF041I Number of catalogs processed: nn Explanation: This message gives the number of ICF and HSM catalogs for which an OPEN was attempted. Severity: 00 10 Messages Guide Slowdown mode invoked because noimbed and multi-volume index for dsname CKF047I • CKF053I CKF047I Data collection started on date time for node nodename sysname sysname sid smfid netid netid on a manufacturer typemodel model [ MVSCP conguration id xx ] [ logical partition LPARname ] [ virtual machine userid ] [ at sysid ] [ sysplex name ] Explanation: This message indicates the timestamp marking the start of data collection. It can be used to find the proper zSecure Collect SYSPRINT output when presented with a specific CKFREEZE file. In addition, the various system identifiers are listed: the JES2 node name, the GRS system name, the SMF id, the VTAM® netid, and the processor type. The processor specifications are those returned by the CSRSI service. On older machines where that service is not yet available the type is the internal hexadecimal representation (devtype/model); for VM systems the real model byte is displayed if running APF authorized, otherwise it is FF. On the second line, optional configuration information may be present to indicate the MVSCP configuration id, the Logical Partition name, the VM virtual machine user ID, the VM system ID (as would be displayed in the lower right corner under CMS), and the SYSPLEX name. Severity: 08 CKF051I Explanation: This message indicates an unexpected I/O failure on the indicated device and address. The return code is the EXCP return code in hex. Severity: 12 CKF051I ACB OPEN failed for type dev volser componentname rc=nn, code=nn cluster clustername Explanation: This message indicates a failure to open the VSAM data set indicated and gives the return code and reason code. The type can be BCS for an ICF catalog, MCD for HSM MCDS, BCD for HSM BCDS, and RMM for the DFSMS RMM control data set. ACB OPENs for ICF catalogs are attempted only if the catalog has been defined with NOIMBED, if it has more than 16 extents on a pre-DFP V3 system, or if the run is unauthorized in a pre-DFP V3 system. Severity: 08 CKF049I Internal error CKFCCHH RC=16 Explanation: Contact IBM Software Support. Severity: 24 CKF050I TTT Conversion fails on reltrk DEBNMEXT=nnn on dev volser Explanation: This message indicates a failure to convert the indicated relative track number to an absolute cylinder and head address. The requested track will not be read. Generally this means that the internal structure of a data set was not understood properly, for example, because of a new version of the software maintaining that data set. Contact IBM Software Support. (ECKD) EXCP failed on ddname, Address CKFB: address, rc nnx, CSW=hhhhhhhhhhhhhh, IOBSEEK=address device dev volser Explanation: This message indicates an unexpected ECKD™ I/O failure on the indicated device and address. The return code is the EXCP return code in hex. Severity: 12 CKF051I Severity: 00 CKF048I EXCP failed on ddname, RC=hh, IOBSEEK=address device dev volser Multiple track read EXCP failed on ddname, Number of reads hhhh, Address CKFB: address, rc nnx, CSW=hhhhhhhhhhhhhh, IOBSEEK=address device dev volser Explanation: This message indicates an unexpected multitrack read I/O failure on the indicated device and address. The return code is the EXCP return code in hex. Severity: 12 CKF052I Slowdown mode invoked because noimbed and index on volume for catname Explanation: This message indicates that the requested ICF, HSM, or RMM catalog dump will be tried with VSAM, because the faster EXCP mode does not support NOIMBED with the index on a different volume than the data component. Severity: 00 CKF053I Slowdown mode invoked because not APF-authorized, data set volume catname Explanation: This message indicates that the requested catalog dump will be tried with VSAM, because the faster EXCP mode requires APF authorization that is not present. ALTER authority is required to read ICF catalogs without APF authorization on DFP systems below version 3. For DFP version 3 APF authorization is required to read ICF catalogs anyway and message CKF064I will be issued. READ authority is needed to read HSM catalogs. Severity: 00 Chapter 2. CKF Messages 11 CKF054I • CKF064I CKF054I Data set catname CA at rel track tt missing nn CIs in sequence set record Explanation: This message indicates that the number of CIs described by the index sequence set record was not the number of CIs per CA. If the error message is reproducible, perform EXAMINE on the data set. If no strange things are found, contact IBM Software Support. Severity: 00 CKF055I CKF059I Explanation: This message indicates that for some reason the index was not read successfully. Consequently, the NOIMBED data set cannot be processed. Severity: 08 CKF060I ACB OPEN type abend xxx-nn (explanation) for dev volume componentname of catalogname Explanation: This message indicates an abend during an attempt to open the ICF, RMM, or HSM catalog indicated. Slowdown mode invoked because more extents than EXCP supports (abend 013-E4) for vol cluster Severity: 12 CKF061I Severity: 04 CKF062I Severity: 00 Severity: 08 type abend xxx-nn (explanation) on dev volser dsname VVDS can only be accessed with APF authorization Explanation: In DFP V3 systems, APF authorization is required to read the VVDS. Explanation: The maximum number of extents supported by an EXCP OPEN depends on the DFSMS release. This is reflected in the job log as an abend 013-E4 (or in older releases, 213-20). The CKF030I message is suppressed in this case. The abend is intercepted, and slowdown mode is invoked for this release. CKF057I VVDS space map extension at RBA hexnum ignored - expecting hexnum Explanation: zSecure Collect expects the space map chain to occur in order in the VVDS. Severity: 08 CKF056I NOIMBED not supported, data set catname on volser skipped Connected catalog catname not found on volumes processed Explanation: The master catalog processed contained a connector entry for catalog catname. However, the catalog was not found on the volumes processed. Catalog information may be incomplete. CKF063I Unexpected error: Master cat BCS not found on mastercat volume. Abend 913-0C may occur Explanation: A nonrecoverable abend occurred opening data set dsname for input on device dev. If the error occurs for a VTOC, the VTOC and all data sets on the volume will be missing. If the error occurs for a VVDS, the VTOC information has been read properly. For information on the common abend codes, see the zSecure Collect documentation in the user reference manual for your zSecure product. Explanation: This message indicates that for some reason the master catalog was not found on the volume it was supposed to reside on. Consequently, it cannot be determined whether user catalogs are connected or not. Abend 913-0C results from trying to open an unconnected catalog if bypass-password processing is not being used. Severity: 08 Severity: 08 CKF058I Unexpected physical record length decnum in imbedded SSR with index blksize decnum for catname Explanation: This message indicates that a physical record (i.e. block) was read from the imbedded index track with a block size different from the block size indicated in the information in the VVR. Results will be unpredictable. Severity: 12 12 Messages Guide CKF064I Catalog cannot be dumped without APF authorization - catname Explanation: On a DFP version 3 or higher system, APF authorization is required to dump ICF catalogs. Severity: 08 CKF065I • CKF074I CKF065I Slowdown mode invoked because primary data VVR not obtained for datacomponent Explanation: To read VSAM data sets in EXCP mode, zSecure Collect needs the VSAM Volume Record (VVR) residing in the VVDS. This message is issued if the VVR of the data component was not encountered. Severity: 00 CKF066I Slowdown mode invoked because noimbed and primary index VVR not obtained for datacomponent Explanation: To read VSAM data sets with the NOIMBED attribute in EXCP mode, zSecure Collect needs the VSAM Volume Record (VVR) of the index residing in the VVDS. This message is issued if the VVR of the index component was not encountered. Severity: 00 record (rlen) points beyond the end of the used bytes in a control interval. Severity: 08 CKF069I Slowdown mode invoked for multi-volume cluster dsname Explanation: This message indicates that normal VSAM processing was selected for this cluster because it has a multi-volume data component. Severity: 00 CKF070I type abend xxx-nn (explanation) on dev volume dataset Explanation: This message indicates a nonrecoverable abend occurred during OPEN of the indicated PDS(E). For information about the common abend codes, see the zSecure Collect documentation in the user reference manual for your zSecure product. Severity: 08 CKF067I Data set datacomponent error at CI num in CA at rel trk nnn type key Explanation: Where key is the current record key (a data set name), and type can be one of the following error types: last segment missing - record skipped For a spanned record, the last segment was not found in the control area. The record will not be copied to CKFREEZE. CKF071I Explanation: This message indicates an unexpected condition; I/O was being attempted against an empty data set. Contact IBM Software Support. The message is suppressible. Severity: 24 CKF072I orphan inner segment skipped A spanned record intermediate segment was encountered, but the first segment for the record was not found in the control area. The segment will be discarded. Internal error IOBEXCP DEBNMEXT=0 Unexpected IOCINFO return code rc reason code rr (decimal) Explanation: This message indicates that the IOCINFO service issued an unexpected return code. Results are unpredictable. Severity: 08 updated during copy A spanned record was encountered, but the segments did not have the same update count. This can happen if the record was updated between read instructions to the control area. The record may appear garbled in the CKFREEZE file. orphan last segment skipped The last segment of a spanned record was encountered, but the first segment for the record was not found in the control area. The segment will be discarded. CKF073I Dynamic configuration change occurred, UCB scan restarted - file may contain duplicate records Explanation: This message indicates that the UCBSCAN service indicated a configuration change while scanning all UCBs. The scan will be restarted, but this may make the CKFREEZE file unusable if your application does not support duplicate information. In this case, you will have to rerun zSecure Collect. Severity: 04 Severity: 04 CKF074I CKF068I Cat rlen=xxxx (RDF=xxxxxx) at CI offset xxxx > used CI xxxxxx of CA at reltrk nnnnn in datacomponent Explanation: The record length field in a catalog Unexpected UCBSCAN return code rc reason code rr (decimal) Explanation: This message indicates that the UCBSCAN service issued an unexpected return code. Severity: 12 Chapter 2. CKF Messages 13 CKF075I • CKF087I CKF075I Unexpected EDTINFO return code rc reason code rr (decimal) for dev volume devtype devtype Explanation: This message indicates that the EDTINFO service issued an unexpected return code while trying to obtain the generic device type for a device. The field will be filled with a default value. Severity: 04 CKF076I CKF082I Explanation: This message indicates that the IXCQUERY service abended. The XCF sysplex record will be missing from the file. Severity: 04 CKF083I Unexpected UCBSCAN return code rc reason code rr (decimal) on dev volume Explanation: This message indicates that the UCBSCAN service issued an unexpected return code when trying to obtain the last path used mask. Unexpected IXCQUERY type abend xxx-nn (explanation) Extent size discrepancy size DEBNMTRK=num on dev volser Explanation: There is an unexpected difference in the low order two bytes of the number of tracks in an extent. The software uses DEBNMTRK (which may be too small). Contact IBM Software Support. Severity: 20 Severity: 12 CKF084I CKF077I Unexpected UCBSCAN return code rc reason code rr (decimal) on dev volume Explanation: This message indicates that the UCBSCAN service issued an unexpected return code while trying to pin and obtain the address of a UCB. The intended authorized I/O function will not be performed. Explanation: Contact IBM Software Support. Severity: 24 CKF085I Severity: 12 CKF078I Unexpected UCBPIN UNPIN rc rc reason code rr (decimal) on dev volume Explanation: This message indicates that the UCBPIN service issued an unexpected return code while trying to unpin an UCB after an authorized I/O operation. Severity: 12 CKF080I Unexpected IXCQUERY return code rc reason code rr (decimal) Explanation: This message indicates that the IXCQUERY service issued an unexpected return code. The XCF sysplex record will be missing from the file. Severity: 04 CKF081I Unexpected IXCQUERY return code rc reason code rr (decimal) Explanation: This message indicates that the IXCQUERY service issued an unexpected return code. The XCF sysplex record will be missing from the file. Severity: 04 14 Messages Guide Internal error CKFCCHH RC=20 on dev volser TTT conversion result CCC HHHH cccc hhhh not in extent cccc hhhh - cccc hhhh for reltrk on dev volser Extent nn range cccc hhhh - cccc hhhh start reltrk size trks Explanation: This message indicates a failure to convert the indicated relative track number to an absolute cylinder and head address. The requested track will not be read. Generally this means that the internal structure of a data set was not understood properly, for example, because of a new version of the software maintaining that data set. Contact IBM Software Support. Severity: 08 CKF086I Member mem rel trk trk Rrec not in dev volser dsn size trks trk Explanation: This message indicates that a PDS directory entry points to a member start (relative track and record number) beyond the end of the data set. A possible cause might be that the data set was truncated during a copy or restore operation. Severity: 04 CKF087I Missing EOF in member mem rel trk trk Rrec in dev volser dsn size trks trk Explanation: This message indicates that the last member physically present in a partitioned data set was truncated before it's End Of File marker. The member starts at the indicated relative track and record number. A possible cause might be that the data set was truncated during a copy or restore operation. There will be no checksum for this member. CKF088I • CKF097I Severity: 08 Severity: 04 CKF088I Missing n out of total members in dev volser dsn size trks trk Explanation: This message indicates that a Partitioned Data Set directory referred to members not physically present in the data set. A possible cause might be that the data set was truncated during a copy or restore operation. CKF093I Unexpected block prefix "ttttttt" at rel track nnn Rnn of ABR vol dataset Explanation: This message indicates that an ABR track read contained an unexpected block prefix. The current relative track number and physical record number are shown in decimal. Severity: 08 Severity: 04 CKF094I CKF089I Unexpected DMS subfile name name at record nnn of DMSU volume datasetname Explanation: The data set indicated by the DMSUNL= keyword contains an unknown subfile name. The data set is not read any further. Severity: 08 CKF090I type abend xxx-nn (explanation) on dev volume dataset Explanation: This message indicates a nonrecoverable abend occurred during OPEN of the indicated TMC. For information on the common abend codes, see the zSecure Collect documentation in the user reference manual for your zSecure product. Severity: 08 CKF091I TRKCALC for dsname gives RC=nn decimal Explanation: The calculation of the number of blocks per track for the TMC, VMF or ACF failed with the indicated return code. As a consequence, no blocks will be read. Severity: 08 CKF092I Opened type dev volume dataset, num by/bl num bl/tr num rc/bl num trk Explanation: This message indicates that the type data set (TMC for CA1, VMF for CA-TLMS, or ABR for FDR/ABR) has just been opened, and shows the characteristics used for reading the TMC/VMF. It is issued only if the INFO option was specified. Severity: 00 CKF093I Unexpected block length nnn at rel track nnn Rnn of type vol dataset Explanation: This message indicates that a track read contained an unexpected block size. The remainder of the track is skipped. The current relative track number and physical record number are shown in decimal. The type can be TMC, VMF, or ABR. Closed type dev volume dataset, read nnn tracks, copied nnn type and nnnn DSNB records Explanation: This informational message indicates that the TMC/VMF/ABR data set was closed and shows the number of volume and data set records that were copied to CKFREEZE. It is issued only if the INFO option was specified. Severity: 00 CKF095I Unsupported type blocksize nnn lrecl nnn for volume dataset Explanation: For type equal to TMC this message indicates that the indicated data set had a record size (lrecl) different from 200 and 340 (CA1 5.0). For type equal to VMF this message indicates that the record size was different from 500. For type equal to ABR this indicates that the block size was smaller than 32 bytes. Severity: 08 CKF096I type abend xxx-nn (explanation) on type dev volume dataset Explanation: This message indicates a nonrecoverable abend occurred during OPEN of the indicated type data set (DMSU for DMSUNL, PDSE for PDS/E directory, or PDSM for DMS AUTHLIB). For information on the common abend codes, see the zSecure Collect documentation in the user reference manual for your zSecure product. Severity: 08 CKF097I Opened type dev volume dataset, blksz nnnn, lrecl nnnn lasttrk nnnnn Explanation: This message indicates that the indicated type data set (DMSU for DMSUNL, PDSE for PDS/E directory, or PDSM for DMS AUTHLIB) has just been opened, and shows the block size, record length, and last relative track number (decimal). It is issued only if the INFO option was specified. Severity: 00 Chapter 2. CKF Messages 15 CKF098I • CKF108I CKF098I Unexpected record length n at record nnn of DMSU volume dataset Explanation: A record length smaller than 9 was encountered, this is not supported for a DMS unload (each record is expected to start with the 8 byte subfile name). The remainder of the data set will be skipped. Severity: 08 nnnn RACFENCD records Explanation: This informational message indicates that the DMStype data set (DMSU for DMSUNL, PDSE for PDS/E directory, or PDSM for DMS AUTHLIB) was closed and shows the number of records read as well as the number of data set and RACF profile records that were copied to CKFREEZE. It is issued only if the INFO option was specified. Severity: 00 CKF099I Closed type dev volume dataset read nnn records, copied nnn DSNINDEX and Messages from 100 to 199 CKF100I Missing PDS directory end in dev vol dsn Explanation: This message indicates that a data set that was supposed to have a Partitioned Data Set organization did not have a proper PDS directory (i.e. ending in a record with a key of high values). Possible causes are that the data set is not a PDS at all, or that the data set was truncated before the end of the PDS directory by a failed copy or restore operation. Severity: 08 CKF101I Severity: 00 CKF104I Closed IX dev volume catname index incore decnum bytes - indexname Explanation: This informational message summarizes the number of bytes that were read from the catalog index component prior to closing. It is issued only if the INFO option was selected. Severity: 00 Unexpected return code nn dec during LISTCAT of dsn Explanation: This message indicates a failure to locate a VSAM cluster name in the catalog. The cluster will be skipped. If you think the program should have found it, contact IBM Software Support. Severity: 08 CKF105I Opened type dev volser catname size num trk datacomponent Explanation: This informational message contains the number of tracks in the data component of the type data set (see CKF102I) that has just been opened successfully. It is issued only if the INFO option was selected. Severity: 00 CKF102I type catname on volume BLK decnum CISZ decnum, CASZ decnum byte, num CI/CA, num bl/CA, numtr/CA, nn bl/trk, nn bl/CI Explanation: This informational message gives the control interval size, the number of bytes, blocks, and tracks in a control area, and the number of blocks per track and blocks per control intervals for the specified type VSAM data set (BCS for catalog, MCD for HSM migration Control Data set, BCD for HSM Backup Control Data set, RMM for DFSMS RMM control data set) immediately before it is opened. It is issued only if the INFO option is selected. Severity: 00 CKF103I No imbed - index indexname on volume BLK decnum CISZ decnum Explanation: This message indicates that the index component about to be opened has the NOIMBED attribute, which makes it necessary to process the index. The message indicates the index component data set name, as well as the physical block size and CI size. It is issued only if the INFO option is selected. 16 Messages Guide CKF106I Master catalog is catname Explanation: This informational message indicates the name of the master catalog. It is issued only if the INFO option was selected. Severity: 00 CKF107I Opened ACB dev volume cluster component dsname Explanation: This informational message indicates the successful opening of the ACB for the indicated VSAM data set. It is issued only if the INFO option was selected. Severity: 00 CKF108I Closed ACB dev volume cluster read decnum, copied decnum records datacomponent Explanation: This informational message shows the number of records read and copied from the indicated CKF109I • CKF119I VSAM data set. It is issued only if the INFO option was selected. Severity: 00 Severity: 00 CKF115I CKF109I Opened dsntype dev volume dsname [ alloc size nn trk ] Explanation: This informational message indicates the successful opening of the PDS(E) indicated, and, for a PDS, the size of the data set in tracks. It is issued only if the INFO option was selected. Severity: 00 CKF110I Explanation: This informational message indicates the number of directory tracks and blocks read from the indicated PDS. It is issued only if the INFO option was selected. Severity: 00 Closed type dev volume catname read num trks, num records, copied decnum/decnum non/spanned records Explanation: This informational message summarizes the number of tracks and records (both non-spanned and spanned) that were read and copied from the data component of the type data set (see CKF102I) prior to closing. It is issued only if the INFO option was selected. Severity: 00 Severity: 00 CKF111I Explanation: This informational message summarizes the number of tracks and records that were read from the VVDS prior to closing. It is issued only if the INFO option was selected. CKF116I Closed PDS dev volume dsname read decnum trks, copied decnum dir blks, scanned decnum byte in decnum members Closed SYS1.VVDS.Vvolume read num tracks, copied decnum NVR/VVRs Scheduler allocated decnum I/O executors Explanation: This informational message shows the amount of parallelism introduced by the PARALLEL parameter or its default. It is issued only if the REPORT or INFO option was selected or defaulted. Severity: 00 CKF117I CP response truncated for command "command": response Explanation: This message indicates that the response to the specified CP command issued while running under VM did not fit into the return area. The first 5 lines of the response are displayed. As a result, information collected by the command may be missing from the CKFREEZE file. Severity: 12 CKF112I Opened VTOC dev volume size decnum tracks Explanation: This informational message indicates the successful opening of the VTOC for the indicated volume. It is issued only if the INFO option was selected. Severity: 00 CKF113I Closed VTOC dev volume read num tracks, copied decnum DSCBs Explanation: This informational message summarizes the number of tracks and records that were read from the VTOC prior to closing. It is issued only if the INFO option was selected. Severity: 00 CKF114I Opened SYS1.VVDS.Vvolume size decnum tracks, nnn blk/trk CKF118I CP return code nn on command "command": response Explanation: This message indicates the nonzero return code returned by CP on the specified command issued while running under VM. As a result, information collected by the command will be missing from the CKFREEZE file. Severity: 12 CKF119I Q Vnnnn returns data for nnnn possibly unsupported VM release Explanation: While running an XA release of MVS under VM, the QUERY VIRTUAL command issued by zSecure Collect unexpectedly returned information from a different device. The information is not processed. Severity: 12 Explanation: This informational message indicates the successful opening of the indicated VVDS and the number of 4KB blocks per track. It is issued only if the INFO option was selected. Chapter 2. CKF Messages 17 CKF120I • CKF129I CKF120I Unexpected IOS rc xx x, CSW stat xxxx sns xxxx id cccc/mm dddd/mm v/r=vv/rr dev dev volser during CCWname Explanation: This message indicates a failed I/O operation of the type CCWname on the indicated device. The Channel Status Word and the first 2 bytes of the sense code are shown in hexadecimal, together with the hexadecimal controller type cccc and model mm and device type dddd and model mm, as returned by the Sense Id, and the Virtual and Physical controller type returned by the ReadDeviceCharacteristics. The latter are needed to determine the exact device type and mode of 3990 models and RAMAC devices. Check for a possible hardware defect. More diagnostic information might be available in a directly subsequent message CKF144I. Severity: 08 CKF121I Unexpected nil name pointer in product Explanation: This message has two forms. the first shows the name of a pointer that was unexpectedly found to be zero during access to a control block chain with cross memory services in an address space for the specified product (HSM, JES2, JES3, RMM, TLMS). CKF124I Explanation: This informational message is issued to indicate that the SMS subsystem is not defined on the system. Severity: 00 CKF125I Unexpected null ASID for product Explanation: The second form of this message shows that the Address Space Id was unexpectedly found to be zero during access to a control block chain with cross memory services in an address space for the specified product (HSM, JES2, JES3, RMM, TLMS). Severity: 04 CKF122I Number of TAPE devices interrogated: nnn Explanation: This message, shown if TAPE=YES was specified or implied, shows the number of tape devices that were interrogated. Severity: 00 CKF123I Severity: 04 CKF126I SMS IEFSSREQ RC=nn (decimal) for request SSSA1TYP=nn (decimal) Explanation: This message indicates the failure of a SMS subsystem request. The requested SMS information will be missing from the CKFREEZE file. Severity: 08 CKF127I SMS return code SSOBRETN=nn (decimal) reason code SSSARSN=nnn (decimal) for request SSSA1TYP=nn (decimal) Explanation: This message indicates the failure of a SMS information request. The requested SMS information will be missing from the CKFREEZE file. Severity: 08 CKF128I SMS returned reason code SSSARSN=nnn (decimal) and messages for request SSSA1TYP=nn (decimal): messages Explanation: This message indicates the possible failure of a SMS information request. Informational or error messages returned by SMS follow this message. The requested SMS information may be missing from the CKFREEZE file. Severity: 04 Q V mmm query for device nnnn returns data for nnnn - possibly unsupported VM release Explanation: While running a non-XA release of MVS under VM, the QUERY VIRTUAL command issued by zSecure Collect to the VM device number mmm on behalf of the nnnn device number in MVS, unexpectedly returned information from a different device. The information is not processed. Severity: 12 18 SMS is inactive Explanation: This informational message is issued to indicate that the SMS subsystem is defined, but inactive. No SMS information will be present in the CKFREEZE file. Severity: 04 CKF121I Non-SMS system Messages Guide CKF129I Unexpected SMS call type abend xxx-nn (explanation) for request SSSA1TYP=nn (decimal) Explanation: This message indicates the abend issued during a SMS information request. The requested SMS information will be missing from the CKFREEZE file. Severity: 08 CKF130I • CKF141I CKF130I SMS type name configuration description Explanation: This informational message indicates that the complex of type type and name name has SMS active and shows the comment (description) field of the active configuration. Severity: 00 CKF131I LCU selection not possible Explanation: This message indicates that a LCU selection was given but no LCU information could be found in the system. The run is aborted. Possible reasons include: RMF was not active, running under a VM system, or an unsupported RMF release. Severity: 12 CKF136I CLOSE abend xxx-rc on device dev volume volser for dsname Explanation: The data set named dsname could not be closed on device dev. The VTOC is indicated with ** VTOC volser **. For information on the common abend codes, see the zSecure Collect documentation in the user reference manual for your zSecure product. Severity: 08 CKF137I ACB CLOSE failed for type dev volume datacomp rc=nn code=code cluster dsname Explanation: The VSAM data set data component datacomp could not be closed. See the appropriate DFP manual for the meaning of the codes. Severity: 08 CKF132I Tape management system CA1 v.r.nl Explanation: This message indicates that CA1 was found to be active on the system, and shows the release in the form version.release.newsletter Severity: 00 CKF133I FOCUS must precede parameters selecting additional information to be collected Explanation: This message is issued if FOCUS was not the first parameter, and you specified a parameter that is not allowed under each focus before the FOCUS parameter. Move the FOCUS parameter in front. Severity: 12 CKF134I Command not valid in current FOCUS name Explanation: This message indicates that a feature was requested that is invalid under the current focus combination. You can look up the command name in the index and read the restrictions. Severity: 12 CKF135I site-specific identification string Runs on where CPU-id, source file ddname volser dsn Explanation: This message shows the site-specific identification string, CPU-id, and relevant product numbers and names. Severity: 00 CKF138I GET RPL type dev volume datacomponent rc=nn reason=nnnn after nnnn records Explanation: This messages indicates an unexpected return code and reason code (in decimal) from the VSAM GET macro after the indicated number of records. Severity: 08 CKF139I TRKCALC for SYS1.VVDS.Vvolume gives RC=nn decimal Explanation: The calculation of the number of blocks per track for the VVDS failed with the indicated return code. As a consequence, the space map will not be used and all tracks of the VVDS will be read. Severity: 08 CKF140I Number of RACFENCD records copied: nnnn Explanation: This message indicates the number of records copied from the RACFENCD subfiles of DMS DMSFILES and unloaded DMSFILES data sets. The RACFENCD subfile gives the relation between data set names of archived or backed-up data sets and the corresponding RACF profiles with an encoded name. Severity: 00 CKF141I Number of DSNINDEX records copied: nnnn Explanation: This message indicates the number of records copied from the RACFENCD subfiles of DMS DMSFILES and unloaded DMSFILES data sets. It includes all archived and backed-up data sets. Severity: 00 Chapter 2. CKF Messages 19 CKF142I • CKF153I CKF142I Number of MCD records copied: nnnnn Explanation: This message indicates the number of records copied from HSM Migration Control Data sets. It is shown if the number is nonzero. Severity: 00 Severity: 00 CKF148I DMS records at level v.r.m Explanation: This message indicates the highest DMS release number encountered in a DMSFILES record. Severity: 00 CKF143I Number of BCD records copied: nnnnn Explanation: This message indicates the number of records copied from HSM Backup Control Data sets. It is shown if the number is nonzero. Severity: 00 CKF144I original rc nnx sense xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx Explanation: This message occurs optionally behind message CKF120I or CKF051I. It indicates the original EXCP return code and sense code associated with a failing channel program, for example, a Unit Check. Check for a hardware defect or failure. If you cannot find one, contact IBM Software Support to report these messages and to determine whether they can be prevented. CKFREEZE LRECL=nnn must at least be 23472, use half/full track as BLKSIZE and set LRECL 4 less, or use LRECL=X, RECFM=VBS Number of SWCH devices interrogated: nnn Explanation: This message, shown if SWCH=YES was specified or implied, shows the number of ESCON directors that were interrogated. Severity: 00 CKF150I type abend xxx-nn (explanation) on dev volser dsname Explanation: This message indicates that the OPEN for a DMSFILES data set failed with the indicated abend code. No information will be present in the CKFREEZE file from this data set. Severity: 08 CKF151I Severity: 00 CKF145I CKF149I TRKCALC for dsname gives RC=nn decimal Explanation: The calculation of the number of blocks per track for the DMSFILES data set failed with the indicated return code. As a consequence, no blocks will be read. Severity: 08 Explanation: This message indicates that the CKFREEZE file has an insufficient maximum record length. Check your JCL, if you did not specify a LRECL, check the BLKSIZE. If you did not specify either, try specifying BLKSIZE. If this does not work, try specifying both. If you specified both and SMS is active, contact your site's storage administrator how you can prevent the ACS routines from providing an insufficient overriding LRECL. Explanation: This message indicates that a DMSFILES data set has just been opened, and shows the characteristics used for reading the DMSFILES data set. It is issued only if the INFO option was specified. Severity: 12 Severity: 00 CKF146I Number of TMC volume records copied: nnnn Explanation: This message indicates the number of volume records copied from the CA1 TMC (Tape Management Catalog). Severity: 00 CKF147I Number of DSNB records copied: nnnn Explanation: This message indicates the number of secondary data set records (Data Set Name Blocks) copied from the CA1 TMC (Tape Management Catalog). 20 Messages Guide CKF152I CKF153I Opened DMSF dev volume dataset, nnn by/bl nn bl/tr nnn by/tr nnnn trk Dataset has unsupported DMSFILES format - volser dsname Explanation: This message indicates that the data set indicated does not conform to the supported layout of a DMSFILES data set. Specifically, the control record does not contain a correct control block id. The data set is not processed any further. Severity: 08 CKF154I • CKF163I CKF154I Dataset expects blksize nnnn but is nnnn for volser dsname Explanation: The message indicates that the DMSFILES data set contains a physical block size in the DMS control record that differs from the physical block size in the format 1 DSCB in the VTOC. The data set is not processed any further. Severity: 08 CKF155I Unexpected block length nnn at rel track nnn Rnn of DMSF vol dataset Explanation: This message indicates that a DMSFILES track read contained an unexpected block size. The remainder of the data set is skipped. Severity: 08 CKF156I DMSFILES error: reference to RBA xxxxxxxx and length nnnnn points beyond last rel track nnnn Explanation: This message indicates an error during read of a DMSFILES data set. An index entry or file control block points to a block at a Relative Byte Address (hexadecimal) and with a length (decimal) that would extend beyond the last used track of the data set as shown in the F1 DSCB (last relative track number in decimal). The blocks beyond the last used track will not be read. Severity: 08 CKF157I DMSFILES error: missing nnnn bytes at the end of logical block at RBA xxxxxxxx Explanation: This message indicates that zSecure Collect expected additional bytes to complete a logical block when end-of-file processing was entered. Severity: 08 CKF158I DMSFILES error: found BLK RBA xxxxxxxx but unexpected subfile name rel trk nnn Rnn Explanation: This message indicates that a block, pointed to by the DSNINDEX or RACFENCD index was read at the specified RBA, but it contained records of a different subfile than DSNINDEX and RACFENCD. The current relative track number and physical record number are shown in decimal. Severity: 08 CKF159I DMSFILES error: found IND RBA xxxxxxxx but unexpected subfile name rel trk nnn Rnn Explanation: This message indicates that an index block, pointed to by the DSNINDEX or RACFENCD FCB was read at the specified RBA, but it contained the index of a different subfile than DSNINDEX and RACFENCD. The current relative track number and physical record number are shown in decimal. Severity: 08 CKF160I DMSFILES error: found RBA xxxxxxxx but not a BLK or IND prefix, at rel trk nnn Rnn Explanation: This message indicates that a block, pointed to by the DSNINDEX or RACFENCD FCB or index was read at the specified RBA, but it did not contain a BLK or IND prefix. The current relative track number and physical record number are shown in decimal. Severity: 08 CKF161I DMSFILES error: RBA xxxxxxxx not found on block boundary, at RBA xxxxxxxx rel trk nnn Rnn Explanation: This message indicates that the starting RBA of a logical block, pointed to by the DSNINDEX or RACFENCD FCB or index was not found on a physical block boundary. The current RBA, relative track number, and physical record number are shown in decimal. Severity: 08 CKF162I DMSFILES error: missed block(s) starting at RBA xxxxxxxx Explanation: This message indicates that zSecure Collect expected additional information starting at the specified RBA (pointed to by DSNINDEX or RACFENCD FCB or index) when end-of-file processing was entered. Severity: 08 CKF163I Closed DMSF dev volume dataset, read nnn tracks, copied nnn DSNINDEX and nnnn RACFENCD records Explanation: This informational message indicates that the DMSFILES data set was closed and shows the number of data set and RACF profile records that were copied to CKFREEZE. It is issued only if the INFO option was specified. Severity: 00 Chapter 2. CKF Messages 21 CKF164I • CKF172I CKF164I DMSFILES error: name subfile not found in FCBs CKF169I Volume [excluded or] not mounted for requested data set volume dsname Explanation: This message indicates that zSecure Collect failed to find the specified subfile definition in the File Control Blocks. Information from the subfile will be missing from the CKFREEZE file. Explanation: This message indicates that you requested an action for a data set, but the volume was not mounted or excluded by your SELECT and EXCLUDE commands. Severity: 08 Severity: 08 CKF165I DMSFILES error: no or invalid IND/BLK RBA in FCBs CKF170I Restore not successful for requested data set on volume volume dsname Explanation: This message indicates that zSecure Collect failed to find valid RBAs in the DSNINDEX and RACFENCD File Control Blocks. No information from this DMSFILES data set will be copied to the CKFREEZE file. Explanation: This message indicates that you requested an action for a data set, but the OPEN attempt was not successful. This text of the message can only occur if RESTORE=YES (same as RECALL=YES) was specified or implied. Severity: 08 Severity: 08 CKF166I Message number to be suppressed must be in range 0..999 Explanation: The form of the message suppression command SUPMSG and its aliases is a list of decimal numbers separated by commas and enclosed in parentheses, or a single number. It may not be left blank. CKF170I RESTORE=NO and requested data set not on volume volume dsname Explanation: This form of the message indicates that you requested an action for a data set, but the data set was not found in the VTOC, and RESTORE=NO was specified or implied. Severity: 08 Severity: 12 CKF171I CKF167I Volume not mounted for expected data set volume dsname Explanation: This message indicates that zSecure Collect wants to extract information from the indicated data set, but the volume was not mounted. Severity: 04 Restore not successful for expected data set on any volume - dsname Explanation: This message indicates that zSecure Collect wants to extract information from the indicated data set, but the ALLOCATE attempt was not successful. This text of the message can only occur if RESTORE=YES was specified or implied. Severity: 04 CKF168I Restore not successful for expected data set on volume volume dsname CKF171I RESTORE=NO and expected data set not on any volume dsname Explanation: This message indicates that zSecure Collect wants to extract information from the indicated data set, but the OPEN attempt was not successful. This text of the message can only occur if RESTORE=YES or RECALL=YES was specified or implied. Explanation: This form of the message indicates that zSecure Collect wants to extract information from the indicated data set, but the data set was not found in any VTOC, and RESTORE=NO (same as RECALL=NO) was specified or implied. Severity: 04 Severity: 04 CKF168I RESTORE=NO and expected data set not on volume volume dsname Explanation: This form of the message indicates that zSecure Collect wants to extract information from the indicated data set, but the data set was not found in the VTOC, and RESTORE=NO (same as RECALL=NO) was specified or implied. Severity: 04 22 Messages Guide CKF172I Restore not successful for requested data set on any [included] volume dsname Explanation: This message indicates that you requested an action for a data set, but the data set was not found on the volume or the volume was not included by your SELECT and EXCLUDE statements. This text of the message can only occur if RESTORE=NO was specified or implied. CKF172I • CKF178I Severity: 08 Severity: 08 CKF172I RESTORE=NO and expected data set not on any [included] volume dsname CKF176I RESTORE=NO and requested VSAM data set not on volume volume dsname Explanation: This form of the message indicates that you requested an action for a VSAM data set, but the data set was not found in any VTOC included by your SELECT and EXCLUDE statements, and RESTORE=NO was specified or implied. Explanation: This form of the message indicates that you requested an action for a VSAM data set, but the data set was not found in the VTOC, and RESTORE=NO (same as RECALL=NO) was specified or implied. Severity: 08 Severity: 08 CKF173I Volume not mounted for expected VSAM data set volume dsname Explanation: This message indicates that zSecure Collect wants to extract information from the indicated VSAM data set, but the volume was not mounted. Severity: 04 CKF174I Restore not successful for expected VSAM data set on volume volume dsname Explanation: This message indicates that zSecure Collect wants to extract information from the indicated VSAM data set, but the OPEN attempt was not successful. This text of the message can only occur if RESTORE=YES (same as RECALL=YES) was specified or implied. Severity: 04 CKF177I Restore not successful for expected VSAM data set on any volume - dsname Explanation: This message indicates that zSecure Collect wants to extract information from the indicated VSAM data set, but the ALLOCATE attempt was not successful. This text of the message can only occur if RESTORE=YES was specified or implied. Severity: 04 CKF177I RESTORE=NO and expected VSAM data set not on any volume dsname Explanation: This form of the message indicates that zSecure Collect wants to extract information from the indicated VSAM data set, but the data set was not found in any VTOC, and RESTORE=NO was specified or implied. Severity: 04 CKF174I RESTORE=NO and expected VSAM data set not on volume volume dsname Explanation: This form of the message indicates that zSecure Collect wants to extract information from the indicated VSAM data set, but the data set was not found in the VTOC, and RESTORE=NO (same as RECALL=NO) was specified or implied. Severity: 04 CKF175I Volume [excluded or] not mounted for requested VSAM data set volume dsname Explanation: This message indicates that you requested an action for a VSAM data set, but the volume was not mounted or excluded by your SELECT and EXCLUDE commands. Severity: 08 CKF176I Restore not successful for requested VSAM data set on volume volume dsname Explanation: This message indicates that you requested an action for a VSAM data set, but the OPEN attempt was not successful. This text of the message can only occur if RESTORE=YES (same as RECALL=YES) was specified or implied. CKF178I Restore not successful for requested VSAM data set on any [included] volume - dsname Explanation: This message indicates that you requested an action for a VSAM data set, but the ALLOCATE attempt was not successful or the volume was not included by your SELECT and EXCLUDE statements. This text of the message can only occur if RESTORE=YES (same as RECALL=YES) was specified or implied. Severity: 08 CKF178I RESTORE=NO and expected VSAM data set not on any [included] volume dsname Explanation: This form of the message indicates that you requested an action for a VSAM data set, but the data set was not found in any VTOC included by your SELECT and EXCLUDE statements, and RESTORE=NO (same as RECALL=NO) was specified or implied. Severity: 08 Chapter 2. CKF Messages 23 CKF179I • CKF187I CKF179I FAIL][,VOLSER][,UNIT]) Unsupported MPFT level xx Explanation: This message indicates that a newer control block layout was encountered than currently supported for the Message Processing Facility. Information on message suppression will be missing from the CKFREEZE file. Contact IBM Software Support. Explanation: This message lists the basic options (options that are not a combination of others) that are currently in effect. Severity: 00 CKF183I Severity: 08 CKF180I Device dev volume has no VTOC Explanation: This message indicates that the indicated volume had no VTOC at the time of the last IPL or VARY command. Processing is skipped for this volume. Device dev volume CP-formatted VTOC not supported Explanation: This message indicates that the volume has the VTOC in a position as for a CP-formatted volume (for use by VM). Processing is skipped for this volume (the VTOC will not be dumped). Severity: 04 Severity: 04 CKF184I CKF181I Device dev volume has VTOC on track 0 record n - not supported Explanation: This message indicates that the indicated volume had a VTOC on track 0 at the indicated record. This format is not recognized by zSecure Collect. Processing is skipped for this volume (the VTOC will not be dumped). Severity: 04 CKF182I 24 Explanation: This message indicates that the volume has the VTOC in a position as for an AIX-formatted volume (for use by AIX/ESA®). Processing is skipped for this volume (the VTOC will not be dumped). Severity: 04 CKF185I Options for this run are: FOCUS=(focus) IO=Y/N,TCPIP=Y/N, DASD=Y/N, TAPE=Y/N, SWCH=Y/N, PATH=Y/N, VTOC=Y/N, VVDS=Y/N, PDS=Y/N, CAT=Y/N/MCAT, MCD=Y/N, BCD=Y/N, DMS=Y/N, ABR=Y/N, TMC=Y/N, RMM=Y/N, VMF=Y/N, UNIX=Y/N [,UNIXCLIENT=Y/N] RECALL=Y/N [,AUTOMOUNT=Y/N, UNIXACL=Y/N], SHARED=Y/N, OFFLINE=Y/N, SMS=Y/N, STATS=Y/N, IDR=Y/N, CHECK=Y/N, SCAN=Y/N, PARALLEL=NONE/PATHGROUP/PATH [,NO]REPORT[,ALLRECS] [,WAIT=Y/N[,BURSTS=num, BURSTWAIT=num,BURSTSIZE=num ]] [,[NO]KEY0, [NO]BYPASS, [NO]SIO, [NO]XMEM, [NO]XMDSN, [NO]DIAG, [NO]UID0[,UNCONNECTED] [,SLOWDOWN] [,FREE] [,MONITOR=num] [,INTERVAL=num]], ENQ=Y/N, DDLIMIT=num, IOTIMEOUT=nn, PDSEBUFSIZE=num, SIGVER=Y/N, XTIOT=Y/N, MOD=Y/N, NJE=Y/N, CICS=Y/N, IMS=Y/N, MQ=Y/N, DB2=Y/N, DB2CAT=Y/N, [NO]DB2ADM, TKDS=Y/N, SERIALIZATION(NOENQ| ENQ(SYSDSN/CKRDSN/ SYSDSN,CKRDSN) [,WAIT[,MAXWAIT(nn)]|, Messages Guide Device dev volume AIX-formatted VTOC not supported Error reading rel trk nnn in dev volume dsname directory Explanation: This message indicates that an I/O error occurred while processing a track in a PDS directory. Severity: 08 CKF185I Error reading rel trk nnn in dev volume dsname(member) Explanation: This message indicates that an I/O error occurred while processing a track in a PDS member. Severity: 08 CKF186I Unexpected CSVAPF return code xxxxxxxx hex, reason code xxxxxxxx hex Explanation: This message indicates that the CSVAPF service returned an unexpected return code. Contact IBM Software Support. Severity: 08 CKF187I Unexpected CSVDYNL return code xxxxxxxx hex, reason code xxxxxxxx hex Explanation: This message indicates that the CSVDYNL service returned an unexpected return code. Contact IBM Software Support. Severity: 08 CKF188I • CKF196I CKF188I Unexpected CSVDYNL return data Explanation: This message indicates that the CSVDYNL service returned unexpected data (no sets at all). Contact IBM Software Support. Severity: 08 CKF189I Exit same ptr for module1 and module2 ASID=aaaa tag=xx and ASID=bbbb tag=yy Explanation: This message indicates that two module major names were found that both claimed to reside at the same address. Only one of the names will be the 'official' name in the CKFREEZE file. Severity: 04 Shared Memory Objects which zSecure refers to as XSHR objects, and Common Memory Objects which zSecure refers to as XCOM objects. As a result of this error, it is likely that information about Shared or Common memory objects will be missing from the CKFREEZE file. User response: This error might be caused by running zSecure on an operating system that is not supported, or by recent maintenance to the operating system which might have affected IARV64. It might also be caused by a memory corruption. For further information about the error, refer to the return codes for IARV64, which are documented in the MVS Programming: Authorized Assembler Services Reference manuals, SA23-1371 to SA23-1375. If the problem persists, contact IBM Software Support. Severity: 08 CKF190I Slowdown mode invoked because VVDS volser has no index for bcsname Explanation: An error was found in the VVDS (it will show up on an IDCAMS DIAGNOSE). This error made it impossible to use fast I/O routines. Slowdown mode was invoked instead. NOCLOSE only valid in PARM string Explanation: This message indicates that the NOCLOSE parameter does not work unless present in the parameter string. Severity: 16 CKF192I NODCBE only valid in PARM string Explanation: This message indicates that the NODCBE parameter does not work unless present in the parameter string. Severity: 16 CKF193I NODUMP only valid in PARM string Explanation: This message indicates that the NODUMP parameter does not work unless present in the parameter string. Severity: 16 CKF194I tttt abend xxx-nn (description) in IARV64 REQUEST=LIST processing. xxxx info missing Explanation: An abend occurred while processing an IARV64 REQUEST=LIST macro . In the message, v tttt will be either System or User, that is, the type of abend Severity: 00 CKF191I CKF195I Unexpected return code hhhhhhhh from IARV64 REQUEST=LIST for xxxx memory Explanation: An IARV64 REQUEST=LIST macro failed with return code hhhhhhhh. In the message, xxxx can be either XSHR or XCOM. IARV64 REQUEST=LIST is used to retrieve information about 64-bit memory objects. There are two types of memory objects for which CKFCOLL will request information. These are v description describes the abend v xxxx will be either XSHR or XCOM. IARV64 REQUEST=LIST is used to retrieve information about 64-bit memory objects. There are two types of memory objects for which CKFCOLL will request information. These are Shared Memory Objects which zSecure refers to as XSHR objects, and Common Memory Objects which zSecure refers to as XCOM objects. As a result of this error, it is likely that information about Shared or Common memory objects will be missing from the CKFREEZE file. User response: This error might be caused by running zSecure on an operating system that is not supported, or by recent maintenance to that operating system, which might have affected IARV64. It might also be caused by a memory corruption. For further information about the error, refer to the return codes for IARV64 documented in the series of manuals "MVS Programming: Authorized Assembler Services Reference SA23-1371 to SA23-1375". If the problem remains, contact IBM Software Support. Severity: 08 CKF196I Unexpected IXCCPLX processing type abend xxx-nn (explanation) Explanation: This message indicates that an abend occurred while processing the IXCCPLX. The couple data set definition records will be missing from the file. Severity: 04 Chapter 2. CKF Messages 25 CKF197I • CKF209I CKF197I Unexpected type abend xxx-nn (explanation) during IEEQEMCS Explanation: This message indicates that an unexpected abend condition was encountered while executing IEEQEMCS. This may be accompanied by a system dump. Information on EMCS consoles will be missing from the CKFREEZE file. Contact IBM Software Support. Severity: 12 CKF198I Unexpected IEEQEMCS RC=nn RSN=nn Explanation: This message indicates that an unexpected return code and reason code was returned by the IEEQEMCS service. Information on EMCS consoles will be missing from the CKFREEZE file. Contact IBM Software Support. Severity: 12 CKF199I Unsupported UCM level xx Explanation: This message indicates that a newer control block layout was encountered than currently supported for analyzing consoles. Information on consoles will be missing from the CKFREEZE file. Contact IBM Software Support. Severity: 08 Messages from 200 to 299 CKF200I OBTAIN return code rc on type data set volser datasetname Explanation: This message indicates that the data set datasetname (which is supposed to be a type data set) could not be found by the OBTAIN service of MVS. The return code returned by the service is rc. Severity: 00 CKF201I Access denied to one or more APF authorized features - adjust FOCUS or drop APF authorization Explanation: This message indicates that the user has insufficient authority on the proper resource. He either has to change the requested function, obtain a READ permit to the proper CKF.focus resource, or drop APF authorization (for example, by adding a non-authorized STEPLIB). Explanation: This message indicates the ESM return code and reason code returned in the first two fullwords of the RACROUTE REQUEST=AUTH parameter list by SAF. Generally, the meaning is explained in additional messages, or, for return code 8, in an ICH408I message issued by RACF in the job log. This message is mainly for debugging purposes. The meanings of the reason codes are documented in the ESM documentation. Severity: 12 CKF206I ESM not installed, no authorization check possible Explanation: This message indicates that no resource access control is present on the system, as indicated by return code 24 on the RACSTAT macro. All operations requested will be allowed. Severity: 00 Severity: 12 CKF207I CKF202I Resource profile does not permit use of FOCUS=AUDIT* - class CKF.AUDIT Explanation: This message indicates that the user has insufficient authority on the indicated resource (SAF return code 8). AUDIT* means either AUDITACF2, AUDITRACF or AUDITTSS. Severity: 12 CKF204I Explanation: This message indicates that no resource access control is active on the system. All operations requested will be allowed. Severity: 00 CKF208I Resource not defined - class profile ESM inactive, no authorization check possible SAF class class not defined in CDT, no authorization check possible Explanation: This message indicates that the indicated profile cannot be found (RACF return code 4 while class is active). Message CKF211I will follow. Explanation: This message indicates that the resource class indicated is not defined in the SAF Class Descriptor Table. All operations requested will be allowed. Severity: 00 Severity: 00 CKF205I 26 ESM return code nnnnnnnn hex, reason code nnnnnnnn hex class profile Messages Guide CKF209I SAF class class not active, no authorization check possible CKF210I • CKF227I Explanation: This message indicates that protection for the resource class indicated has not been activated on the system. This message will be followed by message CKF210I or CKF214I indicating the focus for which an authorization check was requested. Severity: 00 CKF216I Resource profile does not permit use of FOCUS=ADMIN* - class CKF.ADMIN Explanation: This message indicates that the user has insufficient authority on the indicated resource (SAF return code 8). Severity: 12 CKF210I Authorization checking for class class must be active to use FOCUS=focus Explanation: This message explains that zSecure Collect does not collect protected auditing information specifically requested by FOCUS=focus for a user unless this is specifically allowed by a security resource. The focus can be ALERT*, AUDIT*, or QRADAR*. To be able to check the resource, the indicated class must be activated. Severity: 12 CKF221I Unexpected CSVDYNEX return code nnn reason code nnn (decimal) Explanation: This message is issued if the CSVDYNEX LIST service fails. The return codes are documented in your MVS system in the macro CSVEXRET. If the return code is 8 and the reason code 2052 decimal, then this means that the caller was not APF-authorized and did not have a READ permit on FACILITY CSVDYNEX.LIST. Severity: 04 CKF211I Resource profile must be present to use FOCUS=AUDIT* - class CKF.AUDIT CKF222I RMF not active or running under VM LCU selection invalid Explanation: This message explains that zSecure Collect will refuse to collect auditing information specifically requested by FOCUS=AUDIT* for a user unless this is specifically allowed by a security resource. To be able to check the resource, a profile must be defined that covers the resource. Explanation: This message is issued if the RMF control blocks used for LCU processing cannot be found. This can be caused by a system without RMF or under a VM release that does not allow service processor diagnose instructions. Severity: 12 Severity: 16 CKF214I Authorization checking for class class must be active to use FOCUS=focus Explanation: This message explains that zSecure Collect. will refuse to collect protected auditing information specifically requested by FOCUS=focus for a user unless this is specifically allowed by a security resource. To be able to check the resource, the indicated class must be activated. The focus can be ADMIN* or VISUAL. CKF225I Explanation: This message is issued if the SCANSVC parameter contains a list entry with a value that is not in the range 0 though 255. Severity: 12 CKF226I Severity: 12 CKF215I Resource profile must be present to use FOCUS=ADMIN* - class CKF.ADMIN Explanation: This message explains that zSecure Collect will refuse to collect auditing information specifically requested by any of the ADMIN* FOCUS specifications for a user unless this is specifically allowed by a security resource. To be able to check the resource, a profile must be defined that covers the resource. Severity: 12 SVC number to scan for must be in range 0..255 Number of RMM control records copied: nnn Explanation: This message, shown if RMM=YES was specified or implied, shows the number of records copied from the RMM control data set. Severity: 00 CKF227I Disk data records checked: nnn MB in nnn members Explanation: This message, shown if CHECK=YES was specified or implied, shows the number of megabytes of data that were read and summarized by the checksum algorithms, as well as the number of PDS members that contained this data. Severity: 00 Chapter 2. CKF Messages 27 CKF228I • CKF243I CKF228I Unsupported IDENTIFY IDR data in dev volume dsname(member) Explanation: This message indicates that the format of IDENTIFY IDR data for the specified load library member could not be recognized. PTF level information may be missing or incomplete for this member. User response: When specifying parameters for data collection, include the PARM= parameter specification in the CKFCOLL batch JCL. Severity: 04 CKF229I PDS dirblk key/data len kk/nnn instead of 8/256 for dev volume dsname rel track nnnn Explanation: This message indicates that the format of a directory block for the specified load library member was not supported. The rest of the track is skipped. Possibly the data set has DSORG=PO but no initialized directory. Severity: 08 CKF230I CKF234I Explanation: This message is shown if I/O was done to a track but nothing was found on the track. This is not a normal situation, contact IBM Software Support. Severity: 08 CKF235I Explanation: This message, shown if VMF=YES was specified or implied, shows the number of volume base records copies from the TLMS volume master file. MON msg nnn: text Explanation: This message is shown during MONITOR processing. The number nnn corresponds to a proper zSecure Collect message. See the appropriate CKFnnnI message for an explanation. Severity: 08 CKF236I CKFCMON internal error on text Explanation: This message is shown during MONITOR processing. Contact IBM Software Support. Severity: 24 CKF237I Number of TLMS base records copied: nnn No valid data found on track nnn type abend xxx-nn (explanation) during ERBSMFI processing Explanation: This message is shown if ERBSMFI, the RMF interface module was abnormally terminated during MONITOR processing. Contact IBM Software Support if you cannot find an obvious cause. Severity: 08 Severity: 00 CKF238I CKF231I Number of TLMS data set cells copied: nnn Explanation: This message, shown if VMF=YES was specified or implied, shows the number of data set records copied from the TLMS volume master file. Severity: 00 CKF232I Explanation: This message, shown if ABR=YES was specified or implied, shows the number of records copied from the ABR archive control file. Severity: 00 CKF233I Unexpected CSRSI return code xxxxxxxx Explanation: This message indicates that the CSRSI service returned an unexpected return code. As a result, less CPU detail information will be dumped. Severity: 00 28 Explanation: The MONITOR or INTERVAL parameter was specified as a number of minutes greater than 1440. Both parameters must be less than 1 day. Severity: 12 CKF242I Number of ABR archive records copied: nnn Messages Guide parm must be less than 1440 (1 day) Dynamic exit info omitted, SAF READ access required on FACILITY class entity CSVDYNEX.LIST if non-APF Explanation: This message is issued if the CSVDYNEX LIST service fails. The CSVDYNEX return code was 8 and the reason code 2052 decimal. This is documented in your MVS system in the macro CSVEXRET. It means that the caller was not APF-authorized and did not have a READ permit on FACILITY CSVDYNEX.LIST. Severity: 04 CKF243I Resource profile must be present to use FOCUS=QRADAR* - class CKF.QRADAR Explanation: This message explains that zSecure Collect does not collect auditing information specifically requested by any of the QRADAR* FOCUS specifications for a user unless this is specifically CKF244I • CKF253I allowed by a security resource. To be able to check the resource, a profile must be defined that covers the resource. The check for CKF.QRADAR is not done if an AUDIT* focus is also specified or implied. Severity: 12 and the library apparently is not physically present on the volser. The sensitivity report produced by zSecure Audit for RACF will properly show this, and there is no reason to assume any reports will be invalidated by this condition. Severity: 04 CKF244I Resource profile does not permit use of FOCUS=QRADAR* - class CKF.QRADAR Explanation: This message indicates that the user has insufficient authority on the indicated recourse (SAF return code 8). The check for CKF.QRADAR is not done if an AUDIT* focus is also specified or implied. In that case, a permit on CKF.AUDIT is also sufficient. Severity: 12 CKF245I Unexpected block length nnn at rel track nnn Rnn of type vol dataset Explanation: This message indicates that a track read contained an unexpected block size. The remainder of the track is skipped. The current relative track number and physical record number are shown in decimal. The type can be TMC or VMF. This message is only issued for a TMC or VMF when the block length reported is an integer multiple of the record length, so that the block would have been valid for a last block; however, this was not the last block. Severity: 08 CKF246I Empty tracks in CA not skipped, more than 32 blocks in CI - nn blk/CI cluster dsname Explanation: This message indicates that the internal I/O optimization algorithm could not finish processing because it only supports 32 physical blocks per control interval. Instead, it will always read all tracks of a control area, even if some tracks are empty. This slightly reduces the I/O performance, it does not indicate any loss of data. Invalid index record header for catname on volser Explanation: This message occurs if the vertical pointer mask conflicts with the number of CI pointers. CKF248I Severity: 04 CKF250I OPEN abend 213-04 on device dev volume volser for dsname Explanation: The data set named dsname could not be opened for input on device dev. zSecure Collect issues this message (instead of CKR030I) when it was looking for an APF library the user did not explicitly indicate, Skipping VSAM extent slack n trk of extentsize at rel trk nnn in vol dsname Explanation: This message indicates that a VSAM data set had slack space at the end of an extent. It was skipped. If you want, you can reallocate the data set to reclaim wasted space and get rid of this message. If the message persists even after reallocation, contact IBM Software Support. Severity: 00 CKF251I Slowdown mode invoked for vol dsname Explanation: This message indicates that a VSAM data set will be read with the slower method, but no more specific error message as to the reason is available. Severity: 00 Open failed for ACF2 Unload file ddname Explanation: This message indicates that the ACF2 Unload file mentioned could not be opened. Severity: 00 CKF253I Severity: 08 Empty tracks in CA not skipped, more than 2048 blocks in CA - nnn blk/CA cluster dsname Explanation: This message indicates that the internal I/O optimization algorithm could not finish processing because it only supports 2048 physical blocks per control area. Instead, it always reads all tracks of a control area, even if some tracks are empty. This slightly reduces the I/O performance; it does not indicate any loss of data. Consider reviewing whether the data set should be reblocked, because more than 2048 blocks per CA means that it has an extremely inefficient blocking factor. CKF252I Severity: 04 CKF247I CKF249I type abend xxx-nn (explanation) on dev volser dsname Explanation: An abend that could not be handled by the OPEN abend exit occurred during opening of the data set dsname on the volume and device indicated. Severity: 08 Chapter 2. CKF Messages 29 CKF254I • CKF267I CKF254I type abend xxx-nn (explanation) on dev volser dsname Explanation: An abend that could not be handled by the OPEN abend exit occurred during opening of the data set dsname on the volume and non-DASD device indicated. Severity: 08 CKF255I type abend xxx-nn (explanation) on dev volser dsname Explanation: An abend that could not be handled by the OPEN abend exit occurred during opening of the DASD catalog index dsname on the volume and device indicated. Severity: 08 CKF256I Slowdown mode invoked because Extended Format vol dsname Explanation: This message indicates that a VSAM data set will be read with the slower method, because it is an Extended Format data set. Severity: 00 CKF257I RACROUTE type abend xxx-nn (explanation) Explanation: An unexpected RACROUTE abend occurred. Severity: 08 CKF258I STATUS=ACCESS not allowed for this user (system abend 047) Explanation: The current non-APF run of zSecure Collect does not run under a logon ID that is authorized to do RACROUTE STATUS=ACCESS calls. This can be remedied by using the NOAPFCHK keyword on a SAFDEF record that describes the zSecure Collect environment: INSERT SAFDEF.apf PROGRAM(CKFCOLL) RB(CKFCOLL) NOAPFCHK RACROUTE (REQUEST=AUTH,CLASS=DATASET, STATUS=ACCESS) CKF260I UCBSCAN does not return device hhhh volser Explanation: This message indicates that the UCBSCAN service did not return information for the indicated device. The intended authorized I/O function will not be performed. This may be due to a dynamic change during the zSecure Collect run. If this error recurs in another run, contact IBM Software Support. Severity: 12 CKF261I Corrupted length found while reading IX on dev volser dsname Explanation: While reading the index of the data set mentioned conflicting length specifications were found. This is usually indicative of a corrupted data set. Further processing for this data set will be skipped. Severity: 08 CKF262I Not a cluster or component name -- dsn Explanation: This message indicates that a name was passed as if it were a VSAM cluster or data component name, but it is neither a cluster name nor a data component name. Severity: 08 CKF263I Unexpected return code nn dec during LISTCAT VOL of dsn Explanation: This message indicates a failure to locate a VSAM data component name in the catalog. The component will be skipped. If you think the program should have found it, contact IBM Software Support. Severity: 08 CKF264I Unexpected type abend xxx-nn (explanation) during LISTCAT VOL of dsn Explanation: This message indicates an a failure to locate a VSAM data component name in the catalog; an abend was encountered. The component will be skipped. If you think the program should have found it, contact IBM Software Support. Severity: 08 Severity: 00 CKF267I CKF259I No storage available for I/O buffer Explanation: zSecure Collect did not have enough storage available to create an I/O buffer of adequate size. This will result in program termination. Allocate a larger region for the zSecure Collect run to avoid this problem. Severity: 12 30 Messages Guide Unexpected eye catcher eye catcher for program object header of volume dsname(member) Explanation: The indicated program object has an unknown layout. Checksum and IDR processing are skipped for this member. Severity: 08 CKF268I • CKF277I CKF268I Program object header length hexnum larger than blocksize hexnum for volume dsname(member) Explanation: Checksum and IDR processing for PDSEs requires the complete header of a program object to be present within the first block read. If this is not the case, processing is skipped. Severity: 08 CKF269I Unsupported program object level hexnum for volume dsname(member) Explanation: The indicated program object has an unknown layout. Checksum and IDR processing are skipped for this member. CKF273I ddname volser dsname(member) - problem description Explanation: The program encountered an unexpected condition while processing the IDRDATA of a program object. If problem description indicates that the IDRDATA was truncated, it turned out that the program object contained more IDRDATA than the amount buffered (as governed by the PDSEBUFSIZE parameter). In this case, the IDRDATA written to the CKFREEZE will be incomplete for the indicated member. Any other value of problem description indicates an unknown layout of the program object, in which case all IDRDATA information for this member will be missing from the CKFREEZE. Severity: 04 Severity: 08 CKF274I CKF270I PDSE processing requires BPAM Explanation: NOBSAMBPAM has been specified in the PARM string, specifying that the program should not use BPAM. However, checksum processing and IDR processing for PDSEs require BPAM. This processing will be skipped for all PDSEs. Explanation: The indicated program object does not actually contain anything in binder class B_TEXT. Checksum processing is completed really fast for this member. This informational message is issued only if the INFO option was selected. Severity: 00 Severity: 08 CKF271I ddname volser dsname(member) has code size 0 NOBSAMBPAM only valid in PARM string Explanation: This message indicates that the NOBSAMBPAM parameter does not work unless present in the parameter string. CKF275I PDSE buffer size decnum must lie between 1 and 1024 Explanation: The PDSEBUFSIZE parameter accepts only values in the range of 1 to 1024, inclusive. Severity: 16 Severity: 16 CKF276I CKF272I RACSTAT unexpected RC. CLASS='class' SAFRC=safrc RACFRC=racfrc RSNCODE=rsn Explanation: While retrieving the dynamic class descriptor table from the system using RACROUTE REQUEST=STAT calls, the program received a return code indicating an error. zSecure Collect will stop processing the dynamic CDT. To determine the cause of the error, you can look up the return codes in the Security Server RACF RACROUTE Macro Reference. Note that if the error occurs halfway through processing the CDT (class will be other than all blanks) zSecure Collect will store part of the CDT in the CKFREEZE file. This partial dynamic CDT will be used by zSecure Admin and Audit. If the error happens before any class setting is returned (which is more probable) zSecure Collect does not store the dynamic CDT at all. In that case, zSecure Admin and Audit will use the static CDT for processing. CKFREEZE file could not be opened Explanation: The program failed to open the CKFREEZE file. Verify that a CKFREEZE DD statement is present, and that the allocation parameters are correct. Severity: 12 CKF277I Device dev volser does not respond within nn seconds during CCW opcode Explanation: This message indicates that a missing interrupt was detected for I/O of the indicated type. If this was the first I/O (SenseId) to the device during an APF authorized run, no attempt will be made to dynamically allocate the volume with SVC 99, and the run will continue without hanging. If the run was not APF authorized, or if this was not the SenseId I/O, then the run may hang in subsequent processing performed by the operating system. Severity: 08 Severity: 04 Chapter 2. CKF Messages 31 CKF278I • CKF288I CKF278I Device dev volser has stopped responding within nn seconds on ddname during CCW opcode Explanation: This message indicates that a missing interrupt was detected for a track read of an already open data set. The run will attempt to recover, but probably the data set close will hang as well. Severity: 08 CKF279A Respond 'U' to terminate hang test on volume VOLUME Explanation: This WTOR on the operator console indicates that the DEBUGHANGVOLUME parameter was used to test error recovery behavior. CKF280I Unexpected returncode rc in IFAEDLIS call, no enable information dumped. Explanation: No information on the enablement of products and features on this system could be collected because the call to the IFAEDLIS service failed. The return codes are documented on your MVS system in macro IFAEDIDF. CKF284I Explanation: This message explains that zSecure Collect does not collect auditing information specifically requested by any of the TCIM* FOCUS specifications for a user unless this is specifically allowed by a security resource. To be able to check the resource, a profile must be defined that covers the resource. The check for CKF.TCIM is not be done if an AUDIT* focus is also specified or implied. Severity: 12 CKF285I ACF2 resident resource rules are not processed. Explanation: Since the program is not running APF, it cannot access information in fetch protected storage. Severity: 00 CKF282I Resource profile must be present to use FOCUS=ALERT - CLASS CKF.ALERT Resource profile does not permit use of FOCUS=TCIM* - class CKF.TCIM Explanation: This message indicates that the user has insufficient authority on the indicated recourse (SAF return code 8). The check for CKF.TCIM is not done if an AUDIT* focus is also specified or implied. In that case, a permit on CKF.AUDIT is also sufficient. Severity: 12 CKF286I Severity: 08 CKF281I Resource profile must be present to use FOCUS=TCIM* - class CKF.TCIM Resource profile must be present to use FOCUS=VISUAL - class CKF.VISUAL Explanation: This message explains that zSecure Collect will refuse to collect auditing information specifically requested by FOCUS=VISUAL for a user unless this is specifically allowed by a security resource. To be able to check the resource, a profile must be defined that covers the resource. The check for CKF.VISUAL will not be done if FOCUS=ADMINRACF is also specified or implied. Severity: 12 CKF287I Resource profile does not permit use of FOCUS=VISUAL - class CKF.VISUAL Explanation: This message explains that zSecure Collect will refuse to collect auditing information specifically requested by any of the ALERT* FOCUS specifications for a user unless this is specifically allowed by a security resource. To be able to check the resource, a profile must be defined that covers the resource. The check for CKF.ALERT will not be done if an AUDIT* focus is also specified or implied. Explanation: This message indicates that the user has insufficient authority on the indicated resource (SAF return code 8). The check for CKF.VISUAL will not be done if FOCUS=ADMINRACF is also specified or implied. In that case a permit on CKF.ADMIN is also sufficient. Severity: 12 Severity: 12 CKF283I Resource profile does not permit use of FOCUS=ALERT - class CKF.ALERT Explanation: This message indicates that the user has insufficient authority on the indicated resource (SAF return code 8). The check for CKF.ALERT will not be done if an AUDIT* is also specified or implied. In that case a permit on CKF.AUDIT is also sufficient. Severity: 12 CKF288I Explanation: This message indicates that the STORAGEGC parameter does not work unless present in the parameter string. Operator response: When specifying the STORAGEGC parameter, include the ALLOCATE command in the PARM= parameter in the batch JCL. Severity: 16 32 Messages Guide STORAGEGC only valid in PARM string CKF289I • CKF297I CKF289I Entry point address not in extent for control block module[/module] Explanation: When examining an LPDE or CDE control block describing the indicated in-storage module, it was found that the module's entry point is outside the storage range where the module allegedly resides. This condition is most likely a by-product of front-ending. Since in this situation there is no way to determine where the module resides, the information regarding this routine that is written to the CKFREEZE will be incomplete. CKF294I Symbol symbol was unknown, treated as empty. [ IF result: result ] Explanation: The tested symbol could not be found in the Static System Symbol table, nor was it SMFID. For the purposes of resolving the IF statement, it is considered to contain an empty string. The IF statement evaluated to result (either true or false). When syntax or entitlement errors have been found earlier in the run, the latter part of the message is not shown, since the correct evaluation of the IF cannot be guaranteed. Severity: 00 Severity: 04 CKF295I CKF290I LICENSE must precede FOCUS and licensed parameters Explanation: This message indicates that a specification of the LICENSE data set name must precede any use of a licensed parameter or the FOCUS keyword. Note that this keyword is now deprecated and no longer functional. Severity: 12 CKF291I SERIALIZATION options option1 and option2 are mutually exclusive Explanation: You cannot both WAIT and FAIL if the ENQ request cannot be immediately satisfied. Neither can you request that the program issue an ENQ and not issue an ENQ (NOENQ) at the same time. Severity: 16 CKF292I Unsupported value nn for MAXWAIT: not in the range 1..59 Explanation: SERIALIZATION=(MAXWAIT) supports only values in the range of 1 through 59, inclusive. Severity: 16 CKF293I Program not authorized. Disabled APF serialization options UNIT, VOLSER, ENQ(SYSDSN), and MAXWAIT Explanation: SERIALIZATION was specified with at least one of the following parameters: UNIT, VOLSER, ENQ(SYSDSN), or MAXWAIT. Having dynamic allocation wait until the unit or volser becomes available requires APF authorization. The same is true for requesting an ENQ on QNAME SYSDSN, and for specifying a maximum time to wait until the ENQ request can be specified. Because the program lacks this authorization, it will not wait for units or volsers, will not request ENQs on SYSDSN, and will ignore the specified value for MAXWAIT. Severity: 04 IF statements might not evaluate correctly Explanation: This message is preceded by a CKF000I message, indicating an error addressing the symt control block (Static System Symbol table). This table could not be read completely. IF statements in the input might not be correctly resolved. If this error occurs consistently, contact IBM Software Support. This error is only issued when IF statements are present in the input, and can be suppressed. Severity: 08 CKF296I Symbol symbol resolved to "value". IF result: result Explanation: The tested symbol was found to have value value. The IF statement evaluated to result (either true or false). This message is not issued if syntax or entitlement errors have been found earlier in the run, since the correct evaluation of the IF cannot be guaranteed. Severity: 00 CKF297I Number of allocations: static sss dynamic nnn, freed fff, max allowed mmm due to TIOT SIZE(ss) Explanation: This message indicates how many static DDName allocations were present, how many SVC 99 calls were made for dynamic allocations, and how many files were freed individually to make room because the maximum was about to be reached. The maximum is determined by the TIOT SIZE() parameter in PARMLIB member ALLOCxx (this determines the physical number of bytes available for DDnames, it varies depending on the number of (candidate) volsers per DDname), and to a much lesser extent by the actual DYNAMNBR which determines how many unused files may be around. zSecure Collect always deallocates files it frees, so that it does not create additional not-in-use DDnames. The relation between TIOT SIZE and the number of DDnames is approximately as follows: v SIZE(16) means 819 ddnames v SIZE(32) means 1635 ddnames Chapter 2. CKF Messages 33 CKF298I • CKF307I v SIZE(64) means 3273 ddnames For more details on TIOT SIZE, see the ALLOCxx parmlib member in the z/OS MVS Initialization and Tuning Reference. Severity: 00 CKF298I Need DDname slot, [premature free of ddname [vol] dsn | nothing to free] Explanation: This message warns of imminent problems because of unsufficient TIOT size. If the message indicates that a file was deallocated (premature free of ddname [vol]), then it would have been better to leave the file allocated (because of performance and because of serialization with another program, such as DFHSM). If the message indicates "nothing to free," this run or subsequent runs of zSecure Collect might easily fail (the headroom is less than 10 files) with a message like IKJ56866I FILE ddname ALLOCATED NOT DATA SET, CONCURRENT ALLOCATIONS EXCEEDED. Find message 297 at the end of the SYSPRINT for the overall picture. Severity: 04 CKF299I Need DDname slot, freeing ddname Explanation: This message is issued in response to an INFO request and reflects normal reuse of a DD name (TIOT) slot. Severity: 04 Messages from 300 to 399 CKF300I BPX1GMN failed rc=hexrc reason=reason Explanation: This message indicates that an error occurred during the execution of BPX1GMN. The reason code consists of two halfwords. The first is the reason code qualifier, the second the reason code as described in the UNIX System Services Messages and Codes manual. Severity: 08 CKF301I BPX1OPD failed rc=hexrc reason=reason for 'path' depth depth Explanation: This message indicates that an error occurred during the execution of BPX1OPD. The reason code consists of two halfwords. The first is the reason code qualifier, the second the reason code as described in the UNIX System Services Messages and Codes manual. Severity: 08 CKF302I BPX1RD2 failed rc=hexrc reason=reason path 'path' Explanation: This message indicates that an error occurred during the execution of BPX1RD2. The reason code consists of two halfwords. The first is the reason code qualifier, the second the reason code as described in the UNIX System Services Messages and Codes manual. For debugging purposes a hex dump of the UIO control block is printed. This area is mapped by the BPXYFUIO macro, and described in the UNIX System Services Assembler Callable Services manual. Severity: 08 CKF303I Severity: 08 CKF304I BPX1CHD failed rc=hexrc reason=reason for .. before path Explanation: This message indicates that an error occurred during the execution of BPX1CHD. The reason code consists of two halfwords. The first is the reason code qualifier, the second the reason code as described in the UNIX System Services Messages and Codes manual. Severity: 08 CKF305I BPX1CHD failed rc=hexrc reason=reason for 'path' depth depth Explanation: This message indicates that an error occurred during the execution of BPX1CHD. The reason code consists of two halfwords. The first is the reason code qualifier, the second the reason code as described in the UNIX System Services Messages and Codes manual. Severity: 08 CKF306I Unexpected current depth depth for dirdepth 'path' Explanation: This message indicates that the directory mentioned, at nesting level dirdepth was scheduled to be read. However, the current nesting level is different from the one needed. Contact IBM Software Support. Severity: 08 BPX1CLD failed rc=hexrc reason=reason path 'path' Explanation: This message indicates that an error occurred during the execution of BPX1CLD. The reason 34 code consists of two halfwords. The first is the reason code qualifier, the second the reason code as described in the UNIX System Services Messages and Codes manual. Messages Guide CKF307I Number of Unix directory entries copied: nn from nn directories in nn file systems CKF308I • CKF319I Explanation: This message, shown if UNIX=Y was specified or implied, shows the number of Unix directories read and dumped by zSecure Collect. Severity: 00 CKF308I OMVS is inactive CKF313I Explanation: This informational message indicates that an extra mountpoint control block is needed for the reading of the contents of the target directory on device. It is issued only if the INFO option was selected. Explanation: This informational message indicates that UNIX System Services is not active on this system. Severity: 00 Severity: 00 CKF314I CKF309I BPX1RDX failed rc=hexrc reason=reason on 'path' Explanation: This message indicates that an error occurred during the execution of BPX1RDX. The reason code consists of two halfwords. The first is the reason code qualifier, the second the reason code as described in the UNIX System Services Messages and Codes manual. Severity: 08 CKF310I BPX1RDL failed rc=hexrc reason=reason on 'path' Explanation: This message indicates that an error occurred during the execution of BPX1RDL. The reason code consists of two halfwords. The first is the reason code qualifier, the second the reason code as described in the UNIX System Services Messages and Codes manual. Severity: 08 CKF311I BPX1GMN failed retval=retval rc=rc reason=reason for device number Explanation: This message indicates that an error occurred during the execution of BPX1GMN for the indicated device. The reason code consists of two halfwords; the first is the reason code qualifier, the second the reason code. The return code and reason code together describe the problem that occurred and are documented in the UNIX System Services Messages and Codes manual. CKF312I Symlink crosses automount point 'mountpoint' for 'target': Explanation: This informational message indicates that while processing the symlink to target, an automountpoint was passed. This message is issued only if the INFO option is selected. Severity: 00 DIRSRCH (x) not allowed on directory 'target' Explanation: zSecure Collect was not allowed to search the target directory. No information on the contents of this directory will be dumped. Severity: 00 CKF315I OPENDIR (r) not allowed on directory 'target' Explanation: zSecure Collect was not allowed to open the target directory. No information on the contents of this directory will be dumped. Severity: 00 CKF316I type abend xxx-nn (explanation) during Unix processing Explanation: This message indicates that a nonrecoverable abend occurred during Unix processing. The Unix File System information might not be complete. For information on the common abend codes, see the zSecure Collect documentation in the user reference manual for your zSecure product. Severity: 08 CKF317I Internal error: no MNTP for 'directory' Explanation: Contact IBM Software Support. Severity: 24 CKF318I Severity: 08 Extra MNTE needed for device device of 'target' CATALOG OBTAIN return code hex rc probably failed automount of 'target' Explanation: An error occurred during the CATALOG OBTAIN for the target directory. No information on the contents of this directory will be dumped. Severity: 00 CKF319I Automount attempted for 'target' Explanation: This informational message indicates that an automount for the directory mentioned will be attempted. It is issued only if the INFO option was selected. Severity: 00 Chapter 2. CKF Messages 35 CKF320I • CKF330I CKF320I type abend xxx-nn (explanation) during geteuid - unable to perform UNIX=Y processing Explanation: This message indicates that a nonrecoverable abend occurred during geteuid processing. No Unix File System information will be dumped. For information about the common abend codes, see the zSecure Collect documentation in the user reference manual for your zSecure product. Switched to effective UID 0 Explanation: This informational message indicates that a seteuid 0 call was successful. It is issued only if the INFO option was selected. CKF322I Switched to effective UID uid Explanation: This informational message indicates that a seteuid uid call was successful. It is issued only if the INFO option was selected. Severity: 00 CKF323I Severity: 00 Severity: 00 Explanation: This message indicates that an error occurred during the execution of the seteuid 0 command. The reason code consists of two halfwords. The first is the reason code qualifier, the second the reason code as described in the UNIX System Services Messages and Codes manual. UNIX information will be dumped only partially. Severity: 00 Seteuid uid failed rc=hexrc reason=reason Explanation: This message indicates that an error occurred during the execution of the seteuid uid command. This can mean that zSecure Collect will continue running under an effective UID of 0. The reason code consists of two halfwords. The first is the reason code qualifier, the second the reason code as described in the UNIX System Services Messages and Codes manual. Severity: 08 CKF325I AUTOMOUNT=N and directory not mounted 'target' Explanation: This informational message indicates that contents of directory target will not be dumped because the directory is not mounted and AUTOMOUNT=NO was specified. Severity: 00 36 Messages Guide Postpone dir device device for 'target' Explanation: This informational message indicates that the reading of the target directory on device is postponed. It is issued only if the INFO option was selected. Severity: 00 CKF330I Severity: 04 CKF324I Start on DIRP path depth depth Explanation: This informational message indicates that zSecure Collect starts reading the mentioned directory at nesting level depth. It is issued only if the INFO option was selected. CKF329I Seteuid 0 failed rc=hexrc reason=reason Schedule link DIRP target Explanation: This informational message indicates that the directory specified in target is scheduled to be read. It is issued only if the DEBUG option was enabled. CKF328I Severity: 00 Schedule MNTE device number DIRP path Explanation: This informational message indicates that the directory mounted on the indicated path is scheduled to be read. It is issued only if the INFO option was selected. CKF327I Severity: 08 CKF321I CKF326I type abend xxx-nn (explanation) during LOAD of exit exit from device volume ddname Explanation: This message indicates that a nonrecoverable abend occurred during a LOAD of the indicated exit. For information about the common abend codes, see the zSecure Collect documentation in the user reference manual for your zSecure product. Severity: 08 CKF330I type abend xxx-nn (explanation) returned by LOAD of exit exit from device Explanation: This message indicates that the LOAD of exit has recovered from an abend. For information about the common abend codes, see the zSecure Collect documentation in the user reference manual for your zSecure product. Severity: 08 CKF331I • CKF340I CKF331I type abend xxx-nn (explanation) during DELETE of exit exit from device volume ddname Explanation: This message indicates that a nonrecoverable abend occurred during a DELETE of the indicated exit. For information about the common abend codes, see the zSecure Collect documentation in the user reference manual for your zSecure product. Severity: 08 CKF336I Unexpected DESERV return_code_description reason_code_description Explanation: A call to Directory Entry Services returned the indicated unexpected error. All checksum and IDR processing for the offending PDSE is skipped. Specify the INFO option to capture enough information in SYSPRINT to determine which PDSE caused the problem. Severity: 08 CKF332I BPX1PCT: List aggregates failed. RC=rc reason=reason Explanation: This message indicates that an error occurred during the execution of the BPX1PCT "List Attached Aggregate Names" function. This is not necessarily wrong. This message can for instance also be generated on systems that do not have the zFS file system running. The reason code given consists of two half words. The first is the reason code qualifier. The second is the reason code as described in the UNIX System Services Messages and Codes manual. Severity: 04 CKF337I Task is not APF authorized, but APF authorization needed Explanation: This message alerts you to the fact that the program could not obtain authorization while the APF keyword was specified, indicating that authorization is considered essential. The resulting CKFREEZE only contains a zSecure Collect identification record. For additional information, see the section Authorized or unauthorized? in the zSecure Collect documentation available in the user reference manual for your zSecure product. Severity: 12 CKF333I BPX1PCT: List aggregate status failed. RC=rc reason=reason Explanation: This message indicates that an error occurred during the execution of the BPX1PCT "List Aggregate Status" function. The reason code given consists of two halfwords. The first is the reason code qualifier. The second is the reason code as described in the UNIX System Services Messages and Codes manual. CKF338I Number of UNIX ACL records copied: num access ACLs, num directory default ACLs, num file default ACLs Explanation: This message, shown if UNIXACL=Y was specified or implied, shows the number of UNIX ACL records dumped by zSecure Collect. Severity: 00 Severity: 08 CKF339I CKF334I BPX1PCT: List file systems failed. RC=rc reason=reason BPX1PIO failed rc=hexrc reason=reason for type type on 'path' Explanation: This message indicates that an error occurred during the execution of the BPX1PCT "List File System Names" function. The reason code given consists of two halfwords. The first is the reason code qualifier. The second is the reason code as described in the UNIX System Services Messages and Codes manual. Explanation: This messages indicates that an error occurred during the execution of BPX1PIO. The reason code consists of two halfwords. The first is the reason code qualifier, the second the reason code as described in the UNIX System Services Messages and Codes manual. The type shown can be 1 for an access ACL, 2 for a file model ACL or 3 for a directory model ACL. Severity: 08 Severity: 08 CKF335I BPX1PCT: List file system status failed. RC=rc reason=reason Explanation: This message indicates that an error occurred during the execution of the BPX1PCT "List File System Status" function. The reason code given consists of two halfwords. The first is the reason code qualifier. The second is the reason code as described in the UNIX System Services Messages and Codes manual. CKF340I DIRP for MNTP device device mountpoint Explanation: This informational message indicates that the directory on the mountpoint and device mentioned will be read. It is issued only if the INFO option was selected. Severity: 00 Severity: 08 Chapter 2. CKF Messages 37 CKF341I • CKF351I CKF341I Empty pathname MNTE for device device FS name file_system_name Explanation: This message indicates that the w_getmntent (BPX1GMN) service returned an empty pathname (MNTENTMOUNTPOINT). This can occur if the user running zSecure Collect lacks search authorization to one or more of the directories in the mount point, or if the file system is mounted asynchronously. A mount point entry is written, but the device is not processed further. A UNIX mount report generated from the resulting CKFREEZE will show the mount point empty for the reported file system. A UNIX file report does not show the file system at all. Severity: 04 CKF342I Schedule DIRP target depth depth Explanation: This informational message indicates that the target directory mentioned at nesting level depth is scheduled to be read. It is issued only if the INFO option was selected. CKF347I Explanation: This message indicates that a second device device2 is mounted at the same mount point as an earlier device device1. The second device for the indicated file system is not processed. zSecure Audit may flag this condition again with message CKR1064. Severity: 08 CKF348I Successful cd .. to depth depth Explanation: This informational message indicates that a successful directory switch upwards to nesting level depth has been done. It is issued only if the INFO option was selected. Duplicate MNTE for device device mountpoint mountpoint Explanation: This message indicates that the mount entry for the indicated device was found twice. It is processed only once. zSecure Audit may flag this condition again with message CKR1064. Severity: 04 CKF349I Severity: 00 CKF343I Duplicate pathname MNTE devices device1 and device2 FS name file_system_name mountpoint mountpoint BPX1LST failed rc=hexrc reason=reason for 'pathname' depth depth Explanation: The lstat() call for the indicated pathname failed. The reason code consists of two halfwords. The first is the reason code qualifier, the second the reason code as described in the UNIX System Services Message and Codes manual. The directory is not processed. Severity: 08 Severity: 00 CKF350I CKF344I Successful cd target depth depth Explanation: This informational message indicates that a successful directory switch to target on nesting level depth has been done. It is issued only if the INFO option was selected. Severity: 00 CKF345I Success opendir 'target' Explanation: This informational message indicates that a successful directory open on target was performed. It is issued only if the INFO option was selected. Explanation: The lstat() call for the indicated mount point returned another device number than was seen when the file system dump was scheduled. This is not properly supported. The zSecure report will show the old device number and mount information that was associated with the old device number, together with the files associated with the new device number. If this is a recurring problem, contact IBM Software Support. Severity: 08 CKF351I Severity: 00 CKF346I Perform closedir 'target' Explanation: This informational message indicates that a close on the target directory will be performed. It is issued only if the INFO option was selected. Severity: 00 Messages Guide Device number dev assigned to 'mountpoint' Explanation: This informational message indicates that a mount point was encountered that was not present in the mount point table at the start of the zSecure Collect run, and was not seen in its parent directory either. This typically happens when a symlink crosses an automount point into an unmounted directory. This message is only issued if the INFO option was selected. Severity: 00 38 Device number olddev changed to newdev during run for 'mountpoint' CKF352I • CKF362I CKF352I The ZFS file system has not been started. Explanation: This message indicates that no valid ZFS system was found. Therefore, no data on ZFS file systems and aggregates is dumped. Severity: 00 CKF353I PC LPA not in common storage, but at address target ASID address space ID Explanation: The Latent Parameter Address passed to a PC (Program Call) routine is not in common storage. The value of the Latent Parameter will not be dumped. Severity: 00 CKF354I type abend xxx-nn (explanation) during WRTAGGR processing Explanation: This message indicates that a nonrecoverable abend occurred during ZFS Aggregate processing. Information on ZFS Aggregates might not be complete. For information about the common abend codes, see the zSecure Collect documentation in the user reference manual for your zSecure product. Severity: 08 CKF355I BPX1PIO returned a returnedtype ACL corrected to a requestedtype ACL Explanation: The ACL returned by the w_pioctl service (BPX1PIO) did not match the requested ACL type. This might, for example, occur if your z/OS image does not have the service for IBM APAR OW57201 applied. zSecure Collect attempts to correct this error by setting the ACL type to the requested type in the record before writing it to the CKFREEZE file. This may prevent zSecure from issuing CKR1761. The types shown can be access, fdefault, or default for an access ACL, file model ACL or directory model ACL, respectively. Severity: 04 CKF356I No READ access to data set volser dsn Explanation: This message indicates that the user does not have read access to the indicated non-VSAM data set, and hence it will be skipped for processing. Severity: 04 CKF357I Task terminating due to EXIT request Explanation: During input parsing an EXIT statement was read. The program terminates with the return code specified on the EXIT statement. This message has a severity equal to the value specified in the RC parameter of the EXIT statement. Severity: variable CKF358I RC should be a number between 0 and 99 Explanation: The RC keyword of the EXIT command was specified, but did not fall in the supported range. Numbers below zero and above 99 are not supported. Severity: 16 CKF359I Unable to dump master catalog, see other messages Explanation: The program terminates without having dumped the master catalog as requested. For the cause, look back for DAIRFAIL messages, for instance IKJ56866I FILE ddname ALLOCATED NOT DATA SET, CONCURRENT ALLOCATIONS EXCEEDED. Also look for CKF297I at the bottom to see if the number of DDnames might be the problem. Occurrence of CKF298I may also point to a TIOT size problem. Severity: 08 CKF360I Slowdown mode invoked because of RLS for volume dsname Explanation: Normal VSAM processing was used instead of faster EXCP processing for the specified VSAM cluster because it has Record Level Sharing (RLS). Severity: 00 CKF361I Signature verification action for volser dsn(mem) Explanation: Signature verification was requested by the SIGVER=YES parameter and the module named in the library either failed verification (action=fails) or passed verification (action=success). User response: If the verification failed, look for operator messages ICH44x or run a newlist type=smf report and select on type=80, event=86(1:7) to obtain additional information about the failure. Some possible causes for failure are: v The module has a bad signature. v The module has no signature but the RACF profile for the program requires a signature. v The module has a valid signature but the certificate chain is not valid. Severity: 00 CKF362I SIGVER=YES is invalid on a system that does not support signature verification Explanation: Signature verification, requested by the SIGVER=YES parameter, cannot be performed on the Chapter 2. CKF Messages 39 CKF372I • CKF384I current system because the system on which CKFCOLL is running does not support signature verification. Severity: 00 User response: Remove the SIGVER=YES parameter and rerun the CKFCOLL job. CKF379I Severity: 12 Explanation: This message indicates a failure to locate data set names matching the indicated prefix in the catalog; an abend was encountered. This CHECK statement will be ignored. If you think the program should have found data sets, contact IBM Software Support. CKF372I Running an unsupported version vv.rr.mm of z/OS, results are unpredictable - please upgrade Explanation: This message indicates that zSecure is being run on an operating system level that it is not supported on. The results are unpredictable. Upgrade zSecure to the proper version. Severity: 12 CKF380I Severity: 04 CKF375I Unexpected IEFPRMLB result, RC hexrc RSN hexreason Explanation: The IEFPRMLB service unexpectedly returned the indicated return and reason codes. This can result in missing information about parmlib concatenations activated after IPL. Contact IBM Software Support. Parmlib data set dsname not found on volume volume Explanation: The parmlib data set indicated was not found on the volume where it was expected. No attempt is made to restore it, and further processing for this data set is skipped. Severity: 04 CKF377I Exactly one DD/DDPREF/DSN/ DSNPREF keyword should be specified Explanation: A CHECK= statement was read, which did not specify YES/NO, and did not contain a single keyword DD, DDPREF, DSN or DSNPREF. Fix your command parameters, and retry the job. Severity: 12 CKF378I TCP/IP stack configuration data cannot be collected on OS_level Explanation: zSecure Collect can only collect TCP/IP stack configuration data for systems running z/OS V1R11 or higher. User response: If you are running zSecure on a z/OS system that is V1R10 or lower, you can prevent this message by making sure that the zSecure Collect TCPIP parameter is set to NO in the zSecure Collect invocation. For information about setting this parameter, see "zSecure Collect for z/OS" in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual. 40 Messages Guide Unexpected return code nn dec during LISTCAT of DSNPREF=dsnpref Explanation: : This message indicates a failure to locate data set names matching the indicated prefix in the catalog. This CHECK statement will be ignored. If you think the program should have found data sets, contact IBM Software Support. Severity: 12 CKF381I Severity: 08 CKF376I Unexpected abend during LISTCAT of DSNPREF=dsnpref No matching data sets for CHECK statement Explanation: No data sets were found that matched the statement indicated. If you think the program should have found data sets, contact IBM Software Support. Severity: 08 CKF382I DD/DDPREF do not support DSORG= Explanation: Additional DSORG selection is not supported in combination with the DD and DDPREF keywords on the CHECK statement. Fix your command parameters, and retry the job. Severity: 12 CKF383I DD ddname concatenations with tape data sets are not supported Explanation: The ddname indicated is a concatenation that contains at least one tape data set. This is not supported. Split the concatenation in such a way that each DD statement contains either a concatenation of DASD data sets, or a single tape data set, and retry the job. Severity: 12 CKF384I DD ddname checksum of a single member is not supported Explanation: The indicated ddname contains the allocation of a single member of a PDS(E). This is not supported. Remove the member specification from the allocation statement, and retry the job. A checksum will CKF385I • CKF395I be computed for all members of the PDS(E) and as well as for the data set in its entirety. CKF390I Severity: 12 CKF385I Using SAF class class for resource checks Explanation: The resource class indicated is the one previously configured in the Site module, see Appendix A: The Site module in IBM Security zSecure CARLa-Driven Components: Installation and Deployment Guide. Explanation: This message indicates failure to disconnect from a successfully connected SMF log stream. Contact IBM Software Support. Severity: 04 CKF391I Severity: 00 CKF386I IFAQUERY return area too small. Omitted nnn log stream records. Explanation: Even after passing the required length in a second call, there is still not sufficient space to store the SMF log stream data. Contact IBM Software Support. Unexpected IXGCONN disconnect RC xxxxxxxx hex reason yyyyyyyy hex for stream name type abend code-reason (explanation) during IXGCONN connect for stream name Explanation: This message indicates failure to connect to an SMF log stream. Data set names backing this log stream will be missing from sensitive data and trust analysis reports. Contact IBM Software Support if you cannot resolve the abend. Severity: 08 Severity: 08 CKF392I CKF387I Unexpected return code from IFAQUERY. SMF log stream information is not collected. rc=hhhhhhhhhhh hex rsn=hhhhhhhhhhh hex Explanation: Failure to obtain SMF log stream data. Contact IBM Software Support. Explanation: This message indicates the log stream data set name format is not recognized and hence not further analyzed. Data set names backing this log stream will be missing from sensitive data and trust analysis reports. Contact IBM Software Support. Severity: 08 Severity: 12 CKF388I Unexpected log stream DSN format dsname for stream name Unexpected IXGQUERY RC xxxxxxxx hex reason yyyyyyyy hex; data sets will be missing for stream name. Explanation: This message indicates failure to obtain information from a successfully connected SMF log stream. Data set names backing this log stream will be missing from sensitive data and trust analysis reports. Please contact IBM Software Support. CKF393I Unexpected RC nn dec during LISTCAT of "level" for stream name Explanation: This message indicates a failure trying to find any VSAM cluster names for log stream data sets. Data set names backing this log stream will be missing from sensitive data and trust analysis reports. Contact IBM Software Support. Severity: 08 Severity: 08 CKF394I CKF389I Unexpected IXGQUERY RC xxxxxxxx hex reason yyyyyyyy hex; data sets will be missing for stream name. Explanation: This message indicates failure to obtain information from a successfully connected SMF log stream. Data set names backing this log stream will be missing from sensitive data and trust analysis reports. Please contact IBM Software Support. Severity: 08 type abend code-reason (explanation) during LISTCAT of "level" for stream name Explanation: This message indicates a failure while trying to find VSAM cluster names for log stream data sets. Data set names backing this log stream will be missing from sensitive data and trust analysis reports. Contact IBM Software Support if you cannot resolve the abend. Severity: 08 CKF395I An unexpected return code was received from IEFSSREQ SSI=54. Subsys=jjjj, R15=nn, SSOBRETN=ss. Explanation: An IEFSSREQ request type 54 for subsystem jjjj ended with nn for Register 15 and ss for Chapter 2. CKF Messages 41 CKF399I • CKF541I the SSOBRETN field, where: v jjjj is the name of the subsystem that is queried. v nn is the value of R15 returned from IEFSSREQ. v ss is the value of the SSOBRETN field returned by IEFSSREQ. If this error occurs, a record containing the results of the IEFSSREQ SSI=54 has not been written to the CKFREEZE data set. If you are running z/OS version 1.8 or later, this error can also result in additional errors related to JES2 exit processing. In order to process these exits, the zSecure Collect program CKFCOLL must know whether JES2 dynamic exits are supported. Normally, the call to IEFSSREQ returns information about the JES2 level which is used to determine whether the JES2 dynamic exits are supported. If this information is not returned, CKFCOLL might not be able to determine whether JES2 dynamic exits are supported and so might produce errors when processing the exits. User response: This error might be caused by running zSecure on an operating system that is not supported, or by recent maintenance to that operating system that might have affected the IEFSSREQ service. For further information about the error, see the documented return code values for IEFSSREQ and SSOBRETN in z/OS MVS Using the Subsystem Interface SA38-0679. If you cannot resolve the problem, contact IBM Customer Support. Severity: 08 CKF399I Could not action amount of storage to read TCP/IP stack name configuration Explanation: If action=obtain, zSecure Collect does not have enough storage available to read the configuration data of TCP/IP stack name. Allocate a larger region for the zSecure Collect run to avoid this problem. If action=release, zSecure could not release the storage used to read the TCP/IP stack. An internal processing problem might have occurred. Severity: 08 Messages from 400 to 599 CKF4xxI message 3. Click Communications server. Explanation: These messages are issued as the result of debugging commands that are not described in this manual. 4. Expand IP Sockets Application Programming Interface Guide and Reference > Appendixes > Appendix B. socket call error return codes > Additional return codes. Severity: 00 5. Click Sockets extended ERRNOs. CKF500I 6. Locate the explanation for the corresponding decimal value in the list of error codes. INDD, OUTDD, and ERRDD only valid in PARM string type "value" at ddname line number Explanation: The INDD, OUTDD, and ERRDD parameters can be used only as calling parameters (the PARM keyword in JCL), and cannot be used as commands in an input file. You can also look up the error codes in the Communications Server IP Sockets Application Programming Interface Guide and Reference (SC27-3660). Severity: 08 CKF540I Severity: 16 Address space data not collected for swapped ASID asid jobname Explanation: This message is triggered by a failure at the EZASMI call with function GETIBMOPT, where xxxxxxxx is the return code and the yyyyyyyy indicates the error number. Explanation: This message is issued if the indicated address space is swapped out and data from the address space cannot be obtained. The information from this address space is missing from the CKFREEZE data set. zSecure reports created using this CKFREEZE data set might be incomplete. This especially applies if the indicated address space is running (sub)system-type tasks. User response: Complete these steps: Severity: 04 1. Convert the hexadecimal value that is supplied as the ERRNO return code from hexadecimal format to decimal format. For example, hexadecimal value ERRNO=000027EA converts to decimal value 10218. CKF541I 2. Go to the z/OS information center for your version of z/OS. Explanation: This diagnostic message is issued if a failure occurs during an OPEN of the data sets CKF501I 42 TCP/IP stack images cannot be retrieved. GETIBMOPT: RC=xxxxxxxx ERRNO:yyyyyyyy Messages Guide OPEN ERROR abend code for DDNAME CKFDS001 CKF542I • CKF550I obtained from the STEPLIB of the MQ QMGR region. These data sets are used for preloading required connection modules. The program continues, but might fail later. User response: Inspect the abend code for indications about the cause of the error. Severity: 08 CKF542I Could not connect to MQ QMGR because not authorized to access: QMGR-name Explanation: The user running the CKFCOLL program does not have sufficient authorizations to connect to the indicated QMGR. This is usually controlled by profile QMGR-name.BATCH in the MQCONN resource class. User response: Ensure that the user running CKFCOLL has the required authorizations. Severity: 08 CKF543I Could not connect to MQ QMGR because connection modules not available: QMGR-name Explanation: During setup of the connection to the MQ QMGR, several modules are dynamically loaded from STEPLIB or linklist. The required modules could not be located. The program continues with the next MQ region. CKF546I Explanation: During setup of the connection to the MQ QMGR, several modules are dynamically loaded from STEPLIB or linklist. The CKFCOLL program attempts to preload these modules from the STEPLIB of the MQ QMGR region. Preloading failed for the indicated module. The program continues, but might fail later if the module cannot be located using some other means. Severity: 08 CKF547I Could not connect to MQ QMGR because QMGR not available for connection: QMGR-name Explanation: During setup of the connection to the MQ QMGR, MQ reported that the QMGR is not available. This is probably due to a failure to complete initialization of the QMGR, for example, because it is waiting for the DB2 subsystem for its queue-sharing group. The program continues with the next MQ region. Severity: 08 MQ QMGR QMGR-name does not have steplibs. No modules preloaded. Explanation: During setup of the connection to the MQ QMGR, several modules are dynamically loaded from STEPLIB or linklist. The CKFCOLL program attempts to preload these modules from the STEPLIB of the MQ QMGR region. Because the indicated QMGR region does not have a STEPLIB DD-statement, preloading is not attempted. The program continues, but might fail later if the connection modules cannot be located later. Severity: 0 CKF548I Severity: 08 CKF544I Error preloading module-name for MQ QMGR QMGR-name CKFWMQ will use the following steplibs for MQ QMGR QMGR-name Steplib data sets used: DSN=QMGR-steplib-datasetname Explanation: This diagnostic message is issued either because DEBUG was requested, or because the preloading of required modules failed. Severity: 0 CKF549I MQ QMGR steplib allocation error. QMGR-name Explanation: An error occurred during allocation of the data sets currently allocated to the STEPLIB ddname of the indicated QMGR. Inspect accompanying messages to analyze the cause of the failure. Severity: 08 CKF545I Could not connect to MQ QMGR QMGR-name, RC=retcode-reascode Explanation: The CKFCOLL program could not connect to the indicated QMGR. The program continues with the next MQ region. User response: Check the hexadecimal reason code for additional information. Reason codes can be found in WebSphere MQ for z/OS: Messages and Codes. CKF550I The MQ information is requested for QMGR QMGR-name Explanation: This diagnostic message is issued because DEBUG was requested. It indicates progress in collecting MQ-related information. Severity: 0 Severity: 08 Chapter 2. CKF Messages 43 CKF551I • CKF561I CKF551I MQ action QMGR QMGR-name RC=retcode-reascode Explanation: This diagnostic message is issued if a step fails in the process to obtain information from the MQ QMGR region. Inspect the reason code to analyze the cause of the error. MQ reason codes can be found in WebSphere MQ for z/OS: Messages and Codes. Severity: 08 CKF552I Cannot access address space jobname ASID asid - ALESERV rc=retcode Explanation: The CKFCOLL program was not able to access the job's private region. This can occur if the MQ=YES option is requested. Return codes for the ALESERV ADD macro are documented in z/OS MVS Programming Authorized Assembler Services Reference, Vol. 1 in the z/OS information center. Severity: 04 CKF553I POINT RPL type dev volume datacomponent rc=nn reason=nnnn Explanation: This messages indicates an unexpected return code and reason code (in decimal) from the VSAM POINT macro. IFAQUERY return area too small. Omitted SMF Flood policy records. Explanation: A second call was issued to pass the required length needed to store the SMF flood policy data, but the space is not sufficient to store the data. Contact IBM Software Support. Severity: 8 CKF555I Unexpected return code from IFAQUERY. SMF flood policy information will be missing. rc=hhhhhhhhhhh hex rsn=hhhhhhhhhhh hex Explanation: zCollect was not able to access the job's private region. This can occur if the CICS=YES zCollect option is requested. Return codes for the ALESERV ADD macro are documented in z/OS MVS Programming Authorized Assembler Services Reference, Vol. 1 in the z/OS information center. Severity: 00 CKF558I abend during MQ data collection ASID asid jobname Explanation: This message indicates that an unexpected condition occurred while trying to collect information from the indicated MQ address space. User response: Check whether the jobname is of a supported MQ subsystem and release. If it is, see the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, contact IBM Software Support. Severity: 08 abend during MQ data collection jobname Explanation: This message indicates that an unexpected condition occurred while trying to collect information from the indicated MQ address space. User response: Check whether the jobname is of a supported MQ subsystem and release. If it is, see the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, contact IBM Software Support. CKF560I Number of CICS regions interrogated: nnn Transactions: nnn Programs: nnn Explanation: This is an informational message showing the total number of CICS regions that were processed and the total number of transactions and programs that were found. Severity: 00 Severity: 12 Unsupported MQ release release for ASID asid jobname. Assume SYSP length = 256 Explanation: The release of MQ is not recognized. The length of the SYSP control block generated by this release of MQ is unknown. A length of 256 bytes is assumed. If this value is incorrect, additional message CKF559I might be issued. 44 Cannot access address space jobname ASID asid - ALESERVE rc=rc Severity: 08 Explanation: The SMF flood policy data could not be returned because the available space is too small. Contact IBM Software Support. CKF556I CKF557I CKF559I Severity: 8 CKF554I Severity: 04 Messages Guide CKF561I Number of IMS regions interrogated: nnn Transactions: nnn PSBs: nnn Explanation: This is an informational message showing the total number of IMS regions that were processed and the total number of transactions and PSBs that were found. Severity: 00 CKF562I • CKF569I CKF562I CS Resolver data cannot be collected on OS_level Explanation: If you are running zSecure on z/OS V1R12 or lower, you can prevent this message by ensuring that the zSecure Collect TCPIP parameter is set to NO. For information about setting this parameter, see "zSecure Collect for z/OS" in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual. Severity: 00 CKF563I Resolver NMI error UNIX error Explanation: This message is triggered by a failure at the EZBREIFR call. User response: Look up the EZBREIFR service return code and reason code in the Communications Server IP Programmer’s Guide and Reference (SC27-3659). Severity: 08 CKF564I Could not action amount of storage to read CS Resolver configuration Severity: 08 BPX1PCT Query Config Option failed Return Value=nn Return Code=nn Reason Code=nn Explanation: This message indicates that an error occurred during the execution of the BPX1PCT "Query Config" function. This function is used to determine the zFS sysplex status. The specified reason code consists of two half words. The first is the reason code qualifier. The second is the reason code as described in UNIX System Services Messages and Codes. If this message occurs, the value of SYSPLEX_MODE is blank. Severity: 04 CKF566I Severity: 04 CKF567I Nil pointer trying to access id from jobname Explanation: This message indicates that an unexpected condition occurred while trying to create a CKFREEZE record from a storage control block. The id indicates the kind of control block that was being accessed. User response: Check whether the jobname is of a supported subsystem and release. If it is, see the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. Severity: 08 Explanation: If action=obtain, zSecure Collect does not have enough storage available to read the configuration data of the CS Resolver. Allocate a larger region for a zSecure Collect run to avoid this problem. If action=release, zSecure could not release the storage that is used to read the CS Resolver configuration. An internal processing problem might have occurred. CKF565I is causing collection errors, contact IBM Software Support. Unable to determine if DSN dsn is RLS controlled. LISTCAT return code rc Explanation: This message indicates that CKFCOLL was unable to determine if the dsn data set is controlled by RLS. zSecure determines if RLS is active by issuing the LISTCAT command for a data set and checking if "RLS in use" is displayed in the output. CKF568I abend accessing jobname ASID asid Explanation: This message indicates that an unexpected condition occurred while trying to determine if the indicated address space is a CICS address space, and if so, find relevant CICS region information. User response: Check whether the jobname is of a supported subsystem and release. If it is, see the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. Severity: 08 CKF569I abend trying to access id from jobname Explanation: This message indicates that an unexpected condition occurred while trying to create a CKFREEZE record from a storage control block. The id indicates the kind of control block that was being accessed. User response: Check whether the jobname is of a supported subsystem and release. If it is, see the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. Severity: 08 User response: If the data set is RLS controlled and it Chapter 2. CKF Messages 45 CKF570I • CKF576I CKF570I Number of DB2 regions interrogated: nn Explanation: This summary message indicates the number of DB2 regions that were processed during the zCollect run. Severity: 00 CKF571I User response: See the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. Severity: 08 Error loading module xxxxxxx DB2 system table unload terminated for DB2 subsystem yyyy release zzzz Steplib data sets used: DSN=aaa.aaaa CKF574I RACROUTE VERIFY CREATE error RACF RC (hex) xxxxxxx RACF reason (hex) yyyyyyyy DB2 table unload terminated for DB2 subsystem zzzz Explanation: zSecure Collect received an error when attempting to load a DB2 module. The process of unloading the DB2 system catalog tables was terminated for each of the DB2 subsystems associated with this DB2 release. Explanation: zSecure Collect received an error when it issued "RACROUTE VERIFY CREATE." The unloading of the DB2 system catalog tables was terminated for the specified DB2 subsystem. User response: See the Electronic Support Web site for possible maintenance associated with this message. User response: Use the return code and reason code to determine why the RACROUTE failed. If you cannot correct the problem, contact IBM Software Support. If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. CKF575I Severity: 08 CKF572I Error allocating the DB2 steplib libraries. DB2 system table unload terminated for DB2 subsystem yyyy release zzzz Steplib data sets used: DSN: yyyy.yyyy Explanation: zSecure Collect received an error when attempting to allocate the specified DB2 steplib data sets. The process of unloading of the DB2 system catalog tables was terminated for each of the DB2 subsystems associated with this DB2 release. User response: See the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. DB2 unload error. SYSADM userid xxxxxxxx greater than 8 characters in length. Processing of DB2 system yyyy terminated. Explanation: The installation SYSADM user ID for the specified DB2 subsystem is greater than eight characters. A user ID greater than eight characters might be a role-based SYSADM user ID. Processing for the specified DB2 subsystem was terminated because zSecure was unable to unload the DB2 system catalog tables. 46 Messages Guide ATTACH failed for DSNUTILB RC=xxxxx DB2 system table unload terminated for DB2 subsystem yyyy release zzzzz Steplib data sets used: DSN: aaaa.aaaa Explanation: zSecure Collect received an error while attempting to start DSNUTILB to unload the DB2 system catalog tables. Further processing of the DB2 system catalog tables was terminated for the specified DB2 subsystem. User response: See the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. Severity: 08 CKF576I Severity: 08 CKF573I Severity: 08 Unexpected xxxxx during ATTACH of DSNUTILB to UNLOAD DB2 tables Explanation: zSecure Collect received an error during the ATTACH to DSNUTILB to unload the DB2 system catalog tables. Further processing of the DB2 system catalog tables was terminated. User response: See the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. Severity: 08 CKF577I • CKF586I CKF577I OPEN ERROR xxxxx for DDNAME CKFDS001 Explanation: zSecure Collect received an error while opening the DB2 steplib data sets. See message CKF572I for further information on the allocated DB2 steplib data sets. Further processing of the DB2 system catalog tables was terminated. User response: See the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. Severity: 08 CKF578I System Services Messages and Codes manual. User response: Review the specified reason code in UNIX System Services Messages and Codes. Severity: 08 CKF582I Explanation: This informational message shows the number of TKDS records copied to the CKFREEZE data set. Severity: 00 CKF583I nnn records processed from table tablename for DB2 subsystem subsys Explanation: This informational message shows the total number of records that were processed from a DB2 catalog table. Severity: 00 Number of TKDS token/cert records copied: decnum type abend xxx-nn (explanation) accessing JES2, ASID asid Explanation: This message indicates that a nonrecoverable abend occurred while accessing data in the JES2 address space. For information about the common abend codes, see the zSecure Collect documentation in the user reference manual for your zSecure product. Severity: 08 CKF579I Number of MQ regions interrogated: number Explanation: This is an informational message showing the total number of MQ regions that were processed. Severity: 00 CKF580I Error unloading the DB2 table aaaaaaaa for DB2 subsystem yyyy Steplib data sets used: DSN: yyyy.yyyy Explanation: zSecure Collect received an error when attempting to unload the DB2 table. See the DSNPRT DD if it is allocated for error messages associated with this DB2 unload. User response: Review the messages in DSNPRT to resolve the problems unloading the DB2 table. If the error was caused by a B37/D37 error on DSNOUT, see "DB2 table unloads" in the User Reference Manual for information on how to allocate DSNOUT in the collect JCL. CKF584I Explanation: This message indicates that a nonrecoverable abend occurred while accessing data in the JES2 PSO data space. For information about the common abend codes, see the zSecure Collect documentation in the user reference manual for your zSecure product. Severity: 08 CKF585I BPX1SYC: Determine system configuration options failed. RC=rc reason=reason Explanation: An error occurred during the execution of the BPX1SYC "Determine system configuration options" function. The reason code consists of two halfwords. The first is the reason code qualifier. The second is the reason code as described in the UNIX Cannot access address space JES2, ASID asid - ALESERV rc=rc Explanation: The CKFCOLL program was not able to access the JES2 private region. Return codes for the ALESERV ADD macro are documented in z/OS MVS Programming: Authorized Assembler Services Reference, Vol. 1 in the z/OS information center. Severity: 08 CKF586I Severity: 08 CKF581I type abend xxx-nn (explanation) accessing JES2 PSO, ASID asid Cannot access data space for JES2 PSO, ASID asid - ALESERV rc=rc Explanation: The CKFCOLL program was not able to access JES2 PSO data space. Return codes for the ALESERV ADD macro are documented in z/OS MVS Programming: Authorized Assembler Services Reference, Vol. 1 in the z/OS information center. Severity: 08 Chapter 2. CKF Messages 47 CKF587I • CKF599I CKF587I Cannot access OMVS kernel address space jobname ASID asid - ALESERV rc=rc Explanation: zSecure Collect was not able to access the private region of the OMVS kernel job while zSecure Collect gathered information about UNIX processes. Return codes for the ALESERV ADD macro are documented in z/OS MVS Programming: Authorized Assembler Services Reference, Vol. 1 in the z/OS information center. Severity: 08 CKF588I Abend accessing OMVS kernel address space jobname ASID asid User response: Check whether the jobname is an OMVS kernel task. If it is, see Electronic Support website for possible maintenance associated with this message. If you cannot find applicable maintenance, contact IBM Software Support. Severity: 08 Process information not found in OMVS kernel address space jobname ASID asid Explanation: This message indicates that a control block that contains information about UNIX processes was not found. User response: Check whether the jobname is an OMVS kernel task. If it is, see Electronic Support website for possible maintenance associated with this message. If you cannot find applicable maintenance, contact IBM Software Support. Cannot access address space jobname ASID asid - ALESERV rc=rc Explanation: zCollect could not access the job's private region while collecting the information about address space active jobs. Return codes for the ALESERV ADD macro are documented in z/OS MVS Programming Authorized Assembler Services Reference, Vol. 1 in the z/OS information center. Severity: 08 CKF592I Explanation: This message indicates that an unexpected condition occurred while trying to determine an OMVS kernel address space, and if so, find relevant information about UNIX processes. CKF589I CKF591I Abend accessing jobname ASID asid Explanation: This message indicates that an unexpected condition occurred while trying to collect the information about address space active jobs. User response: See the Electronic Support website for possible maintenance associated with this message. If you cannot find applicable maintenance, contact IBM Software Support. Severity: 08 CKF593...CKF596 message Explanation: These messages are issued as the result of debugging commands that are not described in this manual. Severity: 00 CKF597I Cannot access address space jobname ASID asid - ALESERV rc=retcode Explanation: zCollect was not able to obtain data from the job's private region. Return codes for the ALESERV ADD macro are documented in z/OS MVS Programming Authorized Assembler Services Reference, Vol. 1 in the z/OS information center. Severity: 00 Severity: 08 CKF598I CKF590I Process information table in OMVS kernel address space jobname ASID asid is empty Explanation: This message indicates that a control block that contains information about UNIX processes was found but it contains no process information or has an unsupported layout. JFCBs not collected for swapped ASID asid jobname=jobname Explanation: This message is issued if the indicated address space is swapped out and data about allocated data sets cannot be obtained. The information from this address space is missing from the CKFREEZE data set. zSecure reports created using this CKFREEZE data set might be incomplete. User response: Check whether the jobname is an OMVS kernel task. If it is, see Electronic Support website for possible maintenance associated with this message. If you cannot find applicable maintenance, contact IBM Software Support. Severity: 04 Severity: 08 Explanation: This message indicates a failure while trying to obtain allocated data set information for the indicated jobname in address space asid. CKF599I Severity: 08 48 Messages Guide Abend abend info during access ASID asid jobname=jobname CKF700I • CKF712I Messages from 700 to 799 CKF700I Internal error: CKFALLOC called in invalid state Explanation: This message indicates a serious internal error. User abend 700 will be issued. Contact IBM Software Support. Severity: 24 Severity: 24 CKF707I Internal error: PDS on wrong IOXC Explanation: This message indicates a serious internal error. The PDS will be skipped. Contact IBM Software Support. Severity: 24 CKF701I CKFAXCP: data areas too large, on dev volume - user abend 701 CKF708I CKFSCHED Internal error: hung I/O executor Explanation: This message indicates an internal error: the data areas requested by the channel program passed to the I/O driver are too large. User abend 701 will be issued. Contact IBM Software Support. Explanation: This message indicates a serious internal error. A user abend 708 will be issued. Contact IBM Software Support. Severity: 28 Severity: 24 CKF702I I/O routine type abend xxx-nn (explanation)on dev volume - user abend 702 Explanation: This message indicates an internal error: the data areas requested by the channel program passed to the I/O driver are too large. User abend 702 will be issued. Contact IBM Software Support. Severity: 28 CKF703I CKF709I Explanation: This message indicates a serious internal error. User abend 709 will be issued. Contact IBM Software Support. Severity: 24 CKF710I CKFCAT called in invalid state Explanation: This message indicates a serious internal error. User abend 703 will be issued. Contact IBM Software Support. Internal error: CKFVTOC called in invalid state Internal error: CKFVVDS called in invalid state Explanation: This message indicates a serious internal error. User abend 710 will be issued. Contact IBM Software Support. Severity: 24 Severity: 24 CKF711I CKF704I Internal error: BCS bcsvol on IOXC ioxcvol-key Explanation: This message indicates a serious internal error. The catalog will be skipped. Contact IBM Software Support. Severity: 24 FREEMAIN for 4K SQA at address xxxxxxxx failed with return code nn hex after I/O on dev volume- user abend 711 Explanation: This message indicates that zSecure Collect failed to free its 4KB SQA area at the specified address. To prevent further SQA pollution, the program issues a user abend 711. Contact IBM Software Support. Severity: 28 CKF705I Internal error: CKFPATH called in invalid state Explanation: This message indicates a serious internal error. User abend 705 will be issued. Contact IBM Software Support. Severity: 24 CKF706I CKFPDS(E) called in invalid state CKF712I Unexpected GETMAIN return code nn hex Explanation: This message indicates that zSecure Collect failed to obtain a page-aligned work area for the VM DIAGNOSE buffers. No diagnose will be issued. Contact IBM Software Support. Severity: 24 Explanation: This message indicates a serious internal error. User abend 706 will be issued. Contact IBM Software Support. Chapter 2. CKF Messages 49 CKF713I • CKF726I CKF713I Unexpected PGSER/PGFIX return code nnn hex Explanation: This message indicates that an unexpected return code was encountered for the PGFIX (non-XA) or PGSER (XA) service. Contact IBM Software Support. Severity: 24 CKF714I Unexpected PGSER/PGFREE return code nnn hex Severity: 24 Explanation: This message indicates that an unexpected abend was encountered during VM diagnose processing. VM information may be missing. Contact IBM Software Support. Severity: 24 CKF716I Severity: 24 CKFAXVM internal error: AXVM pointer xxxxxxx at address xxxxxxxx invalid Internal error: type on wrong IOXC Explanation: This message indicates a serious internal error. The indicated type of data set (DMSU for DMSUNL, PDSE for PDS/E directory, or PDSM for AUTHLIB) will be skipped. Contact IBM Software Support. Severity: 24 CKF722I CKFAXVM recovered from unexpected type abend xxx-nn (explanation) CKFDSN called in invalid state Explanation: This message indicates a serious internal error. User abend 720 will be issued. Contact IBM Software Support. CKF721I Explanation: This message indicates that an unexpected return code was encountered for the PGFREE (non-XA) or PGSER (XA) service. Contact IBM Software Support. CKF715I CKF720I CKFDMSF called in invalid state Explanation: This message indicates a serious internal error. User abend 722 will be issued. Contact IBM Software Support. Severity: 24 CKF723I Internal error: type on wrong IOXC Explanation: This message indicates a serious internal error. The data set of type type will be skipped. The type can be DMSF for DMSFILES. Contact IBM Software Support. Severity: 24 Explanation: Contact IBM Software Support. Severity: 24 CKF717I CKFCAT invalid VSAM data set type type Explanation: This message indicates a serious internal error. Contact IBM Software Support. CKFTMC called in invalid state Explanation: This message indicates a serious internal error. User abend 718 will be issued. Contact IBM Software Support. Internal error: type on wrong IOXC Explanation: This message indicates a serious internal error. The type data set (TMC/VMF/ABR) will be skipped. Contact IBM Software Support. Severity: 24 50 CKF724I Missing CBVER RESET after proc Explanation: This message indicates a serious internal error. Contact IBM Software Support. CKF725I Internal error: unexpected concatenation after type device volume dataset Explanation: This message indicates a serious internal error. Contact IBM Software Support. Severity: 24 Severity: 24 CKF719I CBVER RESET missed for ID=cccc at CBVER ID=cccc Severity: 24 Severity: 24 CKF718I CKF724I Messages Guide CKF726I Internal error: ADDDD called for concatenation with tape Explanation: This message indicates a serious internal error. Contact IBM Software Support. Severity: 24 CKF729I • CKF911I CKF729I function NMI call error TCP/IP tcpipstackname RC rc RSN reasoncode Explanation: This message indicates that the NMI request failed with an unexpected return code (rc). 2. Select z/OS Communications Server -> IP Programmer's Guide and Reference. Return codes are documented in Network management interfaces. Severity: 08 User response: Check the explanation of the return code: 1. See the z/OS Internet Library for the version of z/OS that you are using and click the z/OS version under z/OS Information Centers. Messages from 800 to 899 CKF874I RECFM=V(BS) RDW hex exceeds LRECL=lrecl at record n ddname volser dsname Explanation: This message indicates invalid record contents for a RECFM=V(B)(S) data set. The record descriptor word does not match the DCB parameters. The Record Descriptor Word (RDW) is shown in hexadecimal. The first 2 bytes are the record length including the RDW. This is handled as an end-of-file condition. The severity is 4 to avoid disrupting processes that might encounter empty data sets and need to continue. User response: Recreate the data set or omit the data set from the input. Explanation: This message indicates invalid block contents for a RECFM=V(B)(S) data set. The block descriptor word does not match the DCB parameters. The Block Descriptor Word (BDW) is shown in hexadecimal. The first 2 bytes are the block length including the BDW, unless the high order bit is on, in which case it can be a large block 4 byte length. This is handled as an end-of-file condition. The severity is 4 to avoid disrupting processes that might encounter empty data sets and need to continue. User response: Recreate the data set or omit the data set from the input. Severity: 04 Severity: 04 CKF875I RECFM=V(BS) BDW hex exceeds BLKSIZE=blksize at record n ddname volser dsname Messages from 900 to 999 CKF900I debug message Explanation: This debug message is only relevant for IBM Software Support and is not present in any Generally Available version of the software. DEBUG or because of a failed SVC99 where DAIRFAIL did not return a message text. It has continuation lines detailing the individual text units contents after SVC 99 (DYNALLOC) completion. Severity: 00 Severity: 00 CKF910I CKF906I Type abend xxx-nn (explanation) reading REAL storage identifier Explanation: This error message indicates that an abend occurred during an attempt to obtain information from real storage. If the identifier is LST, this indicates that one of the Linkage Second Tables could not be read (in its entirety). Program Call reports based on this data will not be complete. Severity: 04 CKF907I DYNALLOC trace: SVC 99 return code nn - meaning Explanation: This message is issued because of HLLENQ status report identifier Explanation: These messages are issued in response to DEBUG. Severity: 00 CKF911I service RC=rc hex RSN=rsn hex [for qname-scope rname]: explanation Explanation: A call to the indicated service (either ENQ or ISGENQ) did not complete with RC=0. This message does not necessarily indicate a need for action, for example, an APF authorized program can issue an ENQ against the unauthorized QNAME CKRDSN. Hence, this message should be considered informational only. Chapter 2. CKF Messages 51 CKF912I • CKF925I Severity: 00 CKF912I CKF914I STIMERM error: explanation Explanation: Contact IBM Software Support. Multiple HLLQENQ ACTION=xxx,ID=id calls without an intervening HLLQDEQ ID=id or HLLQDEQ ALL are not supported Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKF913I Serialization could not obtain all ENQs Explanation: The program could not obtain ENQs on all requested resources, and cannot continue. The resource for which no ENQ could be obtained has been identified in a preceding message CKF911I. Severity: 16 CKF913I Serialization encountered a serious error Explanation: The program attempted to obtain ENQs on all requested resources, but encountered an unexpected condition. The run cannot continue. Look for a preceding message CKF911I to identify the exact cause of the failure. Serialization has obtained all ENQs Explanation: The program successfully obtained ENQs for all requested resources. Severity: 00 CKF913I Serialization starts waiting for ENQs Explanation: The program attempted to obtain ENQs on all requested resources, but not all resources were immediately available. The program will wait for the remaining resources to become available. Look for a preceding message CKF911I to identify the resources that were not immediately available. Severity: 16 Serialization WAIT timed out Explanation: The program attempted to obtain ENQs on all requested resources, but not all resources were immediately available. After waiting for the number of minutes specified on the MAXWAIT subparameter of the SERIALIZATION command, one or more required resources were still unavailable. The program gives up and aborts the run. Look for a preceding message CKF911I to identify the unavailable resources. Severity: 16 Severity: 24 CKF923I Messages Guide Input from a TSO/E terminal is not supported - DD ddname Explanation: Input from a TSO/E terminal in line mode is not supported. Severity: 20 CKF924I DD ddname DSN dsn invalid block size: blksize Explanation: After ddname has successfully been opened (using OPEN), its DCB must indicate a positive block size unless ddname is a DUMMY device. Severity: 16 CKF925I Member member DDname ddname DSname dsn Problem description Explanation: The program received a non-zero return code from the FIND SVC when trying to locate the indicated member. The problem description on the second line gives the exact nature of the problem. Severity: 08 52 Record with negative length length directed to ddname behind record recno Explanation: An invalid record was passed to the output routine. An empty record has been written instead. Contact IBM Software Support. Severity: 04 CKF913I UNIX write record nn failed RC nn [meaning] reason qqqq rrrrx [meaning] file ddname path Explanation: This message indicates that a BPX1WRV call failed with the indicated return code in decimal and the reason code split into reason code qualifier qqqq and reason code rrrr, both in hexadecimal. For well-known return codes and reason codes the numeric values are followed by an explanatory string. Use the IBM Unix System Services manual to look up other return and reason codes. CKF919I Severity: 16 CKF913I CKF915I CKF931I or CKV931I • CKF963I or CKV963I CKF931I or CKV931I proc: Buffer overrun destinationlength sourcelength:data Explanation: A buffer overrun occurred in the format procedure proc. This message will be followed by a user ABEND 931. Contact IBM Software Support. qualifier qqqq and reason code rrrr, both in hexadecimal. For well-known return codes and reason codes the numeric values are followed by an explanatory string. Use the IBM Unix System Services manual to look up other return and reason codes. Severity: 16 Severity: 24 CKF942I or CKV942I Environment mismatch for product code code Explanation: This message indicates that while code for the product code identified was installed, it is not running in its proper environment. For instance, some product codes are limited to UNIX tasks under z/OS, some to non-UNIX tasks under z/OS, and some to z/VM. CKF948I or CKV948I Enablement information corrupt for product code code Explanation: This message shows a problem with product installation or entitlement. User response: Contact your system programmer to verify successful installation. Severity: 16 Severity: 00 CKF949I or CKV949I Product code code installed and non-APF registration limit exceeded CKF944I or CKV944I UNIX type close RC nn [meaning] reason qqq rrrr x [meaning] file ddname path Explanation: This message is issued for products that are installed but cannot be registered because the MVS limit for product registration by non-APF programs has been exceeded. Explanation: This message indicates that a BPX1CLO call failed with the indicated return code in decimal and the reason code split into reason code qualifier qqqq and reason code rrrr, both in hexadecimal. For well-known return codes and reason codes, the numeric values are followed by an explanatory string. Use the IBM Unix System Services manual to look up other return and reason codes. Severity: 00 CKF950I or CKV950I Code not installed here for product code code The type can be "wronly"or "rdonly." Explanation: This indicates that you are attempting to run functionality for a product that is not installed here. Severity: 16 Severity: 16 CKF945I or CKV945I UNIX action failed RC nn [meaning] reason qqq rrrr x [meaning] file ddname path CKF955I or CKV955I program task heap STORAGE REQUEST ERROR: SIZE NOT POSITIVE Explanation: This message indicates that a BPX1OPN or BPX1FCT call failed with the indicated return code in decimal and the reason code split into reason code qualifier qqqq and reason code rrrr, both in hexadecimal. For well-known return codes and reason codes the numeric values are followed by an explanatory string. Use the IBM Unix System Services manual to look up other return and reason codes. Explanation: This message indicates an internal memory management error. It is followed by a user abend 16. The message identifies the heap as well as the program and task that created the heap. Contact IBM Software Support. The action can be wronly open, fcntl filetag, or rdonly open. Severity: 16 CKF947I or CKV947I Reading filedesc off failed RC nn [meaning] reason qqqq rrrr x [meaning] file ddname path Severity: 16 CKF963I or CKV963I Ambiguous name "value" Explanation: This message indicates that an ambiguous abbreviation was entered, i.e. two or more different keywords could be meant by the abbreviated value. Specify the keyword intended in more detail. Severity: 16 Explanation: This message indicates that a BPX1RED (UNIX read) call failed with the indicated return code in decimal and the reason code split into reason code Chapter 2. CKF Messages 53 CKF964I or CKV964I • CKF976I or CKV976I CKF964I or CKV964I MEMBER NAME REQUIRED FOR WRITES TO PDS(E) DATA SET dsn Explanation: This message indicates that a member name is required, but not specified, for the indicated data set. Severity: 16 CKF967I or CKV967I RECFM=F INVALID FOR LRECL=X,RECFM=VBS PREFERRED DATA SET dsn Explanation: This message indicates that a RECFM=F data set was encountered on a file that is to receive variable spanned unlimited length records by preference. Although downward compatibility is maintained to non-spanned and limited-record length records, the code cannot write RECFM=F records. Severity: 16 CKF972I or CKV972I Enablement information missing for product Explanation: This message indicates that the product cannot run because the load module is not complete. User response: Contact your system programmer to complete installation of the product. Severity: 16 CKF973I or CKV973I IBM Security product code code disabled or not installed Explanation: This indicates that you are attempting to run functionality for a product that is not installed here, or it is disabled for this system name, sysplex name, LPAR name, VM user ID, or hardware name. User response: Check active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, contact your system programmer to verify installation. Severity: 16 CKF968I or CKV968I IFAEDDRG failed RC nn decimal Explanation: This message indicates that an attempt to register a previously registered product failed. User response: Contact IBM Software Support. Severity: 16 CKF969I or CKV969I I/O error for dsn: description Explanation: This message indicates that an I/O error occurred during normal QSAM or BSAM input processing for dsn. Operation will be continued, but an abend or other error message may follow because of the information missing due to the I/O error. Severity: 08 CKF970I or CKV970I program task heap FREE STORAGE ERROR: message Explanation: This message indicates an internal memory management error. It is followed by a user abend 16. The message identifies the heap as well as the program and task that created the heap. Contact IBM Software Support. CKF974I or CKV974I IBM Security product disabled or not installed here for requested focus Explanation: Either the product is not installed here, or the requested focus is disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name. User response: Check active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, contact your system programmer to verify installation. Severity: 16 CKF975I or CKV975I IBM Security product disabled or not installed Explanation: Either the product is not installed here, or it is disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name. User response: Check active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, contact your system programmer to verify installation. Severity: 16 Severity: 16 CKF976I or CKV976I Code or enablement for product product or feature is missing CKF971I or CKV971I Maximum length for this field is len at file line n Explanation: Either the product is not installed here, or it is disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name. Explanation: The input contains a multiple-line string that is too long. The maximum length for the string is indicated in the message. Severity: 16 54 Messages Guide User response: Check active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, contact your system programmer to verify installation. Severity: 16 CKF976I or CKV976I • CKF984I or CKV984I CKF976I or CKV976I IBM Security product or feature disabled or not installed here CKF980I Explanation: Either the product is not installed here, or it is disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name. Explanation: This error message indicates that an 05D abend occurred during an attempt to obtain the specified field through cross-memory services. This means the address space was swapped out. CKFCOLL does not currently cause swap-in of other address spaces (to prevent bogging down the system with swap-in requests). Usually production systems have the address spaces that CKFCOLL wants to see defined as nonswappable. So you will most often see this message on test systems, or on production systems for test-subsystems (for example, test DB2). For the purpose of auditing PC calls, it useful to know that the PC call is also unavailable to the user while the address space is swapped out. User response: Check active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, contact your system programmer to verify installation. Severity: 16 CKF977I or CKV977I Installed PRODUCT OWNER('IBM CORP') ID(id) NAME('name') FEATURE('feature') VER(version) REL(release) MOD(modification) [ Product action RC rc decimal ] Explanation: This message is issued in response to DEBUG for products that are installed. The action can be "registration" or "status." The return code is for IFAEDREG or IFAEDSTA, respectively, which are documented in MVS Programming: Product Registration. No continuation line is shown if product registration does not apply (for example, because of CKF979I). Omitted fieldname because address space jobname swapped out Severity: 04 CKF981I or CKV981I Invalid type "value" Explanation: This message indicates that the text value is not a valid value in the context type. Severity: 16 Severity: 00 CKF982I or CKV982I Internal error: unknown error code at ddname line number CKF978I or CKV978I Product code code has been disabled in PARMLIB Explanation: The input parser error routine encountered an invalid error code. Contact IBM Software Support. Explanation: This message is issued in response to DEBUG for products that have been disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name by an entry in IFAPRDxx in your z/OS PARMLIB. User response: Run the product somewhere else, or ask your system programmer for enablement. Severity: 00 CKF979I or CKV979I Product code code implied by other Explanation: This message is issued in response to DEBUG for products that are not being registered because their entitlement is implied by a more encompassing entitlement. Severity: 00 CKF980I Severity: 16 CKF983I or CKV983I Expecting list separator/terminator instead of type"value" at ddname line number Explanation: This message indicates that the input parser expected a list separator or terminator for the current list (this can for instance be a comma, blank, or end-of-line, depending on the context). Instead, it encountered the indicated token type type(and text value, if available). The input parser skips all input until it encounters a valid list separator or terminator for the current list. Severity: 16 CKF984I or CKV984I Invalid type list element type type "value" at ddname line number Type abend xxx-nn (explanation) trying to access fieldname in jobname Explanation: This error message indicates that an abend occurred during an attempt to obtain the specified field through cross-memory services. A common cause has its own message text with the same message number. Explanation: This message indicates that the input parser expected a list element of the specified type, but found a token of a type not supported as a list element in this context. If available, the offending text value is also listed in the message. The input parser skips all input until it encounters a valid list separator or terminator for the current list. Severity: 04 Severity: 16 Chapter 2. CKF Messages 55 CKF985I or CKV985I • CKF998I or CKV998I CKF985I or CKV985I Required list element/parameter "value" missing at ddname line number Explanation: This message indicates that the input parser detected a missing required parameter or element in the list at the indicated line. CKF991I or CKV991I ESTAE return code rc Explanation: This message indicates that the program failed to establish an abend exit linkage. Severity: 04 CKF993I or CKV993I DIAGNOSTIC DUMP SUPPRESSED FOR program TASK taskname type ABEND xxx Severity: 16 CKF986I or CKV986I Duplicate parameter value at ddname line number Explanation: This message indicates that the input parser detected a duplicate occurrence of the parameter or list element value at the indicated line. Severity: 16 CKF987I or CKV987I Syntax error: type1 expected instead of type2 at "value" on ddname line number Explanation: This message indicates that the input parser expected a specific token type type1 in the current context. Instead of this, it found the token type type2 (at the text value, if available) on the indicated input line. Severity: 16 CKF988I or CKV988I Syntax error: "c" expected instead of type at "value" on ddname line number Explanation: This message indicates that the input parser expected a specific character "c" (presumably a delimiter) in the current context. Instead of this, it found the token type type (at the text value, if available) on the indicated input line. Explanation: This message indicates that the program abend exit did not attempt to make a diagnostic summary dump. This is done to prevent recursive abend conditions involving the print file. The task name is PROGRAM for the main task or for the only task in a program. For a multi-tasking program, program might identify one of the subtasks. CKF995I or CKV995I LRECL INVALID; NOT OVERRULED FOR PARTITIONED DATA SET Explanation: This message indicates that the print file open routine detected an invalid record length for the output file. This would have been overruled with a correct length for a Physical Sequential data set, but this is not done for Partitioned Data Sets to prevent making any existing PDS members inaccessible. Subsequent 013 or 002 abnormal ends (abends) can result from the invalid record length. CKF996I or CKV979I MFREE: NO LENGTH FOUND IN BLOCK FOR STACK name Explanation: This message indicates an internal stack error. It will be followed by a user abend 16. Contact IBM Software Support. Severity: 04 Severity: 16 CKF989I or CKV989I Unexpected type ["value"] [for element] at ddname line number CKF989I Skipping to EOL at unexpected type ["value"] at ddname line number Explanation: This message indicates that the input parser expected one of a number of specific token types, but found a different token type instead. If available, the offending text value and the element for which it is read are also listed in the message. The parser will either continue with the next token, or skip directly to the end of the line. Severity: 12 CKF997I or CKV997I STACK ERROR - ELEMENT POPPED IS NOT ON TOP OF STACK name Explanation: This message indicates an internal stack error. It will be followed by a user abend 16. Contact IBM Software Support. Severity: 16 CKF998I or CKV998I STACK OVERFLOW FOR STACK tasklevel stackname IN program Explanation: This message indicates an internal stack error. It is followed by a user abend 16. Contact IBM Software Support. Severity: 16 56 Messages Guide CKF999I or CKV999I CKF999I or CKV999I STORAGE SHORTAGE FOR TASK taskname HEAP heapname IN program - INCREASE REGION Explanation: This message indicates that the program needs more storage. If the heap name is LOWHEAP, then the request is for storage below the 16MB line. User response: Look in message CKF034I to determine what region was requested and what was granted to the job step. Increase the REGION value on the JOB or STEP card. It can also be beneficial to use the STORAGEGC command, though this will increase CPU usage. If the problem heap was LOWHEAP, there was not enough storage available below the line. Increasing the REGION might still help, if there was not enough storage above the line so that LOWHEAP storage was used instead. If there is a true storage shortage below the line, you could reduce I/O parallelism with the PARALLEL option or force the immediate freeing of allocations with the FREE option. Severity: 16 Chapter 2. CKF Messages 57 58 Messages Guide Chapter 3. CKG messages This chapter describes messages issued by the CKGRACF program on the mainframe. The CKGRACF program is part of zSecure Admin. It is used for handling Queued commands (like temporary access), revoke or resume schedules, User data fields and various other functions that require updating RACF profiles. This program is also used by zSecure Visual. The CKG messages have a message prefix in the form CKGnnnI where nnn is the message number. The message identifier is followed by a severity code. The program returns as completion code the highest severity code encountered. The general meaning of the CKGRACF message numbers is as follows: 100-399 400-499 500-599 600-699 700-799 800-899 900-999 Normal message, giving status or summary information. Debugging messages due to a DEBUG command Normal message, giving status or summary information. Error condition during execution. Error during the parsing of input, before any command is executed. Messages issued by architectural subcomponents. Messages issued by architectural subcomponents. The general meaning of the CKGRACF severity codes and hence of the completion code is as follows: 00 Normal message, giving status or summary information. 04 Warning: a condition occurred which may cause the command to have an unexpected effect. For example, a queued command was executed that applied the default password, but the default password had changed during the queuing period. 08 Error condition found during processing. For example, a profile could not be found, or access was denied. 12 Syntax error in command input, or an invalid format of USR data in the RACF database. 16 Entitlement problem or invalid or unsupported files connected to CKGRACF. 20 Unsupported condition found in RACF database, or installation error. 24 Internal error or other unexpected and unsupported condition in CKGRACF detected. Messages are included in subsections, grouped by the hundred message-numbers. Messages from 100 to 199 CKG100I Contents of CKRSITE module: contents Explanation: This message is printed as the result of a SHOW CKRSITE command. contents displays the relevant portions of the CKRSITE module. Severity: 00 © Copyright IBM Corp. 1998, 2015 CKG101I Authority requirement for user user is setting Explanation: This message is printed as the result of an AUTHORITY LIST command. It displays the multiple-authority requirement for user user. 59 CKG102I • CKG115I no further commands will be executed. The command is listed in the previous CKG106I message. Severity: 00 CKG102I Authority requirement for user user is the system default (setting) Explanation: This message is printed as the result of an AUTHORITY LIST command. It displays the system-wide default multiple-authority requirement, which applies to user user. Severity: 00 CKG103I CKG109I Please enter new [default] password for user user Explanation: This message prompts to enter a new password or new default password for user user. Severity: 00 field is value Explanation: This message is printed as the result of a FIELD LIST command. It displays the value of the indicated field. Severity: 00 CKG104I Severity: 00 CKG110I Please reenter new [default] password for user user Explanation: This message prompts to reenter a new password or new default password for user user. Severity: 00 No userdata elements with index 'index' found Explanation: This message is printed as the result of a USRDATA LIST command. It indicates the USR field did not contain entries with the indicated index. Severity: 00 CKG111I Highest result code was value Explanation: This message is issued after the command processing; it lists the highest command result code of the command stream executed. Each command with a result code other than zero (which indicates success) will have issued message CKG107I. Severity: value CKG105I Userdata with index 'index' is 'value' Explanation: This message is printed as the result of a USRDATA LIST command. It displays the USRDATA part of one USR entry with the indicated index. Severity: 00 CKG106I Starting command: command Explanation: This message is printed at the start of each command. It displays the next command to be executed. Severity: 00 CKG107I Command ended with result code code Explanation: This message is issued at the end of a command if it did not end successfully. It displays the command's result code. This result code is the same as documented as CKX return code under Chapter 7, “CKX messages,” on page 325. The command is listed in the previous CKG106I message. Severity: code CKG108I Serious command error; terminating CKGRACF Explanation: This message is issued at the end of a command if ended with a result code larger than 8, which indicates a serious processing, RACF, or internal error. CKGRACF command processing is terminated; 60 Messages Guide CKG112I No CKGRACF-reserved userdata entries found Explanation: This message indicates that the LIST command did not find any CKGRACF-reserved USR entries. Severity: 00 CKG113I Default password phrase set by author at date time Explanation: This message indicates a default password phrase was set for the target user. It includes the user who issued the command and the date and time the default value was set. The default password phrase is not included in the message. Severity: 00 CKG115I Default password set by author at date time Explanation: This message indicates a default password was set for the target user. It includes the user who caused the setting to be made, and the date and time it was set. The default password is not included in the message. Severity: 00 CKG116I • CKG129I CKG116I Scheduled type action for schedule on date by user on date time Reason: reason Deleted by user on date time Delete reason: reason Explanation: This message is printed by the LIST command and lists a single scheduled revoke/resume action. The optional run-on messages indicate the revoke/resume reason, and, for a wiped action, the user that wiped the scheduled action. Severity: 00 CKG117I --- Overall revoke/resume status --Revoke from date Resume from date Explanation: This message is printed by the LIST command. It is printed after the scheduled actions; the run-on messages list the overall revoke/resume schedule for the user. Severity: 00 CKG118I Stopped due to attention Explanation: This message indicates that CKGRACF was stopped due to an attention. It will only be issued at the end of the command during which the ATTN key was pressed; commands will not be stopped halfway through. Severity: 00 CKG119I ALTUSER RESUME command was overridden by the scheduled revoke status. Severity: 0 CKG122I User user left status after wipe Explanation: This message indicates that a USER SCHEDULE WIPE command for scheduled actions that applied to past dates did not cause the indicated user's revoke status to be changed; it was left status (revoked or resumed). This may be because the overall schedule has not changed, or because a previous ALTUSER REVOKE or ALTUSER RESUME command agrees with the changed overall schedule. Severity: 00 CKG123I User user left revoked after wipe, resumed due to RESUME Explanation: This message indicates that a USER SCHEDULE WIPE command for scheduled actions that applied to past dates did not cause the indicated user's revoke status to be changed; it was left revoked. However, a subsequent RESUME subcommand in the same USER command will set the user's revoke status to resumed. Severity: 00 CKG126I Command request has been queued Only PERMIT/CONNECT/REMOVE/ DELDSD/RDELETE allowed for ASK/REQ Explanation: This message indicates that a USER REQUEST command for a multiple-authority user ID was queued. The command must be approved by another user before it will be executed. Explanation: The only supported commands for ASK/REQ (and thus queuing) are PERMIT/ CONNECT/REMOVE/DELDSD/RDELETE. This message is issued if another RACF command is given. Severity: 00 Severity: 08 CKG120I User user not resumed due to scheduled actions Explanation: This message indicates that a USER RESUME command for the indicated user did not resume the user ID, since the scheduled actions for the user indicate the user should be revoked. If the user really should be resumed, use the USER SCHEDULE command to alter the scheduled revoke/resume actions. Severity: 08 CKG127I Failed to lock profile class profile Explanation: Locking of the specified target profile failed. No profile data can be read; the command can not be executed. Severity: 08 CKG128I Error in handling of queued command Explanation: An error occurred while trying to process the next stage of a queued command. Severity: 08 CKG121I User user set to status after wipe Explanation: This message indicates that a USER SCHEDULE WIPE command for scheduled actions that applied to past dates caused the indicated user's revoke status to be changed to status (revoked or resumed). This may be due to a changed overall schedule, or because a previous ALTUSER REVOKE or CKG129I Failed to store command Explanation: Writing a queued command failed. This error can have multiple causes, for example, the profile cannot be written to or the USRDATA field in the profile is full. Chapter 3. CKG messages 61 CKG130I • CKG406I command did not find any CKGRACF created queued command entries in the profile being listed. Severity: 08 CKG130I Failed to unlock profile class profile Explanation: The specified target profile could not be freed. Other programs will not be able to use this profile if it is not unlocked. Severity: 12 CKG131I Error in handling of queued command Explanation: An error occurred while trying to process the next stage of a queued command. CKG133I No CKGRACF queued command entries found Explanation: This message indicates that the LIST No CKGRACF schedule data entries found Explanation: This message indicates that the LIST command did not find any CKGRACF created schedule entries in the profile being listed. Severity: 00 CKG135I Severity: 08 CKG132I Severity: 00 parameter only valid in PARM string Explanation: The parameter NOCLOSE, NODUMP or TEXTPIPE is only valid in the parameter string, not in an included file. Severity: 12 Messages from 400 to 499 CKG400I message CKG404I Explanation: Results from a variety of debugging commands not described in this manual. Severity: 00 CKG401I Request=audit: SAF RC (hex) value; RACF RC (hex) value; RACF reason (hex) value Explanation: This message is due to a DEBUG SAFRC command and indicates the SAF and RACROUTE result and reason codes for a RACROUTE REQUEST=AUDIT call. All values are in hexadecimal. Severity: 00 CKG402I Checking for level access to class resource Explanation: This message is due to a DEBUG RACHECK command and indicates the resource name and access level that will be checked. Request=extract,user: SAF RC (hex) value; RACF RC (hex) value; RACF reason (hex) value Explanation: This message is due to a DEBUG SAFRC command and indicates the SAF and RACROUTE result and reason codes for a RACROUTE REQUEST=EXTRACT call for a user profile. All values are in hexadecimal. Severity: 00 CKG405I Request=extract,owner: SAF RC (hex) value; RACF RC (hex) value; RACF reason (hex) value Explanation: This message is due to a DEBUG SAFRC command and indicates the SAF and RACROUTE result and reason codes for a RACROUTE REQUEST=EXTRACT call that attempted to find the profile's owner. All values are in hexadecimal. Severity: 00 Severity: 00 CKG406I CKG403I Request=type: SAF RC (hex) value; RACF RC (hex) value; RACF reason (hex) value Explanation: This message is due to a DEBUG SAFRC command and indicates the SAF and RACROUTE result and reason codes for a RACROUTE REQUEST= type call. All values are in hexadecimal. Severity: 00 Explanation: This message is due to a DEBUG SAFRC command and indicates the SAF and RACROUTE result and reason codes for a RACROUTE REQUEST=EXTRACT,TYPE=ENCRYPT call that attempted to encrypt a password. All values are in hexadecimal. Severity: 00 62 Messages Guide Request=extract,encrypt: SAF RC (hex) value; RACF RC (hex) value; RACF reason (hex) value CKG407I • CKG422I CKG407I ICHEINTY type RC (hex) value; reason (hex) value (explanation) Explanation: This message is due to a DEBUG ICHEINTY command and indicates the ICHEINTY result and reason codes and a short explanation for a failed ICHEINTY call that attempted to read a profile. All values are in hexadecimal. This message immediately follows CKG661I, which indicates the class and profile name. Severity: 00 CKG408I ICHEINTY CKGIWRT write RC (hex) value; reason (hex) value (explanation) CKG416I Explanation: This message is issued when DEBUG RACHECK is activated, and contains the matching profile for the RACHECK. Severity: 00 CKG417I Severity: 00 CKG418I Severity: 00 CKG419I ICHEINTY type delete RC (hex) value; reason (hex) value (explanation) Explanation: This message is due to a DEBUG ICHEINTY command and indicates the ICHEINTY result and reason codes and a short explanation for a failed ICHEINTY call that attempted to delete a profile. All values are in hexadecimal. This message immediately follows CKG663I, which indicates the class and profile name. Severity: 00 CKG410I Request=verify,create: RAF RC (hex) value; RACF RC (hex) value; RACF reason (hex) value Explanation: This message is issued when DEBUG SAFRC is active. Severity: 00 CKG411I Request=verify,delete: RAF RC (hex) value; RACF RC (hex) value; RACF reason (hex) value Explanation: This message is issued when DEBUG SAFRC is active. Severity: 00 CKG415I Checking access for id on class profile Explanation: This message indicates that the access of a user or group on a resource is being checked. Severity: 00 user is [not] resource OWNER Explanation: This message indicates that a user is [not] the owner of the resource indicated by the preceding CKG415I message. Explanation: This message is due to a DEBUG ICHEINTY command and indicates the ICHEINTY result and reason codes and a short explanation for a failed ICHEINTY call that attempted to write to a profile. All values are in hexadecimal. This message immediately follows CKG662I, which indicates the class and profile name. CKG409I RACF profile: class profile user is [not] resource HLQ Explanation: This message indicates that a user ID is [not] equal to the HLQ of the resource indicated by the preceding CKG415I message. Severity: 00 user is user attribute Explanation: This message indicates that a user is SPECIAL, OPERATIONS, or AUDITOR. Severity: 00 CKG420I user is not SPECIAL(, OPERATIONS, or AUDITOR) Explanation: This message indicates that a user is not SPECIAL. If read access to the resource was asked, the message also indicates that the user is not OPERATIONS or AUDITOR. The resource is indicated by the preceding CKG415I message. Severity: 00 CKG421I user is group attribute in group in the resource group owner chain Explanation: This message indicates that a user is GROUP SPECIAL, GROUP OPERATIONS, or GROUP AUDITOR in a group in the resource group owner chain. The resource is indicated by the preceding CKG415I message. Severity: 00 CKG422I user is not GROUP SPECIAL(, GROUP OPERATIONS, or GROUP AUDITOR) in the resource group owner chain Explanation: This message indicates that a user is not GROUP SPECIAL in any group in the resource group owner chain. If read access to the resource was asked, the message also indicates that the user is not GROUP OPERATIONS or GROUP AUDITOR in any group in the resource group owner chain. The resource is Chapter 3. CKG messages 63 CKG423I • CKG510I indicated by the preceding CKG415I message. Severity: 00 CKG423I user is group attribute in group in the resource HLQ group owner chain Explanation: This message indicates that a user is GROUP SPECIAL, GROUP OPERATIONS, or GROUP AUDITOR in a group in the resource HLQ group owner chain. The resource is indicated by the preceding CKG415I message. in the resource HLQ group owner chain Explanation: This message indicates that a user is not GROUP SPECIAL in any group in the resource HLQ group owner chain. If read access to the resource was asked, the message also indicates that the user is not GROUP OPERATIONS or GROUP AUDITOR in any group in the resource HLQ group owner chain. The resource is indicated by the preceding CKG415I message. Severity: 00 Severity: 00 CKG424I user is not GROUP SPECIAL(, GROUP OPERATIONS, or GROUP AUDITOR) Messages from 500 to 599 CKG500I Connect revoke/resume is not supported in combination with UNTIL/FOR/LEN Explanation: The REVOKE, NOREVOKE, RESUME, and NORESUME parameters are not allowed on a CONNECT command for temporary commands (commands with UNTIL/LEN/FOR specified). Severity: 08 CKG501I Unable to read connect information class not a valid class for command Explanation: You tried to specify USER/GROUP/ CONNECT for a command command. Severity: 12 CKG503I class profile profile for command not found Severity: 08 class profile profile for command not found Explanation: The profile for the command command could not be found, because it was not (properly) specified. Severity: 08 64 Messages Guide CMD subcommand not supported Explanation: The RACF command you specified for CMD is not supported. Severity: 12 CMD subcommand parsing error Explanation: The syntax of the RACF command given to CMD was incorrect. Check the syntax of the command. Severity: 12 CKG508I Explanation: The profile for the command command could not be found, because it was not (properly) specified. For fully qualified generics, check that you specified generic. CKG504I Severity: 12 CKG507I Severity: 08 Failed to parse queued command Explanation: An already stored queued command could not be parsed during reading. It was changed after queuing. CKG506I Explanation: CKGRACF was unable to read the connect information of a connect profile. Maybe this profile was garbled. CKG502I CKG505I Internal error in IKJPARS Explanation: An error occurred during parsing of the specified RACF command. Check the syntax of the command. Severity: 20 CKG509I Could not prompt for parameters Explanation: The RACF command given to CMD needs further input, which could not be given in a noninteractive session. Severity: 12 CKG510I ATTN pressed Explanation: The ATTN key was pressed during the parsing of the specified RACF command. CKG511I • CKG573I Severity: 12 CKG511I CKG517I Unknown RACF parse error Explanation: An error was issued during parsing of the RACF command that is unknown to either the parser or CKGRACF. Only one userid supported for CONNECT/REMOVE Explanation: The user ID parameter of a CONNECT or REMOVE command can only have one user ID specified. Issue multiple CMD commands. Severity: 12 Severity: 20 CKG518I CKG512I FROM not allowed for UNTIL/FOR/LEN Explanation: The FROM parameters on the PERMIT command are not supported for temporary commands (commands with UNTIL/LEN/FOR specified). Request the reverse commands yourself through CMD AT. UNTIL/FOR/LEN only allowed with PERMIT/CONNECT/REMOVE, and not with command Explanation: The only supported commands for UNTIL/FOR/LEN are PERMIT/CONNECT/REMOVE. Severity: 12 Severity: 12 CKG530I CKG513I WHEN is not supported with UNTIL/FOR/LEN Explanation: Modifying the conditional access list of a profile is not supported for temporary commands (commands with UNTIL/LEN/FOR specified). Request the reverse commands yourself through CMD AT. CKG514I RESET not allowed for UNTIL/FOR/LEN Explanation: Resetting the access list is not allowed for temporary commands (commands with UNTIL/LEN/FOR specified). Issue the reverse commands through extra CMD commands. Severity: 12 CKG515I Only one ID supported for UNTIL/FOR/LEN Explanation: The ID() parameter for the PERMIT command can only have one ID specified for temporary commands (commands with UNTIL/LEN/FOR specified). Issue multiple CMD commands. Severity: 12 Specified ID id not USER or GROUP Explanation: The user ID specified on the ACCESS command was neither a user nor a group. The syntax is CKGRACF ACCESS <id> <class> <resource>. Severity: 08 CKG570I Class class is not active Explanation: The requested ACCESS is undecided, because the class is not active. Most applications allow access in this case. Severity: 00 CKG571I Class class is not defined to RACF Explanation: The requested ACCESS is undecided, because the class is not defined in the class descriptor table. Most applications allow access in this case. Severity: 00 Severity: 12 CKG516I Explanation: An occurrence of INDD, OUTDD, or ERRDD was encountered outside of a PARM string. CKG569I Severity: 12 INDD, OUTDD, and ERRDD only valid in the parameter string. Access EXECUTE only allowed for classes DATASET and PROGRAM Explanation: The access level of EXECUTE for the PERMIT command is only allowed with the classes DATASET and PROGRAM. CKG572I RACF is inactive Explanation: The requested ACCESS is undecided, because RACF is not active. Most applications allow access in this case. Severity: 00 Severity: 08 CKG573I RACF is inactive and class class is not active Explanation: The requested ACCESS is undecided, because RACF is not active and the class is also inactive. Most applications allow access in this case. Chapter 3. CKG messages 65 CKG574I • CKG585I Severity: 00 CKG574I CKG581I RACF is not installed, or has an insufficient level Explanation: The requested ACCESS is undecided, because RACF was not installed or is not at a sufficient level to support the CKGRACF query. Most applications allow access in this case. Severity: 00 CKG575I Unsupported STAT return code. SAF (hex) nn; RACF (hex) nn Explanation: The requested ACCESS is undecided. A RACSTAT call was done for the class, but the return code has no built-in interpretation. Most applications allow access in this case. Severity: 00 CKG576I Current status: status Explanation: This message is printed in case of an abend. During command processing, it may be followed by message CKG952I. status gives a rough indication of the program's activity at the time of the abend. Severity: 00 CKG577I Current command: command Explanation: This message is printed in case of an abend, if the abend occurs during command processing. It follows message CKG951I. command indicates the current command being processed. Severity: 00 CKG578I class profile contains a TVTOC Explanation: The ACCESS command issued this unexpected response. Severity: 00 CKG579I class profile can contain a TVTOC, but currently does not Explanation: The ACCESS command issued this unexpected response. [ New | Default ] password phrase prepared for RRSF propagation Explanation: This message notifies the user that CKGRACF concluded that a password synchronization package was in control and required password phrases to be passed in clear text. The only commands that can be synchronized are PWSET PHRASE and PWSET PASSWORD. Password phrases in queued PWSET PHRASE commands are two-way encrypted (hashed) with a fixed key. When such a command is being completed, its password phrase is decrypted and then sent as clear text with ENCRYPT=YES. Severity: 00 CKG582I type has level access to class profile Explanation: This is a response to the ACCESS command. The user or group (type) has access level level to the specified profile in class class. Severity: 00 CKG583I class profile is unprotected, protectall in warning mode Explanation: This is a response to the ACCESS command. The user or group can access the data set freely because there is no generic profile for the specified resource and RACF operates in PROTECTALL(WARNING) mode. A warning message will be issued, but access will be allowed. There is one exception: if there is a discrete data set profile, the resource might in fact be protected. The current ACCESS command does not support discrete data set profiles. Severity: 00 CKG584I class profile is protected by protectall fail mode Explanation: This is a response to the ACCESS command. The user or group cannot access the data set because there is no generic profile for the specified resource and RACF operates in PROTECTALL(FAIL) mode. There is one exception: if there is a discrete data set profile, the resource might in fact be accessible. The current ACCESS command does not support discrete data set profiles. Severity: 00 Severity: 00 CKG585I CKG580I class profile does not contain a TVTOC Explanation: The ACCESS command issued this unexpected response. Severity: 00 66 Messages Guide class profile is unprotected because of noprotectall Explanation: This is a response to the ACCESS command. The user or group can access the data set freely because there is no generic profile for the specified resource and RACF operates in NOPROTECTALL mode. There is one exception: if there is a discrete data set profile, the resource might in CKG586I • CKG599I fact be protected. The current ACCESS command does not support discrete data set profiles. Severity: 00 CKG586I class profile protection undecided by SAF, application decides Explanation: The requested ACCESS is undecided. The class is active but no matching profile was found. Some applications allow access in this case, some do not. Severity: 00 CKG587I type is not authorized to class profile Explanation: This is a response to the ACCESS command. The user or group cannot access the resource. Severity: 00 CKG588I type is not authorized to use volume volser Explanation: This is a response to the ACCESS command. The user or group cannot access the resource. Severity: 00 CKG589I type is not authorized to use class profile Explanation: This is a response to the ACCESS command. The user or group (type) cannot access the resource. type is not authorized to open non-cataloged dataset Explanation: This is a response to the ACCESS command. The user or group (type) cannot access the resource because of the CATDSNS setting. CKG591I Severity: 00 CKG594I type is not authorized when system is in tranquil state Explanation: This is a response to the ACCESS command. The user or group (type) cannot access the resource because the system is in MLQUIET tranquilized state. CKG595I type has EXECUTE access to class profile Explanation: This is a response to the ACCESS command. Generally you will not see this message. Severity: 00 class profile required seclabel missing Explanation: This is a response to the ACCESS command. The user or group (type) cannot access the resource because either the resource or the user has a seclabel and the other does not. Severity: 00 CKG596I REQUEST=VERIFY was failed by exit Explanation: This is a response to the ACCESS command. Access checking failed because a site exit prevented a security environment to be established for CKGRACF. Severity: 00 type has been revoked Explanation: This is a response to the ACCESS command. Access checking failed because a security environment cannot to be established for CKGRACF. This happens because the user is currently revoked. Severity: 00 type has insufficient or no seclabel Explanation: This is a response to the ACCESS command. Access checking fails because a security environment cannot to be established for CKGRACF. This happens because the user seclabel is missing or insufficient. Severity: 00 CKG599I CKG592I class profile seclabel cannot be dominated by user Explanation: This is a response to the ACCESS command. The user or group (type) cannot access the resource because the resource has a seclabel that is not dominated by the user. CKG598I Severity: 00 class profile seclabel not dominated by user Explanation: This is a response to the ACCESS command. The user or group (type) cannot access the resource because the resource has a seclabel that is not dominated by the user. CKG597I Severity: 00 CKG590I CKG593I Unsupported AUTH return code: SAF RC (hex) nn; RACF RC (hex) nn; RACF reason (hex) nn; Class class; Profile profile Explanation: This is a response to the ACCESS command. It is a catchall message for SAF and RACF return codes that are not interpreted into text messages by CKGRACF. Chapter 3. CKG messages 67 CKG600I • CKG610I Severity: 00 Messages from 600 to 699 CKG600I Profile class profile not found Explanation: The indicated profile was specified as the target of the current command, but does not exist. The current command cannot be performed. Use DEBUG RACROUTE to view the RACROUTE return codes; message CKG404I (for USER profiles) or CKG405I (for all other profile types) indicates the RACROUTE,request=EXTRACT return codes. command will not be executed. To determine the cause of this message, you can use the "Show CKGRACF command flow" in SETUP TRACE when in IBM Security zSecure Admin and Audit for RACF, or use the CKGRACF DEBUG command directly. This will show the access checks that are performed, so that you can examine the situation, and possibly request additional authorities. Severity: 08 Severity: 08 CKG606I CKG601I Owner of profile class profile (ID=owner) not found Access to userdata failed for class profile and index 'index' for command at file line n Explanation: The owner of the indicated profile is owner; this is neither a user ID nor a group ID. This indicates an error in the RACF database; run the VERIFY PERMIT command. Explanation: Access to the USR entries with the indicated index of the target profile class profile for the command at input file file, line n, was denied. The USRDATA command will not be executed. Severity: 04 Severity: 08 CKG602I Profile class profile leads to owner loop Explanation: The owner of the indicated profile is a group whose owner tree leads to a loop. This indicates an error in the RACF database; run the VERIFY GROUPTREE command. Severity: 20 CKG607I type password occurs in password history Explanation: The new password or new default password specified by type occurs in the user's password history. No new password or default password will be set. Severity: 08 CKG603I Scope profile too long for class profile Explanation: The scope resource name for the indicated profile cannot be constructed, since it would be over 255 characters. The scope check for the indicated profile will always fail. This can be solved by simplifying the group tree structure in your RACF database. Severity: 08 CKG608I Open failed for imbedded member member of file ddname dataset dsname Explanation: This message indicates that an INCLUDE or IMBED command was given for a member, but the member could not be opened in the data set allocated to the file. Review the job log for a MVS/DFP message or abend code. Severity: 12 CKG604I Access access to command resource class resource denied for command at file line n CKG609I Open failed for imbedded file ddname dataset dsname Explanation: Access to the command at input file file, line n, required access access to the command resource resource. Access was denied; the command will not be executed. Explanation: This message indicates that an INCLUDE or IMBED command was given for a file, but the file could not be opened. Review the job log for a message or abend code. Severity: 08 Severity: 12 CKG605I Profile class profile not in scope for command at file line n Explanation: Access to the target profile class profile for the command at input file file, line n, was denied after both the SCP profiles had been checked. The 68 Messages Guide CKG610I action action for field failed Explanation: This message indicates that an action for field failed for the FIELD command. Severity: 08 CKG611I • CKG620I CKG611I PWCONVERT command refused - user not SPECIAL Explanation: This message indicates that a PWCONVERT command was not executed, since the user did not have SPECIAL authority. Severity: 08 phrase. If this fails, message CKG618I is issued. Severity: 00 CKG617I Prompting for default [ password | password phrase] failed Explanation: This message indicates that a PWCONVERT command for target user user was not executed, since the target user's current password was not hashed. Explanation: This message indicates that a USER PWDEFAULT PROMPT command or a USER PWDEFAULT PROMPT PHRASE command was issued. CKGRACF tried to prompt for a default password or password phrase, but this failed. This might be due to the user's profile settings, for example, PROFILE NOPROMPT. The USER command is not executed. Severity: 08 Severity: 08 CKG612I CKG613I Password for user user is not hashed Could not convert password for user user Explanation: This message indicates that a PWCONVERT command for target user user was not executed, since the target user's de-hashed password could not be encrypted using the installation's encryption method. This may be due to the installation's password-encryption exit ICHDEX01 or ICHDEX11. Use DEBUG SAFRC to view the RACROUTE return codes; message CKG406I i indicates the RACROUTE encryption return codes. CKG618I Prompting for [ password | password phrase] failed Explanation: This message indicates that a USER PWSET PROMPT command or a USER PWSET DEFAULT command was issued and no default password or password phrase was found. CKGRACF tried to prompt for a password or password phrase, but this failed. This might be due to the user's profile settings, for example, PROFILE NOPROMPT. The USER command is not executed. Severity: 08 Severity: 08 CKG619I CKG614I RDELETE command refused - user not SPECIAL Explanation: This message indicates that an RDELETE command was not executed, since the user did not have SPECIAL authority. Severity: 08 CKG615I Command action invalid for user user with 'authority' requirement; command at file line n Explanation: This message indicates that a USER command was used with a queued-command action invalid for user with multiple-authority requirement authority. Severity: 08 CKG616I No default [ password | password phrase] found - prompting Explanation: This message indicates that a USER PWSET DEFAULT command or a USER PWSET DEFAULT PHRASE command was issued and no default password or password phrase was found. (This can be due to a USER PWDEFAULT DELETE command in the same USER command.) CKGRACF tries to prompt for a new password or password Could not read previous [ password | password phrase] Explanation: This message indicates that a USER PWSET PREVIOUS command or a USER PWSET PREVIOUS PHRASE command was issued, but the previous password or password phrase could not be read because, for example, the previous password phrase was created when KDFAES was not in effect. The USER command is not executed. Severity: 08 CKG620I Requested command was already in queue Explanation: This message indicates that a USER command was used with the REQUEST option, but that the requested command was already in the target command queue. The previously queued command must be completed, denied, or withdrawn before the request can be allowed. Remember that the target profile for CONNECT and REMOVE is the GROUP profile, not the USER profile. Severity: 08 Chapter 3. CKG messages 69 CKG620 • CKG631I CKG620 Requested/asked command was already in queue Explanation: This message indicates that a USER command was used with the REQUEST or ASK option, but that the requested command was already in the target command queue. The previously queued command must be completed, denied, or withdrawn before the request can be allowed. Remember that the target profile for CONNECT and REMOVE is the GROUP profile, not the USER profile. Command not found in queue Explanation: This message indicates that a USER command was used with the WITHDRAW, SECOND, or COMPLETE option, but that the requested command was not found in the user's command queue or had already been made inactive. Passwords are not identical - prompting again Explanation: This message indicates that the passwords entered and reentered at the prompt do not match. Another attempt will be made to prompt for a password. Enter an empty password twice to exit the prompting. Severity: 00 CKG627I Severity: 08 CKG621I CKG626I Reason does not fit in USRDATA; truncated Explanation: This message indicates that the reason field specified with a USER SCHEDULE command to be queued does not fit in the USRDATA repeat-group. The part of the reason that does fit will be included; the rest will be lost. This message can only occur if the active or backup RACF database is non-restructured. Severity: 04 Severity: 08 CKG628I CKG622I Could not replace userdata with index 'index': old data not found Action 'requested-action' not allowed; last action 'action'; authority 'setting' Explanation: This message indicates that a USRDATA REPLACE command failed for USR entries with the indicated index; there was no entry with the old value. Explanation: This message indicates that the queued-command action requested-action was specified. This action is not allowed after the indicated previous action for a user ID with multiple-authority requirement setting. Severity: 08 Severity: 08 CKG623I type password not allowed by password rules CKG629I Action 'requested-action' not allowed; you performed 'action' Explanation: This message indicates that a new password or new default password indicated by type failed to match any of the system's password rules. The new password or new default password will not be used. Explanation: This message indicates that the queued-command action requested-action was specified. This action is not allowed because the user performed the earlier action indicated. Each queued-command command action must be performed by a different user. Severity: 08 Severity: 08 CKG624I ABEND in PWDX exit - suppressed from now on Explanation: This message indicates an abend occurred during the call to the installation's new-password exit ICHPWX01. The exit will not be called again during the current run of CKGRACF. CKG630I Action not allowed; command has expired Explanation: This message indicates a queued-command action was specified that is not allowed because the queued command has expired. Severity: 08 Severity: 08 CKG631I CKG625I Could not prompt for password Explanation: This message indicates that a prompt to enter or reenter a new password failed. This can be due to the user's profile settings (for example, PROFILE NOPROMPT). Severity: 08 70 Messages Guide Unknown CKGRACF-reserved entry with index 'index' Explanation: This message indicates the LIST command encountered an unknown CKGRACF-reserved USR entry with the indicated index. This may be due to settings not made by CKGRACF, or due to settings made with a newer CKGRACF release during, for example, a trial install. CKG632I • CKG641I These entries can be deleted using WIPE UNDEFINED. Severity: 08 Severity: 08 CKG637I CKG632I Could not delete userdata elements with index 'index'. Explanation: This message indicates the USRDATA command could not delete an USR entry elements with the indicated index. Either no such elements could be found, or the specified USRDATA value for the USR entry did not match. Severity: 08 CKG633I Explanation: This message indicates that the field with the indicated description to be displayed, replaced or deleted was not available. If this message is not printed as the result of a FIELD command, it indicates an internal error condition; contact IBM Software Support. Severity: 08 CKG638I Access to schedule 'schedule' denied for command at file line n Explanation: Access to the indicated schedule was denied for the USER SCHEDULE command. Field 'description' not available. Values for field 'description' do not match Explanation: This message indicates that the field with the indicated description to be replaced or deleted does not match the value supplied. It is issued as a result of the FIELD command. Severity: 08 Severity: 08 CKG639I CKG634I Authority setting has a wrong format Explanation: This message indicates that a multiple-authority setting was encountered that has a wrong format. This may indicate a bug in CKGRACF or that the USR field of the target user ID was altered by a different, incompatible command. Try to use AUTHORITY DELETE or WIPE AUTHORITY to delete the multiple-authority setting from the target user ID; if the error occurs again, contact IBM Software Support. Severity: 12 CKG635I Explanation: This message indicates that a default-password or default-password-phrase setting was encountered that has a wrong format. This might indicate a defect in CKGRACF or that the USR field of the target user ID was altered by a different, incompatible command. Try to use the USER PWDEFAULT DELETE [PASSWORD | PHRASE] command to delete the incorrect setting from the target user ID. If the message refers to a password setting, you can also try to use the WIPE DEFAULTPW subcommand to delete the default password for the user ID. If the error occurs again, contact IBM Software Support. Severity: 12 CKG636I Explanation: This message indicates that a queued command was encountered that has a wrong format. This may indicate a bug in CKGRACF or that the USR field of the target user ID was altered by a different, incompatible command. Try to use WIPE QUEUE to delete the queued commands from the target user ID; if the error occurs again, contact IBM Software Support. Severity: 12 CKG640I Default [ password | password-phrase ] setting has a wrong format Wrong length size specified for field 'description' Queued command has a wrong format Could not encrypt type password for user user Explanation: This message indicates that a USER command for target user user was not executed, since the new password or new default password (indicated by type) could not be encrypted using the installation's encryption method. This may be due to the installation's password-encryption exit ICHDEX01 or ICHDEX11. Use DEBUG SAFRC to view the RACROUTE return codes; message CKG406I indicates the RACROUTE encryption return codes. Severity: 08 CKG641I type password not allowed by new-password exit Explanation: This message indicates that a new password or new default password indicated by type was not allowed by the installation's new-password exit ICHPWX01. The new password or new default password will not be used. Severity: 08 Explanation: This message indicates that the value specified for the field with the indicated description to be replaced or deleted had the wrong size indicated. The reference for the FIELD command specifies the size that must be used. Chapter 3. CKG messages 71 CKG642I • CKG651I CKG642I Scheduled action has a wrong format Explanation: This message indicates that a scheduled revoke/resume action was encountered that has a wrong format. This may indicate a bug in CKGRACF or that the USR field of the target user ID was altered by a different, incompatible command. Try to use WIPE SCHEDULE to delete the scheduled actions from the target user ID; if the error occurs again, contact IBM Software Support. Severity: 12 CKG643I Press enter twice for no action Explanation: This message does not indicate an error. It is printed before a password is prompted, and indicates that password prompting can be ended by pressing Enter twice. CKG647I Explanation: An unexpected return code was returned by ICHEINTY. Contact IBM Software Support. Severity: 08 CKG648I No password entered Explanation: This message indicates that two empty passwords were entered at the prompt. This ends prompting; since no password was entered, the USER command will not be executed. Severity: 08 CKG645I Previous [ password | password phrase] changed during queuing Explanation: This warning message indicates that, during the execution of a queued USER PWSET PREVIOUS command, it was discovered that the previous password or password phrase was changed while the command was queued. The USER command uses the value of the previous password or password phrase from the time that the command was requested and first queued. Severity: 04 Password change will not be sent to package partner nodes Explanation: This warning indicates that the changes made will not be available in RACF nodes synchronized by the indicated subsystems - the only commands that will be synchronized are PWSET PASSWORD and PWSET PHRASE. Severity: 04 CKG649I Severity: 00 CKG644I Field "field" is read only type password prepared for RRSF propagation Explanation: This messages notifies the user that CKGRACF concluded that a password synchronization package was in control that required passwords to be passed in clear text. The only commands that can be synchronized are PWSET PASSWORD and PWSET PHRASE. Passwords in queued PWSET PASSWORD commands are two-way encrypted (hashed) with a fixed key. When such a command is being completed, its password is decrypted and then sent as clear text with ENCRYPT=YES. Severity: 00 CKG650I Encountered timestamp from future date Explanation: This message indicates that a queued command contained a timestamp from a future date. This may indicate a bug in CKGRACF or that the USR field of the target user ID was altered by a different, incompatible command. Try to use WIPE QUEUE to delete the queued commands from the user ID; if the error occurs again, contact IBM Software Support. Severity: 12 CKG646I Default [ password | password phrase] changed during queuing Explanation: This warning message indicates that, during the execution of a queued USER PWSET DEFAULT, USER PWRESET, or USER PHRESET command, it was discovered that the default password or password phrase was changed or deleted while the command was queued. The USER command will use the value of the default password or password phrase from the time that the command was requested and first queued. Severity: 04 72 Messages Guide CKG651I Encountered unknown queued-command code Explanation: This message indicates that a queued command contained unknown data. This may indicate a bug in CKGRACF or that the USR field of the target user ID was altered by a different, incompatible command. Try to use WIPE QUEUE to delete the queued commands from the user ID; if the error occurs again, contact IBM Software Support. Severity: 12 CKG652I • CKG662I CKG652I Encountered unknown queued-command status Explanation: This message indicates that a queued command contained an unknown status flag. This may indicate a bug in CKGRACF or that the USR field of the target user ID was altered by a different, incompatible command. Try to use WIPE QUEUE to delete the queued commands from the user ID; if the error occurs again, contact IBM Software Support. Severity: 12 CKG653I No default [ password | password phrase] available Severity: 08 Password in queued command two-way encrypted with unknown method A PWDX change requires a PASSWORD change in the same FIELD command Explanation: When a FIELD command with action ADD, SET, or REPLACE specifies a PWDX field, the same command must specify a PASSWORD field as well. Severity: 12 CKG657I A PHRASEX change requires a PHRASE change in the same FIELD command Explanation: When a FIELD command with action ADD, SET, or REPLACE specifies a PHRASEX field, the same command must specify a PHRASE field as well. Severity: 12 CKG658I Severity: 24 Field field is not allowed because KDFAES is not supported on this system Explanation: This system does not support KDFAES. Therefore, fields PWDX and PHRASEX cannot occur in FIELD commands. PWSET option option not allowed - use NOPROTECTED first Explanation: The USER PWSET command cannot be used to change the password or password phrase of a protected user. Use the USER userid PWSET NOPROTECTED command to remove the protected status of the target user ID before changing the password or password phrase of the user. Severity: 08 Could not read profile data from class profile Explanation: This message indicates that (part of) the indicated profile could not be read. The profile exists but may lack a specific segment. For example, a BINDPW field is addressed but the profile does not have a PROXY segment. Use DEBUG ICHEINTY to view more detailed information. Severity: 08 CKG662I Severity: 12 IRRSPW00: SAF RC (hex) safrc; RACF RC (hex) racfrc; RACF reason (hex) racfreas Explanation: There was an error in callable service IRRSPW00. Contact IBM Software Support. CKG661I Explanation: This message indicates that a queued command contained unusable data. This may indicate a bug in CKGRACF or that the USR field of the target user ID was altered by a different, incompatible command. Try to use WIPE QUEUE to delete the queued commands from the user ID; if the error occurs again, contact IBM Software Support. CKG656I CKG659I CKG660I Explanation: A USER PWRESET or USER PHRESET command failed because no default password or password phrase was available. This can be due to a PWDEFAULT DELETE subcommand in the same USER command, or because no default password or password phrase is set for the target user. CKG654I Severity: 12 Could not write profile data to class profile Explanation: This message indicates that the indicated profile could not be updated. This may be because the target profile does not exist, or because the profile has become too large due to many CKGRACF USRDATA entries. Use DEBUG ICHEINTY to view more detailed information. If the profile is too large, consider running a WIPE command possibly followed by re-adding still relevant commands. For information, see the WIPE command documentation in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual. If this message is issued for more than one profile, or if it reoccurs on a regular basis, the period during which CKGRACF keeps expired commands in the profiles for auditing purposes might be too long. This setting can be verified with the SHOW CKRSITE command. For information on the SHOW command, see the IBM Security zSecure Admin and Audit for RACF: User Reference Manual. For information on changing the value for the CKRSITE Keep Command parameter, see the IBM Security zSecure CARLa-Driven Components: Installation and Deployment Guide. Chapter 3. CKG messages 73 CKG663I • CKG675I Severity: 08 CKG663I CKG669I Could not delete profile class profile [ vol(volser) ] Explanation: This message indicates that the indicated profile could not be deleted. This may be because the target profile does not exist. Use DEBUG ICHEINTY to view more detailed information. CKG664I Explanation: This message indicates that an internal error occurred. Note the procedure name and, if present, the reason, and contact IBM Software Support. Severity: 24 CKG670I Severity: 08 Profile class profile not found Explanation: This message indicates that the indicated profile could not be found. Probably the profile does exist; you may have made a typing error. Use DEBUG ICHEINTY to view more detailed information. Internal error in procedure name; reason: reason Access to racfdata failed for class prefix and index index for command command Explanation: A racfdata profile does not allow the user to specify a certain RACF parameter or value. The index indicates the parameter. For information on the indices, refer to the IBM Security zSecure Admin and Audit for RACF: User Reference Manual. Severity: 08 Severity: 08 CKG671I CKG665I Unable to determine CKGAUTH for class and index "profile" for command Explanation: The internal multiple authority requirement for the specified profile could not be determined. Severity: 00 CKG666I Explanation: Occurs when multiple identical commands have to be deleted, for example, due to expiration. Severity: 04 CKG672I Unable to execute timed temporary command because UNTIL date is already past Explanation: A temporary command was scheduled for a time period from AT date to UNTIL date, but was not executed before the UNTIL date passed. This command can not be executed anymore, and will be forcibly expired. Severity: 08 Command already deleted Scheduled event already deleted. Explanation: This message indicates that a duplicate scheduled event has been deleted. Severity: 04 CKG673I IMBED parameters FILEDESC/PATH mutually exclusive with DD/MEM Explanation: This message indicates that a FILEDESC/PATH parameter has been used in conjunction with a DD/MM parameter. Severity: 12 CKG667I RACF command execution failed Explanation: A queued command could not be executed during a REFRESH. This could mean that a temporary command will not be undone! Check the profile manually for the failed command. Severity: 08 CKG674I Answer to question Qnn hashed with unknown function Explanation: The answer to question Qnn has an unknown format because it has been hashed with an unknown function Severity: 08 CKG668I Unable to reverse command command Explanation: The indicated command was to be issued temporarily. However, an attempt to reverse the meaning of the command has failed. Reversal may have to be done manually. Severity: 08 74 Messages Guide CKG675I Question Qnn is question Explanation: This message shows question nn. Severity: 00 CKG676I • CKG689I CKG676I Authentication by questions failed CKG684I Explanation: Some answers are wrong. Severity: 08 CKG677I [ New | Default ] password phrase contains more than 2 consecutive characters that are identical. Explanation: The password phrase must not contain more than 2 consecutive characters that are identical. Authentication by questions succeeded Severity: 08 Explanation: All answers are right. CKG685I Severity: 00 CKG678I Could not list question Qnn Explanation: Question nn cannot be listed because it does not exist. [ New | Default ] password phrase must contain at least 2 alphabetic characters. Explanation: The password phrase must contain at least 2 alphabetic characters, for example, A - Z or a - z. Severity: 08 Severity: 04 CKG686I CKG679I Could not delete question Qnn Explanation: Question nn cannot be deleted because it does not exist. Severity: 08 [ New | Default ] password phrase must contain at least 2 non-alphabetic characters. Explanation: The password phrase must contain at least 2 non-alphabetic characters, for example, numerics, punctuation, or special characters. Severity: 08 CKG680I Could not verify question Qnn Explanation: Question nn cannot be verified because it does not exist. CKG687I Severity: 08 Explanation: The password phrase must not contain the user ID as sequential uppercase or sequential lowercase characters. CKG681I User or group profile profile not found Explanation: The user or group profile profile does not exist. Severity: 04 CKG682I Password phrase change will not be sent to package partner nodes. Explanation: This message indicates that the changes made will not be available in RACF nodes synchronized by the indicated subsystems. The only commands that will be synchronized are PWSET PHRASE and PWSET PASSWORD. Severity: 08 CKG688I Password phrase has fewer than minimum characters Explanation: The password phrase must have at least 9 characters when the new-password-phrase exit (ICHPWX11) is present. The password phrase must have at least 14 characters when ICHPWX11 is not present. ABEND in new-password-phrase exit suppressed from now on. Explanation: An abend occurred during the call to the installation’s new-password-phrase exit ICHPWX11. The exit will not be called again during the current run of CKGRACF. Severity: 08 CKG689I Severity: 04 CKG683I [ New | Default ] password phrase contains the user ID. Password phrase in queued command two-way encrypted with unknown method. Explanation: A queued command contains unusable data. This might indicate a bug in CKGRACF or that the USR field of the target user ID was altered by a different, incompatible command. Try to use WIPE QUEUE to delete the queued commands from the user ID. If the error occurs again, contact IBM Software Support. Severity: 12 Severity: 08 Chapter 3. CKG messages 75 CKG690I • CKG701I CKG690I Could not encrypt [ New | Default ] password phrase for user user. Explanation: A USER command for target user user was not executed, since the new password phrase could not be encrypted. Use DEBUG SAFRC to view the RACROUTE return codes; message CKG406I indicates the RACROUTE encryption return codes. Severity: 08 CKG691I [ New | Default ] password phrase occurs in password phrase history. Explanation: The new password phrase occurs in the password phrase history of the user. No new password phrase will be set. Severity: 08 CKG692I [ New | Default ] password phrase not allowed by new-password-phrase exit. Explanation: A new password phrase was not allowed by the installation’s new-password-phrase exit ICHPWX11. The new password phrase will not be used. Severity: 08 CKG693I RACLINK ID(userid) UNDEFINE(node.id) failed - no association found Explanation: A user ID association between user userid on the local node and user id on node node was not found in the userid profile. Consequently, the specified association was not undefined. Severity: 08 CKG695I There is no server active with SERVERTOKEN=name Explanation: An attempt was made to access the zSecure Server with SERVERTOKEN=name, but an active server with the specified server token was not located. User response: Verify that the server token is correct in SETUP RUN when running the ISPF user interface. If the token is correct, ensure that the server is still running. Restart the server if it is not running. Severity: 0 CKG696I Client connection to server failed RC=decnum Explanation: An attempt to access the zSecure Server failed with the indicated return code. If one or more fields were specified that required server access, these fields could not be verified. Return code values: 2 See the prior server-error CKN message. The message is prefixed by the ZSECSYS name of the server. 4 Did not all fit in buffer 8 Unsupported function 12 Caller not authorized as client 16 Parameters not valid User response: Look for CKN* server messages before this message and follow their guidance. For return codes greater than 2, restart the server to see whether the problem disappears. Severity: 00 CKG694I [NOPASSWORD | NOPHRASE] option not allowed - add a [PHRASE | PASSWORD] first or use PROTECTED Explanation: The USER PWSET NOPASSWORD command or the USER PWSET NOPHRASE command would create a user without a password and without a phrase. User response: Either assign a value to the other field or make the user protected using the USER PWSET userid PROTECTED command. CKG697I Default password phrase can only be set when using the KDFAES algorithm. Explanation: The PWDEFAULT PHRASE subcommand is only supported if the KDFAES password hashing algorithm is used. You can change the current password algorithm using the SETROPTS PASSWORD(ALGORITHM(KDFAES)). Severity: 08 Severity: 08 Messages from 700 to 799 CKG700I Expected decimal value instead of type "value" at file line number Explanation: This message indicates that a non-decimal value was encountered where a decimal value was expected. Severity: 12 76 Messages Guide CKG701I Value value (decimal) too large Explanation: This message indicates that a value was read that is too large to fit in the field. value indicates the value read after conversion to decimal. Severity: 12 CKG702I • CKG713I CKG702I Value value (decimal) less than minimum minimum Explanation: This message indicates that a value was read that is less than the indicated minimum value for the field. value indicates the value read after conversion to decimal. Severity: 12 CKG708I Keywords 'keyword one' and 'keyword two' are mutually exclusive at file line number Explanation: This message indicates that two keywords were encountered that are both valid options for the current command, but that are mutually exclusive. The indicated position is that of the second keyword. Severity: 12 CKG703I Value value (decimal) larger than maximum maximum CKG709I Class 'class' not allowed at file line number Explanation: This message indicates that a value was read that is larger than the indicated maximum value for the field. value indicates the value read after conversion to decimal. Explanation: This message indicates that a class was specified that is not allowed with the current command. Severity: 12 Severity: 12 CKG704I Error during 'character' conversion of string string Explanation: This message indicates an error during the conversion of a string from binary, decimal, or hexadecimal. character indicates the type of conversion attempted; if omitted, an abend occurred during conversion. Severity: 12 CKG705I CKG710I Explanation: This message indicates that a user or group ID was specified that is not valid, since it is more than 8 characters long. Severity: 12 CKG711I Invalid conversion character 'character' Explanation: This message indicates that a quoted string was followed by a conversion character not supported by the current command. The only conversion characters supported for the current command are ' X' (convert from hexadecimal) and 'C' (keep case as-is). 'string' is not a valid user/groupid, size > 8 Invalid profile type 'character' Explanation: This message indicates that an invalid conversion character was specified with the RDELETE or USRDATA command. Valid conversion characters for either command are 'D' (discrete) and 'G' (generic). Valid conversion characters for the RDELETE command only are 'C' (keep case as-is) and 'X' (convert from hexadecimal). Severity: 12 Severity: 12 CKG712I CKG706I String with length length is longer than expected size size Interval value larger than SETROPTS maximum maximum Explanation: This message indicates that a string was read with the indicated length. The string is too large to fit in the field, which has a maximum size of size. Explanation: This message indicates that an interval was specified with the USER command that is larger than the system-defined maximum set by the SETROPTS PASSWORD(INTERVAL) command. Severity: 12 Severity: 12 CKG707I Keyword 'keyword' not allowed at file line number Explanation: This message indicates that a keyword was encountered that was recognized as a valid option for the current command, but is not allowed at the current position. CKG713I Keyword 'keyword' not allowed in batch or APPC mode Explanation: The keyword specified is not allowed in batch mode. Severity: 12 Severity: 12 Chapter 3. CKG messages 77 CKG714I • CKG726I CKG714I PWDEFAULT default option 'PROMPT' not allowed in batch or APPC mode Explanation: The default option of the USER PWDEFAULT command is not allowed in batch mode. Severity: 12 CKG715I CNG* USRNM values are reserved Explanation: The USRDATA command was specified with an index value starting with CNG. These indexes are reserved for use by CKGRACF and cannot be accessed using the USRDATA command. CKGRACF settings can be listed using the LIST command. Severity: 12 CKG716I Start-date must be earlier than end-date Explanation: In the USER SCHEDULE command, the start-date specified must be earlier than the end-date specified. Severity: 08 invalid date would be to specify February 29 in a non-leap year. Severity: 12 CKG721I Discrete dataset profiles not allowed Explanation: You specified the "D" conversion character for a data set profile with the USRDATA command. The USR field of discrete data set profiles is not supported by CKGRACF. Severity: 12 CKG722I Password value must be specified for password request Explanation: You specified the USER PWSET PASSWORD or USER PWDEFAULT PASSWORD command for a request. In this case, you must specify a password value between parentheses after the PASSWORD option, for example, PASSWORD(SECRET). The password value is only optional for an action other than REQUEST. Severity: 12 CKG717I Left margin cannot exceed right margin Explanation: In the MARGINS(x,y) command, x (the left margin) cannot exceed y (the right margin). Severity: 12 CKG718I CKGRACF terminated due to input errors Explanation: Previous messages indicate an error in the program parameters or command input file. CKGRACF does not perform any command if the input is not syntactically correct. Correct the errors and run the program again. Severity: 12 CKG719I Schedule date must be today or in the future Severity: 12 Invalid date 'date' Explanation: The specified date has an invalid format or contains an invalid date. Dates must have the format 01jan2000 (ISO-date) or 2001/365 (Julian date). An 78 Only option QUEUE or TAG allowed with CLASS class Explanation: For all classes except USER, only the options QUEUE and TAG are allowed with the LIST command. The QUEUE option will be the default for these classes. Severity: 12 CKG724I No command specified for CMD Explanation: The CMD command could not find any RACF command in its command-line. Severity: 12 Explanation: You specified a past schedule date with a USER SCHEDULE REQUEST command. Requested schedule dates must be today or lie in the future. Note that a date entered in an invalid format may cause this message to be issued, since it is read as zero (01JAN1900). CKG720I CKG723I Messages Guide CKG725I Start-date cannot be earlier than today Explanation: You specified an AT date on a CMD command that was already past. Severity: 08 CKG726I No active commands specified, CKGRACF terminated Explanation: You didn't specify any active commands on input to CKGRACF. Non-active commands are DEBUG, INCLUDE and SUPPRESS. Severity: 12 CKG727I • CKG738I CKG727I At least one option is required for the command command Explanation: The command command requires at least one option, which isn't provided. Severity: 12 CKG728I PWNO* keywords require an additional keyword Explanation: This message is issued when PWNOEXIT, PWNOHIST or PWNORULE are defined as the only keywords on a USER command. These keywords require another keyword (for example, PWSET) to be effective and useful. Severity: 12 CKG733I Field field not supported on z/OS v.r and below - field ignored Explanation: The field field in the USER profile is not supported on z/OS version v release r and below. Reading or setting this field using the CKGRACF FIELD command is ignored. Severity: 04 CKG734I Password string longer than 8 bytes Explanation: The password entered on a CKGRACF USER PWDEFAULT or CKGRACF USER PWSET command is longer than 8 bytes. RACF only supports passwords with a length smaller or equal to 8 bytes. Choose a shorter password. Severity: 12 CKG729I Date value 'value' 2-digit year is ambiguous CKG735I CKGRACF does not run under CMS Explanation: This suppressible message indicates that a 2-digit year was encountered. By default, this is not allowed to prevent any year-2000 related confusion. In case this is a problem for backward compatibility, the message can be suppressed. In this case the 2-digit years are all interpreted as lying in the 20th century (i.e. they are prefixed with 19, being backward compatible). Explanation: CKGRACF only runs under z/OS. If this message is shown under z/OS, contact IBM Software Support. Severity: 12 Explanation: The multiple-authority requirement set in the CKRSITE module is set to the unknown value value. This indicates an error in installation. CKG730I Date 'date' is beyond the year 2069 Explanation: This message is issued when a date beyond the year 2069 has been encountered. Such a late date probably results from a typo. Severity: 20 CKG736I Severity: 20 CKG737I Severity: 04 CKG731I Question identifier expected Explanation: The word, if any, after a QUESTION action (SET, VERIFY, LIST, or DELETE) must be a question identifier Qnn, where nn is a nonnegative integer below 100. Password phrase value must be specified for password phrase request. Explanation: You specified the USER PWSET PHRASE command for a request. In this case, you must specify a password phrase value between parentheses after the PHRASE option, for example, PHRASE('This is a secret'). The password phrase value is only optional for an action other than REQUEST. Queued command expiration time (value) larger than auditing period (value) Explanation: The queued-command expiration time and the auditing period set in the CKRSITE module are in conflict. This indicates an error in installation. Severity: 20 CKG738I Severity: 12 CKG732I Invalid multiple-authority requirement value explanation; RACROUTE REQUEST=STAT returned with SAFRC=safrc RACFRC=racfrc RSNCODE=rsncode Explanation: The RACROUTE REQUEST=STAT call to determine whether the class set in the CKRSITE module is available, indicates that RACF or the class is not available. explanation contains a human-readable explanation of the return codes shown in the message (in hex). Severity: 20 Severity: 12 Chapter 3. CKG messages 79 CKG739I • CKG749I CKG739I RACF >= 1.8 required Explanation: A RACF version before 1.8 is active. CKGRACF requires RACF version 1.8 or later. Severity: 20 CKG740I CKGRACF must run APF-authorized Explanation: CKGRACF must run APF-authorized. This can be caused, for example, by not including CKGRACF in the TSO authorized command list (AUTHCMD) in PARMLIB member IKJTSOxx. You can activate changes to this member without an IPL by using the TSO PARMLIB command. For more information on the PARMLIB command, see the TSO/E System Programming Command Reference. Severity: 20 CKG745I Password phrase must be enclosed in single quotes. Explanation: There must be single quotes around the password phrase value in the PWSET PHRASE option, as in PHRASE('This is a secret'). If a single quotation mark is intended to be part of the password phrase, you must use two single quotation marks together for each single quotation mark, as in PHRASE('This is a ''quoted'' secret'). Severity: 12 CKG746I Password phrase has more than maximum characters. Explanation: A password phrase can have at most maximum characters. Severity: 12 CKG741I No ACEE could be found from TCB or ASXB Explanation: CKGRACF could not find an ACEE for the current user. Severity: 20 CKG747I Password phrase has fewer than minimum characters Explanation: A password phrase must have at least minimum characters. Severity: 12 CKG742I Neither CKGPRINT nor SYSTERM allocated and no TSO; CKGRACF terminated CKG748I UNDEF parameter must be '(NODE_NAME.USERID)' Explanation: This message is printed when CKGPRINT and SYSTERM are not allocated. In this case, CKGRACF is unable to generate any output, and will terminate before parsing or executing any commands. Explanation: The UNDEF parameter of a USER userid RACLINK UNDEF command was followed by something other than (node.id). Note that there must be no spaces in UNDEF(node.id). There must be a dot (.) between node node and user id. To send the output directly to the TSO terminal, issue the TSO command ALLOC FILE(CKGPRINT) DA(*) before giving the CKGRACF command. You may free CKGPRINT afterwards with FREE FILE(CKGPRINT). Severity: 12 Severity: 16 CKG743I No SYSTERM allocated Explanation: This message is issued when SYSTERM is not allocated. All output will still appear on CKGPRINT. Severity: 00 CKG744I Profile name contains invalid character character at position position Explanation: The input string for the profile name is not valid because it contains a character that is not allowed in profile names. Severity: 12 80 Messages Guide CKG749I CKGRACF command only allowed with NODE() Explanation: Within a CKGRACF CMD command, a nested CKGRACF command is allowed only in order to send it to another zSecure node. The NODE(node) option of the CKGRACF CMD command is required for this purpose. Severity: 12 CKG834I..CKG836I • CKG905I Messages from 800 to 899 CKG834I..CKG836I message Explanation: These messages are in response to debugging options. If you need information about these messages, contact IBM Software Support. Severity: 0 Explanation: A program call to the zSecure Server program was attempted while it was performing a termination sequence. User response: No action is required. If you need assistance about this message, contact IBM Software Support. Severity: 00 CKG837I IDENTIFY RC=n for CKGSRVIN at address Explanation: This message indicates a failure of the IDENTIFY service to establish the indicated module name at the indicated address. User response: See the MVS documentation about the IDENTIFY service. Severity: 12 CKG841I Severe SRVIN error PC RC=n - issuing user abend 841 Explanation: While reading from a remote node, an error condition was returned by the Program Call interface of the server. CKG874I Explanation: This message indicates invalid record contents for a RECFM=V(B)(S) data set. The record descriptor word does not match the DCB parameters. The Record Descriptor Word (RDW) is shown in hexadecimal. The first 2 bytes are the record length including the RDW. This is handled as an end-of-file condition. The severity is 4 to avoid disrupting processes that might encounter empty data sets and need to continue. User response: Recreate the data set or omit the data set from the input. User response: Verify that the server is active, then restart the server and try again. Severity: 04 Severity: 16 CKG875I CKG842I SPECPROC returned length out of range R0=xxxxxxx - issuing user abend 842 Explanation: This message indicates that one of the internal interfaces related to the zSecure Server received an unexpected length and issued an abend. User response: Look for the message on the IBM support site. If no solution is posted, collect SYSPRINT on both the local and remote sides and contact IBM Software Support. Severity: 16 CKG851I Local CKNSERVE server no longer available (user abend 214 (x'0D6')) RECFM=V(BS) RDW hex exceeds LRECL=lrecl at record n ddname volser dsname RECFM=V(BS) BDW hex exceeds BLKSIZE=blksize at record n ddname volser dsname Explanation: This message indicates invalid block contents for a RECFM=V(B)(S) data set. The block descriptor word does not match the DCB parameters. The Block Descriptor Word (BDW) is shown in hexadecimal. The first 2 bytes are the block length including the BDW, unless the high order bit is on, in which case it can be a large block 4 byte length. This is handled as an end-of-file condition. The severity is 4 to avoid disrupting processes that might encounter empty data sets and need to continue. User response: Recreate the data set or omit the data set from the input. Severity: 04 Messages from 900 to 999 CKG904I Unconditional access is required to read from file file vol dsn(member) Explanation: A data set to which only conditional (PADS) access was granted was requested for SYSIN input. Unconditional read access is needed to read this type of data. The data set is not processed. Severity: 12 CKG905I A member name is required to read from file ddname data set dsn Explanation: An imbed statement was present referring to a PDS(E) data set, but the member to be read from that data set was not specified. Add the correct member to the imbed statement and resubmit the query. Severity: 12 Chapter 3. CKG messages 81 CKG907I • CKG947I CKG907I DYNALLOC trace: SVC 99 return code nn - meaning Explanation: This message is issued because of a failed SVC99 where DAIRFAIL did not return a message text. It has continuation lines detailing the individual text units contents after SVC 99 (DYNALLOC) completion. CKG939I Explanation: Message written if T was selected at the CKR938I prompt. Severity: 16 CKG942I Severity: 00 CKG915I UNIX write record nn failed RC nn [meaning] reason qqqq rrrrx [meaning] file ddname path Explanation: This message indicates that a BPX1WRV call failed with the indicated return code in decimal and the reason code split into reason code qualifier qqqq and reason code rrrr, both in hexadecimal. For well-known return codes and reason codes the numeric values are followed by an explanatory string. Use the IBM Unix System Services manual to look up other return and reason codes. Severity: 16 CKG919I Record with negative length length directed to ddname behind record recno Explanation: An invalid record was passed to the output routine. An empty record has been written instead. Contact IBM Software Support. proc: Buffer overrun - destinationlength sourcelength: data Explanation: A buffer overrun occurred in the format procedure proc. This message will be followed by a user ABEND 931. Contact IBM Software Support. Severity: 24 CKG934I Environment mismatch for product code code Explanation: This message indicates that while code for the product code identified was installed, it is not running in its proper environment. For instance, some product codes are limited to UNIX tasks under z/OS, some to non-UNIX tasks under z/OS, and some to z/VM. Severity: 00 CKG944I UNIX type close RC nn [meaning] reason qqq rrrr x [meaning] file ddname path Explanation: This message indicates that a BPX1CLO call failed with the indicated return code in decimal and the reason code split into reason code qualifier qqqq and reason code rrrr, both in hexadecimal. For well-known return codes and reason codes the numeric values are followed by an explanatory string. Use the IBM Unix System Services manual to look up other return and reason codes. The type can be 'wronly' or 'rdonly'. Severity: 16 Severity: 24 CKG931I Terminated due to repeated attention Value value too large Explanation: This message indicates that the input parser received a numerical value that was too large. The maximum value that can be processed by the input parser is 2147483647. CKG945I UNIX action failed RC nn [meaning] reason qqq rrrr x [meaning] file ddname path Explanation: This message indicates that a BPX1OPN or BPX1FCT call failed with the indicated return code in decimal and the reason code split into reason code qualifier qqqq and reason code rrrr, both in hexadecimal. For well-known return codes and reason codes the numeric values are followed by an explanatory string. Use the IBM Unix System Services manual to look up other return and reason codes. The action can be 'wronly open', 'fcntl filetag', or 'rdonly open'. Severity: 16 Severity: 12 CKG947I CKG938I Repeated ATTN, enter C(ont) T(erminate) or A(bend) - Explanation: This interactive prompt offers the option to terminate or abend the program after a repeated attention. 82 Messages Guide Reading filedesc off failed RC nn [meaning] reason qqqq rrrr x [meaning] file ddname path Explanation: This message indicates that a BPX1RED (UNIX read) call failed with the indicated return code in decimal and the reason code split into reason code qualifier qqqq and reason code rrrr, both in hexadecimal. For well-known return codes and reason codes the numeric values are followed by an explanatory string. Use the IBM Unix System Services CKG948I • CKG962I manual to look up other return and reason codes. Severity: 16 CKG948I Enablement information corrupt for product code code Explanation: This message shows a problem with product installation or entitlement. User response: Contact your system programmer to verify successful installation. Severity: 16 CKG949I CKG962B Command not supported in background Explanation: This message is issued by the command-execution module and indicates a command could not be executed through the TSO service facility. This can be caused, for example, by not including CKGRACF in the TSO authorized command list (AUTHCMD) in PARMLIB member IKJTSOxx. You can activate changes to this member without an IPL by using the TSO PARMLIB command. For more information on the PARMLIB command, see the TSO/E System Programming Command Reference. Severity: 16 Product code code installed and non-APF registration limit exceeded Explanation: This message is issued in response to DEBUG LICENSE for products that are installed but cannot be registered because the MVS limit for product registration by non-APF programs has been exceeded. CKG962C Command failed abend code Explanation: This message is issued by the command-execution module, and indicates a command ended abnormally with the indicated abend code. Severity: 12 User response: CKGRACF should run authorized. CKG962E Severity: 00 CKG950I Code not installed here for product code code Explanation: This indicates that you are attempting to run functionality for a product that is not installed here. CKG951I Explanation: This message is issued by the command-execution module, and indicates a TSO command could not be executed, because command environment was not TSO/E. Severity: 16 CKG962F Severity: 16 system abend code (desc) trying to load modulemodulett Explanation: This message indicates a failure to load a module and the reason. Abend 806 means the module could not be found. Abend 306 may mean that a controlled environment was present and the module to be loaded was not program controlled. Severity: 08 Not running in a TSO/E environment Command failed, return code code (decimal) Explanation: This message is issued by the command-execution module. It indicates a command was unsuccessful and returned the indicated result code. If the message preceding this message is CKG740I, see the explanation of CKG740I. For all other situations, determine the command that was run and check the appropriate manual for possible return codes. For RACF commands, possible return codes are documented in the RACF Command Language Reference. Severity: 08 CKG955I program task heap STORAGE REQUEST ERROR: SIZE NOT POSITIVE Explanation: This message indicates an internal memory management error. It is followed by a user abend 16. The message identifies the heap as well as the program and task that created the heap. Contact IBM Software Support. Severity: 16 CKG962I IKJTSOEV module not found Explanation: An attempt was made to establish a TSO environment, but the TSO environment initialization routine IKJTSOEV could not be found. Normally IKJTSOEV is in the link list. This will cause return code 20 when encountered as part of an attempt to execute a TSO command, and otherwise 8. Severity: 08 CKG962A Command terminated by attention Explanation: This message is issued by the command-execution module, and indicates a command was terminated by pressing the ATTN key. Severity: 10 Chapter 3. CKG messages 83 CKG962 • CKG962W CKG962 IKJTSOEV return code xx reason code yy service reason code zz (decimal) Explanation: This will cause return code 20 when encountered as part of an attempt to execute a TSO command. Severity: 08 CKG962 SVC 220 return code hh (hex) on command Explanation: This will cause return code 20 when encountered as part of an attempt to execute a RACF or CMS command. Command could not be found in an authorized library. Explanation: This message is issued by the command-execution module, and indicates a TSO command could not be executed, because it was not found. Typically, this is an unsuccessful call to the CKGRACF authorized component, which failed because CKGRACF was not part of an authorized library in the link list, or was not found in an APF-authorized STEPLIB. Check whether the library containing CKGRACF is APF-authorized. Severity: 16 CKG962M Command may have failed, return code n Explanation: This message indicates that a command returned a nonzero return code less than or equal to 4. This message causes a minimum return code of 4. It depends on the command whether this is a partial failure or a warning. Severity: 04 CKG962N Severity: 00 CLIST processing through % not supported Explanation: This message is issued by the command-execution module. It indicates an attempt to run an CLIST using the % operator. Execution of CLISTs is not supported. Severity: 16 CKG962S IKJEFTSR fails return code error reason code reason Explanation: This message is issued by the command-execution module, and indicates a TSO command could not be executed. The command returned the indicated error code and reason code. Severity: 16 CKG962T Command failed, ATTACH rc rc (decimal) Explanation: This message is issued by the command-execution module, and indicates failure to attach a TSO command. Severity: 16 Command not allowed from APF mode command Explanation: This message is issued by the command-execution module, and indicates that the indicated command is not in the TSO AUTHCMD list and also not in a built-in list of safe commands to be called from an APF authorized program. If the command was requested by yourself, try running it under IKJEFT01 or without APF authorization. If this message is in response to a built-in function, contact IBM Software Support. Severity: 16 84 Command has flushed TSO stack relogon required to close output trap file Explanation: This message is issued by the command-execution module. Generally this means that subsequent command output is not written to the CKGPRINT file. It might be lost or shown in line mode after leaving CKGRACF. Depending on the z/OS release, it might be sufficient to leave and reenter ISPF to restore normal behavior. In the worst case, a relogon is required. CKG962P Severity: 08 CKG962L CKG962O Messages Guide CKG962U Unauthorized functions cannot be invoked from an authorized environment Explanation: This message should not occur. Contact IBM Software Support. Severity: 16 CKG962W Command not found Explanation: This message is issued by the command-execution module, and indicates a TSO command could not be executed, because it was not found. Typically, this is an unsuccessful call to the CKGRACF authorized component, which failed because CKGRACF was not part of an authorized library in the link list, or was not found in an APF-authorized STEPLIB. Check whether the library CKG962X • CKG976I containing CKGRACF is APF-authorized. CKG972I Severity: 16 CKG962X Syntax error in the command name Explanation: This message is issued by the command-execution module, and indicates a TSO command could not be executed, because the name was not syntactically correct. Severity: 16 CKG963I Explanation: This message indicates an ambiguous abbreviation was entered, i.e. two or more keywords could be indicated by the abbreviated value. Specify the keyword intended in more detail. Severity: 12 CKG968I Explanation: This message indicates that the product cannot run because the load module is not complete. User response: Contact your system programmer to complete installation of the product. Severity: 16 CKG973I Ambiguous name "value" IFAEDDRG failed RC nn decimal Explanation: This message indicates that an attempt to register a previously registered product failed. CKG969I I/O error for dsn: description IBM Security product code code disabled or not installed Explanation: This indicates that you are attempting to run functionality for a product that is not installed here, or it is disabled for this system name, sysplex name, LPAR name, VM user ID, or hardware name. User response: Check active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, contact your system programmer to verify installation. Severity: 16 CKG974I User response: Contact IBM Software Support. Severity: 16 Enablement information missing for product IBM Security product disabled or not installed here for requested focus Explanation: Either the product is not installed here, or the requested focus is disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name. Explanation: This message indicates that an I/O error occurred during normal QSAM or BSAM input processing for dsn. Operation will be continued, but an abend or other error message may follow because of the information missing due to the I/O error. User response: Check active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, contact your system programmer to verify installation. Severity: 08 CKG975I CKG970I program task heap FREE STORAGE ERROR: message Explanation: This message indicates an internal memory management error. It is followed by a user abend 16. The message identifies the heap as well as the program and task that created the heap. Contact IBM Software Support. Maximum length for this field is len at file line n Explanation: The input contains a multiple-line string that is too long. Multiple-line strings (print titles or quoted strings) have a maximum size len that was exceeded. Severity: 12 IBM Security product disabled or not installed Explanation: Either the product is not installed here, or it is disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name. User response: Check active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, contact your system programmer to verify installation. Severity: 16 Severity: 16 CKG971I Severity: 16 CKG976I Code or enablement for product code code is missing Explanation: Either the product is not installed here, or it is disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name. User response: Check active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, contact your system programmer to verify installation. Severity: 16 Chapter 3. CKG messages 85 CKG976 • CKG987I CKG976 IBM Security product or feature disabled or not installed here CKG982I Internal error: unknown error code at ddname line number Explanation: Either the product is not installed here, or it is disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name. Explanation: The input parser error routine encountered an invalid error code. Contact IBM Software Support. User response: Check active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, contact your system programmer to verify installation. Severity: 24 CKG983I Severity: 16 CKG977I Installed PRODUCT OWNER('IBM CORP') ID(id) NAME('name') FEATURE('feature') VER(version) REL(release) MOD(modification) [ Product action RC rc decimal ] Explanation: This message is issued in response to DEBUG LICENSE for products that are installed. The action can be "registration" or "status." The return code is for IFAEDREG or IFAEDSTA, respectively, which are documented in MVS Programming: Product Registration. No continuation line is shown if product registration does not apply (for example, because of CKG979I). Severity: 00 CKG978I Product code code has been disabled in PARMLIB Explanation: This message is issued in response to DEBUG LICENSE for products that have been disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name by an entry in IFAPRDxx in your z/OS PARMLIB. Expecting typ1 list separator/terminator instead of type "value" at ddname line number Explanation: This message indicates that the input parser expected a list separator or terminator for the current list of the indicated type (this can for instance be a comma, blank, or end-of-line, depending on the context). Instead, it encountered the indicated token type type (and text value, if available). The input parser skips all input until it encounters a valid list separator or terminator for the current list. Severity: 12 CKG984I Invalid type list element type type "value" at ddname line number Explanation: This message indicates that the input parser expected a list element of the specified type, but found a token of a type not supported as a list element in this context. If available, the offending text value is also listed in the message. The input parser skips all input until it encounters a valid list separator or terminator for the current list. Severity: 12 User response: Run the product somewhere else, or ask your system programmer for enablement. CKG985I Severity: 00 Explanation: This message indicates that the input parser detected a missing required parameter or element in the list at the indicated line. CKG979I Product code code implied by other Explanation: This message is issued in response to DEBUG LICENSE for products that are not being registered because their entitlement is implied by a more encompassing entitlement. Severity: 00 CKG981I Invalid type "value" Explanation: This message indicates that the text value is not a valid value in the context type. Severity: 12 Required list element/parameter "value" missing at ddname line number Severity: 12 CKG986I Duplicate parameter value at ddname line number Explanation: This message indicates that the input parser detected a duplicate occurrence of the parameter or list element value at the indicated line. Severity: 12 CKG987I Syntax error: type1 expected instead of type2at "value" on ddname line number Explanation: This message indicates that the input parser expected a specific token type type1 in the current context. Instead of this, it found the token type type2 (at the text value, if available) on the indicated input line. 86 Messages Guide CKG988I • CKG999I Severity: 12 CKG988I CKG995I Syntax error: "c" expected instead of typeat "value" on ddname line number Explanation: This message indicates that the input parser expected a specific character "c" (presumably a delimiter) in the current context. Instead of this, it found the token type type (at the text value, if available) on the indicated input line. Severity: 12 CKG989I CKG989 Unexpected type ["value"] [for element] at ddname line number Skipping to EOL at unexpected type ["value"] at ddname line number Explanation: This message indicates that the input parser expected one of a number of specific token types, but found a different token type instead. If available, the offending text value and the element for which it is read are also listed in the message. The parser will either continue with the next token, or skip directly to the end of the line. Severity: 12 CKG991I ESTAE return code rc Severity: 04 DIAGNOSTIC DUMP SUPPRESSED FOR program TASK taskname type ABEND xxx Explanation: This message indicates that the program abend exit did not attempt to make a diagnostic summary dump. This is done to prevent recursive abend conditions involving the print file. The task name is PROGRAM for the main task or for the only task in a program. For a multi-tasking program, program might identify one of the subtasks. CKG994I Explanation: This message indicates that the print file open routine detected an invalid record length for the output file. This would have been overruled with a correct length for a Physical Sequential data set, but this is not done for Partitioned data sets to prevent making any existing PDS members inaccessible. Subsequent 013 or 002 abends may be caused by the invalid record length. CKG996I MFREE: NO LENGTH FOUND IN BLOCK FOR STACK name Explanation: This message indicates an internal stack error. It will be followed by a user ABEND 16. Contact IBM Software Support. Severity: 04 CKG997I STACK ERROR - ELEMENT POPPED IS NOT ON TOP OF STACK name Explanation: This message indicates an internal stack error. It will be followed by a user ABEND 16. Contact IBM Software Support. Severity: 16 Explanation: This message indicates that the program failed to establish an abend exit linkage. CKG993I LRECL INVALID; NOT OVERRULED BECAUSE PARTITIONED Last record truncated by end-of-file ddname CKG998I STACK OVERFLOW FOR STACK tasklevel stackname IN program Explanation: This message indicates an internal stack error. It is followed by a user abend 16. Contact IBM Software Support. Severity: 16 CKG999I STORAGE SHORTAGE FOR TASK taskname HEAP heapname IN program INCREASE REGION Explanation: This message indicates that the program needs more storage. It is followed by a user abend 16. If the heap name is LOWHEAP or SYSSTACK, then the request is for storage below the 16MB line. If the name is MAINHEAP, then the request is for storage anywhere. Increase the region (for a batch job) or SIZE (for a TSO command) and try again. Severity: 16 Explanation: This message indicates that end-of-file was reached for a RECFM=VBS input file in the middle of a multi-segment record. Severity: 16 Chapter 3. CKG messages 87 88 Messages Guide Chapter 4. CKN messages This chapter describes messages that are issued by the CKNSERVE program. The CKNSERVE program is the zSecure Server. zSecure Servers (usually one per system) form a network of peer nodes that can remotely fill requests from CKRCARLA, CKX, and CKGRACF. The following severity level codes are used by the CKNSERVE program: I Informational message. W Warning message. The task continues, but an error occurred. E Error message. The task may end immediately, or may attempt to continue. S Severe error message. A Action message. Operator action is needed to correct the situation. The CKN message numbers are grouped according to these categories: 100-399 400-499 500-599 600-699 700-799 800-899 900-999 Normal message, giving status or summary information. Debugging messages due to a DEBUG command Normal message, giving status or summary information. Error condition during execution. Error during the parsing of input, before any command is executed. Messages issued by architectural subcomponents. Messages issued by architectural subcomponents. The general meaning of the CKNSERVE severity codes and hence of the completion code is as follows: 00 Normal message, giving status or summary information. 04 Warning: a condition occurred which may cause the command to have an unexpected effect. 08 Error condition found during processing. 12 Syntax error in command input, or an invalid format of USR data. 16 Entitlement problem or invalid or unsupported files. 20 Unsupported condition found or installation error. 24 Internal error or other unexpected and unsupported condition in CKNSERVE was detected. Messages from 0 to 99 CKN000I Local hostname obtained from gethostname is HOSTNAME Explanation: This message indicates the local hostname that is returned from the gethostname service. This can be of interest if the server is not using the ZSECSYS configuration statement you expect. Severity: 00 © Copyright IBM Corp. 1998, 2015 CKN001I BPX1HST gethostname failed unix error Explanation: This message indicates the server failed to obtain the local hostname. The zSecure Server cannot operate without one. User response: Check the TCP/IP configuration. Ensure there is a global default or connect a TCPIPDATA file. If either of these is specified, see the 89 CKN002I • CKN011I UNIX System Services Messages and Codes manual for guidance. Severity: 12 CKN002I BPX1GAI getaddrinfo for hostname failed unix error Explanation: This message indicates the server failed to obtain the canonical domain name. The zSecure Server cannot operate without one. User response: Check the TCP/IP configuration. Ensure there is a global default or connect a TCPIPDATA file. If either of these is specified, see the UNIX System Services Messages and Codes manual for guidance. Severity: 12 CKN003I Canonical domain name is DNAMNAME Explanation: This message indicates the canonical domain returned by the getaddrinfo service. This can be of interest if the server is not using the ZSECSYS configuration statement you expect. If you do not specify an OPTION OWNSYS in the CKNIN input file, the server selects the first ZSECSYS that matches this name in its IPADDR parameter. Severity: 00 CKN004I BPX1SOC system TCP socket family ai_family abend Explanation: This message indicates a failure to obtain a socket of the indicated family type. The preferred type is 19 (AF_INIT6), but if that is inactive, fallback to family 2 (AF_INET) is expected. The use of any other family number is a software defect. The system is either a ZSECSYS name or the word "Server." User response: See z/OS MVS System Codes to determine the cause and actions. BPX1SOC system TCP socket failed unix error family ai_family socktype ai_socktype Explanation: This message indicates a failure to obtain a socket of the indicated family type. The preferred type is 19 (AF_INIT6), but if that is inactive, fallback to family 2 (AF_INET) is expected. The use of any other family number is a software defect. The system is either a ZSECSYS name or the word "Server." system TCP socket family ai_family established stream socket SOCKDESC Explanation: This informational message indicates for which system a specific socket descriptor number was established. You can use it to link subsequent error messages involving socket numbers to a specific system. The system is either a ZSECSYS name or the word "Server." Severity: 00 CKN007I BPX1BND bind call for port PORT socket SOCKDESC abend Explanation: This message indicates that an abend occurred during a bind call to establish a listener on the indicated port on the indicated socket. User response: See z/OS MVS System Codes to determine the cause and actions. Severity: 12 CKN008I BPX1BND bind call for port PORT socket SOCKDESC failed unix error Explanation: This message indicates that a UNIX error occurred during a bind call to establish a listener on the indicated port on the indicated socket. User response: See your UNIX system codes book to determine the cause and actions. Severity: 12 CKN009I Server socket SOCKDESC bound to port PORT Explanation: This message documents which socket number is used to listen to the indicated port number. Severity: 00 CKN010I Severity: 12 CKN005I CKN006I BPX1LSN listen on socket SOCKDESC abend Explanation: This message indicates that an abend occurred during a listen call on the indicated socket. User response: See z/OS MVS System Codes to determine the cause and actions. Severity: 12 CKN011I BPX1LSN listen failed on socket SOCKDESC unix error User response: See your UNIX system codes book to determine the cause and actions. Explanation: This message indicates that a UNIX error occurred during a listen call on the indicated socket. Severity: 12 User response: See your UNIX system codes book to determine the cause and actions. Severity: 12 90 Messages Guide CKN012I • CKN022I CKN012I Server now listening on socket SOCKDESC to port PORT with max queue depth BACKLOG Explanation: This message indicates that the server is now listening to the indicated port using the indicated socket number. Severity: 00 CKN013I BPX1AIO accept on socket SOCKDESC abend Explanation: This message indicates that an abend occurred during an asyncio accept call on the indicated socket. User response: See your UNIX system codes book to determine the cause and actions. Severity: 12 CKN018I BPX1AIO receive on socket SOCKDESC abend Explanation: This message indicates that an abend occurred during an asyncio receive call on the indicated socket. User response: See z/OS MVS System Codes to determine the cause and actions. Severity: 12 User response: See z/OS MVS System Codes to determine the cause and actions. CKN019I Severity: 12 Explanation: This message indicates that a UNIX error occurred during an asyncio receive call on the indicated socket. CKN014I BPX1AIO accept failed on socket SOCKDESC unix error Explanation: This message indicates that a UNIX error occurred during an asyncio accept call on the indicated socket. BPX1AIO receive failed on socket SOCKDESC unix error User response: See your UNIX system codes book to determine the cause and actions. Severity: 12 User response: See your UNIX system codes book to determine the cause and actions. CKN020I Severity: 12 Explanation: This message indicates that an abend occurred during an asyncio send call on the indicated socket for the indicated message type. CKN015I CKNCOMR unknown WKQRTYPE=xx on WKQR address Explanation: This message indicates that the communication task received an unknown request type. User response: Determine if this is a known problem with a specified fix. If so, apply the fix. If not, contact IBM Software Support. User response: See z/OS MVS System Codes to determine the cause and actions. Severity: 12 CKN021I Severity: 16 CKN016I BPX1AIO connect on socket SOCKET abend Explanation: This message indicates that an abend occurred during an asyncio connect call on the indicated socket. User response: See z/OS MVS System Codes to determine the cause and actions. Severity: 12 CKN017I BPX1AIO connect failed on socket SOCKET unix error port PORT of IPADDRESS Explanation: This message indicates that a UNIX error occurred during an asyncio connect call on the indicated socket for the indicated port and IP address. BPX1AIO send number byte TYPE msg on socket SOCKDESC abend BPX1AIO send NUMBER byte TYPE msg failed on socket SOCKDESC unix error Explanation: This message indicates that a UNIX error occurred during an asyncio send call on the indicated socket for the indicated message type. User response: See your UNIX system codes book to determine the cause and actions. Severity: 12 CKN022I Send failed on socket SOCKDESC unix error , closing socket Explanation: This error might be caused by a firewall action blocking the communication link from this server to the peer server. If the peer server is the managing node and this server is the managed node and the connection is successful, this is not necessarily a problem. If it is a problem, you must configure one or more of the firewalls to at least allow the connection to Chapter 4. CKN messages 91 CKN023I • CKN030I be established in one direction, from managing node to managed node. Severity: 08 User response: See your UNIX system codes book to determine the cause and actions. CKN027I Severity: 04 Explanation: This message indicates a protocol version error. Presumably the server is contacted by a newer zSecure Server that is not compatible with the version of the current server. CKN023I Send failed because socket SOCKDESC closed Explanation: This message indicates the socket was closed before a scheduled send action was ready. This might be caused by a server shutting down, or by a firewall terminating a connection. User response: If neither the local nor the remote server was shutting down, verify the configuration members for errors relating to the node this socket was connected to, and verify that the connection path is still working, Severity: 08 CKN024I Receive failed on socket SOCKDESC unix error Explanation: This message indicates that a UNIX error occurred during a send call on the indicated socket. This might be caused by a firewall action in the path and is not a problem if a connection the other way still exists, or if there is no client that needs the connection. User response: If there is not a problem with a client, ignore the message. If a client needs to be active, see your UNIX system codes book and follow its guidance. Severity: 04 CKN025I Receive failed because socket SOCKDESC closed Explanation: This message indicates the socket was closed before a scheduled receive action was ready. This might be caused by a server shutting down, or by a firewall terminating a connection. User response: If neither the local nor the remote server was shutting down, verify the configuration members for errors relating to the node this socket was connected to, and verify the connection path is still working. Severity: 08 CKN026I User response: Determine who is connected on this socket and verify it has the right port number configured for what it is trying to do. Severity: 08 CKN028I Unsupported TYPE level xx instead of xx received on socket SOCKDESC Explanation: This message indicates a protocol version error. Presumably the server is contacted by a newer zSecure Server that is not compatible with the version of the current server. User response: Ensure that all configured servers are on compatible levels. For example, follow a more gradual upgrade path. Severity: 08 CKN029I Unexpected TYPE length length found instead of length expected received on socket SOCKDESC Explanation: This message indicates a protocol error. Presumably the server is contacted by a service that uses a different protocol. User response: Determine who is connected on this socket and verify that it has the right port number configured for what it is trying to do. If it is a zSecure Server, verify that the version is compatible. If the version is documented as compatible, look for a problem solution for this message ID on the support web site. If you cannot find a solution, contact IBM Software Support. Severity: 08 CKN030I CKNRMSG called with invalid message id type len length for socket SOCKDESC Explanation: This message indicates a software problem. Negative message length field hexnum received on socket SOCKDESC Explanation: This message indicates a protocol error. Presumably the server was contacted by a service that uses a different protocol. User response: Determine who is connected on the indicated socket and verify it has the right port number configured for what it is trying to do. 92 Unknown message id TYPE received on socket SOCKDESC starts "string" Messages Guide User response: Save the server CKNPRINT output. Search for the message ID on the IBM support web site. If you cannot find a solution, contact IBM Software Support. Severity: 24 CKN031I • CKN041I CKN031I BPX1CLO failed close socket sockdesc unix error User response: Determine if the remote server is active and restart it if it is not. See your UNIX system codes book for more information on the error. Explanation: This message documents a problem that occurred during the close of a socket. Severity: 12 User response: See the UNIX System Services Messages and Codes manual and follow its guidance. CKN037I Severity: 04 CKN032I BPX1FAI freeaddrinfo for domain failed unix error Explanation: This message indicates that a UNIX error occurred during a freeaddrinfo call. Probably there is no impact on the server operation. User response: Save the CKNPRINT file and contact IBM Software Support. Severity: 12 CKN033I Explanation: This message indicates that the local server was contacted by the specified remote server, but the server is not defined in the server configuration file. User response: If you want the remote server to connect, update the server configuration. Otherwise, research who mimics a remote server because the connection attempt might constitute an attack. Severity: 08 BPX1GAI getaddrinfo ZSECSYS failed unix error for IPADDR CKN038I Explanation: This message indicates that a UNIX error occurred during a getaddrinfo call for the indicated IP address. User response: See your UNIX system codes book to determine the cause and actions. Severity: 08 CKN034I ZSECSYS ZSECSYS getaddrinfo resolves IPADDR to NUMIP Explanation: This informational message shows which IP address will be used to attempt to connect to the indicated ZSECSYS. CKNCLNR unknown WKQRTYPE=xx on WKQR address IPADDR connected to is zsecsys=ZSECSYS zsecnode=ZSECNODE smfid=name but not SYSNAME/ ZSYSNODE as defined in configuration file Explanation: This message indicates that the local server is contacting a remote server but the connection returns a different name than the name defined in the local server configuration file. User response: Verify that this connection is intended to work. If so, change one or both of the configuration files. Severity: 08 CKN040I Severity: 00 CKN035I Attempt to connect from zsecsys=ZSECSYS zsecnode=ZSECNODE smfid=name but not defined in configuration file Duplicate ZSECNODE NAME(ZSECNODE) definition Explanation: This message indicates an error in the server configuration file; a ZSECNODE is defined multiple times. Explanation: This message indicates that the communication task received an unknown request type. User response: Change or delete one of the node definitions. User response: Determine if this is a known problem with a specified fix. If so, apply the fix. If not, contact IBM Software Support. Severity: 12 CKN041I Severity: 16 CKN036I Connect to zsecsys failed on socket SOCKDESC unix error Explanation: This message indicates that a connect call to the specified server failed. The server configuration file might not be accurate, a required network link might be down, or the remote server might not be active. Duplicate ZSECSYS NAME(ZSECSYS) definition Explanation: This message indicates an error in the server configuration file; a ZSECSYS name is defined multiple times. A ZSECSYS name must be unique. User response: Change or delete one of the system definitions. Severity: 12 Chapter 4. CKN messages 93 CKN042I • CKN054I CKN042I NO ZSECNODE NAME(ZSECSYS) defined Explanation: This message is issued if a ZSECSYS statement refers to an as yet undefined ZSECNODE. You must define a ZSECNODE before you define the ZSECSYS statement that refers to it. User response: Move or add a ZSECNODE statement, or correct a mistake in the node name. Severity: 12 CKN044I CKN048I Explanation: An OPTION MSGSUP specification contains a message number that is not valid. The number must be between 0 and 999. User response: Correct the MSGSUP specification. Severity: 12 CKN050I No valid ZSECSYS defined in parameters Explanation: The server configuration file must contain ZSECNODE and ZSECSYS statements. A valid ZSECSYS statement was not found. Message number to be suppressed must be in range 0...999 Server requires z/OS 1.9 or higher Explanation: This message indicates that the zSecure Server is not running on a supported z/OS release. Note that this message is suppressible but running zSecure Server this way is not supported. User response: Create a valid server configuration file. User response: Upgrade the z/OS release to a supported release if you need to use the zSecure Server on this system. Severity: 12 Severity: 16 CKN045I ZSECSYS statement missing for ZSECSYS specified on OPTION OWNSYS Explanation: A ZSECSYS statement was found missing, or the OPTION OWNSYS contains a mistake. User response: Correct the server conguration file so that OWNSYS refers to a defined ZSECSYS. CKN051I Server must run APF authorized Explanation: The server needs APF authorization to set up client communication and get RACF information. Note that this message is suppressible but running without APF authorization has very limited functionality as a non-client endpoint server, and is not supported. User response: Add the load library to the APF list. Severity: 12 Severity: 16 CKN046I IPADDR for own ZSECSYS differs from domain name Explanation: This message indicates the canonical name for the current system does not match the IPADDR on the SECSYS statement for the system on OPTION OWNSYS. This mismatch might cause remote systems to fail to connect to the current system. User response: Verify the DNS name for the current system name and update the configuration file. Severity: 04 CKN052I Server with servertoken SERVERTOKEN seems to be active already Explanation: This message indicates that a server is already running and using the indicated server token. That is not supported; only one server can be active per system at any time with a specific server token. User response: Change the server token if you intend to start a parallel server on the same system. Stop the first server instance if you intend to restart the server. Severity: 16 CKN047I Port number IPPORT not possible, must be in range 1..65535 CKN054I Unexpected IEANTRT return code rc Explanation: The IP port specification is not valid. The number must be between 1 and 65535. Explanation: This message lists an unexpected return code from the z/OS name token request service. User response: Correct the IPPORT specification. User response: Try to restart the server. If the problem persists, see the IEANTRT return code documentation and follow its guidance. If you cannot resolve the problem, check whether this is a known problem with an applicable fix. If so, apply the fix. If not, contact IBM Software Support. Severity: 12 Severity: 16 94 Messages Guide CKN055I • CKN067I CKN055I Servertoken token is defined for an incompatible version version this server uses version Explanation: This message documents that a server token was found with an incompatible version. User response: Use a different server token or use a different version of the client software. Severity: 16 persists, determine if this is a known problem with an applicable fix. If so, apply the fix. If not, contact IBM Software Support. Severity: 08 CKN062I Obtaining new ET Explanation: This informational progress message documents that an Entry Table is needed by the server. Severity: 00 CKN056I CKNSERVE first start after IPL with servertoken token CKN063I Obtained new ET with token TOKEN Explanation: This message documents that a new name token was added to the system for the indicated server token. Explanation: This informational progress message documents which new Entry Table token was acquired by the server. Severity: 00 Severity: 00 CKN057I SYSEVENT DONTSWAP failed, return code rc Explanation: This message lists an unexpected return code from the SYSEVENT DONTSWAP call. User response: Try to restart the server. If the problem persists, see the SYSEVENT return code documentation and follow its guidance. CKN064I Explanation: This informational progress message documents that clients can now connect to the server though the Program Call. Severity: 00 CKN065I Severity: 16 CKN058I Using existing LX heXLX from servertoken Explanation: This informational progress message documents which Linkage Index is being reused by the server. Severity: 00 CKN059I Obtaining new LX Explanation: This informational progress message documents that a Linkage Index is needed by the server. Obtained new LX hex lx Explanation: This informational progress message documents which new Linkage Index was acquired by the server. Severity: 00 CKN061I IDENTIFY RC=decrc for CKNSVPC at address Explanation: This message lists an unexpected return code from the IDENTIFY call. User response: Try to restart the server. If the problem Unexpected IEANTCR return code decrc creating NAMETOKEN Explanation: This message lists an unexpected return code from the z/OS name token create service that occurred while trying to create a persistent server name token. User response: Try to restart the server. If the problem persists, see the IEANTCR return code documentation and follow its guidance. If you cannot resolve the problem, determine if this is a known problem with an applicable fix. If so, apply the fix. If not, contact IBM Software Support. Severity: 16 CKN066I Severity: 00 CKN060I Address spaces now connected to ET Persistent server name token NAMETOKEN created successfully Explanation: This informational progress message documents which persistent name token was created. Severity: 00 CKN067I Unexpected IEANTCR return code decrc creating NAMETOKEN Explanation: This message lists an unexpected return code from the z/OS name token create service that occurred while trying to cerate a nonpersistent server name token. User response: Try to restart the server. If the problem persists, see the IEANTCR return code documentation Chapter 4. CKN messages 95 CKN068I • CKN084I and follow its guidance. If you cannot resolve the problem, determine if this is a known problem with an applicable fix. If so, apply the fix. If not, contact IBM Software Support. Severity: 16 CKN068I is IBM software, look for the message ID on the support web site. Severity: 08 CKN081I Non-persistent server name token NAMETOKEN created successfully Explanation: This informational progress message documents which nonpersistent name token was created. Severity: 00 Invalid PLIST pointer passed address abend Explanation: This message indicates that the PC call made by the server was passed a parameter list address that was not valid. User response: Fix the calling program, or if the caller is IBM software, look for the message ID on the support web site. Severity: 08 CKN069I Removing Entry Table Explanation: This informational progress message documents that the server is attempting to remove an Entry Table. Severity: 00 CKN070I Entry Table removed while connections existed Explanation: This informational progress message documents that the server removed an Entry Table, but connections are still active. This might, for instance, cause 0D6 abends in clients. CKN082I Explanation: This message indicates that the PC call made by the server was passed a buffer length address that was not valid. User response: Fix the calling program, or if the caller is IBM software, look for the message ID on the support web site. Severity: 08 CKN083I Severity: 00 CKN072I Entry Table removed succesfully Explanation: This informational progress message documents that the server removed an Entry Table, and no connections were active. Severity: 00 Invalid BUFLEN pointer passed address abend Invalid token pointer passed address abend Explanation: This message indicates that the PC call made by the server was passed a token address that was not valid. User response: Fix the calling program, or if the caller is IBM software, look for the message ID on the support web site. Severity: 08 CKN073I SYSEVENT OKSWAP failed, return code decrc Explanation: This message lists an unexpected return code from the SYSEVENT OKSWAP call. There might be no impact on the server. User response: Try to restart the server and see if the error occurs again. Severity: 04 CKN080I Problem copying to address1 len length1 at address2 writing address3 len length2 from address4 - abend Explanation: This message indicates that the PC call made by the server was passed a buffer address or length that was not valid. User response: Fix the calling problem or, if the caller 96 Messages Guide CKN084I Invalid or expired token passed address cbid from jobname ASID asid user userid Explanation: This message indicates that the server does not know the token passed in a PC call. In rare cases this can occur if a server is restarted while a client is operating. It can also occur by sending a client end request and then sending another request like a remote file close. User response: If the server was restarted, ignore and restart the client operation. Otherwise, fix the calling program, or if the caller is IBM software, look for the message ID on the support web site. Severity: 08 CKN085I • CKN093I CKN085I Expired token passed old client number now new client number from jobname ASID asid user userid Explanation: This message indicates that the server does not know the token passed in a PC call. In rare cases this can occur if a server is restarted while a client is operating. User response: If the server was restarted, ignore and restart the client operation. Otherwise, fix the calling program, or if the caller is IBM software, look for the message ID on the support web site. CKN089I Explanation: This message indicates the server cannot update the token, presumably because it is not located in key 8 storage. User response: Fix the calling program, or if the caller is IBM software, look for the message ID on the support web site Severity: 08 CKN090I Severity: 08 CKN086I Token passed belongs to job jobname ASID asid user userid; caller is jobname ASID asid user userid Explanation: This message indicates that the server was passed a client number in a PC call that belongs to another client. In rare cases this can occur if a server is restarted while a client is operating. User response: If the server was restarted, ignore and restart the client operation. Otherwise, fix the calling program, or if the caller is IBM software, look for the message ID on the support web site. Severity: 08 CKN087I Invalid token passed address - abend from jobname ASID asid user userid Explanation: This message indicates that the server does not know the token passed in a PC call. In rare cases this can occur if a server is restarted while a client is operating. It can also occur by sending a client end request and then sending another request like a remote file close. User response: If the server was restarted, ignore and restart the client operation. Otherwise, fix the calling program, or if the caller is IBM software, look for the message ID on the support web site No userid found, cannot identify Explanation: This message indicates that the server cannot identify the SAF user ID of the unit of work issuing the PC call. Consequently, it denies access. User response: Fix the calling program, or if the caller is IBM software, look for the message ID on the support web site Severity: 08 Invalid FUNCTION pointer passed address - abend Explanation: This message indicates that the PC call made by the server was passed a function pointer that was not valid. User response: Fix the calling program, or if the caller is IBM software, look for the message ID on the support web site Severity: 08 CKN091I Unsupported FUNCTION level xx instead of yy received from jobname ASID asid user userid Explanation: This message indicates that the server does not support the version of the function passed to the PC call. Presumably you are using a new client with an old server in an unsupported combination. User response: Connect to a newer server or use an older client. Severity: 08 CKN092I Unsupported FUNCTION length len1 instead of len2 received from jobname ASID asid user userid Explanation: This message indicates that the PC call made by the server was passed a message length for the specified function that was not valid. User response: Fix the calling program, or if the caller is IBM software, look for the message ID on the support web site Severity: 08 CKN088I Error updating token address - abend Severity: 08 CKN093I ZSECSYS ZSECSYS not defined to server; call from jobname ASID asid user userid Explanation: This message indicates an action was directed to a server name that was not defined in the configuration file for the server. User response: Specify a different target system in the client, or update the server configuration file with a definition for the desired system and restart the server. Chapter 4. CKN messages 97 CKN094I • CKN099I Severity: 04 CKN094I CKN098I Task task IEAVAPE failed RC=dec Explanation: This message indicates a failure to allocate a pause element. User response: Try to restart the server and redo the client action. If the problem persists, see the IEAVAPE return code documentation and follow its guidance. If you cannot resolve the problem, determine if this is a known problem with an applicable fix. If so, apply the fix. If not, contact IBM Software Support. Severity: 12 CKN095I Explanation: This message indicates an action was directed to a server node that was not defined in the server configuration file. User response: Specify a different target node in the client, or update the server configuration file with a definition for the desired node and restart the server. Severity: 04 CKN099I Task task IEAVPSE failed RC=dec Explanation: This message indicates a failure to wait on a pause element. User response: Try to restart the server and redo the action. If the problem persists, see the IEAVPSE return code documentation and follow its guidance. If you cannot resolve the problem, determine if this is a known problem with an applicable fix. If so, apply the fix. If not, contact IBM Software Support. Severity: 12 Task task IEAVDPE failed RC=dec Explanation: This message indicates a failure to deallocate a pause element. User response: Try to restart the server and redo the action. If the problem persists, see the IEAVDPE return code documentation and follow its guidance. If you cannot resolve the problem, determine if this is a known problem with an applicable fix. If so, apply the fix. If not, contact IBM Software Support. Severity: 12 CKN097I Task task instance TCB address unrecognized request function from client client number job jobname ASID asid user userid Explanation: This message indicates that the server does not support the request passed to the PC call. Presumably you are using a new client with an old server in an unsupported combination. User response: Use the server token for a newer server or use an older client. Severity: 08 98 Messages Guide ZSECSYS ZSECSYS not part of node ZSECNODE, call from jobname ASID asid user userid Explanation: This message indicates an action was directed to a server name and node combination that is not defined in the server's configuration file. The specified ZSECSYS must be a member of the specified ZSECNODE. User response: Specify a different target system or node in the client, or update the server configuration file with a matching definition for the desired system and node and restart the server. Severity: 04 CKN096I ZSECNODE ZSECNODE not defined to server; call from jobname ASID asid user userid CKN100I • CKN111I Messages from 100 to 199 CKN100I Unexpected STIMERM SET RC=nn User response: Look up the abend in z/OS MVS System Codes to determine the cause and actions. Explanation: This message indicates that the STIMERM service received an unexpected return code. Severity: 16 User response: Refer to the appropriate z/OS MVS manual and follow its guidance. CKN108I Severity: 16 CKN101I Explanation: This message indicates the remote client handler task received an unknown request type. START command received from console user userid command Explanation: This informational message confirms that an operator START command was received with the indicated positional parameters. Severity: 00 CKN102I STCOM command received from console user userid command Severity: 00 MODIFY command received from console user userid command Explanation: This informational message confirms that the indicated operator MODIFY command was received. Severity: 00 CKN104I STOP command received from console user userid Explanation: This informational message confirms that an operator STOP command was received. Severity: 00 CKN105I Unexpected QEDIT RC=nn Explanation: This message indicates that the QEDIT service received an unexpected return code. User response: Refer to the appropriate z/OS MVS manual. Severity: 08 CKN106I User response: Determine if this is a known problem with an applicable fix. If so, apply the fix. If not, contact IBM Software Support. Severity: 16 CKN109I Explanation: This informational message confirms that an operator START command was received with the indicated keyword parameters. CKN103I CKNRCLR unknown WKQRTYPE=nn on WKQR address Cleanup and terminating due to abend Explanation: This message indicates the an abend in the main task was intercepted and resource cleanup is taking place. Cleanup can be suppressed with OPTION NOCLEANUP but this might result in a non-reusable address space Task TASK ignoring ALLOC after END Explanation: This message indicates that a remote server was passed an ALLOC request for a client that is already terminating. In rare cases this can occur if a server is shutting down while a client is operating. User response: If the server was shutting down, ignore the message and restart the client operation. Otherwise, fix the calling program. If the caller is IBM software, look for the message ID on the support web site. Severity: 08 CKN0110I Task TASK ignoring DOIO after END from socket SOCKET Explanation: This message indicates that a remote server was passed an I/O request for a client that is already terminating. In rare cases this can occur if a server is shutting down while a client is operating. User response: If the server was shutting down, ignore the message and restart the client operation. Otherwise, fix calling program. If the caller is IBM software, look for the message ID on the support web site. Severity: 08 CKN111I Task TASK ignoring DOIO for non-initialized client CLNTNO from socket SOCKDESC Explanation: This message indicates that a remote server was passed an I/O request for a client without having received an ALLOC request. In rare cases this can occur if a local server is shutting down while a client is operating. User response: If a server was restarted, ignore the message and restart the client operation. Otherwise, fix calling program. If the caller is IBM software, look for the message ID on the support web site. Chapter 4. CKN messages 99 CKN112I • CKN121I Severity: 08 CKN112I ALLO (allocate) received from unconfigured ZSECSYS on socket SOCKDESC - ignored Explanation: This message indicates that an ALLOC request was received on an unconfirmed connection. This message is accompanied by earlier messages that show the probable cause of the problem. User response: Change the server configuration file to define the indicated system. Severity: 08 CKN113I DOIO received from unconfigured ZSECSYS on socket SOCKDESC ignored Explanation: This message indicates that an I/O request was received on an unconfirmed connection. This message is accompanied by earlier messages that show the probable cause of the problem. User response: Change the server configuration file to define the indicated system. ENDC received from unconfigured ZSECSYS on socket SOCKDESC ignored Explanation: This message indicates that an end-client request was received on an unconfirmed connection. This message is accompanied by earlier messages that show the probable cause of the problem. User response: Change the server configuration file to define the indicated system. Severity: 08 CKN115I Severity: 08 CKN117I Explanation: This message indicates that a server task failed and was restarted more than once, up to the maximum restart limit. The server is shutting down. User response: Review CKNPRINT and the job log for messages showing the initial error and follow the guidance for those messages. Severity: 16 CKN118I CKNDOIR unknown WKQRTYPE=xx on WKQR address User response: Determine if this is a known problem with an applicable fix. If so, apply the fix. If not, contact IBM Software Support. Explanation: The server communication task was found to be inactive and a restart is being attempted. User response: Review CKNPRINT and the job log for messages showing the initial error and follow the guidance for those messages. CKN119I Task CKNCLNT restart initiated Explanation: The local client handler task was found to be inactive and a restart is being attempted. User response: Review CKNPRINT and the job log for messages showing the initial error and follow the guidance for those messages. Severity: 08 CKN120I Task CKNRCLT restart initiated User response: Review CKNPRINT and the job log for messages showing the initial error and follow the guidance for those messages. Severity: 08 CKN121I Severity: 16 RACF initialization failed for USERID RC=hexnum RSN=hexnum hex; notifying ZSECSYS job JOBNAME user USERID client CLNTNO Explanation: This message indicates that the remote mapped execution user ID failed to initialize with the indicated SAF return code and reason code. 100 Task CKNCOMT restart initiated Explanation: The remote client handler task was found to be inactive and a restart is being attempted. Explanation: This message indicates the remote worker task received an unknown request type. CKN116I Task restart limit reached, shutting down Severity: 08 Severity: 08 CKN114I User response: Look up the indicated SAF return code and reason code for RACROUTE REQUEST=VERIFY in the Security Server RACROUTE documentation. Messages Guide Duplicate request for file CLNT_DDNM received from ZSECSYS client CLNTNO job JOBNAME user USERID Explanation: This message indicates that two ALLOC requests were received for the same client file name. User response: Fix the calling program. If the caller is IBM software, look for the message ID on the support web site. Severity: 08 CKN122I • CKN131I CKN122I Allocated serverdd dsname member to clientdd of ZSECSYS client nn job JOBNAME ASID ASID user USERID Explanation: This informational message is issued to note the successful allocation of a server side data set for a remote client. Severity: 00 CKN127I Open failed for clientdd received from ZSECSYS client nn job JOBNAME ASID ASID user USERID Explanation: This message indicates the indicated client file could not be opened on the server. User response: Look for a message in the server job log about the data set being requested. Severity: 08 CKN123I Unsupported request for file clientdd received from ZSECSYS client nn job JOBNAME ASID ASID user USERID Explanation: This message indicates a protocol error. Get for unopened file clientdd received from ZSECSYS client nn job JOBNAME ASID ASID user USERID User response: Ensure that the server version supports the client version. If it does not, upgrade the downlevel version or use a different server. Explanation: This message indicates a protocol error from a client. The client application tried to obtain a record from a file it had not opened successfully. Severity: 08 User response: Look for open abend or open failure messages and follow the guidance. CKN124I I/O request but alloc failed for clientdd received from ZSECSYS client nn job JOBNAME ASID ASID user USERID CKN128I Severity: 08 CKN129I Explanation: This message indicates a protocol error. User response: Look for one or more messages about a failure and continue there. If no messages are recorded, restart the client and try again. If that does not help, restart the server and try again. If that does not help, fix the protocol error in the client. Severity: 08 CKN125I I/O request without alloc for clientdd received from ZSECSYS client nn job JOBNAME ASID ASID user USERID Explanation: This message indicates that the server received an allocation request without a target system or node; this is a client API error. User response: Fix the calling program. If the caller is IBM software, look for the message ID on the support web site. Severity: 04 CKN130I Explanation: This message indicates a protocol error. User response: Look for one or more messages about a failure and continue there. If no messages are recorded, restart the client and try again. If that does not help, restart the server and try again. If that does not help, fix the protocol error in the client. Severity: 08 CKN126I Node ZSECNODE not currently connected; call from JOBNAME ASID ASID user USERID Explanation: This message indicates an attempt to access a remote server that is currently unavailable. User response: Try again later or verify why the connection cannot be created and remedy the cause. Severity: 04 Open serverdd abend for clientdd received from ZSECSYS client nn job JOBNAME ASID ASID user USERID Explanation: This message indicates an abend occurred while trying to open the indicated DD name on the server on behalf of the client file indicated. User response: See the MVS system codes for the indicated abend code and follow the guidance. Severity: 08 Alloc missing ZSECSYS/NODE; call from JOBNAME ASID ASID user USERID CKN131I System ZSECSYS not currently connected; call from JOBNAME ASID ASID user USERID Explanation: This message indicates an attempt to access a remote server that is currently unavailable. User response: Try again later or verify why the connection cannot be created and remedy the cause. Alternatively, use a ZSECNODE instead of a ZSECSYS to let the system find an active system on the node. Severity: 04 Chapter 4. CKN messages 101 CKN132I • CKN143I CKN132I Message DATA received from ZSECSYS on socket SOCKDESC for client nn that is no longer present Explanation: This message indicates a protocol error occurred while using the server. User response: Check the calling program and ensure that it does not wait excessively long during server interaction. CKN137I Explanation: This message indicates how many records were read from this data set on behalf of a remote client. Severity: 00 CKN138I Severity: 04 CKN133I RACF initialization failed for USERID abend Explanation: An abend occurred during a RACROUTE REQUEST=VERIFY for a local user ID that is the partner (peer) user ID for a remote client. User response: See the MVS system codes for the indicated abend code and follow the guidance. Task TASK ignores ALLOC after failed initialization Explanation: This message indicates a protocol error occurred while using the server. User response: Fix the calling program. Consider discontinuing the call after a failure. If the caller is IBM software, look for the message ID on the support web site. Severity: 04 CKN135I Communication task status SCKD address dump Explanation: This message is part of a summary dump written in case of problems. User response: No user action is required. Severity: 00 CKN139I TASK subtask status TSKD address dump Explanation: This message is part of a summary dump written in case of problems. Severity: 08 CKN134I Read number records from ddname dataset User response: No user action is required. Severity: 00 CKN140I Main task status RACF address dump Explanation: This message is part of a summary dump written in case of problems. User response: No user action is required. Severity: 00 Problem copying from address FUNCTION len hexlen - abend Explanation: This message indicates an abend occurred while returning data to the storage of the caller. User response: See the MVS system codes for the indicated abend code and follow the guidance. CKN141I Main task status ZNOD address dump Explanation: This message is part of a summary dump written in case of problems. User response: No user action is required. Severity: 00 Severity: 08 CKN142I CKN136I Open/get/close without alloc for clientdd from JOBNAME ASID ASID user USERID Explanation: This message indicates a protocol error in using the server. User response: Fix the calling program. If the caller is IBM software, look for the message ID on the support web site. Severity: 08 Main task status ZSYS address dump Explanation: This message is part of a summary dump written in case of problems. User response: No user action is required. Severity: 00 CKN143I Main task status ZSCS address dump Explanation: This message is part of a summary dump written in case of problems. User response: No user action is required. 102 Messages Guide CKN144I • CKN155I Severity: 00 CKN144I CKN150I Main task status DNAM address dump Explanation: This message is part of a summary dump written in case of problems. User response: No user action is required. Work queue element WKQR address type status dump Explanation: This message is part of a summary dump written in case of problems. User response: No user action is required. Severity: 00 Severity: 00 CKN151I CKN145I Main task status INFO address dump Explanation: This message is part of a summary dump written in case of problems. User response: No user action is required. Wait element WKQR address type status dump Explanation: This message is part of a summary dump written in case of problems. User response: No user action is required. Severity: 00 Severity: 00 CKN152I CKN146I Client handler task status for ZSECSYS CLNT address dump Explanation: This message is part of a summary dump written in case of problems. User response: No user action is required. Severity: 00 CKN147I Explanation: This message is part of a summary dump written in case of problems. User response: No user action is required. Severity: 00 CKN148I Remote client handler task status for SYSNAME RCLN address dump User response: No user action is required. Severity: 00 Severity: 00 Work queue header WKQH address dump User response: No user action is required. Client handler task status for ZSECSYS client NO RFIL address dump Explanation: This message is part of a summary dump written in case of problems. User response: No user action is required. Severity: 00 Notify client nn of failing server Explanation: This message is sent to a waiting client as a surrogate reply to the request the client was waiting on that could not be completed. User response: Restart the server or wait until the server is restarted and try again. Severity: 00 CKN155I Explanation: This message is part of a summary dump written in case of problems. Severity: 00 User response: No user action is required. CKN154I Explanation: This message is part of a summary dump written in case of problems. CKN149I Explanation: This message is part of a summary dump written in case of problems. CKN153I Local file name status for ZSECSYS client nn LFIL address dump Client status RLNK address dump Notify client nn of stopping server Explanation: This message is sent to a waiting client as a surrogate reply to the request the client was waiting on. The request could not be completed because the server received a STOP request from the operator. User response: Restart the server or wait until the server is restarted and try again. Severity: 00 Chapter 4. CKN messages 103 CKN156I • CKN166I CKN156I Server stopping - socket SOCKDESC wait cancelled Explanation: This message is sent to a waiting client as a surrogate reply to the request the client was waiting on. The request could not be completed because the server received a STOP request from the operator. User response: Restart the server or wait until the server is restarted and try again. Severity: 00 CKN161I Explanation: This message indicates that the main task is ready with shutdown and is terminating. Severity: 00 CKN162I Severity: 00 CKN157I Server failing - socket SOCKDESC wait cancelled Explanation: This message is sent to a waiting client as a surrogate reply to the request the client was waiting on that could not be completed. User response: Restart the server or wait until the server is restarted and try again. Severity: 00 CKN158I Unsecured connection rejected on socket sockdesc from/to zsecnode/zsecsys sysplex.clone.sysname njenode.smfid rrsfnode Explanation: An attempt was made to connect to or from a remote server, but the connection was not protected by AT-TLS. The server does not allow unsecured connections. Unsecured connections can be allowed using the OPTION statement. User response: Set up an AT-TLS protection between the servers with the policy agent. See the Installation and Deployment Guide for instructions. Severity: 00 activity on SYSNAME(name) SYSPLEX(name) [ LPARNAME(name) ] [ VMUSERID(name) ] [ HWNAME(name) ] CPU-id CPUid Product codes codes Products Explanation: This message shows the system, sysplex, LPAR, VM user ID, and hardware where it is running, and which IBM Security zSecure suite products are installed and not disabled through IFAPRDxx for use in this program. For a description of the product codes, see the License names table in any of the zSecure Admin and Audit user reference manuals. Each line in the "Products" section shows a product ID and the full name of a particular product feature, for example, 5655-N17 IBM Security zSecure Audit for RACF for code AUDITRACF. activity can be Runs or UNIX depending on the calling environment used. Severity: 00 CKN159I zSecure Server zsecnode/zsecsys token servertoken shutdown complete CKN163I [Unsecured|Secured|Self] connection on socket sockdesc from/to zsecnode/zsecsys sysplex.clone.sysname njenode.smfid rrsfnode Explanation: This message indicates that the zSecure Server has successfully established a connection to a peer zSecure Server or to itself. Severity: 00 CKN164I Client number job jobname user userid Explanation: This message is written to record the first request of a local client program to the zSecure Server. As long as the client requests pass the same token and are issued from the same userid and jobname (and the server has not restarted), the client is considered the same client. Severity: 00 Contents of CKRSITE module: Class: setting Explanation: This message is issued in response to OPTION DEBUG command. setting displays the relevant class name, for example, XFACILIT. Severity: 00 CKN165I zSecure Server zsecnode/zsecsys lost last connection to zsecnode/zsecsys Explanation: This message indicates that the last TCP connection to a partner zSecure Server was dropped. The connection remains dropped until a new allocation request is received. Severity: 00 CKN160I Connection dropped socket SOCKDESC wait cancelled Explanation: This message indicates a remote server connection was lost and a paused client was released. User response: Restore the network connection and try the operation again. 104 Messages Guide CKN166I An unexpected return code was received from IEFSSREQ SSI=54, Subsys=subsys, R15=rc, SSOBRETN=rsn Explanation: An IEFSSREQ request type 54 for subsystem subsys ended with return code rc for Register CKN167I • CKN173I 15 and reason code rsn for the SSOBRETN field, where: Severity: 00 v subsys is the name of the subsystem being queried, either JES2 or JES3. CKN169I v rc is the value of Register 15 returned from IEFSSREQ. v rsn is the IEFSSREQ reason code obtained from SSOBRETN. If a subsystem request using IEFSSREQ is issued, the CKN166I message is generated if an error occurs. If you are running z/OS version 1.8 or later, additional errors related to the JES node processing can occur. Normally, the call to IEFSSREQ returns information about the primary JES2 or JES3 subsystem that obtains the JES2 own node or JES3 home node. If this information is not returned, CKNSERVE cannot determine the name of the local JES node. Ignoring request id after an end-client request CKNE Explanation: This message indicates that a local server was passed the indicated request type for a client that is already terminating. This can occur, for example, if remote-files close requests are sent after and end-client request. User response: Ignore or fix the calling program. If the caller is IBM software, look for the message ID on the support web site. Severity: 04 CKN170I BPX1CLO failed close listening socket SOCKDESC UNIX_ERROR User response: This error might be caused by running zSecure on an operating system that is not supported, or by recent maintenance to the operating system that might affect the IEFSSREQ service. For further information about the error, see the documented return code values for IEFSSREQ and SSOBRETN in z/OS MVS Using the Subsystem Interface SA38-0679. If you cannot resolve the problem, contact IBM Customer Support. Explanation: This message indicates that an attempt to close a socket failed. Severity: 08 Explanation: This message documents how many records were read from the indicated data source. CKN167I Error locating JES node, Subsys=subsys version Explanation: The CKN167I message is issued if the JES node cannot be determined from the IEFSSREQ subsystem request, where: v subsys is the name of the JES2 or JES3 primary subsystem. v version is the JES2 or JES3 version (for example, SP 1.8.0) User response: This error might be caused by recent maintenance to the operating system that might affect the IEFSSREQ service. Ensure that the primary JES2 or JES3 subsystem has initialized and try to restart the zSecure multisystem server. If you cannot resolve the problem, contact IBM Customer Support. User response: See your UNIX system codes book to determine the cause and actions. Severity: 04 CKN171I Severity: 00 CKN172I subsys node is node Explanation: During multisystem server initialization, this informational message is issued after the JES node is resolved, where: v subsys is the name of the primary subsystem, either JES2 or JES3. v node is the own node name (JES2) or home node name (JES3). Cannot open clntddnm twice; request by zsecsys client number job jobname user userid Explanation: This message indicates that two open requests were received for the same client file name User response: Fix the calling program. If the caller is IBM software, look for the message ID on the support web site. Severity: 08 CKN173I Severity: 08 CKN168I Close after reading number records from ddname volser dsname Userid mapping not allowed for client-userid to target-userid, notifying zsecsys job jobname user client-userid client client-id Explanation: The target-userid does not have an approved PEER or MANAGED-BY association with client-userid, use of the target-userid is denied. User response: Add a CKNUMAP profile to define a user ID mapping or establish a user ID association through RACLINK. Severity: 08 Chapter 4. CKN messages 105 CKN174I • CKN183I CKN174I Userid mapping not implemented for client-userid, notifying zsecsys job jobname user client-userid client client-id Explanation: The client-userid does not have a mapping profile to determine the user ID to be used on the target system. Data access and command execution is denied. User response: Add a CKNUMAP profile to define a user ID mapping or establish a user ID association through RACLINK. Severity: 08 CKN175I RACF EXTRACT of [CKNADMIN | CKNUMAP] profile failed abendcode User response: See the additional security measures in the Installation and Deployment Guide for information on the ZSECNODE user ID. User response: Look for the message number on the IBM support web site. If you do not find a solution, contact IBM Software Support. Severity: 16 Task task ignoring DOIO after lost socket sockdesc Explanation: This message indicates that the server is discarding remote I/O requests because the connection to the remote server was lost. Put for unopened file localfile received from zsecsys client n job jobname user userid Explanation: This message indicates a protocol error; a PUT I/O is being received for a file that is not open. User response: Stop and restart the client program. If the problem persists, restart the local and remote servers. If the problem still persists, fix the client program or, if the client is IBM software, search for the message on the IBM support web site. Severity: 08 CKN181I Severity: 08 CKNDOIA unknown WKQRTYPE=xx on WKQR address Explanation: This message indicates that an unexpected condition was found in routine CKNDOIA. The task is terminated with user abend 179. CKN180I Explanation: The RACF extract function to obtain and verify USERID mapping information failed. If the message contains CKNUMAP, processing continues using the identity mapping. If the message contains CKNADMIN, processing continues without a ZSECNODE user ID. CKN176I CKN179I Put for unsupported file localfile received from zsecsys client n job jobname user userid Explanation: This message indicates a protocol error; a PUT I/O is being received for a filetype that does not support it. User response: When the remote server has restarted, run the query again. User response: Fix the client program. If the client is IBM software, search for the message on the IBM support web site. If you do not find a solution, contact IBM Software Support. Severity: 08 Severity: 08 CKN177I Task task ignoring ALLO after lost socket sockdesc Explanation: This message indicates the server is discarding remote file allocation requests because the connection to the remote server was lost. User response: When the remote server has restarted, run the query again. CKN182I Client n job jobname user userid passed m records to remote program via file remotefile Explanation: This informational message documents how many records were passed from the client to the remote program for the indicated remote file. Severity: 00 Severity: 08 CKN183I CKN178I Remote type file rmtfile dsname [member] for localfile of zsecsys client n job jobname user userid Explanation: This informational message documents which remote file name is used to funnel the remote command screen from the indicated client local file name. Severity: 00 106 Messages Guide Connection lost to server zsecsys during I/O on file ddname; from jobname ASID xxxx user userid Explanation: This message notifies the user that the connection to the remote server was lost during I/O operations on the indicated file name. User response: Wait until the connection to the target zsecsys or zsecnode is reestablished (ask for the remote server to be restarted or let the system select another CKN184I • CKN192I zsecsys in the target zsecnode), and run the query again. Severity: 08 CKN184I Failure during type access verification abendcode directed to current-node are not allowed. User response: Look up the indicated SAF return code and reason code in the Security Server RACROUTE documentation. Give the user a permit if the user needs permission to route commands to the indicated node, or add a CKNUNMAP mapping to a user ID that does exist. Explanation: An abend occurred while attempting to verify access to the indicated resource type. Severity: 08 The resource type can have a value of CKNADMIN or DIRECT: CKN188I CKNADMIN Refers to the site SAF class profiles CKNADMIN.TONODE.zsecnode DIRECT Refers to the RRSFDATA profile DIRECT.rrsfnode User response: See z/OS MVS System Codes to determine the cause of the abend and possible actions. Severity: 08 CKN185I Explanation: The indicated userid does not have sufficient access to the RRSFDATA DIRECT.zsecnode resource. Data sets and commands directed to zsecnode are not allowed. User response: Look up the indicated SAF return code and reason code in the Security Server RACROUTE documentation. Give the user a permit if the user needs permission to route commands to the indicated node. Severity: 08 CKN186I Explanation: An abend occurred while attempting to retrieve user ID mapping data. The RACLINK user ID association is not used. Data sets and commands directed to the system are not allowed. User response: See z/OS MVS System Codes to determine the cause of the abend and possible actions. Severity: 08 CKN189I Not authorized to access zsecnode , insufficient access to RRSFDATA DIRECT.zsecnode RC=retcode RN=reascde job jobname user userid client clientid Failure during CKNADMIN access verification abendcode, disallow use Explanation: An abend occurred while attempting to verify access to the CKNADMIN resource that controls access to the current node. Access to the system is not allowed. User response: See z/OS MVS System Codes to determine the cause of the abend and possible actions. Severity: 08 RACF Retrieval of RACLINK data failed abendcode, disallow use Connection lost to server ZSECSYS during ALLOC of file CLNTDDNM, job jobname user userid client clientno Explanation: This message indicates that during an ALLOC request the connection to the remote (target) server was lost, either through a failing network connection or because the server was shutting down or had other problems. User response: Retry the action after reestablishing the connection or after restarting the remote server. Severity: 08 CKN190I program ended abend Explanation: This message indicates that a program that was started on behalf of a client has terminated with the indicated abend. User response: See z/OS MVS System Codes to determine the cause of the abend and possible actions. Severity: 04 CKN191I program ended RC number Explanation: This informational message shows that a program started on behalf of a client terminated with the indicated return code. Severity: 00 CKN187I Not authorized to access current-node from source-node RC=retcde RSN=reascde job jobname user userid client clientid Explanation: The indicated userid does not have sufficient access to the resource CKNADMIN.FROMNODE zsecnode, which controls access to the current node. Data sets and commands CKN192I Excessive wait time n minutes for client clientno job jobname ASID asid; attempting release Explanation: This message shows that a client was waiting for a reply from a remote server longer than is reasonable. The action is terminated. This action might Chapter 4. CKN messages 107 CKN193I • CKN199I cause follow-on error messages. CKN197I User response: Look in CKNPRINT and the job log of the local server and remote server. If any problems are noted, restart the server associated with the problem. Severity: 04 CKN193I Invalid TYPE=type specification "string" for CLNTDDNM of ZSECSYS client clientno job jobname user userid Explanation: This message indicates a protocol error. Presumably the server was contacted by a client that uses a more recent version of the protocol User response: Ensure the client and server are on compatible levels. Maybe use a different server token to contact a server supporting the required level. Severity: 08 CKN194I Too many files at the same time for CLNTDDNM of ZSECSYS client clientno job jobname user userid Explanation: This message indicates an unsupported number of information requests are routed to the same remote program instance. User response: Try to simplify the query. Severity: 08 CKN195I Invalid TYPE=CKFREEZE specification "string" for CLNTDDNM of ZSECSYS client clientno job jobname user userid Explanation: This message indicates a protocol error. Presumably the server is contacted by a client that uses a more recent version of the protocol. User response: Ensure the client and server are on compatible levels. Maybe use a different server token to contact a server supporting the required level. Severity: 08 CKN196I Remote server file name RMTFILE not allocated for TYPE=CKFREEZE spec or CLNTDDNM of ZSECSYS client clientno job jobname user userid Explanation: This message indicates that an allocation is missing from the server for the indicated CKFREEZE file. User response: Restart the server. If that does not correct the problem, fix the calling program. If the caller is IBM software, look for the message ID on the support web site. Severity: 08 108 Messages Guide Remote server file name RMTFILE used for TYPE=CKFREEZE spec or CLNTDDNM of ZSECSYS client clientno job jobname user userid Explanation: This informational message documents which remote file is used to satisfy the CKFREEZE request from the client. Severity: 00 CKN198I Stopping server because program ended abend_or_RC Explanation: This message indicates that a requisite task terminated either with an abend or a nonzero return code. The server is shutting down. User response: Look in the job log and CKNPRINT of the local server and remote server. If you note any problems, resolve them and restart the server associated with the problem. Severity: 16 CKN199I Failure during CKNDSN access verification abend Explanation: An abend occurred during a RACROUTE REQUEST=AUTH authorization check. The access is not allowed. User response: See z/OS MVS System Codes to determine the cause of the abend and possible actions. Severity: 08 CKN200I • CKN207I Messages from 200 to 299 CKN200I Not authorized to access dsname, insufficient access to profile RC=hexrc RSN=hexrsn hex; client clientno job jobname user userid Explanation: No permission exists for the indicated profile. Consequently, access to the dsname is not allowed. This message can show either the client user ID or the ZSECNODE user ID. The ZSECNODE user ID is obtained from the APPLDATA of the matching CKNADMIN.FROMNODE profile. If a user ID is specified, it is used to control which data sets can be used by users from this ZSECNODE. User response: Look up the indicated SAF return code and reason code in the Security Server RACROUTE documentation for RACROUTE REQUEST=AUTH. Severity: 08 CKN201I Not authorized to use dstype dsname from system client clientno job jobname user userid User response: If you need more information, look for CKN200I or CKN199I in the remote server CKNPRINT. Severity: 08 Explanation: This message is part of a summary dump written in case of problems. User response: No user action is required. Severity: 00 CKN205I Allocate failed RMTDDNM dsname [member] to CLNTDDNM of ZSECSYS client clientno job jobname user userid User response: If you need more information, look for IKJ* messages preceding this message in the remote server CKNPRINT file and follow the guidance. Severity: 08 OPTION name only valid in PARM string Explanation: The indicated option can be specified only on the PARM string, not in the CKNIN file. User response: Move the option to the PARM string and try the operation again. Severity: 12 ABEND authorizing class 'resource': abend Explanation: The indicated abend was encountered during a RACROUTE REQUEST=AUTH for the indicated resource. User response: See z/OS MVS System Codes to determine the cause of the abend and possible actions. CKN206I [Unsecured|Secured] connection not authorized on socket SOCKDESC [from|to] zsecnode/zsecsys sysplexclone.sysname njenode.smfid rrsfnode Explanation: An attempt was made to connect to or from a remote server, but the connection was not protected by AT-TLS. The server task is not authorized to the unsecured exception resource "CKNADM.INSECURE.secsys". User response: Set up an AT-TLS protection between the servers with the policy agent. See the Installation and Deployment Guide for information. Severity: 08 CKN207I Explanation: This message is passed back to the client for a failed allocation in the remote server. CKN203I Answer queue for WKQH address dump Severity: 08 Explanation: This message is passed back to the client to notify the client about the lack of authority to access dsname of type dstype. This message can be issued if either the client user ID or the ZSECNODE user ID has insufficient access to dsname. CKN202I CKN204I Partner cert name invalid on socket SOCKDESC [from|to] zsecnode/zsecsys sysplexclone.sysname njenode.smfid rrsfnode Explanation: The hostname DOMAIN name value in the ALTNAME extension of the peer certificate (certificate hostname) does not match the ZSECSYS name. Because the certificate is used as proof that the partner server is the real ZSECSYS partner node and not a masquerading attacker, this constitutes an identification-and-authentication failure. Neither was there a permit on the exception resource "CKNADM.CERTOKAY.secsys" which can be used to disable this identification-and-authentication feature. User response: Generate a certificate for the proper (remote) ZSECSYS name in the proper (local) key ring. See the Installation and Deployment Guide for information. Severity: 08 Chapter 4. CKN messages 109 CKN208I • CKN217 CKN208I Socket active WKQR address type status Explanation: This message is part of a summary dump written in case of problems. User response: No user action is required. Severity: 00 CKN209I CKN214I Test PC abend request from client n job jobname ASID asid user userid Explanation: User abend 214 will be issued from the PC routine to test the error recovery of the calling program. User response: No user action is needed. CKFREEZE ddname still in use. Refresh delayed Explanation: A refresh of the automatic snapshot file is needed but the file is still in use. User response: Ignore a single occurrence of this message. If the problem persists, restart the server. If that does not help, look for problems in the CKNPRINT output that might cause the delay in completing the client interaction and solve them. Severity: 08 Severity: 00 CKN215I Excessive idle time nn minutes for zsecsys client clientno job jobname user userid; simulating end Explanation: No interaction was received from a remote client for more than nn minutes. An end-client action will be simulated to free up enqueues and resources held in this server. This message is issued only if the remote client has been silent for 10 minutes or more. User response: No user action is required. CKN210I Client number job jobname user user closed file remotedd Explanation: This message indicates that a close request was received for a remote file from a remote CKRCALRA for which the program already has terminated. This is a normal occurrence directly before ending the client. Severity: 00 CKN211I RETRYINTERVAL interval must be 0 or between 1 and 1440 minutes Explanation: The supplied RETRYINTERVAL value is not in the valid range. Specify 0 to deactivate automatic retry. Specify a value of at least 1 and at most 1440 minutes to define how soon a failing communication between servers is retried. User response: Correct the input and retry the operation. Severity: 12 CKN212I Server zsecnode/zsecsys token servertoken now listening on port n Explanation: This message indicates that the server is now listening to connections from peer servers. It is issued both as a print message and as a WTO. Severity: 00 CKN213I Server zsecnode/zsecsys token servertoken stopping abend Explanation: This message warns that the server is stopping in response to an abend condition. It is issued both as a print message and as a WTO. Severity: 16 110 Messages Guide Severity: 08 CKN216I ABEND during READALL access check abendcode assume no access Explanation: An unexpected situation occurred during the access verification of the execution userid to the CKR.READALL resource in the XFACILITY resource class. The zSecure server informed the CKRCARLA client that the user does not have sufficient access to the CKR.READALL resource. User response: Review the abend code in the Security Server RACF Messages and Codes Manual. Severity: 08 CKN217 Node userid node-userid does not match cert-userid Explanation: The ZSECNODE user ID that was obtained from the matching CKNADMIN.FROMNODE profile does not match the user ID that is associated with the certificate of the node. The connection is refused and communication is stopped. User response: Verify that the ZSECNODE user ID that is specified in the APPLDATA of the matching CKNADMIN.FROMNODE profile is correct. Verify that the RACF user ID that is associated with the node certificate is correct. For more information on specifying these user IDs, see the section on setup for secure communication using AT-TLS in the Installation and Deployment Guide. Severity: 08 CKN218I • CKN875I CKN218I BPX1OPT setsockopt TCP_KEEPALIVE failed on socket sockdesc unix_error Explanation: This message indicates that a UNIX error occurred during a setsockopt call to set the TCP KEEPALIVE socket option to the ZSECSYS RETRYINTERVAL. This message is suppressible. User response: See your UNIX system codes book to determine the cause and actions. Explanation: This message indicates that a UNIX error occurred during a setsockopt call to request the port to be reusable. This message is suppressible. User response: See your UNIX system codes book to determine the cause and actions. Severity: 08 CKN222I Severity: 08 CKN219 BPX1OPT setsockopt SO_KEEPALIVE active failed on socket sockdesc unix_error Explanation: This message indicates that a UNIX error occurred during a setsockopt call to request the connection to be tested periodically. This message is suppressible. RACF ACEE clean up failed for userid RC=retcode RSN=reascde hex for sysname job jobname user userid client clientno Explanation: Removal of the security environment for user userid was not successful. The returncode and reasoncode for the RACROUTE REQUEST=VERIFY ENVIR=DELETE are shown in the message, together with the identification of the remote userid for which this security environment was created. User response: See your UNIX system codes book to determine the cause and actions. User response: Review the return and reason code for the RACROUTE function in the Security Server RACF RACROUTE Macro Reference. Severity: 08 Severity: 08 CKN220 BPX1OPT setsockopt TCP_NODELAY active failed on socket sockdesc unix_error Explanation: This message indicates that a UNIX error occurred during a setsockopt call to request the connection to not delay messages. This message is suppressible. User response: See your UNIX system codes book to determine the cause and actions. Severity: 08 CKN221 BPX1OPT setsockopt SO_REUSEADDR active failed on socket sockdesc unix_error CKN223I Negotiated TLS cipher cipher is not compliant with NIST 800-131A Explanation: This message indicates that the negotiated TLS cipher cipher is not compliant with NIST Special Publication 800-131A. User response: See the Cipher Suite Definitions topic in z/OS Cryptographic Services System SSL Programming for a description of the cipher. Specify a list of NIST 800-131A-compliant ciphers in the AT-TLS policy rules using the TTLSCipherParms statement. Severity: 04 Messages from 600 to 899 CKN600...CKN699 message Explanation: Messages in the range CKN600-CKN699 are internal error messages that are not individually documented. If you need information about a message in this range, contact IBM Software Support. CKN700...CKN799 message Explanation: Messages in the range CKN700-CKN799 are trace messages that are not individually documented. If you need information about a message in this range, contact IBM Software Support. contents for a RECFM=V(B)(S) data set. The record descriptor word does not match the DCB parameters. The Record Descriptor Word (RDW) is shown in hexadecimal. The first 2 bytes are the record length including the RDW. This is handled as an end-of-file condition. The severity is 4 to avoid disrupting processes that might encounter empty data sets and need to continue. User response: Recreate the data set or omit the data set from the input. Severity: 04 CKN875I CKN874I RECFM=V(BS) RDW hex exceeds LRECL=lrecl at record n ddname volser dsname Explanation: This message indicates invalid record RECFM=V(BS) BDW hex exceeds BLKSIZE=blksize at record n ddname volser dsname Explanation: This message indicates invalid block contents for a RECFM=V(B)(S) data set. The block Chapter 4. CKN messages 111 CKN893I • CKN942 descriptor word does not match the DCB parameters. The Block Descriptor Word (BDW) is shown in hexadecimal. The first 2 bytes are the block length including the BDW, unless the high order bit is on, in which case it can be a large block 4 byte length. This is handled as an end-of-file condition. The severity is 4 to avoid disrupting processes that might encounter empty data sets and need to continue. User response: Recreate the data set or omit the data set from the input. Severity: 04 Severity: 04 CKN893I Task task TCB addr ATTACH RC=n dec attempting to attach task ep Explanation: This message documents a failure to attach a new task task ep from the indicated TCB instance of a task called task. User response: Review the description of the ATTACH return code and take the appropriate action. For example, the return code might indicate a storage shortage. Severity: 16 CKN894I CKN896I Task task TCB taskaddr DETACH of task ep instance TCB subtaskaddr RC=nn dec User response: Review the description of the DETACH return code and take the appropriate action. Severity: 04 Task task TCB addr subtask task ep instance TCB subtaskaddr failed abend Explanation: This message documents that a DETACH task failed with the indicated abend code. The failure occurred in the daughter task instance TCB subtaskaddr of task ep of the indicated mother TCB instance of a task called task. Task task TCB addr zero ECB wait Explanation: This is an internal error message that indicates a problem in the software. User response: Look for the message number on the IBM support web site. If you do not find a solution, save the CKNPRINT and contact IBM Software Support. Severity: 16 CKN897I Explanation: This message indicates a failure to cleanly remove the indicated TCB instance of subtask task ep by the indicated owning instance TCB taskaddr of task task. The RC value is a nonzero DETACH return code. CKN895I User response: Review the meaning of the abend code and take the appropriate action. For example, the return code might indicate a storage shortage or an input or output-file-related failure. If it is a user abend code, there should be a message either in the print file or in a WTO in the job log or system log with the same decimal message number as the user abend code. If the user abend code is 16, then the message number might be different, for example, 999. Look up the message and follow its guidance. HMALLOC CALL ERROR: NON-THREADSAFE task1 heap from task2 Explanation: This is an internal error message that indicates a problem in the software. User response: Save the SYSPRINT and other relevant files and contact IBM Software Support. Severity: 16 CKN898I program Recursive abend percolated Explanation: This WTO message warns that a recursive abend condition occurred. Probably the attempt to provide a summary dump or an attempt to recover failed. User response: Resolve the initial abend. Severity: I Messages from 900 to 999 CKN900I IDENTIFY RC=rc for task taskaddr Explanation: The IDENTIFY service returned the indicated rc for the indicated task. Explanation: This WTO message explains why there is no diagnostic dump. A regular dump will be needed to analyze the problem. Severity: I Severity: 00 CKN942 CKN941I 112 DIAGNOSTIC DUMP SUPPRESSED FOR program BECAUSE GLOBAL AREA OR GLBLREG GARBLE AT xxxxxxxx Messages Guide Request to write record with negative length hexnum to ddname behind record decnum - user abend 942 Explanation: This messages indicates either a software CKN955I • CKN976 problem or an attempt to connect input files to the wrong DD names. User abend 942 is issued. This message is suppressible and results in the record being skipped. However, the resulting output file might be unusable and can give rise to follow-on errors. Suppressing this message is not recommended except as directed by IBM Software Support. User response: Check allocations and the validity of the connected data sets. If your checks do not reveal errors, contact IBM Software Support with relevant documentation. Severity: 16 Severity: 16 CKN973I IBM Security product code code disabled or not installed Explanation: This indicates that you are attempting to run functionality for a product that is not installed here, or it is disabled for this system name, sysplex name, LPAR name, VM user ID, or hardware name. User response: Check active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, contact your system programmer to verify installation. Severity: 16 CKN955I program task heap STORAGE REQUEST ERROR: SIZE NOT POSITIVE Explanation: This message indicates an internal memory management error. It is followed by a user abend 16. The message identifies the heap as well as the program and task that created the heap. Contact IBM Software Support. Severity: 16 CKN968I IFAEDDRG failed RC nn decimal Explanation: This message indicates that an attempt to register a previously registered product failed. User response: Contact IBM Software Support. Severity: 16 CKN969I I/O error for dsn: description Explanation: This message indicates that an I/O error occurred during normal QSAM or BSAM input processing for dsn. Operation will be continued, but an abend or other error message may follow because of the information missing due to the I/O error. Severity: 08 CKN970I program task heap FREE STORAGE ERROR: message IBM Security product disabled or not installed here for requested focus Explanation: Either the product is not installed here, or the requested focus is disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name. User response: Check active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, contact your system programmer to verify installation. Severity: 16 CKN975I IBM Security product disabled or not installed Explanation: Either the product is not installed here, or it is disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name. User response: Check active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, contact your system programmer to verify installation. Severity: 16 CKN976I Explanation: This message indicates an internal memory management error. It is followed by a user abend 16. The message identifies the heap as well as the program and task that created the heap. Contact IBM Software Support. Code or enablement for product product or feature is missing Explanation: Either the product is not installed here, or it is disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name. User response: Check active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, contact your system programmer to verify installation. Severity: 16 Severity: 16 CKN972I CKN974I Enablement information missing for product Explanation: This message indicates that the product cannot run because the load module is not complete. User response: Contact your system programmer to complete installation of the product. CKN976 IBM Security product or feature disabled or not installed here Explanation: Either the product is not installed here, or it is disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name. User response: Check active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, Chapter 4. CKN messages 113 CKN977I • CKN999I contact your system programmer to verify installation. CKN999I Severity: 16 CKN977I Installed PRODUCT OWNER('IBM CORP') ID(id) NAME('name') FEATURE('feature') VER(version) REL(release) MOD(modification) [ Product action RC rc decimal ] Explanation: This message is issued in response to DEBUG for products that are installed. The action can be "registration" or "status." The return code is for IFAEDREG or IFAEDSTA, respectively, which are documented in MVS Programming: Product Registration. No continuation line is shown if product registration does not apply (for example, because of CKN979I). Severity: 00 CKN978I Product code code has been disabled in PARMLIB Explanation: This message is issued in response to DEBUG for products that have been disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name by an entry in IFAPRDxx in your z/OS PARMLIB. User response: Run the product somewhere else, or ask your system programmer for enablement. Severity: 00 CKN979I Product code code implied by other Explanation: This message is issued in response to DEBUG for products that are not being registered because their entitlement is implied by a more encompassing entitlement. Severity: 00 CKN993I DIAGNOSTIC DUMP SUPPRESSED FOR program TASK taskname type ABEND xxx Explanation: This message indicates that the program abend exit did not attempt to make a diagnostic summary dump. This is done to prevent recursive abend conditions involving the print file. The task name is PROGRAM for the main task or for the only task in a program. For a multi-tasking program, program might identify one of the subtasks. CKN998I STACK OVERFLOW FOR STACK tasklevel stackname IN program Explanation: This message indicates an internal stack error. It is followed by a user abend 16. Contact IBM Software Support. Severity: 16 114 Messages Guide STORAGE SHORTAGE FOR TASK taskname HEAP heapname IN program INCREASE REGION Explanation: This message indicates that the program needs more storage. If the heap name is LOWHEAP, then the request is for storage below the 16MB line. User response: Look in message CKF034I to determine what region was requested and what was granted to the job step. Increase the REGION value on the JOB or STEP card. It can also be beneficial to use the STORAGEGC command, though this will increase CPU usage. If the problem heap was LOWHEAP, there was not enough storage available below the line. Increasing the REGION might still help, if there was not enough storage above the line so that LOWHEAP storage was used instead. If there is a true storage shortage below the line, you could reduce I/O parallelism with the PARALLEL option or force the immediate freeing of allocations with the FREE option. Severity: 16 Chapter 5. CKR messages The CKRCARLA program is the main program in zSecure products. Using the special-purpose CARLa Auditing and Reporting language (CARLa), the CKRCARLA program processes RACF, SMF, and other types of information. This program is used by the products, such as zSecure Admin and Audit, zSecure Alert, zSecure Visual, and zSecure Adapters for QRadar SIEM. This chapter describes messages issued by the CKRCARLA program on the mainframe. These messages are prefixed with unique message identifiers in the form CKRnnnn or CKRnnnI, where nnnn and nnn indicate the unique message value. The message identifier is followed by a severity code. Note: The return code from the program is normally set to the maximum value of the return codes from any messages. If an OPTION NOWARNING is coded, the 04 return code from the program is reset to 00. The general meaning of the CKRCARLA severity codes and the completion code are: 00 Normal message, giving status or summary information, or a message indicating a decision taken. 04 Can be a general warning, or an error condition found as a result of VERIFY or REPORT processing. Removal of the error condition can be attempted by means of a command generated by zSecure (if CKRCMD was allocated). 08 Error condition usually found as a result of VERIFY or REPORT processing. No commands can be generated by zSecure to remove the error. 12 Syntax error in the command input. 16 Entitlement problem or invalid or unsupported files connected to zSecure. 20 Unsupported condition found in security database, VTOC or VVDS, or in volume sharing. 24 Internal error or other unexpected and unsupported condition detected in zSecure. 32 RETURN or JUMP key used. Messages are included in subsections, grouped by the hundred message-numbers. Messages from 0 to 99 CKR0000 program terminated due to input errors Explanation: Previous messages indicate an error in the parameters or command input file. The program does not perform any commands if the command input is not syntactically correct. Correct the errors and submit the job again. Severity: 12 © Copyright IBM Corp. 1998, 2015 CKR0001 No UNLOAD, SHOW, LIST, DISPLAY, (D)SUMMARY, REPORT, VERIFY, COPY, REMOVE, MOVE or MERGE specified Explanation: No commands were given or implied that would result in any output. Specify one of the commands indicated in the message. 115 CKR0002 • CKR0008 allowed by virtue of conditional access by this program. Severity: 12 CKR0002 Output file open failed - [(redirected virtualdd)] ddname [ path | dsname volser ] Severity: 00 Explanation: The OPEN for the indicated file (for example, CKRUNLOU or CKRCMD) failed. If you are running a batch job, refer to the job log for an abend code and reason code (the abend code is probably 013). If no abend and reason code is present, the DDname is probably not allocated. If you are running TSO interactively and no abend code is listed on your terminal, try specifying PROFILE WTPMSG and try it again. The ddname field in the CKR0002 message may contain garbage. The meaning of the abend code and reason code can be found in the MVS system messages and codes manuals. The message may indicate two DD names, the actual ddname and the dd= parameter referred to in the CARLa (virtualdd). CKR0005 Severity: 16 CKR0006 CKR0003 Open for input failed on file ddname volser dsn Explanation: Check the DD statement for the indicated file and any ALLOC DD=ddname command. Correct the error and submit the job again. Severity: 16 CKR0004 Processing started for [complex] pads ddname volume dsn Unloaded by program program v.l.m date time job name at date time on system name [ Complex name complex assigned ] Source type dataset i was volume datasetname databaseformat template level level Explanation: This message indicates the version of the program that created the unloaded security database, as well as the date and time the database was unloaded, and the SMF ID of the tCKRsystem on which the unload was performed. For each unloaded RACF or ACF2 data set contained in the file, the original volume and data set name are listed. For ACF2 the type of data set is indicated as well: LID, RULE or INFO. For RACF the database format is shown on the last line in the format formattype database format release, where formattype is Restructured or Non-restructured and release, if present, has the form RACF release FMID (v.r.m for older releases). The template level, if present, is the FMID or APAR number that last changed the templates, followed by numerical indicators of release level and APAR level, if this information is available. If the message contains the text PADS for pads, then this indicates that access allowed to the databases by virtue of conditional access by this program. In this case, the program will restrict its functionality to the user's scope. If the message contains the text program pathing for pads, then that access to the database was 116 Messages Guide nnnnnn profiles read, yyyy profiles selected (pp%) for complex Explanation: This message is written at the end of the profile input phase. During this phase SELECT, EXCLUDE, LIST and UNLOAD commands are processed and information is stored for the other commands. The total number of profiles in use in the RACF database is listed, as well as the number of profiles selected by the SELECT and EXCLUDE commands. This does not apply to SELECT and EXCLUDE in the scope of a NEWLIST command. Severity: 00 nn profiles truncated on ddname [path | volser dsname] Explanation: Due to the insufficient record length of output file ddname, profiles were truncated. This may result in erroneous error messages with respect to the truncated profiles if subsequent processing is done on the unloaded file, but this is not necessarily the case. For example, truncated group profiles will cause spurious error messages if you try or imply the VERIFY CONNECT command, but in general it will not cause any other trouble, due to the redundancy in the database. This message is issued when the profile length is too long for the current record length of the zSecure Admin UNLOAD file. To correct the cause, allocate the UNLOAD file with the following LRECL specification: LRECL=X,RECFM=VBS The Variable Blocked Spanned (VBS) record format allows an UNLOAD record to span more physical records. Severity: 08 CKR0007 File is empty - ddname volume dsn Explanation: The specified TYPE=UNLOAD file was allocated, but contained no records. Severity: 16 CKR0008 End-of-file before type record - ddname volume dsn Explanation: The specified TYPE=UNLOAD file contained some status records, but the indicated record type was not present. The indicated type can be ICB for the first RACF database record, CRDB for an origin database record, or FDR for the ACF2 FDR records. Probably the unload failed, or the system catalog points to a previous version of your unloaded data set (see CKR0009 • CKR0015 CKR0014 for a possible cause for this problem). Severity: 12 Severity: 16 CKR0013 CKR0009 siteidentifier activity on SYSNAME(name) SYSPLEX(name) [ LPARNAME(name) ] [ VMUSERID(name) ] [ HWNAME(name) ] CPU-id CPUid Product codes codes Products Explanation: This message shows a site-specific string, the system, sysplex, LPAR, VM user ID, and hardware where it is running, and which IBM Security zSecure suite products are installed and not disabled through IFAPRDxx for use in this program. For a description of the product codes, see the License names table in any of the zSecure Admin and Audit user reference manuals. Each line in the "Products" section shows a product ID and the full name of a particular product feature, for example, 5655-N17 IBM Security zSecure Audit for RACF for code AUDITRACF. activity can be Runs or UNIX depending on the calling environment used. Severity: 00 CKR0010 Explanation: No source of RACF profiles was found in implicit allocation mode. Normally the current RACF database would be allocated dynamically, but you are running on a CMS system, or on an MVS system without RACF active. Allocate the database you want to process explicitly to the CKRACF01 file (and if the database is split, to the CKRACFnn files) or use an ALLOC TYPE=RACF or ALLOC TYPE=UNLOAD command. Severity: 16 CKR0014 OPEN abend hhh-hh on file ddname Severity: 16 I/O error: synadaf message Explanation: An I/O error occurred on one of the CKRACFnn files. Check that the file allocated is indeed a RACF database with RECFM=F and LRECL=1024 for a non-restructured database and LRECL=4096 for a restructured database. On a VM system, it may also occur for a database on an OS formatted minidisk; in this case you can process the database by copying it to a temporary CMS formatted minidisk and process this copy. Explanation: This message indicates that the CKRUNLIN file, i.e. the security database UNLOAD file, contains invalid information. There are two common reasons: v the UNLOAD data set has incompatible/invalid DCB characteristics. You can check this by looking at the DCB info using ISPF option 3.2. They should be Organization Record format Record length Block size . More than 90 RACF data sets parallel not supported - use separate runs Explanation: This version of the program does not support processing more than 90 data sets at the same time. Use the ALLOC DB= command to select 90 or less data sets for processing. If your site requires operation on more than 90 data sets, contact IBM Software Support. . . . . . . . . . . . . : : : : PS VBS 32768 27998 If you find a record format U or data set organization PO, then your installation probably has an ACS routine, i.e. an SMS routine to set default data set characteristics, that assumes that any data set with the letters LOAD in the last qualifier is a load module data set. We recommend that you specify the DCB characteristics in the JCL of CKRJCPYR: //CKRUNLOU DD ...., // DSORG=PS,RECFM=VBS,LRECL=X,BLKSIZE=27998 Severity: 16 CKR0015 Severity: 16 CKR0012 File does not start with CRCF record ddname volume dsn v the UNLOAD data set was not filled by zSecure Explanation: The OPEN for the indicated file (CKRACFnn, or redirected database ddname) failed. If you are running a batch job, refer to the job log for an abend code and reason code (the abend code is probably 013). If you are running TSO interactively and no abend code is listed on your terminal, try specifying PROFILE WTPMSG and try it again. The ddname field in the CKR0010 message probably contains garbage. CKR0011 No file unload-ddname or db-ddname preallocated Open failed of [complex] primary RACF DB db file ddname data set dsname on volume Explanation: Refer to CKR0002 and CKR0010 for a discussion. Severity: 16 Chapter 5. CKR messages 117 CKR0016 • CKR0026 CKR0016 Open failed of [complex] secondary RACF DB db file ddname data set dsname on volume Explanation: Refer to CKR0002 and CKR0010 for a discussion. Severity: 16 CKR0017 CKR0017 Processing started for [complex] DB db pads ddname volume datasetname File ddname complex has databaseformat release template level level Explanation: The TYPE=RACF data set open was successful for the file indicated, and input of the database was started. The database format is shown on the second line in the format formattype database format release, where formattype is restructured or non-restructured and release if present has the form RACF release FMID (v.r.m for older releases). The template level, if present, is the FMID or APAR number that last changed the templates, followed by numerical indicators of release level and APAR level if this information is available. If the message contains the text PADS for pads, then this indicates that access to the data set was allowed by virtue of conditional access by this program. In this case, the program will restrict its functionality to the user's scope. Severity: 00 CKR0021 Unsupported BAM format: 1st block on odd nibble, block number nnnn, database num Explanation: During input of the Block Availability Map (BAM) an unsupported format was detected (a nibble is four bits and describes the segments of one block in non-RDS format). If no other errors are found and the error is reproducible, contact IBM Software Support. Severity: 20 CKR0022 Unsupported BAM format: odd # blks in other than last BAM block - block number nnnn db num Explanation: An unsupported format was detected during input of the Block Availability Map (BAM). If no other errors are found and the error is reproducible, contact IBM Software Support. Severity: 20 CKR0023 OPEN for input with QSAM failed for file ddname dataset dsn on vol Explanation: While using BDAMQSAM processing (currently this is the default mode), after conclusion of BDAM processing the data set could not be opened again with QSAM processing. Possibly other error messages were issued to indicate what went wrong. Severity: 16 CKR0018 No extents present for ddname volume datasetname Explanation: The file indicated was opened successfully, but no extents were present (the data set is empty). Severity: 16 CKR0019 ALLOC PRIMARY/BACKUP/ACTIVE/ INACTIVE/DB invalid if CKRACF01 pre-allocated Explanation: An ALLOCATE command for implicit allocation mode was present in the commands as well as a preallocated database. Either remove the ALLOCATE command or remove the CKRACFC01 file. Severity: 16 CKR0020 Type input terminated, LIMIT lim reached Explanation: The OUT or IN limit you specified on a LIMIT command has been reached, no more profiles or records (type) will be read. Severity: 00 118 Messages Guide CKR0024 Index marker not on block boundary: ddname block nnnn segment offset off Explanation: The RACF database was found to start an index block at an other segment than the first in a block. This format is not supported. If the problem is reproducible, run IRRUT200. If no errors are revealed, contact IBM Software Support. Severity: 20 CKR0025 Index block with invalid length: ddname block nnnn length len Explanation: The RACF database was found to contain an index block with a length unequal to 1024 for non-RDS and 4096 for RDS. This format is not supported. Contact IBM Software Support. Severity: 20 CKR0026 End of file in 2nd segment of profile: ddname block nnnn segment offset off Explanation: At the specified position in the RACF database a profile was being read and not complete at the end of the data set. Contact IBM Software Support. CKR0027 • CKR0032 Severity: 20 CKR0027 Unused segment instead of profile continuation: ddname block nnnn segment offset off Explanation: At the specified position in the RACF database, a profile was being read and was not complete according to the physical profile length field, but the Block Availability Map indicates that the next segment is not occupied. This may happen because of update activity on the database while performing the read. If the problem and the place where it occurs is reproducible, run IRRUT200 to analyze the database. If still no errors are revealed or, if the problem is intermittent and annoying, contact IBM Software Support. Severity: 20 CKR0028 File ddname extended nn block for profile at blk nnnn segment offset off needs yyy segments extra Severity: 20 Segment type X'hh' not supported ddname block nnnn segment offset off Explanation: An unknown database segment type was encountered. If the problem is reproducible at the same place, run IRRUT200. If this does not reveal structural errors, contact IBM Software Support. Severity: 20 CKR0030 Unsupported template addr. hexvalue len ll searching fldname in entity type n ICB at addr Explanation: While using the templates to scan a profile, an unsupported kind of template was encountered. If the error is reproducible, contact IBM Software Support. Severity: 20 CKR0031 Severity: 00 CKR0031 Severity: 00 Restricted mode active, no READ access to class CKR.READALL Explanation: Through a profile covering the CKR.READALL resource in the class specified in the CKRSITE area it is possible to define which users can read the full database (READ access) and those that will run in restricted mode (covering profile exists and NONE access). The current user has no READ access. Severity: 00 CKR0031 Unrestricted mode active, READ access to class CKR.READALL Explanation: Through a profile covering the CKR.READALL resource in the class specified in the CKRSITE area it is possible to define which users can read the full database (READ access) and those that will run in restricted mode (covering profile exists and NONE access). The current user has READ access. Severity: 00 CKR0031 Unrestricted mode active Explanation: This message indicated that the product defaults to unrestricted mode because it is not installed with the installation option RESTRICT, the input files can be processed without requiring read access granted to the program, and a profile covering the CKR.READALL resource in the class specified in the CKRSITE area is not defined. Severity: 00 CKR0032 Restricted mode active by installation option Restricted mode active because of pads Explanation: This message indicates that one or more of the input files could only be processed because of read access granted to the program. In that case, restricted mode processing is automatically activated. The message contains either the text PADS or the text program pathing for pads. CKR0031 Explanation: At the specified position nnnn/off in the RACF database a profile was being read and not complete at the logical end of the data set (i.e. the end according to the BAM blocks). The logical end of the database was automatically extended with nn blocks to get a complete profile. This may happen if a large new record was added to the RACF database during the database read. CKR0029 option in the CKRSITE module. For details on the CKRSITE module and installation options, see IBM Security zSecure CARLa-Driven Components: Installation and Deployment Guide. File ddname not allocated Explanation: The filename requested on a PRINT command was not found allocated. Review your JCL. Severity: 12 Explanation: This message indicates that the product was installed with restricted mode active. The restricted mode setting is specified by the RESTRICT installation Chapter 5. CKR messages 119 CKR0033 • CKR0041 CKR0033 [complex] DB db datasetname has number segments (of 256 byte) in use, number segments free (pp% used) Index uses pp%. Unusedspace. Using readmethod. Statistics Explanation: This message reports on the contents of a RACF data set. Each segment is 256 byte. Free space can be present at the end of the database (never used), or fragmented through the database. If all space is fragmented, Unusedspace will contain the text Free space completely fragmented, otherwise it will show Space beyond pp% never used. The data set is read without use of the index; readmethod can be BDAMQSAM, multitrack ECKD EXCP, or full-track EXCP. If either EXCP method was used, a third line is shown in the format Read number blocks from a total of number in number IOs. Cache hit was pp%. Severity: 16 CKR0038 Explanation: This message indicates that the proper CKFREEZE file for the security complex complex was missing or did not contain the range table needed. The program will proceed as if all profiles are in their proper RACF data set. Severity: 00 CKR0039 Severity: 00 CKR0034 Action for id id requested, but no occurrences were found Explanation: The REMOVE or MOVE command for the indicated user or group did not result in any commands being generated, since no permits or notifies to be moved exist. Check for typing errors or for SELECT statements that exclude part of the database. Severity: 00 CKR0035 at ddname record nnnnn, originally DB seq i RBA hexnum for complex complex Explanation: This message gives the location in a TYPE=UNLOAD file where a previous error message occurred. Severity: 00 Warning: RACF Range Table for complex complex unknown, SUPPRESS ICHRRNG implied product used cc.c CPU seconds, nn,nnn KB and took ss wall clock seconds Region requested rr,rrr KB, granted g,ggg+gg,gggg KB max used in jobstep uu,uuu+uu,uuu KB Errortrapcount Explanation: This message indicates the resource usage as well as the elapsed time for this run. If the run terminated unsuccessfully, the storage part is omitted. For TSO users, the CPU seconds include any work that was done on other ISPF logical screens under TSO while interactively displaying zSecure output screens. The second message line lists the region requested by the user, and the region granted to the job step by the installation. The third message line shows the actual maximum used during the job step. This includes any other tasks running in the job step, i.e., for TSO users it will include TSO and ISPF storage and anything else that has run on ISPF logical screens since logon. Region sizes can be formatted as below+above, where the first number is the region below the 16MB boundary and the second number is the region above the 16MB boundary, both in kilobyte units. If any errors were trapped, a fourth line will be shown in the format Error trap count is number. Severity: 00 CKR0036 at ddname block nnnn segment offset i DB seq j RBA hexnum for complex complex Explanation: This message gives the location in a TYPE=RACF file where a previous error message occurred. Allocation failed for DDNAME ddname source=source DSN=dsname status=ERR Explanation: During an attempt to dynamically allocate an active ACF2 (backup) data set, the program found that it could not succeed in doing so, because the requested data set was marked ERR by ACF2. This implies that ACF2 itself could not allocate the data set either, probably because the data set does not exist. The ddname indicates the type of data set for which the allocation failed. 120 RACF indicator set but no discrete profile found for volser datasetname Explanation: This message is issued due to a VERIFY INDICATED command. To solve this error condition a command sequence consisting of an ADDSD NOSET followed by a DELDSD for the profile is generated. Severity: 00 CKR0037 CKR0040 Messages Guide Severity: 04 CKR0041 Discrete profile found but RACF indicator not set volser datasetname Explanation: This message is issued due to a VERIFY ONVOLUME command. To solve the error condition a DELDSD NOSET command will be generated. CKR0042 • CKR0050 Severity: 04 CKR0042 Discrete profile present but no dataset on volume volser datasetname Explanation: This message is issued due to a VERIFY ONVOLUME command. To solve the error condition a DELDSD NOSET command will be generated. Discrete profile present but volume not mounted volser datasetname Explanation: This message is issued due to a VERIFY ONVOLUME command. To solve the error condition a DELDSD NOSET command will be generated. Severity: 04 CKR0044 PROGRAM dsn/vol obsolete complex program - volser dsname Reason Explanation: This message is issued due to a VERIFY PROGRAM function because the indicated data set does not exist on the indicated volume for any system in the complex. For each system a Reason line follows with one of the following detail explanations: v Volume is not mounted on system syst volser v VTOC is not readable on system syst volser v Data set does not exist on volume of syst volser dsname v Data set is not partitioned on volume of syst volser dsname If a CKRCMD file is allocated for the complex, an RALTER DELMEM command is generated to remove the obsolete member from the profile. Obsolete permit identity unknown program program - volser datasetprofile Explanation: This message is issued due to a VERIFY PADS command while RACF runs in Basic program security mode. A program is defined on a conditional access list, but no matching program profile exists. To solve the error condition, a command is generated to remove the WHEN-clause. Severity: 04 CKR0046 event permit identity in access list of non-VSAM volser datasetname Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command, with PROGRAM dsn/vol redundant, covered by dsn w/o vol complex program - volser dsname Explanation: This message is issued by the VERIFY PROGRAM function because the indicated volume-specific PROGRAM profile member is covered by a PROGRAM profile member without volume specification, and is, therefore, redundant. If a CKRCMD file is allocated for the complex, a commented-out RALTER DELMEM command is generated to remove the obsolete member from the profile. Severity: 04 CKR0048 event permit identity in access list VSAM profil volser datasetname Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command, with event equal to Redundant due to a REMOVE REDUNDANT_PERMIT command, and with event equal to Copy or Replace due to a COPY PERMIT/USER/GROUP command. To solve the error condition a PERMIT DELETE VOL() command will be generated. Severity: 04 CKR0049 Severity: 04 CKR0045 Severity: 04 CKR0047 Severity: 04 CKR0043 event equal to Redundant due to a REMOVE REDUNDANT_PERMIT command, and with event equal to Copy or Replace due to a COPY PERMIT/USER/GROUP command. To solve the error condition a PERMIT DELETE VOL() command will be generated. Duplicate range in ICHRRNG complex complex key key Explanation: This message indicates that a RACF range table was encountered with the same range present twice. The program will use the first definition and ignore subsequent ones. Severity: 08 CKR0050 event permit identity in access list generic DATASET datasetname Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command, with event equal to Redundant due to a REMOVE REDUNDANT_PERMIT command, and with event equal to Copy or Replace due to a COPY PERMIT/USER/GROUP command. To solve the error condition a PERMIT GENERIC DELETE Chapter 5. CKR messages 121 CKR0051 • CKR0057 command will be generated. Severity: 04 CKR0051 Date value "value" 2-digit year is ambiguous Explanation: This suppressible message indicates that a 2-digit year was encountered. By default, this is not allowed to prevent any year-2000 related confusion. In case this is a problem for backward compatibility, you can suppress the message. In this case the 2-digit years are all interpreted as lying in the 20th century (they are prefixed with 19, being backward compatible). No cut-off dates or windows are used because this would be newlist-type and fieldname-dependent and is not backward compatible. Severity: 12 CKR0052 event permit identity in access list model DATASET datasetname Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command, with event equal to Redundant due to a REMOVE REDUNDANT_PERMIT command, and with event equal to Copy or Replace due to a COPY PERMIT/USER/GROUP command. To solve the error condition a PERMIT DELETE command will be generated. Severity: 04 CKR0053 Field field value "value" 2-digit year ambiguous at ddname line number Explanation: This suppressible message indicates that a 2-digit year was encountered in a newlist type=RACF. By default, this is not allowed to prevent any year-2000 related confusion. In case this is a problem for backward compatibility, the message can be suppressed. In this case the 2-digit years are all interpreted as lying in the 20th century (they are prefixed with 19, being backward compatible). No cut-off dates or windows are used because this would be newlist-type and fieldname-dependent and is not backward compatible. Severity: 12 CKR0054 event permit identity general resource profile class progname Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command, with event equal to Redundant due to a REMOVE REDUNDANT_PERMIT command, and with event equal to Copy or Replace due to a 122 Messages Guide COPY PERMIT/USER/GROUP command. To solve the error condition a PERMIT DELETE command will be generated. Severity: 04 CKR0055 event owner identity of non-VSAM DATASET profile volser datasetname make newowner Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command, and with event equal to Replace due to a COPY PERMIT/USER/GROUP command. To solve the error condition an ALTDSD VOL() OWNER() command will be generated. The new owner will be the HLQ of the profile, unless that is identical to identity. In that case it will be the name specified on the DEFAULT OWNER= command. The new owner selected is shown in the message. Severity: 04 CKR0056 event owner identity of VSAM DATASET profile volser datasetname - make newowner Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command, and with event equal to Replace due to a COPY PERMIT/USER/GROUP command. To solve the error condition a ALTDSD VOL() OWNER() command will be generated. The new owner will be the HLQ of the profile, unless that is identical to identity. In that case it will be the name specified on the DEFAULT OWNER= command. The new owner selected is shown in the message. Severity: 04 CKR0057 event owner identity of generic DATASET profile datasetname - make newowner Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command, and with event equal to Replace due to a COPY PERMIT/USER/GROUP command. To solve the error condition a ALTDSD GENERIC OWNER() command will be generated. The new owner will be the HLQ of the profile, unless that is identical to identity. In that case it will be the name specified on the DEFAULT OWNER= command. The new owner selected is shown in the message. Severity: 04 CKR0058 • CKR0065 CKR0058 event owner identity of model DATASET profile datasetname - make newowner CKR0062 event owner identity connect userid to group Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command, and with event equal to Replace due to a COPY PERMIT/USER/GROUP command. To solve the error condition a ALTDSD OWNER() command will be generated. The new owner will be the HLQ of the profile, unless that is identical to identity. In that case it will be the name specified on the DEFAULT OWNER= command. The new owner selected is shown in the message. Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command. To solve the error condition a CONNECT OWNER() command will be generated with the connect group as the new owner. Severity: 04 Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command, and with event equal to Replace due to a COPY PERMIT/USER/GROUP command. To solve the error condition a RALTER OWNER() command will be generated with the default owner selected. CKR0059 event owner identity general resource profile progname - make newowner Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command, and with event equal to Replace due to a COPY PERMIT/USER/GROUP command. To solve the error condition a RALTER OWNER() command will be generated with the default owner selected with DEFAULT OWNER=. The new owner selected is shown in the message. Severity: 04 CKR0060 event owner identity on user userid - make newowner Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command. To solve the error condition an ALTUSER OWNER() command will be generated with the default owner selected with DEFAULT OWNER= as the new owner. The new owner selected is shown in the message. Severity: 04 CKR0061 event owner identity on group group make newowner Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command. To solve the error condition an ALTGROUP OWNER() command will be generated with the default owner selected as the new owner. The new owner selected is shown in the message. Severity: 04 CKR0063 event owner identity general resource profile class key Severity: 04 CKR0064 event permit identity general resource profile class key Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Copy or Remove due to a REMOVE PERMIT/USER/GROUP command, with event equal to Redundant due to a REMOVE REDUNDANT_PERMIT command, and with event equal to Replace due to a COPY PERMIT/USER/ GROUP command. To solve the error condition a PERMIT DELETE command will be generated. Severity: 04 CKR0065 Missing userid userid on group group Explanation: This message is issued due to a VERIFY CONNECT command. It indicates that the indicated user ID is not found in the USERID repeat group of the indicated GROUP profile, or that there is no such group profile at all. Also, the group is not universal, or the group is universal but the connect has a connect attribute of SPECIAL, OPERATIONS, or AUDITOR, or a connect authority other than USE. Connect information should be present in three places in the RACF databases, and for each of those places a message CKR0065, CKR0066, or CKR0067 is issued if it was missing that specific piece. No support is present to remove this condition. Severity: 08 Severity: 04 Chapter 5. CKR messages 123 CKR0066 • CKR0074 CKR0066 Missing group group on user userid Explanation: This message is issued due to a VERIFY CONNECT command. It indicates that the indicated group was not found in the CONGRPNM repeat group of the indicated USER profile, or that there is no such user profile at all. Connect information should be present in three places in the RACF databases, and for each of those places a message CKR0065, CKR0066, or CKR0067 is issued if it was missing that specific piece. No support is present to remove this condition. Severity: 08 CKR0067 Missing connect userid to group group Explanation: This message is issued due to a VERIFY CONNECT command. It indicates that the indicated group was not found in the CGGRPNM repeat group of the indicated USER profile, or that there is no such user profile at all. Connect information should be present in three places in the RACF databases, and for each of those places a message CKR0065, CKR0066, or CKR0067 is issued if it was missing that specific piece. No support is present to remove this condition. Severity: 08 CKR0068 event id - identity referenced number times Explanation: This message summarizes the erroneous references found by the VERIFY PERMIT or MOVE/REMOVE/COPY PERMIT/USER/GROUP/ NOTIFY commands for each undefined or removed/copied identity. Severity: 00 CKR0069 No system has non-directed ctlg entry for cluster on volser clustername Explanation: This message indicates that a cluster clustername with at least one component on volume volser was cataloged in such a way that a STEPCAT or JOBCAT DD statement is needed to access it on all systems sharing the volume volser. In addition, there is no alias on any of the systems for the first qualifier(s), otherwise message CKR0294 would be issued instead. Severity: 04 CKR0070 Component name found twice in VTOC - volser datasetname Explanation: Two identical format 1 DSCB keys in the VTOC are not supported. If the error is reproducible (run zSecure Collect again first), the condition may be resolved by letting the VTOC index (if present) decide which one is in use, and modifying the DSCB of the other one to another name (if you want to keep the 124 Messages Guide data) or to a format 0 DSCB. If you modify the DSCB, you will have to rebuild the VTOC index. Severity: 08 CKR0071 Component name found in VVDS but not in VTOC - volser datasetname Explanation: Incidental cases may be the result of actions performed by the system between reading of the VTOC and the VVDS by zSecure Collect (opening the VVDS takes a considerable amount of time). If this message is reproducible for the same component (run zSecure Collect again first), then a problem exists. Perform the IDCAMS DIAGNOSE function on the VVDS: maybe a DELETE CLUSTER or DELETE VVR command will help. Severity: 08 CKR0072 Catalog not found on any volume for cluster name datasetname Explanation: This message is issued together with CKR0073 to indicate that the VVDS points to a catalog that was not found in the CKFREEZE file. This message lists the cluster name that was cataloged in the now-unavailable catalog. This need not be a problem if the data set was cataloged in another catalog, available through the regular search sequence. Severity: 04 CKR0073 Catalog not found on any volume on any system datasetname Explanation: This message is issued to indicate that references were found from the VVDS to the catalog indicated. The cluster names that were cataloged in the now-unavailable catalog are listed by separate CKR0072 and CKR0169 messages. Severity: 08 CKR0074 Discrete profile for VVDS present (not used by DFP) volser datasetname Explanation: DFP does not consult RACF for operations on the VVDS. Instead, APF authorization is required to open it. Therefore, the VVDS profile gives a false picture of the access requirements of the VVDS. For a pure RACF/DFP combination it should be deleted to avoid misleading data. However, you might want to verify that your non-IBM storage management products are properly using DASDVOL class and not using a VVDS data set profile. Severity: 04 CKR0075 • CKR0084 CKR0075 Inaccessible data set (RACF indicated and no profile) volser datasetname CKR0078 Redundant non-VSAM DATASET profile volser datasetname Explanation: An indicated data set exists that is not protected by any (discrete or generic) profile. This message is issued by the VERIFY PROTECTALL function. Since the data set is indicated (the DSCBIND bit in the VTOC, that tells RACF that this data set is protected by a discrete profile, is on), we expect a discrete profile. This situation may be acceptable when in your installation user data sets are only accessible to the user himself, and therefore there is no need to register PERMITs or audit requirements. An ADDSD NOSET command is generated to solve this error condition, unless VERIFY INDICATED was also specified: then a message CKR0040 was already issued, with the appropriate command sequence (see CKR0040). Note that adding the profile may not be enough, you might want to enhance the access list, or use a generic profile instead. Explanation: This message is issued due to the REMOVE REDUNDANT command. The command generated is DELDSD VOL(). Severity: 04 Explanation: This message is issued due to the REMOVE REDUNDANT command. The command generated is DELDSD VOL(). CKR0076 Unprotected data set (not RACF indicated, no generic) volser datasetname Explanation: This message is issued due to a VERIFY PROTECTALL command in NOPROTECTALL or PROTECTALL(WARN) environment. No command is generated. Severity: 08 CKR0077 Generic profile without matching data sets datasetname Explanation: The generic profile indicated appears not to protect any data sets. This message is issued by the VERIFY NOTEMPTY function and accompanied by a DELDSD GENERIC command for the profile in the CKRCMD. There could be several situations in which this message is issued while the profile still performs a valid function. It could be there to disallow allocation, it might protect data sets that are only temporarily present (maybe during a periodic batch run, or they are created and deleted regularly by TSO users), or the VERIFY NOTEMPTY run did not use a recent CKFREEZE data set as input. To check for temporary file existence, for example, during batch job run, it is recommended that you use SMF reporting and JCL library searches before deciding to delete an empty profile. After verification you can use the editor to delete any undesired commands before executing the CKRCMD results. Severity: 04 Severity: 04 CKR0079 Redundant VSAM data set profile volser datasetname Explanation: This message is issued due to the REMOVE REDUNDANT command. The command generated is DELDSD VOL(). Severity: 04 CKR0080 Redundant TAPE data set profile volser datasetname Severity: 04 CKR0081 Redundant MODEL data set profile datasetname Explanation: This message is issued due to the REMOVE REDUNDANT command. The command generated is DELDSD. Severity: 04 CKR0082 Inaccessible data set (not indicated and no generic) volser datasetname Explanation: This message is issued due to a VERIFY PROTECTALL command in a PROTECTALL(FAIL) environment. No command is generated. Severity: 04 CKR0083 Redundant generic data set profile datasetname Explanation: This message is issued due to the REMOVE REDUNDANT command. The command generated is DELDSD. Severity: 04 CKR0084 Component name found in VTOC but not in VVDS - volser datasetname Explanation: Incidental cases can result from actions that are performed by the system between readings of the VTOC and the VVDS by zSecure Collect (opening the VVDS takes a considerable amount of time). First, run IBM zSecure Collect again. If this message is Chapter 5. CKR messages 125 CKR0085 • CKR0096 reproduced for the same component, then a problem exists. Perform the IDCAMS DIAGNOSE function on the VVDS. Severity: 08 CKR0090 Severity: 08 CKR0085 Duplicate cluster entry found in 1 catalog on volume volser datasetname Explanation: This message indicates that the configuration input file CKFREEZE contains a catalog dump for a catalog on volume volser with the same cluster entry datasetname appearing twice. This might happen if you concatenate two CKFREEZE files containing dumps of the same catalog. Severity: 08 CKR0086 Explanation: This message summarizes the result of the SUPPRESS VOL= command per volume. Severity: 00 CKR0091 Explanation: This message summarizes the result of the LIMIT MSG= command per volume. Ownership cell not found for cluster cataloged on volser datasetname CKR0092 Number of detail messages is nnn Explanation: This message summarizes the total number of detail messages that will subsequently be issued. Severity: 00 Severity: 00 CKR0093 Explanation: This message summarizes the number of suppressed messages due to the SUPPRESS ID= and LIMIT ID= commands. Note that these two commands will only limit the number of messages issued, not the work performed by the VERIFY and REMOVE commands (use SELECT QUAL= for this if applicable). Severity: 00 Cluster not in any connected catalog, component on volser datasetname Explanation: The indicated cluster (datasetname) was referred to from MVS control blocks or from a VVDS, but the cluster was not part of any catalog connected to the master catalog on any system. Possibly, the volume was shared with a system for which you did not include a CKFREEZE file, or the master catalog for one of your systems was switched without it being synchronized with the old one first. The cluster will not be normally accessible. Severity: 00 CKR0095 Messages Guide volser has nnn discrete profile(s) but volume not mounted in complex [version] Explanation: This message (with CKR0093 and CKR0094) summarizes the result of the VERIFY ONVOLUME command per volume. Severity: 00 CKR0096 volser has nnn inaccessible data set(s) (RACF indicated, no profile) in complex [version] Explanation: This message (with CKR0097 and CKR0098) summarizes the result of the VERIFY PROTECTALL command per volume. Severity: 00 126 volser has nnn discrete profile(s) without data set on the volume in complex [version] Explanation: This message (with CKR0093 and CKR0095) summarizes the result of the VERIFY ONVOLUME command per volume. Severity: 00 CKR0089 volser has nnn discrete profile(s) for non-RACF indicated data sets in complex [version] Explanation: This message (with CKR0094 and CKR0095) summarizes the result of the VERIFY ONVOLUME command per volume. CKR0094 Id based suppress or limit request(s) nnn detail message(s) suppressed volser has nnn RACF indicated data set(s) without profile in complex [version] Explanation: This message summarizes the result of the VERIFY INDICATED command per volume. Severity: 08 CKR0088 volser message limit exceeded - nnn detail message(s) suppressed Severity: 08 Explanation: This message indicates that the configuration input file CKFREEZE contains a catalog dump from a catalog on volume volser with a cluster entry datasetname for which the ownership cell was not found. Check whether the record length of the CKFREEZE file is sufficient for your catalog records. CKR0087 volser suppress request - nnn detail message(s) suppressed CKR0097 • CKR0108 CKR0097 volser has nnn inaccessible data set(s) (not indicated, no profile) in complex [version] Explanation: This message (with CKR0096 and CKR0098) summarizes the result of the VERIFY PROTECTALL command per volume in a PROTECTALL(FAIL) environment. CKR0098) summarizes the result of the VERIFY PROTECTALL command per volume in a NOPROTECTALL or PROTECTALL(WARN) environment. Severity: 00 CKR0099 Severity: 00 CKR0098 volser has nnn unprotected data set(s) (not indicated, no profile) in complex [version] nnn messages suppressed for catalog catalog name Explanation: This message summarizes the result of the SUPPRESS CAT= or LIMIT MSG= command. Severity: 00 Explanation: This message (with CKR0097 and Messages from 100 to 199 CKR0100 Duplicate request for ID=name Explanation: More than one specific and incompatible request was made for one identity. Remove duplicates and use separate runs for conflicting requests. Admin and Audit for RACF: User Reference Manual. Severity: 12 CKR0104 Severity: 12 CKR0101 Duplicate REPORT PERMIT/SCOPE=id Explanation: An identity occurred twice in the indicated commands. Remove duplicates. Severity: 12 CKR0102 Explanation: You must use separate runs for each of these REPORT options. Severity: 12 CKR0103 Explanation: Both the field to be used as selection criterion and the exact or substring scan value for it must be specified. Severity: 12 CKR0105 The parameters OUTOFGROUP, NONDEFAULT and (NON)REDUNDANT are mutually exclusive Explanation: The field you requested on the LIST, SORTLIST, DISPLAY, or (D)SUMMARY command was neither a NEWLIST TYPE=RACF built-in field, nor found in the templates for any type of entity. Verify the spelling in the CARLa Command Language chapter in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual. Severity: 12 Field "fldname" to be processed unknown Explanation: The field you requested on the LIST, SORTLIST, DISPLAY, or (D)SUMMARY command is not a built-in field. Verify the spelling in the CARLa Command Language chapter in theIBM Security zSecure Catalog "catname" specified more than once Explanation: The same catalog was mentioned more than once for the same function. Possibly you used the repeat command of the editor and intended to change it to another name. Severity: 12 CKR0107 Severity: 12 CKR0103 Volume "volser" specified more than once Explanation: The same volume was mentioned more than once for the same function. Possibly you used the repeat command of the editor and intended to change it to another volume. CKR0106 Field "fldname" to be processed not found in any template FIELD must be specified with either SCAN or FIELDVALUE The parameters PROFILE, MASK/FILTER, MATCH and BESTMATCH are mutually exclusive Explanation: On the SELECT or EXCLUDE command only one selection option based on the profile key can be given. Severity: 12 CKR0108 Left margin cannot exceed right margin Chapter 5. CKR messages 127 CKR0109 • CKR0120 at ddname line number Explanation: In the MARGINS(x,y) command, x (the left margin) cannot exceed y (the right margin). If possible, the dataset and line number where this occurred are specified. Severity: 12 CKR0109 Value selection for field field not supported at ddname line number Explanation: The specified field has internally coded field values. This type is not supported, and can only be used for output. Severity: 12 BY= must precede PAGEBY= Explanation: The PAGEBY value must be the first in the BY list and the BY list must be in front of the PAGEBY option. Severity: 12 CKR0110 CKR0114 PAGEBY and BY combination implies page per profile Explanation: The combination of BY and PAGEBY parameter as specified or implied would result in a new page for each profile. This is probably not what you meant. Severity: 12 CKR0115 option only valid behind USER/PERMIT= Explanation: The option indicated is only valid behind COPY, MOVE or REMOVE options USER= or PERMIT=. Possibly you only need to change the order of the parameters. Severity: 12 CKR0116 option only valid behind USER/GROUP= Explanation: The option indicated is only valid behind COPY, MOVE or REMOVE options USER= or GROUP=. Possibly you only need to change the order of the parameters. Severity: 12 CKR0111 DB=1 must be included because it is the master database before token at ddname line number Explanation: The master database must always be included in the databases selected because it contains the RACF options to be used. Severity: 12 CKR0112 DB numbers only supported in range 1..64 before token at ddname line number Severity: 12 Explanation: The option indicated is only valid behind MOVE or REMOVE option TOGROUP=. Possibly you only need to change the order of the parameters. CKR0118 option only valid behind USER/GROUP/NOTIFY/PERMIT= Explanation: The option indicated is only valid behind COPY, MOVE or REMOVE options USER= or GROUP=. Possibly you only need to change the order of the parameters. Severity: 12 LIST commands must be followed by at least one parameter or NEWLIST must be a LIKELIST target Explanation: The LIST command may not be specified without any operands, since this would result in an empty line for each selected profile or record. The exception to this rule is a LIST command in a NEWLIST that is the target of a LIKELIST; presumably, the NEWLIST will have OUTLIM set to zero. Severity: 12 CKR0119 Messages Guide option only valid behind USER= Explanation: The option indicated is only valid behind COPY, MOVE or REMOVE options USER=. Possibly you only need to change the order of the parameters. Severity: 12 CKR0120 option not valid with COPY Explanation: The option indicated is only valid behind MOVE or REMOVE commands, not behind COPY. Severity: 12 128 option only valid behind (RE)MOVE TOGROUP= Severity: 12 Explanation: Selection by sequence number is only supported for sequence number 1 through 64. To use higher sequence numbers, you must preallocate CKRACFnn files. CKR0113 CKR0117 CKR0121 • CKR0131 CKR0121 Print options behind NEWLIST must be specified before the (SORT)LIST Explanation: In the scope of a NEWLIST command, the print and selection options must be specified before the LIST, SORTLIST, DISPLAY, or (D)SUMMARY command(s). Change the order of your commands, and run the job again. Severity: 12 CKR0126 Invalid date value before type "value" at ddname line number Explanation: This message indicates that the date value encountered before the place indicated in the input is incorrect. This can be due to invalid month names, year formats, day numbers, invalid separators, etc. For valid date formats, see the date field parameter descriptions in the zSecure user reference manuals. Severity: 12 CKR0122 Selection behind NEWLIST must be specified before the (SORT)LIST or (D)SUMMARY CKR0127 The access value ALTER-O was not expected before type "value" at ddname line number Explanation: In the scope of a NEWLIST command, the print and selection options must be specified before the LIST, SORTLIST, DISPLAY, or (D)SUMMARY command(s). Change the order of your commands, and run the job again. Explanation: This message indicates that the program has interpreted the previous token as the access value ALTER-O, but this value is considered not applicable in this context. Severity: 12 Severity: 12 CKR0123 Field "name" is not a segment or entity name - ddname line number Explanation: A segment or entity is expected, but a field of another type was specified instead. Severity: 12 CKR0124 Field field value "value" invalid at ddname line number Use DDMMMYYY, YYYY-MM-DD, YYYY/DDD, TODAY, DUMPDATE, optionally suffixed "-nn" Explanation: A date is expected but the format is not recognized. The program supports an ISO-format date (for example, 01OCT1999), a julian date (for example, 1999/274), and the two keywords TODAY and DUMPDATE. You can add an -xx suffix to the keywords to indicate a date that is xx days earlier (for example, TODAY-7). In addition, you can specify the value NEVER to indicate no date. Note: Not all date fields support DUMPDATE. For example, the certificate fields CERTSTRT and CERTEND do not allow it to be specified. Severity: 12 CKR0125 Expecting relational operator or "(" instead of type "value" at ddname line number Explanation: This message indicates that the program has interpreted the previous token as a fieldname and is now expecting the rest of the expression to test a field value. Possibly, you mistyped the keyword just before the indicated string. Severity: 12 CKR0129 Value list only valid with "=" or "<>" before delimiter "value" at ddname line number Explanation: This message indicates that you specified a value list with a relational operator including "less than" or "greater than." Use these relational operators only when specifying a single value; do not use them with a value list. Severity: 12 CKR0130 OPEN failed for ddname volume dsn Explanation: Refer to CKR0002 and CKR0010 for a discussion. Message number to be suppressed must be in range 0..1999 - nnnn Explanation: This message indicates that the message number validation failed. Type a decimal number without CKR prefix, or a list of such numbers enclosed in parentheses and separated by commas. Severity: 12 CKR0128 Severity: 16 CKR0131 File empty - ddname volume dsn Explanation: Refer to CKR0002 and CKR0010 for a discussion. Severity: 16 Chapter 5. CKR messages 129 CKR0132 • CKR0140 CKR0132 Reading configuration for system name iplvol volume from pads file volume dsn running OS version activeproducts Created by program progname job jobname at dd mmm yyyy hh:mm::ss:cc (runtype) Explanation: This message indicates when, where and how the CKFREEZE file for an MVS system was created, and on what version of what operating system. In activeproducts the following products may be listed: DFP version JES2 version ESM version TSO version HSM version, where ESM may be RACF, ACF2 or TSS, and DFP may be DFP or DFSMS; for DFSMS active components may be listed after the version number (for example, DFSMS 2.10.0 hsm rmm). The runtype used may be APF or non-APF; if it was non-APF some information will not be contained in the CKFREEZE. If the message contains the text PADS for pads, then this indicates that access to the data set was allowed by virtue of conditional access by this program. In this case, the program will restrict its functionality to the user's scope. Severity: 00 CKR0135 Concatenation of system sysid data behind system on file ddname invalid, use separate CKRCKFnn file for each system Explanation: This message indicates that it detected two concatenated CKFREEZE data sets in one input file. This is not supported. Use separate DDnames or multiple ALLOC TYPE=CKFREEZE commands. This message can also be issued when multiple zSecure Collect jobs have written to the same data set. Severity: 16 CKR0136 Indirect volser on VSAM profile not supported for multiple systems datasetname Explanation: This message indicates that the database contains a discrete VSAM data set profile with an indirect volser ('******'). The program does not support this with more than one system. The indirect volser would imply that the profile may cover more than one data set at the same time (seen from different systems). Severity: 08 CKR0132 Reading configuration for system name from pads file volume dsn created by progname job jobname at ddmmmyyyy hh:mm:ss.ffffff Explanation: This message indicates when, where and how the CKFREEZE file for a VM system was created. If the message contains the text PADS for pads, then this indicates that access to the data set was allowed by virtue of conditional access by this program. In this case, the program will restrict its functionality to the user's scope. CKR0137 Explanation: This message indicates that the program expects NONE, READ, EXECUTE, UPDATE, ALTER, USE, CREATE, CONNECT, or JOIN. Severity: 12 CKR0138 Severity: 00 CKR0133 VERIFY PERMIT and COPY/MOVE/REMOVE are mutually exclusive Explanation: The VERIFY PERMIT and COPY/MOVE/REMOVE commands cannot both be specified (since both commands use the same method internally). Severity: 12 CKR0134 Default system viewpoint name1 not found, using name2 instead Explanation: This message indicates that you specified a DEFAULT SYSTEM=name1 command. However, the system name1 is not present in the CKFREEZE files read by the program. Operation will continue with name2 instead. Severity: 04 Messages Guide Audit access must be ALTER, CONTROL, UPDATE, READ, or NONE - "value" at ddname line number Explanation: This message indicates that the value you specified for a field did not match the field type expected by the program. Severity: 12 CKR0139 Audit event must be ALL, SUCCESS, FAILURE, or NONE - "value" at ddname line number Explanation: This message indicates that the value you specified for a field did not match the field type expected by the program. Severity: 12 CKR0140 Number of profiles referring outside group is number for complex version Explanation: This message summarizes the number of profiles listed by a REPORT OUTOFGROUP command. Severity: 00 130 Field name value is not an access or authority - "value" at ddname line number CKR0141 • CKR0151 CKR0141 Number of non-default profiles found is number for complex version CKR0147 PATH/GETPROC mutually exclusive with VOL/UNIT - at ddname line number Explanation: This message summarizes the number of profiles listed by a REPORT NONDEFAULT command. Explanation: If you specify a UNIX pathname, then you cannot specify a volume serial or unit name. Severity: 00 Severity: 12 CKR0142 Of the xxxx profiles tested yyyy are redundant (pp%) for complex version Explanation: This message gives the number of profiles considered redundant by a REPORT NONREDUNDANT or REPORT REDUNDANT command. In addition, it compares this to the total number of profiles tested for redundancy. Severity: 00 CKR0143 Number of profiles and qualifiers in selected scope is number for complex version Explanation: This message summarizes the number of profiles and qualifiers listed by a REPORT SCOPE= or REPORT PERMIT= command. Severity: 00 CKR0144 MOD only valid with TYPE=CKRCMD/OUTPUT - at ddname line number Explanation: You specified MOD on an ALLOC statement with a TYPE other than CKRCMD or OUTPUT. This is not supported. Remove the MOD from the ALLOC statement. CKR0148 Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a REMOVE PERMIT/USER command. It means that the undefined identity occurs in the STUSER field of the STDATA segment of the indicated STARTED profile. To solve the condition an RALT command will be generated to remove this field from the profile. Severity: 04 CKR0149 MOD mutually exclusive with VOL/UNIT/MEMBER/FILEDESC/PATH/ GETPROC - at ddname line number Explanation: The ALLOC MOD parameter cannot be combined with any of the parameters above. Either remove MOD or leave out the unsupported parameter. Severity: 12 CKR0146 FILEDESC mutually exclusive with VOL/UNIT and TYPE other than OUTPUT or CKRCMD - at ddname line number Explanation: You can only specify FILEDESC on an ALLOC TYPE=OUTPUT or TYPE=CKRCMD. Also it is mutually exclusive with VOL and UNIT. Severity: 12 event stgrp identity general resource profile STARTED profile Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a REMOVE PERMIT/GROUP command. It means that the undefined identity occurs in the STGROUP field of the STDATA segment of the indicated STARTED profile. To solve the condition an RALT command will be generated to remove this field from the profile. Severity: 04 CKR0150 Severity: 12 CKR0145 event stuser identity general resource profile STARTED profile STARTED profile profile revoked user id not connected to group group - "user" is used. Explanation: This message is produced by the VERIFY STC command. It describes two separate problems in the indicated profile in the STARTED class: the user id in the STUSER field in the STDATA segment is not connected to the group in the STGROUP field, so that the undefined user ID user will be used, and furthermore the user id is revoked, so that even after curing the first problem the started task would run with reduced authority and might still experience problems (as indicated by CKR0575). This message indicates an error on the profile level, but no command is generated as it is unclear what the desired solution would be. Severity: 08 CKR0151 STARTED profile profile revoked user id not connected to group group - "user" is used for procedure volume dataset Explanation: This message is produced by the VERIFY STC command. It describes two separate problems in the indicated profile in the STARTED class: the user id Chapter 5. CKR messages 131 CKR0152 • CKR0155 in the STUSER field in the STDATA segment is not connected to the group in the STGROUP field, so that the undefined user ID user will be used, and furthermore the user id is revoked, so that even after curing the first problem the started task would run with reduced authority and might still experience problems (as indicated by CKR0575). Note that the first qualifier of profile is generic, and either the user id or the group is specified as =MEMBER and thus evaluates to procedure, so that the main problem is not a condition on the profile level; no command is generated. is specified later) should be used. After correcting the second condition, a new run should "only" yield CKR0564. Severity: 08 CKR0154 STARTED profile profile contains group id id as STUSER and user id id2 as STGROUP - "user" is used - action to newuser newgroup note Explanation: This message is produced by the VERIFY STC command. It describes two separate problems in the indicated profile in the STARTED class: it does not contain an STUSER field in the STDATA segment, and the STGROUP field does not contain a valid group ID but username id instead. Because of the severe first condition, the profile indicated will be ignored, and the started procedure table ICHRIN03 will be used instead. No attempt is made to cure this condition, because it may be intentional. To cure the second problem, a command is generated: if newgroup is group(=MEMBER), then the profile's first qualifier is a valid group ID, and STGROUP field is set to use that member name; otherwise, newgroup is NOGROUP and the STGROUP field will be removed from the STDATA segment, meaning that the default group (for the user when one is specified later) should be used. After correcting the second condition, a new run should "only" yield CKR0564. Explanation: This message is produced by the VERIFY STC command. It describes two separate problems in the indicated profile in the STARTED class: the STUSER field in the STDATA segment does not contain a valid user ID, but the groupname id, and the STGROUP field does not contain a valid group ID but the username id2. As a result of these errors, the user and group specified in the profile will be ignored, and the undefined user ID user will be used instead. A command is generated to remove the erroneous specifications. If the profile's first qualifier is a valid user or group, newuser or newgroup will be set to =MEMBER to use the member name, respectively; if not, they will be set to NOUSER and NOGROUP respectively to indicate the fields are to be deleted. If newuser is user(=MEMBER) (and thus newgroup is NOGROUP), the identities are both fixed and the action will be correct, although you still may have to note "but userid still revoked", meaning that the started task would run with reduced authority and might still experience problems (as indicated by CKR0575); if newuser is NOUSER the action will be change, there will be no note, and after the proposed change the profile would be so obviously unusable that RACF would fall back on started procedure table ICHRIN03, and a subsequent VERIFY STC would issue CKR0564 for the profile. Severity: 08 Severity: 08 Severity: 08 CKR0152 CKR0153 No STUSER specified on STARTED profile profile - ICHRIN03 is used - and user id id as STGROUP - changed to newgroup No STUSER specified on STARTED profile profile - ICHRIN03 is used - and undefined STGROUP id - changed to newgroup Explanation: This message is produced by the VERIFY STC command. It describes two separate problems in the indicated profile in the STARTED class: it does not contain an STUSER field in the STDATA segment, and the STGROUP field does not contain a valid group ID but value id. Because of the severe first condition, the profile indicated will be ignored, and the started procedure table ICHRIN03 will be used instead. No attempt is made to cure this condition, because it may be intentional. To cure the second problem, a command is generated: if newgroup is group(=MEMBER), then the profile's first qualifier is a valid group ID, and STGROUP field is set to use that member name; otherwise, newgroup is NOGROUP and the STGROUP field will be removed from the STDATA segment, meaning that the default group (for the user when one 132 Messages Guide CKR0155 STARTED profile profile contains group id id as STUSER and undefined STGROUP id2 - "user" is used - action to newuser newgroup note Explanation: This message is produced by the VERIFY STC command. It describes two separate problems in the indicated profile in the STARTED class: the STUSER field in the STDATA segment does not contain a valid user ID, but the groupname id, and the STGROUP field does not contain a valid group ID but the value id2. As a result of these errors, the user and group specified in the profile will be ignored, and the undefined user ID user will be used instead. A command is generated to remove the erroneous specifications. If the profile's first qualifier is a valid user or group, newuser or newgroup will be set to =MEMBER to use the member name, respectively; if not, they will be set to NOUSER and NOGROUP respectively to indicate the fields are to be deleted. If newuser is user(=MEMBER) (and thus newgroup is NOGROUP), the identities are both fixed CKR0156 • CKR0159 and the action will be correct, although you still may have to note "but userid still revoked", meaning that the started task would run with reduced authority and might still experience problems (as indicated by CKR0575); if newuser is NOUSER the action will be change, there will be no note, and after the proposed change the profile would be so obviously unusable that RACF would fall back on started procedure table ICHRIN03, and a subsequent VERIFY STC would issue CKR0564 for the profile. Severity: 08 CKR0156 STARTED profile profile has undefined STUSER id and user id id2 as STGROUP - "user" is used - action to newuser newgroup note Explanation: This message is produced by the VERIFY STC command. It describes two separate problems in the indicated profile in the STARTED class: the STUSER field in the STDATA segment does not contain a valid user ID, but the value id, and the STGROUP field does not contain a valid group ID but the username id2. As a result of these errors, the user and group specified in the profile will be ignored, and the undefined user ID user will be used instead. A command is generated to remove the erroneous specifications. If the profile's first qualifier is a valid user or group, newuser or newgroup will be set to =MEMBER to use the member name, respectively; if not, they will be set to NOUSER and NOGROUP respectively to indicate the fields are to be deleted. If newuser is user(=MEMBER) (and thus newgroup is NOGROUP), the identities are both fixed and the action will be correct, although you still may have to note "but userid still revoked", meaning that the started task would run with reduced authority and might still experience problems (as indicated by CKR0575); if newuser is NOUSER the action will be change, there will be no note, and after the proposed change the profile would be so obviously unusable that RACF would fall back on started procedure table ICHRIN03, and a subsequent VERIFY STC would issue CKR0564 for the profile. Severity: 08 CKR0157 STARTED profile profile has undefined STUSER id and undefined STGROUP id2 - "user" is used - action to newuser newgroup note Explanation: This message is produced by the VERIFY STC command. It describes two separate problems in the indicated profile in the STARTED class: the STUSER field in the STDATA segment does not contain a valid user ID, but the value id, and the STGROUP field does not contain a valid group ID but the value id2. As a result of these errors, the user and group specified in the profile will be ignored, and the undefined user ID user will be used instead. A command is generated to remove the erroneous specifications. If the profile's first qualifier is a valid user or group, newuser or newgroup will be set to =MEMBER to use the member name, respectively; if not, they will be set to NOUSER and NOGROUP respectively to indicate the fields are to be deleted. If newuser is user(=MEMBER) (and thus newgroup is NOGROUP), the identities are both fixed and the action will be correct, although you still may have to note "but userid still revoked", meaning that the started task would run with reduced authority and might still experience problems (as indicated by CKR0575); if newuser is NOUSER the action will be change, there will be no note, and after the proposed change the profile would be so obviously unusable that RACF would fall back on started procedure table ICHRIN03, and a subsequent VERIFY STC would issue CKR0564 for the profile. Severity: 08 CKR0158 STARTED profile profile has STGROUP =MEMBER, which is a userid, and revoked STUSER id2 - "user" is used for procedure volume dataset Explanation: This message is produced by the VERIFY STC command. It describes two separate problems in the indicated profile in the STARTED class: the STGROUP field in the STDATA segment contains =MEMBER but the indicated procedure in the indicated data set is not a valid group ID, but a user ID, so that the undefined user ID user will be used, and the user ID specified in the STUSER field is revoked, so that even after curing the first problem the started task would run with reduced authority and might still experience problems (as indicated by CKR0575). Note that the first qualifier of profile is generic, so that it may apply to different procedures as well; therefore, it is unclear how this should be cured, and no command is generated. Severity: 08 CKR0159 STARTED profile profile has STGROUP =MEMBER, which is undefined, and revoked STUSER id2 - "user" is used for procedure volume dataset Explanation: This message is produced by the VERIFY STC command. It describes two separate problems in the indicated profile in the STARTED class: the STGROUP field in the STDATA segment contains =MEMBER but the indicated procedure in the indicated data set is not a valid group ID, but undefined to RACF, so that the undefined user ID user will be used, and the user ID specified in the STUSER field is revoked, so that even after curing the first problem the started task would run with reduced authority and might still experience problems (as indicated by CKR0575). Note that the first qualifier of profile is generic, so that it may apply to different procedures as well; therefore, it is unclear how this should be cured, and no command is generated. Chapter 5. CKR messages 133 CKR0160 • CKR0170 Severity: 08 CKR0160 CKR0165 Unsupported RACF database blksize nnnnn (must be 1024 or 4096) on file ddname dsname Explanation: The database to be read had an unsupported blocksize. This may happen if you transmit a database to another system and receive it there without explicitly requesting the proper blocksize; the system will select another blocksize in this case. CKR0161 Segment name not in templates - name for entity type xx Explanation: A profile in a restructured database was read with a segment name that could not be found in the template for the indicated entity type. The message is followed by the exact source location of the profile to assist in further analysis. Entity type not found in BASE segment of key Explanation: The entity type of the base segment of a profile in a restructured database was not found in the expected place in the profile. Contact IBM Software Support if the profile can be displayed normally by RACF commands. Entity type user assumed - segment segname of key Explanation: This message indicates that a non-base segment was encountered for which the entity type could not be determined. The message is issued only if DEBUG SEGMENT has been issued. For RACF 1.9 and up, this can only occur for a DFP segment of a USER or GROUP profile. For most purposes, this does not really matter, since they are treated the same most of the time (i.e. as accessor ids). However, if you request a LIST with CLASS, then the class may erroneously show USER. Severity: 00 CKR0164 Severity: 08 Grouping resource in conditional access list not supported - class key Explanation: A general resource profile in a restructured database contained a conditional access list with a reference to a grouping class. The program supports only non-grouping classes in the conditional access list. Severity: 16 Maximum profile length on complex is nnnnn bytes for class key Explanation: This informational message details the maximum profile length found in your RACF database on the indicated complex. It can be used to determine how near you are to problems. For non-restructured databases, the maximum length is 64KB. Severity: 00 CKR0169 Cluster protection undecidable (not in any catalog or VVDS) clustername Explanation: The indicated cluster cannot be represented properly in the reports, because the VVDS or catalog information is missing. Severity: 08 Segment name segname not in segment table for entity type xx Explanation: A profile segment in a restructured database was read with a segment name that could not be found in the segment table for the indicated entity type. The message is followed by the exact source location of the profile to assist in further analysis. Severity: 16 134 Conditional access list refers to unknown class "class" in class key Explanation: A general resource profile in a restructured RACF database contained a conditional access list containing a reference to a class not found in the class descriptor table. This message is given only once per "class". CKR0168 Severity: 16 CKR0163 Severity: 16 CKR0167 Severity: 16 CKR0162 Explanation: A profile in a restructured RACF database was read with the indicated entity type. The ICB did not contain a template pointer for the indicated entity type. The message is followed by the exact source location of the profile to assist in further analysis. CKR0166 Severity: 16 Template not found for entity type xx Messages Guide CKR0170 Selection in restricted mode is not allowed on restricted field field at ddname line number Explanation: When the program is running in restricted or PADS mode, selection on the indicated field is not allowed. The program is running in restricted mode either because of a reason shown in a CKR0031 message or because SIMULATE RESTRICT was specified. This condition is considered a syntax CKR0171 • CKR0179 error (severity 12). If an ALLOWRESTRICT modifier explicitly indicates that the query must be executed anyway, this message is issued as a warning (severity 4) to remind you that the indicated field is treated as missing. The restrictions that apply to this field can be viewed in the "Restrictions" column of the output from the primary command FIELD after zooming in through BUILTIN and RACF, provided the command is also issued in restricted mode (SIMULATE RESTRICT in SETUP PREAMBLE will ensure this). CKR0174 Explanation: This message indicates that an unexpected condition was found in a usercatalog alias entry. Contact IBM Software Support. Severity: 20 CKR0175 Note: If the restriction is to OWNER or CKGOWNR and use of the restricted field is in a SELECT statement, message “CKR2463” on page 301 is issued instead. No support for n>1 associations in UCAT alias alias in BCS system volume dsn Unsupported number of qualifiers in usercat alias alias in BCS system volume dsn Severity: 04 or 12 Explanation: This message indicates that an alias entry in the catalog contained more than 4 qualifiers. Contact IBM Software Support. CKR0171 Severity: 20 Class not in descriptor table, default properties assumed - class Unexpected volume cell volser in BCS record cluster dsname Explanation: The indicated class (or its 4 character prefix in non-RDS databases) was present in the database, but not in the class descriptor table. Hence, the program cannot know which properties the class has and may use it incorrectly. This may for instance happen if you process a RACF database from a different system, or if classes were deleted from the class descriptor table without first removing all profiles in these classes. The message is followed by an indication which profile was first encountered with the offending class. To find all profiles you can use the SELECT CLASS= command. CKR0176 Severity: 08 (unless changed by the MSGRC parameter of the OPTION statement) Explanation: This message indicates that catalog information about VSAM data sets was missing from the CKFREEZE file(s) for the indicated complex, possibly because they were created without APF authorization. VERIFY NONEMPTY depends on completeness of the information and hence refuses to operate. CKR0172 ICHCNX00 returns qualifier "qual1" for internal but "qual2" for external format of dsname Explanation: This message indicates that an unexpected condition was found in an ICF catalog record. Contact IBM Software Support. Severity: 04 CKR0177 VERIFY NONEMPTY not performed on complex complex due to missing catalog information Explanation: The installation exit returns different qualifiers for the internal and external formats of the data set name, both of which are unequal to the first qualifier of the data set name. The program will choose the external one. The message can be suppressed by the command SUPPRESS MSG=172. Severity: 08 Severity: 16 (unless changed by the MSGRC parameter of the OPTION statement) Explanation: This message indicates that you used a system name that was not found in the CKFREEZE files. Possibly you mistyped the system name, or forgot to allocate the CKFREEZE file. CKR0173 ICHCNX00 returns qualifier "qual1" for internal but "qual2" for external format of dsname CKR0178 No CKFREEZE file for system name in SIMULATE SHARED VOLUME= volser command Severity: 12 Explanation: The installation exit returns different qualifiers for the internal and external formats of the data set name. The program will choose the external one. This message is issued only if the DEBUG QUAL command was issued. CKR0179 Severity: 00 Severity: 12 Conflicting share information for volume volume on system system Explanation: The SIMULATE commands are inconsistent with respect to the specified system/volume combination. Chapter 5. CKR messages 135 CKR0180 • CKR0192 CKR0180 No CKFREEZE file for system name in SIMULATE (NON)SHARED SYSTEM=name command Explanation: This message indicates that you used a system name that was not found in the CKFREEZE files. Possibly you mistyped the system name, or forgot to allocate the CKFREEZE file. Severity: 12 CKR0181 CKR0186 Explanation: This message indicates that you tried to define the volume name in system system as both shared and unshared on different SIMULATE commands. Severity: 12 CKR0187 Unknown subparameter - parm Explanation: This message indicates that the program does not recognize the specified parameter, at least not in this place. Conflicting SHARE/NONSHARE for volume name on system system Field name value string type not supported - 'value' at ddname line number Explanation: The only valid string types are X for hex, B for bit(mask), and C for character string (which is the same as omitting the type). Severity: 12 Severity: 12 CKR0188 CKR0182 Field name flag value must be GLOBAL, GENERAL or SPECIFIC - "value" at ddname line number Field name value invalid - bit string may only contain 0, 1, or . - "value" at ddname line number Explanation: This message indicates that for field name only the values GLOBAL, GENERAL and SPECIFIC can be specified. Explanation: This message indicates that the string of type B (bitmask) contains an invalid character. Specify 0 or 1 for an exact match on a bit, and dot "." for a do not care. Severity: 12 Severity: 12 CKR0183 Simulation not supported - parm Explanation: This message indicates that the specified parameter was recognized but is not supported for simulation. Severity: 12 CKR0189 Field name flag value must be FORCE or NOFORCE - "value" at ddname line number Explanation: This message indicates that an improper value was specified for the XRFSOFF flag. Severity: 12 CKR0184 Conflicting options SHARED and NONSHARED Explanation: This message indicates that you tried to define all volumes in all systems as both shared and unshared. Severity: 12 CKR0190 Field name value invalid - maximum bit string length is 32 at ddname line number Explanation: This message indicates that you tried to use a bitmask input string with more than 32 binary digits. This is not supported. Severity: 12 CKR0185 SIMULATE SHARE VOL=list should include the system names system system has to share the volume(s) with Explanation: This message indicates, that if you specify a system list for a volume, then it should contain a list of systems sharing the volume. You specified only one system, which is not sufficient to define the sharing relationship. If you meant that the volume is shared among all your systems, then you must completely omit the SYSTEM parameter. Severity: 12 CKR0191 Field name flag value must be hex, binary, YES, NO, ON, OFF, or a bit mask "value" at ddname line number Explanation: This message indicates that a value for a flag field was not recognized. Severity: 12 CKR0192 PAGELEN=nn must be larger than 5, or 0 to suppress page separators Explanation: This message indicates that you specified an invalid PAGELENGTH value. The page length includes all page headers and titles. Since these are printed on each page, there is a minimum page length 136 Messages Guide CKR0193 • CKR0199 of five (toptitle, title, subtitle, empty line, column header). If you do not want any headers, specify NOPAGE. If you just want one header per NEWLIST/SORTLIST, specify PAGELENGTH=0. would allow you to see information beyond your scope of authority. Note that even records 'in your scope' contain information that is not 'in your scope' to see since you are not given access to it by ACF2 itself. Severity: 12 Severity: 12 CKR0193 activereason using system name iplvol volume running operating system release with prod release Explanation: This message indicates that the active system settings are used. If activereason contains the text No configuration file, this is because no CKFREEZE file was present. If activereason shows Active configuration this is because of an explicit allocation request. Required information about system control blocks normally taken from the CKFREEZE file, like the RACF Class Descriptor Table (when processing a RACF database) will be taken from the current system. The message also indicates the security product prod (RACF, ACF2, or TSS) and its release level. Severity: 00 CKR0197 Unload not allowed with PADS access to configuration dataset Explanation: This message indicates that the program is operating in restricted or PADS mode and will not allow you to make an unload file. While this may not be strictly necessary in the case of PADS access to a CKFREEZE file, the program has only one restricted mode of operation, independently of exactly which input file was accessed through PADS mode. Severity: 12 CKR0197 Unload not allowed with program pathing access to configuration dataset Explanation: This message indicates that an unexpected condition was found in an ICF catalog record. Contact IBM Software Support. Explanation: This message indicates that the program is operating in restricted or program pathing mode and will not allow you to make an unload file. While this may not be strictly necessary in the case of program pathing access to a CKFREEZE file, the program has only one restricted mode of operation, independently of exactly which input file was accessed through program pathing mode. Severity: 20 Severity: 12 CKR0194 CKR0195 Volume cell missing from connector entry for dsname in catalog catname SIMULATE RESTRICT not possible on this system Explanation: This message indicates that it is not possible to simulate restricted PADS mode for a RACF database that does not have your current user ID defined in it. Severity: 12 CKR0196 Unload not allowed during PADS access to ddname volume dsn Explanation: This message indicates that the program is operating in restricted or PADS mode and will not allow you to make an unload file, since this would allow you to see information beyond your scope of authority. Note that even profiles 'in your scope' contain information that is not 'in your scope' to see since you are not given access to it by RACF itself. Severity: 12 CKR0196 Unload not allowed during program pathing access to ddname volume dsn CKR0198 Option not allowed in restricted mode option Explanation: This message indicates that the program is operating in restricted or PADS mode and will not allow you to use the indicated option or command, since it might influence access control decisions. If option is "DEBUG other than RESTRICT PERFORM DICT CPIC ACTION OUNIT" the severity of this message will be zero. Severity: 12 CKR0199 REPORT [SCOPE|PERMIT]=idname not allowed, id is not in your scope on complex complex version Explanation: This message indicates that the program is operating in restricted or PADS mode and will not allow you to request a scope or permit report for a user or group that is considered to be outside your scope of authority. Severity: 12 Explanation: This message indicates that the program is operating in restricted or program pathing mode and will not allow you to make an unload file, since this Chapter 5. CKR messages 137 CKR0200 • CKR0211 Messages from 200 to 299 CKR0200 Duplicate NONVSAM profile volume volser dataset datasetname Explanation: Two identical profile keys were found for the same volume. This is an anomaly in the RACF database. Only the first profile will be used in the program, and no support is present to remove the condition. Severity: 20 CKR0201 Duplicate TAPEDSN profile volume volser dataset datasetname Explanation: Two identical profile keys were found for the same volume, and both with DSTYPE=TAPE. This is an anomaly in the RACF database. Only the first profile will be used in the program, and no support is present to remove the condition. Severity: 20 error is reproducible, contact IBM Software Support. Severity: 20 CKR0206 Duplicate GLOBAL profile classname complex complex version Explanation: Two identical GLOBAL profiles for the indicated class were found. This is an anomaly in the RACF database. Only the first profile will be used, and no support is present to remove the condition. Severity: 20 CKR0207 Model name too long on profile identity complex complex version Explanation: The model profile name on a user or group profile contained more than 44 characters including the prefix. The program provides no support for this condition. Severity: 20 CKR0202 Duplicate VSAM profile volume volser cluster datasetname Explanation: Two identical profile keys were found for the same volume and both with DSTYPE=VSAM. This is an anomaly in the RACF database. Only the first profile will be used in the program, and no support is present to remove the condition. Severity: 20 CKR0203 CKR0208 field not found in type profile.complex complex version Explanation: Here type can be DATASET or GENERAL, and field can be UNIVACS, UACC, FLAG1, AUDIT, AUDITQS, AUDITQF, GAUDITQS or GAUDITQF. Contact IBM Software Support. Severity: 20 Duplicate MODEL profile datasetname CKR0209 identity defined as both USER and GROUP Explanation: Two identical profile keys were found, both for a model data set. This is an anomaly in the RACF database. Only the first profile will be used in the program, and no support is present to remove the condition. Explanation: The indicated identity was found as a profile in the class USER as well as the class GROUP. No support exists to handle this condition. Severity: 20 Severity: 20 CKR0204 Duplicate generic dataset profile base datasetname Explanation: Two identical profile keys were found, both for a generic data set profile. This is an anomaly in the RACF database. Only the first profile will be used, and no support is present to remove the condition. Severity: 20 CKR0205 field not found in profile datasetname complex complex version Explanation: Here field can be DSTYPE or MODELNAM. While searching the data set profile indicated for the specified field, end-of-profile was reached or the template did not contain the field. If the 138 Messages Guide CKR0210 USER "identity" doubly defined Explanation: Two user profiles were encountered with identical keys. Possibly you combined two copies of the same database in one run. Severity: 20 CKR0211 GROUP "identity" doubly defined Explanation: Two group profiles were encountered with identical keys. Possibly you combined two copies of the same database in one run. Severity: 20 CKR0212 • CKR0221 CKR0212 Numeric or flag field fldname exceeds supported length (4 byte) for profile key Explanation: This message indicates that during SELECT or EXCLUDE processing a profile was encountered with the field length for the indicated field exceeding 4 bytes. The program assumes that all numeric fields are 4 bytes or less in length. Severity: 20 CKR0213 Missing master catalog for system name Explanation: This message indicates that the CKFREEZE files did not contain a catalog dump of the master catalog for the indicated system, or that it was not clear which catalog was the master catalog. Severity: 16 CKR0214 CKFREEZE file required for selected options Explanation: This message indicates that you requested program functions that require the presence of a CKFREEZE file. However, no CKFREEZE or CKRCKF0n file was found allocated. CKR0217 Audit authority required to access field Explanation: This message indicates that the program is operating in restricted or PADS mode and will not allow you to request access to a field that is reserved for users with the auditor or group-auditor attribute. The ALLOWRESTRICT modifier causes the severity of this message to drop to 4, thus allowing the program to finish the query. The offending field will be shown blank. Severity: 12 or 04 CKR0218 Field field of length field-length extends number chars beyond target line length line-length - ddname line number Explanation: This message indicates that you requested more fields than will fit into the output line buffer, which has maximum length line-length. The indicated field (of length field-length) would extend number characters beyond the end of the output line. The requested field will be truncated automatically. Severity: 12 CKR0219 Severity: 12 ICHCNX00 exit abend sssuuu now activating SUPPRESS ICHCNX00 Explanation: This message indicates that the program is operating in restricted or PADS mode and will not allow you to request access to a field that is marked masked in the database templates. Explanation: This message indicates that an abend condition was intercepted while calling the current system's RACF exit ICHCNX00. This may easily happen if the exit requires supervisor state, key zero operation, or other authorized functions. The abend code was system abend sss (hexadecimal) or user abend uuu (hexadecimal). Calls to the exit will be suppressed for the remainder of the run. Severity: 12 Severity: 16 CKR0215 CKR0216 Non-PADS run required to access masked field field event permit identity whenclass whenprofile(1-15) class key Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a (RE)MOVE PERMIT/USER/GROUP command, with event equal to Redundant due to a REMOVE REDUNDANT_PERMIT command, and with event equal to Copy or Replace due to a COPY PERMIT/USER/GROUP command. It indicates that identity was found in the conditional access list of a general resource profile. Only the first 15 characters of the key in the conditional permit are shown. For (RE)MOVE or VERIFY a PERMIT DELETE WHEN(...()) command is generated to remove the conditional permit. For COPY a PERMIT WHEN(...()) command is generated to create the conditional permit. Severity: 04 CKR0220 Unsupported date length for fieldname location complex complex version Explanation: This message is issued when trying to format a variable length date field with an unsupported length. The field name from the template is indicated in the message, as well as the profile in which the condition was found, either in the format profile key or in the format connect user to group. Severity: 20 CKR0221 Warning: program profiles present but program control not active in system sys complex complex version Explanation: This message indicates that you requested a report concerning PROGRAM protection. Profiles were found in the class PROGRAM, but the system-wide option SETROPTS WHEN(PROGRAM) is not in effect. This means that the profiles will not be used by RACF, and will not be present on the REPORT AC1 and REPORT PADS output, unless you Chapter 5. CKR messages 139 CKR0222 • CKR0231 include a SIMULATE SETROPTS WHEN(PROGRAM) command. Severity: 16 Severity: 00 CKR0226 CKR0222 event supgrp identity of group name make name Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a REMOVE PERMIT/USER command. The superior group field will be changed by an ALG command to the indicated group. Severity: 04 CKR0223 Invalid PRINT/NEWLIST output file file Explanation: This message indicates that the indicated filename or DDname is not valid as a target for a NEWLIST or PRINT command. The following reserved DDnames may not be specified: CKRUNLIN, CKRUNLOU, STEPLIB, SYSABEND, SYSUDUMP, SYSMDUMP, CKRCARLA, CKRTSPRT, XMLIN, XMLOUT, CKRACF*, CKRSMF*, and all redirections for those files. For additional information, see the OPTION command documentation in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual. Invalid sysid (must be lower or equal to 4 characters) Explanation: This message indicates a system name was found in a conditional access list entry that had more than 4 characters. This is not supported. contact IBM Software Support. Severity: 16 CKR0227 length must be in range n..32767 Explanation: This message indicates that the page or line length you supplied does not fall in the allowed interval 0..32767 for PL or 1..32767 for LL. If you want to prevent paginating the output, you should use PL=0 or NOPAGE. Severity: 12 CKR0228 Modifiers TITLE and TOPTITLE cannot be combined with WRAP/MORE/HOR field field at ddname line number Explanation: This message indicates that a modifier was specified that changes the appearance of a repeated field on the overview line but is not supported for page titles. Severity: 12 Severity: 12 CKR0229 CKR0224 nn profiles and nn segments read, nn profiles and nn segments selected (nn%) for complex [version] Explanation: This message is only issued for a Restructured Data Set and indicates the number of profiles (base segments) and non-base segments that were read and the numbers that were selected. The percentage is based on the sum of profiles and non-base segments. The number selected for a run that only uses merge will be zero. If other TYPE=RACF newlists, reports or verify commands are used, those will determine the number of selected profiles / segments. Severity: 00 CKR0225 DMS default setting not supported ppppppppv on complex complex system system Explanation: This message indicates that the indicated setting v for a DMS parameter pppppppp is not supported - results may be unpredictable. It can happen that the indicated parameter setting was assumed as a default by the program (because it is the default in DMS) if the actual value was missing in the CKFREEZE file. 140 Messages Guide Modifiers TITLE and TOPTITLE are mutually exclusive - field field at ddname line number Explanation: A field must be either part of the title or the toptitle. But you can specify the field twice with one of the modifiers on each. Severity: 12 CKR0230 Modifier PAGE not allowed after variable field without PAGE - field field at ddname line number Explanation: Fields that cause a page boundary when their value changes must be higher in the sort hierarchy than fields that do not have the page modifier. Severity: 12 CKR0231 (TOP)TITLE must occur before fields on output line - field field at ddname line number Explanation: Fields that are to be reported in a page title must be higher in the sort hierarchy than fields that do not have a (top)title modifier. Severity: 12 CKR0232 • CKR0243 CKR0232 KEY must occur before any non-key fields on display - field field at ddname line number CKR0238 Replace notify identity of model DATASET profile datasetname - with newnotify Explanation: The KEY modifier can only be used in a set of contiguous columns on the left of the display. This defines the part of the display that cannot be scrolled horizontally. Explanation: This message is issued due to a (RE)MOVE NOTIFY/PERMIT/USER, NEWNOTIFY= command. In response, an ALTDSD NOTIFY() command will be generated to change the notify field. Severity: 12 Severity: 04 CKR0233 Modifiers TITLE and TOPTITLE not valid with length 0 - field field at ddname line number Explanation: The field that is to be reported in a page title must have a fixed length. Severity: 12 CKR0234 option modifier invalid on LIST command, use SORTLIST before token at ddname line number Explanation: Use SORTLIST if you want to use the TOPTITLE, TITLE or PAGE modifier. Severity: 12 CKR0239 Change notify identity to id2 profile class key Explanation: This message is issued for a PROGRAM or GLOBAL profile due to a (RE)MOVE NOTIFY/ PERMIT/USER, NEWNOTIFY= command. In response, an RALTER NOTIFY() command will be generated to change the notify field. Severity: 04 CKR0240 BCS RACF indicator set but no discrete VSAM profile volser clustername Explanation: This message is issued due to a VERIFY INDICATED command. Severity: 04 CKR0235 Replace notify identity on non-VSAM DATASET profile volume datasetname with newnotify Explanation: This message is issued due to a (RE)MOVE NOTIFY/PERMIT/USER, NEWNOTIFY= command. In response, an ALTDSD NOTIFY() command will be generated to change the notify field. Severity: 04 CKR0236 Replace notify identity on VSAM DATASET profile volume datasetname with newnotify Explanation: This message is issued due to a (RE)MOVE NOTIFY/PERMIT/USER, NEWNOTIFY= command. In response, an ALTDSD NOTIFY() command will be generated to change the notify field. Severity: 04 CKR0237 Replace notify identity on generic DATASET profile datasetname - with newnotify Explanation: This message is issued due to a (RE)MOVE NOTIFY/PERMIT/USER, NEWNOTIFY= command. In response, an ALTDSD NOTIFY() command will be generated to change the notify field. Severity: 04 CKR0241 Discrete VSAM profile but BCS RACF indicator not set volser clustername Explanation: This message is issued due to a VERIFY ONVOLUME command. The volume indicated is the volume of the catalog (BCS) that contained an ownership cell with the RACF indicator bit off for the indicated cluster. To solve the error condition a DELDSD NOSET command will be generated. Severity: 04 CKR0242 Discrete VSAM profile present but no cluster found volser clustername Explanation: This message is issued due to a VERIFY ONVOLUME command. The volume indicated is the volume of the catalog that did not contain the cluster. To solve the error condition a DELDSD NOSET command will be generated. Severity: 04 CKR0243 Discrete VSAM profile but BCS volume not mounted volser clustername Explanation: This message is issued due to a VERIFY ONVOLUME command. The profile indicates a volume that is not mounted. To solve the error condition a DELDSD NOSET command will be generated. Severity: 04 Chapter 5. CKR messages 141 CKR0244 • CKR0252 CKR0244 Replace notify identity on tape DATASET profile volser datasetname with newnotify Explanation: This message is issued due to a (RE)MOVE NOTIFY/PERMIT/USER, NEWNOTIFY= command. In response, an ALTDSD NOTIFY() command will be generated to change the notify field. Severity: 04 CKR0245 event qualif identity of tape DATASET profile volser datasetname - output DELDSD Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command. It indicates that the data set profile has a first qualifier that is undefined or to be removed. To solve the condition, a DELDSD VOL() command will be generated. The message and action may be suppressed by means of a SUPPRESS command. Severity: 04 CKR0246 event qualif identity of non-VSAM DATASET profile volser datasetname output DELDSD Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command. It indicates that the data set profile has a first qualifier that is undefined or to be removed. To solve the condition, a DELDSD VOL() command will be generated. The message and action may be suppressed by means of a SUPPRESS command. event qualif identity of VSAM DATASET profile volser datasetname - output DELDSD Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command. It indicates that the data set profile has a first qualifier that is undefined or to be removed. To solve the condition, a DELDSD VOL() command will be generated. The message and action may be suppressed by means of a SUPPRESS command. Severity: 04 142 Messages Guide event qualif identity of generic DATASET profile datasetname - output DELDSD Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command. It indicates that the data set profile has a first qualifier that is undefined or to be removed. To solve the condition, a DELDSD command will be generated. The message and action may be suppressed by means of a SUPPRESS command. Severity: 04 CKR0249 event qualif identity of model DATASET profile datasetname - output DELDSD Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command. It indicates that the data set profile has a first qualifier that is undefined or to be removed. To solve the condition, a DELDSD command will be generated. The message and action may be suppressed by means of a SUPPRESS command. Severity: 04 CKR0250 Multivolume discrete profile but no RACF indicator volser datasetname Explanation: This message is issued due to a VERIFY ONVOLUME command. To solve the error condition a ALTDSD DELVOL command will be generated. Severity: 04 CKR0251 Severity: 04 CKR0247 CKR0248 Multivolume discrete profile but data set not found volser datasetname Explanation: This message is issued due to a VERIFY ONVOLUME command. To solve the error condition a ALTDSD DELVOL command will be generated. Severity: 04 CKR0252 Multivolume discrete profile but volume not mounted volser datasetname Explanation: This message is issued due to a VERIFY ONVOLUME command. To solve the error condition a ALTDSD DELVOL command will be generated. Severity: 04 CKR0253 • CKR0261 CKR0253 Cluster indicator unknown due to undumped catalog on volume clustername Explanation: The program was unable to determine whether the indicated cluster was RACF indicated or not, since the catalog in which it was cataloged according to the VVDS, was not present in the catalog dump. Discrete profile not used because GDG model present volser datasetname Explanation: This message is issued due to a VERIFY ONVOLUME command. It indicates that a discrete profile is present for a GDG generation, while at the same time a discrete non-VSAM or model profile exists for the GDG base name, and GDG modelling is active. To solve the error condition a DELDSD NOSET command will be generated. However, if the generation has already been rolled off the GDG, the command may be rejected with the error message "NOT FOUND IN CATALOG". In this case, the profile can only be removed by deactivating the system-wide MODEL(GDG) option before issuing the command. Severity: 04 CKR0255 event notify identity on non-VSAM DATASET profile volser datasetname Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a (RE)MOVE NOTIFY/PERMIT/USER command, and with event equal to Replace due to a COPY PERMIT/USER command. To solve the error condition an ALTDSD VOL() NONOTIFY command will be generated. Severity: 04 CKR0256 event notify identity on VSAM DATASET profile volser datasetname Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a (RE)MOVE NOTIFY/PERMIT/USER command, and with event equal to Replace due to a COPY PERMIT/USER command. To solve the error condition an ALTDSD VOL() NONOTIFY command will be generated. Severity: 04 CKR0257 Severity: 04 CKR0258 Severity: 08 CKR0254 (RE)MOVE NOTIFY/PERMIT/USER command, and with event equal to Replace due to a COPY PERMIT/USER command. To solve the error condition an ALTDSD NONOTIFY command will be generated. event notify identity on generic DATASET profile datasetname Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a event notify identity of model DATASET profile datasetname Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a (RE)MOVE NOTIFY/PERMIT/USER command, and with event equal to Replace due to a COPY PERMIT/USER command. To solve the error condition an ALTDSD NONOTIFY command will be generated. Severity: 04 CKR0259 event notify identity general resource profile class name Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a (RE)MOVE NOTIFY/PERMIT/USER command, and with event equal to Replace due to a COPY PERMIT/USER command. To solve the error condition a RALT NONOTIFY command will be generated. Severity: 04 CKR0260 event member identity general resource profile class key Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a (RE)MOVE PERMIT/USER command. This message is only issued for the NODES resource class. To solve the condition an RDEL command will be generated to remove the entire profile. Severity: 04 CKR0261 Key with unknown identity general resource profile class key Explanation: This message is issued due to a VERIFY PERMIT or (RE)MOVE PERMIT/USER command. This message is only issued for resource classes where some qualifier can be a user ID or group, like VMMDISK, VMBATCH, DLFDATA, JESJOBS, NODES, JESSPOOL, PROPCNTL, VMEVENT, and VMXEVENT. To solve the condition an RDEL command will be generated to remove the profile. Severity: 04 Chapter 5. CKR messages 143 CKR0262 • CKR0269 CKR0262 event user identity - defines OMVS default UID in BPX.DEFAULT.USER Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a REMOVE PERMIT/USER command. It means that the identity to be removed defines the OMVS default UID, and that the error condition is not resolved. This error condition is not resolved when the default GID specification is present and not to be removed; if there would not have been a default GID specification to be kept, the condition would have been resolved by removing the specification(s), and CKR0298 would have been issued instead. CKR0266 Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a (RE)MOVE NOTIFY/PERMIT/USER command. It means that the identity to be removed was found in the RESOWNER field of the DFP segment. To solve the error condition an ALTDSD VOL() NODFP command will be generated. Severity: 04 CKR0267 Severity: 08 CKR0263 event notify identity general resource profile class key Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a (RE)MOVE NOTIFY/PERMIT/USER command, and with event equal to Replace due to a COPY PERMIT/USER command. To solve the condition a RALTER NONOTIFY command will be generated to remove the notify field. event R-ownr identity on non-VSAM DATASET profile volser datasetname Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a (RE)MOVE NOTIFY/PERMIT/USER command. It means that the identity to be removed was found in the RESOWNER field of the DFP segment. To solve the error condition an ALTDSD VOL() NODFP command will be generated. Severity: 04 event R-ownr identity of model DATASET profile datasetname Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a (RE)MOVE NOTIFY/PERMIT/USER command. It means that the identity to be removed was found in the RESOWNER field of the DFP segment. To solve the error condition an ALTDSD VOL() NODFP command will be generated. Severity: 04 CKR0268 Severity: 04 CKR0264 event R-ownr identity on generic DATASET profile datasetname event permit identity whenclass whenprofile(1-15) class key Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a (RE)MOVE PERMIT/USER/GROUP command, with event equal to Redundant due to a REMOVE REDUNDANT_PERMIT command, and with event equal to Copy or Replace due to a COPY PERMIT/USER/GROUP command. It indicates that identity was found in the conditional access list of a general resource profile. Only the first 15 characters of the key in the conditional permit are shown. To solve the condition a PERMIT DELETE WHEN(...()) command will be generated. Severity: 04 CKR0265 event R-ownr identity on VSAM DATASET profile volser datasetname Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a REMOVE NOTIFY/PERMIT/USER command. It means that the identity to be removed was found in the RESOWNER field of the DFP segment. To solve the error condition an ALTDSD VOL() NODFP command will be generated. Severity: 04 144 Messages Guide CKR0269 event permit identity SYSID smfid PROGRAM profile Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a (RE)MOVE PERMIT/USER/GROUP command, with event equal to Redundant due to a REMOVE REDUNDANT_PERMIT command, and with event equal to Copy or Replace due to a COPY PERMIT/USER/GROUP command. It indicates that identity was found in the conditional access list WHEN(SYSID(smfid)) clause of a PROGRAM profile. To solve the condition a CKR0270 • CKR0277 PERMIT DELETE WHEN(SYSID(smfid)) command will be generated. Severity: 04 CKR0270 event permit identity whenclass whenprofile(1-15) PROGRAM profile Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a (RE)MOVE PERMIT/USER/GROUP command, with event equal to Redundant due to a REMOVE REDUNDANT_PERMIT command, and with event equal to Copy or Replace due to a COPY PERMIT/USER/GROUP command. It indicates that identity was found in the conditional access list clause of a PROGRAM profile other than WHEN(SYSID(...)). Only the first 15 characters of the key in the conditional permit are shown. To solve the condition a PERMIT DELETE WHEN(...()) command will be generated. Severity: 04 CKR0271 event permit identity in access list of tape dsn volser datasetname Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a (RE)MOVE PERMIT/USER/GROUP command, with event equal to Redundant due to a REMOVE REDUNDANT_PERMIT command, and with event equal to Copy or Replace due to a COPY PERMIT/USER/GROUP command. To solve the error condition a PERMIT DELETE VOL() command will be generated. Severity: 04 CKR0272 Remove raclink node.id with id2 - output RACLINK UNDEFINE Explanation: This message is issued due to a REMOVE USER= command. In order to remove id2, its raclinks must be deleted first, hence RACLINK UNDEFINEs are generated for each. Severity: 00 CKR0273 event owner identity of tape DATASET profile volser datasetname - make newowner Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a (RE)MOVE PERMIT/USER/GROUP command, and with event equal to Replace due to a COPY PERMIT/USER/GROUP command. To solve the error condition a ALTDSD VOL() OWNER() command will be generated. The new owner will be the HLQ of the profile, unless that is identical to identity. In that case it will be the name specified on the DEFAULT OWNER= command. The new owner selected is shown in the message. Severity: 04 CKR0274 event notify identity on tape DATASET profile volser datasetname Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a (RE)MOVE NOTIFY/PERMIT/USER command. To solve the error condition a ALTDSD VOL() NONOTIFY command will be generated. Severity: 04 CKR0275 Inaccessible cluster (RACF indicated and no profile) volser datasetname Explanation: This message is issued due to a VERIFY PROTECTALL or VERIFY INDICATED command. To solve the error condition an ADDSD NOSET command will be generated, but only if VERIFY INDICATED was not specified. Note that adding the profile may not be enough, you might want to enhance the access list, or use a generic profile instead. Severity: 04 CKR0276 Unprotected cluster (not RACF-indicated, no generic) volser datasetname Explanation: This message is issued due to a VERIFY PROTECTALL command in NOPROTECTALL or PROTECTALL(WARN) environment. No command is generated. Severity: 08 CKR0277 event R-ownr identity on tape DATASET profile volser datasetname Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a (RE)MOVE NOTIFY/PERMIT/USER command. It means that the identity to be removed was found in the RESOWNER field of the DFP segment. To solve the error condition an ALTDSD VOL() NODFP command will be generated. Severity: 04 Chapter 5. CKR messages 145 CKR0278 • CKR0288 CKR0278 Revoke for user identity requested Explanation: This message is issued due to a (RE)MOVE USER=, REVOKE command. In response, an ALTUSER REVOKE command will be generated. Severity: 00 CKR0279 Connect user identity to group identity as requested - output CONNECT Explanation: This message is issued due to a MOVE USER=, TOGROUP= command. In response, a CONNECT command will be generated. Severity: 00 CKR0280 Default group of identity becomes identity because removing former default Explanation: This message is issued due to a MOVE USER=, TOGROUP= command. In response, an ALTUSER DFLTGRP() command will be generated. Severity: 00 CKR0281 Remove user identity from identity as requested - output REMOVE Explanation: This message is issued due to a MOVE USER=, TOGROUP= command. In response, a REMOVE command will be generated. Severity: 00 CKR0282 Inaccessible cluster (not indicated and no generic) volser datasetname Explanation: This message is issued due to a VERIFY PROTECTALL command in a PROTECTALL(FAIL) environment. No command is generated. CKR0285 Explanation: This message is issued due to a (RE)MOVE NOTIFY/PERMIT/USER, NEWNOTIFY= command. In response, a RALTER NOTIFY() command will be generated to change the notify field. Severity: 04 CKR0286 Delete userid identity group identity as requested - output DELUSER Explanation: This message is issued due to a REMOVE USER= command. In response, a DELUSER command will be generated. Severity: 00 CKR0284 Delete group identity of depth depth output DELGROUP Explanation: This message is issued due to a REMOVE GROUP= command. In response, a DELGROUP command will be generated for the indicated group with the indicated depth. Severity: 00 146 Messages Guide No VTOC and no VVDS entry for cluster component on volser datasetname Explanation: This message is issued if a cluster component is referred to by a catalog entry or system control block, but could not be found in either the VTOC or the VVDS. Severity: 08 CKR0287 Non-restorable dataset, indic, no generic at archive volser datasetname of seq Explanation: This message is issued if the DMSFILES data set contains a DSNINDEX and RACFENCD record for a version of data set datasetname that was RACF indicated and protected by a discrete profile at the time of the archive operation, but the discrete RACF profile (with the encoded name) is not found in the RACF database anymore. According to the DMS documentation, this means that it is impossible to restore the data set without first changing the DSNINDEX records. If this message keeps occurring after repeating the zSecure Collect run, you should follow the procedures in the DMS documentation (for example, RACFCHK1) to reconcile the relationship between DMS and RACF. Severity: 08 CKR0288 Severity: 04 CKR0283 Replace notify identity general resource profile class key by newnotify Non-restorable data set, RACFENCD record missing for volser datasetname of seq Explanation: This message is issued if the DMSFILES data set contains a DSNINDEX record for a version of data set datasetname that was RACF indicated and protected by a discrete profile at the time of the archive operation, but does not contain a corresponding RACFENCD record. According to the DMS documentation, this means that it is impossible to restore the data set without first changing the DSNINDEX records. If this message keeps occurring after repeating the zSecure Collect run, you should follow the procedures in the DMS documentation (for example, RACFCHK1) to reconcile the relationship between DMS and RACF. Severity: 08 CKR0289 • CKR0296 CKR0289 Orphan RACFENCD record, DSNINDEX record missing for datasetname of seq Explanation: This message is issued if the DMSFILES data set contains a RACFENCD record for a version of the indicated data set without a corresponding DSNINDEX record. Possibly this may correspond to an 'orphan' discrete profile, this is currently not checked by the program. If this message keeps occurring after repeating the zSecure Collect run, you should follow the procedures in the DMS documentation (for example, RACFCHK1) to reconcile the relationship between DMS and RACF. Severity: 08 CKR0290 Discrete profile at archive non indicated data set volser datasetname of seq Explanation: This message is issued if a DSNINDEX record in the DMSFILES data set indicates that a version of the indicated data set was non-indicated and protected by a discrete profile at the same time (during the archive operation). This contradictory bit setting is not supported by the program. Severity: 08 CKR0291 RACFENCD record found but DSNINDEX discrete flag off volser datasetname of seq Explanation: This message is issued if a RACFENCD record has been found in the DMSFILES data set for a version of the data set datasetname (originally residing on volume volser) that also has a DSNINDEX record which tells that the data set was not protected by a discrete at the time of the archive. This contradictory bit setting is not supported by the program. Severity: 08 CKR0292 Connected catalog not found on any volume datasetname CKR0294 Cluster cataloged but not in proper ctlg on any system volser datasetname Explanation: This message is issued because this cluster is present in a catalog, but not in such a way that it can be accessed directly on any system for which a CKFREEZE was supplied, since there is no ALIAS for the HLQ of the cluster or for the dsname of the cluster in the master catalog. This means that on these systems this cluster can only be accessed from a batch job that uses a STEPCAT/JOBCAT allocation. If the cluster is not intended to be accessed from another system where an ALIAS is correctly defined, you should define an alias or delete the cluster. If this condition is intentional, you can suppress the message from the report with a SUPPRESS MSG=294 command. Severity: 04 CKR0295 Component part of two clusters on one system volser datasetname Explanation: This points to a maintenance issue with catalogs: the same VSAM component is defined in two (master or connected) catalogs on one system. You should investigate which definition is correct for this system, and whether the other definition is not used on another system. You can fix this error by uncataloging the component (or the whole cluster) from one of the catalogs. Severity: 08 CKR0296 PROGRAM profile w/o load module but info missing complex program Reason Explanation: This message is issued by the VERIFY PGMEXIST function because the indicated PROGRAM profile does not seem to cover any load module from any system in the complex, but some information necessary to be sure is missing. The message is followed by one or more Reason lines with one of the following detail explanations: v Not all VTOCs in CKFREEZE to search for data set without volser dsname Explanation: This message is issued if one of the system's master catalogs contains a usercatalog connector entry pointing to a catalog datasetname that could not be found. v Mig. catlg not in CKFREEZE to check data set any system dsname Severity: 08 v VTOC is not in CKFREEZE to check data set syst volser CKR0293 Volume not mounted on any system for cluster comp on volser datasetname Explanation: This message is issued if a catalog or system control block refers to a VSAM component on a volume that was not present in any of the CKFREEZE files. Severity: 08 v PDS dir. not available for migrated data set syst dsname v Mig. catlg not in CKFREEZE to check data set syst volume dsname v PDS dir. not available for migrated data set syst volume dsname v PDS directory not in CKFREEZE for data set syst volser dsname If you are using zSecure Admin or Audit for RACF, see the documentation for the VERIFY PGMEXIST, Chapter 5. CKR messages 147 CKR0297 • CKR0303 PROGRAMNONEMPTY, PROGRAMNOTEMPTY, PGMNONEMPTY, PGMNOTEMPTY commands in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual for more information about missing VTOCs, missing migration catalogs, and missing PDS directory information. If a CKRCMD file is allocated for the complex, a commented-out RDELETE command is generated to remove the PROGRAM profile. Severity: 04 CKR0297 Obsolete PROGRAM, load module not in libraries complex program Explanation: This message is issued by the VERIFY PGMEXIST function because the indicated PROGRAM profile does not cover any load module from any system in the complex. If a CKRCMD file is allocated for the complex, an RDELETE command is generated to remove the PROGRAM profile. Severity: 04 CKR0298 event user identity - defines OMVS default UID in BPX.DEFAULT.USER output RALTER Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a REMOVE PERMIT/USER command. It means that the identity to be removed defines the OMVS default UID, and that the error condition is resolved by removing the specification. If there was a default GID specification, it was to be removed as well; no separate message is shown. If there had been a default GID specification that should not be removed, the error condition would have been considered unresolvable and CKR0262 would have been issued instead. Severity: 04 CKR0299 event group identity - defines OMVS default GID in BPX.DEFAULT.USER output RALTER Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a REMOVE PERMIT/GROUP command. It means that the identity to be removed defines the OMVS default GID, and that the error condition is resolved by removing the specification. It also means that the default UID specification was to be kept; otherwise CKR0298 would have been issued instead. Severity: 04 Messages from 300 to 399 CKR0300 Tape volume vvvvvv part of TAPEVOL profile key1 as well as key2 complex complex version Explanation: This message is issued if a volume serial is part of more than one TAPEVOL profile. This might be caused by running with split databases and an incorrect range table. Severity: 20 CKR0301 event permit identity whenclass whenprofile(1-15) - volume dsname Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command, with event equal to Redundant due to a REMOVE REDUNDANT_PERMIT command, and with event equal to Copy or Replace due to a COPY PERMIT/USER/GROUP command. It indicates that the identity was found in the conditional access list of a discrete data set profile. Only the first 15 characters of the key in the conditional permit are shown. To solve the condition a PERMIT DELETE WHEN(...()) command will be generated. Severity: 04 148 Messages Guide CKR0302 event permit identity whenclass whenprofile(1-15) dataset dsname Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command, with event equal to Copy or Replace due to a COPY PERMIT/USER/GROUP command, and with event equal to Redundant due to a REMOVE REDUNDANT_PERMIT command. It indicates that the identity was found in the conditional access list of a generic data set profile. Only the first 15 characters of the key in the conditional permit are shown. To solve the condition a PERMIT DELETE WHEN(...()) command will be generated. Severity: 04 CKR0303 event permit identity whenclass whenprofile(1-15) model dsname Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command, with event equal to Copy or Replace due to a COPY PERMIT/USER/GROUP command, and with event equal to Redundant due to a REMOVE REDUNDANT_PERMIT command. It indicates that the CKR0304 • CKR0313 identity was found in the conditional access list of a model data set profile. Only the first 15 characters of the key in the conditional permit are shown. To solve the condition a PERMIT DELETE WHEN(...()) command will be generated. Severity: 04 CKR0304 Tape information inconsistent on scratch status for volume volser datasetname Explanation: This message is issued if one tape catalog entry for volser indicates that it is a scratch volume, while another one indicates that it is not. It will be treated as a scratch volume. Severity: 08 CKR0305 Catalog entry conflicts with tape management system volser datasetname file seq Explanation: This message is issued if an ICF catalog and a tape catalog indicate different data set names for the same file sequence number on the same volume serial. The tape catalog is assumed to be correct, the ICF catalog entry will be ignored. TVTOC entry conflicts with tape management system volser datasetname file seq Explanation: This message is issued if a TVTOC entry in the RACF database and a tape catalog entry indicate different data set names for the same file sequence number on the same volume serial. The tape catalog is assumed to be correct, the TVTOC entry will be ignored. Severity: 08 CKR0310 Conflicting tape management information for file volser datasetname file seq Explanation: This message is issued if two tape catalog entries indicate different data set names for the same file sequence number on the same volume serial. There is no way to determine which is correct. Severity: 08 CKR0308 Catalog entry same fileseq as other catalog entry volser datasetname file seq Explanation: This message is issued if two ICF catalog entries indicate different data set names for the same file sequence number on the same volume serial. There is no way to determine which is correct. Conflicting tape management info on volume chaining volser datasetname previous vol2 Explanation: This message is issued if two tape management catalog entries indicate different previous volumes for the same volume serial. There is no way to determine which is correct. Severity: 08 CKR0312 TVTOC chaining conflict with tape management system volser datasetname previous vol2 Explanation: This message is issued if a TVTOC entry in the RACF database conflicts with the tape management catalog as to the previous volume for the indicated volume serial. The tape management catalog will be considered correct, and the TVTOC entry will be ignored. Severity: 08 CKR0313 Severity: 08 Adding previous volume pointer would create a loop volser datasetname previous vol2, reading source Explanation: This message is issued if vol2 is declared as the volume directly preceding volser, while volser already precedes vol2. source is either TVTOC, to indicate that the error was detected while processing the RACF database, or CKFREEZE, to indicate that the error was detected while processing the ICF and tape catalogs. The new link is not established; any TVTOC entries are processed first. Severity: 08 CKR0307 Catalog entry conflicts with TVTOC volser datasetname file seq Explanation: This message is issued if an ICF catalog and a TVTOC entry in the RACF database indicate different data set names for the same file sequence number on the same volume serial. The TVTOC is assumed to be correct, the ICF catalog entry will be ignored. CKR0311 Severity: 8 CKR0306 CKR0309 Catalog entries disagree on the previous volume of volser datasetname previous vol2 Explanation: This message is issued if two ICF catalog entries indicate different previous volumes for the same tape volume serial. There is no way to determine which is correct; vol2 is the ignored link. Severity: 08 Severity: 08 Chapter 5. CKR messages 149 CKR0314 • CKR0322 CKR0314 Catalog vol chaining conflicts with tape management volser datasetname previous vol2 Explanation: This message is issued if an ICF catalog entry conflicts with the tape management catalog as to the previous volume for the indicated volume serial. The tape management catalog will be considered correct, and the information from the catalog entry will be ignored. Severity: 08 CKR0315 Catalog vol chaining conflicts with TVTOC volser datasetname previous vol2 Explanation: This message is issued if an ICF catalog entry conflicts with a TAPEVOL TVTOC entry in the RACF database as to the previous volume for the indicated volume serial. The TVTOC will be considered correct, and the information from the catalog entry will be ignored. Severity: 08 CKR0316 Imbedded ISPF variable not found name at ddname line number Explanation: This message indicates that an INCLUDE or IMBED command was given for an ISPF variable, but the variable was not present in either the implicit function pool, the shared variable pool, or the profile variable pool. Severity: 12 CKR0317 Open failed [type abend rc-rr (interpretation)] for imbedded file ddname dataset dsname at ddname2 line number Explanation: This message indicates that an INCLUDE or IMBED command was given for a file, but the file could not be opened. If an abend occurred, the abend code, reason code and interpretation are given. Review the job log for messages with additional information. If no abend information is present in the message, a preceding CKR message should indicate the reason for the failure. CKR0319 ICHRIN03 generic entry allows masquerading any user sys entry "procname userid grpname" Explanation: This message indicates an undesirable effect of the contents of the Started Procedure Table ICHRIN03 on the indicated system sys. The generic entry allows persons with UPDATE access to a started task procedure library or JES2 parameter data set to masquerade as any user in the system by creating a procedure member with a name equal to the user ID to masquerade. The recommended form of the generic entry is to include in the generic entry a nonblank group name that is specifically meant to contain only the user IDs allowed to run as started tasks. Severity: 08 CKR0320 Option only valid behind NEWLIST option at ddname line Explanation: This message indicates that the indicated option was included on a BUNDLE, OPTION or PRINT command, but this option is only allowed on the NEWLIST. Examples are RDS, NONRDS, and RETAIN. Note that most PRINT options are also allowed on the NEWLIST command. Severity: 12 CKR0321 ICHRIN03 undefined user id procedure procname volume dsn status system Explanation: This message indicates a mismatch between the Started Procedure Table ICHRIN03 and the RACF database on system system. If status is system, the indicated procedure in the indicated procedure library maps to a user ID that is not defined in the RACF database; hence the procedure will run with the default authority, the undefined RACF user "*". If status is fallback, the indicated procedure has the same problem, but is currently unused; if no procedure library is indicated, there is no task by that name; if a library is indicated, the task is covered by a valid profile in the STARTED class and hence does not use ICHRIN03. Severity: 08 Severity: 12 CKR0322 CKR0318 ICHRIN03 generic entry is not the last one, ignored sys entry "procname userid grpname" Explanation: This message indicates an error in the contents of the Started Procedure Table ICHRIN03 on the indicated system sys. The generic entry must be the last entry to be handled as a generic entry by RACF. It appears that the generic entry in your ICHRIN03 is not the last entry. Severity: 08 150 Messages Guide ICHRIN03 undefined group id procedure procname volume dsn status system Explanation: This message indicates a mismatch between the Started Procedure Table ICHRIN03 and the RACF database on system system. If status is system, the indicated procedure in the indicated procedure library maps to a connect group that is not defined in the RACF database; hence the procedure will run with the default authority, the undefined RACF user "*". If status is fallback, the indicated procedure has the same problem, but is currently unused; if no procedure CKR0323 • CKR0328 library is indicated, there is no task by that name; if a library is indicated, the task is covered by a valid profile in the STARTED class and hence does not use ICHRIN03. CKR0326 Started task runs with default authority procname volume dsn status system Explanation: This message indicates a mismatch between the Started Procedure Table ICHRIN03 and the RACF database on system system. If status is system, the indicated procedure in the indicated procedure library maps to a user ID/group combination that has no connect defined in the RACF database; hence the procedure will run with the default authority, the undefined RACF user "*". If status is fallback, the indicated procedure has the same problem, but is currently unused; if no procedure library is indicated, there is no task by that name; if a library is indicated, the task is covered by a valid profile in the STARTED class and hence does not use ICHRIN03. Explanation: If status is system, this message identifies a started task that runs with the default RACF user (USER=*) on system system. This may be correct (if the task does not need any higher access than the UACC of the data sets accessed). On the other hand, often a number of procedures can be identified which will fail if started with this (lack of) authority. If status is fallback, the indicated procedure has the same problem, but is currently unused; if no procedure library is indicated, there is no task by that name; if a library is indicated, the task is covered by a valid profile in the STARTED class and hence does not use ICHRIN03. If you are not interested in the latter kind of potential problems, add SUPPRESS FALLBACK to the command input. To suppress all messages concerning the default user ID, you can add SUPPRESS ID=* (for ICHRIN03) and SUPPRESS ID=++++++++ (for the STARTED class) to the command input. To suppress only this message, add SUPPRESS MSG=326 to the command input. Severity: 08 Severity: 00 Severity: 08 CKR0323 CKR0324 ICHRIN03 no connect uid to group id proc procname volume dsn status system ICHRIN03 contains group id as user procname volume dsn status system Explanation: This message indicates a mismatch between the Started Procedure Table ICHRIN03 and the RACF database on system system. If status is system, the indicated procedure in the indicated procedure library maps to a user ID that is not defined as user in the RACF database, but as a group; hence the procedure will run with the default authority, the undefined RACF user "*". If status is fallback, the indicated procedure has the same problem, but is currently unused; if no procedure library is indicated, there is no task by that name; if a library is indicated, the task is covered by a valid profile in the STARTED class and hence does not use ICHRIN03. Severity: 08 CKR0325 ICHRIN03 contains userid id as group procname volume dsn status system Explanation: This message indicates a mismatch between the Started Procedure Table ICHRIN03 and the RACF database on system system. If status is system, the indicated procedure in the indicated procedure library maps to a group name that is not defined as group in the RACF database, but as a user; hence the procedure will run with the default authority, the undefined RACF user "*". If status is fallback, the indicated procedure has the same problem, but is currently unused; if no procedure library is indicated, there is no task by that name; if a library is indicated, the task is covered by a valid profile in the STARTED class and hence does not use ICHRIN03. CKR0327 sys ICHRIN03 entry unused (subsys no proc) procname Explanation: This message indicates a mismatch between the Started Procedure Table ICHRIN03 and the active procedure libraries. The indicated procedure name in ICHRIN03 does not cover any procedure in any of the MSTR and JES2 procedure libraries used for started tasks in any of the systems. Note: This message may also be issued if a CKFREEZE file is used that was produced by running zSecure Collect from an unauthorized library. If zSecure Collect is run with APF authorization, it will use cross memory functions to find the data sets allocated to STCPROC (or PROC00 if there's no STCPROC). Subsequently, it will read the PDS directory of each of these proclibs. Note that it is insufficient to tell zSecure Collect to dump the directories of the PDS data sets in an unauthorized run, because they will not be known as proclibs. Severity: 08 CKR0328 Obsolete permit identity unknown program program - in model datasetprofile Explanation: This message is issued due to a VERIFY PADS command while RACF runs in Basic program security mode. A program is defined on a conditional access list, but no matching program profile exists. To solve the error condition, a command is generated to remove the WHEN-clause. Severity: 04 Severity: 08 Chapter 5. CKR messages 151 CKR0329 • CKR0337 CKR0329 Obsolete permit identity unknown program program generic datasetprofile Explanation: This message is issued due to a VERIFY PADS command while RACF runs in Basic program security mode (RACF pre-z/OS 1.4 or specifically defined in later RACF releases). A program is defined on a conditional access list, but no matching program profile exists. To solve the error condition, a command is generated to remove the WHEN-clause. Severity: 04 CKR0330 Open failed [type abend rc-rr (interpretation)] for imbedded member member of file ddname dataset dsname at ddname2 line number Explanation: This message indicates that an INCLUDE or IMBED command was given for a member, but the member could not be opened in the data set allocated to the file. If an abend occurred, the abend code, reason code and interpretation are given. Review the job log for messages with additional information. If no abend information is present in the message, a preceding CKR message should indicate the reason for the failure. Severity: 12 CKR0331 STC default authority - procname is a group procname volume dsn system system Explanation: This message indicates a mismatch for a specific procedure library member between the generic entry in the Started Procedure Table ICHRIN03 and the RACF database on system system. The indicated procedure in the indicated procedure library maps to a user ID that is not defined as a user in the RACF database, but as a group. Hence the procedure will be assigned the undefined RACF user "*" when started. CKR0333 Revoked started task uid userid procedure procname volume dsn status system Explanation: If status is system, this message indicates a nonstartable procedure on system system. The indicated procedure in the indicated procedure library maps to a user ID that is defined in the RACF database, but the user ID has been revoked. Consequently, the procedure is not startable. If status is fallback, the indicated procedure has the same problem, but is currently unused. If no procedure library is indicated, there is no task by that name. If a library is indicated, the task is covered by a valid profile in the STARTED class and does not use ICHRIN03. Severity: 08 CKR0334 JCL member hidden (duplicate) for procedure procname volume dsn Explanation: This message indicates a nonstartable procedure member. The indicated procedure in the indicated procedure library cannot be started, because it is part of a concatenation. The library prior to it in the concatenation has the same member defined. Consequently, this JCL member cannot be started. Severity: 00 CKR0335 Copy id1 to id2 adds discrete resource class key Explanation: This message indicates that a command was generated in the CKRCMD file to add a discrete general resource profile specific to id2 mimicking a similar existing profile for id1. The message is issued as the result of a COPY command. Severity: 04 Severity: 08 CKR0336 CKR0332 STC revoked connect user to group procname volume dsn status system Explanation: If status is system, this message indicates a procedure on system system that cannot be started. The indicated procedure in the indicated procedure library maps to a user ID/group combination that has a connect defined in the RACF database, but the connect has been revoked. Consequently, the procedure is not startable. If status is fallback, the indicated procedure has the same problem, but is currently unused. If no procedure library is indicated, there is no task by that name. If a library is indicated, the task is covered by a valid profile in the STARTED class and does not use ICHRIN03. Severity: 08 Explanation: This message indicates that a command was generated in the CKRCMD file to add a generic general resource profile specific to id2 mimicking a similar existing profile for id1. The message is issued as the result of a COPY command. Severity: 04 CKR0337 Messages Guide Copy id1 to id2 adds generic DATASET profile dsn Explanation: This message indicates that a command was generated in the CKRCMD file to add a generic data set profile specific to id2 mimicking a similar existing profile for id1. The message is issued as the result of a COPY command. Severity: 04 152 Copy id1 to id2 adds generic resource class key CKR0338 • CKR0348 CKR0338 Copy id1 to id2 adds model DATASET profile dsn Explanation: This message indicates that a command was generated in the CKRCMD file to add a model data set profile specific to id2 mimicking a similar existing profile for id1. The message is issued as the result of a COPY command. Replace owner id1 of new generic DATASET profile dsn - make id2 Explanation: This message indicates that a command was generated in the CKRCMD file to change the owner of a generic data set profile specific to id2 from id1 to id2. The message is issued as the result of a COPY command. Replace owner id1 of new model DATASET profile dsn - make id2 Explanation: This message indicates that a command was generated in the CKRCMD file to change the owner of a model data set profile specific to id2 from id1 to id2. The message is issued as the result of a COPY command. Severity: 08 Unsupported copy id for tape DATASET profile volser dsn Explanation: This message indicates that no command was generated in the CKRCMD file to copy the user-specific or group-specific discrete profile. The message is issued as the result of a COPY command. Severity: 12 CKR0346 CKR0342 Unsupported copy id non-VSAM DATASET profile volser dsn Explanation: This message indicates that no command was generated in the CKRCMD file to copy the user-specific or group-specific discrete profile. The message is issued as the result of a COPY command. If the COPY is issued as preparation to a rename operation, then a RENAME of the data set would automatically accomplish the rename of the discrete profile. Severity: 08 User implied in command input is a group - id Explanation: This message indicates that a command was given implying that the ID id is a user ID. However, id is defined as a group in the RACF database. Most commands will not be processed any further. Severity: 12 CKR0347 Severity: 08 Group implied in command input is a user - id Explanation: This message indicates that a command was given implying that the ID id is a group. However, id is defined as a user ID in the RACF database. Most commands will not be processed any further. Severity: 04 CKR0341 Unsupported copy id for member of profile class key Explanation: This message indicates that no command was generated in the CKRCMD file to copy the function of the user-specific entry in the member list of the indicated profile. The message is issued as the result of a COPY command. CKR0345 Severity: 04 CKR0340 Severity: 08 CKR0344 Severity: 04 CKR0339 message is issued as the result of a COPY command. If the COPY is issued as preparation to a rename operation, then a RENAME of the data set would automatically accomplish the rename of the discrete profile. event owner id1 by id2 in resource class key Explanation: This message indicates that a command was generated in the CKRCMD file to change the owner of a general resource profile specific to id2 from id1 to id2. The message is issued as the result of a COPY command. Severity: 04 CKR0348 parameter must come behind TOUSER Explanation: The order of the parameters on the COPY or MOVE command is invalid. The parameter indicated is only valid behind the TOUSER parameter. Severity: 12 CKR0343 Unsupported copy id for VSAM DATASET profile volser dsn Explanation: This message indicates that no command was generated in the CKRCMD file to copy the user-specific or group-specific discrete profile. The Chapter 5. CKR messages 153 CKR0349 • CKR0359 CKR0349 parameter only valid behind COPY Explanation: The parameter is not valid on the current MOVE or REMOVE command, but only on a COPY command. Severity: 12 CKR0355 PERMIT/USER/GROUP/NOTIFY are mutually exclusive operands that can occur once per command Explanation: Only one of the indicated operands is allowed per MOVE, REMOVE, or COPY command. Severity: 12 CKR0350 Number of permits/references processed on complex [version] is number Explanation: This message gives the number of permits and other references to users and groups that have been processed. It can be used as a measure for the complexity of your database and the IBM Security zSecure Admin and Audit for RACF command processed. Severity: 00 CKR0351 event owner identity on group name make name Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a REMOVE PERMIT/USER command. Both the owner and the superior group field will be changed by an ALG command to the indicated group. Severity: 04 CKR0352 Add user id1 to group id2 as requested output ADDUSER Explanation: This message indicates that a command was generated in the CKRCMD file to add the user ID id1 with group id2 as its default group. The message is issued as the result of a COPY USER= command. Severity: 00 CKR0356 Not adding user userid as requested because all connects omitted by request - specify TOGROUP Explanation: This message indicates that a COPY request was given for a user userid, but the user could not be added since by your request (for example, FROMGROUP parameter or by means of SELECT commands) all connects would be omitted. In order to add a user ID, at least one connect group is required. Severity: 12 CKR0357 Procedure name not a userid - uses default procname volume dsn system system Explanation: This message identifies a started task that runs with the default RACF user (USER=*), because the user ID implied in the Started Procedure Table through the generic entry "* =" is not defined in the RACF database on system system. This may be correct (if the task does not need any higher access than the UACC of the data sets accessed). On the other hand, often a number of procedures can be identified which will fail if started with this (lack of) authority. To suppress all messages concerning the default user ID, you can add SUPPRESS ID=* (for ICHRIN03) and SUPPRESS ID=++++++++ (for the STARTED class) to the command input. To suppress only this message, add SUPPRESS MSG=357 to the command input. Severity: 00 CKR0353 Add group id1 to group id2 at depth depth as requested - output ADDGROUP Explanation: This message indicates that a command was generated in the CKRCMD file to add the group id1 as a subgroup of id2. The message is issued as the result of a COPY USER= command. Severity: 00 CKR0354 parameter only valid behind USER= or COPY PERMIT/GROUP= Explanation: The parameter is not valid on the current MOVE or REMOVE command, or the order of the parameters is invalid. Severity: 12 CKR0358 ICHRIN03 generic entry is privileged sys Entry "procname userid grpname" Explanation: This message indicates an undesirable feature of the Started Procedure Table ICHRIN03 on the indicated system sys. The generic entry has the privileged attribute, allowing any started task that is newly added to a procedure library to run with unaudited bypass of the access control decisions. This attribute is normally needed only by a few selected tasks, not by almost all started tasks. Severity: 08 CKR0359 ICHRIN03 generic entry is trusted sys Entry "procname userid grpname" Explanation: This message indicates an undesirable feature of the Started Procedure Table ICHRIN03 on the indicated system sys. The generic entry has the trusted 154 Messages Guide CKR0360 • CKR0370 attribute, allowing any started task that is newly added to a procedure library to run with bypass of the access control decisions. This attribute is normally needed only by a few selected tasks, not by almost all started tasks. Severity: 08 CKR0360 GROUP invalid behind MOVE Explanation: The parameter is not valid on the MOVE command. Use USER, PERMIT or NOTIFY to move a user or replace a permit or notify. TOGROUP required with MOVE USER/PERMIT Explanation: The parameter TOGROUP is missing from the MOVE command. Use this parameter to indicate to which group the user must be moved. Duplicate name for security category nn "name1" and "name2" in complex complex version Explanation: The member list of the CATEGORY profile in the class SECDATA defining the names of the security categories contains more than one name for the same internal representation of a category. This may happen if the database has more than one CATEGORY profile. Severity: 20 CKR0366 Severity: 12 CKR0361 CKR0365 The following profiles have no data rule specified - current settings used: Explanation: This message indicates that the profiles following the colon exist in both the source and the current database, containing different data. However, a mergerule prescribing a data policy was not found. Severity: 08 Severity: 12 CKR0367 CKR0362 Delete of userid userid not requested, but removal of all connects implied Explanation: The REMOVE or MOVE commands for user IDs and groups results in removal of all connects for the indicated user ID. However, no REMOVE of this user ID was requested. The user ID will not be deleted by the generated commands. You can either specify a TOGROUP for the user, add a REMOVE for the user, or change the current commands. You can also use the 'Delete all USERs connected to GROUP' option when running with the ISPF interface. Severity: 12 CKR0363 parameter only valid behind PERMIT= Explanation: The parameter indicated is not valid on the current command, or the order of the parameters is incorrect. CKR0364 Duplicate name for security level nn "name1" and "name2" complex complex version Explanation: The member list of the SECLEVEL profile in the class SECDATA defining the names of the security levels contains more than one name for the same level. This may happen if the database has more than one SECLEVEL profile. Severity: 20 Explanation: This message indicates that the profiles following the colon exist in both the source and the current database, containing different security related data. However, a mergerule prescribing an authority policy was not found. Severity: 08 CKR0368 The following users have no auth rule specified - revoke status unpredictable Explanation: This message indicates that the profiles following the colon exist in both the source and the current database, containing different security related data. However, no mergerule prescribing an authority policy could be found. Severity: 08 CKR0369 Severity: 12 The following profiles have no auth rule specified - source settings used: number logonid records read for complex [version] Explanation: This message is only issued for an ACF2 logon ID database and indicates the number of records that were read. Severity: 00 CKR0370 Indirect field reference to field is not supported at ddname line number Explanation: The indicated indirect reference from:field is not supported. Severity: 12 Chapter 5. CKR messages 155 CKR0371 • CKR0383 CKR0371 Field reference by : operator invalid on LIST command, use SORTLIST/DISPLAY - type "value" at ddname line number Explanation: In the NEWLIST TYPE=RACF, an indirect field reference from:field is only valid on the SORTLIST and DISPLAY commands, not on the LIST command. Severity: 12 CKR0372 Severity: 20 CKR0378 PROFLIST must refer to a previously defined NEWLIST NAME= parameter Explanation: PROFLIST accepts the name of a preceding NEWLIST as its value. The value you passed was not defined as the NAME of a NEWLIST. Severity: 12 Formats SECLEVEL and CATEGORY invalid on LIST command, use SORTLIST - type "value" at ddname line number Explanation: A security level or category format is only valid on the SORTLIST and DISPLAY commands, not on the LIST command. Severity: 12 CKR0373 command BDAMQSAM to the input. CKR0379 Explanation: The indicated option can only be specified on a command following NEWLIST. Severity: 12 CKR0380 Scan operator : only valid with "=" or "<>" - before delimiter "value" at ddname line number Explanation: The field value scan operator : is only valid when the field value comparator indicates equal or unequal. option only valid in scope of a NEWLIST command Action for user userid requested, but userid not defined Explanation: The REMOVE, MOVE, or COPY command for the indicated user cannot complete successfully, since the user does not exist. Check for typing errors or for SELECT statements that exclude part of the database. Severity: 12 Severity: 12 CKR0381 CKR0374 Field scan for string type t is not supported Explanation: You can only scan for a character string. Severity: 12 Action for group grpid requested, but group not defined Explanation: The REMOVE or COPY command for the indicated group cannot complete successfully, since the group does not exist. Check for typing errors or for SELECT statements that exclude part of the database. Severity: 12 CKR0375 Conversion error for selection of field name value "value" at ddname line number Explanation: The indicated value could not be converted to the internal format required for field name. Severity: 12 CKR0376 Modifier modifier invalid for field name at ddname line number CKR0382 name field invalid on LIST command, use SORTLIST - at ddname line number Explanation: The field name is only valid on the SORTLIST and DISPLAY commands, not on the LIST command. Severity: 12 Explanation: The output modifier (for example, EXPLODE or SCOPE) cannot be used with field name or output format. CKR0383 Severity: 12 Explanation: When in restricted access mode, the security database you process must contain a user ID equal to your user ID on the current system. No such user ID was found in the security database for the indicated complex. The run will be terminated. CKR0377 TTR Conversion routine fails on track Rn for ddname volser dsname Explanation: This message indicates a failure during EXCP mode processing. Contact IBM Software Support. The message can be circumvented by adding the 156 Messages Guide Severity: 12 Non-PADS access required to process RACF database of complex complex [version] without your userid userid CKR0383 • CKR0392 CKR0383 Unrestricted access required to process ACF2 database of complex complex [version] without your logonid logonid Explanation: When in restricted access mode, the security database you process must contain a logon ID equal to your logon ID on the current system. No such logon ID was found in the security database for the indicated complex. The run is terminated. Severity: 12 CKR0384 Non-PADS run required to access restricted field field Explanation: This message indicates that the program is operating in restricted or PADS mode and will not allow you to request access to a field that is not normally displayable by RACF commands. This condition is considered a syntax error (severity 12) unless an ALLOWRESTRICT modifier explicitly indicates that the query should be executed anyway; if the latter is the case, this message is issued as a warning (severity 4) to remind you that no output will be generated for the indicated field. Severity: 04 or 12 CKR0385 event member resource(1-33) class profile Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command, and with event equal to Copy or Replace due to a COPY PERMIT/USER/GROUP command. It indicates that the identity was found in a discrete member of a general resource profile in a grouping class. Only the first 33 characters of the member resource name are shown. To solve the condition a RALT DELMEM(...()) or RALT ADDMEM(...()) command will be generated. Severity: 04 CKR0386 event member resource(1-33) GLOBAL DATASET Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command, and with event equal to Copy or Replace due to a COPY PERMIT/USER/GROUP command. It indicates that the identity was found in a data set name present as member of a GLOBAL DATASET profile. Only the first 33 characters of the member resource name are shown. To solve the condition a RALT DELMEM(...()) or RALT ADDMEM(...()) command will be generated. Severity: 04 CKR0388 ISPLINK module missing, variable not available - varname at ddname line number Explanation: An IMBED or INCLUDE statement requested input from an ISPF variable, but the ISPF interface module ISPLINK could not be found. Severity: 12 CKR0389 ISPLINK module missing, no ISPF functions possible Explanation: A command requested ISPF functions, but no ISPF interface module ISPLINK was found, neither with BLDL nor linked into the CKRCARLA load module. Severity: 12 CKR0390 No active ISPF environment, no ISPF functions possible Explanation: A command requested ISPF functions, but the ISPLINK return code indicates it is incapable of performing ISPF commands. Severity: 12 event member resource(1-33) class profile Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, with event equal to Remove due to a REMOVE PERMIT/USER/GROUP command, and with event equal to Copy or Replace due to a COPY PERMIT/USER/GROUP command. It indicates that the identity was found in a generic member of a general resource profile in a grouping class. Only the first 33 characters of the member resource name are shown. To solve the condition a RALT DELMEM(...()) or RALT ADDMEM(...()) command will be generated. Severity: 04 CKR0387 CKR0391 Duplicate NEWLIST NAME=name at ddname line number, already defined at ddname2 line number2 Explanation: Two NEWLISTs have the same NAME=name parameter. This is not allowed. Severity: 12 CKR0392 DDNAME parameter required on UNLOAD in the scope of a NEWLIST Explanation: When an UNLOAD command is used in the scope of a NEWLIST command, the output file must be specified using the DDNAME= parameter or its equivalent (DD=, FILE=, F=). Severity: 12 Chapter 5. CKR messages 157 CKR0393 • CKR0399 CKR0393 Invalid DEBUG option - option CKR0399 Explanation: An invalid DEBUG option was used. Severity: 12 CKR0394 More than 16 SMF exits per subsystem not supported - system system-name Explanation: System system-name has more than 16 SMF exits for one or more SMF subsystems. This is not supported in current versions of MVS and zSecure. Severity: 16 CKR0395 Modifier WRAP cannot be combined with the format format - field name at ddname line number Explanation: This message indicates an error with the use of the WRAP or WORDWRAP. These output modifiers cannot be used on a column with the indicated output format. Severity: 12 CKR0396 nn rule records containing a total of nn entries read for complex [version] Explanation: This message is only issued for an ACF2 rule database and indicates the number of records that were read, as well as the total number of rule lines that were present in those records. Severity: 00 CKR0397 Field name of length field-length truncated to new-length to fit in line length line-length at ddname line number Explanation: This message indicates that field name did not fit on the output line and was truncated to fit the line length. It does not indicate an error condition. Severity: 00 CKR0398 Maximum of 255 merged NEWLISTSs exceeded before type "value" at ddname line number Explanation: The number of NEWLIST statements between a MERGELIST and ENDMERGE pair exceeded 255. Reduce the number of NEWLISTs, or split the report into several MERGELIST/ENDMERGE pairs. Severity: 12 158 Messages Guide SUMMARY must be the last command in a NEWLIST body, only one per NEWLIST Explanation: This message indicates that a SUMMARY or DSUMMARY command was followed by another command from the LIST family within the same NEWLIST. This is not allowed. Severity: 12 CKR0400 • CKR0411 Messages from 400 to 499 CKR0400 AND requires prior clause Explanation: A syntax error was detected in the input. The program thinks it has encountered an AND in an AND/OR list in a SELECT or EXCLUDE command, but has not encountered the previous clause. Severity: 12 CKR0401 OR requires prior clause Severity: 12 NOT clause expects parentheses instead of type "value" at ddname line number Severity: 12 Severity: 12 Explanation: This message indicates that a LIKELIST was used that did not refer to an existing NEWLIST name of the same type (indicated by type). A LIKELIST target must be the name of a NEWLIST of the same type that must come earlier in the input. There must be a LIST, SORTLIST/DISPLAY, or (D)SUMMARY command in the NEWLIST that is referred to. If you suppress this message all LIKELIST clauses which do not refer to a preceding NEWLIST select all records. Severity: 12 Expected valid monthday value instead of value Explanation: This message indicates that you specified a value for the MONTHDAY keyword of the SELECT or EXCLUDE command that is out of range. Valid monthday values are in the range 1 to 31. Severity: 12 CKR0408 LIKELIST must refer to a previously defined NEWLIST type=type NAME= parameter Error during conversion of string string Explanation: This message indicates that an error occurred during the conversion of string string from hexadecimal, decimal or binary. Check string for characters invalid in the specified conversion type. CKR0407 Explanation: This message indicates that the program has interpreted the previous token as a NOT in a SELECT or EXCLUDE command and is now expecting a clause within parentheses. CKR0403 Severity: 12 CKR0406 Explanation: A syntax error was detected in the input. The program thinks it has encountered an OR in an AND/OR list in a SELECT or EXCLUDE command, but has not encountered the previous clause. CKR0402 the end value. The only exception is a range of weekday values, which should have a start value different from the end value (a weekday range can handle wrap-arounds). Unknown event name name Explanation: This message indicates that you specified an event name for the EVENT keyword of a SELECT or EXCLUDE command that is unknown. Either specify an event by name or use an event number. Severity: 12 CKR0409 Substring selection only allowed with =, <> and ¬= Explanation: This message indicates that the <, >, <= or >= relational operator was used for a substring scan (indicated by a colon ":" after the relational operator). This is not allowed; only the equal and not-equal operations are defined for a substring scan. Severity: 12 CKR0404 Expected valid year value instead of value Explanation: This message indicates that you specified a value for the YEAR keyword of the SELECT or EXCLUDE command that is out of range. Valid year values are in the range 0 to 99 (with 1900 added implicitly), or 1900 and higher. Severity: 12 CKR0410 Value list only allowed with =, <> and ¬= Explanation: This message indicates that the <, >, <= or >= relational operator was followed by an opening parenthesis indicating the start of a list of values. This is not allowed; only the equal and not-equal operations are defined for a list of values. Severity: 12 CKR0405 Range error in type Explanation: This message indicates that you specified a range (two values separated by a colon) of type in the SELECT or EXCLUDE command that is not valid. The start value in a range must be lower than or equal to CKR0411 Expected valid time value instead of value Explanation: This message indicates that you specified Chapter 5. CKR messages 159 CKR0412 • CKR0421 a value for the TIME keyword of a SELECT or EXCLUDE command that is out of range. Valid time values are in the range 0000 to 2359; minute values of 60 or higher are not allowed. Warning: specifying TIME=10:00 would indicate an (invalid) time range from 0010 to 0000. Use TIME=1000 instead. CKR0416 Duplicate type number value Explanation: This message indicates that a type code was used twice in a value list of the TYPE keyword of the SELECT or EXCLUDE command. Severity: 12 Severity: 12 CKR0417 CKR0412 String longer than expected size value Explanation: This message indicates that you specified a string value that is longer than allowed for this keyword of the SELECT or EXCLUDE command. The allowed maximum length for this keyword is included in the message. Severity: 12 CKR0413 List not allowed for FIELDVAL type type Explanation: This message indicates that you used a value list with the NEWLIST TYPE=SMF FIELDVAL type MASK1 or MASK2. These FIELDVAL types can only be used with a single value. Severity: 12 CKR0414 Ignored empty list of type Explanation: This warning message indicates that you specified a keyword but no type value or list of values in the SELECT or EXCLUDE command. zSecure has ignored the keyword and will continue input processing. This message may also occur when a list contains only invalid values. Severity: 00 CKR0415 Duplicate event event while parsing eventname Explanation: While parsing a "select event<>" clause the indicated event was found to be specified twice. The second specification was eventname. This happens most often when an event was specified both by name or number, or as part of a predefined group of events (for example, ALLSVC). If it is unclear which other specification eventname is in conflict with, you can move the eventname specification to the beginning of the clause, and run the query again. The resulting CKR0415 message should then show the other eventname in the conflict. If the duplicate specification is intended (for example, event<>(ALLSVC(success),RACINIT(warning))), you should move one of the two to a separate event<> clause in your select. Severity: 12 Expected ( or =, ¬= or <> relational operator before type "value" at ddname line number Explanation: This message indicates that the program did not find the relational operator =, ¬=, or <> or the opening parenthesis of a value list in a SELECT or EXCLUDE command. Larger than/smaller than operators, and field-compare operators, are not allowed here. Severity: 12 CKR0418 SMF input terminated, limit SMFIN reached Explanation: This message indicates that zSecure Audit has stopped reading SMF records because the input limit defined by the SMFIN parameter of the LIMIT command has been reached. This message is for informational purposes only and does not indicate an error. Severity: 00 CKR0419 SMF input terminated, all OUTLIM limits reached Explanation: This message indicates that zSecure Audit has stopped reading SMF records because the output limit defined by the OUTLIM parameter of the NEWLIST command has been reached for all NEWLISTS of TYPE=SMF. Severity: 00 CKR0420 Warning: ALLOC NJENODE= node1 differs from CKFREEZE node node2 for complex complex Explanation: The NJE node on the ALLOC statement will be used instead of the actual node. This means that the commands will not be routed to the node they have been generated for, unless you are quite sure the node is now called by the name specified on the ALLOC statement. Severity: 00 CKR0421 Pattern pattern not allowed at ddname line number Explanation: This message indicates a string containing wildcard characters was used where it is not allowed, for example, for a substring scan or a field for 160 Messages Guide CKR0422 • CKR0431 which pattern searches are not supported. CKR0427 Severity: 12 CKR0422 Expected clause following operator Explanation: This message indicates that a select clause ended with operator, where operator is AND or OR. An AND or an OR should be followed by another select clause. Explanation: This message indicates the number of SMF records read and the number and percentage that were selected. Severity: 00 CKR0428 Severity: 12 CKR0423 List of type values not allowed Explanation: This message indicates that a list of values was used with the type (TIME or DATETIME) keyword of the SELECT or EXCLUDE command. This is not allowed; use a range of values (two values separated by a colon) or multiple clauses concatenated by ORs instead. Severity: 12 nn SMF records read, nn SMF records selected (nn%) [reason] input OPEN failed ddname volser datasetname Explanation: This message indicates that ddname was allocated but could not be opened for input. Check the DD statement for ddname, correct the error and submit the job again. The type shown is the newlist type for which the file was required; it is either SMF or the name of a newlist type defined with a DEFTYPE statement. For a DEFTYPE type file, no automatic scoping of the file contents is supported. Therefore, unconditional access to the file is required. If it can only be read via PADS, the reason will indicate that. Severity: 16 CKR0424 Warning: Ambiguous AND/OR usage, please use parentheses to indicate desired grouping Explanation: This message indicates that a SELECT/EXCLUDE or WHERE clause was ambiguous, and will be resolved left to right. This may not be desired; use parentheses around AND/OR clauses to indicate the desired grouping. SMF unload OPEN failed ddname volser datasetname Explanation: This message indicates that ddname was allocated but could not be opened for output. Check the DD statement for ddname, correct the error and submit the job again. Severity: 16 Severity: 04 CKR0425 CKR0429 Field "field-name" to be processed not valid for NEWLIST TYPE=list-type at ddname line number Explanation: The output field you requested on the LIST, SORTLIST, DISPLAY, or SUMMARY command has not been defined for the NEWLIST of type list-type. Verify the spelling. If list-type is equal to deftype, then that is not the newlist type itself, but indicates that the error occurred in a newlist defined with a DEFTYPE statement. Severity: 12 CKR0430 No type input files could be opened Explanation: This message indicates that no input files could be opened for newlist type type, either because no ddnames were allocated or because none of the allocated ddnames could be opened for input. Check the DD statements and submit the job again. The type shown is either SMF or the name of a newlist type defined with a DEFTYPE statement. Note that this message can also occur when ALLOCATE SMF ACTIVE was specified and system runs without active SMF recording. Severity: 12 CKR0426 Unknown descriptor type hex-value in CKASMFI CKR0431 Error in conversion of bitfield string Explanation: This message indicates that an internal error occurred in the selection of fields in a SMF record. Contact IBM Software Support. Explanation: This message indicates that an error occurred during conversion of a bitfield. Bitfields may consist of the characters 0, 1, and "." (don't-care). Severity: 08 Severity: 12 Chapter 5. CKR messages 161 CKR0432 • CKR0442 CKR0432 Field type type not supported for field field Explanation: This message indicates that the indicated field was used for SELECT/EXCLUDE processing; the field can only be used for output in the current NEWLIST type. The NEWLIST types for which this error message may occur support the selection of strings, bitfields, and numbers. Some field types like time zones can only be used for output. SUMMARY and LIST type commands without a prior NEWLIST are not supported for program product code code Explanation: SUMMARY, DSUMMARY, DISPLAY, LIST and SORTLIST commands are only valid within the context of a NEWLIST, unless the program is enabled to read a RACF database. If you are using the IBM Security zSecure Manager for RACF z/VM product and this error occurs, contact IBM Software Support. Severity: 12 CKR0434 Expected decimal value instead of type "value" at ddname line number Explanation: This message indicates that a non-decimal value was encountered where a decimal value was expected. Severity: 00 Value number (decimal) above maximum of maximum Explanation: This message indicates that a number was read that is too large to fit the field. zSecure either read the decimal number number or converted a quoted string (from hexadecimal or binary) that has decimal value number. Severity: 08 (unless changed by the MSGRC parameter of the OPTION statement) CKR0439 Meaning of DDNAME keyword has changed, use SMFDD instead - at ddname line number Explanation: This message indicates that a query used the NEWLIST TYPE=SMF keyword DDNAME. The meaning of this keyword has changed; use SMFDD instead. Severity: 12 162 Messages Guide PERMISSIONS of ALLOW and LOG are mutually exclusive with PREVENT Explanation: Selection of ACF2 data set access rules on an access level of PREVENT cannot be combined with selection on other access levels, at least not on the same PERMISSIONS keyword. Severity: 12 CKR0440 Field 'field-name' may not be used for select/exclude processing, use 'field-name2' instead Explanation: This message indicates that a select clause for the NEWLIST TYPE=SMF tried to use the field field-name, which can only be used for output. In some cases, an alternative field field-name2 is suggested. Severity: 12 CKR0441 Severity: 12 CKR0436 SMF input terminated: out of memory Explanation: This message indicates that input processing for NEWLIST TYPE=SMF was terminated because the program ran out of memory. Output will be generated for the records processed so far. To process more input, either create more restrictive SELECT/EXCLUDE statements, or increase the REGION size. Severity: 12 CKR0435 SMF input terminated by user attention request Explanation: This message indicates that input processing for NEWLIST TYPE=SMF was terminated because the user pressed the attention key. Output will be generated for the records processed so far. CKR0438 Severity: 12 CKR0433 CKR0437 Field 'field' may not be used in compare operations Explanation: The indicated field may not be used in a field vs field compare operation in the NEWLIST TYPE=SMF. Normal field-value comparisons are allowed. Severity: 12 CKR0442 Resource deletion: Migrated related name MIGRAT dsname catalog Explanation: This message indicates that a migrated data set name present in the HSM MCDS has a high level qualifier that should be deleted. It is however a related name for another data set name, that usually will have the same first qualifier. Any non-VSAM entries in the catalog for this name should be deleted CKR0443 • CKR0453 automatically by HSM when the base name is deleted. No specific command is being generated. Severity: 00 CKR0443 event appdat identity general resource profile class key CKR0448 Name of static system symbol exceeds record: hex Explanation: This message indicates that an unexpected layout of the system symbol table was encountered. Contact IBM Software Support. Severity: 20 Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a REMOVE PERMIT/USER command. It means that the identity to be removed occurs in the APPLDATA field. This message is only issued for the TMEADMIN class. To solve the condition an RDEL command will be generated to remove the entire profile. Explanation: This message indicates that a duplicate system symbol definition was encountered. The new value is ignored. Contact IBM Software Support. Severity: 04 Severity: 20 CKR0444 ACL field invalid on SUMMARY/DSUMMARY, use USERID - at ddname line number Explanation: This message indicates that a summary cannot be performed on the special-purpose field ACL. Severity: 12 CKR0444 field field invalid on SUMMARY/DSUMMARY - at ddname line number Explanation: This message indicates that a summary should not be performed on the special-purpose field field. Severity: 12 CKR0445 Expansion for static system symbol too long: hex Explanation: This message indicates that an unexpected layout of the system symbol table was encountered. Contact IBM Software Support. Severity: 20 CKR0446 Expansion for static system symbol exceeds record: hex Explanation: This message indicates that an unexpected layout of the system symbol table was encountered. Contact IBM Software Support. Severity: 20 CKR0449 CKR0450 Duplicate static system symbol definition: var already val ; dupval ignored. Started processing type pads file ddname volser dsn Explanation: This message indicates that processing of SMF or Top Secret Security ATF input file ddname has started. In addition, it can indicate in pads by the text PADS that access to the data was allowed by virtue of a conditional access. If this is the case, then zSecure Audit will restrict functionality to the user's scope. Severity: 00 CKR0451 SMF processing at DDname ddname and RecNo recno Explanation: This message is printed in case of an abend. It indicates the ddname and record-number of the record being processed at the time of the abend. Severity: 00 CKR0452 SMF records were processed for the following systems: version complex-name system-name from start-date start-time to end-date end-time note Explanation: This multiple-line message is printed after SMF processing has finished; it indicates the date and time of the earliest and latest records processed for each system-id encountered. A note with the text (No CKFREEZE file) may be shown if no CKFREEZE file was related to the SMF ID. The note can also indicate the number of records processed. This message is for informational purposes only and does not indicate an error. Severity: 00 CKR0447 Name of static symbol too long: hex Explanation: This message indicates that an unexpected layout of the system symbol table was encountered. Contact IBM Software Support. CKR0453 Static system symbol table skipped : num entries claimed, but record too small Severity: 20 Explanation: This message indicates that the system symbol table had a length that did not fit the Chapter 5. CKR messages 163 CKR0454 • CKR0463 CKFREEZE record length. Run zSecure Collect again with a greater LRECL for the CKFREEZE data set. If this is at the maximum, contact IBM Software Support. SMF RACF command item display truncated at ddname record number Explanation: The display indicated is too large for its buffer; this can be either a command or a command parameter display as indicated by item. Severity: 20 CKR0454 CKR0458 SMFCACHE job tag system enabled but not useful - now disabled Explanation: This message indicates that the job tag system was turned off because it was not useful: the JOBID, USER, GROUP and TERMINAL keywords were not used in the selection (SELECT, EXCLUDE) or display (LIST, SORTLIST, DISPLAY) commands. Severity: 00 Severity: 08 CKR0459 ICHNCV00 simulate (system=sys) internal error: message Explanation: This message indicates a failure in the simulation of the naming convention table, ICHNCV00. Contact IBM Software Support. Severity: 12 CKR0455 SMFCACHE used size KB but had to skip skipped-number records and still had cached-number records cached for number out of full-number job tags Explanation: This message indicates that the job tag system was turned on during SMF processing; it also prints the amount of memory used, the number of records skipped because the cache was full, the number of records left incompleted after the last record was read, the number of incomplete job tags, and the overall number of job tags. Refer to the SMFCACHE command for more information. The records left incomplete and skipped were processed without RACF information. Severity: 00 CKR0456 SMFCACHE incomplete job tag job-tag with cached-num records cached and skipped-num skipped Explanation: This message is due to SMFCACHE VERBOSE. One of these messages is printed for each job tag incomplete at the end of SMF processing. It indicates the job affected, the amount of records cached at end-of-file and the amount of records skipped because the cache was full (these records were processed without RACF information). Severity: 00 CKR0457 SMFCACHE completed job tag job-tag with cached-num records cached and skipped-num skipped Explanation: This message is due to SMFCACHE VERBOSE. One of these messages is printed for every job tag that is complete and has cached some records. skipped-num indicates the amount of records skipped because the cache was full; these records were processed without RACF information. Severity: 00 164 Messages Guide CKR0460 Horizontal and dump format cannot be combined on one field - field at ddname line number Explanation: The DUMP output modifier and the HORIZONTAL output modifier may not be combined. Severity: 12 CKR0461 number SMF [type rectype] records were lost on system system-id from date time Explanation: This message is printed when an SMF record of type 7 is processed. It indicates that SMF records were lost on the system that generated the SMF file. It does not indicate an error in zSecure Audit or in SMF processing. If rectype is present, type rectype records were dropped due to SMF record flood options. Because some records were lost, the input to zSecure Audit might be incomplete. Any events that occurred during the recording gap cannot be audited. Severity: 00 CKR0462 Expected ( or =, ¬=, <>, ==, ¬==, or <<>> relational operator before type "value" at ddname line number Explanation: This message indicates that zSecure did not find the relational operator =, ¬= or <>, the field-compare operator ==, <<>>, or ¬==, or the opening parenthesis of a value list in a SELECT or EXCLUDE command. Larger than/smaller than operators are not allowed here. Severity: 12 CKR0463 Expected ( or =, ¬=, <>, <, >, <=, or >= relational operator before type "value" at ddname line number Explanation: This message indicates that zSecure did not find the relational operator =, ¬=, <>, <, >, <=, or >=, or the opening parenthesis of a value list in a SELECT or EXCLUDE command. Field-compare CKR0464 • CKR0471 operators are not allowed here. For additional information, see the SELECT/EXCLUDE- Field compare documentation in the user reference manual for your zSecure product. Severity: 12 CKR0464 Substring offset must be >= 1 Explanation: This message indicates that zSecure found an invalid substring offset in a SELECT or EXCLUDE command. The SUBSTRING operation requires an offset (the second SUBSTRING parameter) of at least 1. Severity: 12 CKR0465 Substring maxlen may not be zero Explanation: This message indicates that zSecure found an invalid substring maximum length in a SELECT or EXCLUDE command. If a maximum length is specified with a SUBSTRING operation, for example, SUBSTRING(field,offset,maxlen), the maximum length must be at least 1. Omit the maximum length altogether to select until the end of the field, for example, SUBSTRING(field,offset). Severity: 12 CKR0466 Substring endpos may not be before start Explanation: This message indicates that zSecure found an invalid substring end position in a SELECT or EXCLUDE command. If a maximum length is specified with a SUBSTRING operation, for example, SUBSTRING(field,offset:endpos), the end position must be equal to, or larger than, the start position (offset). Omit the end position altogether to select until the end of the field, for example, SUBSTRING(field,offset). Severity: 12 CKR0467 operations not allowed with format field name at ddname line number CKR0468 DDNAME ddname is in NOA status, and cluster name cluster name is not defined in the FDR - allocation failed Explanation: During an attempt to dynamically allocate an active ACF2 backup data set, the program found that the data set was not allocated by ACF2 because it had been overridden by a DD DUMMY specification in the ACF2 startup JCL. When subsequently trying to retrieve the data set name from the eligible ACF2 database clusters defined in the ACFDR, the program discovered that either the currently active database cluster was not defined in the ACFDR, or the indicated cluster did not have a data set defined for the function indicated by ddname. This implies that the program cannot determine which data set to allocate. Severity: 16 CKR0469 Compare fields may not both be repeated [ - field1 and field2 ] at ddname line number Explanation: This message indicates that the program found an invalid compare operation in a SELECT or EXCLUDE command. When two fields are compared (i.e. a field-field compare instead of a field-constant compare), at most one of the fields may be a repeat-group field. The compare operation attempted to compare two repeated fields, which is not supported. Severity: 12 CKR0470 Fields to be compared must have the same format [ - field1 and field2 ] at ddname line number Explanation: This message indicates that the program found an invalid compare operation in a SELECT or EXCLUDE command. When two fields are compared (i.e. a field-field compare instead of a field-constant compare), the fields must have an equivalent format, for example, both character-format or both numerical. The compare operation attempted to compare two fields with a different format, which is not supported. Explanation: This message indicates that zSecure found a manipulation operation that is specified for a field value that does not have the right format. An EXTRACTDN operation can be applied only to a distinguished name in X.509-DN format. The other operations can be applied only to character-format fields. CKR0471 Note: When field value operation functions are nested, the format that is shown might be an intermediate result. For example, the resulting format after EXTRACTDN is Char, so the function can be applied only once. Severity: 08 Severity: 12 Duplicate data set on SMS managed volumes volser dsname Explanation: During the comparison of library versions the same data set name was encountered on more than one SMS managed volume. This is not supported. Severity: 12 Chapter 5. CKR messages 165 CKR0472 • CKR0480 CKR0472 Conversion to SMS managed assumed for data set dsname Explanation: During the comparison of library versions in multiple CKFREEZE files a data set name was encountered first on a non-SMS managed volume and later on an SMS managed volume. It is assumed that the volume or data set was converted to SMS. Severity: 00 CKR0473 through the SIMULATE SENSITIVE command is not protected as prescribed by the CS1 (Commercial Security 1) protection profile. A command is generated to adjust the protection of the discrete profile to the required level. Note that this may imply a reduction of the UACC. Severity: 04 CKR0477 READ-sensitive DATASET protection not CS1-compliant dsname - change profile Explanation: A data set with confidential data part of the Trusted Computing Base or designated as sensitive through the SIMULATE SENSITIVE command is not protected as prescribed by the CS1 (Commercial Security 1) protection profile. A command is generated to adjust the protection to the required level while minimizing the impact on other data sets; a fully qualified generic is used to achieve this. Note that this may imply a reduction of the UACC. ALTER-sensitive DATASET protection not CS1-compliant dsname - modify profile Explanation: A data set containing part of the Trusted Computing Base or designated as sensitive to ALTER access through the SIMULATE SENSITIVE command is not protected as prescribed by the CS1 (Commercial Security 1) protection profile. Usually this is limited to ICF catalogs. A command is generated to adjust the protection to the required level while minimizing the impact on other data sets; a fully qualified generic is used to achieve this. Note that this may imply a reduction of the UACC. Severity: 04 Severity: 04 CKR0478 CKR0474 READ-sensitive DATASET protection not CS1-compliant volser dsname ALTER-sensitive DATASET protection not CS1-compliant volser dsname modify profile Explanation: A data set with confidential data part of the Trusted Computing Base or designated as sensitive through the SIMULATE SENSITIVE command is not protected as prescribed by the CS1 (Commercial Security 1) protection profile. A command is generated to adjust the protection of the discrete profile to the required level. Note that this may imply a reduction of the UACC. Explanation: A data set containing part of the Trusted Computing Base or designated as sensitive to ALTER access through the SIMULATE SENSITIVE command is not protected as prescribed by the CS1 (Commercial Security 1) protection profile. Usually this is limited to ICF catalogs. A command is generated to adjust the protection of the discrete profile to the required level. Note that this may imply a reduction of the UACC. Severity: 04 Severity: 04 CKR0475 UPDATE-sensitive DATASET protection not CS1-compliant dsname - modify profile Explanation: A data set containing part of the Trusted Computing Base or designated as sensitive to updates through the SIMULATE SENSITIVE command is not protected as prescribed by the CS1 (Commercial Security 1) protection profile. A command is generated to adjust the protection to the required level while minimizing the impact on other data sets; a fully qualified generic is used to achieve this. Note that this may imply a reduction of the UACC. CKR0479 Global access to sensitive dataset not CS1-compliant volser dsname Explanation: A data set containing part of the Trusted Computing Base or designated as sensitive to through the SIMULATE SENSITIVE command is not protected as prescribed by the CS1 (Commercial Security 1) protection profile, because the access granted through the Global Access Table is too high. A command is generated to adjust the Global Access Table to the highest level still allowed. Note that this will imply a reduction of the availability of the data set to users. Severity: 04 Severity: 04 CKR0480 CKR0476 UPDATE-sensitive DATASET protection not CS1-compliant volser dsname modify profile Explanation: A data set containing part of the Trusted Computing Base or designated as sensitive to updates 166 Messages Guide READ-sensitive DATASET protection not CS1-compliant volser dsname - add profile Explanation: A data set with confidential data part of the Trusted Computing Base or designated as sensitive through the SIMULATE SENSITIVE command is not CKR0481 • CKR0489 protected as prescribed by the CS1 (Commercial Security 1) protection profile. A command is generated to create a new fully qualified generic profile, using the current generic profile covering the data set; the protection of the new profile is adjusted to the required level. Note that this may imply a reduction of the UACC. UPDATE-sensitive DATASET protection not CS1-compliant volser dsname - add profile Explanation: A data set containing part of the Trusted Computing Base or designated as sensitive to updates through the SIMULATE SENSITIVE command is not protected as prescribed by the CS1 (Commercial Security 1) protection profile. A command is generated to create a new fully qualified generic profile, using the current generic profile covering the data set; the protection of the new profile is adjusted to the required level. Note that this may imply a reduction of the UACC. Severity: 04 CKR0482 ALTER-sensitive DATASET protection not CS1-compliant volser dsname - add profile Explanation: A data set containing part of the Trusted Computing Base or designated as sensitive to ALTER access through the SIMULATE SENSITIVE command is not protected as prescribed by the CS1 (Commercial Security 1) protection profile. Usually this is limited to ICF catalogs. A command is generated to create a new fully qualified generic profile, using the current generic profile covering the data set; the protection of the new profile is adjusted to the required level. Note that this may imply a reduction of the UACC. Severity: 04 CKR0483 READ-sensitive data set unprotected volser dsname - add profile Severity: 04 UPDATE-sensitive data set unprotected volser dsname - add profile Explanation: A data set containing part of the Trusted Computing Base or designated as sensitive to updates through the SIMULATE SENSITIVE command is not ALTER-sensitive data set unprotected volser dsname - add profile Explanation: A data set containing part of the Trusted Computing Base or designated as sensitive to ALTER access through the SIMULATE SENSITIVE command is not protected as prescribed by the CS1 (Commercial Security 1) protection profile. Usually this is limited to ICF catalogs. A command is generated to create a new fully qualified generic profile; the protection of the new profile is set to the required level. Severity: 04 CKR0486 FIELDVAL may only be used for Select/Exclude - at ddname line number Explanation: The FIELDVAL field in NEWLIST TYPE=SMF may only be used for SELECT/EXCLUDE processing; it was used in a LIST, SORTLIST, or (D)SUMMARY command, which is not allowed. Severity: 12 CKR0487 Defined variable name (type=type) is not boolean/as/true, may not be used in clause Explanation: The indicated variable was used in a SELECT/EXCLUDE or WHERE clause, but was not a boolean or field-based define. This is not allowed. Severity: 12 CKR0488 Explanation: A data set with confidential data part of the Trusted Computing Base or designated as sensitive through the SIMULATE SENSITIVE command is not protected as prescribed by the CS1 (Commercial Security 1) protection profile. A command is generated to create a new fully qualified generic profile; the protection of the new profile is set to the required level. CKR0484 Severity: 04 CKR0485 Severity: 04 CKR0481 protected as prescribed by the CS1 (Commercial Security 1) protection profile. A command is generated to create a new fully qualified generic profile; the protection of the new profile is set to the required level. Newlist [name=name] type=type suppressed for restricted mode at ddname line number Explanation: The indicated NEWLIST is not allowed in restricted mode and has been suppressed. Processing for the not-suppressed NEWLIST types will continue. Severity: 00 CKR0489 NEWLIST TYPE=PPT request for system system not supported for live system or non-APF CKFREEZE Explanation: The NEWLIST TYPE=PPT for the indicated system could not generate any output; this NEWLIST type requires a CKFREEZE file generated by an APF-authorized run of zSecure Collect. Severity: 00 Chapter 5. CKR messages 167 CKR0490 • CKR0499 CKR0490 $CAT size size (decimal) not supported in newlist type=JOBCLASS CKR0496 Warning: database for complex processed with settings from system system [version] Explanation: The NEWLIST TYPE=JOBCLASS does not support the JES2 $CAT table size found. Contact IBM Software Support and submit an error report containing the indicated size and your MVS and JES2 levels. Explanation: The RACF database of complex does not match the system to which the in-storage settings used for it refer. (This message only pertains to FUNCTION=MAIN or FUNCTION=BASE.) Severity: 16 Severity: 00 CKR0491 Repeated substring not allowed in TYPE=RACF clause - variable name Explanation: Nested substring requests are not allowed for NEWLIST TYPE=RACF clauses. Severity: 12 CKR0492 Field value manipulation or lookup not allowed in TYPE=RACF select clause variable name Explanation: Certain field value manipulations (CONVERT, PARSE, WORD) and field lookups are not allowed on select/exclude statements in NEWLIST TYPE=RACF if similar or other field value manipulations are also present in the DEFINE for the variable. Note that using SUBSTRING is allowed. CKR0497 Restricted mode does not allow using settings from any other system than complex Explanation: The RACF database of complex does not match the system to which the in storage setting used for it refer, and this is not allowed in restricted mode. Severity: 12 CKR0498 Warning: database for complex processed with settings from system Explanation: The RACF database of complex does not match the system to which the in storage settings used for it refer. (This message only pertains to FUNCTION=MERGE.) User response: Move all the manipulations to one DEFINE. User response: Explicitly partition the input data sets through use of the COMPLEX and VERSION keywords to represent the actual configurations in use. Severity: 12 Severity: 00 CKR0493 Boolean variable name may not be used as right-hand side of compare Explanation: While a boolean variable may be used in a SELECT statement, it may not be used at the right-hand side of a field-field compare. Severity: 12 CKR0494 Substring operation not allowed on boolean variable name Explanation: A substring function cannot operate on a defined variable of type BOOLEAN. Severity: 12 CKR0495 Concatenation of unloads in file ddname is not supported - stopping after 1st one Explanation: Multiple unloads must be allocated to separate ddnames, they cannot be concatenated. Severity: 12 168 Messages Guide CKR0499 Invalid cell in VVDS record for component cluster name Explanation: Parsing unexpectedly encountered the end of a VVDS cell. Severity: 08 CKR0500 • CKR0511 Messages from 500 to 599 CKR0500 Define for variable variable (type=type) at ddname line number conflicts with define at ddname line number Explanation: This error message indicates that two statistic variables with identical names were defined within the same NEWLIST. This is not allowed. repeat-group field of type field-name is part of a compound summary key. Severity: 12 CKR0506 Severity: 12 CKR0501 Define for variable variable (type=type) at ddname line number overrides define at ddname line number Explanation: This warning message indicates that a statistic variable was defined within a NEWLIST that has the same name as a statistic variable defined in a previous NEWLIST. The new definition overrides the old one; this may not be intended. Severity: 00 CKR0502 DISPLAY only contains repeat or detail fields, 1st level display would be empty for newlist at ddname line number Explanation: This error message indicates that a DISPLAY command did not contain any fields that could be displayed at the 1st level display. This is not allowed; include a non-repeated or non-detail field in the DISPLAY. If you specified the NEWLIST parameter DETAIL, use the output modifier NODETAIL on at least one non-repeated field. Severity: 12 CKR0503 Duplicate threshold specification before token at ddname line number Explanation: This error message indicates that more than one threshold output modifier was used for the same field. This is not allowed. Severity: 12 CKR0504 Explanation: Variable name was defined using a lookup operator. For NEWLIST TYPE=RACF, such variables may not be used in LIST commands. Use SORTLIST or DISPLAY instead. Severity: 12 CKR0507 Explanation: In the current version of zSecure, a SUMMARY command may not be used in a merged NEWLIST. Asterisk list operator is only valid on SUMMARY commands Explanation: This error message indicates that the asterisk (*) list operator was used in a LIST, SORTLIST, or DISPLAY command. It may only be used in a SUMMARY or DSUMMARY command. Severity: 12 CKR0508 ENDMERGE missing Explanation: This error message indicates that a merged NEWLIST was started but not ended. Severity: 12 CKR0509 ENDMERGE without MERGELIST Explanation: This error message indicates that an ENDMERGE command was found (which normally ends a merged NEWLIST), but no previous MERGELIST command was found to start the merged NEWLISTs. Severity: 12 CKR0510 Summary invalid in merged newlist at ddname line number Variable name at ddname line number defined with lookup - invalid with type=RACF LIST commands Target field field-name (type=type) undefined for define statistic-name at ddname line number Explanation: This error message indicates that a statistic variable was defined that has a target field which does not exist or has not been defined. Severity: 12 Severity: 12 CKR0511 CKR0505 Compound summary at level number cannot contain repeat group value "field-name" at ddname line number Explanation: In the current version of zSecure, a compound summary key must consist of non-repeat groups. This error message indicates that the ENDMERGE missing before ENDBUNDLE Explanation: This error message indicates that an ENDBUNDLE command was found, in a sequence of BUNDLE - MERGELIST - ENDBUNDLE. There should be an ENDMERGE command in this sequence. Chapter 5. CKR messages 169 CKR0512 • CKR0520 Severity: 12 CKR0512 CKR0516 Target field field-name (type=type) found at ddname line number does not have the required where clause for define statistic-name at ddname line number Explanation: This error message indicates that the statistic variable defined as the target for another variable does not have a WHERE clause. Since the purpose of a target variable is that WHERE clauses are shared, the target must have such a clause. Summary level number must have at least one summary key and key cannot be a defined var or lookup - newlist at ddname line number Explanation: This error message indicates that the (D)SUMMARY command of the indicated NEWLIST contained a summary level without a key-variable. This is only allowed in the topmost (leftmost) summary level. Valid summary key-variables are fields, not defined statistics and lookup-variables. Severity: 12 Severity: 12 CKR0517 CKR0513 Use of function is not licensed for IBM Security zSecure product code code Explanation: The function indicated (either a command or a parameter) is not licensed for the product used. For example, if IBM Security zSecure Admin is running without zSecure Audit on a z/OS system, this configuration is not licensed to use the NEWLIST TYPE=SMF command. For a description of the product codes, see the documentation for the NEWLIST LICENSE parameter in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual. WRAP invalid because column length 0 and not the last in line or column floating - field field-name at ddname line number Explanation: This error message indicates that the WRAP output modifier was used in combination with an overriding length of zero for a column not last in line, or where another column with overriding length 0 (i.e. variable length) was present on the line. Since the purpose of FIELD(WRAP,0) is to fill up the rest of the output line, this is only allowed for the last column in a line. Severity: 12 Severity: 12 CKR0518 CKR0514 Variable statistic-name at ddname line number not defined as Boolean, Subselect, or As - invalid on LIST commands Explanation: This error message indicates that a summary statistic variable was used on a LIST, SORTLIST, or DISPLAY command. This is not allowed; these variables may only be used with (D)SUMMARY. Explanation: This error message indicates that a LIST command was used with NEWLIST option. This is not allowed with the NEWLIST option indicated; use SORTLIST or DISPLAY instead. Severity: 12 CKR0519 Severity: 12 CKR0515 WHERE clause invalid for define statistic-name (type=type) at ddname line number because target target-variable already has one Explanation: This error message indicates that a statistic variable with a target variable also has its own WHERE clause. This is not allowed; if the target variable has a WHERE clause it is automatically inherited, and cannot be overridden. To create two variables with differing WHERE clauses, write two separate defines, both with a WHERE clause, and remove the WHERE clause from the target variable. Severity: 12 Messages Guide Option only allowed for (D)SUMMARY - option-name at ddname line number Explanation: This error message indicates that summary option option-name was used with a LIST, SORTLIST or DISPLAY command. The indicated option may only be used with the SUMMARY and DSUMMARY commands. Severity: 12 CKR0520 Merged NEWLIST at ddname line number must use same LIST family member as NEWLIST at ddname line number Explanation: All NEWLISTs within a MERGELIST/ENDLIST pair should use the same output command: either DISPLAY or SORTLIST. This was not the case for the two newlists indicated. Severity: 12 170 LIST not allowed for NEWLIST option CKR0521 • CKR0530 CKR0521 SUPPRESS CKFREEZE ignored for restricted mode NEWLIST TYPE=SMF Explanation: When a NEWLIST TYPE=SMF is used in restricted mode (i.e. in PADS mode, with a NEWLIST SCOPE, or with SIMULATE RESTRICT), you may not use the SUPPRESS CKFREEZE command, because that would allow the user to circumvent restriction checking for VSAM components. Note that IOCONFIG is an alias of CKFREEZE. CKR0527 Subselect of field field not supported Explanation: This message indicates that a variable was defined as a subselect of the indicated field, but that subselects of this field are not supported. In the current version of zSecure, the only fields where a subselect is allowed are ACL, CUSTOM_DATA, and USR. See the DEFINE command for further information. Severity: 12 Severity: 00 CKR0528 CKR0522 Program was terminated by attention Explanation: The program was terminated because the ATTN key was pressed. Severity: 12 CKR0523 Group tree loop with num elements type1 id1 has type2 id2 as owner Explanation: This message is issued due to a VERIFY GROUPTREE command. The message indicates the size of the loop in the group tree; the run-on messages indicate all users and groups in the loop; type is user or group, and id indicates the RACF user ID or group ID. Subselect of "field" in "group" not allowed Explanation: This message indicates that in a subselect of group (either ACL, CUSTOM_DATA, or USR), a field was used that is not supported in the subselect. See the DEFINE command for a table of fields that are supported. Severity: 12 CKR0529 Invalid ACCESS VALUE "value" at ddname line number Explanation: The access value specified at the indicated ddname is invalid. Severity: 12 Severity: 08 CKR0530 CKR0524 Program was terminated due to storage shortage - increase REGION Explanation: The program was terminated because of a storage (memory) shortage. Try increasing the REGION size and running the program again. Severity: 12 kind only valid in PARM string type "value" at ddname line number Explanation: The kind parameter of the ALLOCATE command must be specified in a parameter string. The kind parameter can be any of these values: ERRDD INDD LETRAPOFF CKR0525 Contents of CKRSITE module: contents LETRAPON Explanation: This message is printed as the result of a SHOW CKRSITE command. contents displays the relevant portions of the CKRSITE module. NOCLEANUP Severity: 00 NODUMP NOCLOSE NODCBE NOESTAE CKR0526 CKRSITE class class not found in CDT for complex complex Explanation: This message indicates that the class used for CKGRACF profiles, which is set in the CKRSITE module, could not be found in the Class Descriptor Table. Most likely, this indicates an installation error. Severity: 12 NOLE OUTDD STORAGEGC TEXTPIPE UMASK User response: When specifying this parameter, include the ALLOCATE command in the PARM= parameter in the batch JCL. Severity: 12 Chapter 5. CKR messages 171 CKR0531 • CKR0541 CKR0531 Summary of exploded field "field" not allowed at ddname line number Explanation: The EXPLODE output modifier may not be used in a (D)SUMMARY command. The RESOLVE and EFFECTIVE output modifiers (which are a different type of EXPLODE) may also not be used. already defined; no ADDUSER command will be generated. Severity: 12 CKR0537 Severity: 12 CKR0532 Warning: global define for variable field (type=type) at ddname line number overrides local define at ddname line number Explanation: This warning message indicates that a local define for the indicated variable field was overridden by a global define. Maximum group nesting depth of 255 exceeded at group id - run VERIFY GROUPTREE to check for group loops Explanation: During processing of group-tree depths, the maximum depth of 255 was reached for the indicated group. This may be caused by a loop in the group-tree structure, which can be found using VERIFY GROUPTREE. It may also be caused by a group-tree that is more than 255 groups deep; this condition is not supported by IBM Security zSecure Admin and Audit for RACF. Severity: 16 Severity: 00 CKR0538 CKR0533 Reporting on the in-storage resource rule directories is not supported for system system Explanation: The required information cannot be accessed, because it is in fetch protected storage. As a partial circumvention, you can allocate a CKFREEZE created by an APF run of zSecure Collect. However, even such a CKFREEZE contains information about only a select few resource rule directories, so the report will be incomplete even in that case. Severity: 04 CKR0534 Explanation: The indicated base field used by the INDENT output modifier was not specified on the same (SORT)LIST or DISPLAY command. It must be specified behind the indented field. The NONDISPL output modifier may be used to keep the base field from being printed. Severity: 12 CKR0535 Create of group group requested, but group already defined Severity: 12 Create of userid user requested, but user already defined Explanation: This message indicates that the indicated user to be added by the COPY or MOVE command was 172 Severity: 12 Messages Guide ALLOC PRIMARY/BACKUP/INACTIVE invalid for specified type - before token at ddname line number Explanation: This message indicates an invalid ALLOC command. The options PRIMARY, BACKUP, INACTIVE are all invalid with the type specified on the command. The only live option that is valid is ACTIVE. Severity: 12 CKR0540 Explanation: This message indicates that the indicated group to be added by the COPY or MOVE command was already defined; no ADDGROUP command will be generated. CKR0536 Explanation: This message was issued due to a VERIFY GROUPTREE command and indicates that group SYS1 was not found. The VERIFY command was not processed. This message may be due to global SELECT/EXCLUDE processing, excluding group SYS1. If not, it indicates a serious problem in the RACF database, since group SYS1 is required. CKR0539 Indent base base not found behind field at ddname line number Group SYS1 not found, check SELECT/EXCLUDE statements OPEN abend-type on file ddname Explanation: An abend of the indicated type occurred when opening a TYPE=CKFREEZE file with the indicated ddname. Severity: 16 CKR0541 OPEN abend-type on file ddname Explanation: An abend of the indicated type occurred when opening a TYPE=UNLOAD file with the indicated ddname. Severity: 16 CKR0542 • CKR0552 CKR0542 CONNECT field must be used in a lookup - at ddname line number CKR0547 NEWLIST TYPE=MSG requested but no MPFT found. Possibly old CKFREEZE Explanation: The CONNECT field may not be used by itself in a (SORT)LIST or (D)SUMMARY command; if it is used, it must be based on an indirect reference to USERID when displaying a group profile, or based on an indirect reference to CONGRPNM or CGGRPNM when displaying a user profile. Explanation: This message is generated by the NEWLIST TYPE=MSG (MPF report). It indicates that an MPF report was requested, but that MPF data were not available. Check the CKFREEZE file used; the MPF report requires an APF-authorized zSecure Collect run with a focus including zSecure Audit. Severity: 12 Severity: 04 CKR0543 More than 7 JES subsystems not supported - VERIFY/REPORT STC in error Explanation: This message is generated by the VERIFY STC or REPORT STC command. It indicates that a system was analyzed with more than 7 JES2 or JES3 subsystems. zSecure does not support this. Severity: 16 CKR0548 NEWLIST TYPE=MSG requested but no MPFTENTY found Explanation: This message is generated by the NEWLIST TYPE=MSG (MPF report). It indicates that an MPF report was requested, but that MPF data were not available. Check the CKFREEZE file used; the MPF report requires an APF-authorized zSecure Collect run with a focus including zSecure Audit. Severity: 04 CKR0544 LX too high! LX=val (dec); maximum is val2 (dec) Explanation: This message is generated by the NEWLIST TYPE=PC (Program Call report). It indicates an internal error, or an inconsistency in a CKFREEZE file. Contact IBM Software Support. Severity: 20 CKR0545 NEWLIST TYPE=PC request for system system, but no PC data available. Perhaps old or non-APF CKFREEZE Explanation: This message is generated by the NEWLIST TYPE=PC (Program Call report). It indicates that a Program Call report was requested for the indicated system, but that Program Call data were not available. Check the CKFREEZE file used; the Program Call report requires an APF-authorized zSecure Collect run with a focus including zSecure Audit. CKR0549 NEWLIST TYPE=MSG requires CKFREEZE Explanation: This message is generated by the NEWLIST TYPE=MSG (MPF report). It indicates that an MPF report was requested, but that no CKFREEZE file was used. The MPF report requires a CKFREEZE file; check your JCL or your set of input files. Severity: 08 CKR0550 NEWLIST TYPE=MSG unexpected MPFTVRSN version, expected version2 Explanation: This message is generated by the NEWLIST TYPE=MSG (MPF report). It indicates an internal error condition. Contact IBM Software Support including your MVS level and both the version numbers indicated. Severity: 20 Severity: 00 CKR0551 CKR0546 NEWLIST TYPE=PC CKFREEZE data incomplete for SYSTEM system Explanation: This message is generated by the NEWLIST TYPE=PC (Program Call report). It indicates that the CKFREEZE for that system was not made with a sufficiently recent zSecure Collect with support for ASN-and-LX reuse support. When issued on a system running an older z/OS release, this indicates an internal error, or an inconsistency in a CKFREEZE file. Severity: 20 Expected MPFTs: amount1; got amount2 Explanation: This message is generated by the NEWLIST TYPE=MSG (MPF report). It indicates an internal error condition. Contact IBM Software Support. Severity: 20 CKR0552 No SMF subsystem information available for system Explanation: This message is generated by the NEWLIST TYPE=SMFOPT (SMF subsystem options report). It indicates no SMF subsystem information was available for the indicated system. Check your CKFREEZE file; the report requires an APF-authorized Chapter 5. CKR messages 173 CKR0554 • CKR0563 zSecure Collect run with a focus including zSecure Audit. CKR0559 CKRRMRG - Nil pointer found Explanation: Contact IBM Software Support. Severity: 08 Severity: 24 CKR0554 TCP/IP interface connection failed, error code code Explanation: A failure occurred while trying to connect zSecure to the TCP/IP interface. The error code is documented under z/OS Communications Server: IP and SNA Codes in the z/OS information center. If the code is not listed there, it is documented as a return code under z/OS UNIX System Services: Messages and Codes. See z/OS Internet Library to access the information center for your version of z/OS. CKR0560 Explanation: This message is produced by the VERIFY STC command. It indicates that profiles in the STARTED class exist, but that the class is not active. As a result, the profiles will be ignored, and the started procedure table ICHRIN03 will be used instead. Severity: 00 CKR0561 Severity: 04 CKR0555 Bitmask cannot be empty or longer than 2048 Explanation: A CARLa statement contains a bitmask value that is either empty or longer than 2048 symbols. User response: Review and correct the CARLa script. Severity: 12 CKR0556 STARTED class active, but no profiles found - ICHRIN03 is used Explanation: This message is produced by the VERIFY STC command. It indicates that the STARTED class is active, but does not contain any profiles. As a result, the started procedure table ICHRIN03 will be used instead. Severity: 00 CKR0562 Bitmask is not allowed Explanation: A CARLa statement contains a bitmask value that is not allowed. Profiles in STARTED class exist, but class not active - ICHRIN03 is used. ALLOC PRIMARY/BACKUP/ACTIVE/ INACTIVE/SMF cannot be combined with other source identifiers - at ddname line number User response: Review and correct the CARLa script. Explanation: An ALLOC statement referring to a data source obtained from control blocks in storage cannot at the same time point to an external data source. Severity: 12 Severity: 12 CKR0557 Invalid IP address or network prefix 'string' at ddname line number Explanation: This message indicates that a CARLa script has an IP address or network prefix specification (either IPv4 or IPv6) that is not valid. CKR0563 STARTED profile profile has no STDATA segment - ICHRIN03 is used - action to newuser note Explanation: Contact IBM Software Support. Explanation: This message is produced by the VERIFY STC command. It indicates that the indicated profile in the STARTED class does not contain an STDATA segment. As a result the profile indicated will be ignored, and the started procedure table ICHRIN03 will be used instead. A command is generated to create an STDATA segment with an STUSER specification newuser. If the profile's first qualifier is a valid user ID, newuser will be user(=MEMBER) the action will be correct and the profile should then be usable, although you still may have to note "but userid still revoked", meaning that the started task would run with reduced authority and might still experience problems (as indicated by CKR0575); if not, newuser will be NOUSER, the action will be change, and a subsequent VERIFY STC would issue CKR0564 for the profile. Severity: 24 Severity: 08 User response: Adjust the corresponding CARLa script to supply a valid IP address or network prefix specification. A network prefix consists of an IP address, a slash character (/), and an integer denoting the prefix length. With an IPv4 address, the prefix length can be 32 at most. With an IPv6 address, the prefix length can be 128 at most. Severity: 12 CKR0558 174 CKRRMRG - Illegal eyecatcher eyecatcher during logging Messages Guide CKR0564 • CKR0569 CKR0564 No STUSER specified on STARTED profile profile - ICHRIN03 is used Explanation: This message is produced by the VERIFY STC command. It indicates that the indicated profile in the STARTED class does not contain an STUSER field in the STDATA segment. As a result, the profile indicated will be ignored, and the started procedure table ICHRIN03 will be used instead. No attempt is made to cure this condition, because it may be intentional. Severity: 08 CKR0565 STARTED profile profile contains group id group as STUSER - "user" is used action to newuser note Explanation: This message is produced by the VERIFY STC command. It indicates that the indicated profile in the STARTED class does not contain a valid user ID in the STUSER field in the STDATA segment, but the groupname id. As a result, the user specified in the profile will be ignored, and the undefined user ID user will be used instead. A command is generated to remove the erroneous specification. If the profile's first qualifier is a valid user, newuser will be set to user(=MEMBER) to use the member name and the action will be correct, although you still may have to note "but userid still revoked," meaning that the started task would run with reduced authority and might still experience problems (as indicated by message CKR0575). If not, it will be set to NOUSER to indicate the field is to be deleted, the action will be change, there will be no note, and after the proposed change the profile would be so unusable that RACF would fall back on started procedure table ICHRIN03, and a subsequent VERIFY STC would issue CKR0564 for the profile. Severity: 08 CKR0566 STARTED profile profile has undefined STUSER id - "user" is used - action to newuser note Explanation: This message is produced by the VERIFY STC command. It indicates that the user ID, id, is not valid in the STUSER field in the STDATA segment of the specified profile in the STARTED class. As a result, the user specified in the profile will be ignored, and the undefined user ID, user, will be used instead. A command is generated to remove the erroneous specification. If the profile's first qualifier is a valid user, newuser will be set to user(=MEMBER) to use the member name and the action will be correct. However, note might specify "but userid still revoked," which means that the started task will run with reduced authority and might experience problems (as indicated by message CKR0575). If not, newuser will be set to NOUSER to indicate that the field is to be deleted, the action will be set to change, and note is not specified. After the proposed change the profile would be so unusable that RACF would fall back on started procedure table ICHRIN03, and a subsequent VERIFY STC would issue CKR0564 for the profile. Severity: 08 CKR0567 STARTED profile profile has STUSER =MEMBER, which is a groupid - "user" is used for procedure volume dataset Explanation: This message is produced by the VERIFY STC command. It indicates that the indicated profile in the STARTED class contains the value =MEMBER in the STUSER field in the STDATA segment, but that the indicated procedure in the indicated data set is not a valid user ID, but a group ID. As a result, the procedure name will not be used as a user ID, and the undefined user ID user will be used instead. Note that the first qualifier of profile is generic, so that it may apply to different procedures as well; therefore, it is unclear how this should be cured, and no command is generated. Severity: 08 CKR0568 STARTED profile profile has STUSER =MEMBER, which is undefined - "user" is used for procedure volume dataset Explanation: This message is produced by the VERIFY STC command. It indicates that the indicated profile in the STARTED class contains the value =MEMBER in the STUSER field in the STDATA segment, but that the indicated procedure in the indicated data set is not a valid user ID. As a result, the procedure name will not be used as a user ID, and the undefined user ID user will be used instead. Note that the first qualifier of profile is generic, so that it may apply to different procedures as well; therefore, it is unclear how this should be cured, and no command is generated. Severity: 08 CKR0569 STARTED profile profile has both STUSER and STGROUP =MEMBER "user" is used - action to deletions Explanation: This message is produced by the VERIFY STC command. It indicates that the indicated profile in the STARTED class has the value =MEMBER in both the STUSER and STGROUP fields in the STDATA segment. Since it is impossible for any procedure name to match both a user ID and a group ID at the same time, this is an error on the profile level. As a result, the specifications in the profile will be ignored, and the undefined user ID user will be used instead. If the profile's first qualifier is discrete, it is checked whether it matches a user ID or a group ID or neither, and deletions will contain NOGROUP or NOUSER or both, respectively, to indicate which specifications are to be Chapter 5. CKR messages 175 CKR0570 • CKR0574 deleted. If the profile's first qualifier is generic, it is not possible to do such a check, and deletions will be NOGROUP, which is the only choice that might possibly fix the problem (for some matching procedures). Only when the problem has been fixed with certainty (discrete first qualifier that matches a valid user ID) action will be correct, otherwise it will be change. started task would run with reduced authority and might still experience problems (as indicated by CKR0575), "but still unconnected, userid still revoked" if both problems remain (CKR0150), or it may be absent. The action will be correct if the resulting profile specifications would be usable (no missing connection) regardless of the user ID's revocation status, and change otherwise. Severity: 08 Severity: 08 CKR0570 STARTED profile profile contains userid id as STGROUP - "user" is used - action to newgroup note Explanation: This message is produced by the VERIFY STC command. It indicates that the indicated profile in the STARTED class does not contain a valid group ID in the STGROUP field in the STDATA segment, but the groupname id. As a result, the user specified in the profile will be ignored, and the undefined user ID user will be used instead. A command is generated to remove the erroneous specification. If the profile's first qualifier is a valid group, newgroup will be set to group(=MEMBER) to use the member name; if not, it will be set to NOGROUP to indicate the field is to be deleted. Note indicates further problems with the user ID id and newgroup, it may be "but still unconnected" to indicate that =MEMBER may be a valid group but still the profile specification would be ignored (as indicated by CKR0574), "but userid still revoked", meaning that the started task would run with reduced authority and might still experience problems (as indicated by CKR0575), "but still unconnected, userid still revoked" if both problems remain (CKR0150), or it may be absent. The action will be correct if the resulting profile specifications would be usable (no missing connection) regardless of the user ID's revocation status, and change otherwise. Severity: 08 CKR0571 STARTED profile profile has undefined STGROUP id - "user" is used - action to newgroup note Explanation: This message is produced by the VERIFY STC command. It indicates that the indicated profile in the STARTED class does not contain a valid group ID in the STGROUP field in the STDATA segment, but the value id. As a result, the user specified in the profile will be ignored, and the undefined user ID user will be used instead. A command is generated to remove the erroneous specification. If the profile's first qualifier is a valid group, newgroup will be set to group(=MEMBER) to use the member name; if not, it will be set to NOGROUP to indicate the field is to be deleted. Note indicates further problems with the user ID id and newgroup, it may be "but still unconnected" to indicate that =MEMBER may be a valid group but still the profile specification would be ignored (as indicated by CKR0574), "but userid still revoked", meaning that the 176 Messages Guide CKR0572 STARTED profile profile has STGROUP =MEMBER, which is a userid - "user" is used for procedure volume dataset Explanation: This message is produced by the VERIFY STC command. It indicates that the indicated profile in the STARTED class contains the value =MEMBER in the STGROUP field in the STDATA segment, but that the indicated procedure in the indicated data set is not a valid group ID, but a user ID. As a result, the user ID specified in the profile will not be used, and the undefined user ID user will be used instead. Note that the first qualifier of profile is generic, so that it may apply to different procedures as well; therefore, it is unclear how this should be cured, and no command is generated. Severity: 08 CKR0573 STARTED profile profile has STGROUP =MEMBER, which is undefined - "user" is used for procedure volume dataset Explanation: This message is produced by the VERIFY STC command. It indicates that the indicated profile in the STARTED class contains the value =MEMBER in the STGROUP field in the STDATA segment, but that the indicated procedure in the indicated data set is not a valid group ID. As a result, the user ID specified in the profile will not be used, and the undefined user ID user will be used instead. Note that the first qualifier of profile is generic, so that it may apply to different procedures as well; therefore, it is unclear how this should be cured, and no command is generated. Severity: 08 CKR0574 STARTED profile profile user id not connected to group group - "user" is used Explanation: This message is produced by the VERIFY STC command. It indicates that the indicated profile in the STARTED class contains a valid user and group, but that user id is not connected to group group. As a result, the user ID specified in the profile will not be used, and the undefined user ID user will be used instead. This message indicates an error on the profile level, but no command is generated as it is unclear what the desired solution would be. Severity: 08 CKR0575 • CKR0583 CKR0575 STARTED profile profile has revoked userid user - executes with reduced access Explanation: This message is produced by the VERIFY STC command. It indicates that the indicated profile in the STARTED class contains a valid user and group, but that user user is revoked. As a result, the user ID specified in the profile will be used, but the started task will run with reduced access, which may lead to problems. This message indicates an error on the profile level, but no command is generated as it is unclear what the desired solution would be. Severity: 08 CKR0576 No STARTED profile found, ICHRIN03 is used - procedure volume dataset Explanation: This message is produced by the VERIFY STC command. It indicates that the indicated procedure in the indicated data set does not match any profile in the STARTED class. As a result, the started procedure table ICHRIN03 will be used instead. Severity: 00 CKR0577 STARTED profile profile not used by any started procedure Explanation: This message is produced by the VERIFY STC command. It indicates that the indicated profile in the STARTED class is not used for any procedure. The profile may be redundant. Note: This message may also be issued if a CKFREEZE file is used that was produced by running zSecure Collect from an unauthorized library. If zSecure Collect is run with APF authorization, it will use cross memory functions to find the data sets allocated to STCPROC (or PROC00 if there's no STCPROC). Subsequently, it will read the PDS directory of each of these proclibs. Note that it is insufficient to tell zSecure Collect to dump the directories of the PDS data sets in an unauthorized run, because they will not be known as proclibs. profile level; no command is generated. Severity: 08 CKR0579 STARTED profile profile has revoked userid =MEMBER - reduced access for procedure volume dataset Explanation: This message is produced by the VERIFY STC command. It indicates that the indicated profile in the STARTED class has the value =MEMBER in the STUSER field in the STDATA segment to indicate that the procedure should be used; however, although procedure is a valid user ID, it is revoked, so that started task will run with reduced authority and might experience problems. Note that the first qualifier of profile is generic, so that the problem is not a condition on the profile level; no command is generated. Severity: 08 CKR0580 TSO user user on system system not subject to RACF password control volume dataset Explanation: This message is produced by the VERIFY TSOALLRACF command. It indicates that on the system specified, the user indicated is included in the UADS data set indicated, but is not a valid RACF user ID. As a result, the user ID can logon using the password specified in the UADS data set, and is not subject to RACF control. Severity: 08 CKR0581 TSO user user on system system does not have a TSO segment - volume dataset Explanation: This message is produced by the VERIFY TSOALLRACF command. It indicates that on the system specified, the user indicated is included in the UADS data set indicated, is a valid RACF user ID, but does not have a TSO segment. The user ID is subject to RACF control, but takes its TSO attributes from the UADS data set, not the RACF database. Severity: 08 Severity: 00 CKR0582 CKR0578 STARTED profile profile user id not connected to group group - "user" is used for procedure volume dataset Explanation: This message is produced by the VERIFY STC command. It describes a problem in the indicated profile in the STARTED class: the user id in the STUSER field in the STDATA segment is not connected to the group in the STGROUP field, so that the undefined user ID user will be used. Note that the first qualifier of profile is generic, and either the user id or the group is specified as =MEMBER and thus evaluates to procedure, so that the main problem is not a condition on the ALLOC SMF invalid for specified type before token at ddname line number Explanation: This message indicates an invalid ALLOC command. A new syntax command can only describe one input source per command. Severity: 12 CKR0583 VSMLIST return code value Explanation: This message can occur if a live MVS system is examined and the VSMLIST service returns an unsupported return code. Contact IBM Software Chapter 5. CKR messages 177 CKR0584 • CKR0593 Support including the indicated value and your MVS level. Revoked users with weak DES password: num3 Non-revoked users with weak DES password: num4 Severity: 08 CKR0584 System system uses password hashing Explanation: This message is produced by the VERIFY PASSWORD command. It indicates that on the system specified, the password encryption method used is hashing. Any user with READ access to the RACF database or a copy/backup of the RACF database may be able to decode all passwords. Explanation: This message is produced by the VERIFY PASSWORD command. It provides a summary of the number of revoked and non-revoked users found with hashed or weak DES-encrypted passwords. Severity: 00 CKR0590 Severity: 00 Verify password requires RACF database, not unload for complex complex [version] Explanation: This message is produced by the VERIFY PASSWORD command. It indicates that the revoked user indicated has a weak DES-encrypted password. The password is not included in the message. Explanation: This message is produced by the VERIFY PASSWORD command. It indicates that the VERIFY PASSWORD command was used with an unloaded RACF database, instead of a 'real' RACF database (primary, backup, or copy). Since an unloaded database does not contain password information, password verification cannot be performed. Severity: 00 Severity: 00 CKR0585 CKR0586 Revoked user with weak password - user User with weak password - user Explanation: This message is produced by the VERIFY PASSWORD command. It indicates that the non-revoked user indicated has a weak DES-encrypted password. The password is not included in the message. Severity: 00 CKR0587 Revoked user with hashed password user Explanation: This message is produced by the VERIFY PASSWORD command. It indicates that the revoked user indicated has a hashed password, which can be decoded easily. The password is not included in the message. Severity: 00 CKR0588 User with hashed password - user Explanation: This message is produced by the VERIFY PASSWORD command. It indicates that the non-revoked user indicated has a hashed password, which can be decoded easily. The password is not included in the message. Severity: 00 CKR0589 178 Verify password result summary complex complex [version] Revoked users with hashed password: num1 Non-revoked users with hashed password: num2 Messages Guide CKR0591 Warning in ICHNCV00 parse for system : warning in convention convention-name type clause number Explanation: This message indicates that an ICHNCV00 feature is supported, but will be simulated with some restrictions. The warning indicates the type of feature not supported; the feature is used in convention convention-name, in a SELECT or ACTION clause, as indicated by type and number. At this time, this message will be issued for use of the RACGPID and RACUID features. It can be suppressed. Severity: 04 CKR0592 Error in ICHNCV00 parse for system: error in convention convention-name type clause number Explanation: This message indicates that ICHNCV00 could not be parsed, or an ICHNCV00 feature is not supported. Because of this, the table will not be simulated. The error indicates the problem; if a feature is not supported, the message will optionally include the convention convention-name, and a SELECT or ACTION clause, as indicated by type and number. This message can be suppressed. Severity: 04 CKR0593 ICHNCV00 not used because of parse errors Explanation: This message indicates that ICHNCV00 will not be used, because it could not be parsed, or it used features not supported by zSecure. It has been CKR0594 • CKR0599 preceded by one or more CKR0592 messages, which indicate the problem. CKR0599 Severity: 00 CKR0594 System system: using ICHNCV00 of date time Cannot be simulated by zSecure suppressed Reconstructed ICHNCV00 source code follows contents DEFINE for BUNDLEBY=field must be of type AS for statement at ddname line number Explanation: If a variable is used as the BUNDLEBY value, then it must be a variable defined with DEFINE AS and not a summary statistic, boolean, or SMF field. Severity: 12 Explanation: This message is generated by a SHOW ICHNCV00 command. The second line reports whether zSecure can simulate the naming convention table. If so, not will be omitted (instead of not) and an extra line may show suppressed as But was suppressed by SUPPRESS ICHNCV00 if applicable. Severity: 00 CKR0595 Qualifier of length size not supported in ICHNCV00 simulation Explanation: This message is generated during simulation of ICHNCV00. It indicates that a source data set name used qualifiers of the indicated size, which either is zero or larger than 8. zSecure will not translate the data set name. Severity: 00 CKR0596 Assignment beyond next empty qualifier not supported system system Explanation: This message is generated during simulation of ICHNCV00. It indicates that the naming convention table has an action that assigns to an output qualifier UQ beyond the last one in use, and beyond the first unused one, leaving a gap in the data set name. zSecure will not translate the data set name. Severity: 00 CKR0597 ALLOC PRIMARY/BACKUP/ACTIVE/ INACTIVE invalid for specified type before token at ddname line number Explanation: This message indicates an invalid ALLOC command. A live input source indicator was used with a type that does not support this. Severity: 12 CKR0598 The value "none" is mutually exclusive with other scan_inst values Explanation: The value NONE for a SELECT of an instruction scan field was used in a list with other instruction scan values. This is not allowed. Use an explicit OR instead. Severity: 12 Chapter 5. CKR messages 179 CKR0600 • CKR0610 Messages from 600 to 699 CKR0600 ENDBUNDLE without BUNDLE Explanation: This error message indicates that an ENDBUNDLE command was found (which normally ends a bundle of NEWLISTs), but no previous BUNDLE command was found to start the bundle. Severity: 12 CKR0601 Nested BUNDLE not allowed, check missing ENDBUNDLE for BUNDLE at ddname line number Explanation: This error message indicates that two BUNDLE commands were found without an intermediate ENDBUNDLE. BUNDLE commands may not be nested. Severity: 12 CKR0606 Explanation: The indicated field, which is SMF_FIELD, SMF_SECTION, or RACF_SECTION, was used in an output command. These fields, which are used to create user-defined SMF fields, may not be used directly in output commands. However, you can use these fields with a DEFINE command to create a new variable, and use that variable in output commands. Severity: 12 CKR0607 Severity: 12 CKR0602 Issue ENDMERGE before BUNDLE at ddname line number Explanation: This error message indicates that a BUNDLE command was found, in a sequence of MERGELIST - BUNDLE. There should be an ENDMERGE command in this sequence. You can include a MERGELIST - ENDMERGE in a BUNDLE ENDBUNDLE sequence, but not the other way around. Severity: 12 CKR0603 field may only be used in Select/Exclude/Define-As - at ddname line number database class profile base segment missing in complex complex Explanation: During a merge, it was detected that the specified profile has no base segment. Database is either Current® or Source. This profile will be skipped in the merge process. After completion of the current phase, the program will stop. This message can be the result of your select and exclude specifications. Next, you should check whether the specified profile has been damaged. If the profile is not damaged, verify the correctness of the profile itself, and take actions to correct or remove any incomplete profiles. Severity: 12 BUNDLE cannot contain DISPLAY - at ddname line number Explanation: This error message indicates that a DISPLAY command was found within a BUNDLE ENDBUNDLE. The BUNDLE command is intended for printed output; no interactive displays are allowed. Severity: 12 CKR0608 Use only one of DSN, DSNPREF, CMSFILE, PATH, FILEDESC, or GETPROC on ALLOC - at ddname line number Explanation: On an ALLOCATE command, at most one of the parameters DSN, DSNPREF, CMSFILE, PATH, FILEDESC, and GETPROC may be specified. Severity: 12 CKR0604 BUNDLEBY not on BUNDLE or NEWLIST but required at ddname line number Explanation: The BUNDLE - ENDBUNDLE commands require a BUNDLEBY parameter on the BUNDLE or on each NEWLIST in the bundle. In this case, the parameter was missing. Severity: 12 CKR0605 More than 32767 user-defined SMF fields not possible Explanation: This message indicates that you have reached the internal limit on the number of user-defined fields for the SMF report. Reduce the number of DEFINE SMF_FIELD, SMF_SECTION, or RACF_SECTION commands. 180 Messages Guide CKR0609 ALLOC uses both specific file format and specific option format keywords before token at ddname line number Explanation: The ALLOCATE command has two distinct formats, called the option format and the file format. Each has keywords only valid in that format, which cannot be mixed with keywords that indicate the other format. The two formats are described in the ALLOCATE command documentation in the user reference manual for your zSecure product. Severity: 12 CKR0610 ALLOC in file format requires explicit TYPE and input source specification before token at ddname line number CKR0612 • CKR0618 Explanation: The ALLOCATE command has two distinct formats, called the option format and the file format. When the latter is used without the SMF keyword (which specifies both at once), the TYPE keyword and one of the keywords DD, DSN, CMSFILE, PATH, FILEDESC, PRIMARY, BACKUP, ACTIVE, or INACTIVE are required. The two formats are described in the ALLOCATE command documentation in the user reference manual for your zSecure product. The run-on messages describe in detail how each input file will be used. The system name for a CKFREEZE file or live system may be preceded by an equal sign (=). This means that the system is primarily assigned to a different complex (where it does not have the equal sign), but it is also being used for this complex. This implies, for example, that SMF records with this system ID will not be assigned the complex name where the system is being displayed with the equal sign in front. Severity: 12 Ver ver CKR0612 Complex complex Severity: 04 Timestamp timestamp Complex names missing for two or more security databases, specify COMPLEX= on ALLOC statement Explanation: The program tried to assign default COMPLEX names to the security databases allocated, but could not decide which complex to assign to which database. Specify the COMPLEX parameter on all ALLOC statements of TYPE=RACF. Severity: 12 Warning: unload ddname1 and ddname2 apply to same system system Explanation: Two complexes were defined that turned out to have the same name. This means displays may be confusing since they show information from two databases under the same complex name. This can only happen if a TYPE=UNLOAD input file was used without an ALLOC COMPLEX parameter. It is better to rerun while specifying the COMPLEX parameter. Severity: 00 The complex message line shows the timestamp for the complex that is used in report headers. For implicit allocation, which automatically allocates the live RACF data base, prod shows the type of system, RACF, and the file name of the live data base. For explicit allocation, prod shows ???? and the file name is left blank. Volser volser Dsname dsname Missing product security database for system name complex complex - not allowed in restricted mode Severity: 12 CKR0617 Warning: missing product security database for system name complex complex Explanation: This message indicates that no product security database (which can be RACF, ACF2, or TSS) was available for the indicated system name, while one or more reports require the security information. The reports that need this information may be incomplete; other reports will be unaffected. Severity: 00 Input system structure overview (default system system complex complex Explanation: These messages give an overview of the allocated files and their use. These messages are mainly used to determine how zSecure will group different kinds of files (UNLOADs, CKFREEZEs) for multiple systems. Filename filename Explanation: This message indicates that in a restricted-mode (aka PADS) run, no product security database (which can be RACF, ACF2, or TSS) was available for the indicated system name. This makes a restricted-mode run impossible. CKR0618 CKR0615 System system Severity: 00 CKR0616 CKR0614 Prod prod Tapevol profile volumes not equal Explanation: During the merge of the mentioned tapevol profile it was discovered that the volume lists of the source and current versions are not equal. The profile will not be merged. CKR0613 Func func Processing product system system [version] as if protected by product2 complex complex is not allowed in restricted mode Explanation: This message indicates that no product security database (which can be RACF, ACF2, or TSS) was available for the indicated system system. Usually, the indicated product2 security database for the complex complex would have been used instead; but this is not allowed in restricted mode. Severity: 12 Chapter 5. CKR messages 181 CKR0619 • CKR0626 CKR0619 Overriding COMPLEX=complex for system name file ddname not allowed in restricted mode unless equal to ZSECNODE, RRSF node, SYSPLEX, SYSNAME, or SMF id Explanation: This message indicates that a COMPLEX= statement was used on the ALLOCATE command to override the complex used for the indicated file. This override is not allowed in restricted mode unless the value for this parameter is equal to ZSECNODE, RRSF node, SYSPLEX, SYSNAME, or SMF id. Severity: 12 CKR0620 kind database does not have id name Explanation: This message is issued by the IBM Security zSecure Admin database merge checking routines, and indicates a structural error in the kind (Source or Current) database. The ID name, which is either SYS1 or IBMUSER, could not be found. This may be caused by a structural error in the database, or by a global SELECT or EXCLUDE statement. The profiles that should be merged should be selected by a SELECT statement within the MERGE/ENDMERGE block, not by a global SELECT. Severity: 12 CKR0621 kind id name referred to but not defined - assume user Explanation: This message is issued by the IBM Security zSecure Admin database merge checking routines, and indicates a structural error in the kind (Source or Current) database. The ID with the indicated name was referred to (as owner, default-group, superior group, or in a user-group connection) but could not be found. As a work-around, IBM Security zSecure Admin assumes it is a user. This may be caused by a structural error in the database, or by a global SELECT or EXCLUDE statement. The profiles that should be merged should be selected by a SELECT statement within the MERGE/ENDMERGE block, not by a global SELECT. Severity: 04 CKR0622 kind id name defined as both user and group Explanation: This message is issued by the IBM Security zSecure Admin database merge checking routines, and indicates a structural error in the kind (Source or Current) database. The ID with the indicated name is known as both a user and as a group. This is caused by a structural error in the database, which must be repaired before the ID can be merged. You may be able to work around this problem by using global EXCLUDE commands. 182 Messages Guide Severity: 12 CKR0623 kind id name has no owner - assume SYS1 Explanation: This message is issued by the IBM Security zSecure Admin database merge checking routines, and indicates a structural error in the kind (Source or Current) database. The ID with the indicated name was found, but no owner could be determined. As a work-around, IBM Security zSecure Admin assumes the owner is SYS1. This may be caused by a structural error in the database, or by a global SELECT or EXCLUDE statement. The profiles that should be merged should be selected by a SELECT statement within the MERGE/ENDMERGE block, not by a global SELECT. Severity: 04 CKR0624 kind user name has no default-group and no connects Explanation: This message is issued by the IBM Security zSecure Admin database merge checking routines, and indicates a structural error in the kind (Source or Current) database. For the user with the indicated name, no default-group could be found, and no other connects could be found that would serve as fall-back. This may be caused by a structural error in the database, or by a global SELECT or EXCLUDE statement. The profiles that should be merged should be selected by a SELECT statement within the MERGE/ENDMERGE block, not by a global SELECT. Severity: 12 CKR0625 kind group name has no superior-group assume SYS1 Explanation: This message is issued by the IBM Security zSecure Admin database merge checking routines, and indicates a structural error in the kind (Source or Current) database. The group with the indicated name was found, but no superior group could be determined. As a work-around, IBM Security zSecure Admin assumes the superior group is SYS1. This may be caused by a structural error in the database, or by a global SELECT or EXCLUDE statement. The profiles that should be merged should be selected by a SELECT statement within the MERGE/ENDMERGE block, not by a global SELECT. Severity: 04 CKR0626 kind group name has supgrp<>owning group, assuming owner should be set to supgrp Explanation: This message is issued by the IBM Security zSecure Admin database merge checking routines, and indicates a structural error in the kind CKR0627 • CKR0635 (Source or Current) database. The group with the indicated name was found, and has different groups as superior-group and owner. As a work-around, zSecure Audit assumes the superior group should also be used as the owner. This is caused by a structural error in the database. Severity: 04 CKR0627 kind database has structural errors please run VERIFY CONNECT,PERMIT Explanation: This message is issued by the IBM Security zSecure Admin database merge checking routines, and indicates a structural error in the kind (Source or Current) database was diagnosed in the preceding messages. Run VERIFY PERMIT and/or VERIFY CONNECT. Severity: 00 CKR0628 TVTOC merge not supported Explanation: During a merge, it was detected that some TAPEVOL profiles with a TVTOC are present in both source and current databases. This message serves to warn you that such profiles will not be merged. Severity: 04 CKR0629 kind database has id name but is not a user/group Explanation: This message is issued by the IBM Security zSecure Admin database merge checking routines, and indicates a structural error in the kind (Source or Current) database. The ID name, which is either SYS1 or IBMUSER, could be found, but was not of the correct kind (group for SYS1, user for IBMUSER). This may be caused by a structural error in the database, or by a global SELECT or EXCLUDE statement. The profiles that should be merged should be selected by a SELECT statement within the MERGE/ENDMERGE block, not by a global SELECT. Severity: 12 CKR0630 Two merge sources not allowed Explanation: This message is issued by the IBM Security zSecure Admin database merge checking routines, and indicates that two source RACF databases were found. The merge requires exactly one source and one current database. See the preceding CKR0615 message for an overview of the RACF databases and their function. Severity: 12 CKR0631 Two merge currents not allowed Explanation: This message is issued by the IBM Security zSecure Admin database merge checking routines, and indicates that two current RACF databases were found. The merge requires exactly one source and one current database. See the preceding CKR0615 message for an overview of the RACF databases and their function. Severity: 12 CKR0632 Merge requires source and current Explanation: This message is issued by the IBM Security zSecure Admin database merge checking routines, and indicates that no source database, no current database, or no database at all was found. The merge requires exactly one source and one current database. See the preceding CKR0615 message for an overview of the RACF databases and their function. Severity: 12 CKR0633 These src groups have a SUPGROUP rule but are not selected: group ids Explanation: During an IBM Security zSecure Admin database merge, pass 2, a number of groups was found for which a MERGERULE SOURCEID SUPGROUP command was specified. However, the groups were not selected to be merged. This is an error: either select the groups to be merged, or omit the MERGERULE commands for the groups. Severity: 12 CKR0634 kind user name has no default-group, using connect group Explanation: This message is issued by the IBM Security zSecure Admin database merge checking routines, and indicates a structural error in the kind (Source or Current) database. The user with the indicated name was found, but no default-group could be determined. As a work-around, IBM Security zSecure Admin uses the existing connection to group. This may be caused by a structural error in the database, or by a global SELECT or EXCLUDE statement. The profiles that should be merged should be selected by a SELECT statement within the MERGE/ENDMERGE block, not by a global SELECT. Severity: 04 CKR0635 MERGE internal error: description Explanation: An internal error occurred during a IBM Security zSecure Admin database merge. Write down the indicated description and contact IBM Software Support. Severity: 16 Chapter 5. CKR messages 183 CKR0636 • CKR0645 CKR0636 Errors in merge phase number - stopped early Explanation: An error occurred during pass number of a IBM Security zSecure Admin database merge. The error was described in the previous messages. Because of these errors, the IBM Security zSecure Admin database merge was unable to continue and stopped. apply to references to the indicated IDs (for example, on access lists). This is an error: either select the user or group IDs to be merged, or omit the MERGERULE commands for the indicated IDs Severity: 12 CKR0642 Severity: 12 CKR0637 Merge requires a local current RACF database Explanation: A merge was specified, but an eligible database to merge into was not supplied. You cannot merge into a nonlocal database through the zSecure Server network. The following current ids are the target of > 1 rename: ids Explanation: During an IBM Security zSecure Admin database merge, pass 2, a number of MERGERULE SOURCEID RENAME commands was found. Several of these commands renamed a SOURCE ID to the same CURRENT id. This is not allowed. However, you can achieve the effect desired by merging the SOURCE database in multiple runs. Severity: 12 Severity: 12 CKR0643 CKR0638 Merge requires a local RACF source database Explanation: A merge was specified, but an eligible database to merge from was not supplied. You cannot merge from a nonlocal database through the zSecure Server network. Severity: 12 The following users have a SUPGROUP rule: ids Explanation: During an IBM Security zSecure Admin database merge, pass 2, a number of MERGERULE SOURCEID SUPGROUP commands was found that specified a user as SOURCEID. This is not allowed: a SUPGROUP option can only apply to a group. Correct the MERGERULE commands. Severity: 12 CKR0639 CKREFRI: command buffer overflow Explanation: This message indicates that one or more classes were left off from the SETROPTS REFRESH command. Severity: 08 CKR0640 The following src ids have a rule but are not defined: ids Explanation: During an IBM Security zSecure Admin database merge, pass 2, a number of MERGERULE SOURCEID commands was found that specified an nonexisting user or group ID. This is an error: either correct the user or group IDs, or omit the MERGERULE commands for the indicated IDs. Severity: 12 CKR0641 These src ids have a RENAME, are not selected, and do not exist in current: ids Explanation: During an IBM Security zSecure Admin database merge, pass 2, a number of MERGERULE SOURCEID RENAME commands was found. The indicated IDs are valid user and group IDs on the SOURCE system, but are not selected to be merged, so the commands cannot apply to SOURCE IDs. The new name specified with the RENAME option does not exist on the CURRENT system and will also not be created during the merge, so the commands cannot 184 Messages Guide CKR0644 A SUPGROUP rule for SYS1 is not allowed: Explanation: During an IBM Security zSecure Admin database merge, pass 2, a number of MERGERULE SOURCEID SUPGROUP commands was found that specified a superior group for a group that would be called SYS1 after the merge. This is not allowed: SYS1 should not have a superior group. The src-id shows the original group name (before any renames); the cur-id will be SYS1. Orig src-id New cur-id Severity: 12 CKR0645 The following current ids are the target of src+rename: ids Explanation: During an IBM Security zSecure Admin database merge, pass 2, a number of MERGERULE SOURCEID RENAME commands was found. One or more of these commands renamed a SOURCE ID to a CURRENT ID that is also the target of a selected SOURCE ID that was not renamed. This is not allowed. However, you can achieve the effect desired by merging the SOURCE database in multiple runs. Severity: 12 CKR0646 • CKR0653 CKR0646 The following users were specified as a SUPGROUP: ids Explanation: During an IBM Security zSecure Admin database merge, pass 2, a number of MERGERULE SOURCEID SUPGROUP commands was found that specified a user as SUPGROUP. This is not allowed: a SUPGROUP option must specify a group as new superior group. However, you can specify a user as owner for a group, using the MERGERULE SOURCEID OWNER option. Correct the MERGERULE commands. Following groups found in source. They are users in current: Explanation: During an IBM Security zSecure Admin database merge, pass 2, a number of groups that were selected to be merged had the same name as a user on the CURRENT system (possibly after being renamed). This is not allowed. The src-id column lists the users; the cur-id column lists the new name after the merge. Correct the MERGERULE commands. Source src-id Current cur-id Severity: 12 CKR0648 Following users found in source. They are groups in current: Explanation: During an IBM Security zSecure Admin database merge, pass 2, a number of users that are selected to be merged have the same name as a group on the CURRENT system (possibly after being renamed). This is not allowed. The src-id column lists the users; the cur-id column lists the new name after the merge. Correct the MERGERULE commands. Source src-id Current cur-id Severity: 12 CKR0649 Ids defined as owner, but not defined/selected: ids Explanation: During an IBM Security zSecure Admin database merge, pass 2, a number of MERGERULE SOURCEID OWNER commands was found that specified a user or group that would be absent after the merge. This is an error. Correct the MERGERULE commands. Severity: 12 Ids defined as supgroup, but not defined/selected: ids Explanation: During an IBM Security zSecure Admin database merge, pass 2, a number of MERGERULE SOURCEID SUPGROUP commands was found that specified a group that would be absent after the merge. This is an error. Correct the MERGERULE commands. Severity: 12 CKR0651 Severity: 12 CKR0647 CKR0650 The following groups are part of a supgroup loop: groups Explanation: During an IBM Security zSecure Admin database merge, pass 3, it was determined that the group tree structure after the merge would result in a loop of the indicated groups. This is an error, and should be fixed by specifying or correcting MERGERULE SOURCEID SUPGROUP commands. Severity: 12 CKR0652 The following groups are source-only; their src-only supgrp is not selected: Explanation: During an IBM Security zSecure Admin database merge, pass 3, a number of groups was found that were selected to be merged and do only exist on the SOURCE database. In addition, no SUPGROUP command was specified, and their superior groups on the SOURCE system were not selected to be merged. This is an error, and should be fixed by selecting the source superior groups, not selecting the groups, or by specifying MERGERULE SOURCEID SUPGROUP commands. Orig src-grp New cur-grp Orig-sup src-supgroup Severity: 12 CKR0653 The following groups have conflicting supgrps, and no command: Explanation: During an IBM Security zSecure Admin database merge, pass 3, a number of groups was found that were selected to be merged and do exist on both the SOURCE and the CURRENT database. In addition, the superior groups were different; the source superior group was also selected to be merged; and no command was specified that could resolve this conflict. This is an error, and can be corrected in various ways: (1) Changing the selection criteria; (2) specifying a MERGERULE SOURCEID SUPGROUP command; (3) specifying a MERGERULE SOURCEID DATA command; (4) specifying a MERGERULE DEFAULT DATA command. Source src-grp Current cur-grp Orig-s src-s Orig-ren renamed-src Cur-sup cur-supgroup Chapter 5. CKR messages 185 CKR0654 • CKR0660 Severity: 12 CKR0654 Group SYS1 was renamed, and no superior group was specified Explanation: During an IBM Security zSecure Admin database merge, pass 3, it was detected that group SYS1 from the SOURCE database was renamed using a MERGERULE SOURCEID RENAME command. However, the new group did not already exist on the CURRENT database, and no new superior group was specified. This is an error, and can be corrected using MERGERULE SOURCEID commands. Severity: 12 CKR0655 These src-only users have an owner that is not selected: Explanation: During an IBM Security zSecure Admin database merge, pass 4, it was detected that one or more users that occurred only on the source database, have an owner that is not present on the current database, and is not selected to be merged. In addition, no MERGERULE SOURCEID OWNER command had been specified. This is an error, since no owner can be determined. Either specify the desired owner, or select the user's owner to be merged. Source src-user Current cur-user Src-Owner src-owner Severity: 12 CKR0656 These users have conflicting owners, no command: Explanation: During an IBM Security zSecure Admin database merge, pass 4, it was detected that one or more users that are present on both source and current system have conflicting owners. In addition, no MERGERULE SOURCEID OWNER, MERGERULE SOURCEID DATA, or MERGEID DEFAULT DATA command had been specified. This is an error, since no owner can be determined. Source src-user Current cur-user Src-Own src-own Cur-own current-owner MERGERULE DEFAULT AUTHORITY was specified that could resolve the conflict. This is an error. For each conflicting user-group connection, the message lists the name of the user and group on the source and current databases. Src-user s-user CKR0658 Explanation: During an IBM Security zSecure Admin database merge, pass 5, one or more user-group connections were found that have conflicting attributes in the source and current version. In addition, no MERGERULE SOURCEID AUTHORITY or 186 Messages Guide Cur-grp c-group The following users have no connects after the merge: Explanation: During an IBM Security zSecure Admin database merge, pass 6, it was detected that one or more users did not have any group-connections after the merge. This is an error, which should be corrected by (1) deselecting the user; (2) selecting one or more of the connect-groups; or (3) renaming the user to a user already existing on the CURRENT system. Source src-id Current cur-id Src-dfltgrp source defaultgroup Severity: 12 CKR0659 The following users have no dfltgrp, and > 1 copied connect: Explanation: During an IBM Security zSecure Admin database merge, pass 6, it was detected that one or more users did have two or more group-connections after the merge, but the source default group was not merged, and no default-group could be determined. This is an error, which can be corrected in various ways, including: (1) deselecting the user; (2) selecting the source defaultgroup to be merged; or (3) renaming the user to a user already existing on the CURRENT system. Source src-id Current cur-id Src-dfltgrp source defaultgroup Severity: 12 Severity: 12 The following connects have conflicting attrs and no auth rule: Cur-user c-user Severity: 12 CKR0660 CKR0657 Src-grp s-group The following users have two dfltgrp candidates: Explanation: During an IBM Security zSecure Admin database merge, pass 6, it was detected that one or more users have two candidate default groups, and no MERGERULE SOURCEID DATA or MERGERULE DEFAULT DATA commands had been specified that could resolve the conflict. This is an error. Source Current Src-dflt Cur-dflt CKR0661 • CKR0669 src-id cur-id src-dflt current defaultgroup Severity: 12 CKR0661 Severity: 12 Warning: product system name now processed as if protected by product2 database of complex name2 Explanation: This message indicates that no product security database (which can be RACF, ACF2, or TSS) was available for the indicated system name. The indicated product2 security database for the complex name2 is used instead. Severity: 00 CKR0662 Warning: RACF Class Descriptor Table for complex name unknown, using current system CDT Severity: 00 Started task info missing, ICHRIN03 not in ddname for system name complex complex [version] Explanation: This message is issued by VERIFY/REPORT STC. It indicates that though the STARTED class will still be processed, the fallback started task information for the indicated system name is missing. The report may be incomplete. Severity: 08 CKR0664 CKR0666 Explanation: Command generation is done per complex. Each complex needs its own output file (since the commands must be sent to the proper complex). These messages indicate which TYPE=CKRCMD file was used for which complex. CKR0667 Extra CNSX without class - file ddname volume dsn Explanation: The Class Descriptor Table in the input source contains less class descriptors than CDT extension (CNSX) records. Possibly a record was truncated in the database unload file or something more serious is happening. Check that the file has DCB attributes RECFM=VBS,LRECL=X. Severity: 16 CKR0668 Class name CNSX mismatch file ddname Explanation: The Class Descriptor Table in the input source contains other CNSX pointers than the CDT extension (CNSX) records themselves. Possibly a record was truncated in the database unload file or something more serious is happening. Check that the file has DCB attributes RECFM=VBS,LRECL=X. Severity: 16 Two-pass read of RACF db not supported, use an unload for complex name Explanation: A RACF database (as opposed to an UNLOAD) cannot be used in a two-pass read. Use an UNLOAD instead. This may be caused by including fields like ANYSUPGROUP (which needs to know the group structure to operate) in your query, or using lookups in a NEWLIST TYPE=RACF selection (for which, for example, ownership relations must be known ahead of time). CKR0669 UNLOAD COMPLEX= parameter not valid for NEWLIST TYPE=type Explanation: The COMPLEX parameter on the UNLOAD statement is meant to indicate which complex security database should be unloaded. An unload file can contain information of one complex Class name and higher miss CNSX on file ddname volume dsn - probably unloaded with downlevel release Explanation: The unload file misses Class Descriptor Table Extension (CNSX) records starting with the class indicated. Reports may be false. Severity: 16 CKR0669 Severity: 12 CKR0665 System system complex complex NJE node node has been assigned free CKRCMD file ddname volume dsn Severity: 00 Explanation: This message indicates that no RACF Class Descriptor Table (CDT) could be found for the indicated system name. The current systems CDT is used instead. CKR0663 only, while a NEWLIST can print information from multiple complexes. The COMPLEX parameter has no meaning for non-security database NEWLISTs and results in this error message. Class name and higher miss CNSX on file ddname - downlevel CNFCOLL does not support RACF 2.2 Explanation: The CKFREEZE file misses Class Descriptor Table Extension (CNSX) records starting with the class indicated. Reports may be false. Severity: 16 Chapter 5. CKR messages 187 CKR0670 • CKR0678 CKR0670 Incompatible RCVT and CNST release NEWLIST TYPE=CLASS incomplete allocate proper CKFREEZE for system Explanation: You cannot safely mix RACF 2.2 or higher unloads and CKFREEZEs with lower level RACF ones for the same system. Consequently, the NEWLIST TYPE=CLASS output cannot be trusted. Use a consistent input set (for example, an unload and CKFREEZE produced on the same system). Severity: 04 CKR0675 Warning: complex not processed for ALLOC TYPE=CKRCMD FILE=ddname COMPLEX=name Explanation: You specified a CKRCMD output file for the indicated complex, but this complex was not found in the input set. The output file will not be used. Severity: 00 Severity: 16 CKR0676 CKR0671 Explanation: You specified a filename reserved for other purposes as the target for the unload. Specify another filename on the DDNAME parameter. Severity: 12 CKR0672 Only one MERGE allowed - previous ignored Explanation: More than one MERGE input command was specified. Only the last one specified will be used. Multiple RACF database merge jobs should be split into multiple runs. Duplicate value for keyword keyword for source id id Explanation: In the MERGE input commands, a MERGERULE SOURCEID=id statement was used to set the option keyword. However, this option had already been set for the same ID in the preceding MERGERULE commands. This is an error. Severity: 12 CKR0673 Explanation: During an IBM Security zSecure Admin database merge, pass 4, it was detected that one or more groups have a MERGERULE SOURCEID OWNER command. These commands specified a group as new owner; however, the owner specified was not equal to the superior group determined in the previous pass. This is an error. Either specify the desired owner as a superior group, or use a user as owner. Source src-grp Current cur-grp New-sup supgrp Own-parm owner specified Severity: 12 Severity: 04 CKR0673 These groups have an OWNER pararameter that is not equal to the supgroup: DDNAME=ddname is invalid on UNLOAD Duplicate value for keyword keyword for resource class class Explanation: In the MERGE input commands, a MERGERULE SOURCECLASS=class statement was used to set the option keyword. However, this option had already been set for the same general resource class in the preceding MERGERULE commands. This is an error. CKR0677 For the following source-only profiles no current owner could be found: Explanation: During an IBM Security zSecure Admin database merge, pass 7, it was detected that one or more data set or general resource profiles only occur on the source database. In addition, no owner could be found on the current database for these profiles: the source owner was not merged, and does not exist on the current database; and the high-level qualifier is not a valid ID on the current database. This is an error. It can often be resolved by selecting the indicated owner to be merged, or by specifying a MERGERULE SOURCEID OWNER command for the profile's high-level qualifier. S-owner owner Class class Profile profile Severity: 12 Severity: 12 CKR0678 CKR0674 EOF without ENDMERGE... ENDMERGE assumed Explanation: In the MERGE input commands, the input ended after a MERGE command was read, but before an ENDMERGE command was read. A closing ENDMERGE is assumed. 188 Messages Guide The following profiles have an unresolved access list because no policy was set: Explanation: During an IBM Security zSecure Admin database merge, pass 8, it was detected that the access list for one or more data set or general resource profiles contained differences that could not be resolved. This is an error. It can be resolved by specifying a CKR0679 • CKR0687 MERGERULE SOURCEID AUTHORITY command for the profile's high-level qualifier, or by a MERGERULE DEFAULT AUTHORITY command. Class class Current profile name profile Severity: 12 CKR0679 Warning: skipped undefined id "id" during merge of access list Id occurred number times Explanation: During an IBM Security zSecure Admin database merge, pass 8, an access list ID was encountered that did not exist in the RACF database. This access list entry will not be merged. You may ignore this message; run VERIFY PERMIT to clean up the RACF database. Severity: 04 CKR0680 Skipping non-base segments for profiles discrete-name Explanation: During an IBM Security zSecure Admin database merge, several discrete profiles had an identical name. In addition, non-base segments were found. The non-base segments cannot be assigned to a base segment and will be skipped. Severity: 04 CKR0681 General resource class name is only present on the source system (Profiles are not merged) ignored Explanation: During an IBM Security zSecure Admin database merge, pass 1, the general resource class name was encountered, which contains profiles which are selected to be merged. However, the class is only present on the source system. The profiles will not be merged. If a mergerule was specified for the class, a third line ignored will be shown with the format MERGERULE SOURCECLASS=class ignored. Severity: 00 CKR0682 General resource class name is generic on the source system, not on the current (SETROPTS GENERIC written to CKRCMD) Explanation: During an IBM Security zSecure Admin database merge, pass 1, the general resource class name was encountered, which contains generic profiles which are selected to be merged. However, generic processing for the class is only active on the source system. A SETROPTS GENERIC command for the class has been written to CKRCMD. If this is not desired, exclude the class from the database merge. Severity: 00 CKR0683 General resource class name is active on the source system, not on the current Explanation: During an IBM Security zSecure Admin database merge, pass 1, the general resource class name was encountered, which contains profiles which are selected to be merged. However, the class is only active on the source system. The profiles will be merged, but may not perform a useful function on the current system. Severity: 00 CKR0684 Invalid conditional access list entry for id name - skipped Profile: class key Explanation: During an IBM Security zSecure Admin database merge, pass 8, a conditional access list entry for user or group name was encountered that contains garbage. RACF PTF levels existed in the past that could create such invalid entries. The profiles will be merged, but may miss the remainder of the access list on the current system. Severity: 08 CKR0685 File filename effective linelength nn conflicts with first CKRCMD linelength mm used for NEWLIST DD=CKRCMD Explanation: If you use CKRCMD output and process the databases of more than one security complex, then output is not written to one file only. Instead, it is redirected automatically to one TYPE=CKRCMD file per complex. NEWLIST definitions are (can be) linelength-dependent. Because of this it is required that the effective linelength is identical for all these TYPE=CKRCMD files. This requirement is not present if you do not use a NEWLIST DD=CKRCMD. Severity: 12 CKR0686 ACF2_CHANGE num reads beyond end-of-record Explanation: An ACF2 SMF record for a logonid or infostorage change claimed to contain information beyond the end of the record. Possibly the record was truncated. Severity: 08 CKR0687 Some ACF2_CHANGE values omitted Explanation: An ACF2 SMF record for a logonid or infostorage change contained more information than fit into internal zSecure Audit buffers. Some repeat group values will be missing. Severity: 08 Chapter 5. CKR messages 189 CKR0688 • CKR0700 Explanation: An ACF2 SMF record contained an unsupported value for the field ACFATYPE. The unsupported value is given in hex. Explanation: A field was modifiable in principle but the output format used is not supported for modification. If you did not specify an overriding format, then this is an internal error. Contact IBM Software Support. Severity: 20 Severity: 24 CKR0688 CKR0689 Unknown ACFATYPE xx Unknown ACF2 subtype xx Explanation: An ACF2 SMF record contained an unsupported value as the value for ACSMFREC (the record subtype). The unsupported value is given in hex. Severity: 20 CKR0690 Unsupported ACF2 mode=xxx Explanation: An ACF2 SMF record contained an unsupported value as the value for ACVMFTF. The unsupported value is given in hex. In module - description Explanation: This is a progress indicator of the merge process. Severity: 00 CKR0692 File file additional snapshot was created at timestamp Explanation: This messages indicates that a TYPE=CKFREEZE input file contained two concatenated system snapshots. This second snapshot is ignored by IBM Security zSecure. Severity: 00 CKR0693 Two-pass read of merge source activated Explanation: This message indicates that the merge source database has to be read twice to minimize memory usage. This is usually caused by selection fields like ANYSUPGRP that need to know the group-structure to operate. Severity: 00 CKR0694 Safety limit of 50 repeat commands exceeded Explanation: The MERGE command generation automatically splits commands in pieces of 16KB. After 50 such splits the command was still not complete. Command generation has been abandoned, because it is highly probable that there is an internal error. Contact IBM Software Support. Severity: 08 CKR0696 No CKRCMD for merge function Explanation: A merge was requested but no file was present to generate the commands for the specified database function (source or current). Severity: 20 CKR0691 CKR0695 Field fieldaddr fieldname format outputformat not supported for modify defined at ddname line number Severity: 08 CKR0697 Unknown entity type nn Explanation: The profile caching mechanism encountered an unsupported entity type. Contact IBM Software Support. Severity: 20 CKR0698 Duplicate connect user / group Explanation: The profile caching mechanism encountered a duplicate connect in a non-RDS RACF database. Severity: 20 CKR0699 MERGERULE SOURCECLASS specified for class class but class not found in source CDT Explanation: A MERGERULE SOURCECLASS was specified for a class that is not present in the class descriptor table of the source database. Make sure the class name is specified correctly. Severity: 12 Messages from 700 to 799 CKR0700 First volume catalog entries conflict, file seq volser datasetname first vol2 Explanation: This message is issued if two ICF catalog entries indicate different first volumes for datasetname, 190 Messages Guide sequence number seq on tape volume volser. There is no way to determine which one is correct; vol2 is the ignored indication. Severity: 08 CKR0701 • CKR0710 CKR0701 First volume conflict in tape mgmnt for file seq volser datasetname first vol2 Explanation: This message is issued if two tape catalog entries indicate different first volumes for datasetname, sequence number seq on volume volser. There is no way to determine which one is correct; vol2 is the ignored indication. Severity: 08 CKR0706 First volume conflict catalog/TVTOC for file seq volser datasetname first vol2 Explanation: This message is issued if an ICF catalog entry conflicts with a TVTOC entry in the RACF database as to the first volume for datasetname, sequence number seq on volume volser. The TVTOC information will be considered correct, and the ICF catalog indication, vol2, will be ignored. Severity: 08 CKR0702 First volume conflict tape mgmnt/TVTOC, file seq volser datasetname first vol2 Explanation: This message is issued if a TVTOC entry in the RACF database conflicts with the tape management catalog as to the first volume for datasetname, sequence number seq on volume volser. The tape management catalog will be considered correct, and the TVTOC indication, vol2, will be ignored. Severity: 08 CKR0707 Erroneous count in multi-volume link table, complex volser count count Explanation: This message is issued if the count field declaring the number of secondary volumes defined for the complex starting with volser in the ensuing link table is less than 1 or exceeds the maximum value, i.e., count is greater than 5 (for a TLMS base record) or 32 (for a TLMS multi-volume record). Any multi-volume link information in this record is ignored. Severity: 08 CKR0703 First volume conflict tape mgmnt/catlg, file seq volser datasetname first vol2 Explanation: This message is issued if an ICF catalog entry conflicts with the tape management catalog as to the first volume for datasetname, sequence number seq on volume volser. The tape management catalog will be considered correct, and the ICF catalog indication, vol2, will be ignored. Severity: 08 CKR0708 Bad sequence number in multi-volume table of complex volser sequence number vseq Explanation: This message is issued if an entry in a table defining secondary volumes for the TLMS complex starting with volser contains a volume sequence number vseqless than 2. Such entries are skipped. Severity: 08 CKR0704 First volume conflict with tape mgmnt, file seq volser datasetname first vol2 Explanation: This message is issued if an information source (probably ICF catalog, possibly TVTOC) conflicts with the tape management catalog as to the first volume for datasetname, sequence number seq on volume volser. The tape management catalog will be considered correct, and the other indication, vol2, will be ignored. CKR0709 CONVERSION abend-type for TLMS volume volser Explanation: This message is issued when converting the volume sequence or volume count field in a CKFREEZE entry representing a TLMS base record for volume volser from packed decimal to binary fails. Any multi-volume information in this record is ignored. Severity: 20 Severity: 08 CKR0710 CKR0705 First volume conflict with catalog for file seq volser datasetname first vol2 Explanation: This message is issued if an information source (probably ICF catalog, possibly TVTOC) conflicts with an ICF catalog entry as to the first volume for datasetname, sequence number seq on volume volser. The earlier information will be considered correct, and the new ICF information, vol2, will be ignored. Volume sequence conflict in multi-volume complex volser sequence number vseq ignored vol2 Explanation: This message is issued if vol2 was identified as the vseqth volume of the multi-volume complex starting with volser, but another volume had already been. The new link information is ignored. Severity: 08 Severity: 08 Chapter 5. CKR messages 191 CKR0711 • CKR0720 CKR0711 Secondary volume is scratch in nonscratch complex volser volume vol2 Explanation: This message is issued if vol2 is a scratch secondary volume in a complex starting with the nonscratch volume volser. Perform the IDCAMS DIAGNOSE function on the VVDS: maybe a DELETE NVR command will help. Severity: 08 CKR0717 Severity: 08 CKR0712 Alleged first volume denies involvement in complex volser referenced by vol2 Explanation: This message is issued if a nonscratch volume vol2 was linked to a TLMS complex starting with volser, but volser was not identified as the start of a multi-volume complex by its base record or no base record was found for it. Non-VSAM data set found in VVDS multiple times - volser datasetname Explanation: When deleting data sets a non-VSAM SMS-managed data set will be DELETEd primarily via the catalog mentioned in the NVR and DELETEd NOSCRATCH from other catalogs. This message indicates multiple NVRs were found, so the generated commands do not have the NOSCRATCH keyword for several catalogs for a single data set; this means one or more commands may fail. Be extra attentive when reviewing the generated commands. Severity: 08 Severity: 08 CKR0718 CKR0713 Orphan secondary volume in TLMS multi-volume complex volser orphan volume vol2 Explanation: This message is issued if a nonscratch volume vol2 refers to another volume volser as the first of its TLMS complex, but no appropriate link information was found. Resource deletion: DELETE non-VSAM volser datasetname catalogname Explanation: This message indicates a DELETE was generated for a non-VSAM data set called datasetname. If catalogname equals default catalog no catalog keyword was specified, else the command was specifically directed to the catalog displayed. Severity: 00 Severity: 08 CKR0719 CKR0714 Multi-volume complex without any secondary volumes volser count count Resource deletion: DELETE non-VSAM NOSCRATCH volser datasetname catalogname Explanation: This message is issued if a volume volser was identified as the start of a multi-volume complex, but no valid link information was found for it at all. count is the volume count as indicated in volser's base record. Explanation: This message indicates a DELETE NOSCRATCH was generated for a non-VSAM data set called datasetname. If catalogname equals default catalog no catalog keyword was specified, else the command was specifically directed to the catalog displayed. Severity: 08 Severity: 00 CKR0715 Missing secondary volume in multi-volume complex volser sequence number vseq Explanation: This message is issued if volser was identified as the start of a multi-volume complex and some link information was found, but an intermediate volume is missing. Severity: 08 CKR0716 Non-VSAM data set found in VVDS but not in VTOC - volser datasetname Explanation: Incidental cases may be the result of actions performed by the system between reading of the VTOC and the VVDS by zSecure Collect (opening the VVDS takes a considerable amount of time). If this message is reproducible for the same data set (run zSecure Collect again first), then a problem exists. 192 Messages Guide CKR0720 Resource deletion: SUPPRESS del n-vsam noscr volser datasetname catalogname Explanation: This message indicates a DELETE NOSCRATCH would have been generated for a non-VSAM data set called datasetname if you would have allowed the generation of DELETE NOSCRATCH commands. If catalogname equals default catalog no catalog keyword would have been specified, else the command would have been specifically directed to the catalog displayed. Severity: 00 CKR0721 • CKR0729 CKR0721 Resource deletion: DELETE cluster datasetname catalogname Explanation: This message indicates a DELETE was generated for a VSAM cluster called datasetname. If catalogname equals default catalog no catalog keyword was specified, else the command was specifically directed to the catalog displayed. Severity: 00 CKR0722 Resource deletion: DELETE cluster NOSCRATCH datasetname catalogname Explanation: This message indicates a DELETE NOSCRATCH was generated for a VSAM cluster called datasetname. If catalogname equals default catalog no catalog keyword was specified, else the command was specifically directed to the catalog displayed. CKR0726 Explanation: This message indicates a command sequence ALLOCATE - FREE DELETE was generated to delete the DSCB of a non-VSAM data set called datasetname residing on volume volser because no suitable DELETE was possible. This is the case if the data set is cataloged on the default system, but not in any connected catalog, in which case reason will be unconnected catalog; or if it is only in catalogs on DASD that is not shared with the default system, in which case reason will be remote catalog not shared; or if no catalog entry was found at all, in which case reason will be not in any catalog anywhere. Severity: 00 CKR0727 Severity: 00 CKR0723 Resource deletion: SUPPRESS delete cluster NOSCRATCH datasetname catalogname Explanation: This message indicates a DELETE NOSCRATCH would have been generated for a VSAM cluster called datasetname if you would have allowed the generation of DELETE NOSCRATCH commands. If catalogname equals default catalog no catalog keyword would have been specified, else the command would have been specifically directed to the catalog displayed. Severity: 00 CKR0724 Resource deletion: DELETE GENERATIONDATAGROUP datasetname catalogname Explanation: This message indicates a DELETE GENERATIONDATAGROUP was generated for a GDG called datasetname. If catalogname equals default catalog no catalog keyword was specified, else the command was specifically directed to the catalog displayed. Severity: 00 Resource deletion: DELETE non-VSAM DSCB from volser datasetname reason Resource deletion: orphan non-VSAM DSCB kept volser datasetname reason Explanation: This message indicates a command sequence ALLOCATE - FREE DELETE would have been generated to delete the DSCB of a non-VSAM data set called datasetname residing on volume volser if you would have allowed the generation of such sequences because no suitable DELETE was possible. This is the case if the data set is cataloged on the default system, but not in any connected catalog, in which case reason will be unconnected catalog; or if it is only in catalogs on DASD that is not shared with the default system, in which case reason will be remote catalog not shared; or if no catalog entry was found at all, in which case reason will be not in any catalog anywhere. Severity: 00 CKR0728 Catalog entries disagree on the previous volume of diskvolser datasetname previous vol2 Explanation: This message is issued if two ICF catalog entries indicate different previous volumes for the same disk volume serial. There is no way to determine which is correct; vol2 is the ignored link. Severity: 08 CKR0725 Resource deletion: DELETE ALIAS aliasname catalogname Explanation: This message indicates a DELETE ALIAS was generated for a catalog alias called aliasname. If catalogname equals master catalog no catalog keyword was specified, so the command will act on the active master catalog; else the command was specifically directed to the catalog displayed, normally a nonactive master catalog. Severity: 00 CKR0729 First volume of catalog entry is secondary in other diskvolser datasetname Explanation: This message is issued if one ICF catalog entry indicates that disk volume diskvolser is the first volume of datasetname, while another indicates it is a secondary volume. The entry encountered first is considered correct, the other is ignored. Severity: 08 Chapter 5. CKR messages 193 CKR0730 • CKR0778 CKR0730 Resource copying: DEFINE ALIAS aliasname catalogname Explanation: This message indicates a DEFINE ALIAS was generated for a catalog alias called aliasname. If catalogname equals master catalog no catalog keyword was specified, so the alias will be defined in the active master catalog; else the command was specifically directed to the catalog displayed, normally a nonactive master catalog. The new alias is related to the same catalog as the alias copied (not shown). Severity: 00 CKR0731 RACFVARS profile key has no leading '&': profilename complex complex version Explanation: A general resource profile was encountered in class RACFVARS with an unexpected format. Severity: 04 CKR0732 No CKFREEZE present, no resource management commands are generated Explanation: This message indicates that certain types of commands pertaining to resources would have been generated if a CKFREEZE had been present. management is equal to either deletion or copying if only resource deletion or copying commands would have been generated, or deletion and copying if both would have been. This message is also echoed to the CKRCMD file. It is not issued when these functions are explicitly suppressed or not implied. CKR0736 field field invalid for NEWLIST TYPE= type Explanation: Use of the indicated field is not supported for this newlist type. Severity: 12 CKR0737 Requested new owner owner is undefined on complex complex Explanation: This message is issued when the owner specified for a copy user action is not defined in the complex mentioned. Severity: 12 CKR0738 Requested new default group group is undefined on complex complex Explanation: This message is issued when the default group specified for a copy user action is not defined in the complex mentioned. Severity: 12 CKR0739 Resource deletion: DELETE migrated cluster MIGRAT dsname catalog Explanation: This message indicates that a migrated VSAM cluster data set name present in the HSM MCDS has a high level qualifier that should be deleted. A DELETE PURGE command has been generated to accomplish a delete without automatic restore. Severity: 00 Severity: 00 CKR0740...CKR0777 message CKR0733 VSM area conflict: address is type1 name1 and type2 name2 Explanation: Contact IBM Software Support. Explanation: All messages in this range are internal error messages generated as a result of internal consistency checking. Contact IBM Software Support. Severity: 16 Severity: 24 CKR0734 Imbed failed, file ddname1 not allocated at ddname2 line number Explanation: This message indicates that the external data source could not be imbedded, because the specified ddname, ddname1, was not allocated. Severity: 12 CKR0735 IMBED parameters FILEDESC/PATH mutually exclusive with DD/MEM at ddname line number Explanation: The imbed statement can only contain one external data source. Severity: 12 194 Messages Guide CKR0778 The PROTECTED parameter cannot be used with either the NEWPASSWORD or NEWPHRASE parameters. Explanation: The PROTECTED parameter allows you to set up a user ID that cannot be used to log on. The NEWPASSWORD and NEWPHRASE parameters are used to establish a password or password phrase for a user ID. User response: If you want to set up a user ID that has a password or password phrase, remove the PROTECTED parameter. If you want to set up a user ID that cannot be used to logon, remove the NEWPASSWORD or NEWPHRASE parameters. Severity: 12 CKR0779...CKR0785 • CKR0799 CKR0779...CKR0785 message CKR0794 Explanation: All messages in this range are internal error messages generated as a result of internal consistency checking. Contact IBM Software Support. Explanation: Contact IBM Software Support. CKROUBU range error, TLHVIX=num1 BUHD#TLHD=num2 Severity: 24 Severity: 24 CKR0795 CKR0786 CKRXINIT.CKRDIDID: Identity filter name is longer than 246 - name Explanation: The DMAPNAME field in a user profile contains an identity filter reference that exceeds the maximum length supported. The RACMAP_REGISTRY field might miss values. Severity: 20 CKR0787 message Explanation: This internal-error message is generated as a result of internal consistency checking. Contact IBM Software Support. Severity: 24 CKR0788 Owner field for user userid not filled in Explanation: Contact IBM Software Support. Severity: 24 Explanation: All messages in this range are internal error messages generated as a result of internal consistency checking. Contact IBM Software Support. Severity: 24 CKR0792 Explanation: Contact IBM Software Support. Severity: 24 CKR0796 Severity: 24 CKR0797 Explanation: Contact IBM Software Support. CKACMEM: No TVOL for dataset volume Explanation: This message indicates an internal error condition in the zSecure Audit Library Update report. Contact IBM Software Support. Severity: 24 CKACMEM: No CVOL for dataset volume Explanation: This message indicates an internal error condition in the zSecure Audit Library Update report. Contact IBM Software Support. Severity: 24 CKR0799 End of used area in middle of profile: ddname block blockno segment offset segno CKACMEM: No dataset context available Explanation: This message indicates an internal error condition in the zSecure Audit Library Update report. Contact IBM Software Support. CKR0798 CKR0789...CKR0791 message BUNDLEBY not found CKACMEM: No CFIXB dataset volume Explanation: This message indicates an internal error condition in the zSecure Audit Library Update report. Contact IBM Software Support. Severity: 24 Severity: 24 CKR0793 Database conflict for complex between ddname1 and ddname2 - specify unique complex names Explanation: Multiple security databases were found for the same complex name. This can be caused by a default complex name being derived (for example, from ZSECSYS) that is the same as an explicitly specified complex name. User response: Make sure that you use a unique complex name for each security database. Severity: 16 Chapter 5. CKR messages 195 CKR0800...CKR0802 • CKR0842 Messages from 800 to 899 CKR0800...CKR0802 message Explanation: These messages are in response to debugging options. If you need information about these messages, contact IBM Software Support. Severity: 00 CKR0803 Invalid OS formatted RACF DB specified for ddname data.set.name Explanation: This message indicates that the RACF database data set specified above as a part of the VM installation process either does not exist or is not an OS formatted RACF database file. Check your VM installation to ensure that you specified the correct options. Severity: 16 CKR0808 TTT conversion result CCCC HHHH nnnn not in extent mmmm - ooooo for pppExtent 0 range qqqq - rrrr Explanation: During an attempt to convert a relative track address to an absolute track address, the CKRCCHH routine encountered an error. The error indicates that the relative track was outside extent for the OS formatted RACF database. Submit an error report to IBM Software Support. Severity: 24 CKR0809...CKR0836 message Explanation: These messages are in response to debugging options. If you need information about these messages, contact IBM Software Support. Severity: 0 CKR0804 Error OS formatted RACF DB has nn extents. Only able process if it has 1 extent Explanation: This message indicates that the RACF database data set specified above as a part of the VM installation process either does not exist or is not an OS formatted RACF database file. Check your VM installation to ensure that you specified the correct options. IDENTIFY RC=n for CKRSRVIN at address Explanation: This message indicates a failure of the IDENTIFY service to establish the indicated module name at the indicated address. User response: See the MVS documentation for the "IDENTIFY service." Severity: 12 Severity: 16 CKR0805 CKR0837 I/O error on device nnnn cc=mm R15=nn CKR0841 Severe SRVIN error PC RC=n - issuing user abend 841 Explanation: This message indicates that an I/O error occurred attempting to issue a DIAG A8 to return the sense information for the OS formatted RACF database. Submit an error report to IBM Software Support. Explanation: While reading from a remote node, an error condition was returned by the Program Call interface of the server. Severity: 08 User response: Verify that the server is active, then restart the server and try again. CKR0806 FILEDEF error RC=nn for ddname fn ft fm/data.set.name Explanation: This message indicates that an error occurred during an attempt to issue a FILEDEF command either for a CMS file (fn ft fm) or for the OS formatted RACF database (data.set.name). Submit an error report to IBM Software Support. Severity: 08 CKR0807 Internal error CKRCCHH RC=16 Explanation: This internal message indicates that an invalid relative track number was passed to the CKRCCHH routine. Submit an error report to IBM Software Support. Severity: 08 196 Messages Guide Severity: 16 CKR0842 SPECPROC returned length out of range R0=xxxxxxx - issuing user abend 842 Explanation: This message indicates that one of the internal interfaces related to the zSecure Server received an unexpected length and issued an abend. User response: Look for the message on the IBM support site. If no solution is posted, collect SYSPRINT on both the local and remote sides and contact IBM Software Support. Severity: 16 CKR0843 • CKR0875 CKR0843 FILEDATA=RECORD record recno has bytes bytes (hex), exceeding max_bytes bytes; closing file ddname path Explanation: This message indicates record recno of UNIX file path in FILEDATA=RECORD format has bytes bytes. This value exceeds the maximum allowed number of bytes: max_bytes. This indicates that the file is corrupted. Consequently, no attempt is made to read further records from the file. The file is closed. Last FILEDATA=RECORD record truncated by end-of-file ddname path Explanation: This message indicates that an end-of-file was reached for UNIX file path in FILEDATA=RECORD format in the middle of a record. This is an indication that the file is corrupted. Severity: 08 CKR0845 CKNSRVIR queue file message type from zsecsys length length because waiting on zsecsys2 file file2 Explanation: This message is written only if requested by a DEBUG CKNSRVIR_POST statement. If you need information about this message, contact IBM Software Support. Severity: 0 CKR0846 Explanation: A program call to the zSecure Server program was attempted while it was performing a termination sequence. User response: No action is required. If you need assistance about this message, contact IBM Software Support. CKR0874 CKNSRVIR return queued file message type from zsecsys length length Severity: 0 DTISPF.FMTVXML called but not yet enabled Explanation: This message indicates a problem with the routine to escape characters for XML output. User response: See the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, contact IBM Software Support and provide a description of how to recreate this problem for analysis. RECFM=V(BS) RDW hex exceeds LRECL=lrecl at record n ddname volser dsname Explanation: This message indicates invalid record contents for a RECFM=V(B)(S) data set. The record descriptor word does not match the DCB parameters. The Record Descriptor Word (RDW) is shown in hexadecimal. The first 2 bytes are the record length including the RDW. This is handled as an end-of-file condition. The severity is 4 to avoid disrupting processes that might encounter empty data sets and need to continue. User response: Recreate the data set or omit the data set from the input. Severity: 04 CKR0875 Explanation: This message is written only if requested by a DEBUG CKNSRVIR_POST statement. If you need information about this message, contact IBM Software Support. CKR0848 Local CKNSERVE server no longer available (user abend 214 (x'0D6')) Severity: 00 Severity: 08 CKR0844 CKR0851 RECFM=V(BS) BDW hex exceeds BLKSIZE=blksize at record n ddname volser dsname Explanation: This message indicates invalid block contents for a RECFM=V(B)(S) data set. The block descriptor word does not match the DCB parameters. The Block Descriptor Word (BDW) is shown in hexadecimal. The first 2 bytes are the block length including the BDW, unless the high order bit is on, in which case it can be a large block 4 byte length. This is handled as an end-of-file condition. The severity is 4 to avoid disrupting processes that might encounter empty data sets and need to continue. User response: Recreate the data set or omit the data set from the input. Severity: 04 Severity: 24 Chapter 5. CKR messages 197 CKR0900 • CKR0911 Messages from 900 to 999 CKR0900 debug message Explanation: This debug message is only relevant for IBM Software Support and is not present in any Generally Available version of the software. Severity: 00 CKR0908 Severity: 00 CKR0901 continuation lines detailing the individual text units contents after SVC 99 (DYNALLOC) completion. DTISPF internal error: MX#B > DTLNLEN Explanation: This message indicates a problem in formatting the display. Unexpected data may be displayed. User response: Contact IBM Software Support and provide a description of how to recreate this problem for analysis. Explanation: CCSID conversion has failed (for details, see CKR0917). Fallback was allowed or forced by SUPPRESS MSG=917, but there is no fallback support for this specific CCSID pair. This message is issued only once per CCSID pair. Severity: 16 CKR0908 Severity: 24 CKR0902 ENDDTPRO error: written beyond DTLNLEN Explanation: This message is followed by a user abend 902. It indicates that the program is terminating because of a problem. User response: Make sure you have no DEBUG command in your input and try again. If the problem persists without DEBUG options, contact IBM Software Support. Unconditional access is required to read from file file vol dsn(member) Explanation: A data set to which only conditional (PADS) access was granted was requested for SYSIN or XMLIN input. Unconditional read access is needed to read this type of data. The data set is not processed. Severity: 12 CKR0905 A member name is required to read from file ddname data set dsn Explanation: An imbed statement was present referring to a PDS(E) data set, but the member to be read from that data set was not specified. Add the correct member to the imbed statement and resubmit the query. CCSID conversion from nn to mm system abend 019-00 because z/OS V1R2 or higher is required Explanation: The Unicode services are required for the requested function or input, but not available on this operating system level. Hence the translation service issued a system abend 019 reason code 0 ("downlevel system" ). No fallback is possible. The program may subsequently terminate with another S019-00 abend. Severity: 16 CKR0909 Severity: 24 CKR0904 CCSID conversion from nn to mm fails and no fallback CCSID conversion from nn to mm fallback to simple low-128 character translation Explanation: CCSID conversion has failed (for details, see CKR0917). Fallback will be done because either there was no explicit request for UTF-8 output, or because message 917 was explicitly suppressed. Fallback means that a simple ASCII translation will be done. This implies that any UTF-8 characters that are not the equivalent of the low 128 ASCII characters will be displayed as one or more dots (depending on the length of the UTF-8 character). Possibly whole names consist only of dots in this fallback mode. This message is issued only once per CCSID pair. Severity: 00 CKR0910 HLLENQ status report identifier Explanation: These messages are issued in response to DEBUG ENQ. Severity: 00 Severity: 12 CKR0911 CKR0907 DYNALLOC trace: SVC 99 return code nn - meaning Explanation: This message is issued either because of DEBUG SVC99, or because of a failed SVC99 where DAIRFAIL did not return a message text. It has 198 Messages Guide service RC=rc hex RSN=rsn hex [for qname-scope rname]: explanation Explanation: A call to the indicated service (either ENQ or ISGENQ) did not complete with RC=0. This may happen for a perfectly innocent reason, such as an APF authorized program issuing an ENQ against the CKR0912 • CKR0917 unauthorized QNAME CKRDSN. Hence, this message should be considered informational only. CKR0914 Severity: 00 CKR0912 STIMERM error: explanation Explanation: Contact IBM Software Support. Multiple HLLQENQ ACTION=xxx,ID=id calls without an intervening HLLQDEQ ID=id or HLLQDEQ ALL are not supported Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKR0915 CKR0913 Serialization could not obtain all ENQs Explanation: The program could not obtain ENQs on all requested resources, and hence cannot continue. The resource for which no ENQ could be obtained has been identified in a preceding message CKR0911. Severity: 16 CKR0913 Serialization encountered a serious error UNIX write record nn failed RC nn [meaning] reason qqqq rrrrx [meaning] file ddname path Explanation: This message indicates that a BPX1WRV call failed with the indicated return code in decimal and the reason code split into reason code qualifier qqqq and reason code rrrr, both in hexadecimal. For well-known return codes and reason codes the numeric values are followed by an explanatory string. Use the IBM Unix System Services manual to look up other return and reason codes. Explanation: The program attempted to obtain ENQs on all requested resources, but encountered an unexpected condition. The run cannot continue. Look for a preceding message CKR0911 to identify the exact cause of the failure. Severity: 16 Severity: 16 Explanation: This message indicates that the compression routines found a severe error. A user abend 915 is issued. Contact IBM Software Support. CKR0913 Serialization has obtained all ENQs Explanation: The program successfully obtained ENQs for all requested resources. Severity: 00 CKR0913 Severity: 04 Serialization WAIT timed out Explanation: The program attempted to obtain ENQs on all requested resources, but not all resources were immediately available. After waiting for the number of minutes specified on the MAXWAIT subparameter of the OPTION SERIALIZATION command, one or more required resources were still unavailable. The program gives up and aborts the run. Look for a preceding message CKR0911 to identify the unavailable resources. Severity: 16 Deflate record nn failed RC nn meaning, file ddname pathname Severity: 16 CKR0916 Serialization starts waiting for ENQs Explanation: The program attempted to obtain ENQs on all requested resources, but not all resources were immediately available. The program will wait for the remaining resources to become available. Look for a preceding message CKR0911 to identify the resources that were not immediately available. CKR0913 CKR0915 CCSID conversion from nn to nn warning RC=nn reason rrrrrrrr x meaning [Length left for source nnn target nnn] [Suspect length>16MB source xxxxxxxx target xxxxxxxxx] Explanation: This message indicates a failure in conversion of character encoding between the indicated CCSIDs. 1208 stands for UTF-8; 37, 1140, 1147 are typical EBDIC encodings. A common cause is printing into columns that are too small—while the UTF-8 representation can be wider than the EBCDIC representation—or trying to convert while a SET UNI command is in progress (for example, to load new conversion tables). The severity is 4 to indicate that the program continues operation. The message can contain a subline about suspect length, followed by a user abend 916. If this occurs, contact IBM Software Support. This message (and the abend) is suppressible. Severity: 04 CKR0917 CCSID conversion from nn to nn error RC=nn reason nnnn x meaning [Suspect length>16MB source nnn target nnn] Explanation: This message indicates a severe failure in the conversion of character encoding between the Chapter 5. CKR messages 199 CKR0918 • CKR0927 indicated CCSIDs. 1208 stands for UTF-8; 37, 1140, 1147 are typical EBDIC encodings. Common causes are: the absence of the proper conversion image needed for conversion between the indicated CCSIDs, or no SET UNI having been done at all to load conversion images (on lower z/OS releases). You may need to contact the person who maintains Unicode support on your system. The message can contain a subline about suspect length, followed by a user abend 917. If this occurs, contact IBM Software Support. This message (and the abend) is suppressible. If suppressed, fallback to a basic ASCII translation will be attempted, but all non-US characters will translate to one or more dots. Suppressing while ENCODING=UTF-8 is specified for an output file is not recommended, in the sense that the output is not guaranteed to conform to the UTF-8 standard. The severity of this message is 4 if fallback was to be attempted and 16 if fallback was not allowed due to ENCODING=UTF-8. If this message is explicitly suppressed by a SUPPRESS MSG=917 command, then fallback to an ASCII translation will be attempted even if an ENCODING=UTF-8 request is present. In case of a fallback attempt a message CKR0908 or CKR0909 will be issued. Severity: 04 or 16 CKR0921 DELDUP: Called with element size 0 Explanation: A field with a specified or implied NODUP option was handled incorrectly. The field will not be sorted. Contact IBM Software Support. Severity: 24 CKR0922 DELDUP: Called with NIL pointer Explanation: A field with a specified or implied NODUP option was handled incorrectly. The field will not be sorted. Contact IBM Software Support. Severity: 24 CKR0923 Input from a TSO/E terminal is not supported - DD ddname Explanation: Input from a TSO/E terminal in line mode is not supported. Severity: 20 CKR0924 DD ddname DSN dsn invalid block size: blksize Explanation: After ddname has successfully been OPENed, its DCB must indicate a positive block size unless ddname is a DUMMY device. Severity: 16 CKR0918 Uninitialized anchor passed to CCSID conversion Explanation: This message indicates a program failure where conversion is requested without first telling between which encodings. Contact IBM Software Support. A user abend 918 is issued. This message (and the abend) may be suppressed, but results are unpredictable. Severity: 24 CKR0919 Record with negative length length directed to ddname behind record recno Severity: 24 DELDUP: Element size is size - DICT option ignored Explanation: A field with a specified or implied NODUP option was handled incorrectly. This may appear as a storage leak. Contact IBM Software Support. Severity: 24 200 Messages Guide Member member DDname ddname DSname dsn Problem description Explanation: The program received a non-zero return code from the FIND SVC when trying to locate the indicated member. The problem description on the second line gives the exact nature of the problem. Severity: 16 CKR0926 Explanation: An invalid record was passed to the output routine. An empty record has been written instead. Contact IBM Software Support. CKR0920 CKR0925 LOAD of module module failed Explanation: The program expected the module named to be available. However, it could not be found. Contact IBM Software Support. Severity: 16 CKR0927 CEEPIPI(call_sub) to procedure failed: reason Explanation: This is an internal error that indicates that a subroutine could not be called via LE. Contact IBM Software Support. Severity: 20 CKR0928 • CKR0942 CKR0928 LE environment could not be established|terminated, RC rc Explanation: This is an internal error in the Language Environment® processing. Contact IBM Software Support. Severity: 20 CKR0929 procedure call type type on ddname after record recno reports: msg Explanation: The specified procedure, used on an ALLOCATE GETPROC= statement, issued a nonzero return code with explanation msg. If msg contains a C2P message number, check the IBM Security zSecure Alert: User Reference Manual. In other cases, contact IBM Software Support. Recno indicates the number or records that were successfully obtained. Contact IBM Software Support. Severity: 24 CKR0934 Value value too large Explanation: This message indicates that the input parser received a numerical value that was too large. The maximum value that can be processed by the input parser is 2147483647. Severity: 12 CKR0935 Dictionary Statistics Explanation: These messages are issued in response to DEBUG DICT and can be used to determine the performance of the dictionary reference mechanism. Severity: 00 Severity: 08 CKR0936 CKR0930 Block count unequal - information may be missing for ddname Explanation: This message can occur when reading from tape. It indicates that during End Of Volume processing of one or more tapes allocated to the ddname the block count as recorded in the DCB differs from the block count in the trailer label of the tape. The information read may not be complete. Severity: 08 CKR0931 proc: Buffer overrun - destinationlength sourcelength:data Explanation: A buffer overrun occurred in the format procedure proc. This message will be followed by a user ABEND 931. Contact IBM Software Support. It is possible to suppress the user ABEND 931 by specifying SUPPRESS FMTABEND (see reference to Command Language, SUPPRESS, FMTABEND), however this can result in corrupted output or other errors. Severity: 24 CKR0932 proc: Dictionary entry at address: hash=storedhash, should be actualhash for value Explanation: The specified dictionary entry was damaged, which was noted by proc. Contact IBM Software Support. Severity: 24 CKR0933 Explanation: A dictionary reference delete request was issued that did not specify what reference to delete. Contact IBM Software Support. Severity: 24 CKR0937 Explanation: A delete request for the dictionary entry at the indicated address and with the displayed characteristics returned a nonzero return code rc. routine internal error for string length length Explanation: The indicated routine failed in an attempt to add a dictionary entry with the indicated characteristics. If routine is DICTNEW, this may be a request to add an entry that already existed. Contact IBM Software Support. Severity: 24 CKR938I Repeated ATTN, enter C(ont) T(erminate) or A(bend) - Explanation: This interactive prompt offers the option to terminate or abend the program after a repeated attention. CKR0939 Terminated due to repeated attention Explanation: Message written if T was selected at the CKR0938 prompt. Severity: 16 CKR0942 DICTDEL: LISTDEL for address. hash32 avll avlr bc llll returned RC=rc DICTDEL called with NIL reference address Environment mismatch for product code code Explanation: This message indicates that while code for the product code identified was installed, it is not running in its proper environment. For instance, some product codes are limited to UNIX tasks under z/OS, Chapter 5. CKR messages 201 CKR0943 • CKR0953 some to non-UNIX tasks under z/OS, and some to z/VM. CKR0947 Severity: 00 Reading filedesc off failed RC nn [meaning] reason qqqq rrrr x [meaning] file ddname path Explanation: The current implementation of ALLOC TEXTPIPE is limited to a maximum of 10 files to be put into the pipe. The indicated file will be processed 'normally', i.e. without redirection to the textpipe. Explanation: This message indicates that a BPX1RED (UNIX read) call failed with the indicated return code in decimal and the reason code split into reason code qualifier qqqq and reason code rrrr, both in hexadecimal. For well-known return codes and reason codes, the numeric values are followed by an explanatory string. Use the IBM Unix System Services manual to look up other return and reason codes. Severity: 16 Severity: 16 CKR0943 CKR0944 More than 10 files for TEXTPIPE, skipping file name UNIX type close RC nn [meaning] reason qqq rrrr x [meaning] file ddname path Explanation: This message indicates that a BPX1CLO call failed with the indicated return code in decimal and the reason code split into reason code qualifier qqqq and reason code rrrr, both in hexadecimal. For well-known return codes and reason codes the numeric values are followed by an explanatory string. Use the IBM Unix System Services manual to look up other return and reason codes. The type can be 'wronly' or 'rdonly'. Severity: 16 CKR0945 UNIX action failed RC nn [meaning] reason qqq rrrr x [meaning] file ddname path Explanation: This message indicates that a BPX1OPN, BPX1FCR, BPX1FST, or BPX1FCT call failed with the indicated return code in decimal and the reason code split into reason code qualifier qqq and reason code rrrr, both in hexadecimal format. For well-known return codes and reason codes, the numeric values are followed by an explanatory string. Use the IBM Unix System Services manual to look up other return and reason codes. The action can be 'wronly open', 'fchattr filefmt', 'fstat', 'fcntl filetag', or 'rdonly open'. Severity: 16 CKR0946 Unix record larger than buffer size buflength- split Explanation: This message warns that a record that originally was very large is now processed as two separate records. Severity: 04 CKR0948 Enablement information corrupt for product code code Explanation: This message shows a problem with product installation or entitlement. User response: Contact your system programmer to verify successful installation. Severity: 16 CKR0949 Product code code installed and non-APF registration limit exceeded Explanation: This message is issued in response to DEBUG LICENSE for products that are installed but cannot be registered because the MVS limit for product registration by non-APF programs has been exceeded. Severity: 00 CKR0950 Code not installed here for product code code Explanation: This indicates that you are attempting to run functionality for a product that is not installed here. Severity: 16 CKR0951 system abend code (desc) trying to load module module Explanation: This message indicates a failure to load a module and the reason. Abend 806 means the module could not be found. Abend 306 may mean that a controlled environment was present and the module to be loaded was not program controlled. Severity: 08 CKR0953 action RPL error rc=nn reason=nn for dd dsn on vol after nn records Explanation: This message indicates a failure reading the indicated VSAM data set. Severity: 16 202 Messages Guide CKR0954 • CKR962B CKR0954 action ACB error rc=nn code=nn for dd dsn on vol Explanation: This message indicates a failure reading the indicated VSAM data set. Severity: 16 CKR0961 function failed - error message Explanation: This message is issued by the command-execution module, and means that the ISPF function (which can be BROWSE or LMFREE) failed. The error message returned by the function is included. Severity: 00 CKR0955 program task heap STORAGE REQUEST ERROR: SIZE NOT POSITIVE Explanation: This message indicates an internal memory management error. It is followed by a user abend 16. The message identifies the heap as well as the program and task that created the heap. Contact IBM Software Support. CKR0961 LMINIT failed - error message Explanation: This message is issued by the command-execution module, and means that the ISPF LMINIT function failed. The error message returned by the function is included. Severity: 12 Severity: 16 CKR0962 CKR0959 type PQUERY area DTAREA on panel panel return code rc Explanation: Restart ISPF and if the problem persists, contact IBM Software Support. Severity: 08 CKR0960 Written command Explanation: This message is issued by the command-execution module. It means that the indicated command was successfully written to CKRTSPRT. Severity: 00 CKR0960 Successful command; command2 Explanation: This message is issued by the command-execution module. It means that the indicated command or commands were successfully executed. Severity: 00 CKR0960 TSOCMD RC=code (decimal) for command; command2 Explanation: This message is issued by the command-execution module. It means that the indicated command or commands were executed but returned the indicated result code. Typically, this indicates that an error occurred in the command. This RC is the same as documented as CKX return code under Chapter 7, “CKX messages,” on page 325. IKJTSOEV module not found Explanation: This message is issued by the command-execution module, and indicates a TSO/E environment could not be established because the TSO/E environment module was not found. This can be caused by older TSO releases. This will cause return code 20 when encountered as part of an attempt to execute a TSO command, and otherwise 8. Severity: 08 CKR0962 IKJTSOEV return code cc reason code rr service reason code src (decimal) Explanation: This message is issued by the command-execution module, and indicates a TSO/E environment could not be established because the TSO/E environment module failed with the indicated return and reason codes. Severity: 08 CKR0962 SVC 202 return code cc Explanation: This message is issued by the command-execution module, and indicates a failure to execute a CMS command. Severity: 08 CKR962A Command terminated by attention Explanation: This message is issued by the command-execution module, and indicates a command was terminated by pressing the ATTN key. Severity: 08 Severity: 00 CKR962B Command not supported in background Explanation: This message is issued by the command-execution module and indicates a command could not be executed through the TSO service facility. This can be caused, for example, by not including Chapter 5. CKR messages 203 CKR962C • CKR962S CKGRACF in the TSO authorized command list (AUTHCMD) in PARMLIB member IKJTSOxx. You can activate changes to this member without an IPL by using the TSO PARMLIB command. For more information on the PARMLIB command, see the TSO/E System Programming Command Reference. Severity: 08 CKR962C Command failed abend code Explanation: This message is issued by the command-execution module, and indicates a command ended abnormally with the indicated abend code. Severity: 08 CKR962E Not running in a TSO/E environment Explanation: This message is issued by the command-execution module, and indicates a TSO command could not be executed, because command environment was not TSO/E. CKR962M Command may have failed, return code <n> Explanation: This message indicates that a command returned a nonzero return code less than or equal to 4. This message causes a minimum return code of 4. It depends on the command whether this is a partial failure or a warning. Severity: 08 CKR962N Command not allowed from APF mode command Explanation: This message is issued by the command-execution module, and indicates that the indicated command is not in the TSO AUTHCMD list and also not in a built-in list of safe commands to be called from an APF authorized program. If the command was requested by yourself, try running it under IKJEFT01 or without APF authorization. If this message is in response to a function, call IBM Software Support. Severity: 08 CKR962O CKR962F Command failed, return code code (decimal) Command has flushed TSO stack relogon required to close output trap file Explanation: This message is issued by the command-execution module. It indicates a command was unsuccessful and returned the indicated result code. If the message preceding this message is CKG740I, see the explanation of CKG740I. For all other situations, determine the command that was run and check the appropriate manual for possible return codes. For RACF commands, possible return codes are documented in the RACF Command Language Reference. Explanation: This message is issued by the command-execution module. Generally this means that subsequent command output is not written to the SYSPRINT file. It may be lost or shown in line mode after leaving zSecure. Depending on the z/OS release, it may be sufficient to leave and reenter ISPF to restore normal behavior. In the worst case, a relogon may be required. Severity: 08 CKR962P CKR962G CKGRACF command produced a warning; return code 4 Explanation: The CKGRACF command was executed successfully but did produce a warning message. Severity: 08 CKR962L Command could not be found in an authorized library. Explanation: This message is issued by the command-execution module, and indicates a TSO command could not be executed, because it was not found. Typically, this is an unsuccessful call to the CKGRACF authorized component, which failed because CKGRACF was not part of an authorized library in the linklist, or was not found in an APF-authorized STEPLIB. Check whether the library containing CKGRACF is APF-authorized. Severity: 08 204 Messages Guide CLIST processing through % not supported Explanation: This message is issued by the command-execution module. It indicates an attempt to run an CLIST using the % operator. Execution of CLISTs is not supported. Severity: 08 CKR962S IKJEFTSR fails return code error reason code reason Explanation: This message is issued by the command-execution module, and indicates a TSO command could not be executed. The command returned the indicated error code and reason code. Severity: 08 CKR962T • CKR0969 CKR962T Command failed, ATTACH rc rc (decimal) CKR0963 Ambiguous name "value" Explanation: This message is issued by the command-execution module, and indicates failure to attach a TSO command. Explanation: This message indicates an ambiguous abbreviation was entered, i.e. two or more keywords could be indicated by the abbreviated value. Specify the keyword intended in more detail. Severity: 08 Severity: 12 CKR962U Unauthorized functions cannot be invoked from an authorized environment Explanation: This message should not occur. Contact IBM Software Support. Severity: 08 CKR962W Command not found Explanation: This message is issued by the command-execution module, and indicates a TSO command could not be executed, because it was not found. Typically, this is an unsuccessful call to the CKGRACF authorized component, which failed because CKGRACF was not part of an authorized library in the linklist, or was not found in an APF-authorized STEPLIB. Check whether the library containing CKGRACF is APF-authorized. Severity: 08 CKR962X Syntax error in the command name Explanation: This message is issued by the command-execution module, and indicates a TSO command could not be executed, because the name was not syntactically correct. Severity: 08 CKR962Y Authorized commands not supported in dynamic TSO environment - call from IKJEFT01 instead Explanation: This is caused by a NEWLIST with the CMD option running in an unauthorized environment. When using the CMD option, an APF authorized environment is required, for instance by running under the TSO monitor program IKJEFT01, or by running under zSecure Alert. Note that the zSecure Audit main program CKRCARLA itself should not be installed as APF-authorized. As an alternative to the CMD option, you may write the output to a file and run procedure C2RCXTSO in a subsequent jobstep. Severity: 08 CKR964I MEMBER NAME REQUIRED FOR WRITES TO PDS(E) DATA SET dsn Explanation: This message indicates that a member name is required, but not specified, for the data set with the indicated dsn. The program will issue user abend 964. CKR965I MEMBER mem CAN ONLY BE USED WITH PDS(E); NOT FOR dsn Explanation: This message indicates that a member name (mem) was specified, but not allowed, for the data set with the indicated dsn. The program will issue user abend 965. CKR966I CANNOT USE MEMBER mem ON TERMINAL FILE ddname Explanation: This message indicates that a member name (mem) was specified, but not allowed, for the terminal output file with the indicated ddname. The program will issue user abend 966. CKR967I RECFM=F INVALID FOR LRECL=X,RECFM=VBS PREFERRED DATA SET dsname Explanation: This message indicates that a fixed record format was specified but not allowed for the output file with the indicated ddname. This is not supported for the indicated data set. The program will issue user abend 967. CKR0968 IFAEDDRG failed RC nn decimal Explanation: This message indicates that an attempt to register a previously registered product failed. User response: Contact IBM Software Support. Severity: 16 CKR0969 I/O error for dsn: description Explanation: This message indicates that an I/O error occurred during normal QSAM or BSAM input processing for dsn. Operation will be continued, but an abend or other error message may follow because of the information missing due to the I/O error. Severity: 8 Chapter 5. CKR messages 205 CKR970I • CKR0978 CKR970I program task heap FREE STORAGE ERROR: message Explanation: This message indicates an internal memory management error. It is followed by a user abend 16. The message identifies the heap as well as the program and task that created the heap. Contact IBM Software Support. Severity: 16 CKR0975 IBM Security product disabled or not installed Explanation: Either the product is not installed here, or it is disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name. User response: Check active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, contact your system programmer to verify installation. Severity: 16 CKR0971 Maximum length for this field is len at file line n Explanation: The input contains a multiple-line string that is too long. Multiple-line strings (print tiles or quoted strings) have a maximum size len that was exceeded. Severity: 12 CKR0972 Enablement information missing for product CKR0976 Code or enablement for product code code is missing Explanation: Either the product is not installed here, or it is disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name. User response: Check active IFAPRDxx members for enablement information in your z/OS PARMLIB. If the members are specified correctly, contact your system programmer to verify installation. Explanation: This message indicates that the product cannot run because the load module is not complete. Severity: 16 User response: Contact your system programmer to complete installation of the product. CKR0976 Severity: 16 Explanation: Either the product is not installed here, or it is disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name. CKR0973 IBM Security product code code disabled or not installed Explanation: This indicates that you are attempting to run functionality for a product that is not installed here, or it is disabled for this system name, sysplex name, LPAR name, VM user ID, or hardware name. User response: Check the active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, contact your system programmer to verify installation. User response: Check active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, contact your system programmer to verify installation. Severity: 16 CKR0977 Severity: 16 CKR0974 IBM Security product disabled or not installed here for requested focus Explanation: Either the product is not installed here, or the requested focus is disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name. User response: Check active IFAPRDxx members in your z/OS PARMLIB. If these are specified correctly, contact your system programmer to verify installation. Severity: 16 IBM Security product or feature disabled or not installed here Installed PRODUCT OWNER('IBM CORP') ID(id) NAME('name') FEATURE('feature') VER(version) REL(release) MOD(modification) [ Product action RC rc decimal ] Explanation: This message is issued in response to DEBUG LICENSE for products that are installed. The action can be "registration" or "status." The return code is for IFAEDREG or IFAEDSTA, respectively, which are documented in MVS Programming: Product Registration. No continuation line is shown if product registration does not apply (for example, because of CKR0979). Severity: 00 CKR0978 Product code code has been disabled in PARMLIB Explanation: This message is issued in response to DEBUG LICENSE for products that have been disabled for the current system name, sysplex name, LPAR name, VM user ID, or hardware name by an entry in IFAPRDxx in your z/OS PARMLIB. 206 Messages Guide CKR0979 • CKR0990 User response: Run the product somewhere else, or ask your system programmer for enablement. Severity: 00 CKR0979 Product code code implied by other Explanation: This message is issued in response to DEBUG LICENSE for products that are not being registered because their entitlement is implied by a more encompassing entitlement. If you are using the IBM Security zSecure Manager for RACF z/VM product, you should not get this message. Contact IBM Software Support. Severity: 00 CKR0981 Invalid type "value" Severity: 12 Internal error: unknown error code at ddname line number Explanation: The input parser error routine encountered an invalid error code. Contact IBM Software Support. Explanation: This message indicates that the input parser detected a missing required parameter or element in the list at the indicated line. Severity: 12 CKR0986 Expecting type1 list separator/terminator instead of type "value" at ddname line number Explanation: This message indicates that the input parser expected a list separator or terminator for the current list of the indicated type (this can for instance be a comma, blank, or end-of-line, depending on the context). Instead, it encountered the indicated token type type (and text value, if available). The input parser skips all input until it encounters a valid list separator or terminator for the current list. Severity: 12 CKR0984 Invalid type list element type type "value" at ddname line number Explanation: This message indicates that the input parser expected a list element of the specified type, but found a token of a type not supported as a list element in this context. If available, the offending text value is also listed in the message. The input parser skips all input until it encounters a valid list separator or terminator for the current list. Severity: 12 Duplicate parameter value at ddname line number Explanation: This message indicates that the input parser detected a duplicate occurrence of the parameter or list element value at the indicated line. CKR0987 Syntax error: type1 expected instead of type2 at "value" on ddname line number Explanation: This message indicates that the input parser expected a specific token type type1 in the current context. Instead of this, it found the token type type2 (at the text value, if available) on the indicated input line. Severity: 12 CKR0988 Severity: 24 CKR0983 Required list element/parameter "value" missing at ddname line number Severity: 12 Explanation: This message indicates that the text value is not a valid value in the context type. CKR0982 CKR0985 Syntax error: "c" expected instead of type at "value" on ddname line number Explanation: This message indicates that the input parser expected a specific character "c" (presumably a delimiter) in the current context. Instead of this, it found the token type type (at the text value, if available) on the indicated input line. Severity: 12 CKR0989 Unexpected type ["value"] [for element] at ddname line number CKR0989 Skipping to EOL at unexpected type ["value"] at ddname line number Explanation: This message indicates that the input parser expected one of a number of specific token types, but found a different token type instead. If available, the offending text value and the element for which it is read are also listed in the message. The parser will either continue with the next token, or skip directly to the end of the line. Severity: 12 CKR0990 Expecting = or ( instead of type at "value" on ddname line number Explanation: This message indicates that the input parser expected an "=" or "(" but found a different token type instead. If available, the offending text value Chapter 5. CKR messages 207 CKR0992 • CKR999I is also included in this message. CKR998I Severity: 12 CKR0992 ABNEXIT/STXIT/ESTAE return code rc Explanation: This message indicates that the program failed to establish an abend exit linkage. STACK OVERFLOW FOR STACK tasklevel stackname IN program Explanation: This message indicates an internal stack error. It is followed by a user abend 16. Contact IBM Software Support. Severity: 16 Severity: 04 CKR999I CKR993I DIAGNOSTIC DUMP SUPPRESSED FOR program TASK taskname type ABEND xxx Explanation: This message indicates that the program abend exit did not attempt to make a diagnostic summary dump. This is done to prevent recursive abend conditions involving the print file. The task name is PROGRAM for the main task or for the only task in a program. For a multi-tasking program, program might identify one of the subtasks. CKR0994 Last record truncated by end-of-file ddname Explanation: This message indicates that end-of-file was reached for a RECFM=VBS input file in the middle of a multi-segment record. Severity: 16 CKR995I LRECL INVALID; NOT OVERRULED BECAUSE PARTITIONED DATA SET Explanation: This message indicates that the print file open routine detected an invalid record length for the output file. This would have been overruled with a correct length for a Physical Sequential data set, but this is not done for Partitioned Data Sets to prevent making any existing PDS members inaccessible. Subsequent 013 or 002 abends may be caused by the invalid record length. CKR996I MFREE: NO LENGTH FOUND IN BLOCK FOR STACK name Explanation: This message indicates an internal stack error. It will be followed by a user ABEND 16. Contact IBM Software Support. Severity: 04 CKR997I STACK ERROR - ELEMENT POPPED IS NOT ON TOP OF STACK name Explanation: This message indicates an internal stack error. It will be followed by a user ABEND 16. Contact IBM Software Support. Severity: 16 208 Messages Guide STORAGE SHORTAGE FOR TASK taskname HEAP heapname IN program INCREASE REGION Explanation: This message indicates that the program needs more storage. It will be followed by a user abend 16. If the heap name is LOWHEAP or SYSSTACK, then the request is for storage below the 16MB line. If the name is MAINHEAP, then the request is for storage anywhere. If the name is SMFCACHE, then the zSecure Audit job tag system used too much memory; see the SMFCACHE command. For MAINHEAP and SMFCACHE it could be beneficial to use the ALLOC STORAGEGC command, though this will increase CPU usage. Severity: 16 CKR1000 • CKR1010 Messages from 1000 to 1099 CKR1000 ALLOC PRIMARY/BACKUP and ACTIVE/INACTIVE are mutually exclusive pairs - before token at ddname line number Explanation: This message indicates an invalid ALLOC command. The option PRIMARY is mutually exclusive with BACKUP on one command. The option ACTIVE is mutually exclusive with INACTIVE on one command. Severity: 12 CKR1001 MASKTYPE=ACF2 invalid with TYPE=RACF - token at ddname line number Explanation: This message indicates that an explicit masktype specification on a newlist was issued. However, ACF2 masks cannot be used for NEWLIST TYPE=RACF. Severity: 12 CKR1002 Processing started for [ complex ] [program pathing] databasetype ddname volume dsn CKR1006 ACFCDSP abend (explanation) Explanation: This indicates an abend was intercepted while trying to format an ACF2 database record for display by the L line command. Severity: 16 CKR1007 USER "id" doubly defined Explanation: This message indicates that 2 logon ID records were found for one logon ID. This indicates a problem with the database allocation. Check the ALLOC TYPE=ACF2LID statements and verify that the proper data sets are allocated to the ddnames. Severity: 20 CKR1008 RULE "key" doubly defined Explanation: This message indicates that 2 rule records were found for one data set access rule. This indicates a problem with the database allocation. Check the ALLOC TYPE=ACF2RULE statements and verify that the proper data sets are allocated to the ddnames. Severity: 20 Explanation: The data set open was successful for the file indicated of the database type indicated, and input of the database was started. CKR1009 Severity: 00 Explanation: This message indicates that a command ALLOC TYPE=ACF2LID PRIMARY or ALLOC TYPE=ACF2RULE PRIMARY will fail in this release. The backup database will be used instead. CKR1003 Syntax error in NLS table var at "where" in ":" statement Explanation: A PANEL statement contains invalid syntax. The statement may occupy up to five lines. CKR1004 CKRACTS: VDEFINE return code n for var len len Explanation: The ISPF VDEFINE service for a PANEL statement failed with the specified return code. Severity: 12 CKR1005 Field field not available on current display level for panel Explanation: This message indicates that a PANEL statement for a line command defined in the NLS table requested a field, but the field was not present on the display statement in the newlist. Severity: 12 Severity: 00 CKR1010 Severity: 12 Reading the live ACF2 database not supported in this release, using backup database instead CKFREEZE DSN info missing for system sys cluster cluster Explanation: This message indicates that catalog processing was attempted but no default catalog was found for the indicated cluster in the system. This might be a follow-on error for message CKR0213 (missing master catalog), or it might be that you are erroneously using only SHARED=NO CKFREEZE files. If so, none of the files contain the user catalog that the alias in the master catalog for the indicated cluster points to. In this case, you would also see a CKR0292 message for the missing catalog snapshot. This message can also occur when analyzing CKFREEZE files from several data centers and DASD sharing is set incorrectly. For example, a catalog volume defaults to shared because UCB has been generated as shared. It can also occur when analyzing several point-in-time snapshots for the same system without using ALLOC VERSION=, which is required to compare points in time. Chapter 5. CKR messages 209 CKR1011 • CKR1021 User response: Check that you are running with sufficient SHARED=YES CKFREEZE files to cover all disks that are being shared or just were generated in HCD as shared (even if they are not really shared). Specify ALLOC VERSION= when analyzing multiple point-in-times. Run newlist type=dasdvol to see what volume sharing is assumed. If incorrect sharing is assumed because the UCB was generated as SHARED in HCD while the volume is actually not shared, then add appropriate SIMULATE SHARED statements for those volume serials. With modern disks, usually the box serial number disambiguates the sharing but some S390 emulation products exist that do not properly simulate DASD box serial uniqueness; this can necessitate the use of the SIMULATE SHARED statement. Also, a CKFREEZE that is created with IO=NO will not even contain the DASD box serial numbers. Note: It is possible to suppress this message but the results are not guaranteed. Severity: 20 CKR1011 No catalog on system for component in cluster Explanation: Catalog information was missing. Contact IBM Software Support. CKR1015 Zero TAG in C2ARULE Explanation: Contact IBM Software Support. Severity: 24 CKR1016 Requested rule entry number is not positive Explanation: Contact IBM Software Support. Severity: 24 CKR1017 C2ARULE: Unsupported record type type Explanation: Contact IBM Software Support. Severity: 24 CKR1018 C2ARULE: Unsupported record version number in record record Explanation: An access rule record of unknown layout was found. This error message is followed by a hexadecimal dump of the offending record. Contact IBM Software Support. Severity: 20 CKR1019 Severity: 24 C2ARULE: requested rule entry # number but this rule has only number entries Explanation: Contact IBM Software Support. CKR1012 Not enough storage for summary Increase region Explanation: While preparing the summary a storage shortage condition was encountered. Either increase the region or simplify the query or summary. Severity: 16 CKR1013 Duplicate SIM SMF request for system sys record n Explanation: This message indicates that two SIMULATE commands were given for the same SMF system ID and record number. Severity: 12 Severity: 24 CKR1020 Explanation: During processing of a field it was discovered that the ACCVT for the specified complex was missing, while the ACCVT contains information that is needed to successfully complete the processing for this field. This can occur if you are using an UNLOAD for input without an associated CKFREEZE file. In this case, zSecure Audit for ACF2 assumes the default settings are in effect. Severity: 04 CKR1021 CKR1014 SIMULATE SMF requires a CKFREEZE file for system smfid ACCVT not found for complex complex default GSO settings assumed Invalid UID string descriptor ANY_UID_STRING treated as UID Explanation: This message indicates that a SIMULATE SMF command with a SYSTEM=smfid was specified, but no CKFREEZE for that SMFid was found. The SIMULATE command is ignored. Either allocate a CKFREEZE for the system, or change the SIMULATE command to be valid for all systems by removing the SYSTEM=smfid parameter. Explanation: You are using a CKFREEZE created by an old version of zSecure Collect. The information describing the layout of your UID string is incomplete, making it impossible to determine whether you are using multi-valued UID strings, and if so, which part of the UID string contains the multi-valued field. The program will assume you do not use multi-valued UID strings and continue processing. Severity: 00 Severity: 04 210 Messages Guide CKR1022 • CKR1035 CKR1022 FDE not found for fieldname ANY_UID_STRING treated as UID Explanation: During processing of the ANY_UID_STRING pseudo field, it was discovered that the Field Definition Entry for one of the fields that make up the UID string could not be found. As a consequence, it cannot be determined whether the ACF2 6.2 Multi-Valued UID-string feature is in use. Hence, the program stops trying to find this out and treats ANY_UID_STRING as a standard single-valued UID. CKR1029 LID database cannot be processed without FDE information from CKFREEZE or current ACF2 system Explanation: zSecure Audit for ACF2 needs the information from the Field Definition Entries to process the logonid database, but could not find the FDEs. This can be caused by processing a copy of an ACF2 logonid database (rather than an unload) on a system where ACF2 is not active, without allocating a CKFREEZE file containing the necessary information. Severity: 12 Severity: 04 CKR1030 CKR1023 Zero tag in C2AFLD Impossible TLHD type number in C2ALFD2 Explanation: Contact IBM Software Support. Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKR1024 TAG tag out of FDE bounds (0,number) CKR1031 Explanation: Contact IBM Software Support. Severity: 24 CKR1025 Invalid record type xx in C2AFLD Explanation: Contact IBM Software Support. Field "fieldname" has no valid definition for complex complex at ddname line number Explanation: This message indicates that the Field Definition Entry for the field indicated in the message could not be found. Severity: 12 Severity: 24 CKR1032 CKR1026 A LIKELIST cannot refer to a select with a BESTMATCH parameter - before token at ddname line number Explanation: This message indicates that the newlist referred to in the LIKELIST parameter uses the BESTMATCH parameter in its selection which is not allowed. SELECT and EXCLUDE statements are invalid before a NEWLIST statement Explanation: For zSecure Audit for ACF2, SELECT and EXCLUDE commands are only valid within the context of a NEWLIST. Severity: 12 CKR1033 Severity: 12 Array index error in C2ALFDE for tag number; LFDE dimensions are 0,number Explanation: Contact IBM Software Support. CKR1027 The BESTMATCH parameter cannot be used in combination with EXCLUDE - at ddname line number Explanation: The BESTMATCH parameter can not be used for exclude processing. Severity: 12 CKR1028 Only one SELECT allowed in combination with a BESTMATCH parameter Explanation: It is not allowed to use the BESTMATCH parameter in combination with multiple (implicitly ORed) select statements. Severity: 12 Severity: 24 CKR1034 The BESTMATCH parameter cannot be used together with an OR function - at ddname line number Explanation: It is not allowed to use the BESTMATCH parameter in combination with an (explicit) OR statement. Severity: 12 CKR1035 recordtype record missing - ddname volume dsn Explanation: This message indicates that during processing of an unload, it was discovered that a vitally important record is missing. Probably the unload failed. Chapter 5. CKR messages 211 CKR1036 • CKR1047 Severity: 16 CKR1036 CKR1041 Field "fldname" is only supported for SUBSELECT clauses Explanation: The field you specified on a DEFINE, SELECT, LIST, SORTLIST, DISPLAY or (D)SUMMARY command was not found in the templates for any type of entity, and is as a built-in field only supported for SUBSELECT clauses. If you are running zSecure for RACF, you can verify the spelling and use of the requested fields with the help of the TEMPLATE command described in the RACF profiles documentation in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual. Severity: 12 CKR1037 Explicit allocation mode: CKRCMD referred, but none allocated Explanation: Since one or more ALLOC statements were found, explicit allocation mode was in effect, which implies that no files were implicitly allocated that could be allocated explicitly (which includes CKRCMD), no CKRCMD files were explicitly allocated, and yet CKRCMD was referred as the target of a NEWLIST (F=CKRCMD). Add ALLOC statements for one or more CKRCMD files (one for each complex to be processed). Severity: 12 CKR1038 Explanation: This message indicates that the site-defined flag field encountered before the place indicated in the input is not specified correctly. Site-defined flag fields can be used for SELECT/EXCLUDE processing only by specifying field=ON, field=YES, field=OFF or field=NO. Severity: 12 CKR1042 Invalid decimal input value at ddname line number Explanation: This message indicates that the value encountered before the place indicated in the input is not a valid decimal number. This can be due to excessively long input. Severity: 12 CKR1043 Length value not supported for hexadecimal fields at ddname line number Explanation: This message indicates that the value encountered before the place indicated in the input is of an unsupported length. Hexadecimal fields of up to and including 256 bytes in length are supported for SELECT/EXCLUDE processing, but longer fields are not. Severity: 12 Zero SLGN tag in contents node value CKR1044 Explanation: Contact IBM Software Support. Severity: 24 CKR1039 Invalid value for flag field field at ddname line number Date conversion error for field at ddname line number Date conversion error for value Explanation: This message indicates that the date value encountered before the place indicated in the input is incorrect. This can be due to invalid month names, year formats, day numbers, invalid separators, etc. Invalid hexadecimal input value at ddname line number Explanation: This message indicates that the value encountered before the place indicated in the input is not a valid hexadecimal number. Severity: 12 CKR1045 Impossible input type value at ddname line number Explanation: Contact IBM Software Support. Severity: 24 Severity: 12 CKR1046 CKR1040 Unsupported input type for field at ddname line number No data in complex-dependent node Explanation: Contact IBM Software Support. Severity: 24 Explanation: This message indicates that the field encountered before the place indicated in the input is a type that cannot be used for SELECT/EXCLUDE processing. CKR1047 Severity: 12 Explanation: Contact IBM Software Support. Severity: 24 212 Messages Guide Complex dependency not supported for newlist type value CKR1048 • CKR1059 CKR1048 Complex dependency not supported for format type value Explanation: Contact IBM Software Support. CKR1055 event notify identity facility class profile profile Explanation: Contact IBM Software Support. Explanation: This message is issued with event equal to Undefined due to a VERIFY PERMIT command, and with event equal to Remove due to a REMOVE USER command. It means that the identity to be removed was present in the NOTIFY field of the mentioned OnePass mapping profile. To solve the error condition, an RDEL command will be generated to remove the profile. Severity: 12 Severity: 04 Severity: 24 CKR1049 CKR1050 Unknown pseudo field; TAG=value CKRPUTV: too many output elements on line Explanation: A single output record appeared to contain millions of output elements. No new output is written to this record and to some extent this condition is handled like an out of storage condition, but processing may continue. Contact IBM Software Support. CKRPUTV: too many elements in repeat group fieldaddr fieldname defined at ddname line number Explanation: A single instance of the indicated repeat group appeared to contain millions of entries. No new output is written to this repeat group and to some extent this condition is handled like an out of storage condition, but processing may continue. Contact IBM Software Support. Severity: 16 CKR1053 Format format can only be used with the acl-type field - name at ddname line number Explanation: The indicated format only works with the ACL field or with the ACF2_ACL field, or with a defined variable based on it. Explanation: Since the FIRSTONLY modifier implies that a repeat group is reduced to a single entry, a combination with the repeat group modifier MORE makes no sense. CKR1057 Default owner owner is undefined on complex complex Explanation: This message is issued when the owner specified on the DEFAULT OWNER= command is not defined in the complex mentioned, and a RACF command containing this would have been generated. It is only shown once per complex. Severity: 12 Modifier FIRSTONLY cannot be combined with SORT on a summary for field name at ddname line number Explanation: Summary processing requires an early reduction of the repeat group to a single entry. This means that an early sort must be done. This is not supported in combination with certain field manipulations, such as lookups and restrict processing, under certain conditions. It is possible for a field to have an internal SORT modifier that has not actually been specified or implied in explicit CARLa. If you are using zSecure for RACF, see the NODUP system-wide option documentation in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual for more information. Severity: 12 CKR1058 Severity: 12 CKR1054 Modifier FIRSTONLY is mutually exclusive with MORE - field name at ddname line number Severity: 12 Severity: 16 CKR1051 CKR1056 CKRPRTFL: No storage left for WRAP buffer for fieldaddr fieldname - WRAP turned off defined at ddname line number Explanation: A WRAP or WORDWRAP modifier was specified for the indicated field but this request could not be honored due to storage shortage - the generated report may not be in the desired format. Severity: 08 CKR1059 Repeat group restriction for fieldname1 is not supported - field fieldname2 at ddname line number Explanation: This message may occur in restricted mode for partially restricted fields. It indicates that the current version does not support partial restriction of fieldname1. As a result fieldname2 will result in an empty column. (Fieldname2 is the requested field, fieldname1 Chapter 5. CKR messages 213 CKR1060 • CKR1069 the actual database field; they may differ if fieldname2 is a defined variable.) Severity: 04 CKR1060 VERIFY STC and COPY/MOVE/ REMOVE are mutually exclusive Explanation: VERIFY STC and COPY/MOVE/ REMOVE commands cannot both be specified. CKR1065 masktype in mixed quotes before type "value" at DDname line number Explanation: A mask appears to be specified with mismatching start and end quotes, for example, starting with a single quote (') and ending with a double quote ("). The masktype can be Extended attribute mask or Access intent mask. Severity: 12 Severity: 12 CKR1066 CKR1061 option only valid behind COPY GROUP TOGROUP Explanation: The option specified is only valid behind the COPY GROUP= TOGROUP= command. Possibly you only need to change the order of the parameters. masktype cannot exceed line boundary type "value" at DDname line number Explanation: The indicated type of mask appears to cross a line boundary. The masktype can be Extended attribute mask or Access intent mask. Severity: 12 Severity: 12 CKR1067 CKR1062 Delete group groupid suppressed, still HLQ for DATASET profiles Explanation: This message indicates that the groupid indicated would have been deleted as the result of the commands given. However, there are still data set profiles with this ID as HLQ in the RACF database (probably due to the SUPPRESS DELDSD command). Since the DELGROUP would fail in this instance, it is suppressed. Explanation: The mask type being parsed uses '+' and '-' to specify a list of attributes that should be 'on' or 'off,', respectively; two such indicators were found with no attributes specified in between. The masktype can be Extended attribute mask or Access intent mask. To specify a fixed size list of attribute settings rather than a mask, do not use quotes. Instead use, for example, just --s-. Severity: 12 Severity: 04 CKR1063 masktype: double +/-; found type "value" at DDname line number NEWDATA only valid behind COPY TOUSER/TOGROUP Explanation: This message indicates that the NEWDATA keyword was encountered in an unexpected position. It is only valid behind a COPY USER TOUSER or COPY GROUP TOGROUP construction. Possibly you only have to change the order in which the command keywords are given. Severity: 12 CKR1068 masktype: =, + or - expected; found type "value" at DDname line number Explanation: The mask type being parsed uses '+' and '-' to specify a list of attributes that should be 'on' or 'off', respectively, or '=' to specify an exact list of attributes; no such indicator was found. The masktype can be Extended attribute mask or Access intent mask. To specify a fixed size list of attribute settings rather than a mask, do not use quotes. Instead use, for example, just ap--. Severity: 12 CKR1064 CKRCFV: Duplicate UNIX device dev in system system complex complex Explanation: A CKFREEZE record containing a mount point was encountered associating it to a device number that was already used for another file system on this system. The mount record is ignored, no new file system dump is started. Severity: 20 CKR1069 Explanation: The character indicated is not recognized for the mask type being parsed. The masktype can be Extended attribute mask or Access intent mask. Valid attribute characters for the former are a, p, s and l; for the latter d, r, w and x. Furthermore, '+', '-' and '=' are valid indicators for 'on' and 'off', and the mask should be enclosed in quotes. Blanks are ignored. Severity: 12 214 Messages Guide Unexpected character in masktype; found type "value" at DDname line number CKR1070 • CKR1078 CKR1070 Internally inconsistent masktype before type "value" at DDname line number Explanation: The mask just parsed is syntactically correct but semantically inconsistent, i.e., at least one attribute was requested to be on as well as off. The masktype can be Extended attribute mask or Access intent mask. Severity: 12 CKR1071 masktype ends with + or - before type "value" at DDname line number Explanation: The mask type being parsed uses '+' and '-' to specify a list of attributes that should be 'on' or 'off', respectively; the last such indicator had not been followed by any attributes when the closing quote was encountered. The masktype can be Extended attribute mask or Access intent mask. Severity: 12 CKR1072 OMVS HOME contains invalid value for user userid in complex complex version: home Explanation: The HOME field value in the OMVS segment of the indicated user ID does not allow the user to logon to z/OS Unix System Services, and this was apparent from its syntax: home does not start with a '/', and is not "." or "./". Severity: 08 CKR1075 Explanation: There appears to be a memory shortage--try increasing the REGION size or limiting the query. As a result, UNIX processing cannot build a proper mount point qualifier search structure. In TYPE=UNIX newlists the HOME_OF field will show up empty, AUDITCONCERN may be incomplete, and AUDITPRIORITY may be too low. The output from TYPE=TRUSTED newlists may be incomplete as well. Severity: 08 CKR1076 CKAOUNIX.CKASDIR: No memory to build SDIRs Explanation: There appears to be a memory shortage--try increasing the REGION size or limiting the query. As a result, UNIX processing cannot build a proper subdirectory search structure. In TYPE=UNIX newlists the HOME_OF field will show up empty, AUDITCONCERN may be incomplete, AUDITPRIORITY may be too low, and DEPTH and ATTR may be in error. The output from TYPE=TRUSTED newlists may be incomplete as well. Severity: 08 CKR1074 CKAOUNIX.CKATHOM: No memory to build associations, home directories are not determined Explanation: There appears to be a memory shortage--try increasing the REGION size or limiting the query. As a result, UNIX processing cannot determine the home directories of the users. In TYPE=UNIX newlists the HOME_OF field will show up empty, AUDITCONCERN may be incomplete, AUDITPRIORITY may be too low, and DEPTH and ATTR may be in error. The output from TYPE=TRUSTED newlists may be incomplete as well. CKAOUNIX.CKAQMNT: Out of memory error in ADDINOD, home directories are not determined Explanation: There appears to be a memory shortage--try increasing the REGION size or limiting the query. As a result, UNIX processing cannot determine the home directories of the users. In TYPE=UNIX newlists the HOME_OF field will show up empty, AUDITCONCERN may be incomplete, and AUDITPRIORITY may be too low. The output from TYPE=TRUSTED newlists may be incomplete as well. Severity: 08 CKR1077 Severity: 04 CKR1073 CKAOUNIX.CKAQMNT: No memory to build QMNTs Command type file ddname does not support file options fileoption ... Explanation: The indicated command output DD-name, which can be CKR2PASS (for CARLa commands for a second pass) or CKRCMD (for TSO command output) does not support the indicated file option(s), which can include UTF-8 (Unicode), COMPRESS=GZIP, and MAXPAGE (limitation in pages). Severity: 12 CKR1078 FOCUS must precede parameters requiring entitlement checks Explanation: This message indicates the LIMIT FOCUS command was issued after the focus had been decided. The focus is decided at the first parameter that needs to know which focus the program is running with. An example of such a parameter is NEWLIST TYPE=type for a newlist type that is only entitled for some product codes. User response: Move the command more to the beginning of the input. Severity: 12 Chapter 5. CKR messages 215 CKR1079 • CKR1089 CKR1079 CKAOUNIX.CKAINOX: No memory to build INOXes, UNIX file name lookups are not performed. CKR1084 No more than 128 DEFTYPE statements allowed before token at ddname line number Explanation: There appears to be a memory shortage--try increasing the REGION size or limiting the query. As a result, UNIX processing cannot build a proper inode search structure. In TYPE=SMF newlists the RECORDDESC may be incomplete and UNIX_PATHNAME will be empty. Explanation: This message indicates that you have exceeded the internal limit on the number of user-defined newlist types. Reduce the number of DEFTYPE statements. If the current limit (128 such newlists) is a problem for your installation, contact IBM Software Support. Severity: 08 Severity: 12 CKR1080 Format formatname cannot be used with the fieldname1 field - fieldname2 at ddname line number Explanation: The internal representation of field1 only allows use of special formats on this field. (Fieldname2 is the requested field, fieldname1 the actual base field used; they may differ if fieldname2 is a defined variable.) SCOPE= mutually exclusive with notPROFLIST chaining - newlist name at DDname line number Explanation: A SCOPE=id parameter was specified on newlist name that also specified a PROFLIST= or NOTPROFLIST= parameter and was itself the target of a PROFLIST=name or NOTPROFLIST=name specification. This combination is not supported. Severity: 12 CKR1082 Severity: 12 DEFTYPE missing TYPE= parameter before token at ddname line number Severity: 12 DEFTYPE ABBREV2=abbrev2 is reserved reserve reason at ddname line number Explanation: The abbrev2 specified at the given location conflicts with another abbreviation. This can be the abbreviation of a predefined newlist, a value used for internal processing, or the ABBREV2 specified on another DEFTYPE. The first two conflict types can be avoided by always choosing a national character ($, #, or @) as part of the ABBREV2. If the latter occurs, you need to check and fix your DEFTYPE specifications for this query. Severity: 12 Explanation: The newlist type name is unknown. Perhaps a DEFTYPE statement is missing. Severity: 12 CKR1087 Undefined ALLOC TYPE=name at ddname line number Explanation: The allocation type name is unknown. Perhaps a DEFTYPE statement is missing. CKR1088 Messages Guide Started processing type=name pads file ddname volser dsn Explanation: This message indicates that processing for the indicated newlist type started reading the indicated data set. If the message contains the text PADS for pads, then this indicates that access to the data set was allowed by virtue of conditional access by this program. Severity: 00 CKR1089 number type records read number2 type records selected (p%) Explanation: This message is written at the end of the input phase for type type. It indicates the number of records that were read and selected for output for the newlist type. The selection count does not consider lookups because they are output as part of another newlist type. All records are read in case of a lookup, but only the lookup target fields are stored. Severity: 00 216 Undefined type name at ddname line number Severity: 12 Explanation: A DEFTYPE statement must contain a TYPE= specification. CKR1083 Duplicate DEFTYPE for type name at ddname1 line number1 and at ddname2 line number2 Explanation: A user-defined newlist type can have only one definition per run. CKR1086 Severity: 12 CKR1081 CKR1085 CKR1090 • CKR1097 CKR1090 CKRPUTV.CKRPTCLS: Not enough memory to allocate RPTY for fieldaddr fieldname; TLST recordaddr Explanation: A very large repeat group field could not be stored; this field will be empty in the indicated record. Severity: 08 CKR1091 Overriding length zero on field field only valid on last field in display line at ddname line number Explanation: In a display, the overriding length zero can only be used on the last field on a line. This field will then use the remaining space on the line on the screen. CKR.READALL in class class not defined. Using defaults. Explanation: Normally a profile covering the CKR.READALL resource is used to decide whether the user is allowed to read the complete database or only has access to data that is in his/her scope. No such profile is defined, or the class is incorrectly specified. The restricted/unrestricted decision will now be based on the data in the CKRSITE area or on the type of access the user has on the database (PADS/non-PADS). For additional information, see the IBM Security zSecure CARLa-Driven Components: Installation and Deployment Guide. Severity: 00 CKR1093 databasetype RACF DB cannot be allocated. Not present on system. Explanation: The database indicated is not present on the active system and thus could not be used. Check your system configuration and specify an existing database. Severity: 12 CKR1094 CKROUNIT: modifier can only be specified on first field on a line. field at DDname line number Explanation: The CONDPAGE and NOTEMPTY modifiers influence a complete output line. As such they are only accepted on the first field of that line. Severity: 12 CKATUID: Storage shortage, field fieldname is not filled in. Explanation: There appears to be a memory shortage--try increasing the REGION size or limiting the query. As a result, UNIX processing cannot build a proper RACF ID search structure. In TYPE=UNIX newlists the indicated field will be empty and UNIX_ACL will be incomplete. In type=SMF newlists the RECORDDESC may be incomplete. The output from TYPE=TRUSTED newlists may be incomplete as well. The fieldname may be OWNER or GROUP, meaning that UIDs cannot be translated to RACF user IDs, or GIDs cannot be translated to RACF groups, respectively. Severity: 08 CKR1096 Severity: 12 CKR1092 CKR1095 errordesc in mask-type audit flags string string Explanation: A syntax error was detected in a mask-type specification string for a UNIX audit flags field. For details on the correct syntax, see the Unix field section of the user reference manual for your zSecure product. The errordesc can be Duplicate operator specification if a second '+', '-' or '=' is encountered with no attributes in between, for example, r=s,=f. It can be Duplicate setting for read, Duplicate setting for write or Duplicate setting for exec if the string uses an = specification for read, write, or exec as well as a + or - specification for the same access type, or multiple =, multiple +, or multiple - specifications; it can be Duplicate setting for a duplicate specification for all access types. It can be No operator specified when an audit setting indicator is found that was not preceded by +, -. or =. It can be Select on true AND false invalid if the specification was syntactically correct but semantically inconsistent, i.e., at least one flag was requested to be on as well as off. Severity: 12 CKR1097 errordesc in mask-type file mode string string Explanation: A syntax error was detected in a mask-type specification string for a UNIX file mode field. The errordesc can be Typed and generic specification if both 'u','g' and/or 'o' specific and nonspecific clauses occur in a single mask. It can be Duplicate operator specification if a second '+', '-' or '=' is encountered with no attributes in between, for example, g=r,=w. It can be No target for operator specified if a '+', '-' or '=' is encountered that is not preceded by (at least one of) 'u', 'g', 'o', or 'a' to indicate the owner, group, or other access group, or all access groups. It can be Duplicate use of group u, Duplicate use of group g, or Duplicate use of group o if the string uses an = specification for owner, group, or other as well as a + or - specification for the same access group, or multiple = specifications; it can be Duplicate Chapter 5. CKR messages 217 CKR1098 • CKR1105 use of operand for group group for multiple + or specifications. It can be No operator specified when a access type is found that was not preceded by +, -. or =. It can be s is not valid for group o if s (setuid/setgid) is specified or implied for group other. It can be t is not valid for group u or t is not valid for group g if the sticky bit is specified or implied for the owner or group access group, respectively. It can be Select on true AND false invalid if the specification was syntactically correct but semantically inconsistent, i.e., at least one flag was requested to be on as well as off. For additional information about the correct syntax, see the Unix field section of the user reference manual for your zSecure product. Severity: 12 CKR1098 Illegal expected in specificationtype-type objecttype string string Explanation: A syntax error was detected in the indicated kind of specification. Expected can be character or value; specificationtype can be mask, octal, or text; objecttype can be file mode, generic file mode or audit flags. The objecttype generic file mode refers to the "nonspecific" specification type for an access type. For details on the correct syntax, see the Unix field section of the user reference manual for your zSecure product. Severity: 12 CKR1099 Specificationtype-type objecttype string should have length required before type "value" at DDname line number Explanation: The indicated kind of specification has a fixed length different from the length encountered. Specificationtype can be Octal or Text; objecttype can be file mode or audit flags. . For additional information about the correct syntax, see the Unix field section of the user reference manual for your zSecure product. Severity: 12 Messages from 1100 to 1199 CKR1100 OBTAIN RC=nn on ddname volser dsname Explanation: This message indicates that a DSCB could not be obtained for dsname from the VTOC on disk volume serial volser. Restore the data set if necessary, or correct the data set name. If all is correct, try specifying the command BDAMQSAM in your preamble to work around this problem. Severity: 16 CKR1101 Unexpected IOS rc hhx, CSW stat stat sns sense cmd op for ddname volser dsname Explanation: This message indicates that EXCP failed with the indicated return code, status, and sense information. Contact IBM Software Support if the data set is not defective. Try specifying the command BDAMQSAM in your preamble to work around this problem. Severity: 20 CKR1102 Unexpected end-of-file at CCHHR cc hh r rel blk nnn for ddname volser dsname Explanation: This message indicates that an end-of-file marker was found on the track before the last block indicated by the Block Availability Map (BAM) was reached. This can also be a follow-on error to an I/O failure indicated by an earlier message. Contact IBM Software Support if the data set is not defective. Try specifying the command BDAMQSAM in your preamble to work around this problem. 218 Messages Guide Severity: 20 CKR1103 Unexpected block length bb at CCHHR cchhr rel blk nnn for ddname volser dsname Explanation: This message indicates that a block length that differs from the block size indicated in the VTOC was encountered for the indicated relative block number. Contact IBM Software Support if the data set is not defective. Try specifying the command BDAMQSAM in your preamble to work around this problem. Severity: 20 CKR1104 Empty block in use according to BAM ddname block blkno segment offset offset Explanation: The block mentioned did not contain data, while the BAM indicated that it should. If the problem does not go away if the query is done again, run IRRUT200. If no problems are found by IRRUT200, contact IBM Software Support. Severity: 08 CKR1105 Unexpected len in RXNE index rel blk block. Explanation: This message indicates that the length found while processing a non-RDS index was too small. If the problem does not go away if the query is done again, contact IBM Software Support. The problem can probably be circumvented by specifying SUPPRESS INDEX. CKR1106 • CKR1117 can probably be circumvented by specifying SUPPRESS INDEX. Severity: 16 CKR1106 Expected data block not found ddname block block Explanation: This message indicates that a block in the indicated RACF data set was actually an index block, while the index said it was a data block. If the problem does not go away if the query is done again, run IRRUT200. If no problems are found by IRRUT200, contact IBM Software Support. The problem can probably be circumvented by specifying SUPPRESS INDEX. Severity: 08 CKR1111 Explanation: During merge processing an invalid access level was encountered. This is probably caused by the corruption of a record in the database. Severity: 16 CKR1112 Severity: 20 CKR1107 Index conflict on rel blk block on ddname for key Explanation: This message indicates that a block in a RACF data set was referred to as both an index and a data block by the index. If the problem does not go away if the query is done again, run IRRUT200. If no problems are found by IRRUT200, contact IBM Software Support. The problem can probably be circumvented by specifying SUPPRESS INDEX. Severity: 16 CKR1108 Index conflict on rel blk block on ddname for key Explanation: This message indicates that a block in a RACF data set was referred to as both an index and a data block by the index. If the problem does not go away if the query is done again, run IRRUT200. If no problems are found by IRRUT200, contact IBM Software Support. The problem can probably be circumvented by specifying SUPPRESS INDEX. Severity: 16 Unexpected access level hex xx Unexpected CONNECT authority hex xx for userid/groupid Explanation: During merge processing an invalid CONNECT authority was encountered. This is probably caused by the corruption of a record in the database. Severity: 16 CKR1113 Data set name has but a single qualifier skipped Explanation: During matching of access rules and data sets, a data set was encountered of which the name consists of but a single qualifier. This is not supported. Processing is skipped for this data set only. Severity: 20 CKR1114 Data set name has a HLQ of more than 8 characters long - skipped Explanation: During matching of access rules and data sets, a data set was encountered of which the name has a high level qualifier more than eight characters long. Since this data set cannot be protected by ACF2 rules, further processing is skipped for this data set. Severity: 20 CKR1109 Entity type group assumed - segment segment of key Explanation: This message indicates that a non-base segment was encountered for which the entity type user or group could not be determined. The message is only issued if DEBUG SEGMENT has been specified. Severity: 00 CKR1110 CKR1115 Explanation: Contact IBM Software Support. Severity: 24 CKR1116 Index points to free space ddname block block segment offset segment Explanation: This message indicates that the index of the indicated RACF data set points to a data block that is not in use according to the Block Availability Map. If the query is done again and the problem does not go away, run IRRUT200. If no problems are found by IRRUT200, contact IBM Software Support. The problem logonid has $PREFIX but no $AUTI skipped logonid AUTI has disappeared - skipped Explanation: Contact IBM Software Support. Severity: 24 CKR1117 CKRACTS: VDEFINE return code n for var len len Explanation: The ISPF VDEFINE service for a PANEL statement failed with the specified return code. Severity: 12 Chapter 5. CKR messages 219 CKR1118 • CKR1133 CKR1118 Missing UADS information for complex complex - APF CKFREEZE needed Explanation: While checking whether a logonid is able to logon to TSO, it was found that UADS information is needed to answer this question. However, the relevant information was not available (a CKFREEZE file made by an APF authorized zSecure Collect run is needed). The program will assume that the logonid cannot logon to TSO. Severity: 04 CKR1119 CKR1127 key is of an unsupported type Explanation: Contact IBM Software Support. Severity: 24 CKR1128 key has an unknown layout - version number number Explanation: The specified resource rule has an unsupported layout. Contact IBM Software Support. Severity: 20 Invalid field length length found; field offset is offset Explanation: An invalid length was returned for the field at the specified offset in a logonid record. Contact IBM Software Support. CKR1129 Invalid Sequence Number number for field tag in record key Explanation: Contact IBM Software Support. Severity: 24 Severity: 20 CKR1130 CKR1120 Number of entries invalid length Unknown RuleHeader line type requested for key Explanation: Contact IBM Software Support. Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKR1121 DSN mask not found Explanation: Contact IBM Software Support. Severity: 24 CKR1122 First entry in record key refers to a previous one for field offset Explanation: Contact IBM Software Support. Severity: 24 Record length invalid length Explanation: Contact IBM Software Support. Severity: 24 CKR1123 CKR1131 CDSR not found Explanation: Contact IBM Software Support. CKR1132 Record "key" doubly defined Explanation: The indicated resource rule was encountered before in the same security complex. This indicates a problem with the database allocation. Check the ALLOC TYPE=ACF2INFO statements and verify that the proper data sets are allocated to the ddnames. Severity: 20 Severity: 24 CKR1133 CKR1125 Invalid offset offset for field tag in record key Explanation: Contact IBM Software Support. Severity: 24 CKR1126 key is not marked as an InfoStorage record Explanation: Contact IBM Software Support. Severity: 24 220 Messages Guide [complex] DB db datasetname read pp% to obtain number segments (of 256 byte) Unusedspace. Using readmethod. Used number special, number index, and number data blocks for number requests. Statistics Explanation: This message reports on the indexed read of a RACF data set. It indicates the number of segments to be read, and the percentage that actually was read physically to obtain this data. The percentage can grow above 100% if some parts had to be read more than once. Free space can be present at the end of the database (never used) or fragmented through the database. If all space is fragmented, Unusedspace will contain the text Free space completely fragmented, otherwise it will show Space beyond pp% never used. readmethod can be BDAM, indexed ECKD EXCP, or indexed EXCP. If either EXCP method was used, a CKR1134 • CKR1141 fourth line is shown in the format Read number blocks from a total of number in number IOs. Cache hit was pp%. number type records processed, selected number2 (p%) Explanation: This message indicates that for newlist type number records were read, and of those read, number2 were actually selected. Severity: 00 CKR1134 CKR1137 SIMULATE specification at DDname line number conflicts with the command at DDname line number Severity: 00 CKR1138 Record "key" appears to be a directory: "id" Explanation: Multiple SIMULATE CNGRACF or SIMULATE CKGRACF commands per complex are not allowed. Neither are multiple SIMULATE CNGRACF or SIMULATE CKGRACF commands that do not explicitly specify a complex. Explanation: The indicated structured InfoStorage record has an inconsistent layout. Contact IBM Software Support. Severity: 12 Severity: 20 CKR1135 Undefined type lookup element value at ddname line number Explanation: This message indicates that an error has been made in specifying an indirect reference. The syntax for a deftype lookup is as follows: FIELD:TYPE.KEY.TARGET where TYPE is a type of newlist, created with a DEFTYPE command, and KEY and TARGET are previously defined fields in the same newlist type. For a more detailed explanation of indirect references, see DEFINE command - Field value manipulation in the user reference manual for your zSecure product. Element is type, key, or target and indicates the syntax element that is in error; for key or target type reflects the TYPE. CKR1139 program used cc.c CPU seconds, nn,nnnKB, and took ss wall clock seconds Explanation: This message is issued after most processing has been done but before newlist output processing. It indicates the resource usage as well as the elapsed time for this run. Its main use is to measure resource usage in the ISPF interface, since the corresponding CKR0039 at the end of the SYSPRINT is not very usable for this purpose since it includes all user think time while looking at the ISPF displays, and all resource consumption (like recursive queries or other ISPF commands) done from the ISPF display. Severity: 00 Severity: 12 CKR1140 CKR1135 Undefined lookup element value before token at ddname line number Explanation: This message indicates that an error has been made in a MAILTO= specification. The syntax is as follows: MAILTO=:TYPE.TARGET where TYPE is a type of newlist, created with a DEFTYPE command, and TARGET is a previously defined field in that newlist type. See OPTION command - MAILTO in the user reference manual for your zSecure product. Element is type or target and indicates the syntax element that is in error. Explanation: This message indicates that you have exceeded the internal limit on the number of systems (I/O configurations). Reduce the number of ALLOCATE statements for CKFREEZEs. If the current limit (100 effective configurations) is a problem for your installation, contact IBM Software Support. Severity: 12 CKR1141 Severity: 12 CKR1136 Field LID not found Explanation: zSecure Audit for ACF2 cannot store the logonid. This can be caused by processing a copy of an ACF2 logonid database on a system where ACF2 is not active and without allocating a CKFREEZE file containing the necessary information. For the processing of an unload, this is a fatal error. Maximum number of max systems exceeded for system system Maximum number of max complexes exceeded for complex complex Explanation: This message indicates that you have exceeded the internal limit on the number of complexes (security databases). Reduce the number of ALLOCATE statements for such databases. If the current limit (100 such databases) is a problem for your installation, contact IBM Software Support. Severity: 12 Severity: 20 Chapter 5. CKR messages 221 CKR1142 • CKR1152 CKR1142 Duplicate and conflicting entry for key=key in lookup type.key.target Value "value1" retained, value "value2" from record number ignored. Explanation: While reading the file(s) for type type a duplicate entry was found for field key which was used as the key field of the lookup. In this case, the duplicate entries, value1 and value2, specify different values. Only value1 will be stored for display of the lookup. Note that message CKR2363 is issued if duplicate entries are found and value1 and value2 are identical. Severity: 00 CKR1143 Word number must be >= 1 Explanation: The number in an expression WORD(field,number,delimiter) was not specified correctly. Severity: 12 CKR1144 Illegal BUNDLEMAILTO function at ddname line number Explanation: The specified BUNDLEMAILTO value is invalid. It has to be a series of field value manipulation functions with the BUNDLEBY base field. For additional information, see the documentation for the BUNDLE command in the user reference manual for your zSecure product. Severity: 12 CKR1148 CKRCFV: Encountered another DMSFILES dump for system system complex complex - skipped volume dsname Explanation: This message is issued when the program detects multiple DMSFILES dumps on a single system and cannot decide which one to use. There are no adverse effects to current program output. Severity: 004 CKR1149 ALLOC command at ddname line number condition a previous one - ignored Explanation: The indicated ALLOC command for an ACTIVE or INACTIVE security database is either identical to a previous ALLOC command, or incompatible with a previous one, as indicated by the message. In the latter case, the indicated command specifies (or implies) to allocate the PRIMARY security database, whereas a previous command specified the BACKUP, or v.v. The command is ignored. Severity: 00 CKR1150 Record "key" doubly defined Explanation: The indicated structured InfoStorage record was encountered before in the same security complex. This indicates a problem with the database allocation. Check the ALLOC TYPE=ACF2INFO statements and verify that the proper data sets are allocated to the ddnames. Severity: 20 CKR1145 BUNDLEMAILTO is only valid on the BUNDLE command at ddname line number CKR1151 field <Asymmetric AREMFLG> flag Explanation: The BUNDLEMAILTO keyword is not supported on the command it was specified on. Explanation: An ACF2 SMF record of an unsupported layout was encountered. The SMF record is possibly corrupted. Contact IBM Software Support. Severity: 12 Severity: 20 CKR1146 PAS attribute requires KEY modifier before token at ddname line number Explanation: The point-and-shoot modifier (PAS) is only supported on fields that have a KEY modifier as well (i.e., cannot be scrolled off the display). CKR1151 field <id: unintelligible AREMFLG> flag Explanation: An ACF2 SMF record of an unsupported layout was encountered. The SMF record is possibly corrupted. Contact IBM Software Support. Severity: 20 Severity: 12 CKR1152 CKR1147 CKRCFS: Encountered another MCDS for system system - skipped volume dsname Warning: Dynamic parse table for complex name unknown, using current system DPT Explanation: This message is issued when the program detects multiple MCDSes on a single system and cannot decide which one to use. There are no adverse effects to current program output. Explanation: This message indicates that no dynamic parse table (DPTB) could be found for the indicated complex name. The current system's DPTB is used instead. The DPTB defines which custom fields can be used for this complex. Severity: 04 Severity: 00 222 Messages Guide CKR1153 • CKR1165 CKR1153 ENDBUNDLE missing CKR1160 Explanation: This message indicates that a BUNDLE was started but not ended. Explanation: SORT is a repeat group modifier, and field is not a repeated field. Therefore, it is ignored. Severity: 12 CKR1154 Duplicate allocation of type type for complex complex Explanation: In an ACF2 complex only one data set of each type (LID, rule and infostorage) can be allocated. Verify the allocation statements on your query. Severity: 12 CKR1155 Expected Audit Function Code instead of field Explanation: A number or an Audit Function Code indication (without quotes) should have been specified. Severity: 12 CKR1156 Modifier SORT applies to repeated fields only - not useful for field at ddname line number Severity: 04 CKR1161 scope record: NextKey nesting level depth exceeded Explanation: ACF2 scope records support a maximum of 10 NextKey nesting levels. The scope record identified in this message is a record exceeding this maximum. Further processing for this record is aborted. Severity: 04 CKR1162 Impossible length value value for fieldname fieldvalue Explanation: Contact IBM Software Support. Unload output file cannot have RECFM=U - [(redirected CKRUNLOU)] ddname [path | volser dsname] Explanation: An UNLOAD to a data set with RECFM=U is not supported. Output the UNLOAD data to a data set with another format and try again. Severity: 16 Severity: 24 CKR1163 scope record: improbable number of NextKeys Explanation: The identified scope record appears to have multiple NextKeys - a logical impossibility. Contact IBM Software Support. Severity: 24 CKR1157 LIKELIST cannot be specified in a subselect clause CKR1164 Explanation: Specifying a LIKELIST clause in a subselect clause is not allowed. Severity: 12 CKR1158 Subselect of "field" in "subselectclause" not allowed in SELECT statement Explanation: In a subselect clause on the SELECT statement some fields are not allowed, because their value cannot be determined until after the database has been read. For example, the ACL fields USER and GROUP cannot be used, because the access list contains an ID that must be related to a matching profile to determine the type--use ID instead. Severity: 12 CKR1159 Lookup not allowed in subselect clause in SELECT statement - before type "value" at ddname line number datasetname exceeds 2 GB in size. This could be a cause for RACF database corruption. Explanation: A RACF data set is limited in size to 2 GB. Larger data sets can cause database corruption. The indicated data set is larger than 2 GB. A severity of 8 indicates that the space above 2 GB is in use and you will most likely encounter RACF database corruption. A severity of 4 indicates that this space is not in use. Severity: 04 or 08 CKR1165 Modifier UNIVERSAL invalid for field field at ddname line number Explanation: This message indicates that the UNIVERSAL modifier was used on a field that does not support its use. Only the ACL and CONNECTS-like fields support this modifier. Severity: 12 Explanation: Lookups are forbidden in a subselect clause on a SELECT statement, because they can only be performed after the database has been read. Severity: 12 Chapter 5. CKR messages 223 CKR1166 • CKR1173 CKR1166 A type access level was not expected before type "value" at ddname line number Explanation: This message indicates that the program has interpreted the previous token as an access level of type type, but this type is considered inapplicable in this context. The type can be UNIX, ACF2, scope, module or DEFINE. You only use UNIX and ACF2 access values for selection in newlist type=TRUSTED. You only use scope values for selection in the TRUSTED and REPORT_SCOPE newlist types. You only use module values for selection in newlist types REPORT_AC1 and REPORT_PADS. DEFINE access values are only used in newlist types ACCESS and RACF_ACCESS. Severity: 12 CKR1168 Unknown directory layout for identifier - number Explanation: During creation of an unload, the program encountered a scope directory with an unknown layout identifier. The program tries to continue, but there's no guarantee that the generated output will be correct. Contact IBM Software Support. Severity: 20 CKR1169 Illegal time value before token at ddname line number Explanation: This message is issued when reading a DATETIME format value where the time is not recognizable. Severity: 12 CKR1166 The access value value was not expected before type "value" at ddname line number Explanation: This message indicates that the program has interpreted the previous token as the access value value, but this value is considered inapplicable in this context. HIDDEN is only used for selection in newlist type=REPORT_STC. QUALOWN is only used in newlist types REPORT_SCOPE, ACCESS, and RACF_ACCESS. OWNER is only used in newlist types TRUSTED, REPORT_REDUNDANCY, REPORT_SENSITIVE, REPORT_NONDEFAULT, REPORT_OUFOFGROUP, and REPORT_PROFILE. The values ADD, A-READ, DELETE, D-READ. ADD-DEL, and AD-READ are only used in newlist types TRUSTED and REPORT_SCOPE. Severity: 12 CKR1166 A CONNECT authority was not expected before type "value" at ddname line number Explanation: This message indicates that the program has interpreted the previous token as a CONNECT authority, but this value is considered inapplicable in this context. CONNECT authorities are only used in NEWLIST TYPE=RACF_ACCESS. Severity: 12 CKR1167 Unknown directory layout number empty SSCP assumed Explanation: During analysis of the ACF2 resident scope structure, the program encountered a scope directory with an unknown layout identifier. To prevent abends, processing of the directory is skipped completely, which effectively implies that all SCPLISTs are considered empty. This makes the program unusable for scoped administrators. Contact IBM Software Support. Severity: 24 224 Messages Guide CKR1170 Invalid continuation of date value before token at ddname line number Explanation: This message is issued when reading a DATETIME format value where characters remain behind the date part. Severity: 12 CKR1171 Request storing for segment typing due to newlist field and ambiguous entity Explanation: This message is triggered by DEBUG SEGMENT if all users and groups will be stored to help disambiguating the entity type of segments in a RACF restructured database. This specific message is given if there is a LIST family statement that needs a field that depends on the proper entity type being determined. Severity: 00 CKR1172 Request storing for segment typing due to newlist selection Explanation: This message is triggered by DEBUG SEGMENT if all users and groups will be stored to help disambiguating the entity type of segments in a RACF restructured database. This specific message is given if the SELECT statement itself needs the entity type disambiguated. Severity: 00 CKR1173 Global select indicates no storing for segment typing is needed. Explanation: This message is triggered by DEBUG SEGMENT if all users and groups need NOT be stored to help disambiguating the entity type of segments in a RACF restructured database. It may override a message CKR1171, CKR1172. CKR1304, or CKR1305. This typically happens if the global SELECT and an inner CKR1174 • CKR1184 (newlist) SELECT are in fact disjoint. CKR1179 Severity: 00 CKR1174 RRSF command propagation is active on CURRENT system. Reducing maximum command size to 5000 bytes. Explanation: RRSF command propagation has a limit of 5000 bytes on the size of propagated commands. Because RRSF command propagation is active on the CURRENT system, the maximum command size is reduced from 16 kilobytes to 5000 bytes. Severity: 00 CKR1175 Unexpected minidisk user1 dev in CP directory for user2 Explanation: This message means that in a VM CKFREEZE file the CP directory had an unexpected layout. If you feel that the product should support this situation, contact IBM Software Support. Explanation: This message is issued by VERIFY NONEMPTY or VERIFY ALLNOTEMPTY to indicate that the profile is obsolete according to any of those commands. An RDELETE RACF command will be generated to remove the profile. Severity: 04 CKR1180 Unexpected minidisk user1 dev in CP directory Explanation: This message means that in a VM CKFREEZE file the CP directory had an unexpected layout. If you feel that the product should support this situation, contact IBM Software Support. Severity: 04 CKR1181 VERIFY NONEMPTY/ONVOLUME not performed on complex complex due to missing CP directory Explanation: This message means that a VM CKFREEZE file was missing, or that it did not contain CP directory information. The functions that need it will not be performed. Severity: 08 CKR1178 No VMMDISK profile protection for minidisk on volume volume user.dev Explanation: This message is issued by VERIFY PROTECTALL if no profile matches the minidisk definition in the VM CP directory and no HCPRWA information is available. No command is generated to remedy the situation; you must determine the access requirements yourself. The default action taken by VM is defined by whatever is encoded on the SYSSEC macro in the HCPRWA module. Unsupported FDE for field: FLAGS=SPECIAL Explanation: According to its Field Definition Entry, the indicated field has non-standard processing requirements. This is not supported for site-defined fields. Severity: 20 CKR1182 Severity: 08 CKR1177 Discrete VMMDISK profile but no minidisk defined profile Explanation: This message is issued by VERIFY ONVOLUME to indicate that the profile is obsolete because the minidisk does not exist anymore. An RDELETE RACF command will be generated to remove the profile. Severity: 08 CKR1176 Generic VMMDISK profile without matching minidisks profile Unsupported FDE for field: HEADER=NONE Explanation: Site-defined multi-valued bit fields are not supported. Severity: 20 CKR1183 Unsupported FDE for field: (X)VL, but not DYNAMEL Explanation: The indicated multi-valued field is defined as having entries with a variable length, but does not possess a way to indicate the actual length for each entry. Contact IBM Software Support. Severity: 20 CKR1184 Unsupported FDE for field: STATUS=PSEUDO Explanation: The only currently supported pseudo field is the UID string in a logonid record. Contact IBM Software Support. Severity: 20 Severity: 08 Chapter 5. CKR messages 225 CKR1185 • CKR1196 CKR1185 Unsupported FDE for field: length = 0 CKR1192 field does not HAVE multiple values Explanation: FDE-defined fields with a length of zero bytes in general cannot be used as a selection criterion. Their use on a SORTLIST statement or suchlike is equally futile. Explanation: The indicated field is not defined as multi-valued. However, a request was encountered for a value other than the first one. Contact IBM Software Support. Severity: 20 Severity: 24 CKR1186 Unsupported FDE for field: remote default value Explanation: Fields of which the default value is not present in the FDE proper are not supported. Severity: 20 CKR1187 Unsupported FDE for field: unsupported TYPE: type - type(hex) Explanation: The indicated field does not have one of the eight ACF2-defined data types (binary, character, packed decimal, time, bit flag, TOD stamp, hexadecimal or encrypted). Contact IBM Software Support. Severity: 20 CKR1188 Inconsistent FDE for field: TYPE=BIT, FLAGS=MULTI Explanation: A bit-flag type field, being only one bit in size, by definition cannot have multiple values. Contact IBM Software Support. Inconsistent FDE for field: FLAGS=MULTI, STATUS=PSEUDO Explanation: Multi-valued ACF2 pseudo fields are not supported. Contact IBM Software Support. Severity: 20 CKR1190 Inconsistent FDE for field: DYNAMEL, but not (X)VL Explanation: The indicated multi-valued field has a length byte for each value, even though the values have a constant length. While this may be a legal field definition, it's currently unsupported. Contact IBM Software Support. Severity: 20 CKR1191 Inconsistent FDE for field: TYPE=PACKED, LENGTH > 16 Explanation: Packed decimal fields cannot exceed 16 bytes in length. Contact IBM Software Support. Severity: 20 226 Messages Guide Inconsistent AMULTFLD for field: AMULTCUR < 0 Explanation: The indicated multi-valued field has a negative number of values. Contact IBM Software Support. To identify the record causing the error use DEBUG FIELD. For additional information about the DEBUG command, see the user reference manual for your zSecure product. Severity: 20 CKR1194 Inconsistent AMULTFLD for field: requested value # > AMULTCUR Explanation: The indicated multi-valued field does not have as many values as are requested. Contact IBM Software Support. To identify the record causing the error use DEBUG FIELD. For additional information about the DEBUG command, see the user reference manual for your zSecure product. Severity: 20 CKR1195 Severity: 20 CKR1189 CKR1193 Inconsistent AMULTFLD for field: AMULTCUR > FDEMVMAX Explanation: The indicated multi-valued field has more values defined than are allowed by its Field Definition Entry. Contact IBM Software Support. To identify the record causing the error use DEBUG FIELD. For additional information about the DEBUG command, see the user reference manual for your zSecure product. Severity: 20 CKR1196 Inconsistent AMULTFLD for field: AMULTOFF past record end Explanation: The multi-valued field header of the indicated field is present in the ACF2 database record, but the actual values are not. Contact IBM Software Support. To identify the record causing the error use DEBUG FIELD. For additional information about the DEBUG command, see the user reference manual for your zSecure product. Severity: 20 CKR1197 • CKR1204 CKR1197 field: DYNAMEL running past record end Explanation: The requested field value is not physically present in the ACF2 database record, even though the multi-valued field header indicates it should be. Contact IBM Software Support. To identify the record causing the error use DEBUG FIELD. For additional information about the DEBUG command, see the user reference manual for your zSecure product. Severity: 20 CKR1198 field: fixed MV past record end Explanation: The requested field value is not physically present in the ACF2 database record, even though the multi-valued field header indicates it should be. Contact IBM Software Support. To identify the record causing the error use DEBUG FIELD. For additional information about the DEBUG command, see the user reference manual for your zSecure product. Severity: 20 CKR1199 IMBED NODUP does not support the FILEDESC/PATH parameters Explanation: The NODUP parameter was used on the IMBED command in combination with the FILEDESC or PATH parameter. This is not supported. Severity: 12 Messages from 1200 to 1299 CKR1200 keyword invalid without ERRORMAILTO or SMTPMAILFROM or FROM or REPLYTO Explanation: The keywords MAILTO (MT) and BUNDLEMAILTO (BMT) are used to generate an e-mail message. If they are used, a valid value for at least one of the keywords mentioned is essential to create a valid SMTP header. Severity: 12 CKR1201 Fields with format outfrmt can only be modifiable once per record or detail display - name at ddname line number or name in parm string Explanation: The field name occurs twice or more on the same display, and both occurrences are modifiable. This is not allowed unless the format is CHAR or ASIS. This may apply to the record level display, or this may apply to the detail display. Either display the field only once, or add the NOMODIFY modifier to all except one of them. Severity: 12 CKR1202 Repeat group field name can only be displayed as modifiable once per detail display -name at ddname line number or name in parm string Explanation: The field name occurs twice or more on the detail display, both occurrences are modifiable, and the field is defined as a repeat group. This is not supported. Either display the field only once on the repeat group line, or add the NOMODIFY modifier to all except one of the occurrences. Severity: 12 CKR1203 BASIC or MAIN not specified on program profile program used in DATASET profile datasetprofile for ID identity Explanation: This message is issued due to a VERIFY PADS command while RACF runs in Enhanced-Warning program security mode. A program is defined on a conditional access list, and an accompanying specific profile is defined, but that profile is missing APPLDATA('MAIN') or APPLDATA('BASIC'). Because RACF runs in Enhanced-Warning mode, a commented RALTER PROGRAM APPLDATA('MAIN') command is generated. This command can be uncommented and run when you decide that the mentioned program needs to be on the conditional access list. For additional information, see VERIFY PADS in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual. Severity: 04 CKR1204 No specific program profile found for program program used in DATASET profile datasetprofile for ID identity Explanation: This message is issued due to a VERIFY PADS command while RACF runs in Enhanced-Warning program security mode. A program is defined on a conditional access list and no corresponding specific program profile is found but a non-specific program profile is. Because RACF runs in Enhanced-Warning mode, commented commands for copying the non-specific profile to a specific one and adding APPLDATA('MAIN') are generated. These commands can be uncommented and run when you decide that the mentioned program needs to be on the conditional access list. For additional information, see VERIFY PADS in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual. Chapter 5. CKR messages 227 CKR1205 • CKR1212 Severity: 04 CKR1205 CKR1209 No non-specific profile found for program profile program used in DATASET profile volser datasetprofile for ID identity Explanation: This message is issued due to a VERIFY PADS command while RACF runs in Enhanced-Warning program security mode. A program is defined on a conditional access list, but no matching program profile exists. To solve the error condition, a command is generated to remove the WHEN-clause. Severity: 04 BASIC or MAIN not specified on program profile program used in generic DATASET profile datasetprofile for ID identity Explanation: This message is issued due to a VERIFY PADS command while RACF runs in Enhanced program security mode. A program is defined on a conditional access list and a accompanying specific program profile is defined, but that program profile does not have APPLDATA('MAIN') or APPLDATA('BASIC') defined. To solve the error condition, a command is generated to remove the WHEN-clause. Severity: 04 CKR1206 No non-specific profile found for program profile program used in generic DATASET profile datasetprofile for ID identity Explanation: This message is issued due to a VERIFY PADS command while RACF runs in Enhanced-Warning program security mode. A program is defined on a conditional access list, but no matching program profile exists. To solve the error condition, a command is generated to remove the WHEN-clause. Severity: 04 CKR1207 No non-specific profile found for program profile program used in DATASET profile datasetprofile for ID identity Explanation: This message is issued due to a VERIFY PADS command while RACF runs in Enhanced-Warning program security mode. A program is defined on a conditional access list, but no matching program profile exists. To solve the error condition, a command is generated to remove the WHEN-clause. Severity: 04 CKR1208 BASIC or MAIN not specified on program profile program used in DATASET profile volser datasetprofile for ID identity Explanation: This message is issued due to a VERIFY PADS command while RACF runs in Enhanced program security mode. A program is defined on a conditional access list and an accompanying specific program profile is defined, but that program profile does not have APPLDATA('MAIN') or APPLDATA('BASIC') defined. To solve the error condition, a command is generated to remove the WHEN-clause. Severity: 04 228 Messages Guide CKR1210 BASIC or MAIN not specified on program profile program used in DATASET profile datasetprofile for ID identity Explanation: This message is issued due to a VERIFY PADS command while RACF runs in Enhanced program security mode. A program is defined on a conditional access list and a accompanying specific program profile is defined, but that program profile does not have APPLDATA('MAIN') or APPLDATA('BASIC') defined. To solve the error condition, a command is generated to remove the WHEN-clause. Severity: 04 CKR1211 No specific program profile found for program program used in DATASET profile volser datasetprofile for ID identity Explanation: This message is issued due to a VERIFY PADS command while RACF runs in Enhanced program security mode. A program is defined on a conditional access list and a accompanying specific program profile is defined, but that program profile does not have APPLDATA('MAIN') or APPLDATA('BASIC') defined. To solve the error condition, a command is generated to remove the WHEN-clause. Severity: 04 CKR1212 No specific program profile found for program program used in generic DATASET profile datasetprofile for ID identity Explanation: This message is issued due to a VERIFY PADS command while RACF runs in Enhanced program security mode. A program is defined on a conditional access list and a accompanying specific program profile is defined, but that program profile does not have APPLDATA('MAIN') or APPLDATA('BASIC') defined. CKR1213 • CKR1219 To solve the error condition, a command is generated to remove the WHEN-clause. Severity: 04 CKR1213 No specific program profile found for program program used in DATASET profile datasetprofile for ID identity Explanation: This message is issued due to a VERIFY PADS command while RACF runs in Enhanced program security mode. A program is defined on a conditional access list and a accompanying specific program profile is defined, but that program profile does not have APPLDATA('MAIN') or APPLDATA('BASIC') defined. To solve the error condition, a command is generated to remove the WHEN-clause. Severity: 04 CKR1214 WTO failed RC=rc (dec) newlist at ddname line number Explanation: This message indicates that an error occurred while issuing a write-to-operator message (WTO) for the newlist mentioned. This message will be followed by the WTO in question. Severity: 0 4 CKR1219 SNMP trap failed msg newlist at ddname line number Explanation: The sending of an SNMP trap for newlist failed. The sending routine reported msg. Possible messages and their reasons are: Table 4. CKR1219 messages Message Explanation missing specific type The first line of the CARLa (sort)list for sending an SNMP trap did not start with an integer indicating the specific type of the trap. unknown variable(s): variable1, variable2, ... Some strings were not recognized as variables, possibly due to typos in the CARLa (sort)list. total length of variables is too large, even after trimming each variable to 1023 characters Even though the contents of each variable did not exceed 1023 characters, the total size of the variable strings and their contents exceeded the maximum of 32000 bytes. SnmpEnc failed It was not possible to encode the SNMP trap; there may be a semicolon in the community string or the enterprise string may be incorrectly formatted. IBM-1047 to ISO8859-1 conversion failed: not enough memory EBCDIC to ASCII conversion failed due to memory shortage. Cannot open converter from IBM-1047 to ISO8859-1 EBCDIC to ASCII conversion was not supported. Contact IBM Software Support. socket error: rc return code (hex), reason reason code (hex); error message string A socket could not be created; details can be found in the UNIX System Services Messages and Codes manual. PIPE is only valid on PATH/FILEDESC at ddname line number Explanation: A PIPE specification is only useful on a PATH or FILEDESC allocation. Either remove PIPE or change to a PATH or FILEDESC allocation. Severity: 12 CKR1215 CKR1218 GETPROC is only valid on TYPE=SMF, TYPE=ACCESS, or <deftype> - at ddname line number Explanation: GETPROC is invalid for input types other than SMF, ACCESS, or those defined with the DEFTYPE command. Additionally, the GETPROC parameter is only intended for internal IBM Security zSecure use. Severity: 12 CKR1216 WTO/SNMP/SYSLOG/CMD are mutually exclusive - at ddname line number Explanation: You can only specify ONE special delivery type (that is, CMD, SNMP, SYSLOG, or WTO) on a newlist. Severity: 12 CKR1217 PL/LL mutually exclusive with WTO/SNMP/SYSLOG/CMD/XML - at ddname line number Explanation: SNMP, WTO, SYSLOG, CMD, and XML imply a specific line and pagelength. These values are not available for modification. Severity: 12 Chapter 5. CKR messages 229 CKR1220 • CKR1226 Table 4. CKR1219 messages (continued) Message Explanation sendto error: rc return code Data could not be sent on (hex), reason reason code a socket; details can be (hex); error message string found in the UNIX System Services Messages and Codes manual. usage: <specific> -c <community> -g <generic> -e <enterprise> The syntax of the line with the specific trap was incorrect; the line should start with an integer which specifies the specific-trap field; it is optionally followed by '-c community', '-g generic' (where generic is an integer which specifies the generic-trap field), and '-e enterprise' (where enterprise is a dot separated list of integers) (DNS), or the SNMP destination temporarily not in (Dynamic) DNS. Severity: 04 CKR1222 Explanation: The indicated field cannot be used as a security database lookup field in a SELECT clause. Lookups in a SELECT clause are restricted to: (ANY)SUPGROUP/OWNER/DFLTGRP. User response: Change the SELECT clause in the statement to specify only keywords from this group or refer to a newlist type other than the default (RACF). Severity: 12 CKR1223 The specific-trap field is not an integer <generic> must be an integer The generic-trap field is not an integer Severity: 12 Call to C routine CKRTRAP failed The routine CKRTRAP could not be called. This is probably the result of a missing or incorrectly established LE environment. Verify that ALLOC NOLE has not been specified for this run. CKR1224 CKR1220 GETHOSTNAME rc rc (dec), errno errno (hex) Explanation: The GETHOSTNAME call failed. This can result in invalid SMTP HELO statements and SNMP traps. This can be caused (amongst other reasons) by missing TCP/IP resolver data, or no capability to perform UNIX calls (for example, no UID provided). Severity: 08 CKR1221 Incomplete mailbox specification token at ddname line line Explanation: An error was encountered in the mailbox specification before the token specified. For information about address specification, refer to the RFC 2822 syntax documented in the user reference manual for your zSecure product. If an E-mail address list is in use, the ddname can be of the form Rxxxxxxx, where xxxxxxx is a decimal number. In this case it refers to the record number within the E-mail address list you are using. To find the <deftype> used, you can refer to the last message CKR1088 shown before this message. Severity: 12 CKR1225 E-mail name at ddname line number sent to address, subject: subject Explanation: This is an informational message indicating that an e-mail message has been generated as requested for newlist name, from the given input location. It was sent to address, with the subject shown. Severity: 00 Could not resolve snmp-destination rc rc newlist newlist at ddname line line Explanation: The snmp-destination as specified on the SNMPTO keyword of the newlist specified could not be resolved to an IP address. No SNMP traps will be sent to this destination. This could be the result of an erroneous specification, incorrectly configured TCPIP, temporary unavailability of the Domain Name Server 230 CLEANUP and NOCLEANUP are mutually exclusive before token at ddname line number Explanation: The keywords CLEANUP and NOCLEANUP of the ALLOCATE command are mutually exclusive. <specific> must be an integer Severity: 04 field lookup not supported on select - at ddname line number Messages Guide CKR1226 ALLOC TYPE=esm ACTIVE is invalid on a non-esm system - at ddname line number Explanation: An allocation request for the active security database for External Security Manager esm was received. That ESM is not active on this system, so the allocation cannot be done. CKR1227 • CKR1235 Severity: 12 CKR1227 CKR1231 Sent SNMP trap to nr recipients, including IPaddress port port newlist at ddname line number Explanation: This message is issued to inform you that an SNMP trap was sent for newlist. Severity: 00 CKR1228 Field "SYSTEM" required in NEWLIST TYPE=deftype for format format - time zone omitted for fieldaddr fieldname at ddname line number Missing domain in mailbox address token at ddname line line Explanation: No domain was found in the mailbox specification before the token specified. For information about address specification, refer to the RFC 2822 syntax documented in the user reference manual for your zSecure product. If an E-mail address list is in use, the ddname can be of the form Rxxxxxxx, where xxxxxxx is a decimal number. In this case it refers to the record number within the E-mail address list you are using. To find the <deftype> used, you can refer to the last message CKR1088 shown before this message. Severity: 12 Explanation: The DATETIMEZONE, SMFTIMESTAMPZONE, and XSD_DATETIME formats need a system to determine which time zone to use. For a DEFTYPE newlist you should DEFINE a field SYSTEM yielding the SMFid of the system to use. For additional information about the date and time formats, see the LIST command - Format names documentation in the user reference manual for your zSecure product. CKR1232 Severity: 04 If this NEWLIST is part of a MERGELIST, the ENDMERGE will be followed by message CKR2338 if both of the following conditions are true: CKR1229 Format format not supported on SUMMARY/BUNDLEBY - time zone omitted for fieldaddr fieldname at ddname line number Explanation: This message indicates that a NEWLIST was suppressed because of the FIRST_PER_NAME option. The message identifies the NEWLIST with this name that is being used instead. v The NEWLIST that was suppressed is the first NEWLIST in the MERGELIST. v The output command used is DISPLAY or SORTLIST. Explanation: The system corresponding to each record determines the time zone used for the DATETIMEZONE and SMFTIMESTAMPZONE formats. For a SUMMARY, this value is ambiguous. For additional information about the DATETIMEZONE and SMFTIMESTAMPZONE formats, see the LIST command - format names documentation in the user reference manual for your zSecure product. Severity: 00 Severity: 04 Severity: 20 CKR1230 Missing local part of mailbox address token at ddname line line Explanation: No local part (username) was found in the mailbox specification before the token specified. For information about address specification, refer to the RFC 2822 syntax documented in the user reference manual for your zSecure product. If an E-mail address list is in use, the ddname can be of the form Rxxxxxxx, where xxxxxxx is a decimal number. In this case it refers to the record number within the E-mail address list you are using. To find the <deftype> used, you can refer to the last message CKR1088 shown before this message. Suppressing NEWLIST NAME=name at ddname line number, using the one at ddname2 line number CKR1233 C2ARULE: record key corrupted: invalid trailer offset Explanation: The indicated access rule record has an unexpected layout. It is probably corrupted. Contact IBM Software Support. CKR1234 Record key has an invalid trailer offset Explanation: The indicated resource rule record has an unexpected layout. It is probably corrupted. Contact IBM Software Support. Severity: 20 CKR1235 Start of interval number at time Explanation: This message indicates that a new pass of processing has started after receiving a soft end-of-file condition. Severity: 00 Severity: 12 Chapter 5. CKR messages 231 CKR1236 • CKR1245 CKR1236 MAILFONTSIZE must be in range 1..7 Explanation: MAILFONTSIZE should be a number in the range 1 to 7, corresponding to 8, 10, 12, 14, 18, 24, and 26 point size if the browser default font is set at 12 point (the user may change that). CKR1241 SNMP is not supported under VM Explanation: There is no support yet for issuing SNMP traps under VM. If this is a problem for your installation, contact IBM Software Support. Severity: 12 Severity: 12 CKR1242 CKR1237 WTO/SNMP/SYSLOG/CMD are mutually exclusive with e-mail - at ddname line number Explanation: You can only specify ONE special delivery type (that is, e-mail, CMD, SYSLOG, SNMP, or WTO) on a newlist. Hexadecimal string cannot be longer than 255 Explanation: The input contained a string that was supposed to be converted from text to hexadecimal, and that string was longer than 255 bytes. This is not supported. Severity: 12 Severity: 12 CKR1243 CKR1238 Allocation of C2REMAIL failed. Writer: "writer" Class: "class" NJENode: "node" Explanation: An error occurred during the allocation of the C2REMAIL DD. Check whether the values of the SMTPWRITER, SMTPCLASS and SMTPNJENODE parameters are valid. Severity: 16 CKR1239 WTO issued newlist at ddname line number Explanation: This message indicates that a WTO was successfully issued for the newlist mentioned. This message will be followed by the WTO in question. Newlist [name=name] type=type at ddname line number did not contain a resolved SNMP destination - suppressed Explanation: The output for the specified newlist was supposed to be sent to an SNMP or SYSLOG destination. However, the specified destination cannot be reached. The newlist output has been suppressed. If the redirected output was sent to the default system file, you can find the newlist information in that file. The default for SNMP is C2RSNMP; the default for SYSLOG is C2RSYSLG. To facilitate output testing, if SNMPTOFILE or SYSLOGTOFILE was also specified, the newlist will not be suppressed. User response: In the program that generated the newlist output, update the SYSLOGTO= or SNMPLOGTO= parameter to specify a valid IP address that the system can access. If you have specified a valid address, check with your system administrator to find out why the destination cannot be reached. Severity: 00 232 Explanation: No phrase used in an e-mail address specification can exceed 512 characters. The erroneous phrase was encountered before the token specified. For information about address specification, refer to the RFC 2822 syntax documented in the user reference manual for your zSecure product. If an e-mail destination file is in use, the ddname can be of the form Rxxxxxxx, where xxxxxxx is a decimal number. In this case it refers to the record number within the e-mail destination file you are using. To find the <deftype> used, you can refer to the last message CKR1088 shown before this message. Severity: 12 Severity: 00 CKR1240 Phrase in mailbox address cannot be longer than 512 characters token at ddname line number Messages Guide CKR1244 OUTPUTFORMAT=outputformat is only valid in combination with MAILTO - at ddname line number Explanation: The output format outputformat is only supported for e-mailed newlists. Change or remove the OUTPUTFORMAT specification, or supply the correct e-mail parameters. Severity: 12 CKR1245 Implicit lookup from type type to (field field) is not supported at ddname line number Explanation: Object type lookup to the security database is not supported from the indicated newlist type. The list of supported source types is REPORT_SCOPE, SMF, RACF, TRUSTED. Severity: 12 CKR1246 • CKR1252 CKR1246 mailoption is not valid on the individual NEWLIST level within a BUNDLE at ddname line number Explanation: The NEWLISTs in the BUNDLE are treated as a whole. Specify the mailoption on the BUNDLE statement or an OPTION statement preceding the BUNDLE instead. Severity: 12 CKR1247 mailto is not valid within a BUNDLE at ddname line number Explanation: BUNDLE does not support MAILTO use BUNDLEMAILTO instead. v Partitioned data set does not exist on any volume any system dsname v Volume is not mounted on system syst volser v VTOC is not readable on system syst volser v Data set does not exist on system syst volser dsname v Data set is not partitioned on system syst volser dsname If a CKRCMD file is allocated for the complex, an RALTER DELMEM command is generated to remove the obsolete member from the profile. Severity: 04 CKR1251 Severity: 12 CKR1248 Deprecated syntax "(HOR[,len])" is equivalent to "HOR([len]),0)" Explanation: This message is issued when a first HORIZONTAL modifier is detected for a field or defined variable, and the specification uses old syntax, and is not accompanied by WRAP or an explicit length 0. See the LIST command - Repeated format modifiers documentation in the user reference manual for your zSecure product. Severity: 00 CKR1249 Explanation: This message is issued by the VERIFY PROGRAM function for a volume-unspecific PROGRAM member because there does not appear to be any volume on any system in the complex where the indicated data set name resolves to an actually existing partitioned data set. The message is followed by one or more Reason lines with one of the following detail explanations: v Not all VTOCs in CKFREEZE to search for data set without volser dsname v Mig. catlg not in CKFREEZE to check data set any system dsname Deprecated syntax "(HOR[,len2])" evaluates to "HOR(len1))" here variablename defined at ddname line num Explanation: This message is issued when a second HORIZONTAL modifier is detected for a defined variable. That is, there was already a HORIZONTAL modifier on the preceding DEFINE statement, and the specification uses old syntax, is either not accompanied by an explicit length 0 or a nonzero column length is implied, and WRAP has not been specified (either on the DEFINE or as a local override). For more detailed information about the HORIZONTAL modifier, see the LIST command - Repeated field format modifiers in the user reference manual for your zSecure product. Note that the equivalent expression depends on the DEFINE statement for the variable! Severity: 00 CKR1250 PROGRAM dsn may be obsolete but info is missing complex program - dsname Reason PROGRAM data set name is obsolete complex program - dsname Reason Explanation: This message is issued by the VERIFY PROGRAM function for a volume-unspecific PROGRAM member because there is no volume on any system in the complex where the indicated data set name resolves to an actually existing partitioned data set. The message is followed by one or more Reason lines with one of the following detail explanations: See VERIFY PROGRAM in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual for more information about missing VTOCs, and missing migration catalogs. If a CKRCMD file is allocated for the complex, a commented-out RALTER DELMEM command is generated to remove the obsolete member from the profile. Severity: 04 CKR1252 PROGRAM IPL volume entry dsn/****** obsolete complex program - ****** dsname Reason Explanation: This message is issued by the VERIFY PROGRAM function because there is no system in the complex where the indicated data set name resolves to a partitioned data set actually existing on the IPL volume. For each system a Reason line follows with one of the following detail explanations: v Data set not on IPL volume of system syst volser dsname v Data set is not partitioned on IPL volume of syst volser dsname If a CKRCMD file is allocated for the complex, an RALTER DELMEM command is generated to remove the obsolete member from the profile. Chapter 5. CKR messages 233 CKR1253 • CKR1257 Severity: 04 CKR1253 PROGRAM IPL vol entry dsn/****** appears obsolete complex program - ****** dsname Reason Explanation: This message is issued by the VERIFY PROGRAM function because there appears to be no system in the complex where the indicated data set name resolves to a partitioned data set actually existing on the IPL volume, but one or more error conditions were detected. For each system a Reason line follows with one of the following detail explanations: v IPL volume appears unmounted on system syst volser v VTOC appears unreadable for IPL volume of syst volser v Data set not on IPL volume of system syst volser dsname v Data set is not partitioned on IPL volume of syst volser dsname If a CKRCMD file is allocated for the complex, a commented-out RALTER DELMEM command is generated to remove the obsolete member from the profile. Severity: 04 CKR1254 PROGRAM dsn/****** unused but info missing complex program - ****** dsname Reason Explanation: The message is issued by the VERIFY PROGRAM function because there appears to be no system in the complex where the indicated data set name resolves to a partitioned data set actually existing on the IPL volume, and no error conditions were detected. For each system a Reason line follows with one of the following detail explanations: v IPL volume appears unmounted on system syst volser v VTOC appears unreadable for IPL volume of syst volser v VTOC not present in CKFREEZE for IPL volume syst volser commented-out RALTER DELMEM command is generated to remove the obsolete member from the profile. Severity: 04 CKR1255 Explanation: The message is issued by the VERIFY PROGRAM function because there appears to be no system in the complex where the indicated data set name resolves to an actually existing partitioned data set on the indicated volume. For each system a Reason line follows with one of the following detail explanations: v Volume is not mounted on system syst volser v VTOC is not readable on system syst volser v VTOC is not present in CKFREEZE syst volser v Mig. catlg not in CKFREEZE to check data set syst volser dsname v Data set does not exist on volume of syst volser dsname v Data set is not partitioned on volume of syst volser dsname If you are using zSecure for RACF, see VERIFY PGMEXIST in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual for more information about missing VTOCs, and missing migration catalogs. If a CKRCMD file is allocated for the complex, a commented-out RALTER DELMEM command is generated to remove the obsolete member from the profile. Severity: 04 CKR1256 Severity: 08 v Data set not on IPL volume of system syst volser dsname CKR1257 v Data set is not partitioned on IPL volume of syst volser dsname 234 Messages Guide Started Procedure Table truncated number1 entries declared, number2 read system system complex complex Explanation: The image of the Started Procedure Table in the CKFREEZE for the indicated system is incomplete. As a result, less output will be produced by NEWLIST TYPE=SPT (for example, AU.S RACF control - STCTABLE). v Mig. catlg not in CKFREEZE to check data set syst volser dsname If you are using zSecure for RACF, see VERIFY PGMEXIST in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual for more information about missing VTOCs, and missing migration catalogs. If a CKRCMD file is allocated for the complex, a PROGRAM dsn/vol obsolete, but missing information complex program volser dsname Reason Started Procedure Table truncated number1 entries declared, number2 read system system complex complex [version] Explanation: The image of the Started Procedure Table in the CKFREEZE for the indicated system is incomplete. As a result, less output will be produced by REPORT STC, and VERIFY STC results may be incorrect. Severity: 08 CKR1258 • CKR1266 CKR1258 Effective record length 0 at CKFREEZE record <yyyy> of <ddname> <vol> <dsn> Explanation: This message indicates that a CKFREEZE file contained an invalid record with effective length 0. This usually has one of two causes. Either the file is not a CKFREEZE file at all, or it has been transported or decompressed by a utility that does not have proper support for LRECL=X,RECFM=VBS files. In that case, information will be missing. We suggest you try to analyze the original file on the system where it was originally created and verify that the message does not occur there. In that case, a utility is the culprit. If this message occurs on a file created by a successful zSecure Collect run without any utility touching the file before it was analyzed, then contact IBM Software Support. The message is suppressible, but be aware that information is probably missing and may result in invalid reports or internal error messages. Severity: 12 CKR1263 Explanation: The indicated field has a format for which modify is not supported in a concatenation. The field occurs in a concatenation on a record or summary display level. To restore the ability to modify the field, take it out of the concatenation. To avoid the message, add an explicit NOMODIFY modifier to the field. Severity: 00 CKR1264 Severity: 16 CKR1259 UNLOAD not valid for NEWLIST TYPE=type Explanation: The UNLOAD statement is not supported for this NEWLIST type. For NEWLIST types defined with DEFTYPE, you can use LIST RECORD instead. Severity: 12 CKR1260 Explanation: The specified word is not recognized here. A decimal number or NO (without quotes) should have been specified. Severity: 12 CKR1261 CKRPRTFL: Value length longlength in recordaddr truncated to 65535 for format outputformat for fieldaddr fieldname at ddname line number Explanation: The indicated output format does not support input lengths above 65535. A value with the indicated long length for the indicated field in the indicated record was truncated to that length before calling the output format routine. The resulting output may differ from what was expected. Severity: 08 CKR1262 The value "None" is mutually exclusive with other Reason values - before token at ddname line num Explanation: The value NONE for a SELECT of a RACF reason field was used in a list with other RACF reason values. This is not allowed. Use an explicit OR instead. fieldaddr fieldname made nonmodifiable in concatenation on detail display with format outputformat at ddname line number Explanation: The indicated field has a format for which modify is not supported in a concatenation. The field occurs in a concatenation on a detail display level. To restore the ability to modify the field, take it out of the concatenation. To avoid the message, add an explicit NOMODIFY modifier to the field. Severity: 00 CKR1265 Expected NO or decimal number instead of word fieldaddr fieldname made nonmodifiable in concatenation on display level with format outputformat at ddname line number fieldaddr fieldname made nonmodifiable in concatenation on detail display with WRAP at ddname line number Explanation: The indicated field has a WRAP or WORDWRAP modifier, so that modify is not supported in a concatenation. The field occurs in a concatenation on a detail display level. To restore the ability to modify the field, take it out of the concatenation. To avoid the message, add an explicit NOMODIFY modifier to the field. Severity: 00 CKR1266 Scattered field fieldaddr2 fieldname2 concatenation fieldaddr1 fieldname1 made nonmodifiable on display level at ddname line number Explanation: The indicated field2 that is part of the concatenation started with the indicated field1 occurs multiple times on the record or summary display level in a modifiable capacity. This is an unsupported combination. As a result the entire concatenation is made nonmodifiable. To restore the ability to modify this field within the concatenation, add a NOMODIFY modifier to the other instances on the same display level. To restore the ability to modify the rest of the concatenation, add a NOMODIFY modifier to field2. Severity: 00 Chapter 5. CKR messages 235 CKR1267 • CKR1276 CKR1267 Scattered field fieldaddr2 fieldname2 concatenation fieldaddr1 fieldname1 made nonmodifiable on detail display at ddname line number Explanation: The indicated field2 that is part of the concatenation started with the indicated field1 occurs multiple times on the detail display level in a modifiable capacity. This is an unsupported combination. As a result the entire concatenation is made nonmodifiable. To restore the ability to modify this field within the concatenation, add a NOMODIFY modifier to the other instances on the same display level. To restore the ability to modify the rest of the concatenation, add a NOMODIFY modifier to field2. Severity: 00 CKR1268 Modifiers DETAIL, NODETAIL and BOTH are mutually exclusive - field fieldname at ddname line number Explanation: These modifiers each control the display level a field or literal in a DISPLAY statement should appear on, and cannot be combined. Severity: 12 CKR1269 Modifier modifier2 overrides modifier modifier1 - definedvariable at ddname line number Explanation: The indicated modifier1 was specified on the indicated DEFINE statement. The definedvariable is used with modifier2 here, which overrides this default. The two attributes are not combined. Severity: 00 CKR1270 Lookup from detail field fieldname1 to overview is not supported for fieldname2 at ddname line number Explanation: Base field field1 requires special processing, which is only done when the detail level is generated. Since the base values will not be available when the overview level is generated, this lookup is not supported. To get the lookup on the overview without its base field, insert a new occurrence of field1 before the one on the detail level into the DISPLAY statement with a NONDISPL modifier. Severity: 12 CKR1271 CUA attribute attribute2 overrides CUA attribute attribute1 - definedvariable at ddname line number Explanation: The indicated attribute1 was specified on the indicated DEFINE statement. The definedvariable is used with attribute2 here, which overrides this default. The two attributes are not combined. 236 Messages Guide Severity: 00 CKR1272 Unexpected CSRSI return code xxxxxxxx Explanation: This message indicates that the CSRSI service returned an unexpected return code. As a result, no CPU model detail information can be shown for the live system. Severity: 00 CKR1273 Field name flag value must be UPPER or ASIS - "value" at ddname line number Explanation: This message indicates that for field name only the values UPPER and ASIS can be specified on the select statement. Severity: 12 CKR1274 Field field value must be DISALLOWED or ALLOWED - "value" at ddname line number Explanation: This message indicates that for field (CDTGEN (alias CLASS_GENERIC_ALLOWED) or CDTGENL (alias CLASS_GENLIST_ALLOWED)) only the values DISALLOWED (alias NO or OFF) and ALLOWED (alias YES or ON) can be specified on the select statement. Severity: 12 CKR1275 MACCHECK value must be NORMAL, REVERSE, or EQUAL - "value" at ddname line number Explanation: This message indicates that for field CDTMAC only the values NORMAL, REVERSE, or EQUAL can be specified on the select statement. Severity: 12 CKR1276 Selection in restricted mode is not allowed with type clause at ddname line number Explanation: When the program is running in restricted or PADS mode, selection with the indicated type of clause is not allowed. The program is running in restricted mode either because of a reason shown in a CKR0031 message or because SIMULATE RESTRICT was specified. This condition is considered a syntax error (severity 12). If an ALLOWRESTRICT modifier explicitly indicates that the query must be executed anyway, this message is issued as a warning (severity 4) to remind you that the indicated field is treated as missing. See also CKR0170. Severity: 04 or 12 CKR1277 • CKR1288 CKR1277 Implicit lookup to type type1 not supported from type type2 at ddname line number Explanation: Object attribute lookup is not supported for this combination of newlist types. (implicit) object property lookup. The only types allowed are BOOLEAN, AS, and TRUE. Severity: 12 CKR1283 Severity: 12 CKR1278 Explicit lookup to type type1 not supported from type type2 through field field at ddname line number Explanation: Id lookup to the specified type type1 is not supported from type type2. If you are using zSecure for RACF, the only target type allowed is RACF. If you are using zSecure for ACF2, this is actually a lookup to ACF2_LID information for an ACF2 security database. Severity: 12 Expecting lookup field before token at ddname line number Explanation: This message indicates that a lookup specification was expected but the field name encountered was blank or missing. Severity: 12 CKR1284 Filter comparison only allowed with =, <>, and ^= before name at ddname line number Explanation: A field can only be compared with a filter using a =, <>, or ^= operator. Severity: 12 CKR1279 The BESTMATCH parameter can only be used in a newlist context at ddname line number Explanation: The BESTMATCH parameter was used on a global select, i.e. before the first NEWLIST statement. This is not supported. Move the select statement to the correct NEWLIST TYPE=RACF. Severity: 12 CKR1280 Duplicate user userid in connect list of group groupid complex complex version Explanation: The USERID field of the indicated GROUP profile contains the indicated user ID more than once. This is an anomaly in the RACF database. RACF will only use the first connect entry, and zSecure will show only the entry RACF uses. However, during selection both connect entries are considered, which may result in unexpected output. No support is present to remove the condition. CKR1285 Column width width insufficient for DUMP(n), width2 required - field fieldname at ddname line number Explanation: DUMP(n) formatting requires room for dump offset, separators and at least one full word. For additional information about the DUMP format, see the LIST command - Format names documentation in the user reference manual for your zSecure product. Severity: 12 CKR1286 Scope-filtered repeat group field field cannot be used as lookup key at ddname line number Explanation: This message indicates that a repeat group field that needs entry-level scope processing is not supported as a lookup key. Severity: 12 Severity: 04 CKR1287 CKR1281 Defined variable variable (type=type) is not boolean/as/true, may not be used as lookup target at ddname line number Explanation: This message indicates that a variable of an improper type was used as a lookup target for an (explicit) ID lookup. The only types allowed are BOOLEAN, AS, and TRUE. RACLIST value must be ALLOWED, REQUIRED, or DISALLOWED - "value" at ddname line number Explanation: This message indicates that for field CDTRACL only the values ALLOWED, REQUIRED, and DISALLOWED can be specified on the select statement. Severity: 12 Severity: 12 CKR1288 CKR1282 Defined variable variable (type=type) is not boolean/as/true, may not be used as lookup target at ddname line number Explanation: This message indicates that a variable of an improper type was used as a lookup target for an UACC value must be ALTER, CONTROL, UPDATE, READ, ACEE, or NONE - "value" at ddname line number Explanation: This message indicates that for field CDTUACC only the values ALTER, CONTROL, Chapter 5. CKR messages 237 CKR1289 • CKR1297 UPDATE, READ, ACEE, and NONE can be specified on the select statement. CKR1293 Severity: 12 CKR1289 No DDname number 00-99 left for <dsn or path> Explanation: This message indicates that the maximum supported number of automatic allocations for a specific file type (DD name prefix) has been reached. Reduce the number of file sets in SE.1 or manually create additional ALLOC statements with your own DDnames for the additional files needed. Explanation: The CERTIFICATE_TRUSTED field can only have one of the following values: NOTRUST (or No), TRUST (or TRUSTED or Yes) and HIGHTRUST (or HIGH or Hi). Specify a valid value on the select statement. Severity: 12 CKR1294 Severity: 12 CKR1290 No entry with address less than or equal to address found in the NUCMAP Explanation: The program searched for a module with address address in the nucleus map, but couldn't locate it. If you receive this message but are unsure about the reason you should contact IBM Software Support. CERTIFICATE_TRUSTED value must be NOTRUST/No, TRUST/Yes, or HIGHTRUST/Hi - "value" at ddname line number Allocation failure for ddname dsname [for alias dsname] Explanation: Dynamic allocation failed for the indicated data set. Diagnostic information regarding the precise cause of failure will be present in a preceding message from DAIRFAIL. Processing is aborted. Severity: 16 CKR1295 Severity: 20 CKAOUNIX.CKATSEC: No memory left to build TSEC ACLs Explanation: The indicated seclabel is defined twice. This is an anomaly in the RACF database. Only the first profile will be used in the program, and no support is present to remove the condition. Explanation: There appears to be a memory shortage--try increasing the REGION size or limiting the query. As a result, UNIX processing cannot determine access to the various SECLABELs. In TYPE=UNIX newlists the HOME_OF, AUDITCONCERN and AUDITPRIORITY fields may show incorrect or incomplete output. In TYPE=TRUSTED, some concerns may not be reported. Severity: 20 Severity: 08 CKR1291 CKR1292 Duplicate SECLABEL profile seclabel complex complex version RACSTAT unexpected RC. CLASS='class' SAF RC=safrc RACF RC=racfrc RSNCODE=rsn Explanation: While retrieving the dynamic class descriptor table from the system using RACROUTE REQUEST=STAT calls, the program received a return code indicating an error. zSecure Audit will stop processing the dynamic CDT. To determine the cause of the error, you can look up the return codes in the Security Server RACF RACROUTE Macro Reference . Note that if the error occurs halfway through processing the CDT (class will be other than all blanks) zSecure Audit will continue using the partial CDT. If the error happens before any class setting is returned (which is more probable) zSecure Audit falls back to using the static CDT. This message is suppressible. Severity: 16 CKR1296 Explanation: This message indicates that an allocation was done for an TYPE=CKFREEZE file, but the content of he data set does not conform to a CKFREEZE layout, nor is it an unload. Severity: 16 CKR1297 Messages Guide UNLOAD allocated as CKFREEZE file ddname volume dsn Explanation: This message indicates that an allocation was done for a TYPE=CKFREEZE file, but the content of the data set proves that it is actually a TYPE=UNLOAD data set. Probably some lines were interchanged in CARLa, in the JCL, or in the set of input files in SE.1. Severity: 16 238 Not a CKFREEZE file - ddname volume dsn CKR1298 • CKR1305 CKR1298 SORTLIST/DISPLAY invisible because of NONDISPL on summary key(s) at ddname line number Explanation: This message indicates that one of the summary levels had only non-displayable summary keys, which is interpreted as a request to suppress output for this and all lower summary levels. Since the output for SORTLIST/DISPLAY hierarchically comes below the lowest summary level, this would also be suppressed. So the SORTLIST/DISPLAY request cannot be honored. Either delete the SORTLIST/DISPLAY statement, or remove the NONDISPL indicator from a summary key. CKR1299 Duplicate group groupid in connect list of user userid Explanation: The CGGRPNM field of the indicated USER profile contains the indicated group ID more than once. This is an anomaly in the RACF database. RACF will only use the first connect entry, and zSecure will show only the entry RACF uses. However, during selection both connect entries are considered, which may result in unexpected output. No support is present to remove the condition. Severity: 04 Severity: 12 Messages from 1300 to 1399 CKR1300 Unexpected index entry id hexid ddname rel blk blknum offset hexnum table hexnum lvl level Explanation: An unexpected kind of entry with an unsupported ID was found in the RACF database index. Adding a SUPPRESS INDEX command to your CARLa stream may circumvent this problem. From within the ISPF interface you can specify this under SETUP PREAMBLE. If the RACF utility IRRUT200 does not warn of inconsistencies or errors, contact IBM Software Support. If it does report inconsistencies, reorganize your RACF database with IRRUT400. Invalid active segment table for source sourcename Explanation: When processing a record containing an image of the in-storage RACF database templates, an unexpected condition was encountered. If source equals system, the record came from a CKFREEZE, otherwise it came from an UNLOAD. The program will obtain templates from another source, if necessary, but these will not necessarily be completely up to date. Severity: 04 CKR1302 Severity: 00 CKR1303 Severity: 16 CKR1301 indicating the templates were taken from an UNLOAD). In either case, template level will indicate RACF release level and the APAR level that last changed the templates, followed by their numerical equivalents if that information is available. The message will also indicate whether the incore templates are equal to the database templates. Since the incore templates will only be used if they're more recent than the ones in the database, the message will generally say (different from DB). Complex complex uses template type templates of source sourcename template level template level comparison Explanation: This message states which templates will be used to process the RACF database of the indicated complex. If template type equals database, source and sourcename will equal complex and complex, respectively. In this case, the message will not give any details on the template level; that information is available in the preceding CKR0004 for this complex. If template type equals incore, source can be either system (indicating the templates were taken from either the live settings or a CKFREEZE) or complex (generally Too many id lookup fields, limit is around 8000 Explanation: This message indicates that there are too many lookup fields to be stored for users or groups. For character fields, the limit is around 8000. Reduce the number of define statements used as a lookup target. Severity: 12 CKR1304 Request storing for segment typing due to newlist exclude Explanation: This message is triggered by DEBUG SEGMENT if all users and groups will be stored to help disambiguating the entity type of segments in a RACF restructured database. This specific message is given if the SELECT statement itself does not need to disambiguate an entity type, but does include both USER and GROUP, and a field used in the EXCLUDE statement does need it. Severity: 00 CKR1305 Request storing for segment typing due to where clause Explanation: This message is triggered by DEBUG SEGMENT if all users and groups will be stored to help disambiguating the entity type of segments in a Chapter 5. CKR messages 239 CKR1306 • CKR1314 RACF restructured database. This specific message is given if a defined variable includes a WHERE clause that needs a disambiguated entity type. Severity: 00 CKR1306 Global exclude needs storing for segment typing Explanation: This message is triggered by DEBUG SEGMENT if all users and groups will be stored to help disambiguate the entity type of segments in a RACF restructured database. This specific message is given if a global EXCLUDE statement includes fields that need the entity type to be disambiguated (for example, EXCLUDE CLASS=USER SEGMENT=OMVS). Severity: 00 CKR1307 Not licensed to read esm datasource ddname volser dsn(member) Explanation: If datasource is unload, this message indicates that you tried to process an UNLOAD created on a system running External Security Manager esm. You are not licensed to examine this type of UNLOAD. Verify that you run with the correct IFAPRDxx member or remove the offending UNLOAD from the query. If datasource is remote database, this message refers to a security database allocated through the zSecure Server network. CKR1310 CONNECT lookup not supported on DEFINE - at ddname line number Explanation: This indicates that a :CONNECT lookup is not supported on the DEFINE statement. You can only use it on a SORTLIST or DISPLAY statement, like "SORTLIST KEY USERID USERID:CONNECT" Severity: 12 CKR1311 Type type already used by builtin newlist at ddname line number Explanation: The TYPE=type specification of the DEFTYPE command at the given location conflicts with a newlist type predefined in IBM Security zSecure. To avoid conflicts of this nature, you should always use a national character ($, #, or @) as part of your DEFTYPE TYPE= names. Severity: 12 CKR1312 CKRSTPMB: Invalid member length xx : program - member complex complex version Explanation: While storing the memberlist for PROGRAM profile program an entry member with length xx (in hexadecimal) was found. This length is too short to contain a valid entry. This memberlist entry is ignored. Severity: 20 Severity: 16 CKR1313 CKR1308 DEFTYPE parameter does not contain a national character at ddname line number Explanation: The parameter of the DEFTYPE command at the given location, which can be TYPE or ABBREV2, does not contain a national character ($, #, or @). While this is not normally a problem, conflicts might occur in the future when new TYPE or ABBREV2 values are predefined in IBM Security zSecure. This message can be suppressed by adding the NOWARN parameter to the DEFTYPE specification. Severity: 04 CKR1309 DDNAME ddname has already been assigned to dsn - at inputdd line number Explanation: You have issued multiple ALLOC commands for the ddname indicated and two (or more) of these specify the DSN/CMSFILE/PATH parameter. The first of these parameter values is shown as dsn, and the location of the second ALLOC command is line number in inputdd. Fix the ALLOC statements in your query, and run it again. Severity: 12 Lookup through field fieldname not supported at ddname line number Explanation: Specification of a target newlist type lookup key is only supported for deftype lookups. Severity: 12 CKR1314 Switching to sequential mode switchreason on complex DB nn ddname volser dsn So far read number special, number index, and number data blocks of current queue length number So far read number blocks from a total of number in number IOs Explanation: This message indicates that the program expects continuation of indexed I/O to yield a longer response time than just processing this RACF data set sequentially. This decision is taken separately for each RACF data set in a RACF database. If switchreason is as requested by client, this decision is the result of logically analyzing the query and is generated only if a CKRCARLA instance is running as a database server through the zSecure Server network. The local client instance would make this decision before starting I/O. If switchreason is due to high number of requests, this 240 Messages Guide CKR1315 • CKR1323 is a dynamic decision based on the actual I/Os queued. This behavior can be suppressed (for debugging and performance analysis purposes) by the command SUPPRESS INDEXCUTOFF (always indexed I/O if possible) or SUPPRESS INDEX (always sequential I/O). You can change the cutoff point for indexed I/O with LIMIT INDEXBIAS. For details, see the documentation for the SUPPRESS and LIMIT commands in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual. Note: These commands only apply to the CKRCARLA instance that reads the CARLa; the local client and a remote database server instance have their own input commands. Severity: 00 CKR1315 Option option incompatible with FILEFORMAT=XML - field fieldname at ddname line number Explanation: The field output modifier indicated is not compatible with FILEFORMAT=XML. Instead of a modifier, this can also be STRING to indicate that a literal is not supported as it has no XML element associated with it. CKR1319 NEWLIST NAME=name invalid XML name - at ddname line number Explanation: XML output is done in the form of structured XML elements that have an element name defined by the NEWLIST NAME= parameter. Hence the name must conform to rules for XML names: it cannot start with "XML", with a digit, or with a hyphen, and it cannot contain national characters. Severity: 12 CKR1320 XML field element name name at ddname line number same as record element set by NAME=name at ddname line number Explanation: This message indicates that a field name is used that is the same as a newlist name printing to the same output file with FILEFORMAT=XML. XML output is done in the form of structured XML elements that have a root element name defined by the NEWLIST DD= parameter, record-level subelements with the element name defined by the NEWLIST NAME= parameter, and field-level subelements defined by (SORT)LIST field names. These cannot be the same in a well-formed XML document. Severity: 12 Severity: 12 CKR1321 CKR1316 Option option incompatible with FILEFORMAT=XML - at ddname line number The BESTMATCH parameter cannot be used in a WHERE clause - at ddname line number Explanation: The NEWLIST option indicated is mutually exclusive with FILEFORMAT=XML. Explanation: The BESTMATCH parameter was used on a WHERE clause in a DEFINE statement. This is not supported. The BESTMATCH parameter can only be used on a SELECT statement in a newlist. Severity: 12 Severity: 12 CKR1317 NEWLIST NAME is required with FILEFORMAT=XML at ddname line number Explanation: XML output is done in the form of structured XML elements that have an element name defined by the NEWLIST NAME= parameter. Hence it is required Unsupported segment segname in complex complex Explanation: This message indicates that a new segment name was found in the RACF database templates that is not supported by the current version of zSecure. Severity: 08 Severity: 12 CKR1318 CKR1322 Duplicate XML field element name name in newlist newlist at ddname line number Explanation: This message indicates that a duplicate field name is specified or implied (by alias processing) within a LIST or SORTLIST statement. This is not possible with FILEFORMAT=XML, since repeated element names are used for repeated field values. CKR1323 EUdate separator can only be a /, - or blank token at ddname line number Explanation: Only the separators slash(/), dash(-) and blank( ) are allowed on the EUdate format. Verify your specifications and resubmit the query. Severity: 12 Severity: 12 Chapter 5. CKR messages 241 CKR1324 • CKR1333 CKR1324 Option option warningtext possible UTF-8 values - field fieldname at ddname line number Explanation: When producing a report in a non-default output encoding, the field output modifier indicated is not compatible with this field that might contain values in Unicode. This applies to INDENT, TITLE and TOPTITLE. This message is issued with a severity of 0 if FILEOPTION ENCODING=EBCDIC applies to the report to inform you that this query will no longer work when you change the encoding. If any other output encoding is active, it is issued as a syntax error with a severity of 12. Severity: 00 or 12 CKR1325 Option option already set differently for output file, unexpected change by newlist name at ddname line number Explanation: The indicated option is an output file property that cannot be set differently across NEWLISTs writing to the same file. This message is normally issued with severity 12 (syntax error), but for options that should be file properties in principle but might vary across NEWLISTs, it is issued with severity 4 (warning). These options are NOPAGE, PAGELENGTH, OVERPRINT, MAXPAGE, PAGETEXT, and CAPS. In general it is recommended to set output file options with the FILEOPTION statement and refer to the ddname on the NEWLIST or MERGELIST statement with DD=, and omit those options on OPTION or NEWLIST statements. The CKR1325 message is often caused by OPTION parameters setting the default for subsequent newlists and conflicting with what was implied by the FILEOPTION statement. Severity: 04 or 12 CKR1326 FILEOPTION DD=ddname must be positioned before first reference to DDname at ddname line number CKR1328 Explanation: The source database in a merge operation has mixed case password enabled, but the current database has not. If passwords are copied from the source database to the current database, users with a mixed case password will not be able to login using this password. Severity: 00 CKR1329 Severity: 12 CKR1330 MERGELIST NAME= required at source for XML element containing newlist name at ddname line number Explanation: For FILEFORMAT=XML combined with a MERGELIST the MERGELIST defines the "common" XML element name containing the individual newlists between MERGELIST and ENDMERGE as children. To be able to output the XML element, you need to define its element name by specifying the NAME= parameter on the MERGELIST. Severity: 12 CKR1331 Soft newline not supported for display at ddname line number Explanation: The soft newline operator /n can only be used on the (SORT)LIST and SUMMARY command, not on the DISPLAY or DSUMMARY commands. Either use the hard newline operator / or convert to a (SORT)LIST. Severity: 12 CKR1332 CKROUNIT: More than 50 soft newlines not supported on a single line at ddname line number Explanation: Only 50 instances of the soft newline operator /n are supported between hard newlines (the / operator). Severity: 12 Option not valid behind FILEOPTION option at ddname line number Explanation: The FILEOPTION command can only reference output file options, no other options such as NEWLIST options. For a list of valid options and their exact meaning, see the FILEOPTION command documentation in the user reference manual for your zSecure product. Severity: 12 242 Duplicate MERGELIST NAME=name at ddname line number Explanation: This message indicates that two mergelist specifications contain the same name. This is not allowed: a MERGELIST name must be unique. Explanation: Any reference to a DD-name with file options should follow the FILEOPTION statement. CKR1327 Mixed case password support disabled on current system Messages Guide Severity: 12 CKR1333 Unsupported value nn for MAXWAIT: not in the range 1..59 at ddname line number Explanation: OPTION SERIALIZATION(MAXWAIT) supports only values in the range of 1 through 59, inclusive. CKR1334 • CKR1343 Severity: 12 CKR1334 CKR1339 Program not authorized. Disabled APF serialization options UNIT, VOLSER, ENQ(SYSDSN), and MAXWAIT Explanation: OPTION SERIALIZATION has been specified with at least one of the following parameters: UNIT, VOLSER, ENQ(SYSDSN), or MAXWAIT. Having dynamic allocation wait until the unit or volser becomes available requires APF authorization. The same is true for requesting an ENQ on QNAME SYSDSN, and for specifying a maximum time to wait until the ENQ request can be specified. Since the program lacks this authorization, it will not wait for units or volsers, will not request ENQs on SYSDSN, and will ignore the specified value for MAXWAIT. Severity: 04 CKR1335 SERIALIZATION options option1 and option2 are mutually exclusive at ddname line number Explanation: You cannot both WAIT and FAIL if the ENQ request cannot be immediately satisfied. Neither can you request that the program issue an ENQ and not issue an ENQ (NOENQ) at the same time. Explanation: XML output is done in the form of structured XML elements that have a root element name defined by the NEWLIST DD= parameter. The DD= parameter must have been specified somehow (as an OPTION before the first NEWLIST or explicitly on the newlist, or on a MERGELIST). Severity: 12 CKR1340 Option only valid behind OPTION <parm> at <ddname> line <lineno> Explanation: This message indicates that a parameter was specified that is recognized by the program, but not valid on the command you specified. It is only valid behind OPTION. Severity: 12 CKR1337 Severity: 12 CKR1341 Explanation: This message indicates that OPTION MSGRC does not support arbitrary message numbers. It currently supports only CKR0171, CKR0172, and CKR0438. Severity: 12 CKR1338 Message number nnn severity sss exceeds maximum 99, MSGRC at ddname line lineno Explanation: The maximum severity that can be assigned to a message by OPTION MSGRC is 99. Severity: 12 XML element name set by NEWLIST NAME=name same as root set by DD=name at ddname line number Explanation: XML output is done in the form of structured XML elements that have a root element name defined by the NEWLIST DD= parameter, and record-level subelements with the element name defined by the NEWLIST NAME= parameter. These cannot be the same in a well-formed XML document. Severity: 12 CKR1342 Message number nnn not supported for MSGRC at ddname line lineno NEWLIST DD=name invalid XML name - at ddname line number Explanation: XML output is done in the form of structured XML elements that have a root element name defined by the NEWLIST DD= parameter. Hence the name must conform to rules for XML names: it cannot start with "XML", with a digit, or with a hyphen, and it cannot contain national characters. Severity: 12 CKR1336 NEWLIST FILEFORMAT=XML root element name must be specified as DD=, cannot be omitted - at ddname line number XML field element name name at ddname line number in newlist name same as root set by DD=name at ddname line number Explanation: XML output is done in the form of structured XML elements that have a root element name defined by the NEWLIST DD= parameter, record-level subelements with the element name defined by the NEWLIST NAME= parameter, and field-level subelements defined by (SORT)LIST field names. These cannot be the same in a well-formed XML document. CKR1343 Option option incompatible with ENCODING=UTF-8 - at ddname line number Severity: 12 The message indicates that UTF-8 output encoding cannot be combined with the indicated options. Chapter 5. CKR messages 243 CKR1344 • CKR1354 CKR1344 File/DD specification is required on FILEOPTION at ddname line number Explanation: This message indicates that FILEOPTION requires specification of FILE=/F=/DDNAME=/DD= to indicate to which file it is supposed to apply. Severity: 12 CKR1345 MERGELIST NAME=name invalid XML name - at ddname line number Explanation: XML output is done in the form of structured XML elements that have an element name defined by the MERGELIST NAME= parameter. Hence the name must conform to rules for XML names: it cannot start with "XML", with a digit, or with a hyphen, and it cannot contain national characters. Severity: 12 CKR1346 XML element name set by NEWLIST NAME=name at ddname line number same as element set by MERGELIST NAME=name at ddname line number Explanation: XML output is done in the form of structured XML elements that have optional mergelist-level element defined by the MERGELIST NAME= parameter, and record-level subelements defined by the NEWLIST NAME= parameter. These cannot be the same in a well-formed XML document. CKR1349 XML field element name name at ddname line number same as element set by MERGELIST NAME=name at ddname line number Explanation: XML output is done in the form of structured XML elements that have an optional mergelist-level element name defined by the MERGELIST DD= parameter, field-level subelements with the element name defined by the (SORT)LIST field names. These cannot be the same in a well-formed XML document. Severity: 12 CKR1350 FILEFORMAT=XML is incompatible with DISPLAY at ddname line number Explanation: The NEWLIST indicated by ddname and linenumber has been directed to build an interactive display with its output, which is incompatible with FILEFORMAT=XML. Severity: 12 CKR1351 Unexpected return code nn dec during LISTCAT of DSNPREF=pref Explanation: This message indicates that an unexpected return code was received from the catalog SVC 26. Contact IBM Software Support. Severity: 12 Severity: 12 CKR1352 CKR1347 XML element name set by MERGELIST NAME=name same as root set by DD=ddname at ddname line number Explanation: XML output is done in the form of structured XML elements that have a root element name defined by the NEWLIST DD= parameter, and optional mergelist-level subelements with the element name defined by the MERGELIST NAME= parameter. These cannot be the same in a well-formed XML document. Severity: 12 CKR1348 XML field element name name invalid XML name - at ddname line number Explanation: XML output is done in the form of structured XML elements that have an element name defined by the (SORT)LIST field names. Hence the name must conform to rules for XML names: it cannot start with "XML", with a digit, or with a hyphen, and it cannot contain national characters. Severity: 12 Explanation: This message indicates that an abend occurred while performing the indicated catalog search processing. Severity: 12 CKR1353 Messages Guide ALLOC DSNPREF=prefix adds DSN=dsn Explanation: This message indicates that an ALLOC DSN= request was added based on a match with the DSNPREF parameter. Note that this message will not be issued if an ALLOC DSN= request was already present, either explicitly requested or previously matched by a different DSNPREF. Severity: 00 CKR1354 ALLOC DSNPREF is mutually exclusive with DD - at ddname line number Explanation: It is not supported to specify a DDname for a generic request like DSNPREF; individual DDnames will be generated for each matching data set name. Severity: 12 244 Unexpected abend during LISTCAT of DSNPREF=pref CKR1355 • CKR1364 CKR1355 Skipping SMF file with RECFM=F or U ddname dsn Explanation: An ALLOC TYPE=SMF was done resulting in a data set that does not have the proper record format for an SMF data set. Specifically, RECFM=F and RECFM=U data sets are not supported by the SMF reader. The severity of this message is only 8 to help easy exploitation of ALLOC TYPE=SMF DSNPREF= by automatically skipping unsuitable data sets. Severity: 08 CKR1356 ALLOC DELETE only supported with TYPE=SMF/TYPE=ACCESS/deftype DSN=/DSNPREF= - at ddname line number Explanation: This message indicates the DELETE keyword is not allowed on the current ALLOCATE statement because it may only be used for allocations by data set names of TYPE=SMF, TYPE=ACCESS or DEFTYPE defined types. Severity: 12 CKR1357 Delete requested for ddname dsn Explanation: This message indicates that the final disposition of the indicated file allocated to the indicated data set will be changed to DELETE while the file is freed. Severity: 00 CKR1358 authorized by SAF to exploit this. The SAF class is installation defined in the CKRSITE module. Severity: 00 CKR1361 Explanation: This message indicates that CKRCARLA was called with APF authorization active (for example, by CKRCARLX or C2POLICE), but that the user was not explicitly authorized by SAF to exploit his. This is not allowed. Either obtain a permit to the indicated SAF resource or directly invoke CKRCARLA (which has AC(0) and hence will run without APF authorization). The SAF class is installation defined in the CKRSITE module. Severity: 12 CKR1362 Severity: 12 DSNPREF cannot be longer than 43 delimiter at ddname line number Severity: 12 APF mode disallowed, no READ access to class CKR.CKRCARLA.APF Explanation: This message indicates that CKRCARLA was called with APF authorization active (for example, by CKRCARLX or C2POLICE), but that the user was not explicitly denied access by SAF to exploit his. Either obtain a permit to the indicated SAF resource or directly invoke CKRCARLA (which has AC(0) and hence will run without APF authorization). The SAF class is installation defined in the CKRSITE module. CKR1363 Explanation: This message indicates that the maximum length of a data set prefix is 43 characters. Use DSN= with a 44 character name. CKR.CKRCARLA.APF in class class not defined. APF mode disallowed. Need to specify DDNAME= or MEMBER= on XML_STYLESHEET=IMBED - at ddname line number Explanation: This message indicates that an XML_STYLESHEET=IMBED() statement is coded, which does not specify a DDNAME= or MEMBER= statement. You need to specify at least one of these. Severity: 12 CKR1359 Skipping record number of length size because SMF cannot be >32KB in ddname volser dsn Explanation: SMF is being read from an LRECL=X data set and has now encountered a record length greater than fits into the Record Descriptor Word of any SMF record mapping. So this proves the record is not an SMF record, and the record will be skipped. Severity: 08 CKR1360 Running in APF mode, READ access to class CKR.CKRCARLA.APF CKR1364 type LXAT record corrupt on SYSTEM system Explanation: An LXAT record from the CKFREEZE for the system indicated was found to be corrupted. Information found in the structured repeat group described with the LX field for newlist type=PC might be erroneous. If this message reoccurs after the CKFREEZE has been refreshed, contact IBM Software Support. Severity: 08 Explanation: This message indicates that CKRCARLA was called with APF authorization active (for example, by CKRCARLX or C2POLICE), and that the user was Chapter 5. CKR messages 245 CKR1365 • CKR1379 CKR1365 Option option incompatible with COMPRESS - at ddname line Explanation: This message indicates an option or command not supported in combination with a compressed output file. Severity: 12 CKR1366 Compressed output from original to compressed bytes (factor factor), file ddname pathname Explanation: This suppressible message lists the original and compressed data size for each COMPRESS=GZIP output file, and the reduction factor achieved. Severity: 00 CKR1369 number InfoStorage records read for complex [version]; resource rules totalled number entries Explanation: This message is only issued for an ACF2 infostorage database and indicates the number of records that were read, as well as the total number of rule lines that were present in the resource rule records present among the read infostorage records. Severity: 00 CKR1370 Extended template block n for entity e not found in ICBTEMP for seq s ddname volser dsname Explanation: This message indicates that a pointer to a template extension was found in a template block, but not the corresponding information in the template block array. Contact IBM Software Support. The message can be suppressed in the mean time. Severity: 16 CKR1374 Explanation: This message indicates that the XSLT stylesheet specified by the XML_STYLESHEET=IMBED() statement cannot be opened. Check if the file is correctly allocated, and the member exists. Severity: 08 CKR1375 Generic string longer than 255 Explanation: A string was specified that contained generics and was longer than 255 characters. This is not supported. Change the query and resubmit it. Severity: 08 CKR1376 Unload output LRECL=nnnn must at least be 23472, LRECL=X,RECFM=VBS preferred file [(redirected CKRUNLOU)] ddname [path | volser dsname] Explanation: This message indicated that an unloaded security database requires a minimum record length of 23472. Even then, records may get truncated. The recommended LRECL specification is: LRECL=X,RECFM=VBS 246 Messages Guide Cannot find close tag </xsl:stylesheet> in stylesheet from file ddname volser dsn Explanation: The XSLT stylesheet specified by the XML_STYLESHEET=IMBED() statement does not appear to contain an </xsl:stylesheet> element. An XSLT stylesheet used for imbedding by zSecure must have the <xsl:stylesheet> open tag and </xsl:stylesheet> close tag as the only elements on separate lines to be recognized. Severity: 08 CKR1377 XML_STYLESHEET=IMBED is incompatible with XML_DTD at ddname line number Explanation: An imbedded XSLT stylesheet cannot contain a DTD. Severity: 12 CKR1378 Severity: 12 CKR1372 Cannot find open tag <xsl:stylesheet> in stylesheet from file ddname volser dsname Explanation: The XSLT stylesheet specified by the XML_STYLESHEET=IMBED() statement does not appear to contain an <xsl:stylesheet> element. An XSLT stylesheet used for imbedding by zSecure must have the <xsl:stylesheet> open tag and </xsl:stylesheet> close tag as the only elements on separate lines to be recognized. Severity: 20 CKR1371 Cannot open stylesheet from file ddname volser dsname A member name is required to read from PDS ddname volser dsn :severity: 8 Explanation: The data set which has been specified on the XML_STYLESHEET=IMBED() statement is partitioned, but no member has been specified. CKR1379 CERTIFICATE_KEYUSAGE value incorrect - "value" at ddname line number Explanation: The only values that are valid on the CERTIFICATE_KEYUSAGE field are: HANDSHAKE, DOCSIGN, DATAENCRYPT, CERTSIGN, digitalSignature, nonRepudiation, keyEncipherment, CKR1380 • CKR1390 dataEncipherment, keyAgreement, keyCertSign, cRLSign, and encipherOnly. Verify your query and resubmit. but the file in question was not allocated with an ALLOC command with a FILEDESC or PATH specification. The output will not be compressed. Severity: 12 Severity: 04 CKR1380 ENCODING=UTF-8 for e-mail can only be used with OUTPUTFORMAT=ATTACH at ddname line number Explanation: UTF-8 encoded reports can only be e-mailed as attachments. Supply OUTPUTFORMAT=ATTACH or remove ENCODING=UTF-8. Severity: 12 CKR1381 The same DD ddname cannot be used both for e-mail and normal reporting at ddname line number Explanation: The indicated CARLa statement specifies or implies the same report DD-name as an earlier statement, but these specifications are incompatible because one specifies an e-mail destination while the other requests a normal report. Severity: 12 CKR1382 CKR1385 Explanation: One or more lines in the specified XML output file have been truncated which can lead to missing or broken tags. This can render the resulting XML document unusable. Increase the LRECL specified for the file (files allocated for XML output by the program itself have a worst case scenario LRECL of 6600) and rerun the query. Severity: 08 CKR1386 Explanation: When the program is running in restricted or PADS mode, selection through the indicated keyword is not allowed. The program is running in restricted mode either because of a reason shown in a CKR0031 message or because SIMULATE RESTRICT was specified. This condition is considered a syntax error (severity 12). If an ALLOWRESTRICT modifier explicitly indicates that the query must be executed anyway, this message is issued as a warning (severity 4) to remind you that the indicated field is treated as missing. See also CKR0170. Severity: 12 File option CAPS cannot be used with XML or UTF-8 output at ddname line number Explanation: File option CAPS cannot be used with FILEFORMAT=XML or ENCODING=UTF-8. Severity: 12 CKR1388 File option NULLS cannot be used with XML output at ddname line number Explanation: File option NULLS conflicts with the automatic filtering of control characters by the XML processing. You cannot use this file option with FILEFORMAT=XML. Severity: 04 or 12 Severity: 12 CKR1383 CKR1389 ALLOC TYPE=TSS_ATF file skipped because not licensed - ddname volume dsn E-mail and LIST output are incompatible at ddname line number Explanation: E-mailing LIST output is not supported. Use SORTLIST instead. CKR1387 Restricted mode does not allow SELECT keyword keyword at ddname line number XML file may be unusable due to insufficient LRECL - ddname volser dsn(member) Non-PADS access required to read type data, skipping file vol dsn(member) Explanation: An ALLOC TYPE=TSS_ATF statement for the indicated data set is ignored because IBM Security zSecure Audit for Top Secret is not installed or has been disabled in IFAPRDxx.. Explanation: A data set to which only conditional (PADS) access was granted was requested for type input. Unconditional read access is needed to read DEFTYPE data. The data set is not processed. Severity: 00 Severity: 08 CKR1384 COMPRESS=GZIP requested for ddname but file specification is incompatible ignored Explanation: This message indicates that GZIP compression was specified for the ddname indicated, CKR1390 Non-PADS access required for unrestricted SMF, skipping file vol dsn(member) Explanation: When reading SMF files in unrestricted mode, only data sets to which unconditional READ Chapter 5. CKR messages 247 CKR1391 • CKR1399 access is granted are valid. For the data set mentioned only conditional (PADS) READ was granted. The data set is skipped. Severity: 08 CKR1391 Undefined division division or undefined field field Explanation: The explicit request for field field from division division is not valid. This may be either because the field is not defined for the requested division, or because the division is not defined for any infostorage record type. You can use the FDE primary command to find out which combinations of residence type, division, and field name are valid. Severity: 12 CKR1392 Field field not defined for residence type residence type Explanation: No Field Definition Entry was found for the requested field in any Record Structure Block associated with the requested residence type. You can use the FDE primary command to find out which combinations of residence type, division, and field name are valid. Severity: 12 CKR1396 Explanation: This message is only issued for an ACF2 infostorage database and indicates the number of records for which processing was skipped. Processing is skipped for infostorage records of subtypes that aren't yet supported in the current release. Severity: 00 CKR1398 Severity: 12 CKR1399 Field field not defined for residence type residence type and division division Severity: 12 Division division not defined for residence type residence type Explanation: The requested combination of division and residence type is invalid. You can use the FDE primary command to find out which combinations of residence type, division, and field name are valid. Severity: 12 CKR1395 Undefined residence type residence type Explanation: The requested residence type does not exist. You can use the FDE primary command to find out which combinations of residence type, division, and field name are valid. Severity: 12 248 Corrupted/truncated QUAA for system system record number of ddname volser dsn Explanation: The QUAA record that was taken from the CKFREEZE file is truncated because the LRECL of the CKFREEZE is too small. User response: Consider increasing the LRECL size. Explanation: The Record Structure block for the requested residence type and division does not contain a Field Definition Entry for the requested field. You can use the FDE primary command to find out which combinations of residence type, division, and field name are valid. CKR1394 FUNCTION=MERGE input present for complex complex but FUNCTION=MAIN input is missing Explanation: A RACF database or unload is allocated to complex complex as a MERGE input source, however there is no equivalent MAIN database or unload specified. Verify your allocations and rerun the query. Severity: 08 CKR1393 number InfoStorage records skipped for complex [version] Messages Guide CKR1400 • CKR1410 Messages from 1400 to 1499 CKR1400 Running on an unsupported version vv.rr.mm of z/OS, results are unpredictable - please upgrade Explanation: This message indicates that zSecure is being run on an operating system level that it is not supported on. The results are unpredictable. Upgrade zSecure to the proper version. Severity: 04 CKR1401 Running on a no longer supported version vv.rr.mm of z/OS, some product features may fail Explanation: This version of zSecure is not supported on the operating system level that you are running it on. Some (newer) product features may fail. On the other hand, typically older reports will keep working, but there is no support if they do not. Severity: 04 CKR1402 Running on an unsupported OS product name, results are unpredictable Explanation: The current operating system is not recognized by this version of zSecure, and not supported. Severity: 04 CKR1403 Analyzing an unsupported version vv.rr.mm of z/OS, results are unpredictable - please upgrade Explanation: This message indicates that a system snapshot is being analyzed from an operating system level that it is not supported on this version of zSecure. The results are unpredictable. Upgrade zSecure to the proper version. Severity: 04 CKR1405 Live SMF suppressed because more SMF data sets requested than can be processed Explanation: As long as not all TYPE=SMF data sets matching the DSNPREF specification can been processed together with all live SMF data sets, processing of live SMF is suppressed. This is done to ensure that SMF records can be processed in chronological order (if the data set names reflect the chronological order, and contain SMF records that are older than the live SMF). Severity: 08 CKR1406 More than 4 SUBSYS parms not supported before token at ddname line number Explanation: The SUBSYS keyword of the ALLOC CARLa command supports only 4 subparameters. If you need more, contact IBM Software Support. Severity: 12 CKR1407 ALLOC SUBSYS is not supported with PATH/FILEDESC/CMSFILE/GETPROC/ SMFSTREAM/DSNPREF - at ddname line number Explanation: The SUBSYS specification cannot be used together with other input source designations than DSN=. Severity: 12 CKR1408 IFAQUERY return area too small. Omitted nnn log stream records. Explanation: Even after passing the required length in a second call, there is still not sufficient space to store the SMF log stream data. Contact IBM Software Support. Severity: 08 CKR1404 Processing 100 SMF data sets, nnn ALLOC DSNPREF matches left for a subsequent run Explanation: This message indicates that an ALLOC DSNPPREF statement for TYPE=SMF yielded more than 100 data set name matches. Only the alphabetically first 100 will be processed. If the DELETE operand is also on, a subsequent run will pick up the next 100 data sets. To ensure optimal processing, you should ensure that for each system, the alphabetical order of the SMF data set names matches the chronological order of the SMF records. Severity: 08 CKR1409 Unexpected return code from IFAQUERY. SMF log stream information is not collected. rc=hhhhhhhhhhh hex rsn=hhhhhhhhhhh hex Explanation: Failure to obtain SMF log stream data. Contact IBM Software Support. Severity: 16 CKR1410 ALLOC TYPE=SMFSTREAM is not supported with PATH/FILEDESC/ CMSFILE/GETPROC/DSNPREF - at ddname line number Explanation: The TYPE=SMFSTREAM specification Chapter 5. CKR messages 249 CKR1411 • CKR1420 cannot be used together with other input source designations than DSN=. Severity: 12 CKR1411 Cannot determine active SMF log streams for system system Explanation: When active SMF allocation is requested while SMF log streams are used and IBM Security zSecure runs in non-APF mode, a CKFREEZE file containing the SMF log stream settings must be connected. You have not connected a CKFREEZE file, or it is a CKFREEZE file made using an older zSecure Collect. Severity: 04 CKR1412 Started processing TYPE=ACCESS pads file ddname volser dsn Explanation: This message indicates that the processing of ACCESS input file ddname has started. In addition, it can indicate in pads by the text PADS that access to the data was allowed through a conditional access. Non-PADS access required to read ACCESS data, skipping file vol dsn(member) Explanation: ACCESS data sets can only be read when unconditional READ access is granted. For the data set mentioned only conditional (PADS) READ was granted. Reading the data set is skipped. Severity: 8 CKR1414 nn ACCESS records processed, nn ACCESS records selected for TYPE=ACCESS (nn%) Severity: 0 CKR1417 Expected Custom FIELD Type instead of cccc Explanation: CARLa has encountered a DEFINE statement similar to the following: DEFINE yourname SUBSELECT(CSTYPE=cccc). The value cccc is expected to be one of these values: Num, Char, Hex, or Flag, but in fact it is not. User response: Correct the CARLa code and specify the correct Custom Format Type value. Severity: 12 The value of CFDEF fields CFFIRST and CFOTHER must be ALPHA, ALPHANUM, ANY, NONATBC, NONATNUM, or NUMERIC - "value" at ddname line number Explanation: This message indicates that the value you specified for a field did not match the field type expected by the program. User response: Select the appropriate value for the field. CKR1419 CSTYPE value must be CHAR, NUM, FLAG, or HEX - "value" at ddname line number Explanation: This message indicates that the value you specified for a field did not match the field type expected by the program. User response: Select the appropriate value for the field. ALLOC TYPE=ACCESS file skipped because not licensed - ddname volume dsn Explanation: An ALLOC TYPE=ACCESS statement for the indicated data set is ignored because IBM Security zSecure Admin is not installed or has been disabled in IFAPRDxx. Severity: 0 250 Severity: 08 Severity: 12 Explanation: This message indicates the number of ACCESS records that were processed and the number and percentage that were selected. CKR1415 Inconsistent CFDEF definitions for profile Explanation: This message indicates that, during a database merge, a CFIELD profile is found present in both the source database and the current database. In that case, merge requires these profiles to have identical CFDEF segments. The indicated profiles do not have identical CFDEF segments. CKR1418 Severity: 0 CKR1413 CKR1416 Messages Guide Severity: 12 CKR1420 system abend code code(text) in UNLOAD processing. Dynamic Parse Table not processed. Explanation: There has been an abend while writing the Dynamic Parse Table during UNLOAD processing. This will not affect other UNLOAD processing. However, the resultant UNLOAD file will not include a complete Dynamic Parse Table and hence may cause errors or omissions if used to examine Custom Fields. CKR1421 • CKR1429 User response: Review the JESLOG and SYSPRINT output from CKRCARLA to determine if this is associated with other errors or messages. If you cannot resolve the problem, contact IBM Software Support. CKR1426 Severity: 04 A NEWLIST TYPE=ip_newlist_type request was issued, but no TCP/IP stack configuration data are available. Might be caused by old or non-APF CKFREEZE Explanation: SUPPRESS SMF command was used to explicitly suppress SMF processing. Explanation: This message is generated by the NEWLIST TYPE=ip_newlist_type, which is one of the TCP/IP stack configuration reports. It indicates that a TCP/IP stack configuration report was requested, but the stack configuration data were not available. Check the CKFREEZE file used. The TCP/IP stack configuration report requires an APF-authorized zSecure Collect run with a focus including zSecure Audit. The version of zSecure Collect should be at least 1.11 in order to produce a CKFREEZE file with the requested information. The version employed to create the CKFREEZE file can be found in the SYSPRINT, in message CKR0132. Severity: 00 Severity: 00 CKR1421 Multi-line WTO output beyond line 10 was suppressed for newlist name source Explanation: A multi-line WTO that exceeds 10 lines was created by the newlist. A maximum of 10 lines can be output so the excess lines were suppressed. Severity: 04 CKR1422 CKR1423 All SMF processing suppressed. Value range only allowed with = before type "value" at ddname line number Explanation: This messages indicates that a value range was found with an operator that does not support it. The only operator that can be used with a value range is the equality operator. User response: Change the operator or do not use a range. Severity: 12 CKR1424 No numeric symbolic name found and no default at ddname line line. Explanation: The parser expects a number or a symbolic name of type NUM, however, a non-numeric string was found. No SYMBOLIC NUM name=value statement was encountered in CARLa before this statement. Symbolic names are case insensitive, but each name has a maximum length of 24. If your CARLa must cope with both presence and absence of a SYMBOLIC definition, you can specify a default value behind a vertical bar such as name|value instead of just name. Severity: 12 CKR1425 Password phrase must be quoted. Explanation: The password phrase value is missing the required quotation marks. User response: Update the password phrase value to include the quotes, for example, 'password phrase'. CKR1427 NEWLIST TYPE=ip_newlist_type CKFREEZE data incomplete or corrupted Explanation: This message is generated by the NEWLIST TYPE=ip_newlist_type, which is one of the TCP/IP stack configuration reports. It indicates that a CKFREEZE file is incomplete or corrupted. Contact IBM Software Support. Severity: 20 CKR1428 NEWLIST TYPE=ip_newlist_type requires CKFREEZE Explanation: This message is generated by the NEWLIST TYPE=ip_newlist_type, which is one of the TCP/IP stack configuration reports. It indicates that a TCP/IP stack configuration report was requested, but no CKFREEZE file was used. The report requires a CKFREEZE file. Check your JCL or your set of input files. Severity: 08 CKR1429 jobtag CICS dictionary invalid <system> <date time> at ddname line recno Explanation: This message indicates that the CICS dictionary record for the system system written at the indicated date and time is not valid. This CICS dictionary record does not match the CICS performance records written for the same jobtag. Severity: 12 Severity: 12 Chapter 5. CKR messages 251 CKR1430 • CKR1438 CKR1430 CICS SMF dictionary system truncated dictionary ignored at ddname line recno. Explanation: The SMF record containing the CICS performance record dictionary was truncated. This might happen while copying to a data set with a specified LRECL that is too small. error that generated the CKF1434 message has been resolved. If CKR1434 is present by itself, add the FUNCTION=BASE option to the security database allocation statement. Severity: 12 Severity: 00 CKR1435 CKR1431 Field FAILLOAD value must be BADSIGONLY, ANYBAD, or NEVER "badvalue" source Explanation: This message indicates that a value for the FAILLOAD field was not recognized. User response: Provide one of the values listed in the message, or remove reference to the field. Severity: 12 FUNCTION=BASE cannot be specified for more than one security database. Explanation: FUNCTION=BASE must identify the "standard" security database that compare functions must compare against. It is not allowed to request two security databases to serve as the base. You can identify one security database, for example, UNLOAD, and one system (CKFREEZE) in that same complex as a base. User response: Remove FUNCTION=BASE until only one security database has this specification left. Severity: 12 CKR1432 Field SIGAUDIT value must be BADSIGONLY, ANYBAD, SUCCESS, ALL, or NONE - "badvalue" source Explanation: This message indicates that a value for the SIGAUDIT field was not recognized. User response: Provide one of the values listed in the message, or remove reference to the field. Severity: 12 CKR1433 CKRSTORF.CKRSIDID: Duplicate IDID entry userid label flags filter complex complex version Explanation: A duplicate distributed identity filter (RACMAP) was found mapping to the indicated userid with the indicated label. The duplicate is ignored. This message can be suppressed. Severity: 20 CKR1436 FUNCTION=BASE cannot be specified for more than one system. Explanation: FUNCTION=BASE must identify the "standard" system that compare functions must compare against. It is not allowed to request two systems to serve as the base. You can identify one security database, for example, UNLOAD, and one system (CKFREEZE) in that same complex as base. User response: Remove FUNCTION=BASE until only one security system has this specification left. Severity: 12 CKR1437 COMPAREOPT BASE/BY/COMPARE is not supported for field name source. Explanation: Comparison is not supported for this field. User response: Use another field. CKR1434 FUNCTION=BASE on CKFREEZE file ddname system system [version] requires F=BASE on security database complex complex Explanation: A system has been specified as a base to compare against, but the security complex for the system has not been specified. Both the system and the security complex are required for the comparison process. This message can also be caused as a side effect of trying to give multiple complexes the same name, which generates a CKR1472 message. User response: If message CKR1472 is present along with CKR1434, resolve the CKR1472 message first. Then, run the comparison process again to see if the 252 Messages Guide Severity: 12 CKR1438 FUNCTION=BASE only supported for TYPE=CKFREEZE/UNLOAD/RACF/ ACF2*/CKRCMD - error detected before token at ddname line number Explanation: This file type cannot be used as a base for comparison. The FUNCTION=BASE specification is allowed for security databases, CKFREEZE files, and command files. User response: Do not specify FUNCTION=BASE for this TYPE. Severity: 12 CKR1439 • CKR1447 CKR1439 Language lng is not valid in the LANGUAGE statement at source Explanation: While parsing a LANGUAGE statement, English (ENG, ENU) is not a valid override language. Parsing continues, but the run is cancelled. User response: Choose a different language. Severity: 12 CKR1440 LANGUAGE ln2 at source2 does not match the first LANGUAGE statement of ln1 Explanation: While parsing a LANGUAGE statement, a language lng2 which is different from the first language found lng1 has been located. Parsing continues but the run is cancelled. Each CKRCARLA run can only translate to one language (or not translate). User response: Perform translation to different languages in two separate runs. PREAMBLE to a member included under option CO. Severity: 12 CKR1444 Complex name used for system smfid records in ddname volser dsn Explanation: This message is issued once for each system ID smfid that the user is allowed to see in each ACCESS input file processed. The message is issued to help you understand unexpected failures. For example, when generating access monitor commands in AM.8.2 with incomplete sets of input or user-specified complex names, the message identifies which complex (RACF database) accesses in the file are to be attributed. In this message, the complex name is followed by the VERSION if VERSION is specified in the ALLOC command.. User response: If you have unexpected failures when running access monitor commands from menu option AM.8.2, review this message to find out the problem. Severity: 00 Severity: 12 CKR1445 CKR1441 Translation for "original" was "translation1" overridden by "translation2" at source Explanation: While parsing a LANGUAGE statement, more than one translation was found for the same string or value. The last one prevails. User response: Validate that the last translation is the one you want. Occurrence only valid in named NEWLIST sections, not in TYPE section at source Explanation: Occurrence is only valid for FIELD clauses in a named NEWLIST section of a LANGUAGE statement, not in a FIELD clause in a TYPE section. User response: Remove the occurrence designator or move the statement to a NEWLIST clause. User response: Select the appropriate value for the field. CKR1446 Symmetric key exportable value must be (BY)ANY, (BY)LIST, or (BY)NONE "value" at ddname line number Explanation: This message indicates that the value you specified for a field did not match the field type expected by the program. User response: Select the appropriate value for the field. Severity: 12 Severity: 12 CKR1443 Explanation: This message indicates that the value you specified for a field did not match the field type expected by the program. Severity: 12 Severity: 00 CKR1442 Asymmetric key usage value must be (NO)SECUREEXPORT, (NO)HANDSHAKE, or a combination of them - "value" at ddname line number LANGUAGE statements must precede the use of any NEWLIST or field name at source Explanation: In the CARLa input, LANGUAGE statements can only be used before the first use of a field, newlist, or more generally, anything involving strings that might need to be translated. CKR1447 nn SMF subrecords read, nn selected (nn%) Explanation: This message indicates the number of SMF subrecords read and the number and percentage that were selected. Severity: 00 User response: Move LANGUAGE statement to or imbed it earlier in the CARLa input stream, or move CARLa that performs output processing in the SETUP Chapter 5. CKR messages 253 CKR1448 • CKR1457 CKR1448 Duplicate COMPAREOPT TYPE=type NAME=name retaining version source Explanation: A COMPAREOPT definition can only occur once. User response: Change name of either one, or delete one of the definitions. Severity: 12 CKR1453 FORMAT name name is not supported for language translation at source Explanation: A FORMAT name has been detected unsupported for language translation. Parsing continues, but the run is cancelled. User response: Remove the FORMAT clause or change the format name. Severity: 12 CKR1449 Duplicate COMPAREOPT field name name source also used source CKR1454 PREFIXLEN must be in range 29...70 Explanation: A COMPAREOPT field name list should list a field name at most once. Explanation: The print option PREFIXLEN must be smaller than 71 and greater than 28. User response: Delete duplicate name. Severity: 12 Severity: 12 CKR1455 CKR1450 COMPAREOPT NAME=DEFAULT is reserved source. Explanation: The COMPAREOPT name DEFAULT is reserved for automatic generation. It may be generated automatically with ALLOC FUNCTION=BASE. User response: Choose a different name. Severity: 12 CKR1451 COMPAREOPT NAME=name type=type not defined source Explanation: A COMPAREOPT referred to by PRINT / OPTION / NEWLIST must be defined in a COMPAREOPT statement before it is needed in a NEWLIST, DISPLAY or SORTLIST statement. Scan of entire segment is not allowed in restricted mode - at ddname line number Explanation: When the program is running in restricted or PADS mode, scanning the entire profile segment is not allowed. The program is running in restricted mode either because of a reason shown in a CKR0031 message or because SIMULATE RESTRICT was specified. This condition is considered a syntax error (severity 12). If an ALLOWRESTRICT modifier explicitly indicates that the query must be executed anyway, this message is issued as a warning (severity 4) to remind you that the indicated field is not found. See also CKR0170. Severity: 04 or 12 CKR1456 NEWLIST name suffix suffix is invalid, ".DISPLAY" is the only valid suffix at source. User response: Add the missing COMPAREOPT statement before you refer to the name with "COMPAREOPT=". Also the newlist "TYPE=" specification on NEWLIST and COMPAREOPT must match. Explanation: If a NEWLIST name is suffixed, the only valid suffix is ".DISPLAY"; the run is cancelled. Severity: 12 Severity: 12 CKR1452 Translation translation1 overridden with translation2 User response: Correct or remove the name suffix. CKR1457 PREFIXLEN value val is not in the range of 29 to 70 at source. Explanation: While parsing a LANGUAGE statement, more than one translation was found for the same string or value. The last translation prevails. Explanation: The prefix length specified on the LANGUAGE statement must be greater than 28 and smaller than 71. User response: Validate that the last translation is what you want. User response: Either specify a value from 29 to 70 inclusive, or remove the PREFIXLEN specification from the LANGUAGE statement to let the prefix length default to the value of the print option PREFIXLEN. Severity: 00 Severity: 12 254 Messages Guide CKR1458 • CKR1469 CKR1458 Selection on field is only supported for EXISTS and MISSING - at ddname line number Explanation: This field is only supported in a select clause for the EXISTS and MISSING functions. Severity: 12 CKR1459 Logon ID logon_id has no access to the group that started task task_id is assigned to in complex [version] Explanation: The GSO STC record assigns a logonid and optional group ID based on the started task ID if no matching STC logonid is found within the logonid database. Under CA ACF2 r12, before a started task is assigned the group ID defined in its associated GSO STC record, a validation call is made to verify that the assigned logonid defined in the STC record has access to the group ID. To grant a logonid access to the assigned group ID, a resource rule must be written under the TGR resource type. 'VERIFY STC' performs that validation and issues this message if logon ID has no access to the group (if one is defined). Severity: 04 CKR1461 Converting requested key to UTF-8 for class yielded excessive length lengthrequestedkeyconvertedkey Severity: 12 Explanation: This message is issued due to a REMOVE USER= command. In order to remove userid, its identity mappings must be deleted first, hence RACMAP DELMAPs are generated for each. Severity: 00 CKR1463 Incomplete COMPAREOPT - TYPE and NAME are required source Explanation: A COMPAREOPT statement requires both a name and type to identify it. One or both parameters are missing. User response: Add missing parameters. Severity: 12 User response: Change TYPE to the desired type and repeat the DEFINE statement for every desired type. Severity: 12 CKR1466 WHERE clause not allowed for define name TYPE= * source Explanation: WHERE clause is not allowed for A DEFINE TYPE=* for the indicated variable name. Only the indicated types are allowed for TYPE=*. User response: Either remove the WHERE clause or repeat the DEFINE for every type needed, specifying an explicit newlist type. Severity: 12 Functions like lookup not allowed for define name TYPE=* source Explanation: DEFINE TYPE=* for the indicated variable name was done specifying a function like substring, WORD, lookup, and so on. These are not allowed with TYPE=*. User response: Either remove the functions or repeat the DEFINE for every type needed, while specifying an explicit newlist type. Severity: 12 CKR1468 Remove racmap userid label label output RACMAP DELMAP Define TYPE=*name only allowed for COMPARE_RESULT, COMPARE_CHANGES, COUNT, and SUMCOUNT source Explanation: A DEFINE TYPE=* for the indicated variable name was an unsupported type. Only the indicated types are allowed for TYPE=*. CKR1467 Explanation: A KEY=requestedkey specification occurred on a selection statement for a class with UTF-8 keys (for example, IDIDMAP). Indexed database read could not convert the request into a valid UTF-8 profile key to look for. The request is shown in EBCDIC; the conversion result is shown in hexadecimal. CKR1462 CKR1465 Warning: TYPE=* define for variable name source overrides TYPE=type define source2 Explanation: This suppressible message warns that a previous definition of a variable is being superseded by a TYPE=* definition. The earlier definition may still be in use for prior newlists. If a specific type is indicated, it also overrides a global type-specific DEFINE of that type for the same variable name. This message is issued for every newlist type where a global variable has been instantiated with the same name. Subsequent references to the variable name will no longer use the overridden definitions. Severity: 00 CKR1469 COMPAREOPT keyword1 must be specified before token at ddname line number Explanation: TYPE must come before BY, COMPARE, Chapter 5. CKR messages 255 CKR1470 • CKR1478 or BASE on a COMPAREOPT statement. NAME must come before BASE. Severity: 12 User response: Add or move TYPE and NAME keywords before BY, COMPARE, and BASE parameters. CKR1475 Severity: 12 Explanation: This message indicates that an input file designated as TYPE=ACCESS contains a record that is shorter than allowed for TYPE=ACCESS files. If too many errors are found in the input file, message CKR1477 will follow this message. CKR1470 Field field value invalid expression is not a valid numeric expression at origin line line Explanation: The parser expects a field value to contain a valid numeric expression. Either a decimal number or a numeric symbolic expression can be used in this context. Severity: 12 Unexpected short ACCESS record at source You can suppress this message using the SUPPRESS command. User response: Verify that you specified the proper data set and TYPE on the ALLOC statement for TYPE=ACCESS, or on the SETUP input files panel. Severity: 16 CKR1471 Resource simulation class class is not supported - source Explanation: Classes that assign a nonstandard meaning to the member list are not supported for resource simulation. This restriction applies to classes such as CONNECT, DIGTNMAP, DIGTCERT, DIRACC, DIRAUTH, FSSEC, FSOBJ, GLOBAL, GMBR, GROUP, IDIDMAP, NDSLINK, NODES, NODMBR, NOTELINK, PMBR, PROGRAM, RACFVARS, RVARSMBR, SCDMBR, SECDATA, SECLABEL, SECLMBR, UNIXMAP, USER, VMBR, VMEVENT, VMXEVENT, VXMBR. The DATASET class is not supported either. User response: For the DATASET class, you can use the SIMULATE SENSITIVE command for resource simulation. Severity: 12 CKR1472 Complex name cannot have both FUNCTION=BASE and MAIN This message can also cause subsequent CKR1434 messages. User response: Use different complex names for FUNCTION=BASE and (the default function) FUNCTION=MAIN. Severity: 12 Missing COMPARE and no default for COMPAREOPT TYPE= Explanation: The COMPARE parameter is missing on the indicated COMPAREOPT statement. A default COMPARE value is not defined for the newlist type. User response: Add a COMPARE parameter. 256 Messages Guide Unsupported ACCESS record type xx at source Explanation: The message indicates that an input file designated as TYPE=ACCESS contains an unrecognized record ID xx. If too many errors are found, message CKR1477 will follow this message. You can suppress this message using the SUPPRESS command. User response: Verify that you specified the proper data set and TYPE on the ALLOC statement for TYPE=ACCESS, or on the SETUP input files panel. Severity: 16 CKR1477 Explanation: If you want to compare two versions of the same security database, use different complex names. If you use the same complex name, you cannot distinguish the output of one database version from the other. CKR1474 CKR1476 Excessive errors in TYPE=ACCESS input; skipping rest of file at source Explanation: This message indicates that more than 100 errors were found in a file designated as TYPE=ACCESS. The rest of the file will be skipped. You can suppress this message using the SUPPRESS command. User response: Verify that you specified the proper data set and TYPE on the ALLOC statement for TYPE=ACCESS, or on the SETUP input files panel. Severity: 16 CKR1478 COMPARE_CHANGES not supported on SUMMARY Explanation: The results of a comparison process are returned by the COMPARE_CHANGES variable. To report the COMPARE_CHANGES results, you must use the SORTLIST or DISPLAY commands; you cannot use the SUMMARY command. Severity: 12 CKR1479 • CKR1487 CKR1479 SYSLOG is not supported under VM Explanation: Writing a SYSLOG message to a UNIX SYSLOG receiver is not directly supported under z/VM. User response: Run this CARLa under z/OS. Severity: 12 CKR1483 Syslog alert n has more than 1 line, name source syslog_line_1 syslog_line_2 Explanation: Notification that a syslog alert sends only the first line. User response: Change the alert to reduce it to one line. Severity: 12 CKR1480 Sendto for syslog alert n sockdesc m failed UNIX error, name source Explanation: Indicates that the UNIX sendto service failed with the indicated error. User response: Correct the error and try again. Severity: 12 CKR1481 Sending syslog alert n to addr port port on sockdesc n, name source syslog_line Explanation: Indicates the destination for an alert. It also shows the syslog message EBCDIC encoding. However, the information is sent in UTF-8 format. The addr format corresponds to the IP stack for creating the socket descriptor. If the IPv6 stack is available, IPv4 address are mapped to the IPv6 socket and shown in the following format: ::FFFF:n.n.n.n where n.n.n.n is the IPv4 address. The following examples show the different message formats for IPv4 and IPv6: Message for an IPv4 address mapped to an IPv6 stack: CKR1481 00 Sending syslog alert 0 to ::FFFF:127.0.0.1 port 514 on sockdesc 0, IPV6V4 at SYSIN line 6 Message for an IPv6 stack: CKR1481 00 Sending syslog alert 0 to ::1 port 514 on sockdesc 0, IPV6V4 at SYSIN line 6 Message for an IPv4 stack: CKR1481 00 Sending syslog alert 0 to 127.0.0.1 port 514 on sockdesc 0, IPV4LCL at SYSIN line 6 Severity: 00 CKR1482 IPv4 socket call for syslog failed UNIX error Explanation: An attempt was made to establish an IPv4 socket with the UNIX socket service, but this attempt failed with the indicated diagnostic information. User response: See the z/OS UNIX System Services Messages and Codes reference manual available from the z/OS Internet Library. Severity: 12 CKR1485 IPv4 syslog socket close failed UNIX error Explanation: An attempt was made to close an IPv4 socket, but this attempt failed with the indicated diagnostic information. User response: See the z/OS UNIX System Services Messages and Codes reference manual available from the z/OS Internet Library. Severity: 12 CKR1486 ipstack socket call for syslog system abend abend-reason (description) Explanation: Indicates that the IPv4 or IPv6 socket call has failed. The ipstack address is either IPv4 or IPv6 depending on the type of socket being created. For additional information about the abend code, see the Communications Server IP and SNA Codes manual available from the z/OS Internet Library. Severity: 12 Empty syslog alert n, name source Explanation: An empty line or no line at all was encountered in a request to send a syslog message. User response: Correct the CARLa used to generate the syslog message, and try again. Severity: 12 CKR1484 CKR1487 ipstack syslog sockdesc n Explanation: The ipstack address is either IPv4 or IPv6, depending on the IP stack used for the SYSLOG socket descriptor. If the IPv6 stack is unavailable, the socket descriptor uses an IPv4 stack and is limited to using IPv4 addresses. The following examples show the different message formats for IPv6 and IPv4: CKR1487 00 IPv6 syslog sockdesc 0 CKR1487 00 IPv4 syslog sockdesc 0 Severity: 00 Chapter 5. CKR messages 257 CKR1488 • CKR1497 CKR1488 CMSMODE is only valid with DSN/DA/DATASET - before token AT ddname LINE number Explanation: This message indicates that in z/VM, the CARLa ALLOC statement for the RACF database requires a DSN, DA, or DATASET parameter when using the CMSMODE parameter. Severity: 12 CKR1489 CMSMODE is mutually exclusive with VOL/UNIT - before token AT ddname LINE number Explanation: This message indicates that in z/VM, the CARLA ALLOC statement incorrectly specified the V, VOL, VOLSER, VOLUME, U or UNIT allocation parameter with the CMSMODE parameter for the RACF database data set. The CMSMODE parameter can only be used to allocate files with the DSN, DA, or DATASET parameters Severity: 12 CKR1490 CMSMODE is required with DSN/DA/DATASET under VM - before token AT ddname LINE number Severity: 12 MEMBER specification not allowed under VM - before token AT ddname LINE number Explanation: This message indicates that in z/VM, the CARLa ALLOC statement incorrectly specified a member in the DSN, DA, or DATASET parameter for the RACF database. Severity: 12 CKR1492 Return code values: 2 See the prior server-error CKN message. The message is prefixed by the ZSECSYS name of the server. 4 Did not all fit in buffer 8 Unsupported function 12 Caller not authorized as client 16 Parameters not valid User response: Look for CKN* server messages before this message, and follow their guidance. For return codes greater than 2, search the support site for information on CKR1494 and the indicated return code. Restart the server to see if the problem disappears. Severity: 0 CKR1495 Explanation: This message indicates that in z/VM, the CARLa ALLOC statement did not specify the CMSMODE parameter for the RACF database data set. CKR1491 Message CKR2351 is also present if it the server is required for the query. CMSMODE is only valid under VM before token AT ddname LINE number Explanation: This message indicates that in z/OS, the CARLa ALLOC statement incorrectly specified the CMSMODE parameter for the RACF database data set. This parameter can only be used in z/VM. Severity: 12 Explanation: This message indicates that the CARLa query could have a benefit from accessing the zSecure Server, but did not find an active server with the indicated server token. Message CKR2351 is also present if it the server is required for the query. User response: Verify that the server token is correct in SETUP RUN when running the ISPF user interface. If the token is correct, ensure that the server is still running. Restart the server if it is not running. Severity: 0 CKR1497 zsec_parm can be any of the following settings: v ZSECNODE=. v ZSECNODE=* Client connection to server failed RC=decnum Explanation: This message indicates that the CARLa query could have a benefit from accessing the zSecure Server, but the attempt to contact the server failed with the indicated return code. For example, some fields might have been specified but could not be verified. 258 Unable to resolve local node for zsec_parm Explanation: The CKR1497 message is issued when the ZSECNODE or ZSECSYS parameter specifies either "*" or "." and the node table cannot resolve any node or system values for the selected server. In this case, processing should not continue. The issuance of this message usually indicates that the multi-system server cannot process requests at this time. v ZSECSYS=. CKR1494 There is no server active with SERVERTOKEN=name Messages Guide v ZSECSYS=* Severity: 12 CKR1498 • CKR1505 CKR1498 Options DD and SYSLOG are mutually exclusive Explanation: You cannot specify both DD (DDNAME,FILE,F) and SYSLOG on a NEWLIST statement. User response: Ensure that the NEWLIST statement has either a DD (DDNAME,FILE,F) or SYSLOG parameter, but not both. Severity: 12 CKR1499 CKRSVPUT sync error - waiting for file ddname open but finding ddname2 for clientno Explanation: This message indicates that an error occurred in communication with a remote CKRCARLA through the zSecure Server. User response: Use fewer remote files at the same time. Severity: 20 Messages from 1500 to 1599 CKR1500 Invalid $ANYMISSINGMIGC in program: volser dsname Explanation: This message indicates an internal error in VERIFY PROGRAM processing. Contact IBM Software Support. Severity: 24 CKR1501 CKRPUTV: calltype call for fieldtype field fieldaddr fieldname defined at ddname line number Explanation: The field indicated by fieldaddr fieldname cannot be stored again. Contact IBM Software Support. Severity: 24 CKR1502 CKRPRMSG.CKRM385: Message msgid has unexpected member entry of type eyecatcher for class profile Explanation: Contact IBM Software Support. Particularly valuable information in case of this error would be the msgid and what member list the indicated profile actually has. The first four letters of the msgid indicate the function that is partially failing, for example, 'VPRM' for VERIFY PERMIT. E-mailed XML document DD ddname should use ENCODING=UTF-8 Explanation: The z/OS SMTP server automatically translates e-mail from EBCDIC to ASCII. When you use the default ENCODING=EBCDIC for e-mailed XML documents, this results in an ASCII document containing a header describing the document as EBCDIC encoded. Such XML document may not be parseable by your XSLT processor. You are advised to use ENCODING=UTF-8 for XML documents. User response: This error is likely caused by a corruption of the CKFREEZE or UNLOAD data set. If the CKFREEZE or UNLOAD data set has been sorted, or records have been dropped or altered in some way, then errors of this kind can occur. It is also possible that insufficient memory is allocated to the address space where the data set is being processed. If you cannot resolve the problem, contact IBM Software Support. Severity: 20 Errors in Dynamic Parse Table. text, Table Part = nn, SYSTEM=ssssssss, DDNAME=dddddddd Explanation: There has been an error in reconstructing the Dynamic Parse Table. In the message, the text value can be one of the following values: v "Sequence error": indicates that the records found do not have sequential record numbers. v "Address mismatch" indicates that the records do not have matching originating addresses in them. v "Length mismatch" indicates that the records do not have the expected lengths within them. v "Pointer error" indicates that during the adjusting of internal pointers, an internal address was found to be outside the table bounds. Severity: 04 CKR1504 This error has occurred during the reading of the CKFREEZE or an UNLOAD data set . Dynamic Parse Table records have been found in the data set but the attempt to reconstruct the table from the records has failed. As a result of this message, no Dynamic Parse Table will be built from this input file. This will affect the processing of RACF custom fields. CKR1505 Severity: 24 CKR1503 Explanation: It was not possible to obtain storage to rebuild the Dynamic Parse Table, while processing a CKFREEZE data set or an UNLOAD data set. The values ssssssss and dddddddd help identify the CKFREEZE or UNLOAD data set being processed. The value nnnnnn is the requested size of storage for the table in bytes. Unable to obtain storage for Dynamic Parse Table. Size=nnnnnn, SYSTEM=ssssssss, DDNAME=dddddddd v "Buffer overrun" indicates that during the build of the table, an attempt was detected to write past the end of the Dynamic Parse Table area. Chapter 5. CKR messages 259 CKR1506 • CKR1515 The value nn identifies the section of the table last processed. The values ssssssss and dddddddd help identify the data set being processed. CKR1511 CKRFMTC.PRTFLD: Called with invalid index for fieldname source Explanation: This is an internal error message. This error has occurred during the reading and processing of the CKFREEZE or an UNLOAD data set. Dynamic Parse Table records have been found in the file but the attempt to reconstruct the table from the records has failed. As a result of this message no Dynamic Parse Table will be built from this input file. This will affect the processing of RACF custom fields. User response: This error is likely to be caused by a corruption of the CKFREEZE or UNLOAD data set. If the CKFREEZE or UNLOAD data set has been sorted, or records have been dropped or altered in some way, then errors of this kind can occur. It is also possible that insufficient memory is allocated to the address space where the data set is being processed. If you cannot resolve the problem, contact IBM Software Support. Severity: 20 CKR1506 CSDATA keyword name name longer than 8 characters. Ignoring keyword. Explanation: The dynamic parse table mentions a custom field longer than 8 characters. This keyword will be ignored. User response: Search the IBM support web site for information on the message. If you cannot resolve the problem, contact IBM Software Support. Severity: 24 CKR1512 Explanation: To provide the correct escaping of characters for XML output, zSecure tried to find the hexadecimal value of the hash character in the CCSID. The CCSID is specified by the CARLa option MY_CCSID. The conversion routine returned a null string or a string longer than 1 byte, which is unexpected. User response: Verify that the CCSID used on MY_CCSID is valid and that z/OS Support for Unicode is active and has the appropriate tables loaded. Severity: 24 CKR1513 Severity: 20 CKR1507 procedure called with invalid CSTD length length Explanation: An internal error in custom field processing occurred. Contact IBM Software Support. Severity: 24 [email protected]: Unexpected returned length length of hash character translation 'string' act_rec_length bytes read from CKFREEZE, expected_rec_length expected. Record: recid of CKFREEZE Explanation: An error has occurred if the actual NMI record length does not equal the expected NMI record length for the record (recid) that was read from the specified CKFREEZE data set (CKFREEZE). User response: Use this message to troubleshoot unexpected record truncation or I/O errors. Severity: 08 CKR1509 CKRMODF OTYPCSD Internal error. Reason Explanation: An internal error occurred in the overtype processing of custom fields. Contact IBM Software Support. Severity: 24 CKR1510 Incomplete INFO data returned- missing DNAM block Explanation: This message indicates an unexpected condition in node information data returned from the server. User response: If you do not miss information, ignore the message. If you miss information, look for the message on the IBM support web site. If you cannot find information about the message, contact IBM Software Support. Severity: 4 260 Messages Guide CKR1515 Duplicate sensitivity "senstype" on SIM CLASS=class RESOURCE=resname complex complex system system Explanation: This message is issued when a SIMULATE CLASS statement conflicts with a built-in sensitivity. This is an internal error. User response: See the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. Severity: 24 CKR1516 • CKR1559 CKR1516 Unexpected object type type Explanation: This message indicates that an internal error occurred. User response: See the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. Severity: 24 CKR1517 Error: no more space available in SEGCBIT field Explanation: This message can be caused by a corrupted RACF database being used, or by a program internal error. User response: See the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. Severity: 20 Explanation: All messages in this range are internal error messages generated as a result of internal consistency checking. Contact IBM Software Support. Severity: 24 Buffer name too small for ',(PROFILE,0)) Explanation: The named buffer is used for line command processing. It is too small to contain one profile name. User response: See the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. Severity: 24 CKR1554 CKR1555 CKRXINIT.CKRDBPUT function for ddname returned RC=rc - issuing USER ABEND 1555 Explanation: This message indicates that a CKRCARLA instance running as a server received a severe error while communicating with a client about RACF data being sent for ddname. An error this severe (rc is 12 or higher) is not recoverable. The server issues user ABEND 1555 to produce a summary dump. User response: Contact IBM Software Support. Severity: 20 CKR1556 CKRXINIT.CKRDBPUT: Unknown function code code for ddname Explanation: This message indicates that the routine to send RACF data from a server CKRCARLA instance to a client was invoked with an unintelligible function request in regard to ddname. The request is ignored. This message is followed by message CKR0809. You can suppress these messages. Severity: 24 CKR1518...CKR1519 message CKR1520 Severity: 20 CKRXINIT.CKRDBPUT OPEN for ddname returned RC=rc - issuing USER ABEND 1554 Explanation: This message indicates that a CKRCARLA instance running as a server received a severe error while communicating with a client about RACF data to be sent for ddname. An error this severe (rc is 12 or higher) is not recoverable. The server issues user ABEND 1554 to produce a summary dump. User response: Contact IBM Software Support. CKR1557 CKROUNIT.TLSDINIT: Conversion of fieldname1 to UTF-8 is not supported field fieldname2 at ddname line number. Explanation: This message can be suppressed; no conversion will be done. (Fieldname2 is the requested field, fieldname1 is the actual database field. They might differ if fieldname2 is a defined variable.) User response: Submit an error report and contact IBM Software Support. Severity: 24 CKR1558 CKROUNIT.TLSDINIT: Conversion of fieldname1 to EBCDIC is not supported field fieldname2 at ddname line number. Explanation: This message can be suppressed; no conversion will be done. (Fieldname2 is the requested field, fieldname1 is the actual database field. They might differ if fieldname2 is a defined variable.) User response: Submit an error report and contact IBM Software Support. Severity: 24 CKR1559 CKRLKPP.CKRIDID: Repeat group restriction for fieldname1 is not supported - field fieldname2 defined at ddname line number Explanation: Fieldname2 will show up empty in the generated report. This message can be suppressed. Chapter 5. CKR messages 261 CKR1560 • CKR1596 (Fieldname2 is the requested field, fieldname1 is the actual database field. They might differ if fieldname2 is a defined variable.) User response: Submit an error report and contact IBM Software Support. Severity: 24 CKR1560 Severity: 20 CKR1565 Unknown NDEI format - RRSF information is unavailable. Explanation: RRSF definitions could not be read. User response: Contact IBM software support. No support for simultaneous I/O to files file1 and file2 Explanation: This message documents that the zSecure Server does not support simultaneous I/O to different RACF databases on a remote server. The program issues user abend 1560. Severity: 08 CKR1566 DIRLIST parameter error. ZERRMSG=error_message Explanation: This message indicates that an internal error occurred while calling the DIRLIST service. User response: Modify the query to access only one security database per target server. User response: See the Electronic Support Web site for possible maintenance associated with this message. Severity: 20 If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. CKR1561 CKRSVPUT expects SVPUT instead of WKQR address type flags Severity: 24 Explanation: This is an internal error message. User response: Look for the message ID on the IBM support web site. If you do not find a solution, contact IBM Software Support. Severity: 24 CKR1562 CKRSVPUT unexpected function nn Explanation: This is an internal error message. It is followed by user abend 1562. User response: Look for the message ID on the IBM support web site. If you do not find a solution, contact IBM Software Support. CKRSVPUT invalid WKQRTYPE nn instead of file level SVPUT WKQR address type flags Explanation: This is an internal error message. User response: Look for the message ID on the IBM support web site. If you do not find a solution, contact IBM Software Support. Severity: 24 CKR1564 No support for simultaneous I/O to files FILE1 and FILE2 Explanation: This message documents that the zSecure Server does not support simultaneous I/O to different recipients over one remote file. The program issues user abend 1564. User response: Modify the query to perform fewer simultaneous I/O operations per target server. 262 Messages Guide ACCESS I/O stalled Explanation: Something is wrong in the TYPE=ACCESS I/O scheduler. This error is followed by user abend 1567. User response: See the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. Severity: 24 CKR1587 Severity: 24 CKR1563 CKR1567 CKAOUNIX.CKAFAID: Follow-on call with invalid token for auditid fileauditid system system complex complex index index Explanation: An unexpected condition occurred when a UNIX file audit ID was used to determine a path name and the resolution failed. Resolution is done, for example, to improve the quality of the path names in SMF reports. The system and complex names identify the CKFREEZE. This message can be suppressed. Follow the procedure that is described in “Contacting IBM Software Support” on page 469 to contact IBM Software Support. Severity: 24 CKR1596 CKRINLT: Called with invalid CALLTYPE type Explanation: Something is wrong in the newlist type input parser. The TYPE= specification is not recognized. User response: See the Electronic Support Web site for CKR1597 • CKR1702 possible maintenance associated with this message. If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. Format unresolved for fieldname at ddname line number Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKR1597 CKR1598 procedure parm eyecatcher not name Explanation: Verification of the calling parameters for procedure failed. Contact IBM Software Support. CKR1599 CKROUNIT internal error: OUTFSLCT without OUTFDEFV Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 Messages from 1600 to 1699 CKR1600 message Explanation: This message is issued in response to debugging options. If you need information about this message, contact IBM Software Support. Severity: 00 CKR1601 jobtag uses [derived|later] CICS dictionary [<system> <date time>] at ddname line recno Explanation: This informational message indicates the record that contains the CICS performance record dictionary that is used by all CICS performance records in the jobtag. The later flag value means that this record was written after the CICS performance records themselves. The derived flag value means that the SMF does not contain a matching CICS dictionary for the jobtag. In this case, a dictionary is derived from the performance records. For a derived dictionary, the message does not indicate the system date, time, and record number. Severity: 00 CKR1698 Elapsed/CPU x.xxxxxx/y.yyyyyy total e.eeeeee/c.cccccc msg mmmmmm Explanation: This message is written in response to a DEBUG PERFORM request, and gives the elapsed and CPU time since the previous CKR1698 (or program start for the first message), followed by the total elapsed and CPU time since program start. The times are in seconds with 6 digit accuracy to yield microseconds. The last part of the message gives the ISPF status message number. If the program was running as an ISPF application, there is a continuation line giving the actual content of the ISPF message as it would have been displayed on the screen if you had SUPPRESS MSGTIMER active. The CKR1698 messages and continuation lines are written independently of the SUPPRESS MSGTIMER setting. For an ISPF application, the elapsed time will include all the time the program was waiting for the user to issue commands. Severity: 00 Severity: 00 CKR1699 CKR1602..1697 message Explanation: These messages are in response to debugging options. If you need information about these messages, contact IBM Software Support. message Explanation: This message is in response to debugging options. If you need information about this message, contact IBM Software Support. Severity: 00 Messages from 1700 to 1799 CKR1700 C2ARULE: record record corrupted: offset out of Reconstruction Table Explanation: The indicated access rule record has an unexpected layout. It is probably corrupted. Contact IBM Software Support. unexpected layout. It is probably corrupted. Contact IBM Software Support. Severity: 20 CKR1702 Severity: 20 CKR1701 C2ARULE: record record corrupted: offset out of Dictionary Explanation: The indicated access rule record has an C2ARULE: record record corrupted: offset out of Data area Explanation: The indicated access rule record has an unexpected layout. It is probably corrupted. Contact IBM Software Support. Severity: 20 Chapter 5. CKR messages 263 CKR1703 • CKR1712 CKR1703 CKRPUTV.CKRPTCLS: Too many repeat group entries in staging area for fieldaddr fieldname; TLST recordaddr defined at ddname line number Explanation: While closing repeat group field an unexpectedly large number of repeat group entries was detected. This should have been prevented by earlier processing (see CKR1051). Contact IBM Software Support. The indicated record will show the field as empty. Severity: 24 CKR1704 CKRPRMSG.CKRM301: Message msgid has unexpected WHEN clause of type eyecatcher for DATASET profile volume Explanation: Contact IBM Software Support. Particularly valuable information in case of this error would be the msgid and what WHEN clauses the indicated profile actually has. The first four letters of the msgid indicate the function that is partially failing, for example, 'VPRM' for VERIFY PERMIT. Severity: 24 CKR1705 CKRPRMSG: Message msgid has unexpected WHEN clause of type eyecatcher for class profile Explanation: Contact IBM Software Support. Particularly valuable information in case of this error would be the msgid and what WHEN clauses the indicated profile actually has. The first four letters of the msgid indicate the function that is partially failing, for example, 'VPRM' for VERIFY PERMIT. Severity: 24 CKR1706 CKRPRMSG.CKRWPGM: Message msgid for PROGRAM profile with unexpected WHEN clause of type eyecatcher - hexvalue Explanation: Contact IBM Software Support. Particularly valuable information in case of this error would be the msgid and what WHEN clauses the indicated PROGRAM profile actually has. The first four letters of the msgid indicate the function that is partially failing, for example, 'VPRM' for VERIFY PERMIT. Severity: 24 CKR1707 CKRDDC: Undefined calltype hexvalue Explanation: Contact IBM Software Support. Severity: 24 CKR1708 Explanation: The indicated segment is not defined. Contact IBM Software Support. Severity: 20 CKR1709 Messages Guide CKATUID: RACFid UGID ugid NOT FOUND IN TUID TREE Explanation: A problem was encountered while building a look up tree from UNIX UIDs to RACF user IDs or from UNIX GIDs to RACF groups. This message will be followed by user ABEND 16. Contact IBM Software Support. Severity: 24 CKR1710 CKRCFV: Directory level error in system complex: from currdepth to newdepth for device dev at directoryname Explanation: A CKFREEZE record was encountered indicating an impossible directory switch in the file system dump being processed. The rest of the file system dump will be skipped. Contact IBM Software Support. The system and complex names identify the CKFREEZE; dev is the device number of the file system; directoryname is the last qualifier of the directory being switched to. Severity: 20 CKR1711 CKRCFV: Directory tree backup problem (number levels to go) in system complex for device dev at directoryname Explanation: A problem was encountered during a directory switch in a file system dump. Contact IBM Software Support. The rest of the file system dump will be skipped. The system and complex names identify the CKFREEZE; dev is the device number of the file system; directoryname is the last qualifier of the directory being switched to. Severity: 24 CKR1712 CKRCFV: Parent directory locate problem in system complex for device dev at directoryname Explanation: A problem was encountered during a directory switch in a file system dump. Contact IBM Software Support. The rest of the file system dump will be skipped. The system and complex names identify the CKFREEZE; dev is the device number of the file system; directoryname is the last qualifier of the directory being switched to. Severity: 24 264 CKRDDC: GENERAL SEGMENT segment not defined in TSEG CKR1713 • CKR1722 CKR1713 CKRCFV: Directory entry locate problem in system complex for device dev at directoryname Explanation: A problem was encountered during a directory switch in a file system dump. Contact IBM Software Support. The rest of the file system dump will be skipped. The system and complex names identify the CKFREEZE; dev is the device number of the file system; directoryname is the last qualifier of the directory being switched to. Severity: 20 Severity: 20 CKR1718 CKRCFV: Too many directory entries in directory system complex: pathname Explanation: The indicated directory appeared to have more directory entries than the supported directory array size allowed (currently more than a million). The rest of the file system dump is skipped. Contact IBM Software Support. The system and complex names identify the CKFREEZE; pathname is the absolute pathname of the problem directory. Severity: 20 CKR1714 CKRCFV: Directory entry record truncated in system complex for device dev at filename Explanation: A truncated CKFREEZE record for a UNIX directory entry was encountered. The record will be skipped. The system and complex names identify the CKFREEZE; dev is the device number of the file system; filename is the (possibly truncated) last qualifier of the file being skipped. Severity: 16 CKR1719 CKRCFV: Link locate problem in system complex for symlinkname Explanation: A CKFREEZE record for a symlink was found, but the specified symlinkname does not occur as a directory entry in the directory currently being processed for this system. Contact IBM Software Support. The record is skipped. The system and complex names identify the CKFREEZE; symlinkname is the last qualifier of the symlink. Severity: 20 CKR1715 CKRCFV: Empty relative name in system complex at pathname Explanation: A CKFREEZE record for a UNIX directory entry was encountered specifying an empty relative name. Contact IBM Software Support. The record will be skipped. The system and complex names identify the CKFREEZE; pathname is the absolute pathname for this record. Severity: 20 CKR1716 CKRCFV.CKRTDIRC: HFS root directory without '.' for system complex: mountpoint Explanation: On root directory close for the file system dump being processed it was noticed that no '.' entry had been processed (describing the characteristics of the root directory itself). Contact IBM Software Support. The root directory and the rest of the file system are discarded. The system and complex names identify the CKFREEZE; mountpoint is the absolute pathname for the file system's mount point. CKR1720 CKRCFV: Link contents but no link in system complex for linktarget Explanation: A CKFREEZE record with symlink contents was found, but no record with the symlink it pertains to (or that record was discarded--see CKR1717 and CKR1719). Contact IBM Software Support. The record is skipped. The system and complex names identify the CKFREEZE; linktarget is the pathname the symlink evaluates to. Severity: 20 CKR1721 CKRCFV: Directory entry attributes missing in system complex for pathname Explanation: A CKFREEZE record with symlink contents was found, but the directory entry associated with it is incomplete. Contact IBM Software Support. The record is skipped. The system and complex names identify the CKFREEZE; pathname is the absolute pathname of the symlink. Severity: 20 Severity: 20 CKR1722 CKR1717 CKRCFV: Link record but no current directory system complex: symlinkname Explanation: A CKFREEZE record for a symlink was found, but no directory is being processed on this system. Contact IBM Software Support. The record is skipped. The system and complex names identify the CKFREEZE; symlinkname is the last qualifier of the symlink. CKRCFV: Directory entry but no HFS selected in system complex: filename Explanation: A CKFREEZE record for a UNIX directory entry was encountered, but no file system dump had been started on the system. Contact IBM Software Support. The record is skipped and any subsequent CKFREEZEs records belonging inside a file system dump preceding the next explicit file system Chapter 5. CKR messages 265 CKR1723 • CKR1733 dump start are skipped as well. The system and complex names identify the CKFREEZE; filename is the last qualifier of the file being skipped. Severity: 20 CKR1723 CKRCFV: Directory entry but no directory selected in system complex for device dev: filename Explanation: A CKFREEZE record for a UNIX directory entry was encountered, but no directory had been selected. Contact IBM Software Support. The rest of the file system dump is skipped. The system and complex names identify the CKFREEZE; dev is the device number of the file system; filename is the last qualifier of the file being skipped. CKRCFV.CKRTDIRC: Directory close but no HFS selected for system complex noticed at record number Explanation: When winding up processing for the current UNIX directory, the indication what file system to add the directory to appeared missing. Contact IBM Software Support. The rest of the file system (if any) is skipped. The system and complex names identify the CKFREEZE; number is the record number in that CKFREEZE currently being processed (or possibly indicates an end of file condition). Severity: 20 CKR1728 CKRCFV.CKRTDIRC: Missing HFS for system complex: mountpoint Explanation: When winding up processing for the current UNIX directory, the file system to add the directory to appeared missing. Contact IBM Software Support. The rest of the file system is skipped. The system and complex names identify the CKFREEZE; the mountpoint identifies the file system's mount point, below which information will be missing. Severity: 24 CKR1726 CKRCFV: Previous directory not closed on open in system complex: pathname Explanation: When starting on the construction of a new UNIX directory, the previous one appeared to be unclosed. Contact IBM Software Support. The previous directory is closed before processing continues in an attempt to recover from this unexpected condition. The system and complex names identify the CKFREEZE; pathname is the absolute pathname of the directory being opened. Severity: 24 266 Messages Guide CKRFTRDN: Illegal call type type Explanation: Contact IBM Software Support. Severity: 24 Illegal extended relocate section type smftype in DD dd RecNo number type type Explanation: In the SMF record (record type smftype) indicated by the DD and recordnumber an illegal data type was encountered. This extended relocate section will be skipped. Any reports concerning this record might be incomplete. This message is usually the result of a corruption in the indicated record. Severity: 20 CKR1731 Severity: 24 CKR1725 Illegal FLTRNAME value in profile key : fieldvalue Explanation: This message indicates that the FLTRNAME field of the profile mentioned did not contain the character used to separate the issuers and subjects distinguished names (hex 4A). This is probably the result of a corrupted RACF database. CKR1730 Severity: 20 CKR1724 CKR1727 CKRPUTV.CKRPTSRT: Missing sort routine for fieldaddr fieldname defined at ddname line number Explanation: The indicated repeat group field is in a special format and requires a special sort routine but none has been provided. Contact IBM Software Support. The repeat group will not be sorted. Severity: 24 CKR1732 module: Called with invalid column fieldaddr fieldname defined at ddname line number Explanation: The ACL or CONNECTS explode routine noticed that the column passed to it did not have the correct format. Contact IBM Software Support. Severity: 24 CKR1733 CKRXPLD: Storage leak for column fieldaddr fieldname defined at ddname line number Explanation: The ACL explode routine noticed that the column passed to it would not free the exploded ACLs stored to it. Contact IBM Software Support. Severity: 24 CKR1734 • CKR1745 CKR1734 CKRPUTV.CKRDELST: Cannot separately delete type field fieldaddr fieldname defined at ddname line number Explanation: The record delete routine was called to delete a field for a column that has nothing stored to it. If type is linked it is an alias of another column. If type is internal it is an auxiliary column. Contact IBM Software Support. Severity: 24 resulting location was not a directory. Contact IBM Software Support. Severity: 24 CKR1740 TMNT without THFS at callid for system system : TMNTaddr. hexvalue; mountpoint Explanation: A mount point without associated file system was encountered. Contact IBM Software Support. Severity: 24 CKR1735 routine: Called for type field fieldaddr fieldname defined at ddname line number Explanation: routine was called for an unsupported column type. If type is linked, it is an alias of another column. If type is hidden or internal, it is not supposed to yield any output. The routine can be CKRPUTV.CKRIRPT (repeat group open) or CKRPUTV.CKRPTCLS (repeat group close). Contact IBM Software Support. Severity: 24 CKR1736 CKRPRTFL.CKRGETV: Flush for type field fieldaddr fieldname defined at ddname line number Explanation: The get value routine was called to flush the cache for a column that has no cache. If type is linked it is an alias of another column. If type is internal it is an auxiliary column. Contact IBM Software Support. Severity: 24 CKR1737 CKR1741 CKRCFV: Directory switch but no HFS selected in system complex: directory Explanation: A CKFREEZE record for a UNIX directory switch was encountered, but no file system dump had been started on the system. Contact IBM Software Support. The record is skipped and any subsequent CKFREEZEs records belonging inside a file system dump preceding the next explicit file system dump start are skipped as well. The system and complex names identify the CKFREEZE; directory is the last qualifier of the directory being switched to. Severity: 20 CKR1742 Missing SDIR array at callid for system system: TMNTaddr TDIRaddr; mountpoint . Explanation: A file system without top level subdirectory search structure was encountered. Contact IBM Software Support. Severity: 24 CKAOUDSN: Unexpected profile type type for volume dsname CKR1743 Missing inner root at callid for system system: TMNTaddr; mountpoint Explanation: Contact IBM Software Support. The PROFILE field in TYPE=DSN will be missing for this data set. Explanation: A file system without root directory was encountered. Contact IBM Software Support. Severity: 24 Severity: 24 CKR1738 CKAOUDSN: Missing TVOL for volume dsname Explanation: Contact IBM Software Support. The following fields in TYPE=DSN may be erroneously false, blank or missing for this data set: IS_MOUNTED, IS_MIGRATED, IN_VTOC, IN_VVDS, REAL_DSNAME, REAL_VOLUME, UNITTYPE, BOX_SERIAL. Severity: 24 CKR1739 CKR1744 Explanation: A UNIX file without attributes was encountered. Contact IBM Software Support. Severity: 24 CKR1745 CKAOUNIX: Parent is not a directory filetype system TMNTaddr TDIRaddr DIREaddr filename ; dev directory Explanation: During UNIX pathname resolution following a '..' (parent) specification, it turned out the Missing TATT at callid for system system: TMNTaddr TDIRaddr DIREaddr filename ; dev directory ADDTHOM: Missing INODE index for system system mount point mountpoint Explanation: Contact IBM Software Support. In TYPE=UNIX newlists the HOME_OF field and AUDITCONCERN may be incomplete, and AUDITPRIORITY may be too low for files in the indicated file system. Chapter 5. CKR messages 267 CKR1746 • CKR1755 Severity: 24 CKR1746 CKR1751 ADDTHOM: Missing INODE index entry inode for system system mount point mountpoint Explanation: Contact IBM Software Support. In TYPE=UNIX newlists the HOME_OF field and AUDITCONCERN may be incomplete, and AUDITPRIORITY may be too low for files in the indicated file system with the reported inode. CKRCFV: UNIX ACL record but no current directory for system complex device dev at filename Explanation: A CKFREEZE record with a UNIX ACL was encountered, but no directory was being processed. Contact IBM Software Support. The record is skipped. The system and complex names identify the CKFREEZE; dev is the device number of the file system; filename is the last qualifier of the file the ACL belongs to. Severity: 20 Severity: 24 CKR1752 CKR1747 Missing HFS up link at callid from DIREaddr1 on system system while processing DIREaddr2 relativepathname Explanation: A root directory entry DIRE1 could not be related to its file system. This may cause the path evaluation for DIRE2 to fail, which may cause incorrect output for the ATTR, AUDITCONCERN and AUDITPRIORITY fields. Contact IBM Software Support. CKRCFV: UNIX ACL locate problem in system complex for device dev at filename Explanation: A CKFREEZE record with a UNIX ACL was encountered that did not belong to directory being processed. Contact IBM Software Support. The record is skipped. The system and complex names identify the CKFREEZE; dev is the device number of the file system; filename is the last qualifier of the file the ACL belongs to. Severity: 20 Severity: 24 CKR1753 CKR1748 Missing up link at callid from volume FSname on system system while processing DIREaddr2 relativepathname Explanation: The indicated file system does not appear to be mounted on some directory on this system as expected. This may cause the path evaluation for DIRE2 to fail, which may cause incorrect output for the ATTR, AUDITCONCERN and AUDITPRIORITY fields. Contact IBM Software Support. Severity: 24 CKR1749 Explanation: Contact IBM Software Support. Severity: 24 CKR1750 Explanation: A CKFREEZE record with a UNIX ACL was encountered, but the directory entry associated with it is incomplete. Contact IBM Software Support. The record is skipped. The system and complex names identify the CKFREEZE; pathname is the absolute pathname of the file the ACL belongs to. Severity: 20 CKR1754 Orphan instance in program : volser datasetname complex complex [version] CKRCFV: Mount info but no mount point selected for system complex noticed at record number Explanation: A CKFREEZE record with mount point information was encountered that could not be related to a preceding mount point. Contact IBM Software Support. The record is skipped. The system and complex names identify the CKFREEZE; number is the record number in that CKFREEZE currently being processed. Severity: 20 Messages Guide CKRCFV: UNIX ACL record entry name truncated for system complex for device dev at filename Explanation: A truncated CKFREEZE record with a UNIX ACL was encountered. The record will be skipped. The system and complex names identify the CKFREEZE; dev is the device number of the file system; filename is the last qualifier of the file the ACL belongs to. Severity: 16 CKR1755 CKRCFV: UNIX ACL record but no mount point selected for system complex pathname Explanation: A CKFREEZE record with a UNIX ACL was encountered, but no file system was being processed. Contact IBM Software Support. The record is skipped. The system and complex names identify the CKFREEZE; pathname is the relative pathname of the file the ACL belongs to. Severity: 24 268 CKRCFV: Directory entry attributes missing in system complex for pathname CKR1756 • CKR1767 CKR1756 CKRCFV: UNIX ACL record has unexpected eyecatcher eyecatcher for system complex pathname CKR1761 CKRCFV: Duplicate UNIX type ACL in system complex for pathname Explanation: A CKFREEZE record with a UNIX ACL was encountered, but the ACL record was not recognized. Contact IBM Software Support. The record is skipped. The system and complex names identify the CKFREEZE; pathname is the absolute pathname of the file the ACL belongs to. Explanation: A second CKFREEZE record with a UNIX ACL of the indicated type was encountered for the same file. The type can be access, default or fdefault. Contact IBM Software Support. The record is skipped. The system and complex names identify the CKFREEZE. pathname is the absolute pathname of the file. Severity: 20 Severity: 20 CKR1757 CKRCFV: UNIX ACL record has unexpected version version for system complex pathname Explanation: A CKFREEZE record with a UNIX ACL was encountered, but the ACL record version was not recognized. Contact IBM Software Support. The record is skipped. The system and complex names identify the CKFREEZE; pathname is the absolute pathname of the file the ACL belongs to. Severity: 16 CKR1758 CKRCFV: UNIX ACL record has no ACL entries for system complex pathname CKR1762 Explanation: No outstanding I/O was found, yet waiting for I/O on an unload complex. Contact IBM Software Support. Severity: 24 CKR1763 Severity: 24 CKR1764 Severity: 20 Severity: 24 CKRCFV: UNIX ACL record truncated for system complex pathname Explanation: A CKFREEZE record with a UNIX ACL was encountered, but the ACL record was too small to contain all the entries it declared to contain. Only the entries actually contained in the record are processed. The system and complex names identify the CKFREEZE; pathname is the absolute pathname of the file the ACL belongs to. Severity: 16 CKR1760 CKRCFV: UNIX ACL record but no current directory for system complex device dev Explanation: A CKFREEZE record with a UNIX ACL was encountered for the mount point root itself , but the corresponding directory could not be located. Contact IBM Software Support. The record is skipped. The system and complex names identify the CKFREEZE; dev is the device number of the file system. Severity: 24 Internal error - database I/O stalled Explanation: No outstanding I/O was found, yet waiting for I/O on a non-unload complex. Contact IBM Software Support. Explanation: A CKFREEZE record with a UNIX ACL was encountered, but the ACL record was too small to contain any entries. Contact IBM Software Support. The record is skipped. The system and complex names identify the CKFREEZE; pathname is the absolute pathname of the file the ACL belongs to. CKR1759 Internal error - database I/O stalled Internal error - database I/O stalled Explanation: No complex was found with pending I/O. Going ahead anyway, but this may cause synchronization problems or no profile selection. Contact IBM Software Support. CKR1765 Internal error - no OUTS for fieldaddr fieldname defined at ddname line number Explanation: This message indicates a failure in FIELD restrict processing. Contact IBM Software Support. Severity: 24 CKR1766 Internal error - no OUTS for fieldaddr1 fieldname1 lookup for fieldaddr2 fieldname2 defined at ddname line number Explanation: This message indicates a failure in FIELD restrict processing. Contact IBM Software Support. Severity: 24 CKR1767 Internal error- no OUTS for display1 OUTF fieldaddr fieldname defined at ddname line number Explanation: This message indicates a failure in FIELD restrict processing. Contact IBM Software Support. Severity: 24 Chapter 5. CKR messages 269 CKR1768 • CKR1781 CKR1768 Internal error- no OUTS for display2 OUTF fieldaddr fieldname defined at ddname line number CKR1775 Invalid $NOVTOC in program: volser dsname Explanation: This message indicates a failure in FIELD restrict processing. Contact IBM Software Support. Explanation: This message indicates an internal error in the VERIFY PROGRAM processing. Contact IBM Software Support. Severity: 24 Severity: 24 CKR1769 CKRRDVAL internal error: inconsistent call: parameter area Explanation: Verification of the calling parameters for CKRRDVAL failed. Contact IBM Software Support. Severity: 20 CKR1776 Invalid $ANYMISSINGVTOC in program: volser dsname Explanation: This message indicates an internal error in the VERIFY PROGRAM processing. Contact IBM Software Support. Severity: 24 CKR1770 Orphan iplvol in program : member complex complex [version] CKR1777 Explanation: Contact IBM Software Support. Explanation: This message indicates an internal error in the VERIFY PROGRAM processing. Contact IBM Software Support. Severity: 24 CKR1771 CKRPRLST.DTMODS2: No OUD2 found for fieldaddr fieldname defined at ddname line number Explanation: An error occurred while determining the buffer length for modification of a field on the detail display (with overriding length 0). Contact IBM Software Support. Severity: 24 CKR1772 Invalid $NOVTOC in program: volser dsname Duplicate vol/dsn combination in program profile program: volser dsname complex complex version Severity: 24 CKR1778 Missing $ANYMISSINGVTOC or $ANYMISSINGMIGC in program: volser dsname Explanation: This message indicates an internal error in the VERIFY PROGRAM processing. Contact IBM Software Support. Severity: 24 CKR1779 Invalid $NOTMOUNTED in program: volser dsname Explanation: This message indicates an internal error in VERIFY PROGRAM or VERIFY PGMEXIST processing. It may point to an inconsistency in the security database. Contact IBM Software Support. Explanation: This message indicates an internal error in the VERIFY PROGRAM processing. Contact IBM Software Support. Severity: 20 Severity: 24 CKR1773 Missing TVOL for program: volser dsname complex complex [version] CKR1780 Invalid $VTOCUNREADABLE in program: volser dsname Explanation: This message indicates an internal error in the VERIFY PROGRAM or VERIFY PGMEXIST processing. Contact IBM Software Support. Explanation: This message indicates an internal error in the VERIFY PROGRAM processing. Contact IBM Software Support. Severity: 24 Severity: 24 CKR1774 Invalid instance in program: volser dsname complex complex [version] CKR1781 Invalid $NOVTOC in program: volser dsname Explanation: This message indicates an internal error in the VERIFY PROGRAM or VERIFY PGMEXIST processing. Contact IBM Software Support. Explanation: This message indicates an internal error in the VERIFY PROGRAM processing. Contact IBM Software Support. Severity: 24 Severity: 24 270 Messages Guide CKR1782 • CKR1791 CKR1782 Invalid $NOVTOC in program: volser dsname Explanation: This message indicates an internal error in the VERIFY PROGRAM processing. Contact IBM Software Support. condition); contact IBM Software Support. Severity: 20 (or 0) CKR1788 Severity: 24 CKR1783 CKROUNIT internal error OUTF$SLFN$LOOKUP without TLUD for fieldname ddname line number Explanation: An unrecoverable error occurred while processing fieldname. Contact IBM Software Support. Severity: 24 CKR1784 Non-SLFN lookup fieldname Explanation: A lookup was attempted for fieldname, but the required structures were not present. Contact IBM Software Support. Severity: 24 CKR1785 ADDTHOM: No free INODE index entry inode for system system mount point pathname Explanation: Contact IBM Software Support. In TYPE=UNIX newlists the HOME_OF field and AUDITCONCERN may be incomplete, and AUDITPRIORITY may be too low for files in the indicated file system with the reported inode. CKR1786 routine: No THOM for IHOM hexaddr dev device inode inode Explanation: Contact IBM Software Support. In TYPE=UNIX newlists the HOME_OF field and AUDITCONCERN may be incomplete, and AUDITPRIORITY may be too low for files in the indicated file system with the reported inode. Severity: 24 CKR1787 Explanation: The indicated device (a file system) has the same audit ID as another device that was encountered earlier. Lookups from file audit IDs to files in this file system will either fail or yield erroneous results that point to the other device. The system and complex names identify the CKFREEZE. This message can be issued when multiple HFS or ZFS files have the same file system audit ID. See the overview of the zFS audit identifier in the zFS administration guide in the z/OS documentation for guidelines on how to implement the unique auditid capability in your z/OS UNIX environment. You can use the MOUNT report in RE.U.R to look up information about the device. You can use OPTION MSGRC=(1788,rc) to change the severity of the message. User response: See the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. Severity: 20 (unless changed by the MSGRC parameter of the OPTION statement) CKR1789 Severity: 24 CKRCFV: File audit id mismatches inode in system complex for device dev: filename Explanation: The file audit ID checked for the indicated file has an unexpected layout. Lookups from file audit ids to files in this file system will not be performed. The system and complex names identify the CKFREEZE; filename is the last identified of the file checked, which is in the root directory of the indicated device. When this message is issued for a zFS file system for a z/OS release that is not supported, this message is issued with severity 0 (informational). Otherwise, it is issued with severity 20 (unsupported CKRCFV: File system audit id auditid not unique on system system complex device dev unindexed CKRCKGF.CKRUSRG: Called for invalid tag tag (dec) Explanation: The USR subselection routine encountered an unintelligible request. Contact IBM Software Support. Severity: 24 CKR1790 CKRSEL.CKRCOMFV: Called for invalid tag tag (dec) Explanation: The normal ACL (early) subselection routine encountered an unintelligible request. Contact IBM Software Support. Severity: 24 CKR1791 CKRSEL.CKRC2MFV: Called for invalid tag tag (dec) Explanation: The conditional ACL (early) subselection routine encountered an unintelligible request. Contact IBM Software Support. Severity: 24 Chapter 5. CKR messages 271 CKR1792 • CKR1901 CKR1792 routine: No literal stored for fieldaddr fieldname defined at ddname line number Explanation: The cache for a field that is supposed to have a fixed value is empty. The field will show up empty. Contact IBM Software Support. CKRPUTV.CKRDELST function: Unfinished restage - now at TLST recordaddr Explanation: During the indicated delete list function for the indicated record it was noted that a preceding restage function had failed to complete. Contact IBM Software Support. Severity: 24 CKR1794 CKRPRTFL.CKRGETV function: Unfinished restage - now at fieldaddr fieldname defined at ddname line number Severity: 24 Severity: 24 Explanation: A restage request for field fails, because the current program state does not allow the restage; the field will show up empty. Contact IBM Software Support. CKRPRTFL.CKRGETV: No staging area for fieldaddr fieldname defined at ddname line number Explanation: A restage request for field fails, because the required staging area has not been allocated; the field will show up empty. Contact IBM Software Support. Severity: 24 CKR1799 CKRPRTFL.CKRGETV: Not ready for restage of fieldaddr fieldname defined at ddname line number CKRPRTFL.CKRGETV: Cannot restage fieldaddr fieldname for record recordaddr1 while staging recordaddr2 defined at ddname line number Explanation: A restage request for field fails, because the same field is still being staged for a different record; the field will show up empty. Contact IBM Software Support. CKR1798 Explanation: During the indicated get value function for the indicated field it was noted that a preceding restage function had failed to complete. Contact IBM Software Support. CKR1795 Severity: 24 CKR1797 Severity: 24 CKR1793 Explanation: A restage request for field1 fails, because the staging area is being used for field2; field1 will show up empty. Contact IBM Software Support. CKRPRTFL.CKRGETV: Staging area too small for fieldaddr fieldname defined at ddname line number Explanation: A restage request for field fails, because the required staging area is too small; the field will show up empty. Contact IBM Software Support. Severity: 24 Severity: 24 CKR1796 CKRPRTFL.CKRGETV: Cannot restage fieldaddr1 fieldname1 while staging fieldaddr2 fieldname2 defined at ddname line number Messages from 1800 to 1899 CKR1800...CKR1899 message Explanation: These messages are in response to debugging options. If you need information about these messages, contact IBM Software Support. Severity: 00 Messages from 1900 to 1999 CKR1900 Nonzero RDJFCB return code RACFDB complex complex Explanation: The RDJFCB SVC returned a nonzero return code for one of the CKRACFnn files. Contact IBM Software Support. 272 Messages Guide Severity: 16 CKR1901 CKREPNDF: PERM$OWN PERMXREF not TRID complex complex version Explanation: Contact IBM Software Support. CKR1902 • CKR1916 Severity: 24 Severity: 24 CKR1902 CKREPNDF: PERMXREF invalid with NONDEFAULT complex complex version CKR1910 Explanation: Contact IBM Software Support. Severity: 24 CKR1903 CKROUGRP: PERMXREF invalid with OUTOFGROUP on complex complex version CKRVPRM.CHKSTPR: STARTED profile but VERIFY STC active; type type call for id id Explanation: VERIFY PERMIT processing for STARTED profiles detected it should not have been called for the reported STARTED profile because VERIFY STC is also active. Contact IBM Software Support. Severity: 24 Explanation: Contact IBM Software Support. CKR1911 Severity: 24 Undefined ID identity without PERM Explanation: Contact IBM Software Support. CKR1904 CKRPRTFL.CKRGETV: Value pointer is NIL for fieldaddr fieldname; TLST recordaddr defined at ddname line number Explanation: Contact IBM Software Support. Severity: 24 CKR1912 Undefined ID identity PERM w/o XREF Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKR1905 CKROURPT: PERMXREF points to PERM CKR1913 Explanation: Contact IBM Software Support. CKRVPRM: No PERMXREF handling for type Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKR1906 CKRSPERM called with nil CKRELEM Explanation: Contact IBM Software Support. Severity: 24 CKR1907 CKRSTNVD: Secondary volume empty CKRELEM Severity: 24 Severity: 24 CKR1915 TRID missing group from TRCO user/group Explanation: Contact IBM Software Support. CKRSTPDA Secondary volume finds empty CKRELEM Explanation: Contact IBM Software Support. Severity: 24 CKR1916 Severity: 24 CKR1909 Unknown error message type for volser datasetname Explanation: Contact IBM Software Support. Explanation: Contact IBM Software Support. CKR1908 CKR1914 routine: WHERE clause improperly treated for fieldaddr fieldname defined at ddname line number Explanation: Contact IBM Software Support. The indicated field is a 'late' field that contains a WHERE clause. A true result for the clause was not properly handled. The resulting variable instance will probably be empty. routine can be CKRPUTV or CKRPUTV.CKROUCLS depending when the erroneous condition was noted. CKRFSTC: no default group found for user at member procedure under profile profile Explanation: This internal error is issued when no default group is found for a STARTED profile with a valid STUSER user but no STGROUP specification during processing for task procedure. VERIFY STC will further ignore this condition, REPORT STC will report the undefined user being used. Contact IBM Software Support. Severity: 24 Chapter 5. CKR messages 273 CKR1917 • CKR1933 CKR1917 Unsupported comparand type bbbb CKR1926 Explanation: Contact IBM Software Support. CKRSTPMB with invalid CKRELEM type complex complex version Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKR1918 Premature end-of-file on ddname reading blk nnn computed last block is mmm CKR1927 Explanation: Contact IBM Software Support. Severity: 20 CKR1919 Explanation: Contact IBM Software Support. Internal error: TGDAQUAL=0 for profile Explanation: Contact IBM Software Support. Severity: 24 CKR1928 Severity: 24 CKR1920 TNVR for TPMB not TNVD or TGDA but xxxx - dsname vol system sys complex complex version CKRFLD internal error searching field Explanation: Contact IBM Software Support. TNVR not TNVD or TGDA but xxxx dsname vol system sys complex complex version Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKR1929 CKR1921 CKRCFV: Mount record truncated for UNIX device dev in system system complex complex Explanation: A CKFREEZE mount record was found specifying a mount point path that was longer than fit in the record. The mount point path is truncated, but processing continues. Explanation: The base segment for general resource profiles appears to be undefined in this RACF database. Indexed database read processing cannot guarantee complete output for the RACMAP_REGISTRY field. A run with SUPPRESS INDEX might provide more complete output. Severity: 20 Severity: 16 CKR1922 CKRXINIT.CKRDIDID: GENERAL BASE not defined in TSEG CKRSTELM called invalidly CKR1930 CKROURPT missing PERMWHEN on key Explanation: Contact IBM Software Support. Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKR1923 CKRSPERM1 unsupported - field CKR1931 Explanation: Contact IBM Software Support. CKROURPT no PERMWHEN support for type on key Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKR1924 CKRSPERM2 unsupported - field Explanation: Contact IBM Software Support. Severity: 24 CKR1925 CKR1932 Explanation: Contact IBM Software Support. GET$PMB: invalid program program referred for volser - datasetname Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKR1933 Messages Guide Internal error: mcat processed also on system for system catvol catname Explanation: Contact IBM Software Support. Severity: 24 274 CKROURPT PERMWHEN expected type1 found type2 CKR1934 • CKR1949 CKR1934 No connected ctlg catname for system cluster CKR1942 TNVR not TNVD/TGDA/NOPR but type - volume dsname complex complex [version] Explanation: Contact IBM Software Support. Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKR1935 Dircat w/o ctlg catname for system cluster name CKR1943 type internal error: string [ at ddname and RecNo number ] Explanation: Contact IBM Software Support. Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKR1936 TNVR has no sys sections, skipped volume dsname CKR1944 CKRVPRM TRID address invalid id to name Explanation: Contact IBM Software Support. Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKR1937 CKROURPT Unknown report type type CKR1945 Explanation: Contact IBM Software Support. Severity: 24 CKR1938 Section missing for type hexlength #sys=number #cmplx=number - issuing abend 1938 Explanation: This message may hamper operation if you try to analyze an old CKFREEZE file or an incomplete CKFREEZE file. If this is not the case, contact IBM Software Support. CKRACTM: CKRGETV returned RC=rc for fieldaddr fieldname; TLST recordaddr; token token defined at ddname line number Explanation: The action-on-modify routine was unable to retrieve the previous value of the indicated field. Contact IBM Software Support. The modify action will fail. Severity: 24 CKR1946 routine merged TLST invalid Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKR1939 More than one DATASET profile for dataset volume dsname CKR1947 Explanation: Contact IBM Software Support. Severity: 24 CKR1940 Explanation: Contact IBM Software Support. Tape volumes in unexpected profile type typ1 and typ2 complex complex version Explanation: Volume serials were encountered in unexpected profile types (for example, in a generic TAPEVOL profile). Contact IBM Software Support. Severity: 24 CKR1941 CKRPRTFL.CKRGETV: Unknown cache method xx for fieldaddr fieldname; TLST recordaddr defined at ddname line number Missing default group for defined user id complex complex [version] Severity: 24 CKR1948 CKRCFV: Directory entry during HFS switch for system complex to mountpoint Explanation: A CKFREEZE record for a UNIX directory entry was encountered while the start of a new file system dump had not completed yet. Contact IBM Software Support. The rest of the file system dump is skipped. Severity: 20 Explanation: Contact IBM Software Support. Severity: 24 CKR1949 CKRCFV: Duplicate HFS dump for system complex FSvolser FSdatasetname Explanation: A file system dump was encountered while a dump for that file system had already been processed before. Contact IBM Software Support. This Chapter 5. CKR messages 275 CKR1950 • CKR1963 file system dump is skipped. CKR1957 Severity: 20 CKR1950 Internal error - beadcont address . hexvalue * char-value * Explanation: Contact IBM Software Support. CKRPRTFL.CKRGETV: Unknown function call number for fieldaddr fieldname; TLST recordaddr defined at ddname line number Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKR1958 CKR1951 CKRPUTV.CKRPTCLS: Invalid repeat close for fieldaddr fieldname; TLST recordaddr defined at ddname line number Explanation: Contact IBM Software Support. The indicated field for the indicated record will not be stored. CKR1952 Explanation: Contact IBM Software Support. Severity: 24 CKR1959 Severity: 24 CKRPUTV: Invalid element length length for fieldaddr fieldname defined at ddname line number CKRPRTFL.CKRGETV: Invalid token token requested for fieldaddr fieldname; TLST recordaddr; fn code; cachetoken defined at ddname line number CKRPRTFL.CKRGETV: Link is NIL for fieldaddr fieldname; TLST recordaddr defined at ddname line number Explanation: Contact IBM Software Support. Severity: 24 Explanation: Contact IBM Software Support. CKR1960 Severity: 24 CKR1953 CKRPATT: nil MGEN at pattern field CKRPRTFL.CKRGETV: Cache invalid for link from fieldaddr1 fieldname to fieldaddr2; TLST recordaddr; flg flags defined at ddname line number Explanation: Contact IBM Software Support. Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKR1954 CKRPRTFL: Unknown format outputformat for fieldaddr fieldname at ddname line number CKR1961 Explanation: Contact IBM Software Support. Severity: 24 CKR1955 Explanation: Contact IBM Software Support. CKRPUTV: Unknown storage method xx requested for fieldaddr fieldname defined at ddname line number Severity: 24 CKR1962 Explanation: Contact IBM Software Support. Severity: 24 CKR1956 CKRPRTFL.CKRGETV: Unknown storage method xxyy for fieldname; TLST recordaddr; OUTFs fieldaddr1 fieldaddr2 defined at ddname1 line number1 at ddname2 line number2 CKRPUTV: Unknown repeat group storage method xx requested for fieldaddr fieldname defined at ddname line number Explanation: Contact IBM Software Support. CKRPRTFL.CKRGETV: Repeat group address is NIL for fieldaddr fieldname; TLST recordaddr defined at ddname line number Explanation: Contact IBM Software Support. Severity: 24 CKR1963 Severity: 24 CKRPRTFL.CKRGETV: Repeat group entry length 0 for fieldaddr fieldname; TLST recordaddr defined at ddname line number Explanation: Contact IBM Software Support. Severity: 24 276 Messages Guide CKR1964 • CKR1976 CKR1964 CKRPRTFL.CKRGETV: a b/c entries in fieldaddr fieldname; TLST recordaddr defined at ddname line number Explanation: Contact IBM Software Support. CKR1970 routine: Invalid list header - TLHD listaddr. hexvalue * charvalue * Explanation: Contact IBM Software Support. Severity: 24 Severity: 24 CKR1971 CKR1965 CKRPRTFL.CKRGETV: Decompress of xx for fieldaddr fieldname via yy (zz) failed; TLST recordaddr defined at ddname line number Explanation: Contact IBM Software Support. routine: Invalid list line - TLST recordaddr. hexvalue * charvalue * Explanation: Contact IBM Software Support. This message is followed by user ABEND 16. If the message is suppressed, processing continues. Severity: 24 Severity: 24 CKR1972 CKR1966 SMF record number length discrepancy between RDW (len1) and input routines (len2) in ddname volser dsn Explanation: The length returned by the SMF input routines differs from the length seen in the SMF record's RDW. The record will be skipped. Contact IBM Software Support. Severity: 24 CKR1967 Explanation: Contact IBM Software Support. The problem may possibly be circumvented by specifying SUPPRESS INDEX or BDAMQSAM. Severity: 24 CKR1973 CKRPRTFL.CKRGETV: Record descriptor mismatch for fieldaddr fieldname: descriptor1; TLST recordaddr: descriptor2 defined at ddname line number Explanation: Contact IBM Software Support. CKRDEXB: Requested rel blk block not in cache start-end for ddname volser dsname CKRSTPL.CKRCLST: For a MERGELIST the primary TLHD must be supplied Explanation: Contact IBM Software Support. If this error occurs the output records may appear in the wrong sort order. Severity: 24 Severity: 24 CKR1974 CKR1968 CKRPUTV: Entry length actual instead of expected for fieldaddr fieldname defined at ddname line number Explanation: The indicated field was supposed to have values of a fixed length as indicated by expected, but an entry with length actual was encountered. Due to the chosen storage method the entry cannot be stored now. If you are running zSecure for RACF, refer to the documentation for the VARLEN output modifier in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual for information about troubleshooting the problem in the database. If the error is not found in the database or you are running zSecure on another platform, contact IBM Software Support. Severity: 16 CKR1969 Explanation: Apparently two repeat groups are being constructed at the same time. This is not supported and the "nested" calls for field1 are ignored, i.e., the values are discarded. Contact IBM Software Support. Severity: 24 CKR1975 CKRXINIT: no key/mask/class Explanation: Contact IBM Software Support. The problem may possibly be circumvented by specifying SUPPRESS INDEX or BDAMQSAM. Severity: 24 CKROUNIT: Unknown summary statistic xx for fieldname at ddname line number Explanation: Contact IBM Software Support. Severity: 24 CKRPUTV: Late call for fieldaddr1 fieldname1 but repeat group open for fieldaddr2 fieldname2 defined at ddname line number CKR1976 CKRXINIT: key has length 0 Explanation: Contact IBM Software Support. The problem may possibly be circumvented by specifying SUPPRESS INDEX or BDAMQSAM. Severity: 24 Chapter 5. CKR messages 277 CKR1977 • CKR1989 CKR1977 CKRDIXB: in cache not found Explanation: Contact IBM Software Support. The problem may possibly be circumvented by specifying SUPPRESS INDEX or BDAMQSAM. Severity: 24 CKR1985 Severity: 24 CKR1978 Ready RFDS but state is state Explanation: Contact IBM Software Support. Severity: 24 CKR1979 CKRLKPP: Unspecified kind of repeat group restriction for fieldaddr fieldnamedefined at ddname line number Explanation: An error occurred when processing the indicated field. The field will not be output. This message can be suppressed. Contact IBM Software Support. Severity: 24 CKRPUTV.CKRIRPT: Late open for fieldaddr1 fieldname1 but repeat group open for fieldaddr2 fieldname2 defined at ddname line number Explanation: The area used for building repeat groups and constructing late columns is explicitly opened for field1, but it should have been closed for field2 first; the close processing for field2 will be performed now before the requested open processing in an attempt to recover from this condition. Contact IBM Software Support. Severity: 24 CKR1986 CKRPUTV.CKRPTSRT: Unexpected element size size for fieldaddr fieldname defined at ddname line number Explanation: There appears to be something wrong with repeat group field; the current repeat group will not be sorted. Contact IBM Software Support. Severity: 24 CKR1980 CKRLKPP: Unintelligible request xx for fieldaddr fieldname defined at ddname line number in type CKR1987 Explanation: Contact IBM Software Support. Severity: 24 CKR1981 CKRPATT: undefined generic type to be added to MTAB Explanation: Contact IBM Software Support. Severity: 24 CKR1982 CKRPUTV: Early call for late field fieldaddr fieldname defined at ddname line number Explanation: The indicated field is supposed to be constructed in a later stage; this call is ignored. Contact IBM Software Support. Severity: 24 CKR1984 routine: Invalid column - OUTF fieldaddr. hexvalue * charvalue * Explanation: Contact IBM Software Support. This message is followed by user ABEND 16. If the message is suppressed, processing continues. 278 Severity: 24 C2ARULE: backward reference found at first entry Severity: 24 CKR1983 Explanation: Apparently there are multiple fieldvalues for a single record, but the field is not declared as a repeat group. The secondary values will be discarded. Contact IBM Software Support. CKR1988 Explanation: Contact IBM Software Support. Messages Guide CKRPUTV: Multi-valued non-repeat field fieldaddr fieldname defined at ddname line number CKRPUTV.CKRDELST function: Record recordaddr still open for output for fieldaddr fieldname defined at ddname line number Explanation: The indicated delete list function would delete a record that is still under construction. Since a later write to an already deleted record could wreak havoc and recovery from this condition would be complicated and iffy, user ABEND 16 will be issued. Contact IBM Software Support. Severity: 24 CKR1989 routine: Record descriptor descriptor not ready for printing fieldaddr fieldname Explanation: The request to print the indicated field is not honored, because that column is part of a record type for which no record appears to be being printed at this time. Contact IBM Software Support. Severity: 24 CKR1990 • CKR1999 CKR1990 CKRPUTV: Literal already stored for fieldaddr fieldname defined at ddname line number CKR1996 CKRPUTV.CKRDELST: MERGELIST error - TLHD queryaddr ix queryindex TLST recordaddr ix recordindex Explanation: The indicated fieldcolumn is a literal, so a secondary value for it was not expected. Contact IBM Software Support. Explanation: The delete record routine encountered a problem in a MERGELIST. Contact IBM Software Support. Severity: 24 Severity: 24 CKR1991 CKRSMRY: Internal length length for fieldaddr fieldname defined at ddname line number Explanation: The indicated column fieldname is a summary statistic but has an unsupported length. No output is being generated. Contact IBM Software Support. CKRCKGS: No default group for userid in complex Explanation: The default group for the indicated userid in the indicated complex appears to be missing. No CKG.SCP.ID resource name can be constructed for this userid. The CKGRACF scope determination may be off. Contact IBM Software Support. CKR1993 Severity: 24 CKAOUTRU: Unexpected SCOP eyecatcher Explanation: Contact IBM Software Support. Severity: 24 CKRCFV: Directory switch during HFS switch for system complex to mountpoint Explanation: A CKFREEZE record for a UNIX directory switch was encountered while the start of a new file system dump had not completed yet. Contact IBM Software Support. The rest of the file system dump is skipped. Severity: 20 CKR1999 Severity: 24 CKRLKUP: No function indicated for fieldaddr fieldname; TLST recordaddr call type xx defined at ddname line number Explanation: Contact IBM Software Support. CKR1998 Severity: 24 CKR1992 CKR1997 CKRCFV: Directory switch before HFS root for system complex mountpoint Explanation: A CKFREEZE record for a UNIX directory switch was encountered while the root directory contents had not been seen yet. Contact IBM Software Support. The rest of the file system dump is skipped. Severity: 20 CKR1994 CKRCKGS.CKRIMPL: Invalid USRC (len=len) - data for fieldaddr fieldname; TLST recordaddr Explanation: The data found for the indicated field in the indicated record does not have the expected USRC format. Contact IBM Software Support. Severity: 24 CKR1995 CKRPUTV.CKRPTCLS: Invalid empty repeat close for fieldaddr fieldname defined at ddname line number; TLST recordaddr Explanation: The indicated field was first stored, and then processed yielding an empty column, while no storage method precautions were taken to allow this. This message will be followed by user ABEND 16. Contact IBM Software Support. Severity: 24 Chapter 5. CKR messages 279 CKR2200 • CKR2210 Messages from 2200 to 2299 CKR2200 Input open type abend code-reason (stock description) file description CKR2206 Specify either COMPLEX or STANDARD with RULE or RULE_SET source. Explanation: This message indicates a failure to open an input file. A stock description is printed for the most common abend codes. You can look up the abend code and reason code or look in the job log for an associated IEC, ICH, or IRR message. Explanation: The SITE_SEVERITY statement has two mutually exclusive forms; either you overrule a rule (set) severity, or you assign a higher or lower importance for a security database (complex). The file description shows the file name and a data set name or UNIX path name, or indicates that file description is a remote file or storage buffer. User response: Split the SITE_SEVERITY statement into two SITE_SEVERITY statements, or add a RULE or RULE_SET parameter behind STANDARD. Severity: 16 Severity: 12 CKR2201 Located dsn as realdsn on volume Explanation: This message indicates that a data set name passed by the user was actually an alias name. The real data set name and volume serial are shown. For further processing, the alias name is replaced by the real data set name. Severity: 00 CKR2207 SITE_SEVERITY STANDARD name not found source. Explanation: A SITE_SEVERITY statement refers to a standard name that was not found. Keep in mind that standard names are case sensitive. User response: Check the spelling of the standard name. Severity: 04 CKR2202 Conflicting jobname jobname1 found for ASID asid. Jobname jobname2 was previously defined for the same ASID. CKR2208 SITE_SEVERITY RULE_SET "name" not found source Explanation: A conflicting job name has been found while processing address space information. See the Electronic Support Web site for possible maintenance. If you cannot find applicable maintenance, contact IBM Software Support. Explanation: A SITE_SEVERITY statement was found referring to a rule set that was not in any of the imbedded standards. This can be a typing error or the standard was intentionally omitted in this run. Severity: 08 User response: If the standard was not intentionally omitted, add the standard or correct the typing error. CKR2204 Missing STANDARD name on SITE_SEVERITY source. Explanation: When specifying a RULE or RULE_SET name, you must also identify the STANDARD name using the STANDARD() keyword. RULE and RULE_SET names are only unique within a standard. User response: Add STANDARD parameter. Severity: 12 CKR2205 Severity: 4 CKR2209 Explanation: A SITE_SEVERITY statement was found referring to a rule that was not in any of the imbedded standards. This can be a typing error or the standard was intentionally omitted in this run. User response: If the standard was not intentionally omitted, add the standard or correct the typing error. Duplicate SITE_SEVERITY statement source, also source2. Explanation: The rule, rule set, standard, complex, or system was also identified in another SITE_SEVERITY statement. User response: Change or delete one of the SITE_SEVERITY statements. Severity: 12 Severity: 4 CKR2210 Messages Guide Id userid: Nesting level depth exceeded for XSGP source group in complex[version] Explanation: ACF2 cross-reference source group records support a maximum of 25 nesting levels. The record identified in this message exceeds this maximum. Further processing for this record is aborted. Severity: 20 280 SITE_SEVERITY RULE "name" not found source CKR2211 • CKR2219 CKR2211 N/A test not supported behind OTHERWISE - testsource Explanation: A TEST N/A statement cannot be part of a TEST OTHERWISE chain. User response: Put each N/A TEST in its own rule. N/A not supported for type=type because not SYSTEM or COMPLEX based - test source Explanation: The TEST N/A feature defines to which systems and complexes a rule set is applicable. The indicated newlist type does not have the SYSTEM or COMPLEX field as part of the key and hence cannot influence applicability of the rule set to a system or complex. User response: Use a different domain newlist type or use the RULE EXEMPT clause instead of TEST N/A. Severity: 12 CKR2213 N/A tests and non-N/A tests cannot be in same rule name source Explanation: A rule cannot have a mixture of TEST N/A statements and other TEST statements. This is because rules that determine non-applicability of systems or complexes must all be evaluated first, before any other test from any rule set is done. User response: To combine TEST N/A and normal TESTs in a rule set, you must assign them to a different rule name. They can be part of the same rule set. Severity: 12 CKR2214 N/A test not supported for count test without SUMMARY on the DOMAIN test source Explanation: The TEST N/A feature defines to which systems and complexes a rule set is applicable. When you test the count of records for a newlist without doing a SUMMARY on SYSTEM or COMPLEX (or both), there is no way to attribute that to a speciifc system or complex. User response: Add a SUMMARY(SYSTEM COMPLEX VER COUNT) or a SUMMARY(COMPLEX VER COUNT) clause to the DOMAIN specification for the RULE DOMAIN. Severity: 12 Rule set setname at ddname1 line number1 already defined at ddname2 line number2 in standard stdname VER(version) Explanation: A RULE_SET must have a unique name within the STANDARD version. User response: Change one of the names of the two rule sets with the same name in the specified standard. Severity: 12 CKR2212 CKR2215 Severity: 12 CKR2216 Inconsistent CONCERN for sensitivity "senstype" ignored Explanation: This message is issued if multiple concern texts are generated for risk. Only one concern text per sensitivity type (risk) is stored. This message is expected to be very rare; normally a message CKR2386 is issued instead. User response: Review your SIMULATE CLASS commands, and define a unique sensitivity type to every access level / concern text combination. If no SIMULATE CLASS command is involved, see the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. Severity: 08 CKR2217 Field type type not supported for field field Explanation: This message indicates that the indicated field was used for SELECT/EXCLUDE processing; the field can only be used for output in the current NEWLIST type. The NEWLIST types for which this error message may occur support the selection of strings, bitfields, and numbers. Some field types, such as time zones, can only be used for output. Severity: 12 CKR2218 CKFCOLL parameters for source Explanation: This message is issued in response to a SHOW CKFIN command and shows, for each CKFREEZE data set, the input parameters to CKFCOLL in subsequent lines. Severity: 0 CKR2219 CKFCOLL messages for system[version] in source Explanation: This message is issued in response to a SHOW CKFMSG command and shows, for each CKFREEZE data set, the messages issued by CKFCOLL in subsequent lines. Chapter 5. CKR messages 281 CKR2220 • CKR2227 Severity: 0 CKR2220 CKFREEZE created on system without type=type entitlement - source Explanation: This message is issued when a CARLa script requests newlist types that were not entitled on the system where a snapshot was taken with CKFCOLL. User response: Do not try to run non-entitled reports, or extend the entitlement for the system where the CKFCOLL program was run to take a snapshot, and run CKFCOLL again there. considered APF authorized after all, because it is not the volume SMS status but a bit in the format 1/8 DSCB that determines APF status. To improve analysis of older CKFREEZE files, CKRCARLA considers the data set as APF authorized. Because of the incorrect use of the volume status, the PDS directory was not automatically dumped in the CKFREEZE. As a result, the R_AC1, R_PGM, R_PADS newlists might be incomplete. This message is issued only if load module analysis is required for the CARLa query, and DEBUG APF was specified. Severity: 4 Severity: 16 CKR2225 CKR2221 Cannot open site banner file ddname volser dsname Explanation: This message indicates that the site-defined USS table banner file specified by the SITE_BANNER option cannot be opened. Check whether the file is correctly allocated, and whether the member exists. Severity: 16 Requested report requires CKFREEZE file for system smfid [version] Explanation: This message indicates that a VERIFY or NEWLIST was requested, but no CKFREEZE was connected for the indicated system. This message is suppressible, but if you suppress the message, the results are unpredictable. User response: Rerun with appropriate CFREEZE files allocated. Severity: 16 CKR2222 A member name is required to read from file ddname volser dsname Explanation: A SITE_BANNER option was present referring to a PDS(E) data set, but the member to be read from that data set was not specified. Add the correct member to the SITE_BANNER option and resubmit the query. Severity: 16 CKR2223 Concat number nnn of MSTR ddname ddname system smfid [version] larger than supported maximum 127 Explanation: The CKRCARLA program does not support more than 127 data sets in a MSTR ddname IEFPDSI or IEFJOBS concatenation. User response: See the Electronic Support Web site for possible maintenance associated with this message. If you cannot find applicable maintenance, follow the procedures described in “Contacting IBM Software Support” on page 469 to report the problem. CKR2226 CKFREEZE smfid [version] too incomplete for requested report - source Explanation: This message indicates that a VERIFY or NEWLIST was requested, but the available CKFREEZE for the indicated system was restricted in content such that the VERIFY or NEWLIST has insufficient information. This message is suppressible, but if you suppress the message, the results are unpredictable. The message is followed by an indication of which CKFCOLL options caused the incomplete information. The severity of the message is 4 if only a tape catalog was missing, to enable an analysis for DASD only. However, running a VERIFY NOTEMPTY might then generate commands to remove profiles that cover uncataloged tape data sets. User response: Create CKFREEZE files with appropriate content (not specifying the options indicated) for the VERIFY function needed and rerun with those CFREEZE files allocated. Severity: 16 or 4 Severity: 20 CKR2227 CKR2224 APF data set dsn marked SMS in VTOC for volume volser but volume not SMS managed on system system version; members might be missing in report Explanation: This message is issued if the CKFREEZE file marked a data set as non APF because the volume is not SMS managed. However, the data set is 282 Messages Guide COMPLIANT, NONCOMPLIANT, and N/A mutually exclusive - test source Explanation: TEST N/A defines to which systems and complexes a rule set is applicable, while TEST COMPLIANT and TEST NONCOMPLIANT explicitly define a result as compliant or noncompliant. These test features are mutually exclusive. CKR2228 • CKR2305 User response: To combine TEST N/A and normal TESTs in a rule set, you must assign them to a different rule name. They can be part of the same rule set. Severity: 12 Explanation: This message indicates that only domain merges with 2 newlist types are supported, not more. This message is suppressible, but results are unpredictable in that case. Severity: 12 CKR2228 DDNAME=ddname not allowed for e-mail. DDNAME=C2REMAIL required. Explanation: A ddname different than C2REMAIL is specified, using the MAILTO option. Use C2REMAIL instead. Severity: 12 CKR2229 SUMMARY cannot be combined with merge, domain domain where Explanation: This message indicates that it is not possible to combine SUMMARY on the DOMAIN with multiple newlist types on the SELECT parameter. User response: Remove SUMMARY from the DOMAIN or remove a newlist type from the DOMAIN SELECT. Severity: 12 CKR2230 Domain merge only supports 2 types, not number, domain domain where CKR2231 Password support for special characters not enabled on current system Explanation: The source database in a merge operation allows special characters in passwords, but the current database does not. If passwords are copied from the source database to the current database, users with a password containing special characters will not be able to login using this password. Severity: 0 CKR2232 Current system does not support KDFAES encryption Explanation: The source database in a merge operation uses the KDFAES encryption algorithm for password hashing, but the current database does not. Commands will not be generated to copy passwords from the source database to the current database. Severity: 0 Messages from 2300 to 2399 CKR2300 Adding ALLOC TYPE=CKFREEZE ZSECNODE=zsecnode ACTIVE [COMPLEX=complex] Severity: 0 CKR2303 Complex name complex assigned to danem volser dsname Explanation: This message indicates that a small recent CKFREEZE will be obtained from remote zSecure Server for the indicated node. This action is taken if the input set of ALLOC statements does not provide a plausible alternative. Explanation: This message documents the complex name assigned to the unload file. The assignment is not based on a matching security database name; that occurrence would issue message CKR2347 instead. Severity: 0 Severity: 0 CKR2301 Adding ALLOC TYPE=CKFREEZE ZSECSYS=zsecsys ACTIVE [COMPLEX=complex] Explanation: This message indicates that a small recent CKFREEZE will be obtained from the remote zSecure Server identified in the message. This action is taken if the input set of ALLOC statements does not provide a plausible alternative. Severity: 0 CKR2302 CKR2304 Explanation: This message documents that a snapshot was linked to a security database (complex) name based on the indicated RACF data set name. Severity: 0 CKR2305 Complex name complex assigned to ddname volser dsname Explanation: This message indicates which complex name was assigned to an unload operation. Complex complex assigned for RACF data set volser dsname of ddname system system [version] Complex complex assigned by default to ddname system system [version] Explanation: This message indicates the default system was assigned to a main or base-function security database and the complex name and version were inherited. For more information about the default system, see the DEFAULT command. Chapter 5. CKR messages 283 CKR2306 • CKR2317 Severity: 0 CKR2306 CKR2312 Complex complex FUNC=MERGE assigned by default to ddname system system [version] Explanation: This message indicates the default system was assigned to a security database and the complex name was inherited. For more information about the default system, see the DEFAULT command. Severity: 0 CKR2307 Explanation: This message indicates that a complex (without a security database) was added because of an explicitly specific COMPLEX= parameter on another file. Severity: 0 file system system [version] matches normal function complex complex Explanation: This message documents that the indicated snapshot file is used for a main or base-function complex because it has the same complex and version name. Severity: 0 ddname system system [version] matches normal function complex complex Explanation: This message documents that the indicated snapshot is linked to the indicated complex name because the complex and version name match. Severity: 0 CKR2314 Severity: 0 CKR2308 Explanation: This message documents that a snapshot was linked to a main or base function RACF security database (complex) name based on the indicated RACF data set name. CKR2313 Complex complex added because named on ALLOC for file ddname Non-merge complex complex for RACF data set volser dsname matches ddname system system [version] Switched to sequential mode on remote database complex Explanation: This message is issued on a CKRCARLA client when a server instance decides to switch reading the database to sequential mode for the indicated complex. This message follows message CKR1314, which is issued because of the high number of requests on the server side for the last data set in a database. This message is not issued if the client initiates the transition to sequential mode. Severity: 00 CKR2309 ALLOC TYPE=CKFREEZE ACTIVE system system [version] uses complex complex Explanation: This message documents which complex was assigned to an explicitly specified active ALLOC TYPE=CKFREEZE ACTIVE. Severity: 0 CKR2310 ddname system system [version] matches any function complex complex Explanation: This message documents that the indicated snapshot is linked to the indicated complex name because the complex and version name match. Severity: 0 CKR2311 Non-merge complex complex for security db volser dsname matches ddname system system [version] Explanation: This message documents that a snapshot was linked to a main or base-function security database (complex) name based on the indicated security-database data set name. Severity: 0 284 Messages Guide CKR2315 Complex complex for security db volser dsname matches ddname system system [version] Explanation: This message documents that a snapshot was linked to a security database (complex) name with any function, based on the indicated security data set name. Severity: 0 CKR2316 Complex complex for RACF data set volser dsname matches ddname system system Explanation: This message documents that a snapshot was linked to a RACF database (complex) name with any function, based on the indicated RACF data set name. Severity: 0 CKR2317 ddname system system [version] implicit allocation defaults to complex complex Explanation: This message documents that the indicated complex name was assigned to the indicated system because there was no better match. CKR2318 • CKR2324 Severity: 0 CKR2318 ddname system system [version] no matching security database, creating complex complex Explanation: This message documents that a new complex was created to contain the indicated system snapshot because no match was found. Note: The use of the ONLYAT option requires the RACF Special attribute. Severity: 4 CKR2322 Severity: 0 CKR2319 is undefined on one system in the RRSF configuration is defined on another system in the RRSF configuration. dd