Build Dedicated Sernet Started Task
This section tells you how to build a Sernet started task to act as a dedicated ChangeMan ZDD server.
In the diagram on Dedicated ZDD Server, Sernet A is a dedicated ChangeMan ZDD server. ZDD clients connect to Sernet A to access data sets, jobs and Unix files, and to access ChangeMan ZMF 2 and ZMF 3 that run on the same LPAR.
This chapter tells you how to build a dedicated ZDD server like Sernet A in the diagram on Dedicated ZDD Server.
If you want to prepare an existing ChangeMan ZMF server for access through a separate ChangeMan ZDD server, see Connect to ChangeMan ZMF.
If you want to reconfigure an existing ChangeMan ZMF server to also act as a ChangeMan ZDD server, see Add ChangeMan ZDD to ChangeMan ZMF.
Step 1: Allocate Custom Libraries
Allocate a set of libraries for customized SERCOMC components. The following table shows an example of vendor libraries and their corresponding custom libraries.
Vendor Libraries | Custom Libraries |
---|---|
...SERCOMC.VvRrMm.ASMSRC | ...SERCOMC.VvRrMm.CUSTOM.ASMSRC |
...SERCOMC.VvRrMm.CLIST | ...SERCOMC.VvRrMm.CUSTOM.CLIST |
...SERCOMC.VvRrMm.CNTL | ...SERCOMC.VvRrMm.CUSTOM.CNTL |
...SERCOMC.VvRrMm.LOAD | ...SERCOMC.VvRrMm.CUSTOM.LOAD |
Recommendations for allocating CUSTOM libraries:
- Choose data set names that comply with your data center standards.
- Use the same RECFM and LRECL as the corresponding vendor library.
- You may optimize the BLKSIZE parameter.
- For simplicity, allocate SPACE=(CYL,(1,1,75)).
Step 2: APF Authorize Vendor and Custom Load Libraries
Add these libraries to the APF list:
- Vendor SERCOMC LOAD library that you unloaded from the download image or distribution CD.
- Custom LOAD library that you allocated in the previous step.
You can use the SETPROG system command to add these libraries to a dynamic APF list. If you use a static APF list, you must IPL before you can execute some of the subsequent steps in the installation process.
Step 3: Apply ChangeMan ZDD License
Apply the license you received from Micro Focus to enable ChangeMan ZDD. Refer to the SER10TY User’s Guide for instructions on how to apply the license.
Note
ChangeMan ZDD 8.1 requires a new license key.
The load modules, JCL, and other components that run SER10TY are included in the SERCOMC libraries unloaded from the download image or the distribution CD.
Step 4: Allocate SER#PARM TCP/IP Address File
Sernet uses a PDS or PDSE file to store TCP/IP addresses and port numbers for Micro Focus Serena applications. See SER#PARM DD Statement.
Caution
Do not use the SER#PARM library for any other purpose. Sernet opens this library for output, which can interfere with other uses of the file.
If you already have a Sernet started task running in your enterprise, and the library in the SER#PARM DD statement is available through shared DASD, you should use that library in the new Sernet started procedure you are building here.
If you do not have an existing SER#PARM library available, allocate a PDS(E) with these characteristics:
```
DSN=node.SERNET.TCPIPORT             * Recommended last node
DCB=(RECFM=FB,LRECL=80,BLKSIZE=0)    * Let SMS set BLKSIZE
SPACE=(CYL,(1,10,30))
```
Sernet automatically creates a #SERx member (where “x” is the Sernet subsystem ID).
Step 5: Define XMLSPACE VSAM LDS
XML Services use a VSAM Linear Dataset (LDS) to map the relationships between XML schemas and DSECTS used for fixed-format control blocks and copybooks. This data set is referenced by the XMLSPACE DD statement in the Sernet started procedure.
Execute this procedure to define and populate the XMLSPACE VSAM LDS.
Note
This step also creates a sequential MAPDATA dataset used by the XML prototype tool XMLSERV.
- Copy member XMLLOAD from the vendor SERCOMC CNTL library to your custom SERCOMC CNTL library.
- Edit member XMLLOAD in your custom CNTL library.
  a. Code your JOB statement at the top.
  b. In step RECEIVE, change DSN node placeholder somnode in the RECEIVE command INDS parameter to point to your vendor SERCOMC CNTL library.
  c. Change all other occurrences of DSN node placeholder somnode to create dataset names that comply with your local naming conventions. Keep the last node name of MAPDATA.
- Submit JCL member XMLLOAD.
- Examine the job output for problems:
  a. Example of SYSTSPRT from job step RECEIVE:
```
READY
DELETE 'CMNTP.S6.V810.SERCOMC.MAPDATA'
IDC3012I ENTRY CMNTP.S6.V810.SERCOMC.MAPDATA NOT FOUND+
IDC3009I ** VSAM CATALOG RETURN CODE IS 8 - REASON CODE IS IGG0CLEG-42
IDC0551I ** ENTRY CMNTP.S6.V810.SERCOMC.MAPDATA NOT DELETED
IDC0014I LASTCC=8
READY
RECEIVE INDS('CMNTP.S0.V810T06.SERCOMC.CNTL(XMLDATA)')
INMR901I Dataset DDNAME.MAPDATA from BATCHTSO on NODENAME
INMR906A Enter restore parameters or 'DELETE' or 'END' +
INMR908A The input file attributes are: DSORG=SEQUENTIAL, RECFM=F, BLKSIZE=4096,
INMR909A You may enter DSNAME, SPACE, UNIT, VOL, OLD/NEW, or RESTORE/COPY/DELETE
INMR001I Restore successful to dataset 'CMNTP.S6.V810.SERCOMC.MAPDATA'
READY
END
```
  b. Browse member XMLDATA in your SERCOMC CNTL library. Note the date and time in this line of text near the top of the data set:
```
SERNET XML Dsect Cross Reference. Created: 26 Jan 2011 02:23:40
```
  Then browse the new MAPDATA file and look for the same text at the top of that file. The date and time should be the same as in the XMLDATA member.
  c. Examine the job JESMSGLG to verify that job step LOAD completed with RC=00.
Step 6: Build Sernet Started Procedure
Execute these steps to build JCL for a Sernet instance:
- In your custom CNTL library, create a member for the Sernet started procedure. Name the member according to the conventions you established in Sernet Started Task Name.
- Copy the contents of model JCL member SERVER in the vendor SERCOMC CNTL library into the new Sernet started procedure member in your custom CNTL library.
- If you will store Sernet keyword options in a PDS or PDSE library member (see Passing Parameters to Sernet), do the following:
  a. Code keyword option DDNAME=ddname in the PARM= parameter for program SERVER.
  b. Allocate a PDS or PDSE library with RECFM=FB and LRECL=80.
  c. Add a ddname DD statement to the started procedure, and code the DSN to point to the library that you allocated and the member where you will store Sernet keyword options.
- In the STEPLIB DD statement:
  a. Delete CMNZMF libraries.
  b. Change the SERCOMC.CUSTOM.LOAD library name to point to the custom LOAD library you created in Step 1: Allocate Custom Libraries.
  c. Change the SERCOMC.LOAD library name to point to the vendor LOAD library you created in Step 3: Expand PDS Libraries with RECEIVE.
- If you use a PDS to store licenses applied with the SER10TY License Manager (see Step 3: Apply ChangeMan ZDD License), add a SERLIC DD statement to point to your license PDS.
- Change the SER#PARM DD statement to point to the PDS(E) that you created in Step 4: Allocate SER#PARM TCP/IP Address File.
- Change the XMLSPACE DD statement to point to the VSAM LDS that you created and populated in Step 5: Define XMLSPACE VSAM LDS.
- Create a GDG index for SYSMDUMP datasets. (See SYSMDUMP DD Statement.) Change the SYSMDUMP DD statement to point to the new GDG DSN (+1).
- Add Sernet keyword options to the PARM= parameter for program SERVER or to the keyword option PDS member. See Sernet Options For ChangeMan ZDD. Adjust the &ID and &OPT symbolic parameters as needed.
- Add ddnames that are required to resolve conflicts between Sernet and other software tools in use at your site. See Software Conflicts.
- Install the Sernet procedure in a system PROCLIB.
Step 7: Set Up Job Notification
The Job Notification facility of Sernet sends job completion messages to a user’s workstation for jobs that they submit through ChangeMan ZDD.
Note
Job Notification does not add messages to batch jobs submitted by ChangeMan ZMF, even though you may use ChangeMan ZDD to initiate ChangeMan ZMF jobs.
To enable Job Notification in a ChangeMan ZDD server, you set up a mainframe JCL fragment that is automatically appended onto JCL submitted from ChangeMan ZDD.
Execute these steps to set up the Job Notification JCL fragment:
- Copy member $SERNTFY from the vendor SERCOMC CNTL library into your custom CNTL library.
- Edit member $SERNTFY in the custom library. Change the STEPLIB statement to point to the vendor SERCOMC load library you coded in the STEPLIB for the Sernet started procedure.
- Copy the updated $SERNTFY member from your custom CNTL library into a system PROCLIB.
Step 8: Set Up Job Review
See Job Review for more information about the Job Review facility.
As delivered in Sernet 7.1.1, Sernet allows read access to JES jobs that are not owned by the userid. Cancel/purge/requeue are restricted to jobs owned by the userid.
Since access to JES jobs is normally controlled by resource classes JESJOBS and JESSPOOL, regardless of whether SEREX003 is activated, we recommend that you disable this exit. To disable the exit, do one of the following:
- Use Sernet keyword option EX003=NO.
- Customize the exit as described in source code comments at the top of the program.
Step 9: Configure Your Security System
Regardless of the security system you use, these are the tasks you must perform to set up a dedicated ZDD server.
- Set switches in local security routine SERLCSEC.
- Identify the Sernet instance to your security system as a started task and assign a user ID.
- Permit data set access to files in the Sernet started procedure.
- Set security for accessing USS file systems.
- Define OMVS segments for access to TCP/IP functions.
- Optionally restrict logon to the ZDD server.
...
Customize SERLCSEC
SERLCSEC establishes the security environment for the user's subtask in Sernet so that the subtask runs with the authority of the logged on user.
If you use RACF or CA ACF2, you can use the switch settings in program SERLCSEC that are delivered in the LOAD library unloaded from the download image or the distribution CD.
Many CA Top Secret customers can run with the SERLCSEC switch settings that we deliver. However, if you are using the CA Top Secret security system and you have too many security violations, set the bit switch for &LOGSVIO to zero.
Execute these steps to change switch &LOGSVIO for CA Top Secret:
- Copy the source for program SERLCSEC from the vendor SERCOMC ASMSRC library to your custom ASMSRC library.
- Edit SERLCSEC to change the &LOGSVIO switch. See the insert/delete below.
```
ID  SOURCE LINES
    ----+----1----+----2----+----3----+----4----+----5----+----6----+----7--
    *--------------------------------------------------------------------
    * BELOW IS WHERE THE USER CAN TAILOR THE SOURCE CODE FOR THE SHOP
    *--------------------------------------------------------------------
    &VERFYID SETB 1 (YES) SAF user ID verification
I - &LOGSVIO SETB 0 (NO) security violation logging
D - &LOGSVIO SETB 1 (YES) security violation logging
    &LOGSEL SETB 0 (NO) .selective logging (by calling pgm)
    *--------------------------------------------------------------------
    *ACF2 batch ids are specified in a user modifiable table
    * 'F ACF2BAT WORD 1' will find the start of this table.
    * Please modify it as necessary.
    *--------------------------------------------------------------------
    * Notes:
    * #1 If &VERFYID is set to '1' in a Top Secret (TSS) shop,
    * the started task must be set up as a MULTIUSER FACILITY.
    * #2 &LOGSVIO must be set to '1' for &LOGSEL to have any affect.
    * If selective logging is selected, the logging is determined
    * by the calling program from products like XCH, CMN and CMW.
    *--------------------------------------------------------------------
```
- Copy model JCL member ASSEMBLE from the vendor CNTL library to your custom CNTL library, edit the JCL, and submit it to assemble and link the SERLCSEC source in your custom ASMSRC library into your custom LOAD library.
- If the return code from the assemble and link job is zero:
  - Compare the directory entries for SERLCSEC in your custom LOAD library to the directory entries for SERLCSEC in the vendor LOAD library.
  - If they are not identical, adjust the assemble and link options in the ASSEMBLE job, and submit the job again.
- If you assemble and link SERLCSEC after you start a ChangeMan ZDD server, shut down the Sernet started task and start it again to have the exit modifications take effect.
Configure RACF
The steps listed here provide examples specific to IBM Security Server RACF for accomplishing security setup tasks. The following conventions are used in these examples:
- SERPROC is the member name of the started procedure.
- SERTASK is the jobname assigned to the started task when procedure member SERPROC is started. See Step 6: Build Sernet Started Procedure.
- SERUSER is the RACF user ID for all Sernet instances. If you want different RACF authority for different Sernet instances, assign a unique user ID to each.

This section is not intended to be an authoritative reference for RACF command syntax. Your security administrator should be aware of the intent of each step and should adjust the sample command syntax if necessary.
- Define the user ID that will be assigned to the Sernet started task:
```
ADDUSER SERUSER NAME('SERNET') OWNER(owner userid) +
        DFLTGRP(group name) DATA('SERNET STARTED TASK')
```
- Add each Sernet instance to the STARTED class to associate the started task with the user ID. Use the following command:
```
RDEF STARTED SERPROC.SERTASK STDATA(USER(SERUSER) +
     GROUP(groupname))
SETROPTS RACLIST(STARTED) REFRESH
```
Note
With RACF 2.1 and higher, you may define started procedures to the STARTED class rather than adding them to the RACF Started Procedure Table, which requires an IPL. The STARTED class must be active at your site.
- In the STARTED class, specify both the started procedure member name and the jobname assigned in the START command. See Sernet Started Task Names. You can use a wild card for the jobname:
```
RDEF STARTED SERPROC.** STDATA(USER(SERUSER) GROUP(groupname))
```
or
```
RDEF STARTED SERPROC.SER* STDATA(USER(SERUSER) GROUP(groupname))
```
Configure CA Top Secret
The steps listed here provide examples specific to CA Top Secret for accomplishing security setup tasks. The following conventions are used in these examples:
- SERPROC is the member name of the started procedure.
- SERACID is the name of ACID associated with the Sernet instance.
- SERFAC is the name of Multiuser Facility created for the Sernet instance.

This section is not intended to be an authoritative reference for CA Top Secret command syntax. Your security administrator should be aware of the intent of each step and should adjust the sample command syntax if necessary.
- Define the Sernet server as a Multiuser Facility, using one of the dummy facility entries in the Facilities Matrix Table. See the CA Top Secret User Guide for information on how to add a new facility. For example:
```
FACILITY(USERxx=NAME=SERFAC)
FACILITY(SERFAC=PGM=SER)
FACILITY(SERFAC=NOASUBM)
FACILITY(SERFAC=LCFCMD)
FACILITY(SERFAC=UIDACID=7)
```
- Execute a TSS refresh to implement this parameter change, or perform a temporary change until the next refresh or IPL by executing this command:
```
TSS MODIFY FACILITY(USERxx=NAME=SERFAC)
```
- After the above TSS command has been completed, query CA Top Secret to verify that the definition is correct.
```
TSS MODIFY FAC(SERFAC)
```
  The following messages are from a successful installation:
```
TSS9550I FACILITY DISPLAY FOR SERFAC
TSS9551I INITPGM=SER ID=T TYPE=013
TSS9552I ATTRIBUTES=INUSE,ACTIVE,SHRPRF,NOASUBM,NOABEND,MULTIUSER,NOXDEF
TSS9552I ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,RNDPW,AUTHINIT
TSS9552I ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFCMD
TSS9552I ATTRIBUTES=MSGLC,NOTRACE,NOEODINIT,IJU,NODORMPW,NONPWR,NOIMSXTND
TSS9553I MODE=FAIL DOWN=GLOBAL LOGGING=INIT,MSG
TSS9554I UIDACID=8 LOCKTIME=000 DEFACID=*NONE* KEY=8
TSS9556I MAXUSER=03000 PRFT=003
TSS0300I MODIFY FUNCTION SUCCESSFUL
```
- Create a CA Top Secret Started Task (STC):
```
TSS CREATE(SERACID) TYPE(USER) NAME('SERACID STC FOR SERNET') FACILITY(STC,BATCH,SERFAC) DEPT(NAME) PASS(NOPW,0)
```
- Add the new STC to the Started Task Table:
```
TSS ADD(STC) ACID(SERACID) PROCNAME(SERPROC)
```
- Add the SERFAC to the userids:
```
TSS ADD(SERACID) FACILITY(SERFAC)
```
Note
Repeat this command for each user that requires this access, or put it in a profile to which users are attached.
For more information, refer to the CA Top Secret OS Reference Guide Volume 3, Section: TSS Command Function.
Configure CA ACF2
The steps listed here provide examples specific to CA ACF2 for accomplishing the security setup tasks. The following conventions are used in these examples:
- SERUSER is the Sernet logon ID.
- SERPROC is the started procedure name.

This section is not intended to be an authoritative reference for CA ACF2 command syntax. Your security administrator should be aware of the intent of each step and should adjust the sample command syntax if necessary.
- Change the ACF2 Global System Options (GSO) to associate a logon ID with started tasks. Set up a default logon ID to allow all started tasks to come up successfully. From the TSO command processing option, enter the following commands:
```
ACF2
SET CONTROL(GSO)
INSERT ACFSTCID    (Set up default logon ID for started tasks)
OPTS STC           (To have privilege of started task)
```
- Set up SERUSER as unique logon ID for Sernet. From the TSO command processing option, enter the following commands:
```
ACF2
SET CONTROL(GSO)
INSERT SERUSER     (To insert a new logon ID)
OPTS STC           (To have privilege of started task)
```
- To give ChangeMan ZMF enough dataset access to perform its functions, add non-cancel authority NONCNCL or PREFIX(********).
- Add a TSO ID:
```
ACF
SET LID
INSERT SERPROC JOB STC ACC-SRCE(STCINRDR) MUSASS
```
Note
MUSASS means multiple-user single address space system.
Caution
Verify that this ID is not assigned to a user as a TSO logon ID.
- Add the following version-dependent definition to the environment. For ACF2 Version 6.x:
```
SET C(GSO)
INSERT CLASMAP.CMN RESOURCE(CMN) RSRCTYPE(CMN)
INSERT SAFDEF.CMN001 ID(CMN001) PROGRAM(SER-) RB(SVC109) RACROUTE(REQUEST=AUTH CLASS=CMN)
```
- Activate the resource type SER.
```
ACF2
SET RESOURCE(SER)
```
...
Permit Data Set Access
Permit data set access to the user ID assigned to the ZDD server started task:
- READ access to all of the data sets coded in the ZDD server started procedure, except...
- UPDATE access to the data set in the SER#PARM DD statement.
- ALTER access to the data set in the SYSMDUMP DD statement.
Permit User Access to JES Output
Some SerNet services may write messages as JES output, while running under the security environment of the logged on user. As such, if the JESSPOOL class is activated, all users must be allowed UPDATE access to any JESSPOOL profiles that control JES output produced by the started task. For JESSPOOL profiles, UPDATE access only allows users to write messages to JES SYSOUT. It does not allow any other type of updates to JES spool files, such as re-queuing, deleting, holding, or releasing output, all of which require ALTER access.
JESSPOOL profiles are defined using the following model:
```
nodeid.userid.jobname.jobid.ddsid.dsname
```
- nodeid: Name of local JES NJE node
- userid: User ID of started task
- jobname: Job name of started task

You can define any suitable JESSPOOL profile that covers the started task output with a universal access of UPDATE. For example, the following would secure all of the output files produced by the started task user ID:
```
*.STCUSER.**
```
A profile named like this would secure the output by started task name:
```
*.*.STCNAME.**
```
Set Security for USS File Systems
If you want to use ChangeMan ZDD to access HFS files in Unix System Services on the mainframe, you must make additional entries in your security system.
The instructions here describe commands for z/OS Security Server RACF. If you use CA ACF2 or CA Top Secret, consult with your security administrator to determine the actions they must take in those security systems to accomplish the same objectives.
In the commands that follow, the following conventions are used:
- SERUSER is the user ID assigned to the Sernet / ZMF started task.
- SERGRP is the RACF group assigned to the Sernet / ZMF started task.

The steps are:
- Assign a non-zero UID to SERUSER by manually assigning the next available value:
```
ALTERUSER SERUSER OMVS(UID(xxx))
```
- Permit access for SERUSER to two resources so it can manage HFS in USS:
```
PERMIT BPX.SERVER CLASS(FACILITY) ID(SERUSER) ACCESS(UPDATE)
PERMIT SUPERUSER.FILESYS CLASS(UNIXPRIV) ID(SERUSER) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS RACLIST(UNIXPRIV) REFRESH
```
- Ensure that the SERUSER default group SERGRP has a GID:
```
ALTERGROUP SERGRP OMVS(GID(YYY))
```
...
Define OMVS Segments For TCP/IP
Most user IDs requiring access to TCP/IP functions must have an OMVS segment.
To satisfy this requirement for the ChangeMan ZDD server and for ZDD users, do one of the following:
- Define an OMVS RACF segment for the userid of the ZDD server and for each ZDD user.

or
- Use the default OMVS segment support provided by RACF and z/OS UNIX for users and groups.
Note
You may have already defined an OMVS segment for the ZDD server user ID in Set Security for USS File Systems.
See "Requirement for an OMVS segment" in the z/OS Communications Server IP Configuration Guide.
Restrict Logon to ZDD
As described in How ChangeMan ZDD Security Works, ChangeMan ZDD respects the mainframe security controls provided by your security system when a ZDD user works with files, jobs, and job output.
In addition, you can require explicit permission at the user ID and group ID level to logon to a ZDD server.
Execute these steps to restrict logon to a ZDD server:
- Code Sernet keyword option CONNECTCHECK(YES) in one of these locations on a Sernet instance that is acting as a ZDD server:
  - The PARM= parameter for program SERVER in the Sernet started procedure.
  - The data set coded at the ddname that is specified in the DDNAME=ddname keyword option in the PARM= parameter. (The default value for this keyword option is CONNECTCHECK(NO).)
- Define a FACILITY class profile:
```
SERENA.CONNECT.sysname.XCHsubsys
```
  Where:
  - *sysname* is the four-character SMF ID of the LPAR where the Sernet instance runs
  - *subsys* is the one-character subsystem ID of the Sernet started task
- Permit READ access to the FACILITY class to user IDs and group IDs to allow logon.
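The profile definition and permit steps above, written as a batch TSO job for RACF. This is an added example, not JCL supplied with the product: the JOB statement, SMF ID `SYSA`, subsystem ID `2` and group `ZDDUSERS` are hypothetical, and it assumes the FACILITY class is active and RACLISTed and that the server runs with CONNECTCHECK(YES).

```jcl
//ZDDCONN  JOB (ACCT),'ZDD CONNECT CHECK',CLASS=A,MSGCLASS=X
//*
//* Added example, not vendor-supplied JCL. Hypothetical values:
//*   SYSA     = four-character SMF ID of the LPAR
//*   2        = one-character Sernet subsystem ID
//*   ZDDUSERS = RACF group whose members may log on to ZDD
//*
//* RDEFINE  - UACC(NONE), so no user ID can log on until it is
//*            explicitly permitted; AUDIT(FAILURES(READ)) asks
//*            RACF to record failed READ attempts.
//* PERMIT   - READ is the access level the page requires for
//*            logon; grant it to a group rather than to users.
//* SETROPTS - refreshes the in-storage FACILITY profiles.
//* RLIST    - prints the access list so it can be reviewed.
//*
//RACFCMDS EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE FACILITY SERENA.CONNECT.SYSA.XCH2 UACC(NONE) +
    AUDIT(FAILURES(READ))
  PERMIT SERENA.CONNECT.SYSA.XCH2 CLASS(FACILITY) +
    ID(ZDDUSERS) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  RLIST FACILITY SERENA.CONNECT.SYSA.XCH2 AUTHUSER
/*
```

Review the RLIST output in SYSTSPRT to confirm that universal access is NONE and that only the intended group appears in the access list.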
Step 10: Add PassTicket Support In Sernet
RACF PassTickets are a requirement for mainframe clients connecting via TCP/IP.
Note
RACF PassTickets are not a requirement for ChangeMan ZDD or ChangeMan ZMF for Eclipse. These PassTickets are the result of the RACF Secure Signon Function and eliminate the need for clients to provide a password or passphrase that needs to be sent over a network. Additional information on PassTickets can be found in the ‘Using the Secured Signon Function’ section of the IBM-supplied ‘Security Server RACF Security Administrator's Guide’.
PassTickets are application-specific so a Sernet-generated PassTicket is only valid for connecting to a Sernet started task. Each PassTicket is valid for approximately ten minutes from the time it is issued and can only be used once.
RACF Administration Required
- Activate the PTKTDATA class by entering:
```
SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
```
- Refresh the PTKTDATA class by entering:
```
SETROPTS RACLIST(PTKTDATA) REFRESH
```
- Create a profile in the PTKTDATA class by entering:
```
RDEFINE PTKTDATA SERNET SSIGNON(user_must_choose) APPLDATA('NO REPLAY PROTECTION')
```
...
Note
The value of SERNET in the above RDEFINE command is mandatory and should not be altered. You must provide the SSIGNON specification.
The SERSET Utility
Support for PassTickets in Sernet is provided via the execution of the SERSET utility. The SERSET utility is always invoked automatically by every Sernet started task during initialization. This caters to the case where clients connect to a started task running on the same LPAR.
However, the SERSET utility can also be executed as a batch utility. We provide a new member called SERSET in the delivered SERCOMC CNTL library. If users sign on to the started task from other LPARs, you need to run the SERSET batch job once per LPAR after IPL to provide support for the PassTickets.
Generating a PassTicket
Sernet generates PassTickets when SERCLIEN calls SERXPTIK. The generation process requires authorization (key zero) so SERXPTIK executes as a PC routine and the sole purpose of the SERSET utility is to implement this routine.
For SERCLIEN to generate a PassTicket, SERCLIEN only needs to know the PC number associated with SERXPTIK. To find this number, SERCLIEN retrieves two system-level tokens, as follows:
- SerNet.PTickTok – this contains the SerNet.PTickX value.
- SerNet.PTickX – this contains the PC number.

Note
The X in this token name corresponds directly to the TOKEN= value established when SERSET runs.
Failures in PassTicket Generation
SERXPTIK calls the routine anchored in field RCVTPTGN of the RACF CVT. Errors will be returned to the caller of SERCLIEN with the following message:
SER6035E Passticket generation failed, RCVTPTGN RC=nnnn
RCVTPTGN and its accompanying return codes are documented under “Using the service to generate a PassTicket” in the RACF Macros and Interfaces manual.
TOKEN= Operand of SERSET
The SERSET member of the SERCOMC CNTL library contains an EXEC card that reads:
PTICKET EXEC PGM=SERSET,REGION=2M,PARM='TOKEN= '
The default value for TOKEN is A so this effectively reads:
PTICKET EXEC PGM=SERSET,REGION=2M,PARM='TOKEN=A'
When the JCL executes, one of two message sequences will normally ensue:
SER1704I CSVDYLPA loaded SERXPTIK @ xxxxxxxx
SER1708I SerNet.PtickA token created
SER1708I SerNet.PtickTok token created
SER1709I Passticket support enabled
This sequence will appear when SERSET first executes after an IPL. It shows the loading of SERXPTIK and the creation of the two system-level tokens.
SER1701I Passticket support previously enabled under 'A' suffix
This message will appear when SERSET executes every other time after an IPL. It signifies that SerNet.PTickTok points at SerNet.PTickA and that the latter contains the PC number associated with SERXPTIK.
Refreshing SERXPTIK
SERXPTIK is loaded into common storage by SERSET. By design, it’s a very small piece of code that should rarely change but, even so, on occasion it may need to be refreshed without an IPL.
To do this, rerun SERSET ensuring it will pick up the new version of SERXPTIK from STEPLIB and specifying a different TOKEN= value. For example, specifying TOKEN=B will result in the following message sequence:
SER1704I CSVDYLPA loaded SERXPTIK @ xxxxxxxx
SER1708I SerNet.PtickB token created
SER1708I SerNet.PtickTok token created
SER1709I Passticket support enabled
Once this has executed SerNet.PTickTok will point at SerNet.PTickB and this will cause SERCLIEN to invoke the new version of SERXPTIK [via a different PC number].
The TOKEN= parameter will accept any value from A-Z and 0-9 but any use beyond A and, rarely, B would be highly unusual.
Step 11: Start the Sernet Instance
Use a START command to start a Sernet instance. Variations of the START command include:
S SERPROC1
S SERPROC.SERTASK2,ID=2
S SERPROC,JOBNAME=SERTASK3,ID=3
See Sernet Started Task Names for a discussion of the START command and Sernet started task names.
Messages
Sernet messages and SER10TY License Manager messages are displayed in the SERPRINT sysout dataset for the Sernet started task. Sernet messages are explained in Sernet Messages.
SER0800I SerNet - Initialization in progress: CSA=0000E000
SER0801I Execution parameters specified:
SER0801I DDNAME=PARMLIB
SER0801I < DDNAME: PARMLIB
SER0801I SUBSYS=$
SER0801I XCH=61
SER0801I SDNOTIFY=010
SER0801I >
LIC0034I ChangeMan ZDD licensed to SERENA - Blue Hill CPU
SER0660I Unix services are available
SER0821I XCH (ChangeMan ZDD) licensed
SER1000I XCH TCP/IP environment active at 10.35.11.100..61
SER1001I XCH TCP/IP local host name: C001
SER08I Address Space Manager active
SER0833I XML Data Space Manager active
SER0810I SerNet server "$" initialized and ready for communications
SER0824I Attempting to load PAN#1 to determine if feature present; Please ignore any associated
CSV003I message.
...
SER0826I PAN#1 not found
SER0824I Attempting to load LIBR to determine if feature present; Please ignore any associated
CSV003I message.
SER0826I LIBR not found
Already Started
Each Sernet instance started on an LPAR must be assigned a unique subsystem ID. If you attempt to start a Sernet instance with a subsystem ID that is the same as a Sernet instance that is already running, an error message is displayed.
SER0822E SerNet already active for subsystem ID "$" - Terminating
Step 12: Stop the Sernet Instance
There are several ways to bring down a Sernet started task. The recommended method is to do an orderly termination with a SHUTDOWN modify command. You can specify a grace period with the SHUTDOWN command to allow users to save their work and logoff.
The following table lists some variations of the SHUTDOWN command.
Shutdown Command | Result |
---|---|
F SERs,SHUTDOWN | Orderly shutdown, 5 minute grace period |
F SERs,SH | Command abbreviation, same result as SHUTDOWN |
F SERs,HALT | Alternate command; same result as SHUTDOWN |
F SERs,SH,M10 | Orderly shutdown, 10 minute grace period |
F SERs,SH,30 | Orderly shutdown, 30 minute grace period |
F SERs,SH,0 | Immediate orderly shutdown, 15 second maximum wait |
- SERs is the started procedure name, the started task identifier, or the JOBNAME specified on the START command. See Sernet Started Task Names.
- The keyword SHUTDOWN may be abbreviated SH.
- The keyword HALT is equivalent to SHUTDOWN and is provided because IBM® NetView® often uses HALT as the directive to bring down long running systems.
- The default grace period is 5 minutes.
- Minutes of grace period may be preceded with M to conform with other hour and minute designations.
- Grace periods longer than 30 minutes are set back to 30 minutes.
- The response is printed at //SERPRINT, as follows:
SER0944I SerNet orderly SHUTDOWN initiated; No grace period; Immediate termination
SER0990I Statistics; Real time: H09M11S02
SER0991I Statistics; Applications: 3
SER0992I Statistics; Users attached: 0
SER0993I Statistics; Called count: 0
SER0994I Statistics; Concurrent max: 0
SER0995I Statistics; Abended: 0
SER0996I Statistics; Detached inactive: 0
SER0999I SerNet server "$" termination complete, RC=0
Other methods may be used to stop the Sernet started task if the SHUTDOWN command is not successful.
Command | Result |
---|---|
P SERs | Purge all users in session immediately and stop |
F SERs,ABEND | Abend the started task with an S0C3 after closing VSAM files. |
CANCEL SERs,DUMP | Cancel the job. Cancel is not recommended because there may be open dialogs along the network and open data sets. Severe damage could result depending on what is occurring at the time the CANCEL is issued. |