Jousma, David wrote:
Just another thought, may or may not fix this problem. But what if you setup
IECIOSxx to EKM NONE, then once up, issue a SETIOS EKM command?
_________________________________________________________________
Dave Jousma
Assistant Vice President, Mainframe Services
[email protected]
1830 East Paris, Grand Rapids, MI 49546 MD RSCB1G
p 616.653.8429
f 616.653.8497
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of
Lizette Koehler
Sent: Monday, February 02, 2009 1:47 PM
To: [email protected]
Subject: Re: Top Secret and EKM
So -
1) IOSAS is setup correctly
2) IOSAS starts well before TSS comes up in the IPL
3) After an IPL the encryption job is run it gets
a) An I/O Error with IOS628E error message
b) Then successfully (without stopping) mounts and encrypts a tape
c) All encryption jobs are now successful
4) This chews up my native tapes since I have so few.
5) I have two EKMSERV running at all times. This did not alleviate the
problem.
Questions:
1) Where or how should TSS be started at IPL time. Is it the first think up
or can it start after JES2?
2) Do you use generic users for IOSAS and OMVS?
CA feels starting TSS before JES2 could help. Yet, I am not sure I see how
that could be better.
"The IOS628E is a result of how the first security call is processed once TSS
is up for an address space that is started before TSS.
There are times when this first call may fail and this has to do with the way we
convert the address space (started before TSS) to use security, particularly with
OMVS. In these circumstances, it is only the first call that fails. After that,
anytime the process is done it should work without having to do anything else."
Any other thoughts? I really hate to have to fix tapes all the time because it
fails. And it is most of the time not periodically.
Lizette
The actual error message is
IOS628E ENCRYPTION ON DEVICE 0A0D HAS FAILED DUE TO OMVS SEGMENT
FAILURE FOR IOSAS
However, once the tape is dropped with the I/O error, the next tape mounted
runs successfully. The job runs to good eoj.
Lizette
Yes, we are a TSS shop using EKM. However, we don’t do any native tape
encryption. All of ours is behind a TS7700 VTS. Sounds likely, however, what
CA is telling you. My suggestion to you is to have more than one EKM Server,
so that at least one is up all the time. If you only run a single production
LPAR, then I guess that is a problem. If you have a development LPAR, I would
consider running EKM there as well.
Didn’t CA tell you exactly what is wrong with the ACID? What is the additional
message text of IOS638E. There appears to be multiple scenarios this message
documents.
I am having an issue with IOSAS and TSS. After an IPL the first job that
requests an encryption of a tape fails with IOS628E. This causes my tape to
have an I/O error and is dismounted. The job then immediately mounts a new
tape and viola it runs to a good EOJ. However, now I have a tape I have to
correct in CA1 and ISMF in order to use it again.
IBM sent me to CA and CA TSS is saying this is due to TSS coming up later than
IOSAS and the ACID is not quiet correct.
Anyone else run into this?
Lizette
PS Sorry if this is a duplicate.
If this didn't work, you might try issuing
d ios,ekm,verify=primary
after TSS is up. This will cause IOS to try and connect to
the EKM server. It will probably fail (like your first tape),
but that may be enough for TSS to setup whatever is needed.
Richard
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
