BPXP014I when executing COZBATCH

Discussion of Co:Z sftp, a port of OpenSSH sftp for z/OS
cmcgavic
Posts: 14
Joined: Wed Jul 07, 2010 1:55 pm
Location: Louisville, Ky

BPXP014I when executing COZBATCH

Post by cmcgavic »

I receive the following messages when attempting to execute COZBATCH:

TSS7236E ENVIRONMENT IS CONTROLLED - UNIX MARK UNCONTROLLED REQUEST
REJECTED
BPXP014I ENVIRONMENT MUST REMAIN CONTROLLED FOR DAEMON (BPX.DAEMON)
PROCESSING.

I've just installed the software and it's my first attempt to use the product. The first time I ran it I got an error on /bin/ssh regarding it needing to be program controlled. I flipped the bit to make it controlled and that eliminated that error, but still get the BPXP014I. We are using CA Top Secret for security.
dovetail
Site Admin
Posts: 2025
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail »

I'm not a TSS expert, but there is no reason to program-control /bin/sh under normal circumstances. Perhaps you should undo that and post the errors that you get?

Also - are you running this under a userid that has BPX.DAEMON authority? Try it with a userid that doesn't have this authority to see what happens.
cmcgavic
Posts: 14
Joined: Wed Jul 07, 2010 1:55 pm
Location: Louisville, Ky

Post by cmcgavic »

I'm pretty sure that my ID has BPX.DAEMON authority. I ran across something earlier in the afternoon that made it sound like you had to execute without BPX.DAEMON. I'm heading out for the day and will try it first thing in the morning. Thanks for the input.
cmcgavic
Posts: 14
Joined: Wed Jul 07, 2010 1:55 pm
Location: Louisville, Ky

Post by cmcgavic »

I was finally able to create an ID without BPX.DAEMON authority and eliminate the obvious errors. Now I get the following:

FOTS2190 Failed to add the host to the list of known hosts (/.ssh/known_hosts).

When I look at the known_hosts file, it appears that an entry is in there for the server IP address I'm attempting to hit.
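The FOTS2190 message above names the file sftp was trying to write, $HOME/.ssh/known_hosts, which with an OMVS segment of HOME=/ resolves to /.ssh/known_hosts. Standard OpenSSH behaviour is to add a host only when it finds no entry for the exact name (or [host]:port) used in the connection, so an entry stored under the server's IP address does not cover a connection made by hostname, and an existing entry does not help when a new name or IP must be recorded and the file or its directory is not writable by the running user. The POSIX shell script below is an added diagnostic written for this thread; it is not Co:Z code and is not from any poster. The known_hosts lines, host names and key material in it are constructed for the example, and it checks writability and entry presence with awk rather than by calling ssh.

```shell
#!/bin/sh
# Added example (not from the original thread or from Co:Z). Diagnoses why
# ssh/sftp would fail to add a host to known_hosts (FOTS2190). All sample
# data below is constructed; the key strings are placeholders, not real keys.

# Constructed sample known_hosts: an entry keyed by IP only, one with a
# hostname plus IP alias, and one with a non-default port.
SAMPLE_KNOWN_HOSTS='# constructed known_hosts for this example
192.168.10.25 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0placeholder
sftp.example.com,10.0.0.8 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1placeholder
[host.example.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2placeholder
'

# write_sample FILE: write the constructed known_hosts to FILE.
write_sample() {
  printf '%s' "$SAMPLE_KNOWN_HOSTS" > "$1"
}

# known_hosts_has FILE HOST [PORT]
# Returns 0 if FILE has an entry whose first column (a comma-separated list
# of names) contains HOST exactly, using the [HOST]:PORT form when PORT is
# not 22; returns 1 otherwise. Hashed entries (lines starting "|1|") cannot
# be compared this way; use "ssh-keygen -F HOST -f FILE" for those.
known_hosts_has() {
  file=$1; host=$2; port=${3:-22}
  [ -r "$file" ] || return 1
  if [ "$port" != 22 ]; then host="[$host]:$port"; fi
  awk -v want="$host" '
    /^[[:space:]]*#/ { next }      # comment line
    NF == 0          { next }      # blank line
    /^\|1\|/         { next }      # hashed entry, not comparable here
    {
      n = split($1, names, ",")
      for (i = 1; i <= n; i++) if (names[i] == want) { found = 1; exit }
    }
    END { exit found ? 0 : 1 }
  ' "$file"
}

# known_hosts_check FILE HOST [PORT]
# Prints a verdict and returns:
#   0  entry present, file writable (nothing to add, updates would succeed)
#   2  entry present, but file (or its directory) not writable
#   3  entry absent and file/directory not writable: the FOTS2190 situation
#   4  entry absent, file/directory writable: ssh would add it on first use
known_hosts_check() {
  file=$1; host=$2; port=${3:-22}
  dir=$(dirname "$file")
  writable=1
  if [ -e "$file" ]; then
    [ -w "$file" ] || writable=0
  else
    [ -d "$dir" ] && [ -w "$dir" ] || writable=0
  fi
  if known_hosts_has "$file" "$host" "$port"; then present=1; else present=0; fi
  if [ "$present" -eq 1 ] && [ "$writable" -eq 1 ]; then
    echo "OK: $host present in $file; file is writable"; return 0
  elif [ "$present" -eq 1 ]; then
    echo "WARN: $host present, but $file is not writable; new names or IPs cannot be recorded"; return 2
  elif [ "$writable" -eq 0 ]; then
    echo "FAIL: $host absent and $file not writable (expect FOTS2190)"; return 3
  else
    echo "INFO: $host absent; ssh will try to add it to $file"; return 4
  fi
}

# Demonstration against the constructed file. Point FILE at the real
# $HOME/.ssh/known_hosts named in the FOTS2190 message to diagnose a system.
demo=${TMPDIR:-/tmp}/known_hosts.example.$$
write_sample "$demo"
known_hosts_check "$demo" sftp.example.com      || true   # present by name
known_hosts_check "$demo" 192.168.10.25         || true   # present by IP
known_hosts_check "$demo" host.example.net 2222 || true   # present with port
known_hosts_check "$demo" host.example.net      || true   # port 22: absent
known_hosts_check /.ssh/known_hosts sftp.example.com || true  # path from FOTS2190
rm -f "$demo"
```

Run it as the ACID that executes COZBATCH, not as your TSO ID, because the -w tests answer for the effective user. The last demonstration line uses the literal /.ssh path from the message: for a non-UID-0 user whose HOME is / it will normally report 3, which is the permission problem to fix by giving the ACID a home directory it owns (or a writable UserKnownHostsFile). For hashed known_hosts entries the awk comparison always reports absent; check those with ssh-keygen -F instead.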
cmcgavic
Posts: 14
Joined: Wed Jul 07, 2010 1:55 pm
Location: Louisville, Ky

Post by cmcgavic »

I've tried tinkering with TSS security, but to no avail. I suppose I'll quit for now and start off in the morning. It is definitely a permission kind of problem.
cmcgavic
Posts: 14
Joined: Wed Jul 07, 2010 1:55 pm
Location: Louisville, Ky

Post by cmcgavic »

The unix guy that was giving me a test file had a bad shell. He gave me a new one and after working out a couple more permission issues with TSS, it worked!!!! :D
dovetail
Site Admin
Posts: 2025
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail »

Glad you got it to work. If you have any "lessons learned" from getting TSS to work and can share here, that would be great. It might help someone else with TSS, since our knowledge is very limited.
cmcgavic
Posts: 14
Joined: Wed Jul 07, 2010 1:55 pm
Location: Louisville, Ky

Post by cmcgavic »

For TSS to be used with Co:Z SFTP I did the following:

Created an ACID with the following permissions and OMVS segment. XXXX will most likely be your SYSID. If you don't have the proper permissions, they'll pop up on the z/OS console. 3115 for the UID is arbitrary. Make sure you don't add a profile to the ACID that has any reference to BPX.DAEMON, this will bite you as it did me initially when I was using my TSO ID. You may also need to grant permissions to the datasets you'll be creating with the ACID.

XA DATASET = TCPIP.STANDARD.TCPXLBIN
ACCESS = READ
XA IBMFAC = BPX.SMF
ACCESS = READ
XA SERVAUTH= EZB.NETSTAT.XXXX.TCPIP.ALLCONN
ACCESS = READ
XA SERVAUTH= EZB.NETSTAT.XXXX.TCPIP.ROUTE
ACCESS = READ
XA SERVAUTH= EZB.NETSTAT.XXXX.TCPIP.STATS
ACCESS = READ
----------- SEGMENT OMVS
HOME = /
OMVSPGM = /bin/sh
UID = 0000003115
robschramm
Posts: 10
Joined: Tue Apr 21, 2009 3:35 am

Re: BPXP014I when executing COZBATCH

Post by robschramm »

This is not so much a Top Secret issue as a SSHD BPX.DAEMON interaction.

see http://www-01.ibm.com/support/docview.w ... sg1OA07837
Problem #1 Change (explanation):
A user invoked ssh from a user id which has READ access to
BPX.DAEMON. A user id which is given READ access to BPX.DAEMON
is supposed to be set up as a protected user id (ie., with the
NOPASSWORD option). This is to prevent a uid 0 user from
working in the shell, because they would be able to perform
unauthenticated setuid's. It appears such a user does have
shell access. The system (or security) administrator should
double-check their security setup.