We are getting the following random sFTP job abends :
IEA989I SLIP TRAP ID=XEC6 MATCHED. JOBNAME=XXXXXXXX, ASID=007D.
BPXP023I THREAD 1AC7A60000000001, IN PROCESS 50462871, WAS 168
TERMINATED BY SIGNAL SIGINT, SENT FROM THREAD
1AC7950000000001, IN PROCESS 33686189, UID 550383, IN JOB XXXXXXXX.
IEF450I UMATO001 *OMVSEX - ABEND=SEC6 U0000 REASON=0000FF02 169
TIME=14.30.36
The jobs themselves work and report rc=0, but the SEC6 abends are evident in the syslog and appear to be random. I've found the following http://www-01.ibm.com/support/docview.w ... sg1OA24067 which talks about switching to ICSF hardware for random number generation. What we are wondering is whether setting the environment variable "export _ZOS_SSH_PRNG_CMDS_TIMEOUT=" might be a possible fix? I can see a few SEC6 abends on the forum already but they appear to be more general setup errors. Anyone experienced these abends?
SEC6 abends
Re: SEC6 abends
Its hard to tell without further diagnosis -
- what address space is taking the abend? (is it Co:Z SFTP or the IBM Ported Tools /bin/ssh ?) If the latter, you may want to open a problem with IBM
- are you getting IBM Ported Tools OpenSSH messages that indicate a problem?
- are you using ssh-rand-helper?
- what address space is taking the abend? (is it Co:Z SFTP or the IBM Ported Tools /bin/ssh ?) If the latter, you may want to open a problem with IBM
- are you getting IBM Ported Tools OpenSSH messages that indicate a problem?
- are you using ssh-rand-helper?
Re: SEC6 abends
Hi,
We have now implemented export _ZOS_SSH_PRNG_CMDS_TIMEOUT=xxxxx and this does solve the problem. What I've noticed is that on systems where ICSF is running we don't seem to see the message "Seeding PRNG from /usr/lib/ssh/ssh-rand-helper" and we also don't see the SEC6 abends.
If I stop ICSF and run a sFTP job with export _ZOS_SSH_PRNG_CMDS_TIMEOUT=1 on our test systems we get message FOTS1945 ssh-rand-helper child produced insufficient data and RC=255. If I set export _ZOS_SSH_PRNG_CMDS_TIMEOUT=100 we see the SEC6 abends. The default for _ZOS_SSH_PRNG_CMDS_TIMEOUT is 1000 (e.g. 1 sec). We have set this value higher than 1 sec to avoid the SEC6 abends. Note this environment variable only seems to apply the OpenSSH V1.2.
We are wondering whether we should run ICSF for better performance/throughput on any LPAR that runs sFTP. Is there any documentation or white papers on this?
We have now implemented export _ZOS_SSH_PRNG_CMDS_TIMEOUT=xxxxx and this does solve the problem. What I've noticed is that on systems where ICSF is running we don't seem to see the message "Seeding PRNG from /usr/lib/ssh/ssh-rand-helper" and we also don't see the SEC6 abends.
If I stop ICSF and run a sFTP job with export _ZOS_SSH_PRNG_CMDS_TIMEOUT=1 on our test systems we get message FOTS1945 ssh-rand-helper child produced insufficient data and RC=255. If I set export _ZOS_SSH_PRNG_CMDS_TIMEOUT=100 we see the SEC6 abends. The default for _ZOS_SSH_PRNG_CMDS_TIMEOUT is 1000 (e.g. 1 sec). We have set this value higher than 1 sec to avoid the SEC6 abends. Note this environment variable only seems to apply the OpenSSH V1.2.
We are wondering whether we should run ICSF for better performance/throughput on any LPAR that runs sFTP. Is there any documentation or white papers on this?
Re: SEC6 abends
We recommend that you avoid using ssh-rand-helper all together:
http://dovetail.com/docs/pt-quick-inst- ... nst-random
And with IBM OpenSSH 1.3, you MUST do this.
http://dovetail.com/docs/pt-quick-inst- ... nst-random
And with IBM OpenSSH 1.3, you MUST do this.