Go to main content

6 Troubleshooting

Table 6-1 describes solutions to some problems that you might encounter while using the connector.

Table 6-1 Troubleshooting Tips

Problem Description	Solution
Oracle Identity Manager cannot establish a connection with CA ACF2.	Ensure that the mainframe is running. Verify that the required ports are working. Due to the nature of the Provisioning Agent, the LDAP Gateway must be started first, and then the mainframe JCL started task must be started. This is a requirement based on how TCP/IP operates. Check that the IP address of the server that hosts the LDAP Gateway is configured in the Reconciliation Agent JCL. Read the LDAP Gateway logs to determine if messages are being sent and received. Examine the Oracle Identity Manager configuration to verify that the IP address, admin ID, and admin password are correct. Check with the mainframe platform manager to verify that the mainframe user account and password have not been changed.
The mainframe does not appear to respond.	Check the connection information that you have provided in the IT resource and the acf2Connection.properties file. Check the logs. If any of the mainframe JCL jobs have reached an abnormal end, then make the required corrections and rerun the jobs.
A particular use case does not work as expected.	Check for the use case event in the LDAP Gateway logs. Then check for the event in the specific log assigned to the connector: If the event has not been recorded in either of these logs, then investigate the connection between Oracle Identity Manager and the LDAP Gateway. If the event is in the log but the command has not had the intended change on a mainframe user profile, then check for configuration and connections between the LDAP Gateway and the mainframe. Verify that the message transport layer is working.
The LDAP Gateway fails and stops working	If this problem occurs, then the Reconciliation Agent stops sending messages to the LDAP Gateway. Instead, it stores them in the subpool cache. When this happens, restart the LDAP Gateway instance so that the Reconciliation Agent reads the subpool cache and resends the messages.
The LDAP Gateway is running. However, the Reconciliation Agent fails and stops working	If this problem occurs, then all events are sent to the subpool cache. If the mainframe fails, then all messages are written to the disk. When this happens, restart the Reconciliation Agent instance so that it reads messages from the disk or subpool cache and resends the messages.
The Pioneer STC exits with a SD37 abend	This problem occurred because the dataset sizing for ACF2OUT is incorrect for the number of resource rules used in your environment. This is not a problem with the Pioneer STC, but with your sizing estimates. ACFCMD writes its output to ACF2OUT. As a sizing guideline, a blocksize of 27400 will yield 206 records of 133 bytes each.
The Pioneer STC exits with a S0C4 abend.	This problem possibly occurred because of a conflict between the system settings for the Language Environment (LE) options and what is needed. The LE options that maybe involved are ALL31, HEAP, and STACK. Using a CEEOPTS DD in the job stream may be necessary to over ride set defaults. See Table 6-2 for the three options settings and their effects.
The PIONEER STC exits with S722 abend when DEBUG=Y is set.	This happens because the debugging output from PIONEER can exceed limits that maybe set for JES2/JES3 SYSOUT files. Running with DEBUG=Y is meant to be used only on our request for a short duration to troubleshoot an issue. In all other cases DEBUG=N should be used.
Pioneer requires RACF to make calls to R_ADMIN API when the security subsystem is CA-ACF2.	All ACF2 commands are passed through the RACF API interface (service RADMIN, program = IRRSEQ00). Even though the Security Subsystem is CA-ACF2, the RACF API is still used by Pioneer for making calls to R_ADMIN API. Ensure that you have performed the steps described in the following sections: Section 2.3.6, "Loading and Activating the Exits" Section 2.3.7, "Creating an ACF2 LID for Pioneer and Voyager with Permissions" Section 2.3.8, "Adding Pioneer/Voyager to the Resource Rule Facilities (BPX and IRR)"
The PIONEER STC fails with the following error message: IKJ56231I FILE AUDTLOG NOT ALLOCATED, SYSTEM OR INSTALLATION ERROR+ IKJ56231I TEXT UNIT X'0018' CONTAINS INVALID PARAMETER AUDIT LOG FAILED TO ALLOC RC: 0056360984 BPXWDYN PARMSTR: ALLOC DD(AUDTLOG) SYSOUT(*) MSG(WTP)	Ensure that you specify a SYSOUT value in the PIONEER CONTROL CARD Setting: AUDIT=YES,SYSOUT,CLASS(*) For example: AUDIT=YES,SYSOUT,CLASS(S)

Table 6-2 shows the three options settings and their effects:

Table 6-2 Three Options Settings and their Effects

ALL31	HEAP	STACK	RESULT
OFF	BELOW	BELOW	RC=0
OFF	BELOW	ANYWHERE	Loop
OFF	ANYWHERE	BELOW	S0C4
OFF	ANYWHERE	ANYWHERE	RC=0
ON	BELOW	BELOW	RC=0
ON	BELOW	ANYWHERE	RC=0
ON	ANYWHERE	BELOW	S0C4
ON	ANYWHERE	ANYWHERE	RC=0