CHAPTER 7

Known Problems and Restrictions

This chapter contains information about known problems or restrictions pertaining to this release of the software. Topics include:

Check the SunSolve web site for patch releases that address these issues.

Built-in and External Security

This section contains important information if you are using either Sun MTP built-in transaction security or Sun MTP Secure integrated with an external security manager (ESM).

System Transaction Security Constraints

The Sun Mainframe Transaction Processing Software Administrator's Guide contains a list of system transactions that are categorized as requiring either unrestricted or controlled transaction security. In this release, however, some of those transactions must be configured to use unrestricted transaction security.

The transactions requiring unrestricted security are as follows:

If built-in transaction security is configured (or the default is used), no changes to the Program Control Table (PCT) are needed, because the system transactions are already set to allow uncontrolled access (security level is set to 1).

If an ESM is configured with Sun MTP Secure, the ESM must be configured so that these transactions have uncontrolled access permissions--that is, with the permissions for the default user ID (KIXSECDFLTUSER).

Clients Lacking Certain ESM Functionality

In this release, the following communications clients are restricted from using certain Sun MTP Secure resource class types when Sun MTP Secure is enabled:

ESM authentication services and all Sun MTP Secure resource class types can be enabled and used except for the following:

ECI User ID Security Information Not Supported

In this release, ECI client applications can only run with default authority. With Sun MTP built-in transaction security, this means that they can only run transactions whose PCT entries are set to security level 1. With Sun MTP Secure (ESM security), they can only access resources permitted to the default user ID (KIXSECDFLTUSER).

Solaris Management Console

Sun MSF and Solaris Management Console (SMC) software cannot coexist if the system-wide java.security configuration file was modified to comment out the line policy.allowSystemProperty=true. The documentation for Sun MSF instructs you to comment out this line, but SMC requires that this line be present.

If you want to run SMC with Sun MSF, do either of the following:

Sun MSF Software

There are two known problems related to the Sun MSF software. These problems will be fixed in the next release of the software, Sun MSF 1.1.

Problem: Sun MSF does not automatically suspend a principal after the specified number of login failures. (Bug 4968068)

Workaround: After setting up the security repository, or if you have an existing repository, use the following database commands to grant permission to the repository end user.

ALTER TABLE Users ADD lastpwchgdate VARCHAR(10);
GRANT UPDATE (suspendflag) ON Users TO user-name;
GRANT UPDATE (lastpwchgdate) ON Users TO user-name;

The user-name variable in this example is the repository end user created by the MakeAnAdministrator tool and defined in the com.sun.emp.security.adapterUser property of the MSFconfg.properties file.

Problem: Sun MSF does not correctly handle password expiration if you use the minimum and maximum days options on the createPrincipal command. (Bug 4963981)

Workaround: There is no workaround for this problem. However, you can set a password expiration date on the createPrincipal command, which is honored.

Special Disk Types

When using Sun MTP on a storage area network (SAN) disk, you might have problems running multiple regions concurrently. This is because Sun MTP uses the UNIX ftok function to identify a region's shared memory segments, and the key that ftok returns is derived from the directory named by the KIXSYS environment variable.

If the $KIXSYS directories are on a SAN disk and the regions have similar patch levels, the ftok function returns the same unique key identifier for each region, which causes the conflict.

For example, if both of these regions are on the same SAN disk, there will be a conflict:

Region1 $KIXSYS - /unikix/mtp/prodsys
Region2 $KIXSYS - /unikix/mtp/testsys

The solution is to have each region's $KIXSYS directory located on local Sun disks. The data files can continue to reside on the SAN disks. If you must have the $KIXSYS directories on a SAN disk, try to use distinctive paths for them, such as:

Region1 $KIXSYS - /unikix/mtp/prodsys
Region2 $KIXSYS - /unikixtest/tmp/testsys

where /unikix and /unikixtest are different mount points.
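A pre-flight check for the key conflict described above, as an added example that is not part of the Sun MTP software or its documentation: it calls ftok on each candidate $KIXSYS directory and reports any pair that yields the same key, so a production and a test region are never started against the same shared memory identifier. The project identifier that Sun MTP passes to ftok is not given here, so PROJ_ID is an assumed placeholder, and the function name count_key_collisions is hypothetical.

```c
/* Pre-flight check: do any two region directories yield the same ftok() key? */
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/stat.h>

/* Assumption: the project id Sun MTP really uses is not documented here.
 * Any fixed id is enough to compare directories against each other. */
#define PROJ_ID 'K'
#define MAX_DIRS 64

/* Returns the number of colliding pairs, or -1 if a directory cannot be
 * resolved (missing path, no permission) or too many are given. */
int count_key_collisions(const char *dirs[], int n, int proj_id)
{
    key_t keys[MAX_DIRS];
    int collisions = 0;

    if (n > MAX_DIRS)
        return -1;
    for (int i = 0; i < n; i++) {
        struct stat st;
        keys[i] = ftok(dirs[i], proj_id);
        if (keys[i] == (key_t)-1 || stat(dirs[i], &st) != 0) {
            perror(dirs[i]);
            return -1;
        }
        /* Show the device and inode so the cause of a clash is visible. */
        printf("%-32s dev=%lu ino=%lu key=0x%08x\n", dirs[i],
               (unsigned long)st.st_dev, (unsigned long)st.st_ino,
               (unsigned int)keys[i]);
        for (int j = 0; j < i; j++) {
            if (keys[j] == keys[i]) {
                printf("COLLISION: %s and %s share key 0x%08x\n",
                       dirs[j], dirs[i], (unsigned int)keys[i]);
                collisions++;
            }
        }
    }
    return collisions;
}

int main(int argc, char *argv[])
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s KIXSYS_DIR1 KIXSYS_DIR2 [...]\n", argv[0]);
        return 2;
    }
    return count_key_collisions((const char **)(argv + 1), argc - 1, PROJ_ID) == 0 ? 0 : 1;
}
```

Run it on the host that will run the regions, passing every region's $KIXSYS directory; a nonzero exit status means at least one pair collides or a directory could not be read.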


JCICS does not support 3270 Model 4 and 5 terminal types.