IBM Support

Liberty JVM server does not log EJBROLE access failure with SAF authorization

Question & Answer


Question

What can be done to change LOG=NONE to LOG=ASIS for a Java (TM) EE application being run within a Liberty JVM server in CICS Transaction Server for z/OS (CICS TS)? The Liberty server makes EJBROLE checks to ensure the end user is authorized to use the application. However, these security checks are being made with LOG=NONE. Therefore, the SAF authorization problems are not being logged.

SAF trace shows the security checks are being made out of module DFHKEATT.

Answer

Update the safAuthorization element in the Liberty server.xml configuration file to specify racRouteLog="ASIS". For example:

 <safAuthorization id="saf" racRouteLog="ASIS"/> 

For further details review topic safAuthorization - SAF Authorization (safAuthorization) in the WebSphere Application Sever for z/OS Liberty documentation

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Platform":[{"code":"PF035","label":"z\/OS"}],"Component":"Liberty","Version":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSNPJM","label":"IBM z\/OS Connect"},"Platform":[{"code":"PF035","label":"z\/OS"}],"Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]

Product Synonym

CICS/TS CICSTS CICS TS CICS Transaction Server;zCEE

Document Information

Modified date:
14 February 2023

UID

dwa1415924