IBM Support

API request using SAF authentication fails with HTTP response 401 after upgrade

Question & Answer


Question

After upgrading to z/OS Connect EE 3.0.11.0 and starting my server. I invoked an API passing a basic authentication header with credentials that I expect to be authenticated using SAF (RACF), but the request failed with HTTP response 401.

messages.log includes the following messages:

  • CWWKB0122I: This server is connected to the default angel process.

  • CWWKB0104I: Authorized service group SAFCRED is not available.

  • CWWKS2932I: The unauthorized version of the SAF user registry is activated. Authentication will proceed using unauthorized native services.

  • FFDC1015I: An FFDC Incident has been created: "com.ibm.ws.security.registry.RegistryException: Unix System Service __passwd failed for user with errno 157 (EMVSERR) and errno2 x90c02af com.ibm.ws.security.registry.saf.internal.SAFRegistry 121" at ffdc_yy.MM.dd_hh.mm.ss.s.log CWWKS1100A: Authentication did not succeed for user ID MYUSER. An invalid user ID or password was specified.

This worked successfully, before I upgraded from z/OS Connect EE 3.0.10.0 to 3.0.11.0.

Answer

z/OS Connect EE 3.0.11.0 updates the level of the WebSphere Liberty Profile it ships to 18.0.0.2. WebSphere Liberty Profile 18.0.0.2 updated the level of the angel process to version 8.

For a z/OS Connect EE server to be able to access the z/OS authorized services (for example SAFCRED to perform SAF authentication), it must connect to an angel process running WebSphere Liberty Profile at the same level or higher.

  1. Ensure that the angel process is running the updated version of z/OS Connect EE 3.0.11.0 (so that it is using WebSphere Liberty Profile 18.0.0.2). See the z/OS Connect EE V3 product documentation: Securing -> Configuring the Liberty Angel process and z/OS authorized services for more details.

  2. Restart the z/OS Connect EE server and check that messages.log contains the following message: CWWKB0103I: Authorized service group SAFCRED is available.

  3. Invoke the API again, the SAF authentication should now be successful.

Regards, Sue
IBM z/OS Connect EE Test

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSNPJM","label":"IBM z\/OS Connect"},"Platform":[{"code":"PF035","label":"z\/OS"}],"Component":"","Version":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]

Product Synonym

zCEE

Document Information

Modified date:
14 February 2023

UID

dwa1461522

Page Feedback