SAF authorization failure

Issues and Questions related to running Apache Tomcat on z/OS
Jeanno78
Posts: 3
Joined: Thu Sep 12, 2019 3:06 am

SAF authorization failure

Post by Jeanno78 » Tue Sep 17, 2019 4:18 am

Hello,

I'm trying to configure Tomcat to use SAF/RACF for user authentication and authorization. So I've downloaded from http://dovetail.com/downloads/tomcat/index.html the latest T:Z 8.5.0 and installed it on a z/OS 2.3 system with Java 8.
Tomcat starts correctly and I'm then able to connect to http://host:port.
When I try with http://host:port/manager, I'm prompted to provide my RACF userid/password to log on, but I'm then denied access to the manager page (HTTP 403). And I have no message in Tomcat's joblog or in the system's syslog which could help me determine the root cause.

For info:
- the userid running Tomcat does have read access to FACILITY(BPX.SERVER)
- all libraries with modules loaded by Tomcat are program controlled
- the realm points to SafRoleDatabase in SERVXML
- the roles are defined in SAFROLES as follows:

<role rolename="manager-gui" safclass="FACILITY" safentity="BPX.SUPERUSER" saflevel="READ"/>
<role rolename="manager-script" safclass="FACILITY" safentity="BPX.SUPERUSER" saflevel="READ"/>
<role rolename="manager-jmx" safclass="FACILITY" safentity="BPX.SUPERUSER" saflevel="READ"/>
<role rolename="manager-status" safclass="FACILITY" safentity="BPX.SUPERUSER" saflevel="READ"/>

I should add that the userid I use to connect to Tomcat does have read access to BPX.SUPERUSER (checked with the Saftest program I found in your download section, http://dovetail.com/downloads/misc/index.html).
And I'm sure the RACF database is correctly addressed because when I don't provide the right password for my userid, I receive an ICH408I error message in Tomcat's joblog indicating that an invalid password has been entered.

I tried to start tomcat in debug/trace mode but that didn't give me any relevant info. I cautiously followed the SAF instructions in the documentation, so I'm not sure what I may have missed.
Is there anything else that needs to be set up to make it work?

Thanks for your help.

Jean-Noel

dovetail
Site Admin
Posts: 1910
Joined: Thu Jul 29, 2004 12:12 pm

Re: SAF authorization failure

Post by dovetail » Thu Sep 19, 2019 3:33 pm

1) Please post the output from your Tomcat job:

JES2 Joblog (DD:JESYSMSG), DD:STDOUT, DD:STDERR

2) Are there any system error messages on the console, especially those related to PROGRAM CONTROL?

Jeanno78
Posts: 3
Joined: Thu Sep 12, 2019 3:06 am

Re: SAF authorization failure

Post by Jeanno78 » Sat Sep 21, 2019 8:15 pm

Hi,

No, there's no message in the syslog related to the Tomcat server. I had some program control issues at first, but they were fixed after setting the extended attributes on some DLLs.

JVMJZBL2004N Log level has been set to: D
JVMJZBL1001N JZOS batch Launcher Version: 2.4.8 2018-09-27
JVMJZBL1002N (C) Copyright IBM Corp. 2005, 2016
JVMJZBL1028I Region requested = 0K, Actual below/above limit = 8M / 320M, MEMLIMIT=2048M
JVMJZBL1053I OS Release R26.00 Machine 3906
JVMJZBL1036D Spawned child shell process with PID: 270917
JVMJZBL1005I Output from DD:STDENV config shell script:
JVMJZBL1006I MAIL = /usr/mail/
JVMJZBL1006I JAVA_PROPAGATE = NO
JVMJZBL1006I PATH = /bin:/usr/lpp/java/current/bin:
JVMJZBL1006I IBM_JAVA_ZOS_TDUMP = NO
JVMJZBL1006I IBM_JAVA_OPTIONS = -Xms64m -Xmx128m -Dfile.encoding=ISO8859-1 -Dcatalina.base=/u/g201099/tomcat -Dcatalina.home=/u/g201099/tomcat -Djava.io.tmpdir=/u/g201099/tomcat/temp -Djava.protocol.handler.pkgs=com.dovetail.jzos.url|com.ibm.crypto.provider -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=/u/g201099/tomcat/conf/logging.properties
JVMJZBL1006I _C89_CLIB_PREFIX = SYS1
JVMJZBL1006I _CXX_PLIB_PREFIX = SYS1
JVMJZBL1006I _CC_PLIB_PREFIX = SYS1
JVMJZBL1006I _BPX_SPAWN_SCRIPT = YES
JVMJZBL1006I _ = /bin/env
JVMJZBL1006I CLASSPATH = /usr/lpp/java/current/lib/tools.jar:/u/g201099/tomcat/bin/bootstrap.jar:/u/g201099/tomcat/bin/tomcat-juli.jar:/u/g201099/tomcat/bin/zos-url.jar:
JVMJZBL1006I LANG = C
JVMJZBL1006I LIBPATH = /lib:/usr/lib:/usr/lpp/java/current/bin:/usr/lpp/java/current/lib/s390x:/usr/lpp/java/current/lib/s390x/j9vm:/usr/lpp/java/current/bin/classic:
JVMJZBL1006I _CXX_CLIB_PREFIX = SYS1
JVMJZBL1006I _BPX_SHAREAS = YES
JVMJZBL1006I _CC_CLIB_PREFIX = SYS1
JVMJZBL1006I JAVA_DUMP_HEAP = false
JVMJZBL1006I _C89_PLIB_PREFIX = SYS1
JVMJZBL1006I JAVA_HOME = /usr/lpp/java/current
JVMJZBL1006I TZ = GMT0BST-1,M3.5.0,M10.5.0
JVMJZBL1006I MANPATH = /usr/man/%L
JVMJZBL1006I NLSPATH = /usr/lib/nls/msg/%L/%N
JVMJZBL1006I PWD = /
JVMJZBL1012I Java Virtual Machine created. Version information follows:
java version "1.8.0_191"
Java(TM) SE Runtime Environment (build 8.0.5.25 - pmz6480sr5fp25-20181030_01(SR5 FP25))
IBM J9 VM (build 2.9, JRE 1.8.0 z/OS s390x-64-Bit Compressed References 20181029_400846 (JIT enabled, AOT enabled)
OpenJ9 - c5c78da
OMR - 3d5ac33
IBM - 8c1bdc2)
JVMJZBL1027I Using output encoding: IBM-1047
JVMJZBL1016I MVS commands are ENABLED
JVMJZBL1023N Invoking org.apache.catalina.startup.Bootstrap.main()...
JVMJZBL1056I Arguments to main...
JVMJZBL1057I start
org.apache.catalina.startup.Bootstrap.init Loading startup class
org.apache.catalina.startup.Bootstrap.init Setting startup class properties
org.apache.catalina.startup.Bootstrap.load Calling startup class public void org.apache.catalina.startup.Catalina.load(java.lang.String[])
org.apache.catalina.startup.Catalina.initNaming Setting naming prefix=org.apache.naming
org.apache.catalina.startup.Catalina.createStartDigester Digester for server.xml created 138
org.apache.catalina.core.ContainerBase.addChildInternal Add child StandardHost[localhost] StandardEngine[Catalina]
org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio2-31443"]
org.apache.catalina.startup.Catalina.load Initialization processed in 8079 ms
org.apache.catalina.core.NamingContextListener.lifecycleEvent Bound StandardServer[-1]
org.apache.catalina.core.NamingContextListener.createNamingContext Creating JNDI naming context
org.apache.catalina.core.NamingContextListener.addResource Adding resource ref SafRoleDatabase ResourceRef[className=org.apache.catalina.UserDatabase,factoryClassLocation=null,factoryClassName=org.apache.naming.factory.ResourceFactory,{type=description,content=z/OS SAF Role Database},{type=scope,content=Shareable},{type=auth,content=Container},{type=singleton,content=true},{type=factory,content=com.dovetail.zos.tomcat.SafRoleDatabaseFactory},{type=readonly,content=true},{type=pathname,content=conf/saf-roles.xml}]
org.apache.catalina.core.StandardService.startInternal Starting service Catalina
org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.5.6
org.apache.catalina.startup.HostConfig.start HostConfig: Processing START
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /u/g201099/tomcat/webapps/ROOT
org.apache.catalina.core.ContainerBase.addChildInternal Add child StandardContext[] StandardEngine[Catalina].StandardHost[localhost]
org.apache.catalina.startup.ContextConfig.init ContextConfig: Initializing
org.apache.catalina.startup.ContextConfig.processContextConfig Processing context [] configuration file [file:/u/g201099/tomcat/conf/context.xml]
org.apache.catalina.startup.ContextConfig.processContextConfig Successfully processed context [] configuration file [file:/u/g201099/tomcat/conf/context.xml]
org.apache.catalina.core.StandardContext.startInternal Starting ROOT
org.apache.catalina.core.StandardContext.startInternal Configuring default Resources
org.apache.catalina.core.StandardContext.startInternal Processing standard container startup
org.apache.catalina.loader.WebappLoader.startInternal Starting this Loader
org.apache.catalina.loader.WebappClassLoaderBase.findResource findResource(logging.properties)
org.apache.catalina.loader.WebappClassLoaderBase.findResource --> Resource not found, returning null
org.apache.catalina.startup.ContextConfig.configureStart ContextConfig: Processing START
org.apache.catalina.startup.ContextConfig.configureStart Context [] will parse web.xml and web-fragment.xml files with validation:false and namespaceAware:false
org.apache.catalina.core.StandardContext.setPublicId Setting deployment descriptor public ID to 'null'
org.apache.catalina.startup.ContextConfig.configureStart Pipeline Configuration:
org.apache.catalina.startup.ContextConfig.configureStart org.apache.catalina.core.StandardContextValve
org.apache.catalina.startup.ContextConfig.configureStart ======================
org.apache.catalina.core.NamingContextListener.lifecycleEvent Bound StandardEngine[Catalina].StandardHost[localhost].StandardContext[]
org.apache.catalina.core.NamingContextListener.createNamingContext Creating JNDI naming context
org.apache.catalina.core.StandardContext.startInternal No manager found. Checking if cluster manager should be used. Cluster configured: [false], Application distributable: [false]
org.apache.catalina.core.StandardContext.startInternal Configured a manager of class [org.apache.catalina.session.StandardManager]
org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
org.apache.catalina.core.StandardContext.listenerStart Configuring application event listeners
org.apache.catalina.session.StandardManager.doLoad Start: Loading persisted sessions
org.apache.catalina.session.StandardManager.doLoad Loading persisted sessions from SESSIONS.ser
org.apache.catalina.session.StandardManager.doLoad No persisted data file found
org.apache.catalina.core.StandardContext.startInternal Starting completed
org.apache.catalina.startup.HostConfig.addWatchedResources Watching WatchedResource '/u/g201099/tomcat/webapps/ROOT/WEB-INF/web.xml'
org.apache.catalina.startup.HostConfig.addWatchedResources Watching WatchedResource '/u/g201099/tomcat/conf/web.xml'
org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /u/g201099/tomcat/webapps/ROOT has finished in 1,980 ms
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /u/g201099/tomcat/webapps/host-manager
org.apache.catalina.startup.ContextConfig.init ContextConfig: Initializing
org.apache.catalina.startup.ContextConfig.processContextConfig Processing context [/host-manager] configuration file [file:/u/g201099/tomcat/conf/context.xml]
org.apache.catalina.startup.ContextConfig.processContextConfig Successfully processed context [/host-manager] configuration file [file:/u/g201099/tomcat/conf/context.xml]
org.apache.catalina.startup.ContextConfig.processContextConfig Processing context [/host-manager] configuration file [file:/u/g201099/tomcat/webapps/host-manager/META-INF/context.xml]
org.apache.catalina.startup.ContextConfig.processContextConfig Successfully processed context [/host-manager] configuration file [file:/u/g201099/tomcat/webapps/host-manager/META-INF/context.xml]
org.apache.catalina.core.StandardContext.startInternal Starting host-manager
org.apache.catalina.core.StandardContext.startInternal Configuring default Resources
org.apache.catalina.core.StandardContext.startInternal Processing standard container startup
org.apache.catalina.core.StandardContext.setPublicId Setting deployment descriptor public ID to 'null'
org.apache.catalina.startup.ContextConfig.authenticatorConfig Configured an authenticator for method BASIC
org.apache.catalina.startup.ContextConfig.configureStart Pipeline Configuration:
org.apache.catalina.startup.ContextConfig.configureStart org.apache.catalina.authenticator.BasicAuthenticator
org.apache.catalina.startup.ContextConfig.configureStart org.apache.catalina.core.StandardContextValve
org.apache.catalina.startup.ContextConfig.configureStart ======================
org.apache.catalina.core.NamingContextListener.lifecycleEvent Bound StandardEngine[Catalina].StandardHost[localhost].StandardContext[/host-manager]
org.apache.catalina.core.NamingContextListener.createNamingContext Creating JNDI naming context
org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
org.apache.catalina.core.StandardContext.startInternal No manager found. Checking if cluster manager should be used. Cluster configured: [false], Application distributable: [false]
org.apache.catalina.core.StandardContext.startInternal Configured a manager of class [org.apache.catalina.session.StandardManager]
org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
org.apache.catalina.core.StandardContext.listenerStart Configuring application event listeners
org.apache.catalina.session.StandardManager.doLoad Start: Loading persisted sessions
org.apache.catalina.session.StandardManager.doLoad Loading persisted sessions from SESSIONS.ser
org.apache.catalina.session.StandardManager.doLoad No persisted data file found
org.apache.catalina.loader.WebappClassLoaderBase.loadClass loadClass(org.apache.jasper.servlet.JspServlet, false)
org.apache.catalina.loader.WebappClassLoaderBase.loadClass Delegating to parent classloader1 java.net.URLClassLoader@6663139b
org.apache.catalina.loader.WebappClassLoaderBase.loadClass Loading class from parent
org.apache.catalina.core.StandardContext.startInternal Starting completed
org.apache.catalina.startup.HostConfig.addWatchedResources Watching WatchedResource '/u/g201099/tomcat/webapps/host-manager/WEB-INF/web.xml'
org.apache.catalina.startup.HostConfig.addWatchedResources Watching WatchedResource '/u/g201099/tomcat/conf/web.xml'
org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /u/g201099/tomcat/webapps/host-manager has finished in 538 ms
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /u/g201099/tomcat/webapps/manager
org.apache.catalina.startup.ContextConfig.init ContextConfig: Initializing
org.apache.catalina.startup.ContextConfig.processContextConfig Processing context [/manager] configuration file [file:/u/g201099/tomcat/conf/context.xml]
org.apache.catalina.startup.ContextConfig.processContextConfig Successfully processed context [/manager] configuration file [file:/u/g201099/tomcat/conf/context.xml]
org.apache.catalina.startup.ContextConfig.processContextConfig Processing context [/manager] configuration file [file:/u/g201099/tomcat/webapps/manager/META-INF/context.xml]
org.apache.catalina.startup.ContextConfig.processContextConfig Successfully processed context [/manager] configuration file [file:/u/g201099/tomcat/webapps/manager/META-INF/context.xml]
org.apache.catalina.util.LifecycleBase.setStateInternal Setting state for [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/manager]] to [STARTING_PREP]
org.apache.catalina.core.StandardContext.startInternal Starting manager
org.apache.catalina.core.StandardContext.startInternal Configuring default Resources
org.apache.catalina.core.StandardContext.startInternal Processing standard container startup
org.apache.catalina.loader.WebappLoader.startInternal Starting this Loader
org.apache.catalina.core.StandardContext.setPublicId Setting deployment descriptor public ID to 'null'
org.apache.catalina.startup.ContextConfig.authenticatorConfig Configured an authenticator for method BASIC
org.apache.catalina.startup.ContextConfig.configureStart Pipeline Configuration:
org.apache.catalina.startup.ContextConfig.configureStart org.apache.catalina.authenticator.BasicAuthenticator
org.apache.catalina.startup.ContextConfig.configureStart org.apache.catalina.core.StandardContextValve
org.apache.catalina.startup.ContextConfig.configureStart ======================
org.apache.catalina.core.NamingContextListener.lifecycleEvent Bound StandardEngine[Catalina].StandardHost[localhost].StandardContext[/manager]
org.apache.catalina.core.NamingContextListener.createNamingContext Creating JNDI naming context
org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
org.apache.catalina.core.StandardContext.startInternal No manager found. Checking if cluster manager should be used. Cluster configured: [false], Application distributable: [false]
org.apache.catalina.core.StandardContext.startInternal Configured a manager of class [org.apache.catalina.session.StandardManager]
org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
org.apache.catalina.core.StandardContext.listenerStart Configuring application event listeners
org.apache.catalina.session.StandardManager.doLoad Start: Loading persisted sessions
org.apache.catalina.session.StandardManager.doLoad Loading persisted sessions from SESSIONS.ser
org.apache.catalina.session.StandardManager.doLoad No persisted data file found
org.apache.catalina.loader.WebappClassLoaderBase.loadClass loadClass(org.apache.jasper.servlet.JspServlet, false)
org.apache.catalina.loader.WebappClassLoaderBase.loadClass Delegating to parent classloader1 java.net.URLClassLoader@6663139b
org.apache.catalina.loader.WebappClassLoaderBase.loadClass Loading class from parent
org.apache.catalina.core.StandardContext.startInternal Starting completed
org.apache.catalina.startup.HostConfig.addWatchedResources Watching WatchedResource '/u/g201099/tomcat/webapps/manager/WEB-INF/web.xml'
org.apache.catalina.startup.HostConfig.addWatchedResources Watching WatchedResource '/u/g201099/tomcat/conf/web.xml'
org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /u/g201099/tomcat/webapps/manager has finished in 490 ms
org.apache.catalina.startup.EngineConfig.start EngineConfig: Processing START
org.apache.catalina.mapper.Mapper.addHost Registered host [localhost]
org.apache.catalina.mapper.MapperListener.registerContext Register Wrapper [default] in Context [] for service [StandardService[Catalina]]
org.apache.catalina.mapper.MapperListener.registerContext Register Wrapper [jsp] in Context [] for service [StandardService[Catalina]]
org.apache.catalina.mapper.MapperListener.registerContext Register Context [] for service [StandardService[Catalina]]
org.apache.catalina.mapper.MapperListener.registerContext Register Wrapper [default] in Context [/host-manager] for service [StandardService[Catalina]]
org.apache.catalina.mapper.MapperListener.registerContext Register Wrapper [jsp] in Context [/host-manager] for service [StandardService[Catalina]]
org.apache.catalina.mapper.MapperListener.registerContext Register Wrapper [HostManager] in Context [/host-manager] for service [StandardService[Catalina]]
org.apache.catalina.mapper.MapperListener.registerContext Register Wrapper [HTMLHostManager] in Context [/host-manager] for service [StandardService[Catalina]]
org.apache.catalina.mapper.MapperListener.registerContext Register Context [/host-manager] for service [StandardService[Catalina]]
org.apache.catalina.mapper.MapperListener.registerContext Register Wrapper [Status] in Context [/manager] for service [StandardService[Catalina]]
org.apache.catalina.mapper.MapperListener.registerContext Register Wrapper [default] in Context [/manager] for service [StandardService[Catalina]]
org.apache.catalina.mapper.MapperListener.registerContext Register Wrapper [jsp] in Context [/manager] for service [StandardService[Catalina]]
org.apache.catalina.mapper.MapperListener.registerContext Register Wrapper [JMXProxy] in Context [/manager] for service [StandardService[Catalina]]
org.apache.catalina.mapper.MapperListener.registerContext Register Wrapper [HTMLManager] in Context [/manager] for service [StandardService[Catalina]]
org.apache.catalina.mapper.MapperListener.registerContext Register Wrapper [Manager] in Context [/manager] for service [StandardService[Catalina]]
org.apache.catalina.mapper.MapperListener.registerContext Register Context [/manager] for service [StandardService[Catalina]]
org.apache.catalina.mapper.MapperListener.registerHost Register host [localhost] at domain [null] for service [StandardService[Catalina]]
org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler [https-jsse-nio2-31443]
org.apache.catalina.startup.Catalina.start Server startup in 3311 ms
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
org.apache.catalina.core.StandardWrapper.allocate Returning non-STM instance
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "admin" with realm "com.dovetail.zos.tomcat.SafRealm"
Failed to authenticate user: 'admin'. error message: EDC5143I No such process. errno=143 errno2=0x90c05dd JrNoUserID - No userid found.
org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate user "admin" with realm "com.dovetail.zos.tomcat.SafRealm"
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
org.apache.catalina.core.StandardWrapper.allocate Returning non-STM instance
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "G201017" with realm "com.dovetail.zos.tomcat.SafRealm"
org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate user "G201017" with realm "com.dovetail.zos.tomcat.SafRealm"
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
org.apache.catalina.core.StandardWrapper.allocate Returning non-STM instance
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "G201017" with realm "com.dovetail.zos.tomcat.SafRealm"
org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user "G201017" with realm "com.dovetail.zos.tomcat.SafRealm"
org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'G201017' with type 'BASIC'
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles SafPrincipal[G201017, Realm[SafRealm]]
org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: manager-gui
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test
org.apache.catalina.core.StandardWrapper.allocate Returning non-STM instance


Thanks

dovetail
Site Admin
Posts: 1910
Joined: Thu Jul 29, 2004 12:12 pm

Re: SAF authorization failure

Post by dovetail » Mon Sep 23, 2019 9:36 am

I don't think that you are really getting to the role checking, since it doesn't appear that you are able to authenticate the user (check userid/password) with SAF/RACF:

org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "G201017" with realm "com.dovetail.zos.tomcat.SafRealm"
org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate user "G201017" with realm "com.dovetail.zos.tomcat.SafRealm"
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

Jeanno78
Posts: 3
Joined: Thu Sep 12, 2019 3:06 am

Re: SAF authorization failure

Post by Jeanno78 » Tue Sep 24, 2019 2:40 am

This part of the log relates to an attempt I made to log into the manager webpage with an invalid password, to check/confirm that the link with SAF/RACF was working.
But if you look at the end of the joblog I sent, you will see another attempt, with the right password:

org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "G201017" with realm "com.dovetail.zos.tomcat.SafRealm"
org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user "G201017" with realm "com.dovetail.zos.tomcat.SafRealm"
org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'G201017' with type 'BASIC'
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles SafPrincipal[G201017, Realm[SafRealm]]
org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: manager-gui
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test

And this time, it's the accessControl() part that failed.

I don't understand why the manager-gui role can't be found, since it's defined in the SAFROLES member:

********************************* Top of Data **********************************
<?xml version='1.0' encoding='IBM-1047'?>
<!--
This XML fragment is included from $CATALINA_BASE/conf/saf-roles.xml.
If you are using the Tomcat "SafRoleDatabase", then this is where you
define your J2EE roles and how they map to SAF(RACF) entities.
It is not used at all with the default Tomcat "MemoryUserDatabase".
-->
<!-- The manager role is used by the Tomcat manager webapp -->
<role rolename="manager-gui"
safclass="FACILITY" safentity="BPX.SUPERUSER" saflevel="READ"/>
<role rolename="manager-script"
safclass="FACILITY" safentity="BPX.SUPERUSER" saflevel="READ"/>
<role rolename="manager-jmx"
safclass="FACILITY" safentity="BPX.SUPERUSER" saflevel="READ"/>
<role rolename="manager-status"
safclass="FACILITY" safentity="BPX.SUPERUSER" saflevel="READ"/>
******************************** Bottom of Data ********************************
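Added example, not part of the thread and not Dovetail's or Tomcat's code: the joblog above contains several login attempts, and the replies hinge on telling a failed `authenticate()` (bad userid or password) apart from a failed `accessControl()` (authenticated, but no matching role, hence the HTTP 403). The script below groups the Tomcat debug lines into attempts and labels each one; the sample input is taken from the posted log with the constraint-matching lines left out, and the outcome labels are names chosen for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Lines taken from the job output posted in the thread (abridged): four
# requests to /manager/html, in the order they appear in the joblog.
SAMPLE_LOG = '''\
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "admin" with realm "com.dovetail.zos.tomcat.SafRealm"
Failed to authenticate user: 'admin'. error message: EDC5143I No such process. errno=143 errno2=0x90c05dd JrNoUserID - No userid found.
org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate user "admin" with realm "com.dovetail.zos.tomcat.SafRealm"
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "G201017" with realm "com.dovetail.zos.tomcat.SafRealm"
org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate user "G201017" with realm "com.dovetail.zos.tomcat.SafRealm"
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "G201017" with realm "com.dovetail.zos.tomcat.SafRealm"
org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user "G201017" with realm "com.dovetail.zos.tomcat.SafRealm"
org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'G201017' with type 'BASIC'
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles SafPrincipal[G201017, Realm[SafRealm]]
org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: manager-gui
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test
'''

ATTEMPT = re.compile(r'CombinedRealm\.authenticate Attempting to authenticate user "([^"]+)"')
AUTH_OK = re.compile(r'CombinedRealm\.authenticate Authenticated user "([^"]+)"')
SAF_ERR = re.compile(r"Failed to authenticate user: '[^']*'\. error message: (.+)$")
NO_ROLE = re.compile(r"RealmBase\.hasResourcePermission No role found: (\S+)")


@dataclass
class Attempt:
    user: Optional[str] = None          # userid handed to the realm, if any
    authenticated: bool = False         # realm accepted userid/password
    missing_role: Optional[str] = None  # role named in "No role found"
    detail: Optional[str] = None        # SAF error text, when logged
    outcome: str = "incomplete"         # label assigned by classify()


def _finish(a: Attempt) -> Attempt:
    # No explicit failure line was seen before the next attempt or end of log.
    a.outcome = "passed" if a.authenticated else "incomplete"
    return a


def classify(lines: Iterable[str]) -> List[Attempt]:
    """Group debug lines into attempts, one per 'Calling authenticate()'."""
    done: List[Attempt] = []
    cur: Optional[Attempt] = None
    for raw in lines:
        line = raw.strip()
        if line.endswith("AuthenticatorBase.invoke Calling authenticate()"):
            if cur is not None:
                done.append(_finish(cur))
            cur = Attempt()
        elif cur is None:
            continue  # startup noise before the first request
        elif (m := ATTEMPT.search(line)):
            cur.user = m.group(1)
        elif (m := AUTH_OK.search(line)):
            cur.authenticated = True
        elif (m := SAF_ERR.match(line)):
            cur.detail = m.group(1)
        elif (m := NO_ROLE.search(line)):
            cur.missing_role = m.group(1)
        elif line.endswith("Failed authenticate() test"):
            # No realm attempt logged means no userid reached the realm.
            cur.outcome = "authentication_failed" if cur.user else "no_realm_attempt"
            done.append(cur)
            cur = None
        elif line.endswith("Failed accessControl() test"):
            cur.outcome = "authorization_failed"
            done.append(cur)
            cur = None
    if cur is not None:
        done.append(_finish(cur))
    return done


def authorization_failures(attempts: List[Attempt]) -> List[Tuple[str, str]]:
    """(user, role) pairs where the user authenticated but the role check failed."""
    return [(a.user, a.missing_role) for a in attempts
            if a.outcome == "authorization_failed" and a.authenticated]


if __name__ == "__main__":
    for n, a in enumerate(classify(SAMPLE_LOG.splitlines()), 1):
        print(n, a.outcome, a.user, a.missing_role or a.detail or "")
```
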
