Tomcat v8.5 SAF error

Issues and Questions related to running Apache Tomcat on z/OS

Post by gngrossi » Fri Nov 15, 2019 2:12 pm

Getting 403 Access Denied when trying to access the Tomcat manager application using the SAF Realm.
Followed the documented steps in Section 4 in http://dovetail.com/docs/tomcat/tz-doc.pdf

From the Tomcat logs directory

- - [15/Nov/2019:12:03:37 -0600] "GET / HTTP/1.1" 200 7857
- - [15/Nov/2019:12:03:37 -0600] "GET /tomcat.gif HTTP/1.1" 200 2066
- - [15/Nov/2019:12:03:37 -0600] "GET /asf-logo-wide.gif HTTP/1.1" 200 5866
- - [15/Nov/2019:12:03:37 -0600] "GET /tomcat-power.gif HTTP/1.1" 200 2376
- - [15/Nov/2019:12:03:37 -0600] "GET /favicon.ico HTTP/1.1" 200 21630
- - [15/Nov/2019:12:03:42 -0600] "GET /manager/html HTTP/1.1" 401 2473
- XXXXXXXX [15/Nov/2019:12:03:55 -0600] "GET /manager/html HTTP/1.1" 403 3195


No messages in the z/OS job log or the system log.

I was able to see a RACF ICH408I invalid password message after testing with a bad password.

Running Tomcat as a batch job on z/OS v2.3 using Java8 64-bit.

RACF
PERMIT EJBROLE TCAT.DEV.MANAGER ID(XXXXXXXX) ACCESS(READ)

Tomcat SAFROLES

<!-- The manager role is used by the Tomcat manager webapp -->
<role rolename="admin-gui"
safclass="EJBROLE" safentity="TCAT.DEV.MANAGER" saflevel="READ"/>

<role rolename="admin-script"
safclass="EJBROLE" safentity="TCAT.DEV.MANAGER" saflevel="READ"/>

<role rolename="manager-gui"
safclass="EJBROLE" safentity="TCAT.DEV.MANAGER" saflevel="READ"/>

<role rolename="manager-script"
safclass="EJBROLE" safentity="TCAT.DEV.MANAGER" saflevel="READ"/>

<role rolename="manager-jmx"
safclass="EJBROLE" safentity="TCAT.DEV.MANAGER" saflevel="READ"/>

<role rolename="manager-status"
safclass="EJBROLE" safentity="TCAT.DEV.MANAGER" saflevel="READ"/>


Any suggestions?
Thanks.
