EJBROLES are not being validated with z/OS Connect using ACF2

Article Id: 107853

Status: Published

Updated On: 25-07-2018 11:41

Products:

CA ACF2 , CA ACF2 - DB2 Option , CA ACF2 for zVM , CA ACF2 - z/OS , CA ACF2 - MISC

Issue/Introduction:

We are configuring security for Z/OS Connect with SAF registries. Included in that are EJBROLES

EJBROLES not being validated. The rules have been written that don't seem to work. The z/OS Connect trace shows errors.

3:00] 00000053 id=dc0f1dbc ibm.ws.security.authorization.saf.internal.SAFRoleMapperImpl < getProfileFromRole Exit
BAQDEV01.zos.connect.access.roles.zosConnectAccess
[7/19/18 19:16:59:796 GMT-03:00] 00000053 id=0a2b8be7 urity.authorization.saf.internal.SAFAuthorizationServiceImpl > checkAccess Entry
[email protected]:LXXL18:ASSERTED:LXXL18
[[email protected],len=8
|0000| C5D1C2D9 D6D3C500

03:00] 00000053 id=c399b451 .ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl < isUserInRole Exit
false
[7/19/18 19:16:59:868 GMT-03:00] 00000053 id=c399b451 .ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl < isUserInRole Exit

Environment:

Release:
Component: ACF2MS

Resolution:

EJBROLES use the RACROUTE FASTAUTH call. In ACF2, rules for FASTAUTH calls must be in a globally resident directory.

SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-REJB)
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(EJB)

This will load the rules into resident storage, as will any IPL.