EJBROLES are not being validated with z/OS Connect using ACF2

Article ID: 107853

Updated On:

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

We are configuring security for z/OS Connect with SAF registries. Included in that are EJBROLES.

EJBROLES are not being validated. The rules that have been written don't seem to work. The z/OS Connect trace shows errors.

3:00] 00000053 id=xxxxxx ibm.ws.security.authorization.saf.internal.SAFRoleMapperImpl < getProfileFromRole Exit 
BAQDEV01.zos.connect.access.roles.zosConnectAccess 
[7/19/18 19:16:59:796 GMT-03:00] 00000053 id=0a2b8be7 urity.authorization.saf.internal.SAFAuthorizationServiceImpl > checkAccess Entry 
SAFCredentialImpl@b828c87e:xxxxxxx:ASSERTED:xxxxxxx
[B@fb68dad5,len=8 

03:00] 00000053 id=c399b451 .ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl < isUserInRole Exit 
false 
[7/19/18 19:16:59:868 GMT-03:00] 00000053 id=c399b451 .ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl < isUserInRole Exit 

Environment

Release:
Component: ACF2MS

Resolution

EJBROLES use the RACROUTE FASTAUTH call.  In ACF2, rules for FASTAUTH calls must be in a globally resident directory.
 
SET CONTROL(GSO) 
CHANGE INFODIR TYPES(R-REJB)
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(EJB)
 
This will load the rules into resident storage, as will any IPL.