z/OSMF error message CWWKS1100A: Authentication did not succeed for user ID U453280. An invalid user ID or password was specified with CA Top Secret

Article ID: 130510

Products

CA Top Secret
CA Top Secret - LDAP

Issue/Introduction

The following z/OSMF message is received after applying PI96930:

[AUDIT ] CWWKS1100A: Authentication did not succeed for user ID xxxxxxxx. An invalid user ID or password was specified.

Environment

Release:
Component: TSSMVS

Resolution

This IBM link explains that new functionality added by the APAR is what causes the problem.

IZUSVR needs to be given the PROFILE IZUSECAD so that it has the authorization to change ownership of the /global/zosmf/configuration/workflow/izu.provisioning.security.config.properties file.

The security violation occurs on the USS side rather than the z/OS side, so TSSOERPT needs to be run to get more details.

Try:

TSS ADD(IZUSVR) PROFILE(IZUSECAD)

This assumes that the Top Secret PROFILE has the same name as the RACF GROUP. Recycle the server per the link, which states the following:

********************************************************************************************************************

The Solution
- Connect IZUSVR to the IZUSECAD group
- Stop the server
- DELETE the existing /global/zosmf/configuration/workflow/izu.provisioning.security.config.properties file
- Restart the server and the properties file will get re-created with the correct ownership and permissions.

When the server restarts, it will change group ownership to IZUSECAD. Should IZUG202E and IYURM0041E error messages show up in the future, these should be investigated immediately. This could be a sign of potential malicious attempts to escalate user privileges. Ensure the content of the /global/zosmf/configuration/workflow/izu.provisioning.security.config.properties has not been changed to point to a security configuration REXX exec other than what the system security administrators have specified. Restore the ownership and permissions to the required values identified in the logged messages.

********************************************************************************************************************
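
The ownership, permission and content checks described above can be scripted from a USS shell. The following is an added example, not part of the original article or of any IBM or Broadcom deliverable. The function name check_props, the approved-copy location and the expected mode string are assumptions: pass the mode that the logged messages identify as required, and keep the approved copy where only security administrators can write.

```shell
#!/bin/sh
# Added example, not from the article. Assumptions: an approved copy of the
# properties file is kept where only security administrators can write, and
# the expected mode string is the one the logged messages say is required.

# check_props FILE EXPECTED_GROUP EXPECTED_MODE APPROVED_COPY
# Prints one finding per problem; returns 0 when clean, 1 otherwise.
check_props() {
    cp_file=$1 cp_group=$2 cp_mode=$3 cp_approved=$4
    cp_rc=0
    if [ ! -f "$cp_file" ]; then
        echo "MISSING $cp_file"
        return 1
    fi
    # ls -ld prints: mode links owner group ...; keep the 10 mode characters
    # and drop any ACL/extended-attribute marker that follows them.
    cp_attrs=$(ls -ld "$cp_file" | awk '{print substr($1, 1, 10) " " $4}')
    cp_have_mode=${cp_attrs% *}
    cp_have_group=${cp_attrs#* }
    if [ "$cp_have_group" != "$cp_group" ]; then
        echo "GROUP $cp_have_group (expected $cp_group)"
        cp_rc=1
    fi
    if [ "$cp_have_mode" != "$cp_mode" ]; then
        echo "MODE $cp_have_mode (expected $cp_mode)"
        cp_rc=1
    fi
    # Byte-for-byte comparison catches an edit that repoints the file at a
    # different security configuration REXX exec.
    if ! cmp -s "$cp_file" "$cp_approved"; then
        echo "CONTENT differs from approved copy $cp_approved"
        cp_rc=1
    fi
    return "$cp_rc"
}

# Run the check when called with the four arguments, e.g. from a scheduled job.
if [ "$#" -eq 4 ]; then
    check_props "$@"
fi
```

Called with the properties file path, IZUSECAD, the required mode string and the approved copy, a non-zero return code means the file needs the investigation the quoted text calls for.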