CA AAM runs successfully in one of our test environments, but when we try to start it in another environment it immediately terminates.
Immediately after the task starts, the following is observed in SYSOUT: "<***>RSA_REQUEST received in JNI... processing...<***>"
This happens even if there is no MFA segment on this user (or any user) and/or with all GSO factors disabled.
The user ID it tries to log on with is an external user connecting to DB2 distributed. (This may vary from site to site.)
The problem occurs every time the AAM task is started, and since external users connect to DB2 at a high rate, we always see the same problem.
Partial extract from the joblog and STDOUT:
13.18.31 STC04425 ---- MONDAY, xx nnG 20xx ----
13.18.31 STC04425 IEF695I START MFASTC WITH JOBNAME MFASTC IS ASSIGNED TO U
13.18.31 STC04425 $HASP373 MFASTC STARTED
13.18.31 STC04425 ACF9CCCD USERID MFASTC IS ASSIGNED TO THIS JOB - MFASTC
13.18.31 STC04425 --S-- MFASTC 19238 13.3086 sys1
13.18.31 STC04425 IEF403I MFASTC - STARTED - TIME=13.18.31
13.18.36 STC04425 MFA00100 MFA Initialization in progress
13.18.36 STC04425 MFA00500 WARNING: MFA Dispatching priority is less than 253.
13.18.36 STC04425 MFA00560 No CA PAM PIVCAC Factors are active
13.18.36 STC04425 MFA00560 No RADIUS Factors are active
13.18.36 STC04425 MFA00521 JVMNAME IS: JVMLDM86
13.18.40 STC04425 MFA00101 MFA Initialization Complete
13.18.42 STC04425 MFA00102 MFA Shutdown in progress
13.18.45 STC04425 MFA00103 MFA Shutdown is complete
13.18.45 STC04425 BPXM023I (MFASTC) 196
196 JVMDUMP039I Processing dump event "vmstop", detail "#ffffffff
196 at yyyy/mm/dd 13:18:45 - please wait.
196
13.18.46 STC04425 IEF404I MFASTC - ENDED - TIME=13.18.46
13.18.46 STC04425 $HASP395 MFASTC ENDED - RC=0255
STDOUT:
12:18:38,938 |-INFO in ch.qos.logback.classic.LoggerContext[MFA] - Could NOT find resource [logback-test.xml]
12:18:38,938 |-INFO in ch.qos.logback.classic.LoggerContext[MFA] - Could NOT find resource [logback.groovy]
12:18:38,939 |-INFO in ch.qos.logback.classic.LoggerContext[MFA] - Found resource [logback.xml] at [file:/system/var/mfa/logback.xml]
12:18:40,299 Entered 'message instanceof MFARequest'
12:18:40,300 Going into receive code
12:18:42,395 ThreadID:20<***>RSA_REQUEST received in JNI... processing...<***>
12:18:42,397 ThreadID:20 -- setting userName from JNI = 'XxXxXxX'
[
'...
12:18:42,397 ThreadID:20 -- setting password from JNI; length = '100'...
dataItems:com.ca.security.mfa.jni.service.MfaServiceDataItems@a2bb1d0
12:18:42,398 return code for TOKEN_GET = 0
12:18:42,399 Entered MFAPutReqInfo(...) for RSA requests
12:18:42,402 Going into receive code
12:18:42,402 Entering MFADispatchActor Actor onReceive, message type: class com.ca.security.mfa.akka.messages.MFAPutReqIn
Release : 16.0
Component : CA ACF2 for z/OS / AAM
Verify whether there is a match on a type SAF rule with a masked $KEY(********).
If the following is observed, it is finding the SAF rule because there is a masked entry in the
CLASMAP:
******** ******** SAF 39 EXT
Add CASECMFA to the CLASMAP definitions so that it looks for a type CAS rule.
Verify that a correct RSA rule is present to prevent anyone from being an RSA user.
Either have the following rule or no rule at all (remove any masked $KEY rule):
$KEY(RSA) TYPE(CAS)
- UID(*) PREVENT
Add the CLASMAP record:
SET CONTROL(GSO)
INSERT CLASMAP.CASECMFA ENTITYLN(39) RESOURCE(CASECMFA) RSRCTYPE(CAS)
F ACF2,REFRESH(CLASMAP)
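As an added illustration (not from this article and not CA/Broadcom code), the following Python models the CLASMAP lookup described above: with only the masked $KEY(********) record present, CASECMFA resolves to type SAF rules, and inserting the explicit CASECMFA record makes it resolve to type CAS. The ACF2 mask semantics and the "most specific record wins" precedence are assumptions of this simplified model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ClasmapEntry:
    key: str       # $KEY: SAF class name, may be masked with '*' or '-'
    resource: str  # RESOURCE(): ACF2 resource name
    rsrctype: str  # RSRCTYPE(): rule type searched (SAF, CAS, ...)
    entityln: int  # ENTITYLN(): entity name length

# Constructed records mirroring the article: only the masked catch-all exists
# before the fix; the explicit CASECMFA record is what the fix inserts.
CLASMAP_BEFORE = [ClasmapEntry("********", "********", "SAF", 39)]
CLASMAP_AFTER = CLASMAP_BEFORE + [ClasmapEntry("CASECMFA", "CASECMFA", "CAS", 39)]

def acf2_mask_match(mask, name):
    """ASSUMPTION (simplified ACF2 masking): '*' matches any one character
    (including a blank pad), '-' matches the rest of the name, and names
    shorter than the mask are blank padded."""
    name = name.ljust(len(mask))
    for m, c in zip(mask, name):
        if m == "-":
            return True
        if m != "*" and m != c:
            return False
    return len(name) == len(mask)

def matching_entry(clasmap, saf_class):
    """ASSUMPTION: the matching record with the fewest mask characters wins."""
    hits = [e for e in clasmap if acf2_mask_match(e.key, saf_class)]
    if not hits:
        return None
    return min(hits, key=lambda e: e.key.count("*") + 8 * e.key.count("-"))

def resolve_rsrctype(clasmap, saf_class):
    """Rule type ACF2 would search for saf_class, or None when no record matches."""
    entry = matching_entry(clasmap, saf_class)
    return entry.rsrctype if entry else None

def audit_clasmap(clasmap, saf_class="CASECMFA", expected="CAS"):
    """Explain why saf_class does not land on the expected rule type."""
    entry = matching_entry(clasmap, saf_class)
    if entry is None:
        return [f"{saf_class}: no CLASMAP record matches"]
    if "*" in entry.key or "-" in entry.key:
        return [f"{saf_class}: only masked record $KEY({entry.key}) matches; "
                f"rules are searched as type {entry.rsrctype}, not {expected}"]
    if entry.rsrctype != expected:
        return [f"{saf_class}: explicit record maps to {entry.rsrctype}, not {expected}"]
    return []

if __name__ == "__main__":
    for label, cm in (("before", CLASMAP_BEFORE), ("after", CLASMAP_AFTER)):
        print(label, resolve_rsrctype(cm, "CASECMFA"), audit_clasmap(cm))
```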