Running CA AAM successfully in one of our test environments but when we try to start it in another environment it immediately terminates.
Immediately after the task start the following is observed in sysout - "<***>RSA_REQUEST received in JNI... processing...<***>" ..
This happens even if thee is no MFA-segment on this user (or any user) and/or with all GSO factors disabled.
The userid that it tries to logon with is an external user connecting to DB2 distributed. (This may vary from site to site)
Problem occurs every time AAM task is started and since external users connect to DB2 at a high rate we always see the same problem.
Partial extract from from joblog and STDOUT.
13.18.31 STC04425 ---- MONDAY, xx nnG 20xx ----
13.18.31 STC04425 IEF695I START MFASTC WITH JOBNAME MFASTC IS ASSIGNED TO U
13.18.31 STC04425 $HASP373 MFASTC STARTED
13.18.31 STC04425 ACF9CCCD USERID MFASTC IS ASSIGNED TO THIS JOB - MFASTC
13.18.31 STC04425 --S-- MFASTC 19238 13.3086 sys1
13.18.31 STC04425 IEF403I MFASTC - STARTED - TIME=13.18.31
13.18.36 STC04425 MFA00100 MFA Initialization in progress
13.18.36 STC04425 MFA00500 WARNING: MFA Dispatching priority is less than 253.
13.18.36 STC04425 MFA00560 No CA PAM PIVCAC Factors are active
13.18.36 STC04425 MFA00560 No RADIUS Factors are active
13.18.36 STC04425 MFA00521 JVMNAME IS: JVMLDM86
13.18.40 STC04425 MFA00101 MFA Initialization Complete
13.18.42 STC04425 MFA00102 MFA Shutdown in progress
13.18.45 STC04425 MFA00103 MFA Shutdown is complete
13.18.45 STC04425 BPXM023I (MFASTC) 196
196 JVMDUMP039I Processing dump event "vmstop", detail "#ffffffff
196 at yyyy/mm/dd 13:18:45 - please wait.
13.18.46 STC04425 IEF404I MFASTC - ENDED - TIME=13.18.46
13.18.46 STC04425 $HASP395 MFASTC ENDED - RC=0255
12:18:38,938 |-INFO in ch.qos.logback.classic.LoggerContext[MFA] - Could NOT find resource [logback-test.xml]
12:18:38,938 |-INFO in ch.qos.logback.classic.LoggerContext[MFA] - Could NOT find resource [logback.groovy]
12:18:38,939 |-INFO in ch.qos.logback.classic.LoggerContext[MFA] - Found resource [logback.xml] at [file:/system/var/mfa/logback.xml
12:18:40,299 Entered 'message instanceof MFARequest'
12:18:40,300 Going into receive code
12:18:42,395 ThreadID:20<***>RSA_REQUEST received in JNI... processing...<***>
12:18:42,397 ThreadID:20 -- setting userName from JNI = 'XxXxXxX'
12:18:42,397 ThreadID:20 -- setting password from JNI; length = '100'...
12:18:42,398 return code for TOKEN_GET = 0
12:18:42,399 Entered MFAPutReqInfo(...) for RSA requests
12:18:42,402 Going into receive code
12:18:42,402 Entering MFADispatchActor Actor onReceive, message type: class com.ca.security.mfa.akka.messages.MFAPutReqIn
Release : 16.0
Component : CA ACF2 for z/OS / AAM
Verify if there is a match on a type SAF rule with a masked $KEY(********).
If the following is observed, It is finding the SAF rule because there is a masked entry in the
******** ******** SAF 39 EXT
Add CASECMFA to the CLASMAP definitions so it looks for a type CAS rule.
Verify a correct RSA rule is present to prevent anyone from being a RSA user.
Either have the following rule or no rule at all (remove any masked $KEY rule).
- UID(*) PREVENT
INSERT CLASMAP.CASECMFA ENTITYLN(39) RESOURCE(CASECMFA) RSRCTYPE(CAS)