search cancel

Enabling MFA in CSM results in java.lang.SecurityException: PassTicket generation error.

book

Article ID: 187365

calendar_today

Updated On:

Products

Mainframe Software Manager (Chorus Software Manager) CHORUS SOFTWARE MANAGER

Issue/Introduction

Caused by: java.lang.SecurityException: PassTicket generation error.

We made the changes to MSM and set up MFA for this task in RACF as per the instructions to configure MFA as noted below: 

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/traditional-management/ca-chorus-software-manager/6-1/administrating/configuring-ca-csm/configure-multi-factor-authentication.html

Then recycled the MSMTCSRV task after and was about to logon to MSM using my password and a MFA generated number but when I click on the SMP/E tab I got a failure. Attached is the error txt file that was generated

SecurityException  Additional Diagnostic Data:
A severe error has occurred on the server - SecurityException.
Please contact CA support.Exception Details=================
com.ca.mf20.errors.SystemError: SecurityException
Attached Diagnostic Text: A severe error has occurred on the server - SecurityException.Please contact CA support.
at com.ca.mf20.errors.BaseErrorFactory.getBaseErrorFor(BaseErrorFactory.java:166)
at com.ca.mf20.ui.msm.csi.server.api.AbstractCsiApi.logAndGetThrowable(AbstractCsiApi.java:81)
at com.ca.mf20.ui.msm.csi.server.api.CsiApi.getCsiList(CsiApi.java:241)
at com.ca.mf20.ui.msm.csi.server.CsiSrvcImpl.getCsiList(CsiSrvcImpl.java:205)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
at java.lang.reflect.Method.invoke(Method.java:620)
at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:561)
at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:265)
at com.ca.mf20.ui.foundation.server.servlet.MSMRemoteServiceServlet.processCall(MSMRemoteServiceServlet.java:120)
at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:305)
at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:647) at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.ca.mf20.ui.foundation.server.SecurityFilter.doFilter(SecurityFilter.java:83)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.ca.mf20.ui.foundation.server.GWTCacheControlFilter.doFilter(GWTCacheControlFilter.java:47)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1164)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:634)
at java.lang.Thread.run(Thread.java:809)Caused by: java.lang.SecurityException: PassTicket generation error.
at com.ca.mf20.zos.services.security.impl.AbstractSecurityManager.getUserCredentials(AbstractSecurityManager.java:380)
at com.ca.mf20.zos.services.security.impl.AbstractSecurityManager.getUserCredentials(AbstractSecurityManager.java:333)
at com.ca.mf20.zos.services.security.impl.ZOsSecurityManager.getUserCredentials(ZOsSecurityManager.java:549)
at com.ca.mf20.zos.services.security.impl.DefaultUserCredentialsService.getUserCredentials(DefaultUserCredentialsService.java:29)
at com.ca.mf20.zos.services.security.impl.DefaultUserCredentialsProvider.getUserCredentials(DefaultUserCredentialsProvider.java:55)
at com.ca.mf20.zos.api.security.executor.PrivilegedExecutorService.submitForCurrentUser(PrivilegedExecutorService.java:216)
at com.ca.mf20.zos.services.security.impl.ZOsSecurityManager.submitForCurrentUser(ZOsSecurityManager.java:245)
at com.ca.mf20.zos.services.security.impl.DefaultDoAsUserService.submitForCurrentUser(DefaultDoAsUserService.java:53)
at com.ca.mf20.sis.csiman.SmpeRepositoryManager.getRepositories(SmpeRepositoryManager.java:887)
at com.ca.mf20.sis.csiman.SmpeRepositoryManager.getRepositories(SmpeRepositoryManager.java:864)
at com.ca.mf20.sis.csiman.services.impl.csis.DefaultManagedCsisService.getAllValidCsis(DefaultManagedCsisService.java:63)
at com.ca.mf20.sis.csiman.services.impl.csis.DefaultManagedCsisService.getAllCsis(DefaultManagedCsisService.java:82)
at com.ca.mf20.ui.msm.csi.server.api.CsiApi.getCsiList(CsiApi.java:217) ... 33 moreCaused by: SafRc=8, racfRc=8 racfRsn=16
at com.ibm.eserver.zos.racf.IRRPassTicket.generate(IRRPassTicket.java:227)
at com.ca.mf20.zos.services.security.impl.SynchronizedPassTicketGenerationServiceImpl$PassTicketThread.run(SynchronizedPassTicketGenerationServiceImpl.java:47)

 

Environment

Release : 6.0

Component : CHORUS SOFTWARE MANAGER

Resolution

MFA requires passtickets.
 
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/traditional-management/ca-chorus-software-manager/6-1/administrating/configuring-ca-csm/configure-multi-factor-authentication.html
 This says:
Be sure to set up PassTickets before configuring Multi-Factor Authentication. Configure Multi-Factor Authentication for CA ACF2 for z/OS and CA Top Secret for z/OS.
 
Also refer to:
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.2.0/com.ibm.zos.v2r2.azfi100/azf_passticket_users.htm
 
The exception you are getting is:
Caused by: java.lang.SecurityException: PassTicket generation error.
 
When you are logging in it is trying to generate a passticket.
 
To simply use passwords or passphrases up to 63 characters with CSM just be sure CSM is at least at build 150 instead of using MFA.