z/OS Connect Certificate signon gets: ACF01097/Request failed authentication 401

book

Article ID: 196863

calendar_today

Updated On:

Products

CA ACF2

Issue/Introduction

Using a certificate to signon onto z/OS Connect with an ACF2 CERTMAP record gets the following errors:

InBound STATUS: Appl Control RULE: ATTLS_ZEE-Server 5 ACTIONS: gAct5 eAct5 ZEE-Server cAct5 ZEE-Server

ACF01097 NO USERID SPECIFIED ON SYSTEM ENTRY VALIDATION REQUEST

Request failed authentication ... 401

Resolution

The signon failure with a certificate can fail if theACF2 GSO CERTMAP certificate mapping record does not match the certificate.
Note the following sentence in the ACF2 documentation under IDNFILTR:

"If IDNFILTR is specified and only a portion of the issuer's name is used as the filter, SDNFILTR must not be specified."

If you set up a CERTMAP record with both IDNFILTR and SDNFILTR, you must specify the complete IDN in the IDNFILTR field. This is consistent with the RACF mapping of certificates. Here is a snippet from the RACF Security Administrator's Guide explaining how the mapping is done. Note that all supported mappings with both IDN and SDN require the complete IDN:

The following values are used in sequence to search for a matching certificate name filter:

1. subject's-full-name.issuer's-full-name
2. subject's-partial-name.issuer's-full-name
3. subject's-full-name
4. subject's-partial-name
5. issuer's-full-name
6. issuer's-partial-name

As soon as a matching certificate name filter is found, the user ID associated with the filter is used to
identify the user of the certificate. Note that searching is not done for the following values:

subject's-full-name.issuer's-partial-name
subject's-partial-name.issuer's-partial-name

Additional Information

For details on the ACF2 GSO CERTMAP record see section: "Certificate Name Filtering Options (CERTMAP)" in the ACF2 documentation.