Cannot sign in to ZOWE with RACF Credentials
Article ID: 210767
Updated On:
Products
Issue/Introduction
Installed ZOWE v1.18.0 (downloaded from Zowe.org) with Node.js v12.20.1. enter ZOWE login screen using the following URL:
https://host:port/ZLUX/plugins/org.zowe.zlux.bootstrap/web/index.html
The following errors appear in the job job:
2021-03-03 21:47:41.375 <ZWED:66276> ZWESVUSR WARN (_zsf.proxy,proxy.js:121)
ZWED0040W - Callservice: Service call failed.
Error: connect ECONNREFUSED XXX.X.X.X:XXX
at TCPConnectWrap.afterConnect Ýas oncomplete¨ (net.js:1150:16) {
errno: 'ECONNREFUSED',
code: 'ECONNREFUSED',
syscall: 'connect',
address: 'XXX.X.X.X',
port: XXXX
2021-03-03 21:47:41.379 <ZWED:83952370> ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:338)
APIML login has failed:
2021-03-03 21:47:41.380 <ZWED:83952370> ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:339)
Error: connect ECONNREFUSED host:port
at TCPConnectWrap.afterConnect Ýas oncomplete¨ (net.js:1150:16) {
errno: 'ECONNREFUSED',
code: 'ECONNREFUSED',
syscall: 'connect',
address: 'host',
port: 'port'
2021-03-03 21:47:41.381 <ZWED:83952370> ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:264)
APIML query error: connect ECONNREFUSED XXX.XX.XXX:XXXX
2021-03-03 21:47:41.383 <ZWED:83952370> ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:338)
APIML login has failed:
2021-03-03 21:47:41.383 <ZWED:83952370> ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:339)
Error: connect ECONNREFUSED XXX.XX.XXX:XXX
at TCPConnectWrap.afterConnect Ýas oncomplete¨ (net.js:1150:16) {
errno: 'ECONNREFUSED',
code: 'ECONNREFUSED',
syscall: 'connect',
address: 'XXXX',
port: XXX
2021-03-03 21:47:41.383 <ZWED:83952370> ZWESVUSR WARN (_zsf.auth,webauth.js:328)
ZWED0003W - k#Soab#OUq#uUI0X##IfHnF#AF4#aYm#: Session security call authenticate
failed for auth handler org.zowe.zlux.auth.safsso.
Plugin response: {"success":false,"reason":"Unknown","error":{"message":
"APIML connect ECONNREFUSED host:port"},"apiml":true,"zss":true,"sso":false,"canChangePassword":true}
EZZ2385I Access to Netstat -c denied - SAF RC is 00000008
EZZ2385I Access to Netstat -c denied - SAF RC is 00000008
EZZ2385I Access to Netstat -c denied - SAF RC is 00000008
EZZ2385I Access to Netstat -c denied - SAF RC is 00000008
EZZ2385I Access to Netstat -c denied - SAF RC is 00000008
FSUM7422 node is not found
Environment
Release : 3.0
Component : ZOWE 1.18
Cause
In ZWESVUSR SYSOUT, there are several hardware error:
2021-03-15 16:33:06.729 <ZWEADS1:main:33621965> ZWESVUSR ERROR (o.s.b.SpringApplication) Application run failed
com.ibm.crypto.hdwrCCA.provider.JCECCARuntimeException: Hardware error from call CSNBOWH returnCode 8 reasonCode 16000
After reviewing the SYSLOG for the systems where we are running ZWESVSTC, found several RACF error messages related to ICSF and TCPIP:
USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER
EZB.NETSTAT.XXXX.TCPIP.CONN CL(SERVAUTH)
INSUFFICIENT ACCESS AUTHORITY
FROM EZB.NETSTAT.** (G)
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER
EZB.NETSTAT.XXXX.TCPIP.CONN CL(SERVAUTH)
INSUFFICIENT ACCESS AUTHORITY
FROM EZB.NETSTAT.** (G)
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER
CSFOWH CL(CSFSERV )
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER
CSFIQF CL(CSFSERV )
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER
CSFRNGL CL(CSFSERV )
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER
CSFEDH CL(CSFSERV )
WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER
CSFPKI CL(CSFSERV )
WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER
CSFPKG CL(CSFSERV )
WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER
CSFDSG CL(CSFSERV )
WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER
CSFDSV CL(CSFSERV )
WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER
CSFEDH CL(CSFSERV )
WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
Resolution
RACF admin grant ZWESVUSR access rights for resources CSNBOWH and CSNBRNGL in the class CSFSERV, recycle the ZWESVSTC task .
To access the ZLinux URL (ZOWE login screen) - user RACF ID must belong to IZUUSER (z/OS MF) group.
Feedback
