Cannot sign in to ZOWE with RACF Credentials

book

Article ID: 210767

calendar_today

Updated On:

Products

CA Brightside

Issue/Introduction

Installed ZOWE v1.18.0 (downloaded from Zowe.org) with Node.js v12.20.1.  enter ZOWE login screen using the following URL: 

https://nwrd.ipc.us.aexp.com:8543/ZLUX/plugins/org.zowe.zlux.bootstrap/web/index.html

The following errors appear in the job job: 

2021-03-03 21:47:41.375 <ZWED:66276> ZWESVUSR WARN (_zsf.proxy,proxy.js:121) 
ZWED0040W - Callservice: Service call failed.  
Error: connect ECONNREFUSED 127.0.0.1:8542
  at TCPConnectWrap.afterConnect Ýas oncomplete¨ (net.js:1150:16) {
errno: 'ECONNREFUSED',                                             
code: 'ECONNREFUSED',                                              
syscall: 'connect',                                                
address: '127.0.0.1',                                              
port: 8542                                                         

2021-03-03 21:47:41.379 <ZWED:83952370> ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:338) 
APIML login has failed:
2021-03-03 21:47:41.380 <ZWED:83952370> ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:339)  
Error: connect ECONNREFUSED 148.173.253.140:7554
  at TCPConnectWrap.afterConnect Ýas oncomplete¨ (net.js:1150:16) {
errno: 'ECONNREFUSED',                                             
code: 'ECONNREFUSED',                                              
syscall: 'connect',                                                
address: '148.173.253.140',                                        
port: 7554                                                         

2021-03-03 21:47:41.381 <ZWED:83952370> ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:264) 
APIML query error: connect ECONNREFUSED 148.173.253.140:7554
2021-03-03 21:47:41.383 <ZWED:83952370> ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:338) 
APIML login has failed:
2021-03-03 21:47:41.383 <ZWED:83952370> ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:339)  
Error: connect ECONNREFUSED 148.173.253.140:7554
  at TCPConnectWrap.afterConnect Ýas oncomplete¨ (net.js:1150:16) { 
errno: 'ECONNREFUSED',                                              
code: 'ECONNREFUSED',                                               
syscall: 'connect',                                                 
address: '148.173.253.140',                                         
port: 7554                                                          

2021-03-03 21:47:41.383 <ZWED:83952370> ZWESVUSR WARN (_zsf.auth,webauth.js:328)
 ZWED0003W - k0Soab5OUq5uUI0X12IfHnF5AF41aYm0: Session security call authenticate 
failed for auth handler org.zowe.zlux.auth.safsso. 
Plugin response: {"success":false,"reason":"Unknown","error":{"message":
"APIML connect ECONNREFUSED 148.173.253.140:7554"},"apiml":true,"zss":true,"sso":false,"canChangePassword":true}
EZZ2385I Access to Netstat -c denied - SAF RC is 00000008
EZZ2385I Access to Netstat -c denied - SAF RC is 00000008
EZZ2385I Access to Netstat -c denied - SAF RC is 00000008
EZZ2385I Access to Netstat -c denied - SAF RC is 00000008
EZZ2385I Access to Netstat -c denied - SAF RC is 00000008
FSUM7422 node is not found                               

 

Cause

In ZWESVUSR sysout, there are several hardware error: 

 2021-03-15 16:33:06.729 <ZWEADS1:main:33621965> ZWESVUSR ERROR (o.s.b.SpringApplication) Application run failed
 com.ibm.crypto.hdwrCCA.provider.JCECCARuntimeException: Hardware error from call CSNBOWH returnCode 8 reasonCode 16000

After reviewing the SYSLOG for the systems where we are running ZWESVSTC, found several RACF error messages related to ICSF and TCPIP: 

USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER
   EZB.NETSTAT.NWRD.TCPIP.CONN CL(SERVAUTH)
   INSUFFICIENT ACCESS AUTHORITY
   FROM EZB.NETSTAT.** (G)
   ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   ) 

ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER        
  EZB.NETSTAT.DIPN.TCPIP.CONN CL(SERVAUTH)                     
  INSUFFICIENT ACCESS AUTHORITY                                
  FROM EZB.NETSTAT.** (G)                                      
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )                                                                    

ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER
  CSFOWH CL(CSFSERV )                                  
  INSUFFICIENT ACCESS AUTHORITY                        
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )

ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER
  CSFIQF CL(CSFSERV )                                  
  INSUFFICIENT ACCESS AUTHORITY                        
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )      

ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER
  CSFRNGL CL(CSFSERV )                                 
  INSUFFICIENT ACCESS AUTHORITY                        
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )

 ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER      
   CSFEDH CL(CSFSERV )                                        
   WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED 
   ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   ) 

ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER         
  CSFPKI CL(CSFSERV )                                           
  WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED    
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )               

ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER       
  CSFPKG CL(CSFSERV )                                         
  WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED  

ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER      
  CSFDSG CL(CSFSERV )                                        
  WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED 
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )                  

ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER     
  CSFDSV CL(CSFSERV )                                       
  WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )           

ICH408I USER(ZWESVUSR) GROUP(ZWEADMIN) NAME(ZOWE SERVER      
  CSFEDH CL(CSFSERV )                                        
  WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED 
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )

Environment

Release : 3.0

Component : ZOWE 1.18

Resolution

RACF admin grant ZWESVUSR access rights for resources CSNBOWH and CSNBRNGL in the class CSFSERV, recycle the ZWESVSTC task . 

To access the ZLinux URL (ZOWE login screen) - user RACF ID must belong to IZUUSER (z/OS MF) group.