ACF2 JWT Token configuration, getting IRRSIA00_Create error when using JWT token

Article ID: 240255


Products

ACF2 - z/OS

Issue/Introduction

Configuring JWT Tokens, when testing logins using JWT token, encountering this error:

00000180 com.ibm.ws.logging.internal.impl.IncidentImplI
FFDC1015I: An FFDC Incident has been created: "com.ibm.ws.security.saf.SAFException:
CWWKS2902E: SAF service IRRSIA00_CREATE did not succeed due to a parameter list error.
SAF return code 0x00000008. RACF return code 0x00000008. RACF reason code 0x00000004.
com.ibm.ws.security.credentials.saf.internal.SAFCredentialsServiceImpl 966" at ffdc_22.02.18_14.22.14.0.log

It seems to be related to a parameter list error. How can JWT token and IDMAP processing be verified to troubleshoot this? Would this parameter be in the source or the destination?

When using IDMAPDN(*), is there any way to capture the IDMAPDN that is being used for the login with the JWT token?

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

A dump from the initACEE call shows there is an IDID as input, not a JWT token. It may be that some application is accepting a JWT token, creating an IDID from the information in it, and passing the IDID rather than the JWT token.

For example, an IDMAP User Profile Record can be configured like this:

SET PROFILE(USER) DIVISION(IDMAP)
IDMAPDN(cn=User,o=Company,c=CC) IDMAPRN(https://host.xxx.xxx.xxx) IDLABEL(User for JWT)

When using IDMAPDN(*), a site can capture the IDMAPDN that is being used for the login with the JWT token using the ACFRPTOM report. When the distinguished name and registry name of the distributed user are passed in the IDID_area parameter of an initACEE call, the names are shown on the ACF2 ACFRPTOM report. Sample ACFRPTOM JCL follows:

//REPORT  EXEC PGM=ACFRPTOM                
//SYSPRINT DD SYSOUT=*    
//* RECMAN DDS SHOULD POINT TO SMF                
//RECMAN1  DD DISP=SHR,DSN=SYS1.MAN1       
//RECMAN2  DD DISP=SHR,DSN=SYS1.MAN2       
//RECMAN3  DD DISP=SHR,DSN=SYS1.MAN3       
//SYSIN    DD *                            
TITLE(ACFRPTOM)                            
DETAIL                                     
/*        

Note that for initACEE calls the GSO UNIXOPTS PROCESS|NOPROCESS controls whether to cut SMF records for UNIX system services including initACEE.

A TSO ACF SHOW UNIXOPTS command can be issued to check whether PROCESS_ACTIVE shows YES or NO. To change it from NO to YES and enable tracing of initACEE calls, the following can be done:

ACF
SET CONTROL(GSO)
CHANGE UNIXOPTS PROCESS
F ACF2,REFRESH(UNIXOPTS)

Turning on PROCESS in UNIXOPTS will provide the IDMAPDN that is being used for the login with the JWT token, as shown in the following output:

initACEE         CICSXXX  XXXGROUP       10253           1   0      0      0
04/14/22  22.104   13.29.28 CICSXXX           TEST     TEST              
Successful - Logging active by Trace/Audit options                         
 Function: Create    Attribute flags: 02000000                             
Userid: USER01    Applid: APPLXXXX                                    
 Password: NO   Passphrase: NO   Certificate: NO   ACEE Addr: YES          
 IDID User DN:                                                             
USER001                                                                
 IDID Registry Name:                                                        
 https://itest.az.gov.wep                                                  

initACEE         CICSXXX  XXXGROUP       10253           1   0      0      0
04/14/22  22.104   13.28.14 CICSXXX           TEST     TEST              
Successful - Logging active by Trace/Audit options                         
 Function: Create    Attribute flags: 02000000                             
Userid: USER001    Applid: APPLXXXX                                      
 Password: NO   Passphrase: NO   Certificate: NO   ACEE Addr: YES          
 IDID User DN:                                                             
 WEPYLEND                                                                  
 IDID Registry Name:                                                       
https://host.xxx.xxx.xxx
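As an added example (not part of the article, and not Broadcom or ACF2 code), the following Python script parses ACFRPTOM DETAIL output in the layout shown above, pulls the Userid, IDID User DN and IDID Registry Name out of each initACEE entry, and checks whether that DN/registry pair would be covered by a configured IDMAP record. The sample report embedded in the script is constructed from the hypothetical values shown above; the matching helper assumes an exact string comparison with IDMAPDN(*) treated as a match-anything wildcard, which is a simplification and does not model ACF2's own masking rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed sample: two initACEE entries modelled on the ACFRPTOM DETAIL
# output in the article (hypothetical userids, DNs and registry names).
SAMPLE_REPORT = """\
initACEE         CICSXXX  XXXGROUP       10253           1   0      0      0
04/14/22  22.104   13.29.28 CICSXXX           TEST     TEST
Successful - Logging active by Trace/Audit options
 Function: Create    Attribute flags: 02000000
Userid: USER01    Applid: APPLXXXX
 Password: NO   Passphrase: NO   Certificate: NO   ACEE Addr: YES
 IDID User DN:
USER001
 IDID Registry Name:
 https://itest.az.gov.wep

initACEE         CICSXXX  XXXGROUP       10253           1   0      0      0
04/14/22  22.104   13.28.14 CICSXXX           TEST     TEST
Successful - Logging active by Trace/Audit options
 Function: Create    Attribute flags: 02000000
Userid: USER001    Applid: APPLXXXX
 Password: NO   Passphrase: NO   Certificate: NO   ACEE Addr: YES
 IDID User DN:
 WEPYLEND
 IDID Registry Name:
https://host.xxx.xxx.xxx
"""


@dataclass
class InitAceeEvent:
    date: str
    time: str
    function: Optional[str] = None
    userid: Optional[str] = None
    applid: Optional[str] = None
    idid_user_dn: Optional[str] = None
    idid_registry: Optional[str] = None


_USERID_RE = re.compile(r"Userid:\s*(\S+)\s+Applid:\s*(\S+)")
_FUNCTION_RE = re.compile(r"Function:\s*(\S+)")


def _parse_entry(lines: List[str]) -> InitAceeEvent:
    # lines[0] is the "initACEE ..." header; lines[1] carries the date,
    # the Julian date and the time of the call.
    hdr = lines[1].split()
    event = InitAceeEvent(date=hdr[0], time=hdr[2])
    i = 2
    while i < len(lines):
        stripped = lines[i].strip()
        # The DN and registry name each appear on the line after their label.
        if stripped == "IDID User DN:" and i + 1 < len(lines):
            event.idid_user_dn = lines[i + 1].strip()
            i += 2
            continue
        if stripped == "IDID Registry Name:" and i + 1 < len(lines):
            event.idid_registry = lines[i + 1].strip()
            i += 2
            continue
        m = _USERID_RE.search(stripped)
        if m:
            event.userid, event.applid = m.group(1), m.group(2)
        m = _FUNCTION_RE.search(stripped)
        if m:
            event.function = m.group(1)
        i += 1
    return event


def parse_acfrptom(report: str) -> List[InitAceeEvent]:
    """Split a DETAIL report into initACEE entries and extract the IDID fields."""
    events: List[InitAceeEvent] = []
    current: List[str] = []
    for line in report.splitlines():
        if line.startswith("initACEE"):
            if current:
                events.append(_parse_entry(current))
            current = [line]
        elif current and line.strip():
            current.append(line)
    if current:
        events.append(_parse_entry(current))
    return events


# (IDMAPDN, IDMAPRN) pairs as keyed in USER profile IDMAP records.
IdmapRecord = Tuple[str, str]


def find_idmap_match(event: InitAceeEvent,
                     records: Sequence[IdmapRecord]) -> Optional[IdmapRecord]:
    """Return the first IDMAP record whose registry name equals the IDID
    registry and whose DN is '*' or equals the IDID user DN.
    Assumption: exact comparison, '*' as a wildcard; ACF2 masking is not modelled."""
    for dn, rn in records:
        if rn == event.idid_registry and (dn == "*" or dn == event.idid_user_dn):
            return (dn, rn)
    return None


if __name__ == "__main__":
    # Record from the article: IDMAPDN(cn=User,o=Company,c=CC) IDMAPRN(https://host.xxx.xxx.xxx)
    configured = [("cn=User,o=Company,c=CC", "https://host.xxx.xxx.xxx")]
    for ev in parse_acfrptom(SAMPLE_REPORT):
        hit = find_idmap_match(ev, configured)
        print(f"{ev.date} {ev.time} {ev.userid} DN={ev.idid_user_dn!r} "
              f"RN={ev.idid_registry!r} -> {'match ' + str(hit) if hit else 'no IDMAP match'}")
```

Running the script against the constructed report shows neither entry matching the article's example IDMAP record: the first has a different registry name, the second has the right registry but a DN that is not cn=User,o=Company,c=CC. Switching the record to IDMAPDN(*) makes the second entry match, which is the comparison a site would make when deciding whether the DN and registry the application actually passes line up with what is keyed in the IDMAP record.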