search cancel

ACF2 JWT Token configuration, getting IRRSIA00_Create error when using JWT token

book

Article ID: 240255

calendar_today

Updated On:

Products

ACF2 - z/OS

Issue/Introduction

Configuring JWT Tokens, when testing logins using JWT token, encountering this error:

00000180 com.ibm.ws.logging.internal.impl.IncidentImpl                I FFDC1015I: An FFDC Incident has been created: "com.ibm.ws.security.saf.SAFException: CWWKS2902E: SAF service IRRSIA00_CREATE did not succeed due to a parameter list error. SAF return code 0x00000008. RACF return code 0x00000008. RACF reason code 0x00000004. com.ibm.ws.security.credentials.saf.internal.SAFCredentialsServiceImpl 966" at ffdc_22.02.18_14.22.14.0.log

It seems to be related to a parameter list error, how to verify JWT Token and IDMAP processing to troubleshoot this? Would this parameter be in the source or the destination?

When using IDMAPDN(*), is there is any way to capture the IDMAPDN that’s being captured for the login with JWT token?


Thank you.

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

A dump from the initACEE call shows there is an IDID as input not a JWT token. It may be that some application is accepting a JWT token and creating an IDID from the information and passing the IDID rather than the JWT token.

For example to configure an IDMAP User Profile Record record like this:

SET PROFILE(USER) DIVISION(IDMAP)
IDMAPDN(CPFAAWKT) IDMAPRN(https://itest.az.gov.wep) IDLABEL(User for JWT)

When using the IDMAPDN(*), a site can capture the IDMAPDN that’s being for the login with JWT token using the ACFRPTOM report. When the distinguished name and registry name of the distributed user are passed in the IDID_area parameter of an initACEE call, the names are shown on the ACF2 ACFRPTOM report. Sample ACFRPTOM JCL follows:

//REPORT  EXEC PGM=ACFRPTOM                
//SYSPRINT DD SYSOUT=*    
//* RECMAN DDS SHOULD POINT TO SMF                
//RECMAN1  DD DISP=SHR,DSN=SYS1.MAN1       
//RECMAN2  DD DISP=SHR,DSN=SYS1.MAN2       
//RECMAN3  DD DISP=SHR,DSN=SYS1.MAN3       
//SYSIN    DD *                            
TITLE(ACFRPTOM)                            
DETAIL                                     
/*        

Note that for initACEE calls the GSO UNIXOPTS PROCESS|NOPROCESS controls whether to cut SMF records for UNIX system services including initACEE.

A TSO, ACF, SHOW UNIXOPTS can be done to check to see if 'PROCESS_ACTIVE: YES|NO. To change from NO to YES the following can be done to trace initACEE tracing:

ACF
SET CONTROL(GSO)
CHANGE UNIXOPTS PROCESS
F ACF2,REFRESH(UNIXOPTS)

Turning on the PROCESS in UNIXOPTS will provide IDMAPDN that’s being for the login with JWT token as shown in the following output:

initACEE         CICS123  TSTGROUP       10253           1   0      0      0
04/14/22  22.104   13.29.28 CICS123           CPFT     CPFT                
Successful - Logging active by Trace/Audit options                         
 Function: Create    Attribute flags: 02000000                             
 Userid: DDB11XYZ    Applid: AAFZDFTT                                      
 Password: NO   Passphrase: NO   Certificate: NO   ACEE Addr: YES          
 IDID User DN:                                                             
 WEPYLEND                                                                  
 IDID Registry Name:                                                        
 https://itest.az.gov.wep                                                  

initACEE         CICS123  TSTGROUP       10253           1   0      0      0
04/14/22  22.104   13.28.14 CICS123           CPFT     CPFT                
Successful - Logging active by Trace/Audit options                         
 Function: Create    Attribute flags: 02000000                             
 Userid: DDB11XYZ    Applid: AAFZDFTT                                       
 Password: NO   Passphrase: NO   Certificate: NO   ACEE Addr: YES          
 IDID User DN:                                                             
 WEPYLEND                                                                  
 IDID Registry Name:                                                       
 https://itest.az.gov.wep