When configuring JWT tokens and testing logins with a JWT token, the following error is encountered:
00000180 com.ibm.ws.logging.internal.
FFDC1015I: An FFDC Incident has been created: "com.ibm.ws.security.saf.
CWWKS2902E: SAF service IRRSIA00_CREATE did not succeed due to a parameter list error.
SAF return code 0x00000008. RACF return code 0x00000008. RACF reason code 0x00000004.
com.ibm.ws.security.
It seems to be related to a parameter list error. How can JWT token and IDMAP processing be verified to troubleshoot this? Would this parameter be in the source or the destination?
When using IDMAPDN(*), is there any way to capture the IDMAPDN that’s being used for the login with the JWT token?
Release : 16.0
Component : ACF2 for z/OS
A dump from the initACEE call shows there is an IDID as input, not a JWT token. It may be that some application is accepting a JWT token, creating an IDID from the information in it, and passing the IDID rather than the JWT token.
For example, to configure an IDMAP User Profile record like this:
When using IDMAPDN(*), a site can capture the IDMAPDN that’s being used for the login with the JWT token by using the ACFRPTOM report. When the distinguished name and registry name of the distributed user are passed in the IDID_area parameter of an initACEE call, the names are shown on the ACF2 ACFRPTOM report. Sample ACFRPTOM JCL follows:
//REPORT EXEC PGM=ACFRPTOM
//SYSPRINT DD SYSOUT=*
//* RECMAN DDS SHOULD POINT TO SMF
//RECMAN1 DD DISP=SHR,DSN=SYS1.MAN1
//RECMAN2 DD DISP=SHR,DSN=SYS1.MAN2
//RECMAN3 DD DISP=SHR,DSN=SYS1.MAN3
//SYSIN DD *
TITLE(ACFRPTOM)
DETAIL
/*
Note that for initACEE calls, the GSO UNIXOPTS PROCESS|NOPROCESS setting controls whether SMF records are cut for UNIX System Services calls, including initACEE.
A TSO ACF SHOW UNIXOPTS command can be issued to check whether it reports 'PROCESS_ACTIVE: YES' or 'PROCESS_ACTIVE: NO'. To change it from NO to YES, so that initACEE calls are traced, issue the following:
ACF
SET CONTROL(GSO)
CHANGE UNIXOPTS PROCESS
F ACF2,REFRESH(UNIXOPTS)
Turning on PROCESS in UNIXOPTS will provide the IDMAPDN that’s being used for the login with the JWT token, as shown in the following output:
initACEE CICSXXX XXXGROUP 10253 1 0 0 0
04/14/22 22.104 13.29.28 CICSXXX TEST TEST
Successful - Logging active by Trace/Audit options
Function: Create Attribute flags: 02000000
Userid: USER01 Applid: APPLXXXX
Password: NO Passphrase: NO Certificate: NO ACEE Addr: YES
IDID User DN:
USER001
IDID Registry Name:
https://itest.az.gov.wep
initACEE CICSXXX XXXGROUP 10253 1 0 0 0
04/14/22 22.104 13.28.14 CICSXXX TEST TEST
Successful - Logging active by Trace/Audit options
Function: Create Attribute flags: 02000000
Userid: USER001 Applid: APPLXXXX
Password: NO Passphrase: NO Certificate: NO ACEE Addr: YES
IDID User DN:
WEPYLEND
IDID Registry Name:
https://host.xxx.xxx.xxx
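To pull the IDID user DN and registry name out of a larger ACFRPTOM DETAIL listing (the pair an IDMAP record must match), the following added Python script parses the report format shown above. It is an example written for this article, not an ACF2-supplied tool; the embedded sample is the two records above, and the record layout it assumes is exactly the one printed there.

```python
import re

# Sample ACFRPTOM DETAIL output: the two initACEE records shown above.
SAMPLE = """\
initACEE CICSXXX XXXGROUP 10253 1 0 0 0
04/14/22 22.104 13.29.28 CICSXXX TEST TEST
Successful - Logging active by Trace/Audit options
Function: Create Attribute flags: 02000000
Userid: USER01 Applid: APPLXXXX
Password: NO Passphrase: NO Certificate: NO ACEE Addr: YES
IDID User DN:
USER001
IDID Registry Name:
https://itest.az.gov.wep
initACEE CICSXXX XXXGROUP 10253 1 0 0 0
04/14/22 22.104 13.28.14 CICSXXX TEST TEST
Successful - Logging active by Trace/Audit options
Function: Create Attribute flags: 02000000
Userid: USER001 Applid: APPLXXXX
Password: NO Passphrase: NO Certificate: NO ACEE Addr: YES
IDID User DN:
WEPYLEND
IDID Registry Name:
https://host.xxx.xxx.xxx
"""

def parse_acfrptom(text):
    """One dict per initACEE record: status, userid, applid, IDID user DN
    and IDID registry name (the pair an IDMAP record must match)."""
    records, cur, pending = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("initACEE "):
            cur = {"job": line.split()[1]}
            records.append(cur)
        elif cur is None:
            continue
        elif pending:                 # value line that follows an "IDID ...:" label
            cur[pending], pending = line, None
        elif line in ("IDID User DN:", "IDID Registry Name:"):
            pending = "user_dn" if line.startswith("IDID User") else "registry"
        elif line.startswith("Successful"):
            cur["status"] = line.split(" - ")[0]
        elif line.startswith("Userid:"):
            cur["userid"], cur["applid"] = re.findall(r":\s+(\S+)", line)
    return records

def idmap_pairs(text):
    """Distinct (user DN, registry name) pairs seen in the report."""
    return sorted({(r.get("user_dn"), r.get("registry")) for r in parse_acfrptom(text)})
```

Each pair returned by idmap_pairs is a distinguished name and registry that an IDMAP record (or IDMAPDN(*)) must cover for that login to map to a local logonid.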