MFA login works the first time then no other users can sign on with MFA Web Viewer 14.0


Article ID: 248320


Products

Output Management Web Viewer

Issue/Introduction

MFA works the first time: one user signs on and gets into reports, but after that no other users can sign on with MFA. Seen with RACF; also happens with ACF2.

Environment

Release : 14.0

Component : Output Management Web Viewer

RACF

ACF2

TSS

Cause

The MFA logon is being rejected because the user does not have access to RCAS RSA.OMVSAPPL.

OMVSAPPL is the applid associated with the call to check the user's credentials.  Web Viewer does not set the applid so it relies on the system default.  According to the IBM documentation, the system default depends on whether a security environment has been created:

- If a security environment has not yet been created the applid defaults to null.

- Once a security environment has been created the applid defaults to OMVSAPPL.

In Web Viewer, the security environment for the user is created when a repository is selected.  So for Web Viewer when the task is started:

- If no user has selected a repository yet the applid is null.

- Once any user has selected a repository the applid is OMVSAPPL.

Your rules allow the null applid and reject the OMVSAPPL applid.  Thus, you are able to use MFA until any user has selected a repository and the applid becomes OMVSAPPL. 

While it's possible to update the security rules to allow OMVSAPPL, doing so also affects any other product that also uses (or defaults to) OMVSAPPL as the applid.

Resolution

Web Viewer has been enhanced to allow a site specified applid.  

The PTF for a configurable Applid in Web Viewer has been published as LU06974.

See the online documentation at Support for a Configurable APPLID - PTF LU06974

The specified applid will be used for the following calls:

- Credential validation

- Change password

- Create security environment

As these are SAF calls, the applid will be set regardless of which ESM you are using – ACF2, Top Secret or RACF.

With this change the applid will no longer be dependent on whether or not a security environment has been created – it will always be the specified applid.

If not specified, the applid will default to OMVSAPPL for compatibility with Web Viewer r14.0 as it is today.

------------------------------------------------------------------------------------------------------------

Note that the fix includes updates to both the CVDELOAD load library and the web-viewer.war file.  The updated CVDELOAD load library must be used by your application server at the same time the updated web-viewer.war/web-viewer.ear file is deployed to your application server.  See the holddata in the test fix.

With the test fix applied you will now be able to set the APPLID used by Web Viewer r14 for the following SAF security calls:

- Validating the user supplied credentials.

- User requested change password.

- Creating a security environment for the user.

The APPLID can be configured by setting the WV_SECURITY_MAINFRAME_APPLID environment variable in the environment context of the application server. If not specified, the APPLID will default to OMVSAPPL for compatibility with Web Viewer r14 prior to this enhancement.

As you have security rules in your environment to prevent the use of MFA for OMVSAPPL you will need to set the WV_SECURITY_MAINFRAME_APPLID environment variable to use an APPLID that is appropriate for your environment.

For CCS Tomcat, you can set the WV_SECURITY_MAINFRAME_APPLID environment variable by updating the STDENV DD in your CCS Tomcat started task.  For example, to set an APPLID of WEBVWR add the following to your STDENV DD:

export WV_SECURITY_MAINFRAME_APPLID="WEBVWR"
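As an added illustration of this configuration (not Broadcom's code), the following POSIX shell script reads STDENV-style content and reports which APPLID Web Viewer r14 with PTF LU06974 will pass on its SAF calls: the exported WV_SECURITY_MAINFRAME_APPLID value, or the documented default OMVSAPPL when it is absent. The STDENV samples are constructed, and the 1-8 character APPLID syntax check is an assumption about ESM naming rules rather than something this article states.

```shell
#!/bin/sh
# Added example, not Broadcom's code: read CCS Tomcat STDENV content and report
# the APPLID Web Viewer r14 (with PTF LU06974) will pass on its SAF calls.
# Both STDENV samples below are constructed for this demonstration.
STDENV_WITH_APPLID='# CCS Tomcat environment (constructed sample)
export JAVA_HOME="/usr/lpp/java/current"
# export WV_SECURITY_MAINFRAME_APPLID="OLDAPPL"   commented out: must be ignored
export WV_SECURITY_MAINFRAME_APPLID="WEBVWR"'

STDENV_WITHOUT_APPLID='# CCS Tomcat environment (constructed sample)
export JAVA_HOME="/usr/lpp/java/current"'

# effective_applid "<stdenv text>": print the exported WV_SECURITY_MAINFRAME_APPLID
# value, or the documented default OMVSAPPL when the variable is not set.
effective_applid() {
    applid=""
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}            # strip leading blanks
        case "$line" in
            '#'*) continue ;;                             # skip comment lines
            export*WV_SECURITY_MAINFRAME_APPLID=*)
                applid=${line#*WV_SECURITY_MAINFRAME_APPLID=}
                applid=${applid%%[[:space:]]*}           # drop trailing text
                applid=${applid#\"}; applid=${applid%\"}  # strip quotes
                ;;
        esac
    done <<EOF
$1
EOF
    printf '%s\n' "${applid:-OMVSAPPL}"
}

# valid_applid "<name>": succeed if the name fits a 1-8 character APPLID made of
# uppercase letters, digits, @ # $. This syntax rule is an assumption about your
# ESM's naming conventions, not something the article states.
valid_applid() {
    [ -n "$1" ] && [ "${#1}" -le 8 ] || return 1
    case "$1" in
        *[!A-Z0-9@#\$]*) return 1 ;;
    esac
    return 0
}

main() {
    for env in "$STDENV_WITH_APPLID" "$STDENV_WITHOUT_APPLID"; do
        applid=$(effective_applid "$env")
        if valid_applid "$applid"; then
            echo "Web Viewer SAF calls will use APPLID $applid"
        else
            echo "WARNING: '$applid' is not a valid APPLID" >&2
        fi
    done
}
main
```

Running the script against your real STDENV member before restarting the started task shows whether the APPLID your security rules permit for MFA is actually the one Web Viewer will present.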