when attempting to generate a PassTicket via Zowe APIML, the generation failed with error
" ZWEAG141 The generation of the PassTicket failed. Please supply a valid user and application name, and check that corresponding permissions have been set up."

The error manifested only when the key used to generate the PassTicket was SSIGNON(KEYENCRYPTED(..)) or SSIGNON(EPTKEYLABEL(...)). It did not manifest when using SSIGNON(KEYMASKED(...))

Zowe APIML

It has been determined that Zowe APIML interaction with ICSF, specifically to the fact that KEYENCRYPTED and EPTKEYLABEL keys are maintained in ICSF datasets. The following error messages in z/OS SYSLOG:

CSV042I REQUESTED MODULE <module-name> NOT ACCESSED. THE MODULE IS NOT PROGRAM CONTROLLED                                                 

ICH422I THE ENVIRONMENT CANNOT BECOME UNCONTROLLED.

BPXP014I ENVIRONMENT MUST REMAIN CONTROLLED FOR SERVER (BPX.SERVER) PROCESSING.   

Note**The error messages are NOT RACF violations and do not reference neither the Zowe APIML started task for the Zowe User IDs... in other words, they are easily missed unless you are looking for them!

Define the CSF modules as controlled:

RALTER PROGRAM ADDMEM('SYS1.CSF.SCSFMODO'/'******'/NOPADCHK)
RALTER PROGRAM ADDMEM('SYS1.CSF.SCSFMOD1'/'******'/NOPADCHK)
RALTER PROGRAM ADDMEM('SYS1.CSF.SCSFSTUB'/'******'/NOPADCHK)
SETROPTS REFRESH WHEN (PROGRAM)

Zowe APIML performs a "checkPermission" for "FACILITY", "IRR.RAUDITX". It appears that checkPermission enables USS PROGRAM CONTROL which, together with the existence of "FACILITY BPX.SERVER" profile forces Zowe APIML to stay PROGRAM CONTROLLED at all the times.

When Zowe APIML tries to load modules that are not PROGRAM CONTROLELLED, USS stops the action and issues messages CSV042I, ICH422I, BPXP014I. The approach used to solve the issue was to define the CSF programs as PROGRAM CONTROLLED so that USS does not preventing the Loading.