Troubleshooting Zowe API ML 401 Error with z/OSMF Swagger Interface
search cancel

Troubleshooting Zowe API ML 401 Error with z/OSMF Swagger Interface

book

Article ID: 435338

calendar_today

Updated On:

Products

Zowe

Issue/Introduction

When attempting to execute a z/OS Management Facility (z/OSMF) API call via the Zowe API Mediation Layer (ML) Swagger interface, the request fails with a 401 Unauthorized error.

Symptoms

  • The API response contains: x-zowe-auth-failure: Unable to obtain a token from z/OSMF service.
  • The error occurs even if the user can successfully log on to the API ML UI.
  • System logs may show ICH408I violation messages indicating an invalid password or authentication failure when Zowe attempts to generate a PassTicket for the target user.

Environment

  • Zowe Version: v3.4 (monolith mode)
  • Authentication Type: SAF
  • Security Manager: RACF or compatible External Security Manager (ESM)

Cause

This issue typically occurs when Zowe is configured to use SAF as the authentication provider but the environment is not correctly set up to generate PassTickets for z/OSMF. In this mode, Zowe must use a PassTicket to authenticate to the z/OSMF instance on behalf of the user.

Common causes include:

  • The ZOSMF APPLID (default is IZUDFLT) PassTicket profile is not defined in the PTKTDATA class.
  • The Zowe started task ID does not have the required permissions to generate PassTickets for the z/OSMF application.
  • The zowe.yaml configuration points to an incorrect z/OSMF application ID (applid).

Resolution

1. Define PTKTDATA Profile

Ensure that the ZOSMF APPLID  profile is defined in the PTKTDATA class to allow PassTicket generation for z/OSMF.

2. Grant Zowe Permissions

Permit the Zowe started task ID (e.g., ZWESVUSRUPDATE access to the PassTicket profile used by z/OSMF.

3. Update Zowe Configuration

Verify that the zowe.yaml file correctly identifies the z/OSMF host, port, and application ID. The applId should typically match the profile name defined in Step 1.

zOSMF: host: [your.zosmf.host] port: [your_port] applId: IZUDFLT

4. Static Service Definition

If you are using a static service definition for z/OSMF, verify that the authentication scheme is set to httpBasicPassTicket.

authentication: scheme: httpBasicPassTicket applid: IZUDFLT

Additional Information

Use the security command in the ISPF syslog to display the z/OSMF server settings. For example, if the z/OSMF started task name is IZUSVR1, issue the following command:

F IZUSVR1,DISPLAY IZU

In the resulting output, locate the SAF_PROFILE line. For instance, a value of SAF_PREFIX(IZUDFTL) indicates that the z/OSMF APPLID is IZUDFTL.

 

Related document: Configuring Zowe to use PassTickets

 

Powered by Wolken Software