At the same time as working on this problem I am trying to get JWT working.... Ive undo my JWT changes, and ran the command you gave and it gives me
< HTTP/1.1 405 Method Not Allowed
< Date: Thu, 24 Jul 2025 07:36:15 GMT
< Allow: OPTIONS,GET,HEAD,POST,HEAD,HEAD
< Content-Length: 287
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method PUT is not allowed for this URL.</p>
<hr>
<address>IBM_HTTP_Server Server at 10.1.1.2 Port 80</address>
</body></html>
* Connection #0 to host 10.1.1.2 left intact
_____________________________
I tried raising a thread on this forum and I now get
Original Message:
Sent: Wed July 23, 2025 01:14 PM
From: Hiren Shah
Subject: Undocumented rc 500 - 3 - 37
Hi Colin,
You reported two issues here.
To resolve first issue, you explicitly specified IP Address as hostname in izuprmxx. With that you are able to make progress invoking Console REST API. As you identified root cause is the incorrect specification in IPNOD in ADCD image. You could update ADCD.Z31B.TCPPARMS(ZPDTIPN1) with correct IP address (i.e. 10.1.1.2) instead of 172.26.1.2 and then issue F RESOLVER,REFRESH,SETUP= ADCD.Z31B.TCPPARMS(GBLRESOL). This will allow you to fall back to remove explicit IP address in HOSTNAME parm in IZUPRMxx.
Second problem you are raising is invoking REST API without any credential returns Response code 500 (server error). We would expect 401 in this case. I tried curl request and I am getting 401 as expected. As John mentioned, some how you are getting LTPA token from cache? Can you try curl request from terminal?
curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{ "cmd": "d a,l", "sol-key": "JES"}' --insecure 'https://"MYHOSTNAME"/zosmf/restconsoles/consoles/defcn' --verbose
* upload completely sent off: 36 bytes
< HTTP/1.1 401 Unauthorized
< X-Powered-By: Servlet/3.1
< WWW-Authenticate: Basic realm="defaultRealm"
< Content-Language: en-US
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Content-Length: 0
< Date: Wed, 23 Jul 2025 17:10:19 GMT
------------------------------
Hiren Shah Senior Technical Staff Member (z/OSMF)
Original Message:
Sent: Wed July 23, 2025 07:51 AM
From: Colin Paice
Subject: Undocumented rc 500 - 3 - 37
Hi Akhil,
MVS TCP/IP NETSTAT CS 3.1 TCPIP Name: TCPIP 11:51:33
Home address list:
LinkName: LOOPBACK
Address: 127.0.0.1
Flags:
IntfName: TAP0
Address: 10.1.1.2
Flags: Primary
IntfName: TAP1
Address: 10.1.2.6
Flags:
IntfName: LOOPBACK6
Address: ::1
Type: Loopback
Flags:
Unavailable IPv6 Home addresses:
IntfName: JFPORTCP6
Address: 2001:db8:8::9
Type: Global
Reason: Duplicate address detection pending start of interface
Address: 2001:db8::9
Type: Global
Reason: Duplicate address detection pending start of interface
Address: 2001:7::4
Type: Global
Reason: Duplicate address detection pending start of interface
Address: 2400::1
Type: Global
Reason: Duplicate address detection pending start of interface
------------------------------
Colin Paice
Retired
Retired
Stromness
Original Message:
Sent: Wed July 23, 2025 05:13 AM
From: Akhil Anand
Subject: Undocumented rc 500 - 3 - 37
@Colin Paice
Thanks Colin for sharing the logs.
Need one more help. Can you issue this TSO command in your system:
NETSTAT HOME
And can you please share the output with us? I want to see the list of all active interfaces and IP addresses in your system with their flags.
Regards
Akhil Anand
------------------------------
Akhil Anand
Original Message:
Sent: Wed July 23, 2025 04:36 AM
From: Colin Paice
Subject: Undocumented rc 500 - 3 - 37
HOSTNAME(10.1.1.2)
HTTP_SSL_PORT(10443)
INCIDENT_LOG UNIT('SYSALLDA')
/* JAVA_HOME('/usr/lpp/java/J11.0_64') */
JAVA_HOME('/usr/lpp/java/J8.0_64/J21.0_64')
/* KEYRING_NAME('IZUKeyring.IZUDFLT') */
/* KEYRING_NAME('TN3270') */
KEYRING_NAME('CCPKeyring.IZUDFLT')
LOGGING('*=info')
RESTAPI_FILE ACCT(ACCT# ) REGION(65536) PROC(IZUFPROC)
COMMON_TSO ACCT(ACCT# ) REGION( 50000)PROC(IZUFPROC)
SAF_PREFIX('IZUDFLT')
CLOUD_SAF_PREFIX('IYU')
SEC_GROUPS USER(IZUUSER),ADMIN(IZUADMIN),SECADMIN(IZUSECAD)
SESSION_EXPIRE(15)
TEMP_DIR('/tmp')
CSRF_SWITCH(ON)
SERVER_PROC('IZUSVR1')
ANGEL_PROC('IZUANG1')
AUTOSTART('CONNECT')
AUTOSTART_GROUP('IZUDFLT')
/* AUTOSTART_GROUP('NONE') */
/* USER_DIR('/global/zosmf') */
USER_DIR('/u/tmp/zosmfc')
UNAUTH_USER(IZUGUEST)
WLM_CLASSES DEFAULT(IZUGHTTP)
LONG_WORK(IZUGWORK)
CSRF_SWITCH(OFF)
/* Uncomment the following statement and any plugins that
are desired */
PLUGINS( INCIDENT_LOG )
/* COMMSERVER_CFG, */
/* WORKLOAD_MGMT */
/* RESOURCE_MON, */
/* CAPACITY_PROV, */
/* SOFTWARE_MGMT, */
/* SYSPLEX_MGMT, */
/* ISPF) */
------------------------------
Colin Paice
Retired
Retired
Stromness
Original Message:
Sent: Wed July 23, 2025 04:24 AM
From: Colin Paice
Subject: Undocumented rc 500 - 3 - 37
Hi,
Sorry its taken so long...
I get
Response From Service
reason: POST returns error: Error 500: java.lang.NullPointerException: Cannot invoke "java.lang.String.toUpperCase()" because the return value of "com.ibm.zoszmf.util.auth.ZmfContext.getUserName()" is null
return-code: 3
reason-code: 16
------------------------------
Colin Paice
Retired
Retired
Stromness
Original Message:
Sent: Thu July 10, 2025 09:40 AM
From: John Czukkermann
Subject: Undocumented rc 500 - 3 - 37
Colin,
Could you please post your IZUG logs? I'm looking for the log from when z/OSMF was started and then the log content for the successful certificate request and the failed non-certificate request.
Could you also please post your IZUPRM member?
Thank you, John
------------------------------
John Czukkermann
IBM Corporation, Poughkeepsie, NY
czuk@us.ibm.com
Original Message:
Sent: Thu July 10, 2025 09:37 AM
From: John Czukkermann
Subject: Undocumented rc 500 - 3 - 37
Hi again Colin, This is in reply the NullPointerException when ZmfContext.getUserName() does a String.toUpperCase() on what it expects to be the authenticated z/OS user ID for the request.
I don't understand how that request got through without requiring some kind of auth header providing the user credentials. Unless the prior certificate auth somehow resulted in an LTPA2 token that didn't have an actual user ID associated with it.
When a request is handed to z/OSMF by Liberty, it passes the associated HttpServletRequest, which includes the remote user (ID). ZmfContext is using that value and trying to upper case it. So in this case the remote user associated with the request is null.
This doesn't make any sense to me.
John
------------------------------
John Czukkermann
IBM Corporation, Poughkeepsie, NY
czuk@us.ibm.com
Original Message:
Sent: Sat June 28, 2025 01:07 PM
From: Colin Paice
Subject: Undocumented rc 500 - 3 - 37
After several rabbit holes, I found the problem.
In my IZUPRMCM I had not specified HOSTNAME, and this was picking up the value HOSTNAME S0W1.DAL-EBIS.IHOST.COM from somewhere.
in the IZUG0.log was
2025-06-28T07:26:36.337Z|00000089|com.ibm.zoszmf.config.security.listener.Bootstrap|contextDestroyed
INFO:IZUSAINTL000: The Security Configuration Assistant Application is started
Ýtx:¨
2025-06-28T07:26:37.348Z|000000B0|com.ibm.zoszmf.consoles.tsoconnect.Connection|run
WARNING:exception when run as server:
java.net.SocketTimeoutException: Connect timed out
at java.base/sun.nio.ch.NioSocketImpl.timedFinishConnect(NioSocketImpl.java:551)
at java.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:597)
at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:327)
at java.base/java.net.Socket.connect(Socket.java:751)
at java.base/sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:304)
at java.base/sun.net.NetworkClient.doConnect(NetworkClient.java:178)
at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:531)
at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:636)
at java.base/sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
When I added HOSTNAME(10.1.1.2) and restarted z/OSMF it all started to work.
________________________________________________________
I could use certififcates to map to a userid and it worked. If I had no userid, and no certificate I got
curl -X PUT --header Content-Type: application/json --header Accept: application/json --insecure -d { "cmd": "d a,l", "sol-key": "JES" } https://10.1.1.2:10443/zosmf/restconsoles/consoles/COLINNO
{"reason":" POST returns error: Error 500: java.lang.NullPointerException: Cannot invoke "java.lang.String.toUpperCase()" because the return value of "com.ibm.zoszmf.util.auth.ZmfContext.getUserName()" is null","return-code":3,"reason-code":16}
and the trace had
INFO:LTPAToken2 is: null
Ýtx0000000000000127:null@10.1.0.2 (PUT) /zosmf/restconsoles/consoles/COLINNO?null¨
2025-06-28T17:02:59.754Z|0000008D|com.ibm.zoszmf.util.web.rest.AbstractRestServlet|processTransaction()
SEVERE:IZUG802E: An error occurred. Error: "java.lang.NullPointerException"
com.ibm.zoszmf.util.CommonException: IZUG802E: An error occurred. Error: "java.lang.NullPointerException"
com.ibm.zoszmf.util.web.rest.AbstractRestServlet.processTransaction(AbstractRestServlet.java:386)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
java.base/java.lang.Thread.run(Thread.java:1595)
+-> java.lang.NullPointerException: Cannot invoke
"java.lang.String.toUpperCase()" because the return value of
"com.ibm.zoszmf.util.auth.ZmfContext.getUserName()" is null
com.ibm.zoszmf.util.tso.servlet.TsoServicesServlet$TsoStartHandler.handlePost(TsoServicesServlet.java:804)
com.ibm.zoszmf.util.web.rest.AbstractRestServlet.processTransaction(AbstractRestServlet.java:329)
com.ibm.zoszmf.util.web.rest.AbstractRestServlet.doPost(AbstractRestServlet.java:190)
------------------------------
Colin Paice
Retired
Retired
Stromness
Original Message:
Sent: Thu June 26, 2025 09:32 AM
From: Colin Paice
Subject: Undocumented rc 500 - 3 - 37
Hi John,
I cant raise a case as I run on zD&T with ADCD on z86 hardware.
I get the 3,17 even if I stop CEA.
I thought the problem may have been permission related, so I reran the z/OSMF security jobs and now I get
reason: Timeout when creating TSO address space for console IBMUSER
return-code: 2
reason-code: 21
_____________
I turned on as many traces as I knew, and nothing obvious jumped out at me.
In the 3,17 problem the last few entries of the trace ( attached) are
1 Trace: 6/22/25, 11:54:50:936 GMT? t=8c2418 key=P8 (3009003)
Description: Exit: ntv_setThreadSecurityEnvironment
safServiceResult: data_address=00000053_d7bfe958, data_length=20
setStatusCode(sc): Status code: 500
I dont get the reason: { "reason": "POST TSO/E Service returns null.", "return-code": 3, "reason-code": 17} in the trace
I stopped CEA - but that made no difference.
I expect it is a simple set up problem ( but I am good at falling over bugs). If you can give a hint where to look, I can keep looking
Colin
------------------------------
Colin Paice
Retired
Retired
Stromness
Original Message:
Sent: Wed June 25, 2025 08:41 AM
From: John Czukkermann
Subject: Undocumented rc 500 - 3 - 37
Hi Colin,
Could you please open a case with IBM Support. You can use the Diagnostic Assistant desktop application to capture a copy of the z/OSMF and Liberty logs to include in the case. It is possible that the TSO proc that z/OSMF is configured to use is incorrect, so you can check that.
Thank you,
John Czukkermann
------------------------------
John Czukkermann
IBM Corporation, Poughkeepsie, NY
czuk@us.ibm.com
Original Message:
Sent: Tue June 17, 2025 10:21 AM
From: Colin Paice
Subject: Undocumented rc 500 - 3 - 37
I am trying to use a console request through z/OSMF.
With
https://10.1.1.2:10443/zosmf/restconsoles/consoles/colin
I get the following. The link to the doc gives code 500 rc 3 reason 14 and code 500 rc 3 reason 18 .... ,but not 17.
Please can someone tell me where to find what this means.
Response Body
{ "reason": "POST TSO/E Service returns null.", "return-code": 3, "reason-code": 17}
------------------------------
Colin Paice
Retired
Retired
Stromness
------------------------------