IBM z/OS Management Facility (z/OSMF)

The IBM z/OS Management Facility framework improves programmer productivity by using simplified, streamlined and automated tasks. This easier-to-use functionality reduces both programmer training time and the learning curve.

  • 1.  z/OSMF, TSO/E API Security Issue

    Posted Fri September 16, 2022 10:50 AM
    Hello Fellows!
    Can anyone on earth give me some help with the z/OSMF security/configuration issue I have been struggling with for weeks?

    I have just moved from z/OS 2.4 to 2.5 and decided to try z/OSMF (I am a newcomer to it, z/OSMF I mean).

    Everything is working fine, except for the services that need to start a TSO session, ISPF and Console. For these cases I got the messages:

    1. For Console:
    The request cannot complete because an error occurred. Error: "Error message returned. Return code: 3. Reason code: 30. Error detail: Error happened in TSO/E address space, error description: IZUG567E, JUAREZ, IZUSVR, TSO"
    2. For ISPF
    IZUG567E, JUAREZ, IZUSVR, ISPF
    IZUG567E
    Sep 9, 2022, 2:27:34 PM

    Both services send us to the same point: the message IZUG567E, which reads
    IZUG567E  The request was rejected because the user ID logged-in-user-ID that was used to log into z/OSMF does not match the user ID requestor-user-ID that was used to start the requested-task task.

    I would very much appreciate any help.

    ------------------------------
    Juarez Almeida
    ------------------------------


  • 2.  RE: z/OSMF, TSO/E API Security Issue

    Posted Mon September 19, 2022 07:31 AM
    Hi, Daniel,

    Thanks for trying z/OSMF and letting us know the issue.

    Could you please open the Security Configuration Assistant task in z/OSMF Desktop, open the Services tab and validate if there are any missing security settings for TSO/E Address Space Services, z/OS Operator Consoles and z/OSMF ISPF for your user ID?

    If there are missing security settings, please fix them and try again.

    If the error still happens, please check if there was any error log recorded in z/OSMF log files when the error happened. The location of z/OSMF log files is /global/zosmf/data/logs, and the latest one is IZUG0.log.

    Thanks.
    Li Qi.

    ------------------------------
    QI LI
    ------------------------------



  • 3.  RE: z/OSMF, TSO/E API Security Issue

    Posted Fri September 23, 2022 04:22 PM
    Hey Li,

    Thanks for your quick response.

    Apologies for the delay. I prepared the reply on the same day, but I suppose I made some mistake when posting. So, I went over the test again.

    Just to be on the safe side and to make your help easier, I have just restarted the STCs CEA, CFZCIM, IZUANG1 and IZUSVR1.

    All security settings are cleared (failed box checked). See messages below:
    . IZUSA0002I Validation processing completed for ID juarez.
    . No result in this tab under current filter settings.

    Tried the ISPF service and got the same message:
    . IZUG567E, JUAREZ, IZUSVR, ISPF  /  IZUG567E Sep 23 2022, 5:05:58 PM

    See below the log excerpt:
     
    INFO:IZUD9018I: Initialization of the z/OSMF Software Management task is complete.                                          
    [tx:]                                                                                                                       
    2022-09-23T20:03:03.473Z▵0000004B▵com.ibm.zoszmf.dm.rest.listener.Bootstrap▵contextInitialized(ServletContextEvent)
    INFO:IZUG852I: Archive manifest file at URL "wsjar:file:/usr/lpp/zosmf/installableApps/izudDm.ear/IzudDmRest.war!/META-INF/M
    [tx:]                                                                                                                       
    2022-09-23T20:03:04.354Z▵0000004B▵com.ibm.zoszmf.dm.swupd.Bootstrap▵contextInitialized()                                    
    INFO:IZUG852I: Archive manifest file at URL "wsjar:file:/usr/lpp/zosmf/installableApps/izudDm.ear/IzudDmSwUpd.war!/META-INF/
    [tx:]                                                                                                                       
    2022-09-23T20:03:04.853Z▵00000048▵com.ibm.zoszmf.util.data.applinker.ALManagerImpl▵putEventType                             
    INFO:The event type to be registered is consistent with the existing one. Nothing to overwrite.                             
    [tx0000000000000011:*izubootstrap*]                                                                                         
    2022-09-23T20:04:17.810Z▵00000087▵com.ibm.zoszmf.navigation.servlet.GetLogoServlet▵loadWelcomeContents()                  
    INFO:File: /global/zosmf/data/customWelcome.properties not available.                                                       
    [tx:]                                                                                                                       
    2022-09-23T20:04:33.561Z▵00000035▵com.ibm.zoszmf.util.data.ObjectHandleProperty▵ObjectHandleProperty()                    
    INFO:Init with ObjectHandleProperty, root path /global/zosmf/configuration/settings/                                        
    [tx0000000000000022:juarez@GFSE (GET) /zosmf/settings/zosmf/feedback?version=1.0.0]                                         
    2022-09-23T20:05:53.299Z▵0000006D▵com.ibm.zoszmf.util.data.ObjectHandleProperty▵ObjectHandleProperty()                      
    INFO:Init with ObjectHandleProperty, root path /global/zosmf/configuration/settings/                                        
    [tx0000000000000034:juarez@10.0.0.179 (GET) /zosmf/settings/user/com.ibm.zoszmf.ispf/ISPF/webispf?dojo.preventCache=16639635
    2022-09-23T20:05:58.650Z▵0000007A▵com.ibm.zoszmf.ispf.util.DojoMessageList▵makeMessageFromExceptionAndLog                   
    SEVERE:IZUG567E, JUAREZ, IZUSVR, ISPF                                                                                       
    com.ibm.zoszmf.ispf.util.IspfServletException: IZUG567E, JUAREZ, IZUSVR, ISPF                                               
       com.ibm.zoszmf.ispf.session.TsoAddrSpc.assertOSThreadIdentity(TsoAddrSpc.java:399)                                       
       com.ibm.zoszmf.ispf.session.TsoAddrSpc.<init>(TsoAddrSpc.java:130)                                                       
       com.ibm.zoszmf.ispf.session.TsoAddrSpcMgr.createTsoAddressSpace(TsoAddrSpcMgr.java:172)                                  
       com.ibm.zoszmf.ispf.session.TsoController.startTsoWithCmd(TsoController.java:120)                                        
       com.ibm.zoszmf.ispf.servlet.TsoServlet$4.handlePut(TsoServlet.java:455)                                                  
       com.ibm.zoszmf.ispf.rest.AbstractRestServlet.processTransaction(AbstractRestServlet.java:264)                            
       com.ibm.zoszmf.ispf.rest.AbstractRestServlet.doPut(AbstractRestServlet.java:162)                                         
       javax.servlet.http.HttpServlet.service(HttpServlet.java:710)                                                             
       javax.servlet.http.HttpServlet.service(HttpServlet.java:790)                                                             
       com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1258)                                         
       com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:746)                                    
       com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:443)                                    
       com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:183)                                
       com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:94)                                     
       com.ibm.zoszmf.util.auth.CSRFwithWLFilter.doFilter(CSRFwithWLFilter.java:192)                                          
    ….
    ….
       java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)                                          
       java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)                                          
       java.lang.Thread.run(Thread.java:830)                                                                                    
    [tx0000000000000036:juarez@10.0.0.179 (PUT) /zosmf/webispf/tso?proc=IKJACCNT&chset=697&cpage=1047&rows=204&cols=160&rsize=50
    2022-09-23T20:06:56.741Z▵000000B2▵com.ibm.zoszmf.util.log.servlet.UILoggerServlet▵UILoggerServlet::doPost()                 
    SEVERE: [2022-09-23T20:05:52.943Z] IzuUICommon/izuUILogger/log4js.js: Could not retrieve logger level from the server.  Set 
    [tx000000000000003B:juarez@10.0.0.179 (POST) /zosmf/IzuUICommon/UILoggerServlet?preventCache=1663963542937]    

    Kind Regards


    ------------------------------
    Daniel Simis Ehrl
    ------------------------------
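
Added example (not part of the thread and not IBM code): a Python triage of an IZUG0.log excerpt in the layout posted above, extracting each IZUG567E record together with the REST request line that follows it. The field names assume the insert order given in the message text quoted in the first post; the sample log is constructed from the posted lines.

```python
import re

# Constructed sample, modelled on the IZUG0.log excerpt posted above:
# record header, level:message line, optional stack, then the [tx...] line.
SAMPLE_LOG = """\
2022-09-23T20:05:53.299Z▵0000006D▵com.ibm.zoszmf.util.data.ObjectHandleProperty▵ObjectHandleProperty()
INFO:Init with ObjectHandleProperty, root path /global/zosmf/configuration/settings/
[tx0000000000000034:juarez@10.0.0.179 (GET) /zosmf/settings/user/com.ibm.zoszmf.ispf/ISPF/webispf
2022-09-23T20:05:58.650Z▵0000007A▵com.ibm.zoszmf.ispf.util.DojoMessageList▵makeMessageFromExceptionAndLog
SEVERE:IZUG567E, JUAREZ, IZUSVR, ISPF
com.ibm.zoszmf.ispf.util.IspfServletException: IZUG567E, JUAREZ, IZUSVR, ISPF
   com.ibm.zoszmf.ispf.session.TsoAddrSpc.assertOSThreadIdentity(TsoAddrSpc.java:399)
[tx0000000000000036:juarez@10.0.0.179 (PUT) /zosmf/webispf/tso?proc=IKJACCNT
"""

HEADER = re.compile(r"^(\d{4}-\d\d-\d\dT[\d:.]+Z)▵")
# Inserts in message-text order: logged-in user, requestor user, task.
MISMATCH = re.compile(r"^SEVERE:IZUG567E, ([^,\s]+), ([^,\s]+), ([^,\s]+)$")
REQUEST = re.compile(r"^\[tx\w*:([^@\s]+)@(\S+) \((\w+)\) ([^\]\s]+)")

def find_identity_mismatches(log_text):
    """Return one dict per IZUG567E record: the user who logged in, the
    identity the request actually ran under, the task, and the request."""
    events, ts, current = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()              # forum pastes are padded and indented
        if m := HEADER.match(line):
            ts, current = m.group(1), None   # a new record starts here
        elif m := MISMATCH.match(line):
            current = {"time": ts, "logged_in": m.group(1),
                       "requestor": m.group(2), "task": m.group(3)}
        elif current is not None and (m := REQUEST.match(line)):
            # The [tx...] line closes the record and names the web session.
            current.update(session_user=m.group(1), client=m.group(2),
                           request=f"{m.group(3)} {m.group(4)}")
            events.append(current)
            current = None
    return events

if __name__ == "__main__":
    for e in find_identity_mismatches(SAMPLE_LOG):
        print(e)
```
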



  • 4.  RE: z/OSMF, TSO/E API Security Issue

    Posted Mon September 26, 2022 11:14 PM

    Hi, Daniel,

    Thanks for sharing the information.

    You can find the explanation of IZUG567E here: https://www.ibm.com/docs/en/zos/2.4.0?topic=izug599-izug567e

    The issue could be:

     

    The z/OSMF SyncToOSThread allowed option is not enabled on your system. For the proper functioning of z/OSMF, the SyncToOSThread allowed option must be enabled and properly configured on your system.

     

    Below is the link for enabling syncToOSThread:

    https://www.ibm.com/docs/en/was-liberty/core?topic=SSD28V_liberty/com.ibm.websphere.wlp.zseries.doc/ae/twlp_synctoosthread.html

     

    Could you please check if you have granted the server permission to perform syncToOSThread operations? z/OSMF Security Configuration Assistant can be used to check it quickly:


    Besides the above security settings, z/OSMF has defined a role mapper which maps server ID to user IDs in izuUsers group. Missing that security configuration will result in role mapping failures.

    To make the user mapping work, it requires the following security configuration:

    RDEFINE EJBROLE IZUDFLT.*.izuUsers UACC(NONE)

    PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)

    As a short summary, please check the following two security settings.

    One is the BBG.SYNC.<profilePrefix> profile in the FACILITY class and the other is the IZUDFLT.*.izuUsers profile in the EJBROLE class.

    Thanks.



    ------------------------------
    QI LI
    ------------------------------



  • 5.  RE: z/OSMF, TSO/E API Security Issue

    Posted Mon October 03, 2022 02:17 PM
    Hi Qi Li,

    Good news, everything is working fine!

    I went over all RACF authorisations; they were all OK.

    When I was preparing robust documentation to send you, I came across a relevant fact: the RACF class FACILITY was not RACLISTed.

    SETR RACLIST CLASSES =  ACCTNUM APPL CDT CONSOLE CSFKEYS CSFSERV DIGTCERT      facility ?
                            DIGTCRIT DIGTNMAP DIGTRING DSNR EJBROLE FCICSFCT       
                            FIELD FSACCESS JESSPOOL LOGSTRM OPERCMDS PTKTDATA      
                            PTKTVAL RDATALIB REALM SDSF SERVAUTH SERVER STARTED    
                            SURROGAT TSOAUTH TSOPROC UNIXPRIV WBEM XCSFKEY         
                            ZMFAPLA ZMFCLOUD       

    I fixed it up, restarted IZUSVR1 and bingo.

    Thanks a lot; I very much appreciate your help.


    ------------------------------
    Daniel Simis Ehrl
    ------------------------------
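
Added example (not part of the thread and not IBM code): a Python check that reads SETROPTS LIST output and reports whether the classes holding the two profiles named in this thread are active and RACLISTed. The sample output is constructed; treating both FACILITY and EJBROLE as needing RACLIST is an assumption of this example, based on the profiles listed in post 4 and the fix reported in post 5.

```python
# Constructed SETROPTS LIST excerpt: FACILITY is active but, as in the
# output posted above, missing from the SETR RACLIST CLASSES block.
SAMPLE_SETROPTS = """\
ACTIVE CLASSES =  DATASET USER GROUP ACCTNUM APPL CDT CONSOLE EJBROLE
                  FACILITY SERVER STARTED TSOAUTH TSOPROC
GENLIST CLASSES =  NONE
SETR RACLIST CLASSES =  ACCTNUM APPL CDT CONSOLE EJBROLE SERVER STARTED
                        TSOAUTH TSOPROC
GLOBAL=YES RACLIST ONLY =  NONE
"""

# Class -> profile named in the thread (assumed set, see lead-in).
REQUIRED = {"FACILITY": "BBG.SYNC.<profilePrefix>",
            "EJBROLE": "IZUDFLT.*.izuUsers"}

def classes_under(heading, setropts_output):
    """Collect the class names listed under one SETROPTS LIST heading,
    following indented continuation lines until the next heading."""
    classes, collecting = [], False
    for line in setropts_output.splitlines():
        if collecting and line[:1].isspace() and "=" not in line:
            classes += line.split()                 # continuation line
        elif line.strip().startswith(heading) and "=" in line:
            classes = line.split("=", 1)[1].split()
            collecting = True
        elif collecting:
            break                                   # next heading reached
    return set(classes) - {"NONE"}

def check_zosmf_classes(setropts_output):
    """Return {class: problem} for each required class that is inactive
    or not RACLISTed; an empty dict means both checks passed."""
    active = classes_under("ACTIVE CLASSES", setropts_output)
    raclisted = classes_under("SETR RACLIST CLASSES", setropts_output)
    findings = {}
    for cls in REQUIRED:
        if cls not in active:
            findings[cls] = "not active"
        elif cls not in raclisted:
            findings[cls] = "active but not RACLISTed"
    return findings

if __name__ == "__main__":
    for cls, problem in check_zosmf_classes(SAMPLE_SETROPTS).items():
        print(f"{cls}: {problem} (profile {REQUIRED[cls]})")
```
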



  • 6.  RE: z/OSMF, TSO/E API Security Issue

    Posted Sat October 08, 2022 12:13 AM
    Hi, Daniel,

    Great news! I'm glad the issue was fixed!

    ------------------------------
    QI LI
    ------------------------------