Virtual Websphere z/OS User Group

New Stuff in Liberty 18.0.0.3 - Better security messages connecting to the Angel

By David Follis posted Fri September 28, 2018 11:31 AM

During startup a Liberty server will try to connect to an Angel. If it finds one, it might not be allowed to connect due to security restrictions. Or if it can connect, it might not be allowed access to some functions controlled by the Angel, again due to security restrictions. It could be that this is exactly what you wanted. Some servers perhaps shouldn't be allowed access, or are allowed, but only to some specific functions.

On the other hand, you might want them to have access and need to figure out why it isn't working. In this case you might go looking for ICH408I messages to help you determine which entity you need to grant access to. Prior to 18.0.0.3 you couldn't get those messages because Liberty indicated, through the SAF API, that they shouldn't be issued. That's changed.

If you update the parameters used to start the Angel to specify SAFLOG=Y then the Angel code that interacts with SAF will honor it and you will get ICH408I messages for failures to connect to the Angel, failures to have access to features, and failures trying to validate the profile prefix. That should be helpful in determining why a server isn't getting access to the features/functions that it needs from the Angel. But wait, read the next paragraph or two...you aren't done.

But what about a server that you are happy with? You know perfectly well that it doesn't have access to those entities and you don't really need messages every time the server starts reminding you of it. In that case you'll be glad the <safCredentials/> element in that server's server.xml has a new attribute called suppressAuthFailureMessages which defaults to true. That will keep those messages from coming out for servers you are happy with (it is the default because we assume servers you already have set up are set up the way you want, and you don't suddenly want messages letting you know that :-)

But that means that to figure out why a new server can't get to the features it needs, you not only need to specify SAFLOG=Y to the Angel, but also set this new safCredentials attribute to false so the ICH408I messages you just turned on aren't suppressed.
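To make the two halves of that procedure concrete, here is an added server.xml fragment (not from the post or from the Liberty product documentation) showing the safCredentials setting for a server being diagnosed next to the default for a settled server. The profilePrefix value and the Angel PARMS text in the comments are assumptions made for illustration; only SAFLOG=Y and suppressAuthFailureMessages come from the post.

```xml
<!--
  Side 1 (outside server.xml): the Angel started task must be running with
  SAFLOG=Y in its start parameters, or SAF is told not to issue ICH408I
  at all and the attribute below makes no difference.  The exact JCL form
  of the Angel PARMS is an assumption here.
-->

<!-- Server being diagnosed: do NOT suppress, so the ICH408I messages
     turned on by SAFLOG=Y actually reach SYSLOG and show which profile
     (connect, feature access, or profile-prefix validation) is failing. -->
<server description="newserver (assumed name)">
    <safCredentials profilePrefix="BBGZDFLT"
                    suppressAuthFailureMessages="false"/>
</server>

<!-- Settled server: keep the default (true).  Written explicitly here only
     to make the contrast visible; omitting the attribute has the same
     effect because true is the default. -->
<server description="prodserver (assumed name)">
    <safCredentials profilePrefix="BBGZDFLT"
                    suppressAuthFailureMessages="true"/>
</server>
```

Once the access problem is found and fixed, flip the diagnosed server back to the default so a deliberately restricted server does not log a failure on every restart.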

See the writeup for PI96910 for more details.