PI85804: Improve password failure error messages in authnz

Fixes are available

APAR status

Closed as program error.

Error description

The error written by authnz_saf can be mis-leading. For
example, the following error is seen when a userid does not
have permission in class APPL to the profile referenced by
SAFAPPLID:

(163)EDC5163I SAF/RACF extract error. (errno2=0x090C0820):
IHS00011: SAF user XXXXXXXX: authentication failure for "/":
User revoked

In this case, the call that fails is __passwd_applid() and
looking up documentation for this, you can find the error does
mean:
The user does not have appropriate RACF access to either the
SECLABEL, SERVAUTH profile, or APPL.

But unless you know what call fails, you cannot look up what
the errno/errnojr means.  This APAR will add the function calls
to the existing messages as well add a custom message for the
0x08020 case.

Note, ensure you have set this in the IHS envvars file so that
the errno2 is added to the error message:
export _EDC_ADD_ERRNO2=1

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  Users of IBM HTTP Server on z/OS            *
****************************************************************
* PROBLEM DESCRIPTION: Insufficient information provided by    *
*                      the mod_authnz_saf password failure     *
*                      messages.                               *
****************************************************************
* RECOMMENDATION:  Apply this fix if using IHS on z/OS         *
****************************************************************
The error messages did not contain sufficient information to
always determine the cause of the problem.

Problem conclusion

The password failure error messages in mod_authnz_saf have
been improved to include additional information.
This fix is targeted for IBM HTTP Server fix packs:
- 7.0.0.45
- 8.0.0.15
- 8.5.5.13
- 9.0.0.6

Temporary fix

Comments

APAR Information

APAR number
PI85804
Reported component name
WAS IHS ZOS
Reported component ID
5655I3510
Reported release
85P
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-08-11
Closed date
2017-10-12
Last modified date
2017-10-12

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WAS IHS ZOS
Fixed component ID
5655I3510

Applicable component levels

R700 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"85P","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
04 May 2022

Tips

PI85804: Improve password failure error messages in authnz_saf

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R700 PSY

Document Information

Share your feedback

Need support?