Troubleshooting
Problem
Unable to authenticate a user when trying to access a protected web application in a CICS Liberty JVM server and CICS JESMSGLG log contains message: ICH420I PROGRAM DFHSIP FROM LIBRARY hlq.SDFHAUTH CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED
Symptom
You are using a CICS Liberty JVM server and are attempting to access a secured Liberty web application from a browser.
The Liberty messages.log contains message:
CWWKS1100A: Authentication did not succeed for user ID user. An invalid user ID or password was specified.
and in the CICS JESMSGLG log:
ICH420I PROGRAM DFHSIP FROM LIBRARY hlq.SDFHAUTH CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED.
Cause
The CICS Liberty JVM server security implementation uses the Liberty angel process to perform authorized security checks. If Liberty is unable to connect to the angel process, it will fail over to using USS security which requires all members in the STEPLIB and DFHRPL concatenations to be program controlled.
Environment
Liberty JVM server
Resolving The Problem
You should not program control your load libraries.
Check that you have configured the Liberty angel process and that it is running.
Ensure that you have the correct security profiles in place.
In CICS 5.3 with Liberty 8.5.5.8 and above, ensure the safRegistry element in server.xml has the enableFailover set to false:
<safRegistry id="saf" enableFailover="false" />
In CICS 5.3 with Liberty 16.0.0.4 and above, add the following property to the JVM profile to force Liberty to require an angel process:
-Dcom.ibm.ws.zos.core.angelRequired=true
Review the Configuring security for a Liberty JVM server section in the CICS documentation.
Review the The Liberty server angel process section in the CICS documentation.
Product Synonym
CICS/TS CICS TS CICS Transaction Server
Was this topic helpful?
Document Information
Modified date:
21 June 2018
UID
swg21968554