The Big APPL
KoelliMungee 060000GR25 Visits (6086)
Why is the APPL class so important for WebSphere on z/OS servers? Well, the APPL class that is active on your SAF (RAC
For example, a new configurator ID for the Administrative Console or a new ID that is used to logon to a Web application are cases where the APPL class is often overlooked, and this can result in a failure to logon.
Let's assume a scenario: A new Web application, that uses form based authentication is deployed to the server. The RACF ID that has been set up for the application is USER1. The application is started, the userid and password are entered, but logon for USER1 fails. We know the password is correct because we can logon to TSO with it. There are no security traces on and we get an error that looks like this in the WebSphere servant region:
BBOO0220E: SECJ0055E: Authentication failed for USER1. The user id or password may have been entered incorrectly or misspelled. The user id may not exist, the account could have expired or disabled. The password may have expired.
After turning on security tracing dynamically and recreating the failure, the servant will show SAF return codes indicating that the ID is missing access to the APPL class. So the questions that should be asked is:
Is there a z/OS security domain (V6.1 and prior) or SAF profile prefix (in V7.0) defined and enabled?
So the joboutput in a V6.1 server might look like:
A V7 joboutput might look like:
This implies the APPL class name is K2 in both cases. If there is no security domain or prefix defined, then there is a default name for the APPL class that is given, for example CBS390. Once this is established, the rest is simple. Check whether this new ID has READ access to this APPL profile. You need to know:
1. What group does the userid belong to?
#1, #2 or both need to be true in order to access the WebSphere z/OS server!
Here are three useful RACF commands for checking APPL class definitions and granting permission to it:
RLIST APPL K2 ALL
I hope I have provided some useful information for you in this post. Please let me know if you have any questions or comments on this and have a great day!