| Explanation | When a credential is passed in the body of the request to the authorization server, the requestBody attribute must specify the format of the request. | |
| Action | Specify the requestBody attribute to describe the format of the body. |
| Explanation | z/OS Connect expects the generated token to be returned from the authorization server in a JSON body. You must specify the path to the token so that it can be retrieved and included in the API request from z/OS Connect to the API provider. | |
| Action | Specify a JSON path in the tokenPath attribute to identify where the token is returned in the body. |
| Explanation | z/OS Connect expects the generated token to be returned from the authentication server in the HTTP request body. You must specify the responseFormat attribute so that the returned JWT can be retrieved by z/OS Connect. | |
| Action | Specify a value for the responseFormat attribute on the tokenResponse element. Acceptable values are Text or JSON. |
| Explanation | A token endpoint URL must be specified for the tokenEndpoint attribute so that the request for a JWT can be routed to the authentication server. | |
| Action | Specify a valid value to the tokenEndpoint attribute on the zosconnect_authorizationServer element. |
| Explanation | You must specify the header attribute on the specified element. | |
| Action | Specify a correct value for the header attribute on the specified element. |
| Explanation | z/OS Connect EE failed to access the authentication/authorization server for JWTs/OAuth tokens. | |
| Action | Check the error message for details, inspect the authentication/authorization server logs and correct the configuration. |
| Explanation | An error response is returned from the authentication server. The response body is null. | |
| Action | Contact the administrator of the authentication server for the detailed error reason. |
| Explanation | An error occurred when the z/OS Connect EE server attempted to generate a JWT. | |
| Action | Check the error message for details and correct the configuration in server.xml. |
| Explanation | The value of the specified claims subelement is either not a valid JSON string, or contains XML markup characters. | |
| Action | Either correct the JSON string, or if the JSON string contains XML markup characters, include the JSON string inside a CDATA section so the characters are treated as literals. |
| Explanation | A request was made to clear the token cache and the request was completed successfully. | |
| Action | None. |
| Explanation | The token cache could not be obtained. Authorization tokens will not be cached, which may impact performance. | |
| Action | If problems persist, contact IBM Software Support. |
| Explanation | The jwtAuthenticationTokenRef attribute must specify the id of a zosconnect_oAuthTokenConfig element, and this must define the tokenGeneratorRef and tokenSubject attributes. | |
| Action | Correct the value of jwtAuthenticationTokenRef attribute or correct the definition of the referenced element. |
| Explanation | The value of port attribute should be 0 ~ 65535. | |
| Action | Change the port to a valid value. |
| Explanation | A new attribute named authenticationConfigRef is added in the endpointConnection element to identify the basic or OAuth authentication data to be used for connecting to a remote REST endpoint. The basicAuthRef attribute is deprecated. If the value of both the attributes are set in the zosconnect_endpointConnection element, only the authenticationConfigRef attribute value is used. It is recommended that you use authenticationConfigRef rather than basicAuthRef. | |
| Action | Use the authenticationConfigRef attribute instead of the basicAuthRef attribute. |
| Explanation | The authorization server returned an error status code or did not return a token in the "access_token" parameter. | |
| Action | Check the reason for the failure, correct the error and retry. |
| Explanation | The authServerRef attribute in the zosconnect_oAuthConfig element must be associated with an existent zosconnect_authorizationServer element in the server.xml file. | |
| Action | Ensure the zosconnect_authorizationServer element needed by the OAuth authentication is set and referenced by the authServerRef attribute of the zosconnect_oAuthConfig element correctly. |
| Explanation | The authorization server token endpoint must have an https prefix because the OAuth 2.0 protocol specifies that an authorization server token endpoint must use TLS. | |
| Action | Prefix the tokenEndpoint value with https and configure a TLS connection. |
| Explanation | Parameter username contained in an OAuth access token request can not be null. | |
| Action | Specify a value for the parameter username. |
| Explanation | Parameter password contained in an OAuth access token request can not be null. | |
| Action | Specify a value for the parameter password. |
| Explanation | Parameter client_id contained in an OAuth access token request can not be null. | |
| Action | Specify a value for the parameter client_id. |
| Explanation | Parameter client_secret contained in an OAuth access token request can not be null. | |
| Action | Specify a value for the parameter client_secret. |
| Explanation | z/OS Connect expects the response body to be returned from the authorization server in a JSON format. A response body that is not in a JSON format returns, probably because of the following reasons:1.The value of the tokenEndpoint attribute on the zosconnect_authorizationServer element is not a token endpoint URL. The token endpoint URL can be obtained form the server discovery endpoint: https://[base-server-url]/token. 2.The client or user credentials used for authentication and authorization are invalid. You can specify the credentials in the z/OS application or in the server.xml file. | |
| Action | Ensure a correct token endpoint URL is specified for the tokenEndpoint attribute and the client or user credentials are valid. |
| Explanation | The expiration time specified for the access token exceeds the maximum value that the cache can support. The maximum value is 69 years. If a value that is larger than 69 years is set on the expire_in parameter, the maximum value is used by default. | |
| Action | Ensure the value of the expires_in parameter is equal or smaller than the maximum value. |
| Explanation | The specified parameter is not in the response body that is returned from the authorization server. | |
| Action | Ensure the response body that is returned from the authorization server follows the OAuth 2.0 specification. |
| Explanation | The z/OS Connect server cannot be authenticated as a valid identity or authorized access to the requested resources. | |
| Action | Ensure the credential information used for authentication or authorization is correct. |
| Explanation | z/OS Connect EE API requester encountered an error while processing a request. | |
| Action | Contact the z/OS Connect EE system administrator to check messages.log for the cause of the error. |
| Explanation | An error response is returned from the authentication server, probably because the request for a JWT is invalid. | |
| Action | Check the reason for the failure and correct as required. |
| Explanation | z/OS Connect was unable to retrieve the credentials. They were either not supplied by the calling application or were not specified in the zosconnect_authData element. | |
| Action | Ensure that the communication stub is up to date to pass the credential from the calling application. Check that the user credentials are supplied by the calling application or are specified in the zosconnect_authData element. |
| Explanation | When the authenticationConfigRef attribute references multiple authentication elements, the referenced elements cannot use the same header. | |
| Action | Ensure the authentication elements referenced by the authenticationConfigRef attribute on the zosconnect_endpointConnection element use different headers. |
| Explanation | The z/OS Connect EE server cannot obtain the JWT from the specified header in the response that is returned from the authentication server. | |
| Action | Ensure the token location where the generated JWT is returned in the response and the header attribute are correctly specified. |
| Explanation | The z/OS Connect EE server cannot obtain the JWT from the response body in the response that is returned from the authentication server. | |
| Action | Ensure the token location where the generated JWT is returned in the response body is correctly specified. |
| Explanation | The z/OS Connect EE server cannot obtain the JWT from the JSON string in the response that is returned from the authentication server. | |
| Action | Ensure the token location where the generated JWT is returned in the response and the tokenPath attribute are correctly specified. |
| Explanation | The value of the requestBody attribute must be a valid JSON string. The JSON string must contain the format for how the credential is contained in the body. The format expects variables for user ID and password. If the ${userid} or ${password} syntax is used the values are replaced at runtime with the credentials provided by the calling application. | |
| Action | Specify a valid value for the requestBody attribute. |