If a user receives an error when attempting to log in to z/OSMF, try troubleshooting with
the following steps.
Procedure
- Verify that the user ID is correct and try logging in.
If the user is still not able to log in, continue to the next step.
- Ensure that the password that is associated with the user ID is correct. If the user is still
not able to log in, continue to the next step.
- It is possible that the password for the user ID is expired. To check, try logging in to TSO
through an emulator.
- Ensure that your installation defined the z/OSMF unauthenticated guest user in your external
security manager. This authorization is required so that users can access the z/OSMF Welcome page
prior to login. In a system with RACF®, for example, your
security administrator can use the following commands to create the unauthenticated guest user:
    /* Create the z/OSMF unauthenticated USERID */
    ADDUSER IZUGUEST RESTRICTED DFLTGRP(IZUUNGRP) OMVS(UID(9011)) +
    NAME('zOSMF Unauthenticated USERID') NOPASSWORD NOOIDCARD
    /* Permit the z/OSMF unauthenticated USERID access */
    PERMIT IZUDFLT CLASS(APPL) ID(IZUGUEST) ACCESS(READ)
    /* Permit other users USERID access */
    PERMIT IZUDFLT CLASS(APPL) ID(userid) ACCESS(READ)
- If the user is attempting to log in with a password phrase (pass phrase), your
installation's external security manager might need to be updated to allow mixed-case
passwords. In a system with RACF, for example, your security
administrator can use the SETROPTS PASSWORD(MIXEDCASE) option to allow mixed-case passwords at your
installation. After this change is made, you must restart the z/OSMF server.
- Check the z/OSMF server job log for message BPXP014I with either of the following messages:
ICH420I or BPXP015I. These message pairings indicate that the z/OSMF server did not connect to the
z/OSMF angel process.
  - For example:
    ICH420I PROGRAM BPXBATSL FROM LIBRARY SYS1.LINKLIB CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED.
    BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING.
  - Or:
    BPXP015I HFS PROGRAM /usr/lpp/zosmf/lib/libIzugJni64.so IS NOT MARKED PROGRAM CONTROLLED.
    BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING.
If these messages appear, check the Liberty log for message CWWKB0117W or CWWKB0118W:
    CWWKB0117W: The angel-name angel process is not available. No authorized services
    will be loaded. The reason code is 4.
    CWWKB0118W: This server is not authorized to connect to the angel-name angel process.
    No authorized services will be loaded.
  - For message CWWKB0117W, you must start the address space for the angel that is identified in
  the message. Then, restart the z/OSMF server address space.
  - For message CWWKB0118W, you must grant the z/OSMF server user ID read access to the profile
  BBG.ANGEL.proc-name in the SERVER resource class, where
  proc-name is the name of the angel started procedure. Then, restart the z/OSMF
  server address space.
By default, the Liberty log is located at the following path:
/global/zosmf/data/logs/zosmfServer/logs/messages.log
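The job-log and Liberty-log checks from the last step can be scripted. The following is an added example, not IBM code: the function names, the timestamp prefixes, and the angel name ANGELX in the sample lines are assumptions made for illustration.

```python
import re

# Constructed sample input modeled on the messages quoted above; the timestamp
# prefixes and the angel name ANGELX are made up for this example.
JOB_LOG = """\
09.15.02 ICH420I PROGRAM BPXBATSL FROM LIBRARY SYS1.LINKLIB CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED.
09.15.02 BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING.
"""
LIBERTY_LOG = """\
[1/1/24 9:15:04:000 GMT] 00000021 W CWWKB0118W: This server is not authorized to connect to the ANGELX angel process.
[1/1/24 9:20:31:000 GMT] 00000021 W CWWKB0118W: This server is not authorized to connect to the ANGELX angel process.
"""

JOB_IDS = re.compile(r"\b(ICH420I|BPXP014I|BPXP015I)\b")
# The angel name sits between "the" and "angel process"; treating it as optional
# is an assumption so that a message without a name still matches.
ANGEL_MSG = re.compile(r"\b(CWWKB011[78]W):.*?\bthe\s+(?:(\S+)\s+)?angel process", re.I)

ACTIONS = {  # wording follows the two remediation bullets in the procedure
    "CWWKB0117W": "start the angel address space, then restart the z/OSMF server",
    "CWWKB0118W": "grant the z/OSMF server user ID READ access to BBG.ANGEL.proc-name "
                  "in the SERVER class, then restart the z/OSMF server",
}

def angel_connect_failed(job_log):
    """True when BPXP014I is paired with ICH420I or BPXP015I in the job log."""
    ids = set(JOB_IDS.findall(job_log))
    return "BPXP014I" in ids and bool(ids & {"ICH420I", "BPXP015I"})

def triage(job_log, liberty_log):
    """Return de-duplicated (message_id, angel_name, action) tuples, in log order."""
    if not angel_connect_failed(job_log):
        return []
    findings = []
    for line in liberty_log.splitlines():
        m = ANGEL_MSG.search(line)
        if m:
            msg = m.group(1).upper()
            finding = (msg, m.group(2) or "(unnamed)", ACTIONS[msg])
            if finding not in findings:
                findings.append(finding)
    return findings

if __name__ == "__main__":
    for msg, angel, action in triage(JOB_LOG, LIBERTY_LOG):
        print(f"{msg} angel={angel}: {action}")
```

An empty result with the job-log pairing present means neither CWWKB0117W nor CWWKB0118W was found in the text supplied, so confirm that the Liberty log path matches your installation.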
What to do next
If none of these steps resolves the problem, contact your system programmer for assistance. The
system programmer should check the z/OSMF log files for messages that indicate that the user ID is
not authorized.
User messages for authentication errors are often general by design to avoid providing malicious
users with valuable information, such as whether a particular user ID is valid. More specific
information about this error might be available to your system programmer in the form of messages
that are written to the operator console or to the operator log. Typically, these problems are
caused by incorrect passwords or user IDs that are revoked.