Question & Answer
After upgrading to z/OS Connect EE 22.214.171.124 and starting my server. I invoked an API passing a basic authentication header with credentials that I expect to be authenticated using SAF (RACF), but the request failed with HTTP response 401.
messages.log includes the following messages:
CWWKB0122I: This server is connected to the default angel process.
CWWKB0104I: Authorized service group SAFCRED is not available.
CWWKS2932I: The unauthorized version of the SAF user registry is activated. Authentication will proceed using unauthorized native services.
FFDC1015I: An FFDC Incident has been created: "com.ibm.ws.security.registry.RegistryException: Unix System Service __passwd failed for user with errno 157 (EMVSERR) and errno2 x90c02af com.ibm.ws.security.registry.saf.internal.SAFRegistry 121" at ffdc_yy.MM.dd_hh.mm.ss.s.log CWWKS1100A: Authentication did not succeed for user ID MYUSER. An invalid user ID or password was specified.
This worked successfully, before I upgraded from z/OS Connect EE 126.96.36.199 to 188.8.131.52.
z/OS Connect EE 184.108.40.206 updates the level of the WebSphere Liberty Profile it ships to 220.127.116.11. WebSphere Liberty Profile 18.104.22.168 updated the level of the angel process to version 8.
For a z/OS Connect EE server to be able to access the z/OS authorized services (for example SAFCRED to perform SAF authentication), it must connect to an angel process running WebSphere Liberty Profile at the same level or higher.
Ensure that the angel process is running the updated version of z/OS Connect EE 22.214.171.124 (so that it is using WebSphere Liberty Profile 126.96.36.199). See the z/OS Connect EE V3 product documentation: Securing -> Configuring the Liberty Angel process and z/OS authorized services for more details.
Restart the z/OS Connect EE server and check that messages.log contains the following message: CWWKB0103I: Authorized service group SAFCRED is available.
Invoke the API again, the SAF authentication should now be successful.
IBM z/OS Connect EE Test
30 July 2018