Problems when deploying security

I had previously, with Douglas Kelly’s help, deployed the Natural RPC Server using the re-entrant ADALNKR-based nucleus to run 10 tasks, which I understood was required if I want to use security and dynamic library logons. We’re now trying to make use of security for the first time, and to avoid this error:

0020 0379 API: Inconsistent Security Installation

I modified the Broker attributes to now specify:

DEFAULTS = BROKER


SECURITY=YES

However, when I tried to bring up the Natural RPC Server, it dies with this error:

M *** LOGON to Broker ETB103 failed
M 00080002 Access Denied user profile not defined

I thought maybe I needed to also uncomment out this block:

DEFAULTS = SECURITY
CHECK-IP-ADDRESS = NO
ERRTXT-MODULE = NA2MSG1
IGNORE-STOKEN = NO
INCLUDE-CLASS = YES
INCLUDE-NAME = YES
INCLUDE-SERVICE = YES
PROPAGATE-TRUSTED-USERID = NO
SAF-CLASS = NBKSAG
SECURITY-LEVEL = AUTHORIZATION
TRACE-LEVEL = 3
TRUSTED-USERID = NO
UNIVERSAL = NO
WARN-MODE = NO

But now I just get this error:

M *** LOGON to Broker ETB103 failed
M 00080002 Kein Zugriff. Benutzerprofil undefiniert

My Natural RPC Server startup messages show:

M *** Initialize a Natural RPC server at 2017-06-20 10:30:43
M *** with name SRV1
M *** on host CH40
M *** under z/OS 02.01.00
M *** Natural nucleus version : 8.2.6
M *** Natural system file version : 8.2.6.7
M *** Natural RPC version : 8.2.6.3
M *** Highest supported RPC protocol: 2040
M *** SYSIDL version : 8.2.0.0
M *** Natural server library : WS-LIB
M *** Natural server user ID : DBA
M *** Natural server ETID :
M *** Natural security activated : Yes
M *** Logon data required (LOGONRQ) : No
M *** System file settings
M *** FUSER = ( 100 , 17 )
M *** FNAT = ( 100 , 16 )
M *** FSEC = ( 100 , 18 )
M *** Steplib settings
M *** WS-LIB ( 100 , 17 )
M *** OE ( 100 , 17 )
M *** PROD ( 100 , 17 )
M *** SRWEB ( 100 , 17 )
M *** VSSYSTEM ( 100 , 17 )
M *** DBSYSTEM ( 100 , 17 )
M *** SYSIDL ( 100 , 16 )
M *** SYSRPC ( 100 , 16 )
M *** SYSEXT ( 100 , 16 )
M *** SYSLIBS ( 100 , 16 )
M *** SYSTEM ( 100 , 17 )
M *** SYSTEM ( 100 , 16 )
M *** Natural security settings according to RPC server profile
M *** Timestamp related ETID : -
M *** Logon mode : N
M *** Mixed case passwords : N
M *** Domain separator :
M *** Service protection : *
M *** Parameters for transport
M *** Server (SRVNAME): SRV1
M *** Node (SRVNODE): ETB103
M *** User ID (SRVUSER): DBA
M *** Buffer (MAXBUFF): 40775680 bytes
M *** Version (ACIVERS): 9
M *** Code page (CPRPC) : N/A
M *** Retries (SRVRTRY)
M *** number : 0
M *** interval : 60
M *** Wait time (SRVWAIT): 0
M *** Terminate (SRVTERM): NEVER
M EntireX Broker Stub NATETB23 Version=09.10.0.00, Highest API Supported=10
M *** Natural server environment successfully initialized at 10:30:43
M *** LOGON to Broker ETB103 failed
M 00080002 Kein Zugriff. Benutzerprofil undefiniert
MC *** Initialization aborted at 10:30:43

I played around with the default NatRPC NSC profile but it didn’t seem to make any difference. Please advise what I am missing.

Thanks!

-Brian

Hi Brian,

I have the impression that you want to use Natural Security, but you enabled EntireX Security. Please clarify.

Kind regards,
Rolf

Hi Rolf,

I wish to use Natural Security and have a calling client pass in a userid & password that will be validated against NSC. I thought because of the error:

0020 0379 API: Inconsistent Security Installation

…that this would be resolved by turning on EntireX Security.

From your reply, I am guessing EntireX Security is only for RACF (or ACF2 or Top Secret) and not for NSC? And my problem is I am starting the Natural RPC Server with an NSC id that is only defined to NSC and not to RACF?

I can set the attribute parms back to disable EntireX Security then, but how do I then resolve the original error?

The security header parms I have them send are:

<soapenv:Header>
<urn:EntireX>

OE
true
false
******
C360USR
true
</urn:EntireX>
</soapenv:Header>

Would just changing the one:

     <exx-use-security>false</exx-use-security>

…fix this?

-Brian

Hi Brian,
Yes, you should disable EntireX Security in the attribute file and in the XML listener settings.

EntireX Security: all Broker clients and servers have to provide a userid and password, which is then checked by the Broker against the OS security system (RACF in your case).
Natural Security: all RPC clients have to provide an RPC userid and RPC password, which is passed to the Natural RPC Server, which checks this against Natural Security.

Kind regards,
Rolf

I just tried what I was guessing in the HTTP tester in Designer and I seem to have gotten past that initial error.

Now I am getting:

XML Runtime Exception 2000 0087 Internal error. Caused by:java.lang.IllegalArgumentException: WaitTime: wrong argument 180

This seems to come from where in generating the web service, I had them override defaults and entered a Default Wait Time of 180. It doesn’t like that for some reason.

I can fix that for now but it shouldn’t allow the creation of a service that will cause an error.

Thanks,

Brian

Use 180S or 180M - whatever you want.

Ohhhh… I have to specify the S for seconds.

Would be nice if Designer would validate that for me - thanks for catching that!

-Brian
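
An added example, not part of the thread and not Software AG code: a small pre-deployment check in Python for the two problems discussed above. It flags a Broker attribute file and a client header that disagree on EntireX Security (Rolf's advice was to disable it in both places), and a wait time without the `S` or `M` suffix. The sample inputs are constructed, and treating a missing setting as disabled and accepting only the two suffixes named in the thread are assumptions.

```python
import re

# Constructed sample inputs, modelled on the fragments quoted in the thread.
ATTRIBUTE_FILE = """\
DEFAULTS = BROKER
  SECURITY = YES
DEFAULTS = SECURITY
  SECURITY-LEVEL = AUTHORIZATION
"""
SOAP_HEADER = "<urn:EntireX><exx-use-security>false</exx-use-security></urn:EntireX>"

def parse_attributes(text):
    """Return {section: {key: value}} for each 'DEFAULTS = <section>' block."""
    sections, current = {}, None
    for raw in text.splitlines():
        key, _, value = raw.partition("=")
        key, value = key.strip().upper(), value.strip().upper()
        if key == "DEFAULTS":
            current = sections.setdefault(value, {})
        elif key and current is not None:
            current[key] = value
    return sections

def broker_security_enabled(text):
    # Assumption: an absent SECURITY key counts as disabled.
    return parse_attributes(text).get("BROKER", {}).get("SECURITY", "NO") == "YES"

def client_uses_security(header):
    # Assumption: an absent <exx-use-security> element counts as false.
    m = re.search(r"<exx-use-security>\s*(true|false)\s*</exx-use-security>",
                  header, re.IGNORECASE)
    return bool(m) and m.group(1).lower() == "true"

def valid_wait_time(value):
    # Digits followed by a unit: S (seconds) or M, as given in the thread.
    return re.fullmatch(r"\d+[SM]", value.strip(), re.IGNORECASE) is not None

def check(attribute_text, header, wait_time):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    broker = broker_security_enabled(attribute_text)
    client = client_uses_security(header)
    if broker != client:
        findings.append(f"EntireX Security mismatch: broker={broker}, client={client}")
    if not valid_wait_time(wait_time):
        findings.append(f"wait time {wait_time!r} has no unit suffix (S or M)")
    return findings

if __name__ == "__main__":
    for finding in check(ATTRIBUTE_FILE, SOAP_HEADER, "180"):
        print("FINDING:", finding)
```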