User mapping does not work on ACF2 #615

Open
achmelo opened this issue Jun 22, 2023 · 7 comments
Labels
bug Something isn't working new not yet triaged stale-reopen-if-needed An issue closed due to inactivity. No indication of completion or validity.

Comments

@achmelo
Member

achmelo commented Jun 22, 2023

Describe the bug
There are multiple problems when trying to use the user mapping service within ZSS. Documentation does not contain all the necessary commands to allow the Zowe server user to use this service, which results in an IO error:

IO error while writing, errno=0 reason=0    
                Aborting...

Even when the permission issue is overcome, the mapper returns: 8 8 8 An internal error occurred during RACF processing.

Steps to Reproduce

  1. Run Zowe on ACF2
  2. Create certificate or DN mapping
  3. Try to use certificate for authentication

Expected behavior

Screenshots (if needed)

Logs

Describe your environment

  • Zowe version number (Check the Desktop login screen, or manifest.json in the Zowe install folder):
  • Install method (pax, smpe, kubernetes, github clone):
  • Operating system (z/OS, kubernetes, etc) and OS version:
  • Node.js version number (Shown in logs, or via node --version):
  • Java version number (Shown in logs, or via java -version):
  • z/OSMF version:
  • What is the output of log message ZWES1014I:
  • Environment variables in use:

Additional context

@achmelo achmelo added bug Something isn't working new not yet triaged labels Jun 22, 2023
@1000TurquoisePogs
Member

I'm trying to find where such a string shows up. Can you remind me which URL you use to cause this?
I'm guessing the error is between what ZSS is asking ACF2, and what ACF2 is doing. So, in addition to identifying that ZSS code, are you able to share ACF2 logs? Maybe it will explain that we've given invalid input, or are missing yet another permission.

@achmelo
Member Author

achmelo commented Jun 26, 2023

I am calling /certificate/x509/map that uses c/certificateService.c. I still haven't found an ACF2 expert who could help me with system logs. The first error was due to missing permissions; there is something more in ICSF that needs to be done. The second error is probably not because of permissions, as the user had admin access on the system and was allowed to do anything.

@JoeNemo
Contributor

JoeNemo commented Jun 28, 2023

As far as I know, R_usermap is a cross-ESM facility, so any problem would be ACF2-specific. So two questions:

  1. Does ACF2 support R_usermap? (I think it does.)
  2. How does one configure it?

I don't think anyone outside of Broadcom on this squad understands question (2).

@achmelo
Member Author

achmelo commented Jul 4, 2023

We were running tests on ACF2 so at least on certain versions we can say that R_usermap is supported.
To answer the second question, we need to know what services are being used by ZSS. I think that this is not specific to R_usermap, but rather the whole ZSS. It would be good (if possible) to have a list of callable services with any known required permissions. It could make installation more streamlined.

@JoeNemo
Contributor

JoeNemo commented Jul 12, 2023

This seems like a doc issue, but having a list of all permissions required is an interesting and difficult (and probably necessary) project.

@balhar-jakub
Member

Based on what I read in the discussion above, there are certain versions of ACF2 where the mapping works properly and others where it fails with the above-mentioned symptom. Is that the case?

And that this behavior happens after the permissions are correctly set. Without them being properly set, we see other problems.

What are the next steps to get this fixed? Do we need something from the ACF2 team? Or is there some implementation change that needs to happen on the API Mediation Layer side? Or do you need some help with changes here in the ZSS?

Do you know the answers? @JoeNemo @achmelo


github-actions bot commented May 5, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs, but can be reopened if needed. Thank you for your contributions.

@github-actions github-actions bot added the stale-reopen-if-needed An issue closed due to inactivity. No indication of completion or validity. label May 5, 2024