Getting 403 Access Denied when trying to access the Tomcat manager application using the SAF Realm.
Followed the documented steps in Section 4 in http://dovetail.com/docs/tomcat/tz-doc.pdf
From the Tomcat logs directory:
- - [15/Nov/2019:12:03:37 -0600] "GET / HTTP/1.1" 200 7857
- - [15/Nov/2019:12:03:37 -0600] "GET /tomcat.gif HTTP/1.1" 200 2066
- - [15/Nov/2019:12:03:37 -0600] "GET /asf-logo-wide.gif HTTP/1.1" 200 5866
- - [15/Nov/2019:12:03:37 -0600] "GET /tomcat-power.gif HTTP/1.1" 200 2376
- - [15/Nov/2019:12:03:37 -0600] "GET /favicon.ico HTTP/1.1" 200 21630
- - [15/Nov/2019:12:03:42 -0600] "GET /manager/html HTTP/1.1" 401 2473
- XXXXXXXX [15/Nov/2019:12:03:55 -0600] "GET /manager/html HTTP/1.1" 403 3195
No messages in the z/OS job log or the system log.
I was able to see a RACF ICH408I invalid password message after testing with a bad password.
Running Tomcat as a batch job on z/OS v2.3 using Java8 64-bit.
RACF:
PERMIT EJBROLE TCAT.DEV.MANAGER ID(XXXXXXXX) ACCESS(READ)
Tomcat SAFROLES:
<!-- The manager role is used by the Tomcat manager webapp -->
<role rolename="admin-gui"
safclass="EJBROLE" safentity="TCAT.DEV.MANAGER" saflevel="READ"/>
<role rolename="admin-script"
safclass="EJBROLE" safentity="TCAT.DEV.MANAGER" saflevel="READ"/>
<role rolename="manager-gui"
safclass="EJBROLE" safentity="TCAT.DEV.MANAGER" saflevel="READ"/>
<role rolename="manager-script"
safclass="EJBROLE" safentity="TCAT.DEV.MANAGER" saflevel="READ"/>
<role rolename="manager-jmx"
safclass="EJBROLE" safentity="TCAT.DEV.MANAGER" saflevel="READ"/>
<role rolename="manager-status"
safclass="EJBROLE" safentity="TCAT.DEV.MANAGER" saflevel="READ"/>
Any suggestions?
Thanks.
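
An added triage example, not part of the original post: it reads access-log lines shaped like the excerpt above and separates authentication failures (401, no user logged) from authorization failures (403 with a user ID logged, meaning the login succeeded and the role or constraint check refused the request). The regex assumes Tomcat's `common` access-log pattern; the function names and sample lines are constructed for illustration.

```python
import re

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b.
# The host field is optional because the excerpt in the post has it stripped.
LINE = re.compile(
    r'^(?:(?P<host>\S+) )?(?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

def verdict(status, user):
    """Map an HTTP status plus the %u field to the stage that rejected the request."""
    if status == 401:
        return "authentication: no principal established (challenge or rejected credentials)"
    if status == 403 and user != "-":
        return "authorization: user authenticated but failed the role/constraint check"
    if status == 403:
        return "denied with no authenticated user"
    return "ok" if status < 400 else "other error"

def triage(lines):
    """Return (user, path, status, verdict) for every 401/403 entry, in log order."""
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the common format
        status = int(m["status"])
        if status in (401, 403):
            findings.append((m["user"], m["path"], status, verdict(status, m["user"])))
    return findings

def authz_denied_users(lines):
    """Users who logged in successfully and were then refused, keyed by path."""
    denied = {}
    for user, path, status, _ in triage(lines):
        if status == 403 and user != "-":
            denied.setdefault(path, set()).add(user)
    return denied

# Constructed sample: shaped like the excerpt in the post, plus one line with a host field.
SAMPLE = [
    '- - [15/Nov/2019:12:03:37 -0600] "GET / HTTP/1.1" 200 7857',
    '- - [15/Nov/2019:12:03:42 -0600] "GET /manager/html HTTP/1.1" 401 2473',
    '- XXXXXXXX [15/Nov/2019:12:03:55 -0600] "GET /manager/html HTTP/1.1" 403 3195',
    '192.0.2.10 - - [15/Nov/2019:12:04:10 -0600] "GET /manager/status HTTP/1.1" 401 2473',
]

if __name__ == "__main__":
    for user, path, status, why in triage(SAMPLE):
        print(f"{status} {path} user={user}: {why}")
```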