Content Viewer - Problems accessing repositories, Error CAHVS0262E

Document ID : KB000122947
Last Modified Date : 21/12/2018
Show Technical Document Details
Issue:
We setup Content Viewer for a customer who runs RACF and we are facing some issues. We are able to logon to Content Viewer and the admin part of the webgui works well. It is setup so that it is controlled by RACF and we have been able to setup repositories, but as soon as we try to access a repository to view reports, we are prompted to enter credentials again but get the message Invalid credentials. The same credentials work when logging on to Content Viewer. There are no RACF messages in the task (TOMCATPR), but in the Java log (STDOUT) we see the logon fail. The customer's CA View database is set to SECURITY=INIT.
Why do I get the error,  CAHVS0262E Logon (guid) failed (returnValue -1, returnCode 139, reasonCode 199753946) for user xNNNNNNN?
Cause:
The error is indicated by the message: CAHVS0262E Logon (guid) failed (returnValue -1, returnCode 139, reasonCode 199753946) for user xNNNNNNN

Before Content Viewer can connect to View it needs to make a SAF security call to logon as the user. The CAHVS0262E message reports the result of the SAF call (done via IBM service BPX1TLS). 

Here is the meaning of those values from the IBM documentation: 
- Return code 139 (x'8B') is EPERM which means the operation was not permitted. 
- Reason code 199753946 (x'0BE800DA') is JRSurrogateUndefined which means: 
The RACF SURROGAT class has not been activated or no SURROGAT class profile has been defined for the client.
Resolution:

Action: Activate the RACF SURROGAT class and perform the necessary RACF definitions for non-password clients. 

The id that CCS Apache Tomcat is running as will need READ access to BPX.SRV.userid.  That is documented in the MTC - Content Viewer Security Requirements section of the CA View installation documentation.

Also, even though you may have SECURITY=INIT it's still a good idea to make sure View fix RO99032 is applied.


In this case, a Tomcat upgrade allowed lots more messages to come through, including when logging into Content Viewer. A non-APF authorized module was mentioned. Once APF authorization was accomplished, there was no longer problem.