Action: Activate the RACF SURROGAT class and perform the necessary RACF definitions for non-password clients.
The id that CCS Apache Tomcat is running as will need READ access to BPX.SRV.userid. That is documented in the MTC - Content Viewer Security Requirements section of the CA View installation documentation.
Also, even though you may have SECURITY=INIT it's still a good idea to make sure View fix RO99032 is applied.
In this case, a Tomcat upgrade allowed lots more messages to come through, including when logging into Content Viewer. A non-APF authorized module was mentioned. Once APF authorization was accomplished, there was no longer problem.