Profile validation - Revoking user when starting IBM Z Open Editor with COBOL sources already opened #465

Open
1 of 5 tasks
FALLAI-Denis opened this issue Dec 20, 2024 · 9 comments
Labels
bug Something isn't working

Comments

@FALLAI-Denis

FALLAI-Denis commented Dec 20, 2024

Development environment used

  • Z Open Editor version: 5.1.0
  • Editor Platform
    • Visual Studio Code
    • Red Hat CodeReady Workspaces
    • Eclipse Che
    • Standalone Theia
  • Editor Platform Version: 1.96.0
  • Operating System: Windows 10 22H2
  • Java Version: Java 17
  • Related to RSE API?
    • RSE API Plugin version:
    • Zowe CLI version:
    • Node.js version:
  • Logs attached: no

Problem Description

We may have identified a new case of RACF revocation of user accounts.

The problem would be related to the presence of editor(s) open on a COBOL source when starting VS Code and that the RACF password was changed before opening VS Code. The case occurred even with only one COBOL editor/source open.

The problems seem to have started with the upgrade to Zowe Explorer 3.x.x / IBM Z Open Editor 5.x.x.
Before this date, password modification management did not pose any particular problem.
Several users have had the same problem, which seems to rule out improper handling.

Observed behavior

  1. VS Code is closed on the user's workstation.
  2. The user changes his RACF password with 3270 emulator.
  3. The user starts VS Code.
  4. The last use of VS Code was made with a Workspace corresponding to a Git repository, and editors on COBOL sources remained open during the previous shutdown of VS Code.
  5. IBM Z Open Editor detects that the password has been changed and asks to change it.
  6. But the requests to retrieve the Copybooks are still launched in parallel.
  7. The password used by IBM Z Open Editor to access the copybooks is not valid, the RACF account is revoked.

The number of parallel requests has its default value: 5.
I analyzed the TSU/IZUFPROC logs, see attachment: CASE465.zip

  • first task launched TSU28549: no access to SYS1.PROCLIB
  • second task launched TSU28550: access to SYS1.PROCLIB occurs at 07:54:15 after the first access to a copybook at 07:50:30, probably when validating the user's password entry in VS Code
  • third task launched TSU28551: no access to SYS1.PROCLIB
  • fourth task launched TSU28552: access to SYS1.PROCLIB occurs at 07:53:34 after the first access to a copybook at 07:50:30, probably when validating the user's password entry in VS Code
  • fifth task launched TSU28553: no access to SYS1.PROCLIB

See also the z/OSMF log and the problem that seems to correspond to the first access to the Copybook.

See also the sequence in which requests are sent for downloading copybooks:

  • from 07:50:30 to 07:53:33: direct access to members, without requesting the list of members
  • at 07:53:33: request for the list of members

I have not been able to reproduce the problem with a well-synchronized password: the password validation by searching the SYS1.PROCLIB file is triggered as expected...

@FALLAI-Denis
Author

FALLAI-Denis commented Dec 20, 2024

PS: IBM Z Open Editor and Zowe Explorer don't use same versions of Zowe SDK modules.

IBM Z Open Editor 5.1.0: use forced versions

"@zowe/core-for-zowe-sdk": "8.0.0",
"@zowe/zos-files-for-zowe-sdk": "8.0.0",
"@zowe/zos-jobs-for-zowe-sdk": "8.0.0",
"@zowe/zos-tso-for-zowe-sdk": "8.0.0",
"@zowe/zos-uss-for-zowe-sdk": "8.0.0",
"@zowe/zos-console-for-zowe-sdk": "8.0.0",
"@zowe/secrets-for-zowe-sdk": "8.0.0",
"@zowe/zowe-explorer-api": "3.0.0",

Zowe Explorer 3.0.3: use min versions

"@zowe/core-for-zowe-sdk": "^8.1.1",
"@zowe/secrets-for-zowe-sdk": "^8.1.0",
"@zowe/zos-files-for-zowe-sdk": "^8.1.1",
"@zowe/zos-jobs-for-zowe-sdk": "^8.1.1",
"@zowe/zosmf-for-zowe-sdk": "^8.1.1",
"@zowe/zowe-explorer-api": "3.0.3",

Some authentication issues seem to have been fixed in Zowe SDK and Zowe Explorer API modules since the release of version 8.0.0 / 3.0.0.

@phaumer phaumer added the bug Something isn't working label Dec 28, 2024
@benjamin-t-santos
Collaborator

Hi @FALLAI-Denis,
I have not been able to reproduce this problem. I have been testing by closing VS Code with a COBOL source open, changing my password externally, and re-opening the same workspace. For me, copybook resolution does not proceed until I update the credentials via the prompt.

I will continue investigating the issue. In the meantime:

  • If one of your users experiences this issue again, try to copy the Z Open Editor output log and attach it to this issue.
  • Attaching the ID of the password prompt would be helpful too (does it match the ID of the prompt in the image attached below?).
Screenshot 2025-01-06 at 4 36 07 PM
  • Can you share the overall structure of your Zowe Team config? It is unlikely that this is the source of the issue, but I can use this information to assess if there is an issue with how Z Open Editor selects a profile for copybook resolution.

@FALLAI-Denis
Author

FALLAI-Denis commented Jan 7, 2025

Hi @benjamin-t-santos,

Hello,

The problem continues to occur and seems to be related to opening a VS Code instance with active COBOL editors while the RACF password has been changed.
The problem does not appear if you open a VS Code instance without an active COBOL editor even if the same RACF password has been changed.

We use a zowe.config.json file in the root folder of the workspace, (in fact the zowe.config.json file is included in the Git repository that constitutes the workspace).

The workspace uses local copybooks and remote copybooks.

Z Open Editor does report the password problem, (ID CRRZG533E).
Since the RACF account is revoked, changing the password from VS Code triggers a second error, (no message ID).

Not being able to change the password, (because the user is revoked), keeps looping and you have to kill the VS Code instance to regain control.

Attached is the context of a new problem that occurred today (twice for the same user):

  • Z Open Editor log
  • Zowe log
  • zowe.config.json file
  • zapp.yaml file
  • workspace settings.json file
  • popup screenshots for errors

case465.zip

Procedure used to successfully pass the RACF account lock:

  1. Close all VS Code instances
  2. Reset the RACF password
  3. Disconnect the PC network connection
  4. Open a VS Code workspace
  5. Close the editor windows
  6. Reconnect the PC network connection
  7. Force the renewal of the Zowe z/OSMF profile password (by command palette)
  8. From there it becomes possible to work on a COBOL editor

Thanks.

@benjamin-t-santos
Collaborator

Thank you for the updated info.
I found an issue that was filed a month ago against Zowe Explorer: zowe/zowe-explorer-vscode#3360. While not the same situation as you, the user also gets stuck in the credential prompt loop (which stems from Zowe Explorer, hence the prompt not having an ID). I will investigate how this might be related to what you are describing.

@benjamin-t-santos
Collaborator

The issue has been identified and we are working on a fix.

@FALLAI-Denis
Author

Hi @benjamin-t-santos,

Would it be possible to have some information on the problem identified in order to see if we can offer a temporary solution to our users? (the number of cases is increasing and the discontent is starting to be heard).

I got new information from our users: they start several instances of VS Code on different workspaces but all with COBOL sources and therefore as many attempts to access z/OS and validate the RACF account...

If the password must be changed then each VS Code instance will send requests to z/OS and each will make a 401 error and (for us) the 4th will revoke the RACF account...

Thank you for your efforts in resolving this issue.

@FALLAI-Denis
Author

> Thank you for the updated info. I found an issue that was filed a month ago against Zowe Explorer: zowe/zowe-explorer-vscode#3360. While not the same situation as you, the user also gets stuck in the credential prompt loop (which stems from Zowe Explorer, hence the prompt not having an ID). I will investigate how this might be related to what you are describing.

FYI: we use "autoStore": true

@benjamin-t-santos
Collaborator

Before resolving copy statements, Z Open Editor tries to list the SYS1.PROCLIB to ensure a connection can be made to the host. We currently aren't planning to change this behavior in the fix for this issue.

If several instances of VS Code are opened, then this connection test will be performed multiple times. It sounds like, based on your team, if this happens four times the RACF account is revoked. So in your case, opening more than three VS Code instances with open COBOL sources will be problematic.

The bug we are fixing is copybook requests proceeding even if the user gets a 401. You can get around this for now by clicking 'Cancel' on the update credentials prompt presented by Z Open Editor (ID CRRZG5330E). You can then update the credentials of the profile using the Zowe Explorer views, and try copybook resolution again with valid credentials. Do not update them using the prompt modal (that is part of the bug)
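
The behaviour described in the comment above, as an added sketch that is not part of the thread and is not Z Open Editor or Zowe code: a single connection probe that latches on 401 keeps parallel copybook requests from spending the account's failed-logon allowance, while probes from several editor instances still add up. `SimulatedHost`, `CredentialGate`, the passwords, the member names and the threshold of 4 (taken from the reporter's description) are constructed assumptions.

```typescript
// Constructed model, not product code: host revokes after `revokeAfter` consecutive bad passwords.
class SimulatedHost {
  failures = 0;
  revoked = false;
  password: string;
  revokeAfter: number;
  constructor(password: string, revokeAfter: number) {
    this.password = password;
    this.revokeAfter = revokeAfter;
  }
  request(password: string): number {
    if (this.revoked) return 401; // revoked: even the right password fails
    if (password === this.password) { this.failures = 0; return 200; }
    if (++this.failures >= this.revokeAfter) this.revoked = true;
    return 401;
  }
}

// Fan-out with no gate: a whole batch is sent before any status is inspected.
function unguardedResolve(host: SimulatedHost, stored: string, members: string[], parallel: number): string[] {
  const resolved: string[] = [];
  for (let i = 0; i < members.length; i += parallel) {
    const batch = members.slice(i, i + parallel);
    const statuses = batch.map(() => host.request(stored));
    if (statuses.some((s) => s === 401)) break;
    resolved.push(...batch);
  }
  return resolved;
}

// Gate: one probe first; a 401 latches until credentials are replaced.
class CredentialGate {
  blocked = false;
  host: SimulatedHost;
  stored: string;
  constructor(host: SimulatedHost, stored: string) { this.host = host; this.stored = stored; }
  resolve(members: string[], parallel: number): string[] {
    if (this.blocked) return []; // no host traffic while latched
    if (this.host.request(this.stored) !== 200) { this.blocked = true; return []; }
    return unguardedResolve(this.host, this.stored, members, parallel);
  }
  updateCredentials(password: string): void { this.stored = password; this.blocked = false; }
}

// Each editor instance has its own gate, so probes from several instances add up.
function revokedAfterInstances(instances: number, revokeAfter: number): boolean {
  const host = new SimulatedHost("new-pw", revokeAfter);
  for (let i = 0; i < instances; i++) new CredentialGate(host, "old-pw").resolve(["CPY1"], 5);
  return host.revoked;
}
```

With five requests in flight and a threshold of four, the ungated fan-out revokes the account in its first batch; the gated path costs one failed attempt per instance until the stored credentials are replaced.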

@benjamin-t-santos
Collaborator

@FALLAI-Denis quick question

> I got new information from our users: they start several instances of VS Code on different workspaces but all with COBOL sources and therefore as many attempts to access z/OS and validate the RACF account...

Was this something your users were doing before Z Open Editor v5.x.x? If yes, did they experience issues with account revocation when opening >3 VS Code instances with COBOL sources?

Based on how Z Open Editor performs connection tests before copybook resolution, I would expect your user's accounts to be revoked when >3 instances are opened with outdated credentials. If this was not an issue in previous versions, however, then I need to investigate potential regressions with v5.x.x.
