Troubleshooting

You can't connect to the Okta Gateway or workflow

When you can't connect to the Okta Gateway or workflow, one of the following messages is displayed:

RSO2021E Processing has been aborted as requested by the response header exit.
RC : 262 (x0106)
RSN : 001D0001 - Unknown reason code
SERVICE : 00000007 - HTTP Request
RSO2020E Web Server Response:
RC(404) The requested page or resource was not found
RSO0998I USER TSOUSER1 access denied (OKTA Error) on 06/24/2025 at 12:10:54
Name, Programmer
JOBNAME(JOB1) JOBID(JESJOBID) ASIDX(0001)

Resolution:

Verify that the TOKEN, CONNECTURI and REQUESTURI values in RSOECPRM are correct.

The Okta Gateway doesn't recognize the value resolved by your multifactor authentication identifier (MFAID)

When the Okta Gateway doesn't recognize your MFAID, one of the following messages is displayed:

RSO0991E Authentication Error Response for TSOUSER1
Invalid Okta ID. Please check and try again.
RSO0998I USER TSOUSER1 access denied (OKTA Error) on 06/24/2025 at 12:21:46
Name, Programmer
JOBNAME(JOB1) JOBID(JESJOBID) ASIDX(0001)

Resolution:

Verify that the group or individual user ID has a BMCMFAID custom data field that will resolve to a value recognized by the Okta Gateway.

Important

If you are using a variable value (for example, &WANAME.), make sure that the variable value contains a leading ampersand (&) and a trailing period (.).

The EC for Okta server starts, but no authentication requests are issued

The EC for Okta server might start without any authentication requests in the following scenarios:

The RACF post-processing exit (ICHRIX02) is not enabled. This exit must be in the modifiable link pack area (MLPA) before the RACF startup.
Important
The MLPA program name must be ICHRIX02 from the EC for Okta product library located in the ecoktahlq.RSOLINK product data set.
Resolution:
Verify that ICHRIX02 is in MLPA before the RACF startup. You must customize your SYS1.PARMLIB(IEALPAxx) member and then perform an IPL on the system.
The EC for Okta RACF post-processing dynamic exit (RSORIXEX) has not been added to the dynamic exits table.

Resolution:
1. Issue a F ssid,LISTEXIT command to list the exits in the BMCICHRIX02DYNEX table and their status. If the exit is not present, add it with an operator command.
2. Either issue the SETPROG command either in the z/OS Operator Console or add this command to SYS1.PARMLIB(PROGxx) and IPL. For an example of the SETPROG command, see ecoktahlq.RSOSAMP(EXITADD).
*NONE* or no value is specified in the BMCMFAID custom data field for the group or user ID.

Resolution:
Modify the group or user ID to specify a value for the BMCMFAID custom data field. For examples, see ecoktahlq.RSOSAMP(ALTUSER) or ecoktahlq.RSOSAMP(ALTGROUP)

Your mobile device does not have the Okta application installed, or the Okta application doesn't have the required account defined

When Okta cannot connect to your mobile device or application, one of the following messages is displayed:

RSO0991E Authentication Error Response for TSOUSER1
Okta Verify is not set up for this account. Please configure it to proceed.
RSO0998I USER TSOUSER1 access denied (OKTA Error) on 06/24/2025 at 13:55:23
Name, Programmer
JOBNAME(JOB1) JOBID(JESJOBID) ASIDX(0001)

Resolution:

Contact your Okta Gateway administrator to find out which Okta application and account to install on your mobile device.

On this page