Problem | This message indicates that an error occurred while creating a vault instance during initialization of the server. |
User response | The problem may be due to security not being enabled. Either enable security or report the problem. |
Problem | This exception is unexpected. The cause is not immediately known. |
User response | If the problem persists, see problem determination information on the WebSphere Application Server Support page at http://www.ibm.com/software/webservers/appserv/was/support/. |
Problem | This message indicates an internal error occurred while trying to create an instance of LoginHelperImpl. |
User response | The problem may be an out of memory error. Restart the server machine and try again. |
Problem | This message indicates that a reference to the ORB was null. |
User response | The problem may be an out of memory error. Restart the server machine and try again. |
Problem | An internal exception occurred. In all likelihood your server key ring is invalid, does not contain a server certificate, or can't be found. |
User response | Check the SSL configuration to ensure that the SSL keyStore and trustStore properties are set properly. Ensure that the keystore has at least one personal certificate and that the signer for the personal certificate is added to the truststore. Attempt loading the keystore and truststore into WebSphere's IKeyMan and ensure that the file type specified in the configuration (usually JKS) is the correct file type. Make sure the password specified for the keystore and truststore is valid. Use the same password for both keystore and truststore. |
Problem | An internal exception occurred. The probable cause is that a data string processed by the ORB (such as the server's realm/name) contains characters that are not consistent with the code pages supported by the ORB. |
User response | Check the security configuration files to ensure that data strings contain only characters from code pages that are supported by the ORB. |
Problem | This message indicates an internal error occurred while trying to access Current via resolve_initial_references. |
User response | Check to ensure the correct Java class files are in the program classpath. Make sure you are not using the wrong version of SAS.JAR. |
Problem | The outcome of init_security_context is failure. Any reason for a secure association failure with the target server could cause this error. There are times when this is benign such as for method invocations that do not require security. |
User response | Check to ensure the userid/password is valid. Restart the client and retry the operation. |
Problem | The authentication target is not of the type BasicAuth, LocalOS or LTPA. Sometimes only LocalOS or LTPA are valid authentication targets for certain methods. |
User response | Verify that the security configuration has a valid authentication target selected. |
Problem | The credential token is null, expired, or has been tampered with. Since the token is digitally signed, any modification of the bytes in the token will not verify. Typically this error is due to a null token, however. |
User response | Retry the operation after a few minutes. If using request_login for Domino, ensure that Domino/WebSphere SSO is set up correctly. |
Problem | The credential token is null, expired, or has been tampered with. Since the token is digitally signed, any modification of the bytes in the token will not verify. Typically this error is due to a null token, however. |
User response | Retry the operation after a few minutes. If using request_login for Domino, ensure that Domino/WebSphere SSO is set up correctly. |
Problem | This error could occur for one of the following reasons: the credential is null, the credential is not a subtype of org.omg.SecurityLevel2.Credentials, the credential has been marked invalid during a failed login attempt, or while the security server was unavailable. |
User response | Retry the operation. Ensure the program is creating the credential properly before setting it as the invocation credential. You may need to restart the client or server which has the invalid credential. |
Problem | This indicates that the building of the security context failed. Typically the reasons for this are: cannot find the session in the session table, a TCP/IP connection is made instead of an SSL connection, or a Java runtime exception occurred. |
User response | Occasionally, problems with the client and/or server configuration are responsible for these errors. Often it's related to SSL connections not being created. This could be due to invalid settings in the security configuration. The SAS.JAR may not be specified in the classpath or is not the same version as the server. The JDK you are using must also have the JSSE extension classes in the /java/jre/lib/ext directory. The java.security file must include the IBMJCE provider. |
Problem | An attempt to communicate with the server failed. The server may be down or the host and port is incorrect. |
User response | Retry the client program after a few minutes wait. |
Problem | An attempt to establish a secure association with the server failed with a NO_PERMISSION. |
User response | Retry the client program after a few minutes wait. Ensure that the client program is using the correct version of SAS.JAR in the classpath. |
Problem | The target security retrieved from a security tagged component in the IOR is null. |
User response | Verify that the principalName specified in the server configuration is valid. |
Problem | This indicates that the credentials object being passed to current are not SAS credentials but of some other type or no type was specified. |
User response | Ensure that the client program is correctly following the CORBA programming model. Also, verify that the correct version of SAS.JAR is in the client classpath. |
Problem | A problem occurred while trying to obtain the security context object while adding a new security session. This typically occurs while the client is trying to login. |
User response | Try to review the client security configuration file (sas.client.props). If recent changes have been made you may want to undo these changes. |
Problem | This indicates that the client credentials were marked invalid at some point. Some of the reasons they could be marked invalid are: credential token expired, userid/password invalid, security server unavailable so unable to verify the user information. |
User response | Restart the client so that it logs in with new credentials. Once client credentials are marked invalid, they must be thrown away and new ones created. |
Problem | This error indicates that the session key used to lookup the session in the session table has not been found in the session table. This is typically a side effect of another problem such as an invalid credential or a security service is unavailable. |
User response | Retry the operation. If the error repeats itself, restart the client program. Check the client properties to ensure the login information is correct. |
Problem | An attempt to access a security session from the session tables on either the client or the server has failed. This error is typically a side effect of another problem. The session probably has already been deleted or has never been added. |
User response | Check to see if a server process has terminated just prior to receiving these errors. If a process has terminated, restart the process and retry the operation. Verify that the client userid/password is valid. If the login fails, the session will be deleted on the client side and the credentials will be marked invalid. If a retry occurs, you will likely see this error. Restart the client program after verifying the login info. |
Problem | The problem is typically related to the configuration. |
User response | Check security configuration to ensure that the authenticationTarget is set properly. |
Problem | Trying to validate a BasicAuth token which consists of just a userid and password. This should be authenticated not validated. |
User response | Check the client code to ensure it's not calling validate incorrectly. Resubmit the request after waiting a few minutes. |
Problem | Trying to authenticate a BasicAuth token which consists of just a userid and password in either the LTPA or LocalOS PrincipalAuthenticator. |
User response | Check the client code to ensure it's not calling the wrong principal authenticator. Resubmit the request after waiting a few minutes. |
Problem | The userid passed into authenticate was null or invalid. |
User response | Verify the information used to login. Retry the operation with a valid userid. If a properties login is performed, check the properties file to ensure a userid has been set. |
Problem | The userid and/or password passed into authenticate was null. |
User response | Verify the information used to login. Retry the operation with a valid userid and password. If a properties login is performed, check the properties file to ensure a userid and password have been set. |
Problem | The security server cannot be located. Ensure that wssec.jar is located in the classpath. |
User response | The probable cause for this problem is that the class com.ibm.WebSphereSecurityImpl.SecurityServerImpl cannot be located. This is typically in the wssec.jar file. |
Problem | The attempt to authenticate the client has been rejected. Most of the time this is due to an invalid userid/password. Some of the time this is due to a security server being unavailable. |
User response | Check your userid/password to verify the correctness. Retry the operation after a few minutes. |
Problem | Attempting a remote invocation over IIOP using the SWAM authentication mechanism is not supported. |
User response | Retry with the LTPA authentication mechanism configured in Global Security. |
Problem | The credential token associated with the user credential has expired. This typically occurs with LTPA. |
User response | Close the client and login again. |
Problem | The native registry exceptions do not flow to a pure client for security reasons. If your environment is protected, you may enable this feature. |
User response | Set the property "com.ibm.websphere.security.registry.propagateExceptionsToClient=true" from the server's AdminConsole menu: Security -> Global Security -> Custom Properties. |
Problem | This exception is unexpected. The cause is not immediately known. |
User response | If the problem persists, see problem determination information on the WebSphere Application Server Support page at http://www.ibm.com/software/webservers/appserv/was/support/. |
Problem | This message indicates that the attempt at authenticating failed. |
User response | Verify the userid/password is correct. Check the properties file to ensure the login source is valid. If this error occurs on the server, check the server properties to ensure the principalName has a valid realm and userid. |
Problem | This message indicates that the LocalOS credential is trying to access a resource on a node other than the one it was authenticated on. |
User response | Check the user code to determine if there's a naming lookup to another node or an EJB access to another node. |
Problem | The message from the server has been corrupted. This could be due to message tampering or just a power spike causing bytes to get jumbled. |
User response | Retry the operation. You might want to contact your network administrator to see if any network problems occurred during the time of the errors. |
Problem | A message type sent from the server to the client is not a valid message type. Typically this occurs when the server throws an exception during the processing of a request. Typically, the request has not completed. |
User response | Retry the operation after a few minutes. If the problem persists, there should be messages on the server system which may give a better indication of what the problem is. Further tracing on the server may be necessary. |
Problem | A security attribute is a value stored in the credential object such as userid or groupid. Either the type trying to be accessed is not a valid credential attribute type or the attribute being accessed is null. |
User response | Verify the program to ensure that the attribute being accessed is a valid credential attribute. You may need to contact your system administrator to verify that all of the attributes you need have been set in the user registry. |
Problem | The connection type was not SSL, but rather some other type of connection, likely TCP/IP. |
User response | Ensure that the security configuration has the SSL keyStore and trustStore properties specified, and that the keystore file has valid, non-expired certificates. |
Problem | The communication direction passed into get_security_features currently only supports org.omg.Security.CommunicationDirection._SecDirectionBoth. |
User response | Ensure the call to get_security_features passes in org.omg.Security.CommunicationDirection._SecDirectionBoth. |
Problem | A security attribute is a value stored in the credential object such as userid or groupid. Either the type trying to be accessed is not a valid credential attribute type or the attribute being accessed is null. |
User response | Verify the program to ensure that the attribute being accessed is a valid credential attribute. You may need to contact your system administrator to verify that all of the attributes you need have been set in the user registry. |
Problem | This error indicates that the same attribute in the credential object is being accessed more than once for a single get_attributes call. |
User response | Verify the program to ensure that the same attribute is not trying to be retrieved more than once at the same time. |
Problem | While calling set_attributes on the credential, the attribute list is null. |
User response | Verify that the list of attributes that is trying to be set is not null. Retry the operation. |
Problem | While calling set_attributes on the credential, the attribute list contains a type which is null. |
User response | Verify that the list of attributes that is trying to be set does not contain a null attribute. Retry the operation. |
Problem | While calling set_attributes on the credential, the attribute list contains a type which is null. |
User response | Verify that the list of attributes that is trying to be set does not contain a null attribute. Retry the operation. |
Problem | A Java I/O exception occurred while trying to close the keyfile. |
User response | Processing should continue. |
Problem | The option specified in standardClaimQOPModels is not valid. Valid options include Authenticity, Integrity, Confidentiality, and Advanced. |
User response | Correct the value specified on the standardClaimQOPModels property if you do not want to use Confidentiality. |
Problem | Valid delegateCredentials property values include None, Simple, Scoped, Traced, and MethodDefined. |
User response | Correct the value specified on the delegateCredentials property. The default is None. |
Problem | The valid range is 0 - 600. |
User response | Correct the value so that it falls between 0 and 600 specified in seconds. |
Problem | The value entered could not be represented as an integer number. |
User response | Correct the value specified in the property so that it is an integer number. |
Problem | The option specified in standardPerformQOPModels is not valid. Valid options include Authenticity, Integrity, Confidentiality, and Advanced. |
User response | Correct the value specified on the standardPerformQOPModels property if you do not want to use Confidentiality. |
Problem | The valid range for SSLCredentialsTimeout property is 0 through 364 days specified in seconds. |
User response | Correct the value specified in the property so that it is in the valid range. |
Problem | The value entered could not be represented as an integer number. |
User response | Correct the value specified in the property so that it is an integer number. |
Problem | The value entered could not be represented as an integer number. |
User response | Correct the value specified in the property so that it is an integer number. |
Problem | The valid range for SSLV3SessionTimeout is 0 through 1 day specified in seconds. |
User response | Correct the value specified so that it is within the valid range. |
Problem | The value entered could not be represented as an integer number. |
User response | Correct the value specified in the property so that it is an integer number. |
Problem | A Java runtime exception occurred while processing the security configuration. |
User response | Verify the data entered in the security configuration is valid. |
Problem | Based on the verification level which determines how tightly to verify the configuration, it has been determined that the configuration is not consistent. The verification levels are Completeness, Consistency, PassivelyCorrect and ActivelyCorrect. The default for com.ibm.CORBA.verificationLevel is Consistency. |
User response | If you get this error, other errors will have preceded it which describe the problems with the configuration. |
Problem | Based on the verification level which determines how tightly to verify the configuration, it has been determined that the configuration is not consistent. The verification levels are Completeness, Consistency, PassivelyCorrect and ActivelyCorrect. The default for com.ibm.CORBA.verificationLevel is Consistency. |
User response | If you get this error, other errors will have preceded it which describe the problems with the configuration. |
Problem | Based on the verification level which determines how tightly to verify the configuration, it has been determined that the configuration is not consistent. The verification levels are Completeness, Consistency, PassivelyCorrect and ActivelyCorrect. The default for com.ibm.CORBA.verificationLevel is Consistency. |
User response | If you get this error, other errors will have preceded it which describe the problems with the configuration. |
Problem | The verification results are: Unknown (-1), Success (0), ConfigIncomplete (1), ConfigInconsistent (2), and ConfigWrong (3). |
User response | If you get anything other than 0, you will have preceding messages which describe the specific problem. |
Problem | This indicates that the security configuration has not been processed. |
User response | Ensure that the security configuration is complete and in the location specified by the com.ibm.CORBA.ConfigURL. This location is typically WASROOT/properties. |
Problem | At least one of the following association options must be set: DCEClientAssociationEnabled, DCEServerAssociationEnabled, SSLTypeIClientAssociationEnabled, SSLTypeIServerAssociationEnabled, LTPAClientAssociationEnabled, LTPAServerAssociationEnabled, LocalOSClientAssociationEnabled, LocalOSServerAssociationEnabled. |
User response | Ensure that at least one of these association options is set. |
Problem | A verification result of ConfigIncomplete (1) has been returned. |
User response | A preceding message will likely tell you the exact reason why it is incomplete. The likely reasons are no Bootstrap Repository location, no association options selected, or the configuration has not been initialized. |
Problem | The verification results are: Unknown (-1), Success (0), ConfigIncomplete (1), ConfigInconsistent (2), and ConfigWrong (3). |
User response | If you get anything other than 0, you will have preceding messages which describe the specific problem. |
Problem | This indicates an inconsistency in the configuration because a login source of properties needs to have a userid and password specified. |
User response | Specify a userid on com.ibm.CORBA.loginUserid and password on com.ibm.CORBA.loginPassword if you intend to use the login source of properties. |
Problem | This indicates an inconsistency in the configuration because a login source of KeyTable needs to have a KeyTable file specified. |
User response | Specify a KeyTable file on com.ibm.CORBA.keytabFileName if you intend to use the login source of KeyTable. |
Problem | The property com.ibm.CORBA.standardPerformQOPModels is set to advanced; however, the following properties are set inconsistently: performClientAuthentication, performServerAuthentication, performMessageReplayDetection, performMessageOutOfSequenceDetection, performMessageIntegrity, and performMessageConfidentiality. |
User response | Verify that the above properties are consistent. |
Problem | The property com.ibm.CORBA.standardClaimQOPModels is set to advanced; however, the following properties are set inconsistently: performClientAuthentication, performServerAuthentication, performMessageReplayDetection, performMessageOutOfSequenceDetection, performMessageIntegrity, and performMessageConfidentiality. |
User response | Verify that the above properties are consistent. |
Problem | This error occurs when there are dependencies between two configuration options and one of the dependencies is not met. For example, if SSL is configured but the keystore file is not. |
User response | The exact reason of the inconsistency will be explained in a preceding message. |
Problem | The verification results are: Unknown (-1), Success (0), ConfigIncomplete (1), ConfigInconsistent (2), and ConfigWrong (3). |
User response | If you get anything other than 0, you will have preceding messages which describe the specific problem. |
Problem | The verification results are: Unknown (-1), Success (0), ConfigIncomplete (1), ConfigInconsistent (2), and ConfigWrong (3). |
User response | If you get anything other than 0, you will have preceding messages which describe the specific problem. |
Problem | The property com.ibm.CORBA.performClientAuthentication is set, however, one of the following is not set: SSLTypeIServerAssociationEnabled, SSLTypeIIServerAssociationEnabled, LTPAServerAssociationEnabled, or LocalOSServerAssociationEnabled. |
User response | Ensure that at least one of the server association properties is set to true. |
Problem | The invalid flag on the credential object has been set to true. Typically this is due to the credential being rejected by the server when trying to authenticate. A NO_PERMISSION exception has likely been thrown by the server. |
User response | Login again to get new credentials. Sometimes it is necessary to restart the client and/or server to ensure that you are using new credentials. Once credentials are marked invalid, they cannot become valid again. |
Problem | This error indicates that the client or server configuration properties are not valid or are conflicting. Some properties cannot be set together and still be valid. |
User response | Try to review the client or server security configuration files. If recent changes have been made you may want to undo these changes. |
Problem | While parsing the tagged component, a SystemException occurred. |
User response | Ensure that the server version you are trying to connect to is supported. Make sure the SAS.JAR you are using on the client side is compatible with that of the server. |
Problem | This indicates that the name passed into "resolve_initial_references" in the program is invalid or has not yet been registered. |
User response | Verify that security is enabled in the client/server configuration (com.ibm.CORBA.securityEnabled=true). Check the client program to ensure that a valid name is passed into "resolve_initial_references". |
Problem | On the server side, there must be a set of received credentials when communicating over SSL and Mutual Authentication is enabled. Without the received credentials the server will throw a NO_PERMISSION exception. |
User response | Verify that the client set the credentials properly before invoking the request. Ensure that the correct userid/password was specified when logging in. |
Problem | The message type ASSOC_ACCEPT should not be received at the target server. This might occur due to an exception that occurred on the client which caused a mixup. |
User response | Retry the operation after a few minutes. Check the client configuration to ensure there's nothing out of the ordinary that might be causing an exception to occur. |
Problem | The message type ASSOC_REJECT should not be received at the target server. This might occur due to an exception that occurred on the client which caused a mixup. |
User response | Retry the operation after a few minutes. Check the client configuration to ensure there's nothing out of the ordinary that might be causing an exception to occur. |
Problem | The key used to find the security context is invalid. |
User response | Ensure that the correct SAS.JAR is in the server and client classpath. There might be a mismatch between these files on the client and the server. |
Problem | The host name could not be converted to a dotted IP address. |
User response | An attempt will be made to use the host name; however, if this fails you will need to take action. Contact your network administrator to ensure that the hostname and IP address that you have configured on the server are valid. |
Problem | This indicates that the port specified in the server connection data is 0. |
User response | Check the configuration to ensure there is not a property which inadvertently sets the port to one that is already in use. Stop the server and wait for about 2 minutes before restarting the server so that all ports that were in use will be released. |
Problem | The SecurityTaggedComponentAssistorImpl.class file in the SAS.JAR is not valid. |
User response | Check to ensure you have the same version of SAS.JAR as the server. Check the dates of the file on the server to ensure they match the dates of other JAR files on the server in case a mismatch has occurred. |
Problem | While parsing the tagged component, a SystemException occurred. |
User response | Ensure that the server version you are trying to connect to is supported. Make sure the SAS.JAR you are using on the client side is compatible with that of the server. |
Problem | This indicates that a client is trying to establish a secure association with the server but failed to authenticate. |
User response | Have the client verify that the userid/password specified during login is valid. |
Problem | The public security name is the client's userid. In this case, a userid was not specified. |
User response | The client should specify a userid and password in most cases in order to get authenticated. |
Problem | This error typically occurs when adding a security session on the client or server. |
User response | Try to review the client or server security configuration files. If recent changes have been made you may want to undo these changes. |
Problem | The server credentials could not be found. |
User response | Check the security configuration for com.ibm.CORBA.PrincipalName, com.ibm.CORBA.LoginUserid, and com.ibm.CORBA.LoginPassword properties to ensure they are valid. For the com.ibm.CORBA.PrincipalName, ensure the correct realm is specified in front of the userid (realm/userid). |
Problem | This indicates that a login failed on the server. |
User response | Check the security configuration for com.ibm.CORBA.PrincipalName, com.ibm.CORBA.UserID, and com.ibm.CORBA.Password properties to ensure they are valid. For the com.ibm.CORBA.PrincipalName, ensure the correct realm is specified in front of the userid (realm/userid). |
Problem | A certificate is expired in the keystore. |
User response | Open the keystore and validate the expiration dates on all certificates in the keystore. Remove any expired certs. |
Problem | A certificate is about to expire in the keystore. |
User response | Open the keystore and validate the expiration dates on all certificates in the keystore. Prepare to generate new certificates, if necessary. |
Problem | The credential token is null, expired, or has been tampered with. Since the token is digitally signed, any modification of the bytes in the token will not verify. Typically this error is due to a null token, however. |
User response | Retry the operation after a few minutes. If using request_login for Domino, ensure that Domino/WebSphere SSO is set up correctly. |
Problem | An error occurred while opening the file pointed to by the bootstrapRepositoryLocation property. |
User response | Check the property bootstrapRepositoryLocation in the security configuration to be sure it points to a valid filename and location. If the path is correct, rename the file so that a new file can be created. |
Problem | The file pointed to by BootstrapRepositoryLocation in the security configuration has been corrupted. |
User response | Stop the adminserver, rename this file to anything else, restart your adminserver and the file should get recreated. Try running "java com.ibm.ISecurityUtilityImpl.BootstrapRepository %WAS_ROOT%/etc/secbootstrap" to see if it can be read. Make sure %WAS_ROOT% points to the correct WebSphere install path. |
Problem | The file pointed to by BootstrapRepositoryLocation in the security configuration has been corrupted. |
User response | Stop the adminserver, rename this file to anything else, restart your adminserver and the file should get recreated. Try running "java com.ibm.ISecurityUtilityImpl.BootstrapRepository %WAS_ROOT%/etc/secbootstrap" to see if it can be read. Make sure %WAS_ROOT% points to the correct WebSphere install path. |
Problem | This indicates that security for this ORB has already been initialized and an attempt to initialize it again is occurring. |
User response | The ServiceInit (the call that enables security) will return immediately without reinitializing the security. |
Problem | A Java InputStream read error occurred. |
User response | Retry the operation. |
Problem | The server's host address is null as read from the IOR which the server exported. |
User response | Make sure the version of SAS.JAR is valid for the WebSphere release you are running. Restart the server and try the operation again. |
Problem | Specific values in the IOR that should exist were null. This usually indicates that an exception occurred while trying to read them or there is an interoperability problem with another version of the server. |
User response | Ensure that the client version you are using is supported by the server. Check the SAS.JAR date and size and verify it is the same as that of the server. Check the classpath to ensure it includes the correct version of SAS.JAR. |
Problem | The valid range for the requestCredsExpiration property is 10 minutes through 364 days. |
User response | Correct the value specified in the requestCredsExpiration property so that it is within the valid range. |
Problem | The property com.ibm.CORBA.requestCredsExpiration is smaller than the property com.ibm.CORBA.requestTimeout. The default for com.ibm.CORBA.requestCredsExpiration is infinite (this has no bearing on the LTPA token timeout). The default for com.ibm.CORBA.requestTimeout is 180 seconds. |
User response | If you are setting these properties explicitly, ensure that requestTimeout is smaller than requestCredsExpiration. |
Problem | The security mechanism is not a valid mechanism as defined in the mechanism factory. |
User response | Check the security configuration to ensure the properties are set correctly. Retry the operation. |
Problem | The value passed into the is_valid method is negative. |
User response | Check to ensure the value passed into is_valid is not negative. |
Problem | The credential object passed to the server is not a type which the server supports. |
User response | Ensure that the client authentication target in the client properties is set to a value that the server supports. |
Problem | This error occurs if the credential is null, the credential is not a subtype of org.omg.SecurityLevel2.Credentials, or the credential has been marked invalid during a failed login attempt or while the security server was unavailable. |
User response | Retry the operation. Ensure the program is creating the credential properly before setting it as the invocation credential. You may need to restart the client or server which has the invalid credential. |
Problem | A Java runtime exception occurred while a thread was trying to sleep for a specified number of seconds. |
User response | Restart the server. |
Problem | The keyfile entry to the specified realm and security name was not found in the keyfile. |
User response | Ensure that the property com.ibm.ssl.keyStoreFile is pointing to a keyfile which contains the realm and security name which you are looking for. |
Problem | A Java runtime exception occurred while decoding the loginPassword property. |
User response | Retype the password on the loginPassword property and restart the program. |
Problem | A Java runtime exception occurred while decoding the keystore password property. |
User response | Retype the password on the keystore password property and restart the program. |
Problem | A Java runtime exception occurred while decoding the truststore password property. |
User response | Retype the password on the com.ibm. property and restart the program. |
Problem | This is typically a problem in the ORB. |
User response | Make sure an orb.properties file exists in the java/jre/lib directory. |
Problem | The configuration does not allow for an anonymous identity token. |
User response | Make sure the client gets prompted and enters valid credentials. |
Problem | The type of credential is not one that is supported for Identity Assertion. |
User response | Review the client configuration, specifically the authenticationTarget, to ensure it contains a supported value. |
Problem | The server does not support certificate based credentials. |
User response | In order to communicate with this downstream server using Identity Assertion, the originating client should try a different authentication mechanism such as BasicAuth. |
Problem | The server does not support principal based credentials. |
User response | In order to communicate with this downstream server using Identity Assertion, the originating client should try a different authentication mechanism such as SSL client certificates. |
Problem | The server does not support distinguished name based credentials. |
User response | In order to communicate with this downstream server using Identity Assertion, the originating client should try a different authentication mechanism which is principal based rather than DN based. |
Problem | The server did not set the credentials during bootstrap. |
User response | Try restarting the server. Report the problem to customer support. |
Problem | The server's credentials are invalid. |
User response | Try logging in again and specifying a realm and/or username. |
Problem | A method request could take longer than the credential expiration period. |
User response | Either increase the cache timeout or decrease the ORB request timeout. |
Problem | The password for the hardware crypto device could not be decoded properly. |
User response | Go back to the configuration and retype the password. |
Problem | Valid loginSource options are: prompt, properties, stdin, key file, key table, none. |
User response | Modify the loginSource to contain a valid option. |
Problem | The CSIv2 inbound configuration panel does not have the noted server ID configured correctly. |
User response | Verify that the server ID that is listed in the message is added to the trusted server list in the CSIv2 inbound authentication panel. |
Problem | None. |
User response | None. |
Problem | The IOR from the server does not contain a CSIv2 tagged component. |
User response | You may need to restart the server, redeploy the object, or check the client configuration. |
Problem | The WebSphere implementation does not support SECIOP. |
User response | You cannot communicate with a server over SECIOP. |
Problem | The transport tag is not a recognized or supported transport. |
User response | Find out which transports are supported by the server you are connecting to. |
Problem | Since the client requires SSL and the server does not support it, the connection fails. |
User response | If you are able to connect over TCP/IP (no data signing or encryption), specify SSL supported instead of required. |
Problem | The server does not support SSL client authentication. |
User response | Try using BasicAuth (userid/password) client authentication instead. |
Problem | The server will not authenticate the client using SSL client certificates. |
User response | Try using BasicAuth (userid/password) client authentication instead. |
Problem | The client is not configured to use SSL client certificate authentication. |
User response | Review the client configuration to ensure it is set up to perform SSL client certificate authentication. |
Problem | The client requires SSL confidentiality but the server does not support it. |
User response | Modify the client configuration to not require confidentiality or have the system administrator change the server configuration to support it. |
Problem | The server requires SSL confidentiality but the client does not support it. |
User response | Modify the client configuration to support confidentiality. |
Problem | The client requires SSL Integrity but the server does not support it. |
User response | Modify the client configuration to not require Integrity or have the system administrator change the server configuration to support it. |
Problem | The server requires SSL Integrity but the client does not support it. |
User response | Modify the client configuration to support Integrity. |
Problem | The CSIv2 tagged component did not specify an authentication mechanism. |
User response | Retry the client application or restart the server to re-export the IOR for the object. |
Problem | The server currently will not accept BasicAuth or any other client authentication mechanism. |
User response | Configure the client for SSL client authentication or contact the server administrator. |
Problem | The client currently will not accept BasicAuth or any other client authentication mechanism. |
User response | Configure the client for BasicAuth client authentication or contact the server administrator. |
Problem | The server is supplying an unsupported OID. |
User response | Try using SSL client certificate authentication. |
Problem | The authentication mechanism of the server is not supported by the client. |
User response | Modify the authenticationTarget in the client configuration to something supported by the server. |
Problem | The authentication mechanism of the server is not supported by the client. |
User response | Modify the authenticationTarget in the client configuration to something supported by the server. |
Problem | The authentication mechanism of the server is not supported by the client. |
User response | Modify the authenticationTarget in the client configuration to something supported by the server. |
Problem | A value in the CSIv2 tagged component required for client authentication is null. |
User response | Try using SSL client authentication or contact the system administrator. |
Problem | The receiving server has not configured Identity Assertion. |
User response | Modify the configuration on the receiving server to support Identity Assertion. |
Problem | A naming mechanism is needed to determine how to encode/decode the identity token. |
User response | The receiving server may not support Identity Assertion. Try contacting the system administrator of the receiving server. |
Problem | The target server likely does not support Identity Assertion. |
User response | The target server may need to review how it exports the tagged components. Contact the system administrator of the target server. |
Problem | An exception has occurred while encoding or decoding security information. |
User response | Report this problem to WebSphere support. |
Problem | Valid property values are activelycorrect, passivelycorrect, consistency, and completeness. |
User response | Modify the verification level to match one of these values. |
Problem | The custom authentication mechanism which implements the WSSecurityContext interface is having problems being instantiated. |
User response | Review the constructor of this class and make sure the proper class is specified in the configuration. |
Problem | The OID specified in the credential does not have a corresponding WSSecurityContext implementation. |
User response | Ensure that the WSSecurityContext configuration specifies an implementation for this OID. |
Problem | The credential has an OID which does not match the configured authenticationTarget OID. |
User response | Modify the authenticationTarget to support the credential OID. |
Problem | Valid protocol values are ibm, csiv2, and both. |
User response | Correct the protocol property to contain a valid value. |
Problem | The property contains a non-integer value. |
User response | Make sure the property contains an integer value. |
Problem | The URL syntax is incorrect. |
User response | Typically, ensure there is only a single / after file: in the URL string. |
Problem | The file pointed to by the ConfigURL may not exist. |
User response | Check the URL syntax and that the file exists in the location specified. |
Problem | The file pointed to by the ConfigURL may not exist. |
User response | Check the URL syntax and that the file exists in the location specified. |
Problem | There is not enough SecurityManager access control to read the ConfigURL property. |
User response | Add more access to the java.security file for this property. |
Problem | This exception is thrown when a particular cryptographic algorithm is requested but is not available in the environment. |
User response | Check the SSL configuration to ensure that any cipher specified is valid and that any provider specified is valid. |
Problem | This is an exception thrown while trying to access a KeyStore. |
User response | Validate the location of the keystore, the password used to access the keystore and the keystore type. |
Problem | This exception is thrown if a key in the keystore cannot be recovered. |
User response | Typically this indicates some kind of corruption in the keystore. Ensure that the keystore type specified is valid. |
Problem | This exception is thrown when a particular security provider is requested but is not available in the environment. |
User response | Check that the keyStoreProvider, trustStoreProvider, and sslContextProvider have valid providers specified. |
Problem | This is the general key management exception, for all operations dealing with key management. Subclasses could include: KeyIDConflict, KeyAuthorizationFailureException, ExpiredKeyException. |
User response | Check that the certificates within the keystore are not expired and can all be viewed from within IKeyMan. |
Problem | When client authentication is required at the server, a principal must be sent for the request to be handled. |
User response | Ensure that the client is configured with the correct credentials to issue a request to this server. |
Problem | None. |
User response | None. |
Problem | The server credential needs to be refreshed so that the token does not expire. This message indicates that the refresh failed. This could be due to a problem logging into the server to get a new credential token or that the credential has been marked invalid. The expiration time will be set explicitly to correct the problem temporarily. |
User response | Restart the server. |
Problem | This logs any system exception which occurs on the server by the security interceptor or any other interceptor called after the security interceptor. |
User response | Sometimes the exception is normal, such as NO_PERMISSION due to an invalid userid/password; other times the exception needs to be reported to customer support. |
Problem | This logs any system exception which occurs on the server by the security request interceptor or any other request interceptor called after the security request interceptor. |
User response | Sometimes the exception is normal, such as NO_PERMISSION due to an invalid userid/password; other times the exception needs to be reported to customer support. |
Problem | The configuration on the client is not consistent with the configuration on the server for specific reasons. |
User response | The reasons reported should determine how to resolve the problem. |
Problem | The property com.ibm.CORBA.ConfigURL, specified in setupCmdLine.bat or on the Java command line, is invalid. |
User response | Check to ensure the file pointed to exists. |
Problem | Whenever the target realm does not match the current realm, WebSphere Application Server does not send the client request since the target realm might not be trusted. |
User response | Add the realm to the Trusted target realms field in the AdminConsole at Security -> Authentication Protocol -> CSIv2 Outbound Authentication. |
Problem | This may be due to a configuration error, or the registered factory did not implement the J2EEAuditEventFactory interface. |
User response | Check your configuration and specifically the configured AuditEventFactory implementation. |
Problem | This may be due to a configuration error. |
User response | Check your configuration and specifically the configured J2EEAuditEventFactory implementation. |
Problem | The credentials supplied are either invalid or null. An attempt is made to login as unauthenticated. If the resource is unprotected, the invocation should succeed. |
User response | Verify the userid/password supplied is correct. Try restarting the client program to resolve the problem. Increasing the credential timeout value could reduce the likelihood of this error occurring. |
Problem | The credentials supplied are either invalid or null. An attempt is made to login as unauthenticated. If the resource is unprotected, the invocation should succeed. |
User response | Verify the userid/password supplied is correct. Try restarting the client program to resolve the problem. Increasing the credential timeout value could reduce the likelihood of this error occurring. |
Problem | The type of connection data object is not valid. There may be a problem with the classes which loaded from the classpath. |
User response | Verify the classpath on the client and server both contain the same SAS.JAR and the same SAS e-fixes. |
Problem | This indicates that the session trying to be added has already been added. |
User response | Try to login again. |
Problem | The credentials list passed into init_security_context are null. An unauthenticated request will be attempted. |
User response | If an unauthenticated request is not desired, check the client login userid/password to verify correctness. Review the login source property in the sas.client.props. |
Problem | The standardPerformQOPModels property in the sas.client.props may not be set for mutual authentication. |
User response | If mutual authentication is desired, check the standardPerformQOPModels property so that it is set to authenticity, integrity, or confidentiality. |
Problem | The IOR does not contain a DCE security tag. This tag contains the target security name, mechanism and required quality of protection (QOP). |
User response | Verify that the client program is attempting to access the correct object. This message could be benign if the object method does not require security to be invoked. |
Problem | The IOR does not contain an SSL security tag. This tag contains the port, required quality of protection (QOP) and supported QOP. |
User response | Verify that the client program is attempting to access the correct object. This message could be benign if the object method does not require security to be invoked. |
Problem | This indicates that the attributes stored in the credential cannot be retrieved due to a Java runtime exception. |
User response | Restart the client so that new credentials will be created. Check with your user registry administrator to ensure the user data is valid. |
Problem | The IOR does not contain an SSL security compound tag. This tag contains the port, required quality of protection (QOP) and supported QOP, target's client authentication type, realm name and full security name. |
User response | Verify that the client program is attempting to access the correct object. This message could be benign if the object method does not require security to be invoked. |