Special Configuration Steps When Using Identity Only and LDAP

About this task

When using identity only in combination with WebSphere Application Server for z/OS and LDAP, you may need to perform additional manual configuration steps, regardless of whether configuration is done via the WebSphere Application Server for z/OS Administrative Console or the configure target. With this combination, WebSphere Application Server for z/OS may fail to start because a username generated by WebSphere Application Server for z/OS must be added to the login module exclude list property (exclude_usernames) described in Add the Login Module. When WebSphere Application Server for z/OS fails to start for this reason, a SECJ0270E error message appears in the SystemOut.log file prior to the failure.

These are the steps needed to resolve this error:

Procedure

  1. Identify the username that is causing WebSphere Application Server for z/OS to fail at startup. Configure the login module trace as described in Logging the Authentication Process (in regard to the configure target) or Add the Login Module (in regard to configuring via the Administrative Console), and restart WebSphere Application Server for z/OS. With the login module trace running, the trace data written to the SystemOut.log file prior to the SECJ0270E error will identify the failing username with a record like this:
    SystemOut     O Username: server:MyNodeCell_MyNode_CuramServer

    Where "MyNode" is the node name, "MyNodeCell" is the cell name, and "CuramServer" is the WebSphere Application Server for z/OS server name. The error follows the login module trace data and looks like this:

    SECJ0270E: Failed to get actual credentials.
       The exception is javax.security.auth.login.LoginException:
       Context: MyNodeCell/nodes/MyNode/servers/CuramServer,
       name: curamejb/LoginHome:
       First component in name curamejb/LoginHome not found.
  2. Specify the failing username in the login module exclude_usernames property in the WebSphere Application Server for z/OS configuration. Since WebSphere Application Server for z/OS is failing to start, you cannot make this change via the Administrative Console; you must edit the WebSphere Application Server for z/OS configuration file directly. In the WebSphere Application Server for z/OS configuration file system, edit config\cells\MyNodeCell\security.xml, which will have three occurrences of the exclude_usernames property (one for each alias); e.g.:
    <options xmi:id="Property_1301940482165"
       name="exclude_usernames"
       value="websphere,db2admin"
       required="false"/>

    You must modify the three occurrences to include the newly identified username from the trace entry above; e.g.:

    <options xmi:id="Property_1301940482165"
       name="exclude_usernames"
       value="websphere,db2admin,server:MyNodeCell_MyNode_CuramServer"
       required="false"/>

    Note that the id attribute of each exclude_usernames occurrence will vary with your system configuration. The comma separator in the example value attribute represents the default curam.security.usernames.delimiter value, which may be different in your case.

  3. Restart WebSphere Application Server for z/OS.
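The following script is an added example, not part of this documentation or of the product, that carries steps 1 and 2 out on text: it picks the username from the last login module trace record preceding the first SECJ0270E message, then appends that username to the value attribute of every exclude_usernames option in security.xml using the configured delimiter, leaving all other options untouched. The SystemOut.log excerpt (timestamps and thread ids invented), the <fragment> wrapper, the "debug" option and the incremented xmi:id values are constructed for the example; the script assumes each option is written as a self-closing <options .../> element with double-quoted attributes, as in the snippets above, and edits the text in place rather than re-serializing the XML so that the rest of the file is left byte-for-byte as it was.

```python
import re
from typing import Optional, Tuple

ERROR_ID = "SECJ0270E"
USERNAME_RE = re.compile(r"\bUsername:\s*(\S+)")
# A self-closing <options .../> element; security.xml writes each login module
# option this way, so no general XML parser (and no namespace handling) is needed.
OPTIONS_RE = re.compile(r"<options\b[^>]*/>")
NAME_RE = re.compile(r'\bname="exclude_usernames"')
VALUE_RE = re.compile(r'(\bvalue=")([^"]*)(")')

# Constructed SystemOut.log excerpt modelled on the trace record and the
# SECJ0270E message described in the procedure; timestamps and thread ids are
# invented, not captured from a real server.
SAMPLE_SYSTEMOUT = """\
[4/1/11 10:00:00:100 GMT] 0000000a SystemOut     O Username: db2admin
[4/1/11 10:00:00:200 GMT] 0000000a SystemOut     O Username: server:MyNodeCell_MyNode_CuramServer
[4/1/11 10:00:00:300 GMT] 0000000a SystemOut     O SECJ0270E: Failed to get actual credentials.
[4/1/11 10:00:00:300 GMT] 0000000a SystemOut     O    The exception is javax.security.auth.login.LoginException:
"""

# Constructed security.xml fragment: the three exclude_usernames occurrences
# (one per login module alias) follow the layout shown in the procedure, but the
# <fragment> wrapper, the "debug" option and the incremented ids are invented.
SAMPLE_SECURITY_XML = """\
<fragment>
  <options xmi:id="Property_1301940482165" name="exclude_usernames" value="websphere,db2admin" required="false"/>
  <options xmi:id="Property_1301940482166" name="debug" value="true" required="false"/>
  <options xmi:id="Property_1301940482167"
     name="exclude_usernames"
     value="websphere,db2admin"
     required="false"/>
  <options xmi:id="Property_1301940482168" name="exclude_usernames" value="websphere,db2admin" required="false"/>
</fragment>
"""


def find_failing_username(log_text: str) -> Optional[str]:
    """Return the username from the last 'Username:' trace record that precedes
    the first SECJ0270E message, or None when the log contains no such pair."""
    last_user = None
    for line in log_text.splitlines():
        if ERROR_ID in line:
            return last_user
        match = USERNAME_RE.search(line)
        if match:
            last_user = match.group(1)
    return None


def add_excluded_username(xml_text: str, username: str, delimiter: str = ",") -> Tuple[str, int]:
    """Append username to the value of every exclude_usernames option, joining
    entries with the configured curam.security.usernames.delimiter. Occurrences
    that already list the username are left alone, so running twice is harmless.
    Returns the updated text and the number of occurrences changed."""
    changed = 0

    def fix_element(element_match: "re.Match[str]") -> str:
        nonlocal changed
        element = element_match.group(0)
        if not NAME_RE.search(element):
            return element  # some other login module option: untouched

        def set_value(value_match: "re.Match[str]") -> str:
            nonlocal changed
            names = [n for n in value_match.group(2).split(delimiter) if n]
            if username in names:
                return value_match.group(0)
            names.append(username)
            changed += 1
            return value_match.group(1) + delimiter.join(names) + value_match.group(3)

        return VALUE_RE.sub(set_value, element, count=1)

    return OPTIONS_RE.sub(fix_element, xml_text), changed


if __name__ == "__main__":
    user = find_failing_username(SAMPLE_SYSTEMOUT)
    if user is None:
        raise SystemExit("no Username trace record found before a SECJ0270E message")
    print("failing username:", user)
    new_xml, count = add_excluded_username(SAMPLE_SECURITY_XML, user)
    # The procedure expects exactly three occurrences, one per alias; anything
    # else means the file layout differs from what this script assumes.
    print(f"updated {count} exclude_usernames occurrence(s); expected 3")
    print(new_xml)
```

To apply this to a real installation, read the SystemOut.log and security.xml files into strings, pass the delimiter actually configured in curam.security.usernames.delimiter, and write the result back only if the reported count is 3; a different count is the signal to inspect the file by hand rather than save.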