When using identity-only in combination with WebSphere Application Server and LDAP, you may need to perform additional manual configuration steps, regardless of whether configuration is done via the WebSphere Application Server administrative console or the configure target. With this combination, WebSphere Application Server may fail to start successfully because a WebSphere Application Server-generated username must be added to the login module exclude list property (exclude_usernames) described in Add the Login Module. When WebSphere Application Server fails to start for this reason, a SECJ0270E error message appears in the SystemOut.log file prior to the failure.
These are the steps needed to resolve this error:
In the login module trace data in the SystemOut.log file, locate the username entry generated by WebSphere Application Server, which will look like this:
SystemOut O Username: server:MyNodeCell_MyNode_CuramServer
Here "MyNode" is the node name, "MyNodeCell" is the cell name, and "CuramServer" is the WebSphere server name. Following the login module trace data will be the error, which will look like this:
SECJ0270E: Failed to get actual credentials. The exception is javax.security.auth.login.LoginException: Context: MyNodeCell/nodes/MyNode/servers/CuramServer, name: curamejb/LoginHome: First component in name curamejb/LoginHome not found.
The exclude_usernames property appears in three options entries like the following:
<options xmi:id="Property_1301940482165" name="exclude_usernames" value="websphere,db2admin" required="false"/>
You must modify all three occurrences to include the newly identified username from the trace entry above; e.g.:
<options xmi:id="Property_1301940482165" name="exclude_usernames" value="websphere,db2admin,server:MyNodeCell_MyNode_CuramServer" required="false"/>
Note that in the exclude_usernames occurrences the xmi:id attribute will vary per your system configuration, and that the comma separator in the example value attribute represents the default curam.security.usernames.delimiter value, which may differ in your case.
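The following script is an added example, not part of the original documentation or of the Cúram or WebSphere products. It carries out the two steps above on constructed input: it scans a SystemOut.log excerpt for the last "Username:" trace entry that precedes the SECJ0270E message, then appends that username to every exclude_usernames options entry that is not already carrying it, using the configured curam.security.usernames.delimiter value. The log excerpt, the XML fragment and the Property_EXAMPLE_n ids are constructed placeholders; real xmi:id values and the file holding the options entries vary per installation. Applying the update twice changes nothing the second time, so the script is safe to rerun after a restart.

```python
import re
from typing import Optional, Tuple

# Constructed SystemOut.log excerpt (not captured from a real system). The
# "Username:" trace line precedes the SECJ0270E failure, as the text describes.
SAMPLE_SYSTEMOUT = """\
[3/15/24 10:01:02:123 GMT] 0000000a SystemOut     O Username: server:MyNodeCell_MyNode_CuramServer
[3/15/24 10:01:02:456 GMT] 0000000a SecurityCompo E   SECJ0270E: Failed to get actual credentials. The exception is javax.security.auth.login.LoginException: Context: MyNodeCell/nodes/MyNode/servers/CuramServer, name: curamejb/LoginHome: First component in name curamejb/LoginHome not found.
"""

# Constructed XML fragment with the three exclude_usernames occurrences.
# The xmi:id values are placeholders; they differ on every installation.
SAMPLE_CONFIG = """\
<options xmi:id="Property_EXAMPLE_1" name="exclude_usernames" value="websphere,db2admin" required="false"/>
<options xmi:id="Property_EXAMPLE_2" name="exclude_usernames" value="websphere,db2admin" required="false"/>
<options xmi:id="Property_EXAMPLE_3" name="exclude_usernames" value="websphere,db2admin" required="false"/>
"""

# Matches the trace entry "SystemOut O Username: <value>" and captures the value.
USERNAME_RE = re.compile(r"SystemOut\s+O\s+Username:\s*(\S+)")

# Matches an <options .../> element whose name is exclude_usernames and captures
# the prefix up to the value attribute, the value itself, and the closing quote.
OPTIONS_RE = re.compile(
    r'(<options\b[^>]*\bname="exclude_usernames"[^>]*\bvalue=")([^"]*)(")'
)


def find_failing_username(log_text: str) -> Optional[str]:
    """Return the last Username trace value seen before the first SECJ0270E line.

    Returns None if no SECJ0270E line is present or no Username entry precedes it.
    """
    last_user = None
    for line in log_text.splitlines():
        match = USERNAME_RE.search(line)
        if match:
            last_user = match.group(1)
        elif "SECJ0270E" in line:
            return last_user
    return None


def add_excluded_username(
    config_text: str, username: str, delimiter: str = ","
) -> Tuple[str, int]:
    """Append username to every exclude_usernames value that lacks it.

    delimiter is the curam.security.usernames.delimiter value in effect
    (the default is a comma). Returns the rewritten text and the number of
    occurrences that were actually changed, so a second run reports 0.
    """
    changed = 0

    def replace(match: "re.Match[str]") -> str:
        nonlocal changed
        current = [u for u in match.group(2).split(delimiter) if u]
        if username in current:
            return match.group(0)  # already excluded; leave the entry untouched
        current.append(username)
        changed += 1
        return match.group(1) + delimiter.join(current) + match.group(3)

    return OPTIONS_RE.sub(replace, config_text), changed


if __name__ == "__main__":
    user = find_failing_username(SAMPLE_SYSTEMOUT)
    print("username to exclude:", user)
    if user:
        updated, count = add_excluded_username(SAMPLE_CONFIG, user)
        print("occurrences updated:", count)
        print(updated)
```

Run it against a copy of the real SystemOut.log and configuration file rather than the embedded samples, and check that the reported count matches the three occurrences the text expects; a count of 0 means the username was already present, and a count other than 3 means the file differs from what the documentation describes and should be inspected by hand.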