Authorization failure when starting the administrative server, Administrative Console, or other Java client

Technote (FAQ)
Problem
When starting up the administrative server, Administrative Console, or other Java™ client, you receive the following error message:

  • For V3.5: "Authorization failed for / while invoking (Home) ClientAccessHome"

  • For V4.0: "Authorization failed for /UNAUTHENTICATED while invoking (Home)ClientAccessHome"

Solution
The following error shows up in the trace file:

For releases of WebSphere Application Server V3.5

Creating unauthenticated BasicAuth credentials.
3438> Thu Apr 19 09:56:45 CDT 2001 - PrincipalAuthenticatorImpl.createUnauthenticatedCred, Thread[Pooled
ORB request dispatch WorkerThread,5,ORB thread pool]:
Creating unauthenticated credential.
[01.04.19 09:56:45:749 CDT] e1ec6174 SecurityColla A Authorization
failed for / while invoking(Home)ClientAccessHome create


For releases of WebSphere Application Server V4.0, V5.x

Creating unauthenticated credential.
[01.04.19 09:56:45:749 CDT] e1ec6174 SecurityColla A Authorization
failed for /UNAUTHENTICATED while invoking(Home)ClientAccessHome
create


There are a number of things that can cause these messages:
  1. If you get this exception when starting up the administrative server, this might be the result of running the server as non-root and using the registry of the local operating system instead of using LDAP. In WebSphere® Application Server V3.5.2 and earlier, a bug existed that allowed you to use the local operating system; however, this has been fixed.

  2. If the administrative server starts without any problems, but when you try to start the Administrative Console or other Java™ client you get the "Authorization failed for /" messages, check to ensure that the sas.client.props file has the following setting:

    com.ibm.CORBA.securityEnabled=true

    Also make sure you are using the same SSL key ring and password.

    For example:
    com.ibm.CORBA.SSLKeyRingPassword=WebAS
    com.ibm.CORBA.SSLKeyRing=com.ibm.websphere.DummyKeyring

  3. If there is a space character " " after:

    com.ibm.CORBA.securityEnabled=true

    in the sas.client.props file, the administrative client fails to see the value true and defaults to false. This is a bug.

Other things to look for
  • Check that the sas.client.props is using the same SSLServerKeyRing and SSLServerKeyRingPassword.

    For example:
    com.ibm.CORBA.SSLServerKeyRing=com.ibm.websphere.DummyKeyring
    com.ibm.CORBA.SSLServerKeyRingPassword=WebAS


  • Check that the sas.server.props is using the same SSLClientKeyRing and SSLClientKeyRingPassword.

    For example:
    com.ibm.CORBA.SSLClientKeyRingPassword=WebAS
    com.ibm.CORBA.SSLClientKeyRing=com.ibm.websphere.DummyKeyring


  • Also check that the ConfigURL syntax is correct in the setupCmdLine.bat file for Windows®.

    For example:
    SET CLIENTSAS=-Dcom.ibm.CORBA.ConfigURL=file:/C:/WebSphere/AppServer/properties/sas.client.props
    SET SERVERSAS=-Dcom.ibm.CORBA.ConfigURL=file:/C:/WebSphere/AppServer/properties/sas.server.props


    or setupCmdLine.sh for UNIX®:

    For example:
    CLIENTSAS=-Dcom.ibm.CORBA.ConfigURL=file:/opt/WebSphere/AppServer/properties/sas.client.props
    export CLIENTSAS
    SERVERSAS=-Dcom.ibm.CORBA.ConfigURL=file:/opt/WebSphere/AppServer/properties/sas.server.props
    export SERVERSAS
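
The property checks above can be scripted. The following is an added example, not IBM code: it scans the text of sas.client.props and sas.server.props for the trailing-whitespace problem on securityEnabled and for key ring settings that differ between the two files, reporting key names only so passwords are never printed. The function names, the simplified key=value parsing, and the reading of "the same" as "equal in both files" are assumptions.

```python
# Added example (not IBM code): audit sas.client.props / sas.server.props text.
# Assumption: simplified parsing, key=value only, no continuation lines or escapes.
SECURITY_KEY = "com.ibm.CORBA.securityEnabled"
# Key ring settings named in the technote; comparing client against server is assumed.
SHARED_KEYS = [f"com.ibm.CORBA.SSL{side}KeyRing{suffix}"
               for side in ("", "Server", "Client")
               for suffix in ("", "Password")]


def parse_props(text):
    """Return {key: raw value}; trailing whitespace in values is preserved."""
    props = {}
    for line in text.splitlines():
        stripped = line.lstrip()
        if not stripped or stripped[0] in "#!" or "=" not in stripped:
            continue
        key, _, value = stripped.partition("=")
        props[key.strip()] = value.lstrip()
    return props


def audit(client_text, server_text):
    """Return a list of findings; property values (passwords) are never echoed."""
    client, server = parse_props(client_text), parse_props(server_text)
    findings = []
    raw = client.get(SECURITY_KEY)
    if raw is None:
        findings.append(f"client: {SECURITY_KEY} is not set")
    elif raw != raw.rstrip():
        findings.append(f"client: trailing whitespace after {SECURITY_KEY} value")
    elif raw != "true":
        findings.append(f"client: {SECURITY_KEY} is not 'true'")
    for key in SHARED_KEYS:
        if key in client and key in server and client[key] != server[key]:
            findings.append(f"client/server mismatch: {key}")
    return findings


# Constructed sample input, not taken from a real installation.
SAMPLE_CLIENT = ("com.ibm.CORBA.securityEnabled=true \n"
                 "com.ibm.CORBA.SSLKeyRingPassword=WebAS\n")
SAMPLE_SERVER = ("com.ibm.CORBA.securityEnabled=true\n"
                 "com.ibm.CORBA.SSLKeyRingPassword=changed\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE_CLIENT, SAMPLE_SERVER):
        print(finding)
```
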











Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, Administrative Console (all non-scripting)
Operating system(s): Multi-Platform
Software version: 3.5, 4.0, 5.0
Software edition: Standard, Advanced
Reference #: 1030480
IBM Group: Software Group
Modified date: 2004-04-23