LTPA keys generated using wsadmin can cause management process failures in a federated cell environment
 Technote (troubleshooting)
 
Problem(Abstract)
When using wsadmin to generate new Lightweight Third-Party Authentication (LTPA) tokens for use in an IBM® WebSphere® Application Server federated cell environment, it is important to use the correct commands. Commands that work in a Base-only environment can cause management process failures due to a token mismatch in a federated cell environment.
 
Cause
Using the wsadmin steps below to generate a new LTPA token is successful for a Base-only environment. However, in a federated cell environment, this causes a failure due to a token mismatch.
  1. Generate the new token using the generateKeys method in wsadmin connected to the dmgr process (the MBean reference returned by queryNames is reused in the invoke call):

    set secAdmin [$AdminControl queryNames WebSphere:type=SecurityAdmin,process=dmgr,*]
    $AdminControl invoke $secAdmin generateKeys <password>

  2. Save and Synchronize.

    The following error appears in the SystemOut.log of the NodeAgent:
[9/9/04 8:49:57:932 CEST] 33e327d3 JaasLoginHelp A SECJ4034I: Token Login failed. If the failure is due to an expiring token, verify the system date and time of the WebSphere nodes are synchronized or consider increasing the token timeout value. Authentication mechanism system.LTPA and exception is
[9/9/04 8:49:58:189 CEST] 33e327d3 RoleBasedAuth E SECJ0306E: No received or invocation credential exist on the thread. The Role based authorization check will not have an accessId of the caller to check. The parameters are: access check method sync on resource NodeSync and module NodeSync. The stack trace is java.lang.Exception: dump thread stack for debugging
at com.ibm.ws.security.role.RoleBasedAuthorizerImpl.checkAccess(RoleBasedAuthorizerImpl.java:282)
at com.ibm.ws.management.AdminServiceImpl.preInvoke(AdminServiceImpl.java:1285)
at com.ibm.ws.management.AdminServiceImpl.invoke(AdminServiceImpl.java:656)
at com.ibm.ws.management.connector.AdminServiceDelegator.invoke(AdminServiceDelegator.java:130)
at java.lang.reflect.Method.invoke(Native Method)
at com.ibm.ws.management.connector.soap.SOAPConnector.invoke(SOAPConnector.java(Compiled Code))
at com.ibm.ws.management.connector.soap.SOAPConnector.service(SOAPConnector.java(Compiled Code))
at com.ibm.ws.management.connector.soap.SOAPConnection.handleRequest(SOAPConnection.java:55)
at com.ibm.ws.http.HttpConnection.readAndHandleRequest(HttpConnection.java:615)
at com.ibm.ws.http.HttpConnection.run(HttpConnection.java:439)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:672)

The generateKeys method updates both the configuration and the runtime of the dmgr. The NodeAgent still holds the old keys, so the tokens exchanged during synchronization no longer match, which produces the SECJ4034I and SECJ0306E errors above.

 
Resolving the problem
Use the genKeys method instead, which updates the configuration only and leaves the running processes on their current keys until they are restarted. This is the same method used by the administrative console.

The next time the administrative processes are recycled, the new token is used for administration authorization.
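The following Jacl script is an added example, not part of the technote, showing the configuration-only path described above: genKeys on the dmgr SecurityAdmin MBean, then save and node synchronization through the NodeSync MBean. It assumes genKeys takes the same single password argument the technote shows for generateKeys; the password value is a placeholder.

```tcl
# Added example (not the technote's own script): regenerate LTPA keys in a
# federated cell without causing a dmgr/NodeAgent token mismatch.
# Assumption: genKeys accepts one password argument, like generateKeys.
set ltpaPassword "<password>"   ;# placeholder, replace with the real key password

# Locate the SecurityAdmin MBean of the deployment manager; wsadmin must be
# connected to the dmgr process for this query to return a result.
set secAdmin [$AdminControl queryNames WebSphere:type=SecurityAdmin,process=dmgr,*]
if {$secAdmin == ""} {
    error "SecurityAdmin MBean not found: connect wsadmin to the dmgr process"
}

# genKeys changes the configuration only, so the running dmgr and NodeAgents
# keep using their current keys and synchronization still authenticates.
$AdminControl invoke $secAdmin genKeys $ltpaPassword

# Persist the new keys to the master configuration repository.
$AdminConfig save

# Push the updated configuration to every node with a running NodeAgent.
foreach node [$AdminConfig list Node] {
    set nodeName [$AdminConfig showAttribute $node name]
    set nodeSync [$AdminControl completeObjectName type=NodeSync,node=$nodeName,*]
    if {$nodeSync != ""} {
        puts "Synchronizing node $nodeName"
        $AdminControl invoke $nodeSync sync
    } else {
        puts "No running NodeAgent for $nodeName; it will pick up the keys on its next sync"
    }
}
# The new keys are used for administrative authorization only after the dmgr
# and the NodeAgents have been recycled.
```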

Refer to the Information Center for more details about these methods:
http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp?topic=/com.ibm.websphere.wbifz.doc/info/wbifz/javadoc/mbean/SecurityAdmin.html
 
 
Cross Reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK
Platform, Version, Edition: not specified

Document Information

Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Administrative Scripting Tools (for example: wsadmin or ANT)
Operating system(s): Windows
Software version: 5.1.1
Software edition:
Reference #: 1179549
IBM Group: Software Group
Modified date: Sep 13, 2004