Using the wsadmin steps below to generate a new LTPA token
is successful for a Base-only environment. However, in a federated cell
environment, this causes a failure due to a token mismatch.
- Generate the new token using the generateKeys method in wsadmin
  connected to the dmgr process:

    # Look up the SecurityAdmin MBean of the deployment manager
    set secAdmin [$AdminControl queryNames WebSphere:type=SecurityAdmin,process=dmgr,*]
    # Generate new LTPA keys, protected by the given password
    $AdminControl invoke $secAdmin generateKeys <password>

- Save and Synchronize.
The following error appears in the SystemOut.log of the NodeAgent:
[9/9/04 8:49:57:932 CEST] 33e327d3 JaasLoginHelp A SECJ4034I: Token Login failed.
If the failure is due to an expiring token, verify the system date and time of
the WebSphere nodes are synchronized or consider increasing the token timeout
value. Authentication mechanism system.LTPA and exception is
[9/9/04 8:49:58:189 CEST] 33e327d3 RoleBasedAuth E SECJ0306E: No received
or invocation credential exist on the thread. The Role based authorization
check will not have an accessId of the caller to check. The parameters
are: access check method sync on resource NodeSync and module NodeSync.
The stack trace is java.lang.Exception: dump thread stack for debugging
    at com.ibm.ws.security.role.RoleBasedAuthorizerImpl.checkAccess(RoleBasedAuthorizerImpl.java:282)
    at com.ibm.ws.management.AdminServiceImpl.preInvoke(AdminServiceImpl.java:1285)
    at com.ibm.ws.management.AdminServiceImpl.invoke(AdminServiceImpl.java:656)
    at com.ibm.ws.management.connector.AdminServiceDelegator.invoke(AdminServiceDelegator.java:130)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.ibm.ws.management.connector.soap.SOAPConnector.invoke(SOAPConnector.java(Compiled Code))
    at com.ibm.ws.management.connector.soap.SOAPConnector.service(SOAPConnector.java(Compiled Code))
    at com.ibm.ws.management.connector.soap.SOAPConnection.handleRequest(SOAPConnection.java:55)
    at com.ibm.ws.http.HttpConnection.readAndHandleRequest(HttpConnection.java:615)
    at com.ibm.ws.http.HttpConnection.run(HttpConnection.java:439)
    at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:672)
The generateKeys method updates both the configuration and the runtime,
causing a token mismatch between the dmgr and the NodeAgent during
synchronization.
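
Added example, not part of the original technote: a Python check that correlates the two NodeAgent SystemOut.log messages shown above (SECJ4034I followed by SECJ0306E on NodeSync, on the same thread) to flag this token mismatch. The sample log text, the function names, the 5-second window and the month/day order of the timestamp are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Record header: [date time TZ] threadId component level msgId: text
HEADER = re.compile(r"^\[(\S+ \S+) \w+\]\s+([0-9a-f]{8})\s+(\S+)\s+([A-Z])\s+"
                    r"([A-Z]{4}\d{4}[A-Z]):\s*(.*)$")

# Constructed sample modelled on the log excerpt above (message text shortened).
# The last record is a decoy: a sync denial with no preceding token failure.
SAMPLE = """\
[9/9/04 8:49:57:932 CEST] 33e327d3 JaasLoginHelp A SECJ4034I: Token Login failed. Authentication mechanism system.LTPA and exception is
[9/9/04 8:49:58:189 CEST] 33e327d3 RoleBasedAuth E SECJ0306E: No received or invocation credential exist on the thread. The parameters
are: access check method sync on resource NodeSync and module NodeSync.
    at com.ibm.ws.security.role.RoleBasedAuthorizerImpl.checkAccess(RoleBasedAuthorizerImpl.java:282)
[9/9/04 8:50:30:001 CEST] 4a1b2c3d RoleBasedAuth E SECJ0306E: No received or invocation credential exist on the thread. The parameters are: access check method sync on resource NodeSync and module NodeSync.
"""

def parse_records(text):
    """Return [timestamp, thread, msgid, body] records, folding continuation lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            # Assumption: month/day/two-digit-year ordering in the timestamp.
            ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S:%f")
            records.append([ts, m.group(2), m.group(5), m.group(6)])
        elif records and not line.startswith("["):
            # Wrapped message text or a stack frame belongs to the previous record.
            records[-1][3] += " " + line.strip()
    return records

def find_sync_token_mismatch(text, window=timedelta(seconds=5)):
    """Return (thread, token_failure_time, sync_denied_time) for each correlated pair."""
    last_token_failure = {}
    findings = []
    for ts, thread, msgid, body in parse_records(text):
        if msgid == "SECJ4034I":
            last_token_failure[thread] = ts
        elif msgid == "SECJ0306E" and "NodeSync" in body:
            failed = last_token_failure.pop(thread, None)
            if failed is not None and ts - failed <= window:
                findings.append((thread, failed, ts))
    return findings

if __name__ == "__main__":
    for thread, failed, denied in find_sync_token_mismatch(SAMPLE):
        print(f"thread {thread}: token login failed {failed}, NodeSync denied {denied}")
```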