PQ98427: MODIFYING THE LTPA PASSWORD VIA ADMIN CONSOLE CAUSES SYNC TO FAIL AND BROKEN IMAGE FOR THE NODE STATUS. | |||||||||||||||||||||||||||||||||||||||||||
![]() |
|||||||||||||||||||||||||||||||||||||||||||
![]() APAR status Closed as program error. Error description When the LTPA password is modified in the admin console, attempting to save and synchronize this change will cause a security exception: BBOO0220E ADMS0005E: Unable to generate synchronization request: javax.management.JMRuntimeException: ADMN0022E: Access denied for the getRepositoryEpoch operation on ConfigRepository MBean due to insufficient or empty credentials. . Also, the node status icon (System Administration > Nodes) will be displayed as a broken image. Further investigation into the DM logs will also show security excpetions: SECJ4034I: Token Login failed. If the failure is due to an expiring token, verify the system date and time of the WebSphere nodes are synchronized or consider increasing the token timeout value. Authentication mechanism system. . As well as: SECJ0306E: No received or invocation credential exist on the thread. The Role based authorization check will not have an accessId of the caller to check. The parameters are: access check method getRepositoryEpoch on resource ConfigRepository and module ConfigRepository.Local fix 1) Copy the DMGR config side security.xml (the CELL level document) to the node side cell level (overwriting the older security.xml). It's a good idea to make a backup of the security.xml you are overwriting. 2) In the node side bin directory, run the command: wsc2n.sh -X This kicks off the transformer tool which will propogate changes from the XML configuration files to the native environment files. 3) Once wsc2n.sh finishes, restart the DMGR and NA.Problem summary **************************************************************** * USERS AFFECTED: All users of WebSphere Application Server * * V5.0 for z/OS * **************************************************************** * PROBLEM DESCRIPTION: Synchronization failed after the LTPA * * password was changed. Several messages * * are displayed in the server log. * * * * BBOO0222I ADMS0016I: Configuration * * synchronization failed. * * * * BBOO0222I SECJ403I: Token Login failed. * * If the failure is due to an expiring * * token, verify the system date and time * * of the WebSphere nodes are synchronized * * or consider increasing the token * * timeout value. * **************************************************************** * RECOMMENDATION: * **************************************************************** The LTPA password was updated on the administrative console. The 'Apply' or 'OK' button was hit. When the changes were saved to the master configuration and the 'Synchronize changes with Nodes' box was checked, the synchronization failed with several messages displayed in the server log. The problem occured because the deployment manager used the current administrator token created with the old LTPA keys to send the sync request to the node agent. The node agent saved the new keys in the runtime and then tried to decrypt the LTPA token with the new keys. The decryption failed.Problem conclusion The problem was fixed by having all servers use the old LTPA keys until the servers are restarted. This was accomplished by updating the deployment manager to not send the message telling the node agent to import the keys. APAR PQ98427 is associated with SERVICE LEVEL W502024 of WebSphere Application Server V5.0 for z/OS.Temporary fix Comments
APAR is sysrouted FROM one or more of the following: APAR is sysrouted TO one or more of the following: PQ98431 Modules/Macros
Publications Referenced
|
Document Information |
Current web document: swg1PQ98427.html
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PQ98427
IBM Group: Software Group
Modified date: Mar 1, 2005
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.