Access problems after enabling security
What kind of error are you seeing?
I cannot access all or part of the administrative console or use the wsadmin tool after enabling security
- If you cannot access the administrative console, or view and update certain objects, look in the logs of the application server which hosts the administrative console page for a related error message.
Note: You will need to use the administrative console to complete the next two items. If you are having a problem accessing the administrative console, you will have to turn off security and restart the administrative console. To turn off security, enter the following command at the system command prompt:
wsadmin.sh -conntype NONE
When the system command prompt reappears, enter: securityoff
Restart the Deployment Manager after you turn off security.
- You might not have authorized your ID for administrative tasks. This problem is indicated by errors such as:
  - [8/2/02 10:36:49:722 CDT] 4365c0d9 RoleBasedAuth A SECJ0305A: Role based authorization check failed for security name MyServer/myUserId, accessId MyServer/S-1-5-21-882015564-4266526380-2569651501-1005 while invoking method getProcessType on resource Server and module Server.
  - Exception message: "ADMN0022E: Access denied for the getProcessType operation on Server MBean"
  - When running the command: wsadmin -username j2ee -password j2ee: WASX7246E: Cannot establish "SOAP" connection to host "BIRKT20" because of an authentication failure. Please ensure that user and password are correct on the command line or in a properties file.
  To grant an ID administrative authority, from the administrative console, click System Administration > Console Users and validate that the ID is a member. If it is not, add the ID with at least monitor access privileges, for read-only access.
- Check that the enable_trusted_application flag is set to true. To check the enable_trusted_application flag, from the Administrative Console, click Security > Global Security > Custom Properties > Enable Trusted Application and verify that it is set to true.
I cannot access a Web page after enabling security
When secured resources are not accessible, probable causes include:
The client cannot access an enterprise bean after enabling security
If client access to an enterprise bean fails after security is enabled:
- Review the steps for securing and granting access to resources.
- Browse the server logs for errors relating to enterprise bean access and security. Look up any errors in the message table.
Errors similar to Authorization failed for /UNAUTHENTICATED while invoking resource securityName:/UNAUTHENTICATED;accessId:UNAUTHENTICATED not granted any of the required roles roles indicate that:
- An unprotected servlet or JavaServer Page (JSP) file accessed a protected enterprise bean. When an unprotected servlet is accessed, the user is not prompted to log in and the servlet runs as UNAUTHENTICATED. When the servlet makes a call to an enterprise bean that is protected, the servlet fails.
  To resolve this problem, secure the servlet that is accessing the protected enterprise bean. Make sure the runAs property for the servlet is set to an ID that can access the enterprise bean.
- An unauthenticated Java client program is accessing an enterprise bean resource that is protected. This situation can happen if the sas.client.props properties file used by the client program does not have the securityEnabled flag set to true.
  To resolve this problem, make sure that the sas.client.props file on the client side has its securityEnabled flag set to true.
Errors similar to Authorization failed for valid_user while invoking resource securityName:/username;accessId:xxxxxx not granted any of the required roles roles indicate that a client attempted to access a secured enterprise bean resource, and the supplied user ID is not assigned the required roles for that enterprise bean.
- Check that the required roles for the enterprise bean resource are accessed. View the required roles for the enterprise bean resource in the deployment descriptor of the Web resource.
- Check the authorization table and make sure that the user or the group that the user belongs to is assigned one of the required roles. You can view the authorization table for the application that contains the enterprise bean resource using the administrative console.
- If you are using LOCALOS and SAFAuthorization, check the SAF EJBROLEs setup. Specifically, verify that:
  - The EJBROLE class has been activated.
  - The role has been defined to SAF.
  - The userid has been permitted to the role.
  - The class was refreshed after the permit operation.
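
The messages quoted in the two sections above can be sorted by likely cause before anyone opens the console. The following Python sketch is an added example, not IBM code: the sample log lines are constructed from the message templates on this page, and the finding names, hint strings and the ejb/Example resource name are illustrative assumptions.

```python
import re

# Constructed sample log lines, modelled on the messages quoted on this page.
SAMPLE_LOG = "\n".join([
    "[8/2/02 10:36:49:722 CDT] 4365c0d9 RoleBasedAuth A SECJ0305A: Role based "
    "authorization check failed for security name MyServer/myUserId, accessId "
    "MyServer/example-id while invoking method getProcessType on resource Server.",
    "ADMN0022E: Access denied for the getProcessType operation on Server MBean",
    "Authorization failed for /UNAUTHENTICATED while invoking ejb/Example securityName:"
    "/UNAUTHENTICATED;accessId:UNAUTHENTICATED not granted any of the required roles Teller",
    "Authorization failed for alice while invoking ejb/Example securityName:/alice;"
    "accessId:example-id not granted any of the required roles Teller Manager",
    "Application started: ExampleApp",  # unrelated line, must be ignored
])

ADMIN = "ID lacks administrative authority: check Console Users membership"
UNAUTH = "unauthenticated caller: secure the calling servlet or enable client security"
NO_ROLE = "user lacks a required role: check the authorization table"

RULES = [  # (finding name, hint, pattern); a hint of None is decided per principal
    ("admin-role-denied", ADMIN, re.compile(
        r"SECJ0305A:.*?security name (?P<who>[^,\s]+).*?method (?P<what>\S+)")),
    ("admin-mbean-denied", ADMIN, re.compile(
        r"ADMN0022E: Access denied for the (?P<what>\S+) operation")),
    ("wsadmin-auth-failure", "check user and password, then Console Users", re.compile(
        r'WASX7246E: Cannot establish "(?P<what>\w+)" connection')),
    ("ejb-authorization-failed", None, re.compile(
        r"Authorization failed for (?P<who>\S+) while invoking (?P<what>\S+)"
        r".*?required roles (?P<roles>.+)$")),
]

def triage(log_text):
    """Return one finding per log line that matches a message from this page."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for name, hint, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            g = m.groupdict()
            if hint is None:  # EJB failure: unauthenticated caller or missing role?
                hint = UNAUTH if g["who"].strip("/") == "UNAUTHENTICATED" else NO_ROLE
            findings.append({"line": lineno, "finding": name, "who": g.get("who"),
                             "what": g["what"], "roles": g.get("roles"), "hint": hint})
            break
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```
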
Client program never gets prompted when accessing secured enterprise bean
Even though it appears security is enabled and an enterprise bean is secured, it can happen that the client executes the remote method without prompting. If the remote method is protected, an authorization failure results. Otherwise, the method executes as an unauthenticated user.
Possible reasons for this problem include:
- The server with which you are communicating might not have security enabled. Check with the WebSphere Application Server administrator to ensure that the server security is enabled. Access the global security settings from within the Security section of the administrative console.
- The client does not have security enabled in the sas.client.props file. Edit the sas.client.props file to ensure the property com.ibm.CORBA.securityEnabled is set to true.
- The client does not have a ConfigURL specified. Verify that the property com.ibm.CORBA.ConfigURL is specified on the command line of the Java client, using the -D parameter.
- The specified ConfigURL has an invalid URL syntax, or the sas.client.props that is pointed to cannot be found. Verify that the com.ibm.CORBA.ConfigURL property is valid, for example, similar to the file:/WebSphere/AppServer/properties/sas.client.props file on Windows systems. Check the Java documentation for a description of URL formatting rules. Also, validate that the file exists at the specified path.
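
The client-side causes listed above can be checked in one pass before the client is started. This Python sketch is an added example, not IBM code; it assumes the ConfigURL is a file: URL like the page's example, reads the properties file with a deliberately minimal parser, and uses hypothetical function names.

```python
import os
import re
from urllib.parse import urlparse
from urllib.request import url2pathname

FLAG = "com.ibm.CORBA.securityEnabled"

def load_props(path):
    """Minimal Java .properties reader (no line continuations or escapes)."""
    props = {}
    with open(path, encoding="latin-1") as fh:
        for raw in fh:
            line = raw.strip()
            if line and line[0] not in "#!":
                # A key ends at the first '=', ':' or whitespace.
                parts = re.split(r"\s*[=:\s]\s*", line, maxsplit=1)
                props[parts[0]] = parts[1] if len(parts) > 1 else ""
    return props

def check_client_config(config_url):
    """Return the problems found for a com.ibm.CORBA.ConfigURL value ([] if none)."""
    if not config_url:
        return ["com.ibm.CORBA.ConfigURL is not set; pass it with -D"]
    url = urlparse(config_url)
    # A bare path or a Windows drive path is not a URL: the scheme must be file.
    if url.scheme != "file" or not url.path:
        return ["not a file: URL: %r" % config_url]
    path = url2pathname(url.path)
    if not os.path.isfile(path):
        return ["no properties file at %s" % path]
    value = load_props(path).get(FLAG)
    if value is None:
        return ["%s is not set in %s" % (FLAG, path)]
    if value.strip().lower() != "true":
        return ["%s is %r, expected true" % (FLAG, value)]
    return []

if __name__ == "__main__":
    import sys
    # Usage: python check_client.py file:/path/to/sas.client.props
    print(check_client_config(sys.argv[1] if len(sys.argv) > 1 else None) or "OK")
```
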
Cannot stop an application server, node manager, or node after enabling security
If you use command line utilities to stop WebSphere Application Server processes, apply additional parameters after enabling security to provide authentication and authorization information.
After enabling single signon, I cannot log on to the administrative console
This problem occurs when single signon (SSO) is enabled, and you attempt to access the administrative console using the short name of the server, for example http://myserver:9090/admin. The server accepts your user ID and password, but returns you to the log on page instead of the administrative console.
To correct this problem, use the fully qualified host name of the server, for example http://myserver.mynetwork.mycompany.com:9090/admin.

Searchable topic ID: rtrb_secprobs
Last updated: Jun 21, 2007 9:56:50 PM CDT
WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/rtrb_secprobs.html