After enabling global security, there was a degradation in performance. See Enabling global security for information about using the unrestricted policy files.
If none of these steps solves the problem, check to see if the problem has been identified and documented using the links in Diagnosing and fixing problems: Resources for learning.
If you do not see a problem that resembles yours, or if the information provided does not solve your problem, contact IBM support for further assistance.
Log files
SASRas A CWWSA0001I: Security configuration initialized.
SASRas A CWWSA0002I: Authentication protocol: CSIV2/IBM
SASRas A CWWSA0003I: Authentication mechanism: SWAM
SASRas A CWWSA0004I: Principal name: MYHOSTNAME/aServerID
SASRas A CWWSA0005I: SecurityCurrent registered.
SASRas A CWWSA0006I: Security connection interceptor initialized.
SASRas A CWWSA0007I: Client request interceptor registered.
SASRas A CWWSA0008I: Server request interceptor registered.
SASRas A CWWSA0009I: IOR interceptor registered.
NameServerImp I CWNMS0720I: Do Security service listener registration.
SecurityCompo A CWSCJ0242A: Security service is starting
UserRegistryI A CWSCJ0136I: Custom Registry:com.ibm.ws.security.registry.nt.NTLocalDomainRegistryImpl has been initialized
SecurityCompo A CWSCJ0202A: Admin application initialized successfully
SecurityCompo A CWSCJ0203A: Naming application initialized successfully
SecurityCompo A CWSCJ0204A: Rolebased authorizer initialized successfully
SecurityCompo A CWSCJ0205A: Security Admin mBean registered successfully
SecurityCompo A CWSCJ0243A: Security service started successfully
SecurityCompo A CWSCJ0210A: Security enabled true

SASRas A CWWSA0001I: Security configuration initialized.
SASRas A CWWSA0002I: Authentication protocol: CSIV2/IBM
SASRas A CWWSA0003I: Authentication mechanism: SWAM
SASRas A CWWSA0004I: Principal name: MYHOSTNAME/aServerID
SASRas A CWWSA0005I: SecurityCurrent registered.
SASRas A CWWSA0006I: Security connection interceptor initialized.
SASRas A CWWSA0007I: Client request interceptor registered.
SASRas A CWWSA0008I: Server request interceptor registered.
SASRas A CWWSA0009I: IOR interceptor registered.
NameServerImp I CWNMS0720I: Do Security service listener registration.
SecurityCompo A CWSCJ0242A: Security service is starting
UserRegistryI A CWSCJ0136I: Custom Registry:com.ibm.ws.security.registry.nt.NTLocalDomainRegistryImpl has been initialized
Authenticatio E CWSCJ4001E: Login failed for badID/<null>
javax.security.auth.login.LoginException: authentication failed: bad user/password

SASRas A CWWSA0001I: Security configuration initialized.
SASRas A CWWSA0002I: Authentication protocol: CSIV2/IBM
SASRas A CWWSA0003I: Authentication mechanism: LTPA
SASRas A CWWSA0004I: Principal name: MYHOSTNAME/anID
SASRas A CWWSA0005I: SecurityCurrent registered.
SASRas A CWWSA0006I: Security connection interceptor initialized.
SASRas A CWWSA0007I: Client request interceptor registered.
SASRas A CWWSA0008I: Server request interceptor registered.
SASRas A CWWSA0009I: IOR interceptor registered.
NameServerImp I CWNMS0720I: Do Security service listener registration.
SecurityCompo A CWSCJ0242A: Security service is starting
UserRegistryI A CWSCJ0136I: Custom Registry:com.ibm.ws.security.registry.nt.NTLocalDomainRegistryImpl has been initialized
SecurityServe E CWSCJ0237E: One or more vital LTPAServerObject configuration attributes are null or not available. The attributes and values are password : LTPA password does exist, expiration time 30, private key <null>, public key <null>, and shared key <null>.

SASRas A CWWSA0001I: Security configuration initialized.
SASRas A CWWSA0002I: Authentication protocol: CSIV2/IBM
SASRas A CWWSA0003I: Authentication mechanism: SWAM
SASRas A CWWSA0004I: Principal name: MYHOSTNAME/aServerId
SASRas A CWWSA0005I: SecurityCurrent registered.
SASRas A CWWSA0006I: Security connection interceptor initialized.
SASRas A CWWSA0007I: Client request interceptor registered.
SASRas A CWWSA0008I: Server request interceptor registered.
SASRas A CWWSA0009I: IOR interceptor registered.
SASRas E CWWSA0026E: [SecurityTaggedComponentAssistorImpl.register] Exception connecting object to the ORB. Check the SSL configuration to ensure that the SSL keyStore and trustStore properties are set properly. If the problem persists, contact support for assistance.
org.omg.CORBA.OBJ_ADAPTER: ORB_CONNECT_ERROR (5) - couldn't get Server Subcontract minor code: 4942FB8F completed: No
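The startup samples above differ only in which message IDs appear after CWSCJ0242A. The following Python code is an added example, not part of the IBM documentation: it triages such a log by message ID, reporting the authentication mechanism, whether CWSCJ0243A and CWSCJ0210A were logged, and the first record with event type E. The function names and the shortened log samples are constructed for illustration.

```python
import re

# One log record: truncated component name, event-type letter, message ID, text.
RECORD = re.compile(
    r"^(?P<component>\S+)\s+(?P<etype>[A-Z])\s+"
    r"(?P<msgid>[A-Z]{4,5}\d{4}[A-Z]):\s*(?P<text>.*)$"
)


def triage(log_text):
    """Collect the security-startup facts that a log excerpt reports."""
    state = {"mechanism": None, "principal": None,
             "started": False, "enabled": False, "errors": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECORD.match(line)
        if m is None:
            # Not a record header: exception text or a wrapped message.
            # Keep it with the error it follows so the cause is not lost.
            if state["errors"]:
                state["errors"][-1]["detail"].append(line)
            continue
        msgid, text = m["msgid"], m["text"]
        if msgid == "CWWSA0003I":      # "Authentication mechanism: <name>"
            state["mechanism"] = text.partition(":")[2].strip()
        elif msgid == "CWWSA0004I":    # "Principal name: <host>/<id>"
            state["principal"] = text.partition(":")[2].strip()
        elif msgid == "CWSCJ0243A":    # Security service started successfully
            state["started"] = True
        elif msgid == "CWSCJ0210A":    # "Security enabled true"
            state["enabled"] = text.strip().endswith("true")
        if m["etype"] == "E" or msgid.endswith("E"):
            state["errors"].append({"msgid": msgid, "component": m["component"],
                                    "text": text, "detail": []})
    return state


def verdict(state):
    """FAILED:<first error ID>, OK, or INCOMPLETE (no error but no start message)."""
    if state["errors"]:
        return "FAILED:" + state["errors"][0]["msgid"]
    if state["started"] and state["enabled"]:
        return "OK"
    return "INCOMPLETE"


# Constructed samples, shortened from the log excerpts on this page.
OK_LOG = """
SASRas A CWWSA0003I: Authentication mechanism: SWAM
SASRas A CWWSA0004I: Principal name: MYHOSTNAME/aServerID
SecurityCompo A CWSCJ0242A: Security service is starting
SecurityCompo A CWSCJ0243A: Security service started successfully
SecurityCompo A CWSCJ0210A: Security enabled true
"""
BAD_LOGIN_LOG = """
SASRas A CWWSA0003I: Authentication mechanism: SWAM
SecurityCompo A CWSCJ0242A: Security service is starting
Authenticatio E CWSCJ4001E: Login failed for badID/<null>
javax.security.auth.login.LoginException: authentication failed: bad user/password
"""
LTPA_LOG = """
SASRas A CWWSA0003I: Authentication mechanism: LTPA
SecurityCompo A CWSCJ0242A: Security service is starting
SecurityServe E CWSCJ0237E: One or more vital LTPAServerObject configuration attributes are null or not available.
"""

if __name__ == "__main__":
    for name, log in (("ok", OK_LOG), ("bad login", BAD_LOGIN_LOG), ("ltpa", LTPA_LOG)):
        print(name, "->", verdict(triage(log)))
```

An INCOMPLETE verdict means the excerpt ends before CWSCJ0243A without an error record, which usually indicates a truncated log rather than a healthy start.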
Using SDSF
+BBOM0001I com_ibm_authMechanisms_type_OID: No OID for this mechanism.
+BBOM0001I com_ibm_security_SAF_unauthenticated: WSGUEST.
+BBOM0001I com_ibm_security_SAF_EJBROLE_Audit_Messages_Suppress: 0.
+BBOM0001I com_ibm_userRegistries_type: security:LocalOSUserRegistry.
+BBOM0001I com_ibm_userRegistries_CustomUserRegistry_realm: NOT SET, 278 DEFAULT=CustomRealm.
+BBOM0001I com_ibm_userRegistries_LDAPUserRegistry_realm: NOT SET, 279 DEFAULT=LDAPRealm.
+BBOM0001I com_ibm_ws_logging_zos_errorlog_format_cbe: NOT SET, 280 DEFAULT=0.
+BBOM0001I com_ibm_CSI_claim_ssl_sys_v2_timeout: NOT SET, DEFAULT=100.
+BBOM0001I com_ibm_CSI_claim_ssl_sys_v3_timeout: 600.
+BBOM0001I com_ibm_CSI_claimClientAuthenticationtype: 283 SAFUSERIDPASSWORD.
+BBOM0001I com_ibm_CSI_claimClientAuthenticationRequired: 0.
+BBOM0001I com_ibm_CSI_claimClientAuthenticationSupported: 1.
+BBOM0001I com_ibm_CSI_claimIdentityAssertionSupported: 0.
+BBOM0001I com_ibm_CSI_claimIdentityAssertionTypeCert: 0.
+BBOM0001I com_ibm_CSI_claimIdentityAssertionTypeDN: 0.
+BBOM0001I com_ibm_CSI_claimIdentityAssertionTypeSAF: 0.
+BBOM0001I com_ibm_CSI_claimKeyringName: WASKeyring.
+BBOM0001I com_ibm_CSI_claimMessageConfidentialityRequired: 0.
+BBOM0001I com_ibm_CSI_claimMessageIntegrityRequired: NOT SET, 292 DEFAULT=1.
+BBOM0001I com_ibm_CSI_claimMessageIntegritySupported: NOT SET, 293 DEFAULT=1.
+BBOM0001I com_ibm_CSI_claimSecurityCipherSuiteList: NOT SET.
+BBOM0001I com_ibm_CSI_claimSecurityLevel: HIGH.
+BBOM0001I com_ibm_CSI_claimStateful: 1.
+BBOM0001I com_ibm_CSI_claimTransportAssocSSLTLSRequired: 0.
+BBOM0001I com_ibm_CSI_claimTransportAssocSSLTLSSupported: 1.
+BBOM0001I com_ibm_CSI_claimTLClientAuthenticationRequired: 0.
+BBOM0001I com_ibm_CSI_claimTLClientAuthenticationSupported: 1.
+BBOM0001I com_ibm_CSI_perform_ssl_sys_v2_timeout: NOT SET, 301 DEFAULT=100.
+BBOM0001I com_ibm_CSI_perform_ssl_sys_v3_timeout: 600.
+BBOM0001I com_ibm_CSI_performClientAuthenticationtype: 303 SAFUSERIDPASSWORD.
+BBOM0001I com_ibm_CSI_performClientAuthenticationRequired: 0.
+BBOM0001I com_ibm_CSI_performClientAuthenticationSupported: 1.
+BBOM0001I com_ibm_CSI_performIdentityAssertionRequired: 0.
+BBOM0001I com_ibm_CSI_performIdentityAssertionSupported: 0.
+BBOM0001I com_ibm_CSI_performKeyringName: WASKeyring.
+BBOM0001I com_ibm_CSI_performMessageConfidentialityRequired: 0.
+BBOM0001I com_ibm_CSI_performMessageConfidentialitySupported: 1.
+BBOM0001I com_ibm_CSI_performMessageIntegrityRequired: 1.
+BBOM0001I com_ibm_CSI_performMessageIntegritySupported: 1.
+BBOM0001I com_ibm_CSI_performSecurityCipherSuiteList: NOT SET.
+BBOM0001I com_ibm_CSI_performSecurityLevel: HIGH.
+BBOM0001I com_ibm_CSI_performStateful: 1.
+BBOM0001I com_ibm_CSI_performTransportAssocSSLTLSRequired: 0.
+BBOM0001I com_ibm_CSI_performTransportAssocSSLTLSSupported: 1.
+BBOM0001I com_ibm_CSI_performTLClientAuthenticationRequired: 0.
+BBOM0001I com_ibm_CSI_performTLClientAuthenticationSupported: 0.
+BBOM0001I com_ibm_CSI_rmiInboundPropagationEnabled: 1.
+BBOM0001I com_ibm_CSI_rmiOutboundLoginEnabled: 0.
+BBOM0001I com_ibm_CSI_rmiOutboundPropagationEnabled: 1.
+BBOM0001I security_assertedID_IBM_accepted: 0.
+BBOM0001I security_assertedID_IBM_sent: 0.
+BBOM0001I security_disable_daemon_ssl: NOT SET, DEFAULT=0.
+BBOM0001I security_kerberos_allowed: 0.
+BBOM0001I security_local_identity: WSGUEST.
+BBOM0001I security_remote_identity: WSGUEST.
+BBOM0001I security_sslClientCerts_allowed: 0.
+BBOM0001I security_sslKeyring: NOT SET.
+BBOM0001I security_sslType1: 0.
+BBOM0001I security_userid_passticket_allowed: 1.
+BBOM0001I security_userid_password_allowed: 0.
+BBOM0001I security_zOS_domainName: NOT SET.
+BBOM0001I security_zOS_domainType: 0.
+BBOM0001I security_zSAS_ssl_repertoire: SY1/DefaultIIOPSSL.
+BBOM0001I security_EnableRunAsIdentity: 0.
+BBOM0001I security_EnableSyncToOSThread: 0.
+BBOM0001I server_configured_system_name: SY1.
+BBOM0001I server_generic_short_name: BBOC001.
+BBOM0001I server_generic_uuid: 457
*** Message beginning with BBOO0222I apply to Java WebSphere Security ***
+BBOO0222I: SECJ6004I: Security Auditing is disabled.
+BBOO0222I: SECJ0215I: Successfully set JAAS login provider 631 configuration class to com.ibm.ws.security.auth.login.Configuration.
+BBOO0222I: SECJ0136I: Custom 632 Registry:com.ibm.ws.security.registry.zOS.SAFRegistryImpl has been initialized
+BBOO0222I: SECJ0157I: Loaded Vendor AuthorizationTable: 633 com.ibm.ws.security.core.SAFAuthorizationTableImpl
General approach for troubleshooting security-related issues
SASRas A CWWSA0001I: Security configuration initialized.
SASRas A CWWSA0002I: Authentication protocol: CSIV2/IBM
SASRas A CWWSA0003I: Authentication mechanism: SWAM
SASRas A CWWSA0004I: Principal name: BIRKT20/pbirk
SASRas A CWWSA0005I: SecurityCurrent registered.
SASRas A CWWSA0006I: Security connection interceptor initialized.
SASRas A CWWSA0007I: Client request interceptor registered.
SASRas A CWWSA0008I: Server request interceptor registered.
SASRas A CWWSA0009I: IOR interceptor registered.
NameServerImp I CWNMS0720I: Do Security service listener registration.
SecurityCompo A CWSCJ0242A: Security service is starting
UserRegistryI A CWSCJ0136I: Custom Registry:com.ibm.ws.security.registry.nt.NTLocalDomainRegistryImpl has been initialized
SecurityCompo A CWSCJ0202A: Admin application initialized successfully
SecurityCompo A CWSCJ0203A: Naming application initialized successfully
SecurityCompo A CWSCJ0204A: Rolebased authorizer initialized successfully
SecurityCompo A CWSCJ0205A: Security Admin mBean registered successfully
SecurityCompo A CWSCJ0243A: Security service started successfully
SecurityCompo A CWSCJ0210A: Security enabled true
Trace: 2005/05/06 17:27:31.539 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: printProperties SourceId: com.ibm.ws390.orb.CommonBridge Category: AUDIT ExtendedMessage: BBOJ0077I java.security.policy = /WebSphere/V6R0M0/AppServer/profiles/default/pr
Trace: 2005/05/06 17:27:31.779 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: printProperties SourceId: com.ibm.ws390.orb.CommonBridge Category: AUDIT ExtendedMessage: BBOJ0077I java.security.auth.login.config = /WebSphere/V6R0M0/AppServer/profiles/default/pr
Trace: 2005/05/06 17:27:40.892 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.core.SecurityDM SourceId: com.ibm.ws.security.core.SecurityDM Category: INFO ExtendedMessage: BBOO0222I: SECJ0231I: The Security component's FFDC Diagnostic Module com.ibm.ws.security.core.Secur red successfully: true.
Trace: 2005/05/06 17:27:40.892 01 t=8E96E0 c=UNK key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bborjtr.cpp at line: 932 error message: BBOO0222I: SECJ0231I: The Security component's FFDC Diagnostic Module com.ibm.ws.security.core.Securit d successfully: true.
Trace: 2005/05/06 17:27:41.054 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.audit.AuditServiceImpl SourceId: com.ibm.ws.security.audit.AuditServiceImpl Category: AUDIT ExtendedMessage: BBOO0222I: SECJ6004I: Security Auditing is disabled.
Trace: 2005/05/06 17:27:41.282 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl SourceId: com.ibm.ws.security.core.distSecurityComponentImpl Category: INFO ExtendedMessage: BBOO0222I: SECJ0309I: Java 2 Security is disabled.
Trace: 2005/05/06 17:27:41.282 01 t=8E96E0 c=UNK key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bborjtr.cpp at line: 932 error message: BBOO0222I: SECJ0309I: Java 2 Security is disabled.
Trace: 2005/05/06 17:27:42.239 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.auth.login.Configuration SourceId: com.ibm.ws.security.auth.login.Configuration Category: AUDIT ExtendedMessage: BBOO0222I: SECJ0215I: Successfully set JAAS login provider configuration class to com.ibm.ws.securit Configuration.
Trace: 2005/05/06 17:27:42.253 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl SourceId: com.ibm.ws.security.core.distSecurityComponentImpl Category: INFO ExtendedMessage: BBOO0222I: SECJ0212I: WCCM JAAS configuration information successfully pushed to login provider clas
Trace: 2005/05/06 17:27:42.254 01 t=8E96E0 c=UNK key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bborjtr.cpp at line: 932 error message: BBOO0222I: SECJ0212I: WCCM JAAS configuration information successfully pushed to login provider class.
Trace: 2005/05/06 17:27:42.306 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl SourceId: com.ibm.ws.security.core.distSecurityComponentImpl Category: INFO ExtendedMessage: BBOO0222I: SECJ0240I: Security service initialization completed successfully
Trace: 2005/05/06 17:27:42.306 01 t=8E96E0 c=UNK key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bborjtr.cpp at line: 932 error message: BBOO0222I: SECJ0240I: Security service initialization completed successfully
Trace: 2005/05/06 17:27:42.952 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.objectpool.ObjectPoolService SourceId: com.ibm.ws.objectpool.ObjectPoolService Category: INFO ExtendedMessage: BBOO0222I: OBPL0007I: Object Pool Manager service is disabled.
Trace: 2005/05/06 17:27:53.512 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.registry.UserRegistryImpl SourceId: com.ibm.ws.security.registry.UserRegistryImpl Category: AUDIT ExtendedMessage: BBOO0222I: SECJ0136I: Custom Registry:com.ibm.ws.security.registry.zOS.SAFRegistryImpl has been init
Trace: 2005/05/06 17:27:55.229 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.role.PluggableAuthorizationTableProxy SourceId: com.ibm.ws.security.role.PluggableAuthorizationTableProxy Category: AUDIT ExtendedMessage: BBOO0222I: SECJ0157I: Loaded Vendor AuthorizationTable: com.ibm.ws.security.core.SAFAuthorizationTab
Trace: 2005/05/06 17:27:56.481 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl SourceId: com.ibm.ws.security.core.distSecurityComponentImpl Category: INFO ExtendedMessage: BBOO0222I: SECJ0243I: Security service started successfully
Trace: 2005/05/06 17:27:56.481 01 t=8E96E0 c=UNK key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bborjtr.cpp at line: 932 error message: BBOO0222I: SECJ0243I: Security service started successfully
Trace: 2005/05/06 17:27:56.482 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl SourceId: com.ibm.ws.security.core.distSecurityComponentImpl Category: INFO ExtendedMessage: BBOO0222I: SECJ0210I: Security enabled true
Trace: 2005/05/06 17:27:56.483 01 t=8E96E0 c=UNK key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bborjtr.cpp at line: 932 error message: BBOO0222I: SECJ0210I: Security enabled true
For more information on enabling trace, see Enabling trace.
For more information on enabling trace, see Working with Trace.
Web requests follow a completely different code path than EJB requests. The security features for Web requests also differ from those for EJB requests, so resolving problems requires a different body of knowledge. For example, when using the LTPA authentication mechanism, the single sign-on (SSO) feature is available for Web requests but not for EJB requests. Because of the protocol differences, Web requests involve HTTP header information that EJB requests do not require. The Web container (or servlet engine) is also involved in the entire process. Any of these components could be involved in the problem, and all should be considered during troubleshooting, based on the type of request and where the failure occurs.
Secure EJB requests heavily involve the ORB and Naming components since they flow over the RMI/IIOP protocol. In addition, when work flow management (WLM) is enabled, other behavior changes in the code can be observed. All of these components interact closely for security to work properly in this environment. At times, trace in any or all of these components might be necessary to troubleshoot problems in this area. The trace specification to begin with is SASRas=all=enabled:com.ibm.ws.security.*=all=enabled. ORB trace is also very beneficial when the SAS/Security trace does not seem to pinpoint the problem.
The Secure Sockets Layer (SSL) is a distinct, separate layer of security. Troubleshooting SSL problems is usually separate from troubleshooting authentication or authorization problems, and there are many things to consider. Usually, SSL problems are first-time setup problems because the configuration can be difficult. Each client must contain the server's signer certificate. During mutual authentication, each server must contain the client's signer certificate. Also, there can be protocol differences (SSLv3 versus TLS) and listener port problems related to stale IORs (that is, IORs from a server that reflect the port in use before the server restarted).
SSLConnection: install <com.ibm.sslite.e@3ae78375>
>> handleHandshakeV2 <com.ibm.sslite.e@3ae78375>
>> handshakeV2 type = 1
>> clientHello: SSLv2.
SSL client version: 3.0
...
...
...
JSSEContext: handleSession[Socket[addr=null,port=0,localport=0]]
<< sendServerHello.
SSL version: 3.0
SSL_RSA_WITH_RC4_128_MD5
HelloRandom
...
...
...
<< sendCertificate.
<< sendServerHelloDone.
>> handleData <com.ibm.sslite.e@3ae78375>
>> handleHandshake <com.ibm.sslite.e@3ae78375>
>> handshakeV3 type = 16
>> clientKeyExchange.
>> handleData <com.ibm.sslite.e@3ae78375>
>> handleChangeCipherSpec <com.ibm.sslite.e@3ae78375>
>> handleData <com.ibm.sslite.e@3ae78375>
>> handleHandshake <com.ibm.sslite.e@3ae78375>
>> handshakeV3 type = 20
>> finished.
<< sendChangeCipherSpec.
<< sendFinished.
Trace security
CSIv2 CORBA Minor Codes
Whatever exceptions might occur within the security code on either the client or server, the eventual exception will become a CORBA exception. So any exception that occurs gets "wrapped" by a CORBA exception, because the CORBA architecture is used by the security service for its own inter-process communication. CORBA exceptions are generic, and indicate a problem in communication between two components. CORBA minor codes are more specific, and indicate the underlying reason that a component could not complete a request.
The following exception shows an example of a CORBA exception where the minor code is 49424300. From the table below, this minor code indicates Authentication Failure. Typically, a descriptive message is also included in the exception to assist in troubleshooting the problem. Here, the detailed message is "Exception caught invoking authenticateBasicAuthData from SecurityServer for user jdoe. Reason: com.ibm.WebSphereSecurity.AuthenticationFailedException" which indicates that the authentication failed for user "jdoe".
The completed field in the exception indicates whether the method was completed or not. In the case of a NO_PERMISSION, the method should never get invoked, so it will always be "completed:No". Other exceptions which are caught on the server side could have a completed status of "Maybe" or "Yes".
org.omg.CORBA.NO_PERMISSION: Caught WSSecurityContextException in WSSecurityContext.acceptSecContext(), reason: Major Code[0] Minor Code[0] Message[Exception caught invoking authenticateBasicAuthData from SecurityServer for user jdoe. Reason: com.ibm.WebSphereSecurity.AuthenticationFailedException] minor code: 49424300 completed: No
at com.ibm.ISecurityLocalObjectBaseL13Impl.PrincipalAuthFailReason.map_auth_fail_to_minor_code(PrincipalAuthFailReason.java:83)
at com.ibm.ISecurityLocalObjectBaseL13Impl.CSIServerRI.receive_request(CSIServerRI.java:1569)
at com.ibm.rmi.pi.InterceptorManager.iterateReceiveRequest(InterceptorManager.java:739)
at com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerDelegate.java:398)
at com.ibm.rmi.iiop.ORB.process(ORB.java:313)
at com.ibm.CORBA.iiop.ORB.process(ORB.java:1581)
at com.ibm.rmi.iiop.GIOPConnection.doWork(GIOPConnection.java:1827)
at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:81)
at com.ibm.ejs.oa.pool.PooledThread.run(ThreadPool.java:91)
at com.ibm.ws.util.CachedThread.run(ThreadPool.java:149)
The following table shows the CORBA Minor codes which a client can expect to receive after executing a security-related request such as authentication. It also includes the CORBA exception type that the minor code would appear in.
Minor code name | Minor code value (in hex) | Exception type (all in the package of org.omg.CORBA.*) | Minor code description | Retry performed (when authenticationRetryEnabled=true) |
AuthenticationFailed | 49424300 | NO_PERMISSION | This is a generic authentication failed error. It does not give any details about whether the userid or password is invalid. Some registries can choose to use this type of error code, others might choose to use the next three types which are more specific. | Yes |
InvalidUserid | 49424301 | NO_PERMISSION | This occurs when the registry returns bad userid. | Yes |
InvalidPassword | 49424302 | NO_PERMISSION | This occurs when the registry returns bad password. | Yes |
InvalidSecurityCredentials | 49424303 | NO_PERMISSION | This is a generic error indicating that the credentials are bad for whatever reason. It could be that they don't have the right attributes set. | Yes, if client has BasicAuth credential (token based credential was rejected in the first place). |
InvalidRealm | 49424304 | NO_PERMISSION | This occurs when the REALM in the token received from the client does not match the server's current realm. | No |
ValidationFailed | 49424305 | NO_PERMISSION | A validation failure occurs when a token is sent from the client or server to a target server but the token format or the expiration is invalid. | Yes, if client has BasicAuth credential (token based credential was rejected in the first place). |
CredentialTokenExpired | 49424306 | NO_PERMISSION | This is more specific about why the validation failed. In this case, the token has an absolute lifetime, and this lifetime has expired. Therefore, it is no longer a valid token and cannot be used. | Yes, if client has BasicAuth credential (token based credential was rejected in the first place). |
InvalidCredentialToken | 49424307 | NO_PERMISSION | This is more specific about why the validation failed. In this case, the token cannot be decrypted or the data within it is not readable. | Yes, if client has BasicAuth credential (token based credential was rejected in the first place). |
SessionDoesNotExist | 49424308 | NO_PERMISSION | This indicates that the CSIv2 session does not exist on the server. Typically, a retry occurs automatically and will successfully create a new session. | Yes |
SessionConflictingEvidence | 49424309 | NO_PERMISSION | This indicates that a session already exists on the server which matches the context_id sent over by the client, however, the information provided by the client for this EstablishContext message is different from the information originally provided to establish the session. | Yes |
SessionRejected | 4942430A | NO_PERMISSION | This indicates that the session referenced by the client has been previously rejected by the server. | Yes |
SecurityServerNotAvailable | 4942430B | NO_PERMISSION | This error occurs when the server cannot contact the security server (whether local or remote) in order to authenticate or validate. | No |
InvalidIdentityToken | 4942430C | NO_PERMISSION | This error indicates that identity cannot be obtained from the identity token when Identity Assertion is enabled. | No |
IdentityServerNotTrusted | 4942430D | NO_PERMISSION | This indicates that the server id of the sending server is not on the target server's trusted principal list. | No |
InvalidMessage | 4942430E | NO_PERMISSION | This indicates that the CSIv2 message format is invalid for the receiving server. | No |
AuthenticationNotSupported | 49421090 | NO_PERMISSION | This error occurs when a mechanism does not support authentication (very rare). | No |
InvalidSecurityMechanism | 49421091 | NO_PERMISSION | This is used to indicate that the specified security mechanism is not known. | No |
CredentialNotAvailable | 49421092 | NO_PERMISSION | This indicates a credential is not available when it is required. | No |
SecurityMechanismNotSupported | 49421093 | NO_PERMISSION | This error occurs when a security mechanism specified in the CSIv2 token is not implemented on the server. | No |
ValidationNotSupported | 49421094 | NO_PERMISSION | This error occurs when a mechanism does not support validation (such as LocalOS). This error should not occur since the LocalOS credential is not a forwardable credential, therefore, validation should never need to be called on it. | No |
CredentialTokenNotSet | 49421095 | NO_PERMISSION | This is used to indicate the token inside the credential is null. | No |
ServerConnectionFailed | 494210A0 | COMM_FAILURE | This error is used when a connection attempt fails. | Yes (via ORB retry) |
CorbaSystemException | 494210B0 | INTERNAL | This is a generic CORBA specific exception in system code. | No |
JavaException | 494210B1 | INTERNAL | This is a generic error that indicates an unexpected Java exception occurred. | No |
ValueIsNull | 494210B2 | INTERNAL | This is used to indicate that a value or parameter passed in was null. | No |
EffectivePolicyNotPresent | 494210B3 | INTERNAL | This indicates that an effective policy object for CSIv2 is not present. This object is used to determine what security configuration features have been specified. | No |
NullPointerException | 494210B4 | INTERNAL | This is used to indicate that a NullPointerException was caught in the runtime. | No |
ErrorGettingClassInstance | 494210B5 | INTERNAL | This indicates a problem loading a class dynamically. | No |
MalFormedParameters | 494210B6 | INTERNAL | This indicates parameters are not valid. | No |
DuplicateSecurityAttributeType | 494210B7 | INTERNAL | A duplicate credential attribute has been specified during the set_attributes operation. | No |
MethodNotImplemented | 494210C0 | NO_IMPLEMENT | A method invoked has not been implemented. | No |
GSSFormatError | 494210C5 | BAD_PARAM | This indicates that a GSS encoding or decoding routine has thrown an exception. | No |
TagComponentFormatError | 494210C6 | BAD_PARAM | This indicates that a tag component cannot be read properly. | No |
InvalidSecurityAttributeType | 494210C7 | BAD_PARAM | This indicates an attribute type specified during the set_attributes operation is an invalid type. | No |
SecurityConfigError | 494210CA | INITIALIZE | A problem exists between the client and server configuration. | No |
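The following Python code is an added example, not part of the IBM documentation. It parses the exception line format shown above (exception type, minor code, completed status), decodes the 494243xx rows of the table, applies the retry column, and flags a NO_PERMISSION whose completed status is not "No". The function names are hypothetical, only the 494243xx rows are included, and treating authenticationRetryEnabled=false as "no retry" is an assumption of this example.

```python
import re

# 494243xx rows copied from the table above: minor code -> (name, retry rule).
# Retry rule: "yes", "no", or "basicauth" (retried only if the client
# holds a BasicAuth credential).
NO_PERMISSION_CODES = {
    0x49424300: ("AuthenticationFailed", "yes"),
    0x49424301: ("InvalidUserid", "yes"),
    0x49424302: ("InvalidPassword", "yes"),
    0x49424303: ("InvalidSecurityCredentials", "basicauth"),
    0x49424304: ("InvalidRealm", "no"),
    0x49424305: ("ValidationFailed", "basicauth"),
    0x49424306: ("CredentialTokenExpired", "basicauth"),
    0x49424307: ("InvalidCredentialToken", "basicauth"),
    0x49424308: ("SessionDoesNotExist", "yes"),
    0x49424309: ("SessionConflictingEvidence", "yes"),
    0x4942430A: ("SessionRejected", "yes"),
    0x4942430B: ("SecurityServerNotAvailable", "no"),
    0x4942430C: ("InvalidIdentityToken", "no"),
    0x4942430D: ("IdentityServerNotTrusted", "no"),
    0x4942430E: ("InvalidMessage", "no"),
}

EXC_TYPE = re.compile(r"org\.omg\.CORBA\.([A-Z_]+):")
# Case-sensitive on purpose: "Minor Code[0]" inside the message is a different field.
MINOR = re.compile(r"\bminor code:\s*([0-9A-Fa-f]{8})\b")
COMPLETED = re.compile(r"\bcompleted:\s*(Yes|No|Maybe)\b")


def parse_corba_exception(text):
    """Return the fields of a CORBA exception line, or None if it is not one."""
    exc, minor, done = EXC_TYPE.search(text), MINOR.search(text), COMPLETED.search(text)
    if not (exc and minor):
        return None
    code = int(minor.group(1), 16)
    name, retry = NO_PERMISSION_CODES.get(code, (None, None))
    info = {"exception": exc.group(1), "minor": code, "name": name, "retry": retry,
            "completed": done.group(1) if done else None, "anomalies": []}
    if name and info["exception"] != "NO_PERMISSION":
        info["anomalies"].append("table lists this code under NO_PERMISSION")
    if info["exception"] == "NO_PERMISSION" and info["completed"] not in (None, "No"):
        info["anomalies"].append("NO_PERMISSION with completed: " + info["completed"])
    return info


def retry_expected(info, retry_enabled=True, has_basic_auth=False):
    """Apply the table's retry column; None means the code is not in the subset."""
    if info["retry"] is None:
        return None
    if not retry_enabled:      # assumption: no retry unless the property is true
        return False
    if info["retry"] == "basicauth":
        return has_basic_auth
    return info["retry"] == "yes"


# Constructed samples, shortened from exception text shown on this page.
AUTH_FAILED = ("org.omg.CORBA.NO_PERMISSION: Caught WSSecurityContextException in "
               "WSSecurityContext.acceptSecContext(), reason: Major Code[0] Minor Code[0] "
               "Message[...] minor code: 49424300 completed: No")
ORB_CONNECT = ("org.omg.CORBA.OBJ_ADAPTER: ORB_CONNECT_ERROR (5) - couldn't get "
               "Server Subcontract minor code: 4942FB8F completed: No")

if __name__ == "__main__":
    for sample in (AUTH_FAILED, ORB_CONNECT):
        info = parse_corba_exception(sample)
        print(info["exception"], hex(info["minor"]), info["name"], retry_expected(info))
```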
For current information available from IBM Support on known problems and their resolution, see the IBM Support page.
IBM Support has documents that can save you time gathering information needed to resolve this problem. Before opening a PMR, see the IBM Support page.