WebSphere Application Server - Express, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Errors when trying to configure or enable security

What kind of error are you seeing?

For general tips on diagnosing and resolving security-related problems, see the topic Troubleshooting the security component.

If you do not see a problem that resembles yours, or if the information provided does not solve your problem, contact IBM support for further assistance.

"LTPA password not set. validation failed" message displayed as error in the Administrative Console after saving global security settings

This error occurs when "LTPA" is selected as the authentication mechanism while configuring WebSphere Application Server security and the LTPA password field is not set. To resolve this problem:
  • Select Security > Global Security > Authentication Mechanism > LTPA in the console left-hand navigation pane.
  • Complete the password and confirm password fields.
  • Click OK.
  • Try setting Global Security again.

"Validation failed for user userid. Please try again..." displayed in the Administrative Console after saving global security settings

This typically indicates that a setting in the User Registry configuration is not valid:
  • If the user registry is LocalOS, it is likely that either the server user ID and password are invalid or the server user ID does not have "Act As Part of the Operating System" (for NT) or root authority (for UNIX). The server user ID needs this authority for authentication using the LocalOS user registry.
  • If the user registry is Lightweight Directory Access Protocol (LDAP):
    • Any of the settings that enable WebSphere Application Server to communicate with LDAP might be invalid, such as the LDAP server's user ID, password, host, port, or LDAP filter. When you select Apply or OK on the Global Security panel, a validation routine connects to the registry just as it would during runtime when security is enabled. This detects any configuration problems immediately, instead of waiting until the server restarts.
    • Verify whether your LDAP server requires the Bind Distinguished Name (DN) to find the user in the LDAP directory. If the bind distinguished name is required, you must specify a DN instead of a short name. You can specify the bind distinguished name by clicking Security > User Registries > LDAP in the administrative console. For example, you might add cn=root.
    • Sometimes the LDAP server might be down during configuration. The best way to check this is to issue a command line search using a utility such as ldapsearch to search for the server ID. This way you can determine if the server is running and if the server ID is a valid entry in the LDAP directory. The ldapsearch utility is installed during an LDAP or Lotus Notes installation.
  • If the user registry is Custom, double check that your implementation is in the classpath. Also, check to see if your implementation is authenticating properly.
  • Regardless of registry type, check the User Registries configuration panels to see if you can find a configuration error:
    • Go back to the User Registries configuration panels and retype the password for the server ID.
    • See if there is an obvious configuration error. Double check the attributes specified.
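
The command-line check described above, as an added example that is not part of the original IBM topic: a shell function that runs ldapsearch for the server ID and maps its exit status to the causes listed in this section. It assumes the OpenLDAP ldapsearch client, whose exit status is the LDAP result code; the URL, DNs, password file and uid filter are constructed values to replace with your own.

```shell
#!/bin/sh
# Added example, not IBM code. Assumes OpenLDAP's ldapsearch, which exits
# with the LDAP result code (49 = invalid credentials, 32 = no such object,
# 255 = cannot contact server). All names below are constructed values.

# check_server_id URL BIND_DN PASSWORD_FILE BASE_DN SERVER_ID
# Prints one diagnosis line; returns 0 only if the server ID entry exists.
check_server_id() {
    url=$1 bind_dn=$2 pw_file=$3 base_dn=$4 server_id=$5

    # -x   simple bind with the bind DN (for example cn=root)
    # -y   read the bind password from a file, so it never appears in the
    #      process list; the file must not end with a newline
    # -LLL terse LDIF output; "dn" asks for the entry DN only
    rc=0
    out=$(ldapsearch -x -H "$url" -D "$bind_dn" -y "$pw_file" \
            -b "$base_dn" -LLL "(uid=$server_id)" dn 2>/dev/null) || rc=$?

    case $rc in
        0)  if printf '%s\n' "$out" | grep -q '^dn:'; then
                echo "OK: server ID $server_id is an entry in the directory"
                return 0
            fi
            echo "FAIL: bind succeeded but no entry matches uid=$server_id (check server ID and LDAP filter)"
            return 1 ;;
        32) echo "FAIL: base DN $base_dn does not exist"
            return 1 ;;
        49) echo "FAIL: bind DN or password rejected (a full DN may be required instead of a short name)"
            return 1 ;;
        255) echo "FAIL: cannot contact $url (server down, or wrong host or port)"
            return 1 ;;
        *)  echo "FAIL: ldapsearch exited with LDAP result code $rc"
            return 1 ;;
    esac
}

# Example call (constructed values):
#   check_server_id ldap://ldap.example.test:389 cn=root /secure/bind.pw \
#       o=example wasadmin
```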

The setupClient.bat or setupClient.sh file is not working correctly

The setupClient.bat file on Windows platforms and the setupClient.sh file on UNIX platforms incorrectly specify the location of the SOAP security properties file.
In the setupClient.bat file, the correct location should be:
set CLIENTSOAP=-Dcom.ibm.SOAP.ConfigURL=file:%WAS_HOME%/properties/soap.client.props
In the setupClient.sh file, the CLIENTSOAP variable should be:
CLIENTSOAP=-Dcom.ibm.SOAP.ConfigURL=file:$WAS_HOME/properties/soap.client.props
In the setupClient.bat and setupClient.sh files, complete the following steps:
  1. Remove the leading / after file:.
  2. Change sas to soap.

Java HotSpot Server VM warning: Unexpected Signal 11 occurred under user-defined signal handler 0x7895710a message occurs in the native_stdout.log file when enabling security on the HP-UX11i platform

After you enable security on HP-UX 11i platforms, the following error appears in the native_stdout.log file, a core dump is produced, and WebSphere Application Server does not start:
Java HotSpot(TM) Server VM warning: 
Unexpected Signal 11 occurred under user-defined signal handler 0x7895710a
To work around this error, apply the fixes recommended by HP for Java at the following URL: http://www.hp.com/products1/unix/java/infolibrary/patches.html.

WebSphere Application Server Version 6 is not working correctly with Enterprise Workload Manager (EWLM)

To use WebSphere Application Server Version 6 with Enterprise Workload Manager (EWLM), you must manually update the WebSphere Application Server server.policy files. For example:
grant codeBase "file:/<EWLM_Install_Home>/classes/ARM/arm4.jar" {
 permission java.security.AllPermission; 
};
Otherwise, you might encounter a Java 2 security exception for violating the Java 2 security permission.

Refer to Configuring server.policy files for more information on configuring server.policy files.
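
Because the grant above gives java.security.AllPermission to a codeBase, it is worth confirming after the edit that the permission is scoped to the single JAR. The following added example (not IBM code) lists every AllPermission grant in a policy file and marks those with no codeBase or a codeBase ending in /- or /* as BROAD; the sample policy and its /opt/ewlm path are constructed stand-ins for <EWLM_Install_Home>.

```shell
#!/bin/sh
# Added example, not IBM code: audit a server.policy file for AllPermission.

# list_allpermission_grants FILE
# Prints "SCOPE<TAB>codeBase" for each grant block that contains
# java.security.AllPermission. SCOPE is SINGLE for one named file, BROAD
# when the grant has no codeBase or the codeBase ends in /- or /*.
list_allpermission_grants() {
    awk '
        /^[ \t]*\/\// { next }                     # skip // comment lines
        /^[ \t]*grant/ {
            cb = "(no codeBase: applies to all code)"
            if (match($0, /codeBase[ \t]+"[^"]*"/)) {
                cb = substr($0, RSTART, RLENGTH)
                sub(/^codeBase[ \t]+"/, "", cb)
                sub(/"$/, "", cb)
            }
        }
        /permission[ \t]+java\.security\.AllPermission/ {
            scope = (cb ~ /^\(no codeBase/ || cb ~ /\/[-*]$/) ? "BROAD" : "SINGLE"
            print scope "\t" cb
        }
    ' "$1"
}

# Constructed sample policy used to demonstrate the audit.
sample_policy() {
    cat <<'EOF'
// constructed sample, not a shipped server.policy
grant codeBase "file:/opt/ewlm/classes/ARM/arm4.jar" {
  permission java.security.AllPermission;
};
grant codeBase "file:/opt/ewlm/classes/-" {
  permission java.security.AllPermission;
};
grant {
  permission java.util.PropertyPermission "java.version", "read";
};
EOF
}

# Example: sample_policy > /tmp/server.policy
#          list_allpermission_grants /tmp/server.policy
```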

For current information available from IBM Support on known problems and their resolution, see the IBM Support page.

IBM Support has documents that can save you time gathering information needed to resolve this problem. Before opening a PMR, see the IBM Support page.

NMSV0610I: A NamingException is being thrown from a javax.naming.Context implementation

If you use CSIv2 inbound authentication, basic authentication is required, and Java clients running with com.ibm.CORBA.validateBasicAuth=true might fail with the following exception:
NMSV0610I: A NamingException is being thrown from a javax.naming.Context implementation. Details follow:
Context implementation: com.ibm.ws.naming.jndicos.CNContextImpl
Context method: lookupExt
Context name: TestaburgerNode01Cell/nodes/TestaburgerNode01/servers/server1
Target name: SecurityServer
Other data: ""
Exception stack trace: javax.naming.NoPermissionException: NO_PERMISSION exception caught. Root exception is org.omg.CORBA.NO_PERMISSION: vmcid: 0x49421000 minor code: 92 completed: No
...
SECJ0395E: Could not locate the SecurityServer at host/port:9.42.72.27/9100 to validate the userid and password entered. You may need to specify valid securityServerHost/Port in (WAS_INSTALL_ROOT)/properties/sas.client.props file.

To fix this problem, set the com.ibm.CORBA.validateBasicAuth property to false in the client's sas.client.props file, and then run the client.





Last updated: Jun 8, 2005 12:45:23 PM EDT
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/rtrb_secconfigprobs.html

© Copyright IBM Corporation 2002, 2005. All Rights Reserved.