Use this information if you are experiencing errors after security is enabled.
For general tips on diagnosing and resolving security-related problems, see the topic Troubleshooting the security component.
If the user registry configuration, user ID, and password appear correct, use the WebSphere® Application Server trace to determine the cause of the problem. To enable security trace, use the com.ibm.ws.security.*=all=enabled trace specification.
If a user who is supposed to have access to a resource does not, a configuration step is probably missing. Review Authorizing access to administrative roles.
If the user is granted required roles, but still fails to access the secured resources, enable security trace, using com.ibm.ws.security.*=all=enabled as the trace specification. Collect trace information for further resolution.
Error Message: CWSCJ0314E: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Please refer to Problem Determination Guide for further information. {0}Permission/:{1}Code/:{2}{3}Stack Trace/:{4}Code Base Location/:{5}
The Java security manager checkPermission method has reported a SecurityException exception.
The reported exception might be critical to the secure system. Turn on security trace to determine the potential code that might have violated the security policy. Once the violating code is determined, verify if the attempted operation is permitted with respect to Java 2 Security, by examining all applicable Java 2 security policy files and the application code.
For a review of Java security policies, see the Java 2 Security documentation at http://java.sun.com/j2se/1.3/docs/guide/security/index.html.
This error can result from installing the Java Message Service (JMS) API sample and then enabling security. You can follow the instructions in the Configure and Run page of the corresponding JMS sample documentation to configure the sample to work with WebSphere Application Server security.
You can verify the installation of the message-driven bean sample by launching the installation program, selecting Custom, and browsing the components which are already installed in the Select the features you like to install panel. The JMS sample is shown as Message-Driven Bean Sample, under Embedded Messaging.
You can also verify this installation by using the administrative console to open the properties of the application server that contains the samples. Select MDBSamples and click uninstall.
This error message can result from selecting Lightweight Third Party Authentication (LTPA) as the authentication mechanism, but not generating the LTPA keys. The LTPA keys encrypt the LTPA token.
CWSRV0020E: [Servlet Error]-[validator]: Failed to load servlet: java.security.AccessControlException: access denied (java.io.FilePermission app_server_root/systemApps/isclite.ear/isclite.war/WEB-INF/validation.xml read)
CWSRV0020E: [Servlet Error]-[validator]: Failed to load servlet: java.security.AccessControlException: access denied (java.io.FilePermission /WebSphere/V6R1M0/AppServer/systemApps/isclite.ear/isclite.war/WEB-INF/validation.xml read)
For an explanation of Java 2 security, how and why to enable or disable it, how it relates to policy files, and how to edit policy files, see the Java 2 security topic in the information center navigation. The topic explains that Java 2 security is not only used by this product, but developers can also implement it for their business applications. Administrators might need to involve developers, if this exception is created when a client tries to access a resource that is hosted by WebSphere Application Server.
CWSCJ0189E: Caught ParserException while creating template for application policy profile_root/config/cells/cell_name/nodes/node_name/app.policy
CWSCJ0189E: Caught ParserException while creating template for application policy /WebSphere/V6R1M0/AppServer1/profiles/profile_name/config/cells/cell_name/nodes/node_name/app.policy.
Permission: app_server_root/logs/server1/SystemOut_02.08.20_11.19.53.log : access denied (java.io.FilePermission app_server_root/logs/server1/SystemOut_02.08.20_11.19.53.log delete) Code: com.ibm.ejs.ras.RasTestHelper$7 in {file:app_server_root/installedApps/app1/JrasFVTApp.ear/RasLib.jar } Stack Trace: java.security.AccessControlException: access denied (java.io.FilePermission app_server_root/logs/server1/SystemOut_02.08.20_11.19.53.log delete ) at java.security.AccessControlContext.checkPermission (AccessControlContext.java(Compiled Code)) at java.security.AccessController.checkPermission (AccessController.java(Compiled Code)) at java.lang.SecurityManager.checkPermission (SecurityManager.java(Compiled Code)) . Code Base Location: com.ibm.ws.security.core.SecurityManager : file:/app_server_root/plugins/com.ibm.ws.runtime_6.1.0.jar ClassLoader: com.ibm.ws.bootstrap.ExtClassLoader Permissions granted to CodeSource (file:/app_server_root/plugins/com.ibm.ws.runtime_6.1.0.jar <no certificates> { (java.util.PropertyPermission java.vendor read); (java.util.PropertyPermission java.specification.version read); (java.util.PropertyPermission line.separator read); (java.util.PropertyPermission java.class.version read); (java.util.PropertyPermission java.specification.name read); (java.util.PropertyPermission java.vendor.url read); (java.util.PropertyPermission java.vm.version read); (java.util.PropertyPermission os.name read); (java.util.PropertyPermission os.arch read); } ( This list continues.)
Permission: /WebSphere/AppServer/logs/server1/SystemOut_02.08.20_11.19.53.log : access denied (java.io.FilePermission WebSphere/AppServer/logs/server1/SystemOut_02.08.20_11.19.53.log delete) Code: com.ibm.ejs.ras.RasTestHelper$7 in {file:/WebSphere/AppServer/installedApps/app1/JrasFVTApp.ear/RasLib.jar} Stack Trace: java.security.AccessControlException: access denied (java.io.FilePermission /WebSphere/AppServer/logs/server1/SystemOut_02.08.20_11.19.53.log delete) at java.security.AccessControlContext.checkPermission (AccessControlContext.java(Compiled Code)) at java.security.AccessController.checkPermission (AccessController.java(Compiled Code)) at java.lang.SecurityManager.checkPermission (SecurityManager.java(Compiled Code)) . Code Base Location: com.ibm.ws.security.core.SecurityManager : file:/WebSphere/AppServer/lib/securityimpl.jar ClassLoader: com.ibm.ws.bootstrap.ExtClassLoader Permissions granted to CodeSource (file:/WebSphere/AppServer/lib/securityimpl.jar <no certificates> { (java.util.PropertyPermission java.vendor read); (java.util.PropertyPermission java.specification.version read); (java.util.PropertyPermission line.separator read); (java.util.PropertyPermission java.class.version read); (java.util.PropertyPermission java.specification.name read); (java.util.PropertyPermission java.vendor.url read); (java.util.PropertyPermission java.vm.version read); (java.util.PropertyPermission os.name read); (java.util.PropertyPermission os.arch read); } ( This list continues.)
Permission: profile_root/logs/server1/SystemOut_02.08.20_11.19.53.log : access denied (java.io.FilePermission profile_root/logs/server1/SystemOut_02.08.20_11.19.53.log delete) Code: com.ibm.ejs.ras.RasTestHelper$7 in {file:profile_root/installedApps/app1/JrasFVTApp.ear/RasLib.jar } Stack Trace: java.security.AccessControlException: access denied (java.io.FilePermission profile_root/logs/server1/SystemOut_02.08.20_11.19.53.log delete ) at java.security.AccessControlContext.checkPermission (AccessControlContext.java(Compiled Code)) at java.security.AccessController.checkPermission (AccessController.java(Compiled Code)) at java.lang.SecurityManager.checkPermission (SecurityManager.java(Compiled Code)) . Code Base Location: com.ibm.ws.security.core.SecurityManager : file:app_server_root/plugins/com.ibm.ws.runtime_6.1.0.jar ClassLoader: com.ibm.ws.bootstrap.ExtClassLoader Permissions granted to CodeSource (file:app_server_root/plugins/com.ibm.ws.runtime_6.1.0.jar <no certificates> { (java.util.PropertyPermission java.vendor read); (java.util.PropertyPermission java.specification.version read); (java.util.PropertyPermission line.separator read); (java.util.PropertyPermission java.class.version read); (java.util.PropertyPermission java.specification.name read); (java.util.PropertyPermission java.vendor.url read); (java.util.PropertyPermission java.vm.version read); (java.util.PropertyPermission os.name read); (java.util.PropertyPermission os.arch read); } ( This list continues.) 
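An added example (not part of the original page or of WebSphere Application Server) for the review step described for CWSCJ0314E: it extracts the denied permission and the requesting code source from each record and renders them in policy-file syntax, so they can be compared against the applicable policy files. The sample log is constructed from the values shown above; `com.example.Probe` and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the CWSCJ0314E detail shown above.
# The first record reuses the page's values; com.example.Probe is hypothetical.
SAMPLE_LOG = (
    "Permission: app_server_root/logs/server1/SystemOut_02.08.20_11.19.53.log : "
    "access denied (java.io.FilePermission "
    "app_server_root/logs/server1/SystemOut_02.08.20_11.19.53.log delete) "
    "Code: com.ibm.ejs.ras.RasTestHelper$7 in "
    "{file:app_server_root/installedApps/app1/JrasFVTApp.ear/RasLib.jar } "
    "Stack Trace: java.security.AccessControlException: access denied "
    "(java.io.FilePermission "
    "app_server_root/logs/server1/SystemOut_02.08.20_11.19.53.log delete ) "
    "at java.security.AccessControlContext.checkPermission\n"
    "Permission: os.name : access denied "
    "(java.util.PropertyPermission os.name write) Code: com.example.Probe in "
    "{file:app_server_root/installedApps/app1/JrasFVTApp.ear/RasLib.jar}\n"
)

# Denied permission, then the class and code source that requested it.
RECORD = re.compile(
    r"access denied \((?P<cls>[\w.$]+) (?P<target>.+?)(?: (?P<actions>[\w,]+))?\s*\)"
    r"\s*Code: (?P<code>[\w.$]+) in \{(?P<codebase>[^}]*?)\s*\}"
)

def parse_violations(log_text):
    """Return one dict per violation; the stack-trace repeat is not counted."""
    return [{k: v or "" for k, v in m.groupdict().items()}
            for m in RECORD.finditer(log_text)]

def group_by_codebase(violations):
    """Map each code source to the set of permissions it was denied."""
    grouped = defaultdict(set)
    for v in violations:
        grouped[v["codebase"]].add((v["cls"], v["target"], v["actions"]))
    return dict(grouped)

def policy_entry(codebase, perms):
    """Render the denials in policy-file syntax, for comparison with the policy files."""
    lines = [f'grant codeBase "{codebase}" {{']
    for cls, target, actions in sorted(perms):
        suffix = f', "{actions}"' if actions else ""
        lines.append(f'  permission {cls} "{target}"{suffix};')
    return "\n".join(lines + ["};"])

if __name__ == "__main__":
    for codebase, perms in group_by_codebase(parse_violations(SAMPLE_LOG)).items():
        print(policy_entry(codebase, perms))
```

Treat the rendered entry as a search key for the existing policy files and the application code; it shows what was denied, not what should be granted.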
If there are any syntax errors in the policy file or the ra.xml file, correct them with the policytool. Avoid editing the policy manually, because syntax errors can result.
Make sure the users matching the pattern exist in the registry. Contact your service representative if the problem persists.
This additional information might not provide a clear user action if the user account repository is corrupted or the user loses connectivity between WebSphere Application Server and an external user account repository. The external user account repository, which is referred to as a repository in this document, might be a Lightweight Directory Access Protocol (LDAP) product.
When you create a new profile using either the Profile Management tool or the command-line manageprofiles utility, an error message displays that indicates either partial success or failure. The error message, which is located in the install_dir/logs/manageprofiles/profile_name_create.log file, might point to an error in either the generateKeysForSingleProfile task or the generateKeysForCellProfile task.
The Profile Creation tool and the manageprofiles utility invoke several tasks. The generateKeysForSingleProfile task is invoked when you create a stand-alone application server or a deployment manager profile. The generateKeysForCellProfile task is invoked when you create a cell profile. Both of these tasks are the first tasks to invoke the wsadmin commands. Although the log indicates an error in one of these tasks, the error might actually result from a wsadmin command failure and not an error in the security tasks.
To determine the actual cause of the problem, review the information that is provided in the following log files:
In some instances, some security roles might not be immediately available when you deploy a secured application where LDAP has Tivoli Access Manager enabled.
"Exception: java.lang.OutOfMemoryError"
com.tivoli.pd.as.jacc.DBRefresh=0
com.tivoli.pd.as.jacc.AuthTableRemoteMode=yes
com.tivoli.pd.as.rbpf.NoUncheckedRoles=true
This helps when embedded Tivoli Access Manager is re-configured.
com.tivoli.pd.as.jacc.DBRefresh=0
com.tivoli.pd.as.jacc.AuthTableRemoteMode=yes
com.tivoli.pd.as.rbpf.NoUncheckedRoles=true
appsvr-dbrefresh=0
appsvr-mode=remote
If security is not enabled either with zPMT dialogs or with ISPF customization dialogs immediately at installation time of the WebSphere Application Server for z/OS, the RACF definitions will not have been completely generated. When security is enabled later using the administrative console, a missing RACF statement prevents the WebSphere Application Server control region from starting. Review APAR PK36598 for more details on resolving this problem.