This article describes the issues you might encounter using a Java™ Authorization Contract for Containers (JACC) authorization provider. Tivoli® Access Manager is bundled with WebSphere® Application Server as an authorization provider. However, you can also plug in your own authorization provider.
If you have problems configuring JACC, check the following items:
If the server does not start after JACC is configured, check the following items:
When you click Save, the policy and role information is propagated to Tivoli Access Manager. This process might take some time to finish. If the save fails, you must uninstall the application and then reinstall it.
By default, after you save, wait 30 seconds before starting a newly installed application.
install_root/java/jre/PdPerm.properties
install_root/java/jre/PdPerm.ks
profile_root/etc/tam/*
install_root/java/jre/bin/java -classpath "install_root/lib/AMJACCProvider.jar:CLASSPATH" com.tivoli.pd.as.jacc.cfg.CleanSecXML fully_qualified_path/security.xml
AWXJR0008E Failed to create a PDPrincipal for principal mgr1.: AWXJR0007E A Tivoli Access Manager exception was caught. Details are: "HPDIA0202W An unknown user name was presented to Access Manager."
This problem might be caused by the host name exceeding the predefined limits of Tivoli Access Manager when it is configured against MS Active Directory. In WebSphere Application Server, the length of the host name cannot exceed 46 characters.
Check that the host name is not fully qualified. Configure the machine so that the host name does not include the host domain.
pdadmin -a administrator_name -p administrator_password
The pdadmin administrator_name prompt is displayed. For example:
pdadmin -a administrator1 -p passw0rd
user import user_name cn=user_name,o=organization_name,c=country
For example:
user import jstar cn=jstar,o=ibm,c=us
user modify user_name account-valid yes
For example:
user modify jstar account-valid yes
For information on how to import a group from LDAP to Tivoli Access Manager, see the Tivoli Access Manager documentation.
AWXJR0008E Failed to create a PDPrincipal for principal mgr1.: AWXJR0007E A Tivoli Access Manager exception was caught. Details are: "HPDAC0778E The specified user's account is set to invalid."
user modify user_name account-valid yes
For example:
user modify jstar account-valid yes
AWXJR0035E An error occurred while attempting to add member, cn=agent3,o=ibm,c=us, to role AgentRole
HPDJA0506E Invalid argument: Null or zero-length user name field for the ACL entry
To correct this error, create or import into Tivoli Access Manager the user that is mapped to the security role. For more information on propagating the security policy information, see the documentation for your authorization provider.
WASX7017E: Exception received while running file "InsuranceServicesSingle.jacl"; exception information: com.ibm.ws.scripting.ScriptingException: WASX7111E: Cannot find a match for supplied option: "[RuleManager, , , cn=mgr3,o=ibm,c=us|cn=agent3,o=ibm,c=us, cn=ManagerGroup,o=ibm,c=us|cn=AgentGroup,o=ibm,c=us]" for task "MapRolesToUsers"
The $AdminApp MapRolesToUsers task option is no longer valid when Tivoli Access Manager is used as the authorization server. To correct the error, change MapRolesToUsers to TAMMapRolesToUsers.
AWXJR0044E: The access decision for Permission, {0}, was denied because either the PolicyConfiguration or RoleConfiguration objects did not get created successfully at application installation time. RoleConfiguration exists = {false}, PolicyConfiguration exists = {false}.
If the access denied exceptions are not expected for the application, check the SystemOut.log files to see if the security policy information was correctly propagated to the provider.
If the security policy information for the application is successfully propagated to the provider, audit statements with the message key SECJ0415I appear. However, if there was a problem propagating the security policy information to the provider (for example, network problems or the JACC provider being unavailable), the SystemOut.log files contain an error message with the message key SECJ0396E (during install) or SECJ0398E (during modification). A failure to propagate the security policy to the JACC provider does not stop the installation of the application. Also, in the case of failure, no exception or error message appears during the save operation. When the problem causing this failure is fixed, run the propagatePolicyToJaccProvider tool to propagate the security policy information to the provider without reinstalling the application.
An error message (HPDBA0219E) might appear in the dmgr SystemOut.log when you install an application on WebSphere Application Server, Network Deployment (ND) and Tivoli Access Manager is enabled on a managed node.
If the error occurs, the security policy data of recently deployed applications might not be immediately available. The policy data becomes available after the Tivoli Access Manager server replicate interval, which defaults to 30 seconds after all updates have been completed. To ensure that the latest policy data is available, log on to the pdadmin console and type: server replicate.
When you use Tivoli Access Manager as the JACC provider and stop WebSphere Application Server using the administrative console or the wsadmin script, a cleanup process runs for Tivoli Access Manager. WebSphere Application Server is unable to complete this cleanup process.
WebSphere Application Server uses a different port number for each new process. Eventually, the application server runs out of port numbers to connect to the Tivoli Access Manager server and displays a "There are no ports available in the port set" error.
If this error occurs, you must manually clean up the ports that are available to WebSphere Application Server processes. A script is provided to complete this process. For more information, see the topic Cancelling multiple processes with Tivoli Access Manager as the Java Authorization Contract for Containers (JACC) provider might cause a "There are no ports available in the port set" error.
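The log checks described above (SECJ0415I versus SECJ0396E/SECJ0398E for policy propagation, the HPDBA0219E replication error, and the exhausted port set) can be run over SystemOut.log in one pass. The following is an added Python example, not IBM's code: the message ids and remedies come from this page, while the log line layout and the message texts in the constructed sample are assumptions.

```python
import re

# Message ids the troubleshooting text ties to specific outcomes.
PROPAGATION_OK = "SECJ0415I"                      # policy reached the JACC provider
PROPAGATION_FAIL = {"SECJ0396E": "install",       # propagation failed at install
                    "SECJ0398E": "modification"}  # propagation failed at modification
REPLICATION_ERROR = "HPDBA0219E"                  # dmgr: TAM data not yet replicated
PORTS_EXHAUSTED = "There are no ports available in the port set"

# Assumed entry layout: [timestamp] thread component severity message-id: text.
# Stack-trace continuation lines are indented and therefore do not match.
LINE_RE = re.compile(r"^\[[^\]]+\]\s+\S+\s+\S+\s+[A-Z]\s+(?P<msg>.*)$")

def scan_systemout(lines):
    # Group the messages that matter here by the condition they indicate.
    found = {"propagated": [], "failed": [], "replication": [], "ports": []}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        key = msg.split(":", 1)[0]                # message id precedes the colon
        if key == PROPAGATION_OK:
            found["propagated"].append(msg)
        elif key in PROPAGATION_FAIL:
            found["failed"].append((key, PROPAGATION_FAIL[key], msg))
        elif key == REPLICATION_ERROR:
            found["replication"].append(msg)
        elif PORTS_EXHAUSTED in msg:
            found["ports"].append(msg)
    return found

def recommend(found):
    # Map each condition to the remedy the troubleshooting text gives.
    advice = []
    for key, phase, _ in found["failed"]:
        advice.append(f"{key} during {phase}: fix the provider problem, then run "
                      "propagatePolicyToJaccProvider rather than reinstalling")
    if found["replication"]:
        advice.append("HPDBA0219E: wait for the replicate interval (30 s by "
                      "default) or run 'server replicate' in pdadmin")
    if found["ports"]:
        advice.append("port set exhausted: run the port cleanup script")
    return advice

# Constructed sample log: message ids are from the page, message texts are not.
SAMPLE_LOG = """\
[3/14/24 10:02:11:004 EST] 00000031 SecurityPolic A   SECJ0415I: constructed: policy propagated for InsuranceServices
[3/14/24 10:05:42:118 EST] 00000031 SecurityPolic E   SECJ0396E: constructed: propagation failed for ClaimsApp
    at com.example.Constructed.frame(Constructed.java:1)
[3/14/24 10:06:01:220 EST] 00000045 PDJAccess     E   HPDBA0219E: constructed replication error
[3/14/24 10:07:55:903 EST] 00000045 PDJAccess     E   There are no ports available in the port set
""".splitlines()
```

Calling `recommend(scan_systemout(SAMPLE_LOG))` returns one remedy per detected condition; feeding it the real file is `scan_systemout(open(path))`.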