This article describes the issues you might encounter using
a Java Authorization Contract for Containers (JACC)
authorization provider. Tivoli® Access Manager is bundled
with WebSphere® Application Server as an
authorization provider. However, you also can plug in your own authorization
provider.
Tivoli Access Manager as a Java Authorization
Contract for Containers authorization provider
New feature: This topic
references one or more of the application server log files. Beginning
in WebSphere Application Server Version 8.0 you can configure the
server to use the High Performance Extensible Logging (HPEL) log and
trace infrastructure instead of using
SystemOut.log ,
SystemErr.log,
trace.log, and
activity.log files or native z/OS logging
facilities. If you are using HPEL, you can access all of your log
and trace information using the LogViewer command-line tool from your
server profile bin directory. See the information about using HPEL
to troubleshoot applications for more information on using HPEL.
newfeat
You might
encounter the following issues when using Tivoli Access
Manager as a JACC authorization provider:
External providers for Java Authorization
Contract for Containers authorization provider
You might
encounter the following issues when you use an external provider for
JACC authorization:
The server might fail to start after
configuring JACC
If the server does not start after JACC
is configured, check the following items:
- Ensure that WebSphere Application Server and Tivoli Access
Manager use the same Lightweight Directory Access Protocol (LDAP)
server.
- If the message “Policy Director Authentication failed" is displayed,
ensure that the:
- WebSphere Application Server LDAP server
ID is the same as the “Administrator user” in the Tivoli Access
Manager JACC configuration panel.
- Verify that the Tivoli Access Manager Administrator
distinguished name (DN) is correct.
- Verify that the password of the Tivoli Access
Manager administrator has not expired and is valid.
- Ensure that the account is valid for the Tivoli Access
Manager administrator.
- If a message such as socket
can't be opened for xxxx (where xxxx is
a number) is displayed, take the following actions:
- Go to the profile_root/etc/tam directory.
- Change xxxx to an available port number in the amwas.commomconfig.properties file.
If the node failed to start, change xxx to an available
port number in the amwas*cellName_nodeName_.properties file.
If the Application Server failed to start, change xxxx in
the amwas*cellname_nodeName_serverName.properties file.
The application might not deploy
properly
When you click Save, the policy
and role information is propagated to the Tivoli Access
Manager policy. This process might take some time to finish. If the
save fails, you must uninstall the application and then reinstall
it.
To access an application after it is installed, you must
wait 30 seconds, by default, to start the application after you save.
The startServer command might
fail after you configure Tivoli Access Manager or a clean
uninstall did not take place after unconfiguring JACC.
If
the cleanup for JACC unconfiguration or start server fails after JACC
is configured, take the following actions:
- Remove Tivoli Access
Manager properties files from WebSphere Application Server.
The following
files must be removed.
profile_root/etc/pd/PolicyDirector/PDPerm.properties
profile_root/etc/pd/PolicyDirector/PdPerm.ks
profile_root/etc/tam/*
- Use a utility to clear the security configuration and return the
system to the state it was in before you configure the JACC provider
for Tivoli Access Manager. The utility removes
all of the PDLoginModuleWrapper entries as well as the Tivoli Access
Manager authorization table entry from the security.xml file,
effectively removing the JACC provider for Tivoli Access
Manager. Backup the security.xml file before
running this utility.
Enter the following commands:
java -Djava.version=1.5 -classpath
"app_server_root/lib/AMJACCProvider.jar:CLASSPATH"
com.tivoli.pd.as.jacc.cfg.CleanSecXML fully_qualified_path/security.xml
An "HPDIA0202w An unknown user name
was presented to Access Manager" error might occur
You might
encounter the following error message if you try to use an existing
user in a Local Directory Access Protocol (LDAP) user registry with Tivoli Access
Manager:
AWXJR0008E Failed to create a PDPrincipal for principal mgr1.:
AWXJR0007E A Tivoli Access Manager exception was caught. Details are:
"HPDIA0202W An unknown user name was presented to Access Manager."
This
problem might be caused by the host name exceeding predefined limits
with Tivoli Access Manager when it is configured
against MS Active Directory. In
WebSphere Application Server, the maximum length
of the host name can not exceed 46 characters.
Check that the
host name is not fully qualified. Configure the machine so that the
host name does not include the host domain.
To correct this
error, complete the following steps:
- On the command line, type the following information to get a Tivoli Access
Manager command prompt:
pdadmin -a administrator_name -p administrator_password
The
pdadmin administrator_name prompt is displayed. For example:pdadmin -a administrator1 -p passw0rd
- At the pdadmin command prompt, import the user from the LDAP user
registry to Tivoli Access Manager by typing the following
information:
user import user_name cn=user_name,o=organization_name,c=country
For
example:user import jstar cn=jstar,o=ibm,c=us
After importing the user to Tivoli Access
Manager, you must use the
user modify command to
set the user account to
valid. The following syntax
shows how to use this command:
user modify user_name account-valid yes
For
example:
user modify jstar account-valid yes
For
information on how to import a group from LDAP to Tivoli Access
Manager, see the Tivoli Access Manager documentation.
An "HPDAC0778E The specified user's
account is set to invalid" error might occur
You might encounter
the following error message after you import a user to Tivoli Access
Manager and restart the client:
AWXJR0008E Failed to create a PDPrincipal for principal mgr1.:
AWXJR0007E A Tivoli Access Manager exception was caught.
Details are: "HPDAC0778E The specified user's account is set to invalid."
To
correct this error, use the
user modify command
to set the user account to valid. The following syntax shows how to
use this command:
user modify user_name account-valid yes
For
example:
user modify jstar account-valid yes
An "HPDJA0506E Invalid argument: Null or
zero-length user name field for the ACL entry" error might occur
You
might encounter an error similar to the following message when you
propagate the security policy information from the application to
the provider using the wsadmin
propagatePolicyToJACCProvider command:
AWXJR0035E An error occurred while attempting to add member,
cn=agent3,o=ibm,c=us, to role AgentRole
HPDJA0506E Invalid argument: Null or zero-length user name field for
the ACL entry
To correct this error, create or import the user,
that is mapped to the security role to the Tivoli Access
Manager. For more information on propagating the security policy information,
see the documentation for your authorization provider.
An WASX7017E: Exception received while
running file "InsuranceServicesSingle.jacl" error might occur
After
the JACC provider and Tivoli Access Manager are enabled,
when attempting to install the application, which is configured with
security roles using the wsadmin command, the following error might
occur:
WASX7017E: Exception received while running file "InsuranceServicesSingle.jacl";
exception information: com.ibm.ws.scripting.ScriptingException: WASX7111E:
Cannot find a match for supplied option:
"[RuleManager, , , cn=mgr3,o=ibm,c=us|cn=agent3,o=ibm,c=us, cn=ManagerGro
up,o=ibm,c=us|cn=AgentGroup,o=ibm,c=us]" for task "MapRolesToUsers
The
$AdminApp MapRolesToUsers task option is no longer valid when Tivoli Access
Manager is used as the authorization server. To correct the error,
change MapRolesToUsers to TAMMapRolesToUsers.
Access denied exceptions accessing applications
when using JACC
In the case of Tivoli Access
Manager, you might see the following error message.
AWXJR0044E: The access decision for Permission, {0}, was denied because either the
PolicyConfiguration or RoleConfiguration objects did not get created successfully at
application installation time. RoleConfiguration exists = {false}, PolicyConfiguration
exists = {false}."
If the access denied exceptions are
not expected for the application, check the SystemOut.log files to
see if the security policy information was correctly propagated to
the provider.
If the security policy information for the application
is successfully propagated to the provider, the audit statements with
the message key SECJ0415I appear. However, if there was a problem
propagating the security policy information to the provider (for example:
network problems, JACC provider is not available), the SystemOut.log
files contain the error message with the message keys SECJ0396E (during
install) or SECJ0398E (during modification). The installation of the
application is not stopped due to a failure to propagate the security
policy to the JACC provider. Also, in the case of failure, no exception
or error messages appear during the save operation. When
the problem causing this failure is fixed, run the propagatePolicyToJaccProvider tool
to propagate the security policy information to the provider without
reinstalling the application.