Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message indicates that an error occurred when creating a vault instance during initialization of the server. |
Action | Enable security. If security is already enabled, see the problem determination information on the WebSphere Application Server Support Web page: http://www.ibm.com/software/webservers/appserv/was/support. |
Explanation | This exception is unexpected. The cause is not immediately known. |
Action | If the problem persists, additional information might be available if you search for the message ID on the following Web sites: WebSphere Application Server Support page: http://www.ibm.com/software/webservers/appserv/was/support/ WebSphere Application Server for z/OS Support page: http://www.ibm.com/software/webservers/appserv/zos_os390/support/ . |
Explanation | This message indicates an internal error occurred when trying to create an instance of the LoginHelperImpl class. |
Action | The problem may be an out of memory error. Restart the server machine and try again. |
Explanation | This message indicates that a reference to the Object Request Broker (ORB) was null. |
Action | The problem may be an out of memory error. Restart the server machine and try again. |
Explanation | An internal exception occurred. Your server key ring is not valid, does not contain a server certificate, or cannot be found. |
Action | Check the SSL configuration to ensure that the SSL keyStore and trustStore properties are set properly. Ensure that the keystore has at least one personal certificate and that the signer for the personal certificate is added to the truststore. Attempt loading the keystore and truststore into IKeyMan and ensure that the file type specified in the configuration (usually JKS) is the correct file type. Make sure the password specified for the keystore and truststore is valid. Use the same password for both keystore and truststore. |
Explanation | An internal exception occurred. The probable cause is that a data string processed by the Object Request Broker (ORB), such as the server's realm/name, contains characters that are not consistent with the code pages supported by the ORB. |
Action | Check the security configuration files to ensure that data strings contain only characters from code pages that are supported by the Object Request Broker (ORB). |
Explanation | This message indicates an internal error occurred when trying to access the Current class via the resolve_initial_references method. |
Action | Check to ensure the correct java class files are in the program class path. Make sure you are not using the wrong version of SAS.JAR. |
Explanation | The outcome of the init_security_context method is not as expected. This error can be caused by any secure association issues with the target server. There are times when this is benign such as for method invocations that do not require security. |
Action | Check to ensure the user name and password are valid. Restart the client and retry the operation. |
Explanation | The authentication target is not of the type BasicAuth, LocalOS or LTPA. Sometimes only LocalOS or LTPA are valid authentication targets for certain methods. |
Action | Verify that the security configuration has a valid authentication target selected. |
Explanation | The credential token is null, expired, or has been tampered with. Since the token is digitally signed, any modification of the bytes in the token will not verify. The most common reason for this error is due to a null token. |
Action | Retry the operation after a few minutes. If using the request_login method for Domino, confirm that the Domino and WebSphere Signle Sign On (SSO) configuration has been configured correctly. |
Explanation | The credential token is null, expired, or has been tampered with. Since the token is digitally signed, any modification of the bytes in the token will not verify. The most common reason for this error is due to a null token. |
Action | Retry the operation after a few minutes. If using request_login for Domino, ensure that the Domino and WebSphere Signle Sign On (SSO) configuration has been configured correctly. |
Explanation | This error could occur for one of the following reasons: the credential is null, the credential is not a subtype of org.omg.SecurityLevel2.Credentials, the credential has been marked invalid during a failed login attempt, or when the security server was unavailable. |
Action | Retry the operation. Ensure the program is creating the credential properly before setting it as the invocation credential. You may need to restart the client or server which has the invalid credential. |
Explanation | This message indicates that the building of the security context was not successful. This exception can occur when the session cannot be found in the session table, or a java runtime exception occurs. |
Action | Occasionally, problems with the client or server configuration is responsible for these errors. This exception commonly occurs when SSL connections are not being created. That could be because of settings that are not valid in the security configuration, the sas.jar file might not be specified in the class path or the serer versions might be different. Confirm that the JDK you are using has the Java Secure Socket Extension (JSSE) extension classes in the /java/jre/lib/ext directory and that the java.security file includes the IBMJCE provider. |
Explanation | An attempt to communicate with the server was not successful. |
Action | Confirm that your server is running and that the port and host configurations are correct. |
Explanation | An attempt to establish a secure association with the server resulted with a NO_PERMISSION error. |
Action | Retry the client program after a few minutes wait. Ensure that the client program is using the correct version of the sas.jar file in the classpath. |
Explanation | The target security object retrieved from a security tagged component in the Interoperable Object Reference (IOR) is null. |
Action | Verify that the principalName field specified in the server configuration is valid. |
Explanation | This indicates that the credentials object being passed to the current object are not Security Authentication Service (SAS) credentials but of some other type or no type was specified. |
Action | Ensure that the client program is correctly following the Common Object Request Broker Architecture (CORBA) programming model. Also, verify that the correct version of the sas.jar file is in the client classpath. |
Explanation | A problem occurred while trying obtain the security context object when adding a new security session. This typically occurs when the client is trying to login. |
Action | Review the client security configuration file (sas.client.props) for recent changes. If recent changes have been made, you might want to undo these changes for troubleshooting purposes. |
Explanation | This message indicates that the client credentials were marked invalid. This could be because the credential token expired, the user name and password were not confirmed, or the security server was not available to verify the user information. |
Action | Restart the client so that it logs in with new credentials. Once client credentials are marked invalid, they must be thrown away and news ones created. |
Explanation | This error indicates that the session key was not found in the session table. This error may be a result of a different problem. Problems such as an invalid credential or a security service not being available are common causes for this error. |
Action | If the problem persists, check the client properties to ensure the login information is correct and restart the client program. |
Explanation | An attempt to access a security session from the session tables on the client or on the server was not successful. The session probably has already been deleted or has not been added. If the login fails, the session will be deleted on the client side and the credentials will be marked invalid. |
Action | Determine if a server process was stopped prior to receiving this error. If a server process was stopped, restart the server process and retry the operation. |
Explanation | The problem is typically related to the security configuration. |
Action | Check the security configuration to ensure that the authenticationTarget is set properly. |
Explanation | A BasicAuth token, consisting of only a user name and password, must be authenticated and can not be validated. |
Action | Confirm that the validate method is not being called. The request can be retried after waiting for a few minutes. |
Explanation | Trying to authenticate a BasicAuth token which consists of just a user name and password in either the LTPA or LocalOS PrincipalAuthenticator class. |
Action | Confirm the client code is not calling the wrong principal authenticator. Resubmit the request after waiting a few minutes. |
Explanation | The user name passed into the authenticate method was either null or not valid. |
Action | Confirm the operation was performed with a valid user name. If a properties login is performed, confirm the user name has been set in the sas.client.props file. |
Explanation | The user name or password passed into the authenticate method was either null or not valid. |
Action | Confirm the operation was performed with a valid user name and password. If a properties login is performed, confirm the user name and password have been set in the sas.client.props file. |
Explanation | The security server cannot be located. Ensure that the wssec.jar file is located in the classpath. |
Action | The probable cause for this problem is that the class com.ibm.WebSphereSecurityImpl.SecurityServerImpl can not be located. This is typically in the wssec.jar file. |
Explanation | The attempt to authenticate the client has not been accepted. |
Action | Verify that the user name and password are correct, as an incorrect user name or password is usually the source of the problem. It is also possible that the security server was not available. Retry the opertion after a few minutes. |
Explanation | Attempting a remote invocation over the Internet Inter-ORB Protocol (IIOP) using the Simple WebSphere Authentication Mechanism (SWAM) authentication mechanism is not supported. |
Action | Retry the remote invocation using LTPA authentication mechanism configured in Global Security. |
Explanation | The credential token associated with the user credential has expired. This is expected behavior when using the Lightweight Third-Party Authentication (LTPA). |
Action | Close the client and login again. |
Explanation | The native registry exceptions do not flow to a pure client for security reasons. If your environment is protected, you may enable this feature. |
Action | Set the property "com.ibm.websphere.security.registry.propagateExceptionsToClient=true" from the server's administrative console menu: Security -> Global Security -> Custom Properties. |
Explanation | This exception is unexpected. The cause is not immediately known. |
Action | If the problem persists, additional information might be available if you search for the message ID on the following Web sites: WebSphere Application Server Support page: http://www.ibm.com/software/webservers/appserv/was/support/ WebSphere Application Server for z/OS Support page: http://www.ibm.com/software/webservers/appserv/zos_os390/support/ . |
Explanation | This message indicates that the attempt at authenticating was not successful. |
Action | Verify the user name and password are correct. Check the sas.client.props properties file to ensure the login source is valid. If this error occurs on the server, check the sas.server.props properties file to ensure the principalName property has a valid realm and user name. |
Explanation | This message indicates that the LocalOS credential is trying to access a resource on a node other than the one it was authenticated on. |
Action | Verify your code to determine if there is a naming lookup or an Enterprise Java Bean (EJB) accessing another node. |
Explanation | The message from the server has been corrupted. This could be due to message tampering or possibly an electrical surge causing the bytes to be rearranged. |
Action | Retry the operation. If this problem persists, contact your network administrator to determine if any network problems occurred when the error occured. |
Explanation | The message type sent from the server to the client was not valid. This commonly occurs when an exception is created by the server while processing a request. When this occurs, the request normally does not complete. |
Action | Retry the operation after a few minutes. If the problem persists, there should be messages on the server system which may give a better indication of what the problem is. Further tracing on the server may be necessary. |
Explanation | A security attribute is a value stored in the credential object such as userid or groupid. Either the type trying to be accessed is not a valid credential attribute type or the attribute being accessed is null. |
Action | Verify the program to ensure that the attribute being accessed is a valid credential attribute. You may need to contact your system administrator to verify that all of the attributes you need have been set in the user registry. |
Explanation | The connection type was not SSL. |
Action | Ensure that the security configuration has the SSL keyStore and trustStore properties specified, and that the keystore file has valid, non-expired certificates. |
Explanation | The communication direction passed into the get_security_features method currently only the supports org.omg.Security.CommunicationDirection._SecDirectionBoth class. |
Action | Ensure the call to the method get_security_features method passes in the org.omg.Security.CommunicationDirection._SecDirectionBoth class. |
Explanation | A security attribute is a value stored in the credential object such as userid or groupid. Either the type trying to be accessed is not a valid credential attribute type or the attribute being accessed is null. |
Action | Verify the program to ensure that the attribute being accessed is a valid credential attribute. You may need to contact your system administrator to verify that all of the attributes you need have been set in the user registry. |
Explanation | This error indicates that the same attribute in the credential object is being accessed more than once for a single call to the get_attributes method. |
Action | Ensure that multiple attempts are not being made to retrieve a single attribute at the same time. |
Explanation | The attribute list was null when the call was made to the set_attributes method on the credential. |
Action | Verify that the list of attributes that is trying to be set is not null. Retry the operation. |
Explanation | The attribute list contained an attribute type which was null when the call was made to the set_attributes method on the credential. |
Action | Verify that the list of attributes that is trying to be set does not contain a null attribute type. Retry the operation. |
Explanation | The attribute list contained a member which was null when the call was made to the set_attributes method on the credential. |
Action | Verify that the list of attributes that is trying to be set does not contain a null member. Retry the operation. |
Explanation | A java I/O Exception occurred while trying to close the keyfile. |
Action | Processing should continue. |
Explanation | The option specified in the standardClaimQOPModels property is not valid. Valid options for this property include Authenticity, Integrity, Confidentiality, and Advanced. |
Action | Correct the value specified on the standardClaimQOPModels property if you do not want to use Confidentiality. |
Explanation | Valid delegateCredentials property values include None, Simple, Scoped, Traced, and MethodDefined. |
Action | Correct the value specified on the delegateCredentials property. The default is None. |
Explanation | Ensure the value specified is between 0 and 600 seconds. |
Action | Correct the value so that it falls between 0 and 600 specified in seconds. |
Explanation | An integer value must be specified for this property. |
Action | Confirm that the value specified in the property is an integer. |
Explanation | The option specified in the standardPerformQOPModels property is not valid. Valid options for this property include Authenticity, Integrity, Confidentiality, and Advanced. |
Action | Correct the value specified on the standardPerformQOPModels property if you do not want to use Confidentiality. |
Explanation | The valid range for the SSLCredentialsTimeout property is between 0 and 31,449,600 seconds. |
Action | Correct the value specified in the property so that it is in the valid range. |
Explanation | An integer value must be specified for this property. |
Action | Confirm that the value specified in the property is an integer. |
Explanation | An integer value must be specified for this property. |
Action | Confirm that the value specified in the property is an integer. |
Explanation | The valid range of values for the SSLV3SessionTimeout property is between 0 and 86,400 seconds. |
Action | Correct the value specified so that it is within the valid range. |
Explanation | An integer value must be specified for this property. |
Action | Confirm that the value specified in the property is an integer. |
Explanation | A java runtime exception occurred when processing the security configuration. |
Action | Review your security configuration to ensure that all the values are valid. |
Explanation | The verification levels are Completeness, Consistency, PassivelyCorrect and ActivelyCorrect. The default for com.ibm.CORBA.verificationLevel is Consistency. The valid verification levels are Completeness, Consistency, PassivelyCorrect and ActivelyCorrect. Based on the level you have selected, your configuration can not be verified as correct. |
Action | This error will be preceded by additional error messages with further information. |
Explanation | The verification levels are Completeness, Consistency, PassivelyCorrect and ActivelyCorrect. The default for com.ibm.CORBA.verificationLevel is Consistency. The valid verification levels are Completeness, Consistency, PassivelyCorrect and ActivelyCorrect. Based on the level you have selected, your configuration can not be verified as correct. |
Action | This error will be preceded by additional error messages with further information. |
Explanation | The verification levels are Completeness, Consistency, PassivelyCorrect and ActivelyCorrect. The default for com.ibm.CORBA.verificationLevel is Consistency. The valid verification levels are Completeness, Consistency, PassivelyCorrect and ActivelyCorrect. Based on the level you have selected, your configuration can not be verified as correct. |
Action | This error will be preceded by additional error messages with further information. |
Explanation | The expected verification result is Success(0). The other possible verification results are Unknown (-1), ConfigIncomplete (1), ConfigInconsistent (2), and ConfigWrong (3). |
Action | This error will be preceded by additional error messages with further information. |
Explanation | This indicates that the security configuration has not been processed. |
Action | Verify the security configuration is complete in the sas.client.props file, including the location of the file specified by the com.ibm.CORBA.ConfigURL property. The most common location is <was_root>/properties. |
Explanation | At least one of the following association options must be set in the sas.client.props file: DCEClientAssociationEnabled, DCEServerAssociationEnabled, SSLTypeIClientAssociationEnabled, SSLTypeIServerAssociationEnabled, LTPAClientAssociationEnabled, LTPAServerAssociationEnabled, LocalOSClientAssociationEnabled, LocalOSServerAssociationEnabled. |
Action | Ensure that at least one of these association options are set. |
Explanation | A verification result of ConfigIncomplete (1) has been returned. |
Action | This error will be preceded by additional error messages with further information. The likely causes for this error are a missing Bootstrap Repository location, no association options selected, or the security configuration has not been initialized. |
Explanation | The expected verification result is Success(0). The other possible verification results are Unknown (-1), ConfigIncomplete (1), ConfigInconsistent (2), and ConfigWrong (3). |
Action | This error will be preceded by additional error messages with further information. |
Explanation | This indicates an inconsistency in the configuration because a login source of properties needs to have a userid and password specified. |
Action | Specify a userid on the com.ibm.CORBA.loginUserid property and password on the com.ibm.CORBA.loginPassword password if you intend to use the login source of properties. |
Explanation | This message indicates an inconsistency in the configuration because a login source of the KeyTable type needs to have a KeyTable file specified. |
Action | Specify a KeyTable file on com.ibm.CORBA.keytabFileName if you intend to use the login source of KeyTable. |
Explanation | The com.ibm.CORBA.standardPerformQOPModels property is set to advanced. The following properties are not set consistently with that value: performClientAuthentication, performServerAuthentication, performMessageReplayDetection, performMessageOutOfSequenceDetection, performMessageIntegrity, and performMessageConfidentiality. |
Action | Verify that the above properties are consistent. |
Explanation | The com.ibm.CORBA.standardClaimQOPModels property is set to advanced. The following properties are not set consistently with that value: performClientAuthentication, performServerAuthentication, performMessageReplayDetection, performMessageOutOfSequenceDetection, performMessageIntegrity, and performMessageConfidentiality. |
Action | Verify that the above properties are consistent. |
Explanation | This error occurs when a dependency between two configuration options is not met. For example, if an SSL connection is configured but the keystore file does not exist. |
Action | This error will be preceded by additional error messages with further information. |
Explanation | The expected verification result is Success (0). The other possible verification results are: Unknown (-1), ConfigIncomplete (1), ConfigInconsistent (2), and ConfigWrong (3). |
Action | This error will be preceded by additional error messages with further information. |
Explanation | The expected verification result is Success (0). The other possible verification results are: Unknown (-1), ConfigIncomplete (1), ConfigInconsistent (2), and ConfigWrong (3). |
Action | This error will be preceded by additional error messages with further information. |
Explanation | The property com.ibm.CORBA.performClientAuthentication is set. One of the following properties must also be set: SSLTypeIServerAssociationEnabled, SSLTypeIIServerAssociationEnabled, LTPAServerAssociationEnabled, or LocalOSServerAssociationEnabled. |
Action | Ensure that at least one of the server association properties are set to true. |
Explanation | The invalid flag on the credential object has been set to true. This usually means the credential was not accepted by the server when trying to authenticate. A NO_PERMISSION exception has likely been created by the server. |
Action | Log on again to pass new credentials. It might be needed to restart the client and the server to ensure that you are using the new credentials. Once credentials are marked invalid, they cannot become valid again. |
Explanation | This error indicates that the client or server configuration properties are not valid. Another possibility is that some of the configuration properties are conflicting with each other, as certain properties cannot be set together. |
Action | Review the sas.client.props file or the sas.server.props file for recent changes. If recent changes have been made, you might want to undo these changes for troubleshooting purposes. |
Explanation | A SystemException occurred when parsing the tagged component. |
Action | Confirm that you are connecting to a supported server version. Ensure that the sas.jar file you are using on the client side is compatible with that server. |
Explanation | This error indicates that the name passed into the "resolve_initial_references" method in the program is not valid or has not been registered. |
Action | Verify that that the com.ibm.CORBA.securityEnabled property is set to true in the client and server configuration. Confirm that a valid name is being passed to the "resolve_initial_references" method in the client program. |
Explanation | On the server side, there must be a set of received credentials when communicating over SSL and Mutual Authentication is enabled. Without the received credentials the server will throw a NO_PERMISSION exception. |
Action | Verify that the client set the credentials properly before invoking the request. Ensure that the correct user name and password were specified when logging in. |
Explanation | The ASSOC_ACCEPT message type is not expected to be received by the target server. |
Action | You should retry the operation after several minutes. Review the sas.client.props file on the client to ensure the settings are all valid. |
Explanation | The ASSOC_REJECT message type is not expected to be received by the target server. |
Action | You should retry the operation after several minutes. Review the sas.client.props file on the client to ensure the settings are all valid. |
Explanation | The key used to find the security context is not valid. |
Action | Ensure that the correct sas.jar file is in the server and client classpaths. |
Explanation | The host name could not be converted into the dotted IP address form. |
Action | An attempt will be made to use the host name, however, if this fails you'll need to take action. Contact your network administrator to ensure that the hostname and IP address which you have configured on the server is valid. |
Explanation | This indicates that the port specified in the server connection data is 0. |
Action | Confirm that a property was not set to a port that is already being used. The server should be stopped. After waiting about 2 minutes to allow the ports to be released, restart the server. |
Explanation | The SecurityTaggedComponentAssistorImpl.class file in the SAS.JAR is not valid. |
Action | Ensure that you have the same version of the sas.jar file as on the server. To confirm you are using the correct version, compare the dates to ensure that they match the dates of the other jar files on the server. |
Explanation | A SystemException error occurred when parsing the tagged component. |
Action | Confirm that you are connecting to a supported server version. Ensure that the sas.jar file you are using on the client side is compatible with that server. |
Explanation | This error indicates that a client is trying to establish a secure association with the server but was unable to authenticate. |
Action | Confirm that the user name and password specified during login are valid. |
Explanation | The public security name is the client's user name. In this case, a user name was not specified. |
Action | The client must specify a user name and password in most cases in order to authenticate. |
Explanation | This error typically occurs when adding a security session on the client or server. |
Action | Review the sas.client.props file and the sas.server.props file for recent changes. If recent changes have been made, you migh want to undo these changes for troubleshooting purposes. |
Explanation | The server credentials could not be found. |
Action | Check the security configuration for the com.ibm.CORBA.PrincipalName, com.ibm.CORBA.LoginUserid, and com.ibm.CORBA.LoginPassword properties to ensure they are all valid. For the com.ibm.CORBA.PrincipalName property, ensure the correct realm is specified in front of the user name. |
Explanation | This error indicates that a login attempt to the server was not successful. |
Action | Check the security configuration for the com.ibm.CORBA.PrincipalName, com.ibm.CORBA.UserID, and com.ibm.CORBA.Password properties to ensure they are all valid. For the com.ibm.CORBA.PrincipalName property, ensure the correct realm is specified in front of the user name. |
Explanation | A certificate in the keystore has expired. |
Action | Open the keystore and validate the expiration dates for all the certificates in the keystore. Remove any expired certificates. |
Explanation | A certificate in the keystore is about to expire. |
Action | Open the keystore and validate the expiration dates for all the certificates in the keystore. Generate new certificates to replace the certificates that are about to expire. |
Explanation | The credential token is null, expired, or has been tampered with. The token is digitally signed, so any modification of the bytes in the token can not be verified. The most common reason for this error is a null token. |
Action | Retry the operation after a few minutes. If using the request_login method for Domino, confirm that single signon (SSO) between the Domino server and the WebSphere Applpication Server has been configured correctly. |
Explanation | An error occurred while opening the file pointed to by the bootstrapRepositoryLocation property. |
Action | Check the bootstrapRepositoryLocation property in the security configuration to be sure it points to a valid filename and location. If the path is correct, rename the file to allow it to recreate a new file. |
Explanation | The file pointed to by the BootstrapRepositoryLocation property in the security configuration has been corrupted. |
Action | Stop the server and rename the file pointed to by the BootstrapRepositoryLocation class. After renaming the file, restart your server and the file should get recreated. Try running "java com.ibm.ISecurityUtilityImpl.BootstrapRepository %WAS_ROOT%/etc/secbootstrap" from the command line to see if the new file can be read. Make sure %WAS_ROOT% points to the correct installation path. |
Explanation | The file pointed to by BootstrapRepositoryLocation property in the security configuration has been corrupted. |
Action | Stop the server and rename the file pointed to by the BootstrapRepositoryLocation class. After renaming the file, restart your server and the file should get recreated. Try running "java com.ibm.ISecurityUtilityImpl.BootstrapRepository %WAS_ROOT%/etc/secbootstrap" from the command line to see if the new file can be read. Make sure %WAS_ROOT% points to the correct installation path. |
Explanation | This error indicates that security for this object request broker (ORB) has already been initialized and an attempt to initialize it again is occurring. |
Action | The ServiceInit method, the call that enables security, will return immediately without reinitializing the security. Enable trace to determine what called the ServiceInit method a second time. See the problem determination information on the WebSphere Application Server Support Web page: http://www.ibm.com/software/webservers/appserv/was/support. |
Explanation | A java InputStream read error occurred. |
Action | Retry the operation. |
Explanation | The host address of the server is null as read from the Interoperable Object Reference (IOR) that the server exported. |
Action | Make sure the version of the sas.jar file is valid for the application server you are using. Restart the server and try the operation again. |
Explanation | There are values in the Interoperable Object Reference (IOR) that require a value but are currently null. This usually indicates that an exception occurred while trying to read them or there is an interoperability problem with another version of the server. |
Action | Ensure that the client version you are using is supported by the server. Check the sas.jar file date and size and verify it is the same as that of the server. Check the classpath to ensure it includes the correct version of SAS.JAR. |
Explanation | The valid range for the requestCredsExpiration property is between 10 and 524160 minutes. |
Action | Correct the value specified in the requestCredsExpiration property so that it is within the valid range. |
Explanation | The com.ibm.CORBA.requestCredsExpiration property may not be smaller than the com.ibm.CORBA.requestTimeout property. |
Action | Ensure that the com.ibm.CORBA.requestTimeout property is smaller than the com.ibm.CORBA.requestCredsExpiration property. |
Explanation | The security mechanism is not a valid mechanism as defined in the mechanism factory. |
Action | Check the security configuration to ensure the properties are set correctly. Retry the operation. |
Explanation | The value passed into the is_valid method is negative. |
Action | Ensure the value passed into the is_valid method is not negative. |
Explanation | The credential object passed to the server is not a type that the server supports. |
Action | Ensure that the client authentication target in the client properties is set to a value that the server supports. |
Explanation | The credential is either null, not a subtype of the org.omg.SecurityLevel2.Credentials class, or marked invalid. The credential could have been marked invalid during a failed log in attempt or when the security server was not available. |
Action | Retry the operation. Ensure the program is creating the credential properly before setting it as the invocation credential. You might need to restart the client or server which has the invalid credential. |
Explanation | A java runtime exception occurred while a thread was trying to sleep for a specified number of seconds. |
Action | Restart the server. |
Explanation | The keyfile entry for the specified realm and security name was not found in the keyfile. |
Action | Ensure that the com.ibm.ssl.keyStoreFile property is pointing to a keyfile which contains the realm and security name that you intended. |
Explanation | A java runtime exception occurred while decoding the loginPassword property. |
Action | Retype the password on the loginPassword property and restart the program. |
Explanation | A java runtime exception occurred while decoding the keystore password property. |
Action | Retype the password on the keystore password property and restart the program. |
Explanation | A java runtime exception occurred while decoding the truststore password property. |
Action | Retype the password on the com.ibm. property and restart the program. |
Explanation | This error usually indicates a problem with the Object Request Broker (ORB). |
Action | Confirm that an orb.properties file exists in java/jre/lib directory. |
Explanation | The security configuration does not allow for an anonymous identity token. |
Action | Make sure the client gets prompted and enters valid credentials. |
Explanation | The type of credential is not one that is supported for Identity Assertion. |
Action | Review the client configuration, specifically the authenticationTarget property to ensure it contains a supported value. |
Explanation | The server does not support certificate based credentials. |
Action | In order to communicate with this downstream server using Identity Assertion, the originating client should try a different authentication mechanism such as BasicAuth. |
Explanation | The server does not support principal based credentials. |
Action | In order to communicate with this downstream server using Identity Assertion, the originating client should try a different authentication mechanism such as SSL client certificates. |
Explanation | The server does not support distinguished name based credentials. |
Action | In order to communicate with this downstream server using Identity Assertion, the originating client should try a different authentication mechanism which is principal based rather than DN based. |
Explanation | The server did not set the credentials during the bootstrap process. |
Action | Try restarting the server. Report the problem to customer support. |
Explanation | The server's credentials are invalid. |
Action | Try to log in again specifying a realm, user name, or both. |
Explanation | A method request could take longer than the credential expiration period. |
Action | Either increase the cache timeout or decrease the Object Request Broker (ORB) request timeout. |
Explanation | The password for the hardware crypto device could not be decoded properly. |
Action | Go back to the configuration and retype the password. |
Explanation | Valid loginSource options are: prompt, properties, stdin, key file, key table, and none. |
Action | Provide a valid source for the loginSource property. |
Explanation | The Common Secure Interoperability version 2 (CSIv2) inbound configuration panel does not have the noted server ID configured correctly. |
Action | Verify that the server ID that is listed in the message is added to the trusted server list in the CSIv2 inbound authentication panel. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | The Interoperable Object Reference (IOR) from the server does not contain a Common Secure Interoperability version 2 (CSIv2) tagged component. |
Action | The server might need to be restarted. Also the check the client configuration and redeploy the object. |
Explanation | The implementation does not support Secure Inter-ORB Protocol (SECIOP). |
Action | Communication to a server over SECIOP is not valid. You must communicate to the server over IIOP. |
Explanation | The transport tag is not a recognized or supported transport. |
Action | Determine what transports are supported on the server you are connecting to by examining the security configuration and the sas.server.props file. |
Explanation | The connection was not successful because the client requires SSL but the server does not support it. |
Action | If SSL is not a requirement, change the client configuration to support, not require, SSL. If SSL is a requirement, configure the server to support SSL. |
Explanation | The server does not support SSL client authentication. |
Action | Connect using BasicAuth client authentication, specifying a user name and password. |
Explanation | The server will not authenticate the client using SSL client certificates. |
Action | Connect using BasicAuth client authentication, specifying a user name and password. |
Explanation | The client is not configured to use SSL client certificate authentication. |
Action | Review the client configuration to ensure it is set up to perform SSL client certificate authentication. |
Explanation | The client requires SSL confidentiality but the server does not support it. |
Action | Remove the SSL confidentiality requirement from the client. If this is not possible, configure the server to support it. |
Explanation | The server requires SSL confidentiality but the client does not support it. |
Action | Set the com.ibm.CSI.performTransportAssocSSLTLSSupported property to true in the sas.client.props file to support confidentiality. |
Explanation | The client requires SSL Integrity but the server does not support it. |
Action | Remove the integrity requirement from the client. If this is not possible, configure the server to support it. |
Explanation | The server requires SSL Integrity but the client does not support it. |
Action | Modify the client configuration to support Integrity. |
Explanation | The Common Secure Interoperability version 2 (CSIv2) tagged component did not specify an authentication mechanism. |
Action | Retry the client application or restart the server to export the Interoperable Object Reference (IOR) for the object again. |
Explanation | The server currently will not accept BasicAuth authentication or any other client authentication mechanism. |
Action | Configure the client for SSL client authentication or contact the server administrator. |
Explanation | The client currently will not accept BasicAuth authentication or any other client authentication mechanism. |
Action | Configure the client for BasicAuth aclient authentication or contact the server administrator. |
Explanation | The server is supplying an unsupported object ID (OID). |
Action | Try using SSL client certificate authentication. |
Explanation | The authentication mechanism of the server is not supported by the client. |
Action | Modify the authenticationTarget property in the client configuration to a value that is supported by the server. |
Explanation | The authentication mechanism of the server is not supported by the client. |
Action | Modify the authenticationTarget property in the client configuration to a value that is supported by the server. |
Explanation | The authentication mechanism of the server is not supported by the client. |
Action | Modify the authenticationTarget property in the client configuration to a value that is supported by the server. |
Explanation | A value in the Common Secure Interoperability version 2 (CSIv2) tagged component required for client authentication is null. |
Action | Try using SSL client authentication or contact the system administrator. |
Explanation | The receiving server has not been configured for Identity Assertion. It is a requirement of the sending server that the receiving server be configured for Identity Assertion. |
Action | Modify the configuration on the receiving server to support Identity Assertion. |
Explanation | A naming mechanism is needed to determine how to encode and decode the identity token. |
Action | The receiving server might not support Identity Assertion. Try contacting the system administrator of the receiving server. |
Explanation | The target server likely does not support Identity Assertion. |
Action | The target server might need to review how it exports the tagged components. Contact the system administrator of the target server. |
Explanation | An exception has occurred while encoding or decoding security information. |
Action | See the problem determination information on the WebSphere Application Server Support Web page: http://www.ibm.com/software/webservers/appserv/was/support. |
Explanation | Valid property values are activelycorrect, passivelycorrect, consistency, and completeness. |
Action | Specify a valid value for the verification level property. |
Explanation | The custom authentication mechanism when implements WSSecurityContext interface is having problems being instantiated. |
Action | Review the constructor of this class to confirm the proper class is specified in the security configuration. |
Explanation | The object ID (OID) specified in the credential does not have a corresponding WSSecurityContext implementation. |
Action | Ensure that the WSSecurityContext configuration specifies an implementation for this OID. |
Explanation | The credential has an object ID (OID) which does not match the configured authenticationTarget OID. |
Action | Modify the authenticationTarget property to support the credential OID. |
Explanation | The valid protocol values for the com.ibm.CSI.protocol property are ibm, csiv2, and both. |
Action | Specify a valid value for the com.ibm.CSI.protocol property. |
Explanation | The authenticationRetryCount property must contain an integer value. |
Action | Specify an integer value for the authenticationRetryCount property. |
Explanation | The value of the com.ibm.CORBA.ConfigURL property is not in a valid URL format. |
Action | Specify a valid value for the com.ibm.CORBA.ConfigURL property, and ensure there is only a single / after file: in the URL string. |
Explanation | The file specified by the com.ibm.CORBA.ConfigURL property does not exist or is not in a valid format. |
Action | Confirm the file exists in the location specified. If the file exists in that location, ensure the URL is in the valid format. |
Explanation | The file specified by the com.ibm.CORBA.ConfigURL property does not exist or is not in a valid format. |
Action | Confirm the file exists in the location specified. If the file exists in that location, ensure the URL is in the valid format. |
Explanation | The SecurityManager needs read access to read the com.ibm.CORBA.ConfigURL property. |
Action | Specify at least read access for this property in the java.security file. |
Explanation | This exception is occurs when a particular cryptographic algorithm is requested but is not available in the environment. |
Action | Confirm the cipher and security provider specified in the SSL configuration are valid. |
Explanation | This is a general exception that occurs when trying to access a keystore file. |
Action | Ensure the following are all correct: the location of the keystore, the password used to access the keystore and the keystore type. |
Explanation | This exception is created if a key in the keystore file can not be recovered. |
Action | This usually indicates the keystore file has been corrupted. Ensure that the keystore type specified is valid, as this is another possible cause for this exception. |
Explanation | This exception is created when a specific security provider is requested but it is not available in your environment. |
Action | Confirm that the keyStoreProvider, trustStoreProvider property, and sslContextProvider propreties have valid security providers specified. |
Explanation | This is the general key management exception for all operations dealing with key management. Subclasses include: KeyIDConflict, KeyAuthorizationFailureException, ExpiredKeyException. |
Action | Check that the certificates within the keystore are not expired and can all be viewed from within the IKeyMan program. |
Explanation | When client authentication is required at the server, a principal must be sent for the request to be handled. |
Action | Ensure that the client is configured with the correct credentials to issue a request to this server. |
Explanation | When the platform is z/OS and the Local Operating System is configured as the user realm, the asserted ID must have CONTROL authority for the CBIND profile in RACF in order for the server to establish trust. |
Action | Verify that the ID listed in the message has CONTROL permission to the CBIND profile in RACF. |
Explanation | The timestamp in the RSA token is later than the current time of the receiving server. |
Action | Ensure there are no clock skews between servers. Increase the RSA tokenExpiration if the default of 10 minutes is not sufficient for a one-time use token. |
Explanation | A nonce is a value that can be used only once to prevent replay attacks. This token uses a nonce for this purpose and has received the same nonce more than once. |
Action | A replay attack may have occurred. Some investigation of the sending process may be warrented. |
Explanation | The token received could not be validated. This will typically occur when the signer of the sending process was not stored in the admin trust store. |
Action | If there error is related to validating certificates, then find out the sending process and add the sending server's signer certificate to the receiving server's trust store. |
Explanation | The RSA token could not be created due to an error with the target certificate or the Subject. |
Action | Ensure there's a valid Subject on the thread or that the target certificate was received. Check FFDC logs for related errors. |
Explanation | This occurs when a tag contains an OID that does not match to target RSAToken OID. |
Action | No action required unless RSAToken OID never appears. In that case it should fall back to LTPA. |
Explanation | This occurs when a tag contains an OID that does not match to target LTPA OID. |
Action | The target server does not have LTPA configured. |
Explanation | This occurs when a tag contains an OID that does not match to target KRB5 OID. |
Action | The target server does not have KRB5 configured. |
Explanation | The supported admin authentication mechanisms are RSA, LTPA, and KRB5. |
Action | Another authentication mechanism besides one of the supported mechanisms is configured incorrectly. |
Explanation | The RSA authentication mechanism is only for admin requests but is being used for an application request. |
Action | If this continues, try changing the admin mechanism to LTPA and ensure the realm is trusted and LTPA keys are the same between processes. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | The server credential needs to be refreshed so that the token does not expire. This message indicates that the refresh was not successful. This could be due to a problem logging into the server to get a new credential token or the credential has been marked invalid. The expiration time will be set explicitly to temporarily correct the problem. |
Action | Restart the server. |
Explanation | This logs any system exception which occurs on the server by the security interceptor or any other interceptor called after the security interceptor. |
Action | This exception is sometimes normal, such as a NO_PERMISSION exception occurring due to a user name and password that are not valid. Otherwise, see the problem determination information on the WebSphere Application Server Support Web page: http://www.ibm.com/software/webservers/appserv/was/support. |
Explanation | This logs any system exception which occurs on the server by the security request interceptor or any other request interceptor called after the security request interceptor. |
Action | This exception is sometimes normal, such as a NO_PERMISSION exception occurring due to a user name and password that are not valid. Otherwise, see the problem determination information on the WebSphere Application Server Support Web page: http://www.ibm.com/software/webservers/appserv/was/support. |
Explanation | The configuration on the client is not consistent with the configuration on the server for the specific reasons displayed after the warning message. |
Action | Use the specified reasons reported the warning message as a guideline to modify the client and server security configurations so that they match. |
Explanation | The com.ibm.CORBA.ConfigURL property specified in setupCmdLine.bat or on the java command line is not valid. |
Action | Confirm the file being specified for the com.ibm.CORBA.ConfigURL property exists. |
Explanation | The target realm does not match the current realm. The application server did not send the client request because the target realm might not be trusted. |
Action | Add the intended target realm to the Trusted target realms field using the admininstrative console at Security -> Global Security -> RMI/IIOP security -> CSIv2 Outbound Authentication. |
Explanation | The com.ibm.CORBA.ConfigURL property specified in setupCmdLine.bat or on the java command line is not set. |
Action | To enable security, set the com.ibm.CORBA.ConfigURL property to a properties file which exists, such as the sas.client.props file. |
Explanation | This exception is likely caused by an error in the security configuration or the registered factory did not implement the J2EEAuditEventFactory interface. |
Action | Check your security configuration, specifically the AuditEventFactory implementation. |
Explanation | This exception is likely caused by an error in the security configuration. |
Action | Check your security configuration, specifically the J2EEAuditEventFactory implementation. |
Explanation | Could not obtain a handle to the Audit context objects in order to be able to populate with event data. |
Action | Examine the exception for the cause of the problem. |
Explanation | A failure occurred in the auditing subsystem, preventing the event from being processed/logged. |
Action | Examine the exception for the cause of the problem. |
Explanation | The client and server do not support the same authentication target. |
Action | Examine the client and server authentication target. |
Explanation | The client and server do not support the same authentication target. |
Action | Examine the client and server authentication targets. |
Explanation | The client and server do not support the same authentication target. |
Action | Examine the client and server authentication targets. |
Explanation | The credentials supplied are either invalid or null. An attempt is being made to login as unauthenticated. If the resource is unprotected, the invocation should succeed. |
Action | Verify that the user name and password supplied are correct. Try restarting the client program to resolve the problem. Increasing the credential timeout value could reduce the likelihood of this error occurring. |
Explanation | The credentials supplied are either invalid or null. An attempt is being made to login as unauthenticated. If the resource is unprotected, the invocation should succeed. |
Action | Verify that the user name and password supplied are correct. Try restarting the client program to resolve the problem. Increasing the credential timeout value could reduce the likelihood of this error occurring. |
Explanation | The type of connection data object is not valid. There could be a problem with the classes loaded from the classpath. |
Action | Verify the classpath on the client and server both contain the same sas.jar file and have the same interim fixes. |
Explanation | This message indicates that the session being added has already been added. |
Action | Try to log in again. |
Explanation | The credentials list passed into the init_security_context method are null. An unauthenticated request will be attempted. |
Action | If you do not want to attempt an unauthenticated, confirm the user name and password used for the client login are correct. Review the login source property in the sas.client.props file. |
Explanation | The standardPerformQOPModels property in the sas.client.props file might not be set for mutual authentication. |
Action | If mutual authentication is intended, ensure the standardPerformQOPModels property is set to authenticity, integrity, or confidentiality. |
Explanation | The Interoperable Object Reference (IOR) does not contain a Distributed Computing Environment (DCE) security tag. This tag contains the target security name, mechanism and required quality of protection (QOP). |
Action | Verify that the client program is attempting to access the correct object. This message could be benign if the object method does not require security to be invoked. |
Explanation | The Interoperable Object Reference (IOR) does not contain an SSL security tag. This tag contains the port, required quality of protection (QOP) and supported QOP. |
Action | Verify that the client program is attempting to access the correct object. This message could be benign if the object method does not require security to be invoked. |
Explanation | This message indicates that the attributes stored in the credential can not be retrieved due to a java runtime exception. |
Action | Restart the client to create new credentials. Confirm that the user data provided is consistent with the data in the user registry. |
Explanation | The Interoperable Object Reference (IOR) does not contain an SSL security compound tag. This tag contains the port, required quality of protection (QOP) and supported QOP, target's client authentication type, realm name and full security name. |
Action | Verify that the client program is attempting to access the correct object. This message could be benign if the object method does not require security to be invoked. |