Unable to authenticate when a repository is down

If one or more of the configured repositories is down, you cannot authenticate to, or stop, WebSphere Application Server.

Problem

The following exception, or a similar one, may occur. It indicates that a connection to the back-end repository cannot be established:

CWWIM4520E The 'javax.naming.CommunicationException:
Extdomain1.altext.ibm.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]'
naming exception occurred during processing.
at com.ibm.ws.wim.adapter.ldap.LdapConnection.reCreateDirContext(LdapConnection.java:613)
at com.ibm.ws.wim.adapter.ldap.LdapConnection.search(LdapConnection.java:2419)
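When the message above shows up in SystemOut.log, the first question is which repository endpoint virtual member manager could not reach, and how often. The following Python helper is an added example, not part of the IBM technote: it scans log text for CWWIM4520E entries and reports each unreachable host:port with its hit count and root cause. The log excerpt is constructed for the example (hostnames and timestamps are made up); the regular expression tolerates the message being wrapped across lines, as it is on this page.

```python
import re

# Constructed SystemOut.log excerpt (not real output). Two LDAP repositories:
# the first is refused twice, the second times out once; the last line is an
# ordinary stack frame that the parser must ignore.
SAMPLE_LOG = """\
[1/1/20 10:00:01:000 UTC] 0000001a LdapConnectio E   CWWIM4520E The 'javax.naming.CommunicationException: ldap1.example.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]' naming exception occurred during processing.
[1/1/20 10:00:02:000 UTC] 0000001a LdapConnectio E   CWWIM4520E The 'javax.naming.CommunicationException:
ldap1.example.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]' naming exception occurred during processing.
[1/1/20 10:00:03:000 UTC] 0000001b LdapConnectio E   CWWIM4520E The 'javax.naming.CommunicationException: ldap2.example.com:636 [Root exception is java.net.ConnectException: Connection timed out: connect]' naming exception occurred during processing.
	at com.ibm.ws.wim.adapter.ldap.LdapConnection.search(LdapConnection.java:2419)
"""

# Message layout: CWWIM4520E The '<exception class>: <host>:<port> [Root exception is <cause>]'
# \s* between the pieces lets a message that was wrapped onto a second line still match.
CWWIM4520E_RE = re.compile(
    r"CWWIM4520E The '(?P<exc>[\w.$]+):\s*"
    r"(?P<host>[^\s:\[]+):(?P<port>\d+)\s*"
    r"\[Root exception is (?P<root>[^\]]+)\]'"
)


def unreachable_repositories(log_text):
    """Return {(host, port): (count, root_cause)} for every repository
    endpoint that virtual member manager reported as unreachable."""
    found = {}
    for m in CWWIM4520E_RE.finditer(log_text):
        key = (m.group('host'), int(m.group('port')))
        count, _ = found.get(key, (0, None))
        found[key] = (count + 1, m.group('root').strip())
    return found


def summarize(log_text):
    """One line per endpoint, most frequently failing first."""
    rows = unreachable_repositories(log_text)
    ordered = sorted(rows.items(), key=lambda kv: -kv[1][0])
    return ['%s:%d  x%d  %s' % (host, port, count, root)
            for (host, port), (count, root) in ordered]


if __name__ == '__main__':
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Run it against a real SystemOut.log by reading the file into `unreachable_repositories`; every endpoint it lists must be reachable from the application server before the authentication failure can clear, because virtual member manager checks all configured repositories.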

Solution

Ensure that your back-end repository is running and that you can connect to it. If more than one repository is configured, all of the configured repositories must be up and running.

If the problem persists, it is due to a security feature of virtual member manager. If one or more of the configured repositories is down, you cannot log in (even as the administrator) or stop WebSphere Application Server, regardless of which repository holds your particular ID. Virtual member manager always checks all repositories before authenticating.

To disable this security feature, use the createIdMgrRealm or updateIdMgrRealm wsadmin command to set the -allowOperationIfReposDown parameter to true. The default value of the allowOperationIfReposDown parameter is false. After you disable this security feature, virtual member manager keeps working with the remaining active repositories even if one of the configured repositories is down. You can log in successfully as long as the login user ID and password are in a repository that is active.

If you set the allowOperationIfReposDown parameter to true, expect the following behavior:

Starting WebSphere Application Server
The allowOperationIfReposDown parameter is not applicable while the server is starting up. Whether the server can start up successfully with offline repositories depends entirely on the repository type. LDAP repositories do not require the LDAP servers to be up for successful server startup. Depending on your context pool settings, an LDAP repository may not even try to communicate with the LDAP server until the first request is made to read a user's profile. During server startup, WebSphere Application Server looks up the administrator's profile, so if your LDAP server is offline you may experience delays. Other repository types (including custom repositories) may fail server startup if the repository is offline. This behavior is entirely dependent on the repository type.
Logging into WebSphere Application Server
The allowOperationIfReposDown parameter applies when you log into WebSphere Application Server. After WebSphere Application Server has started successfully, even if one or more of the repositories go down, you can log in and perform any operation, including stopping the server, provided that your user ID is in one of the active repositories.
Stopping WebSphere Application Server
The allowOperationIfReposDown parameter applies when you shut down the server using wsadmin -userid -password. See the previous subheading, Logging into WebSphere Application Server, for the behavior during login.

For more information about the allowOperationIfReposDown parameter and the createIdMgrRealm or updateIdMgrRealm wsadmin commands, see the IdMgrRealmConfig command group for the AdminTask object in the WebSphere Application Server information center. (If you are using WebSphere Application Server version 6.1, first apply the PK78677 fix or install WebSphere Application Server fix pack 6.1.0.23 or later, and then change the configuration accordingly, to disable this security feature.)
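The procedure above, as a wsadmin Jython script. This is an added example and not code from the technote: it builds the argument string for AdminTask.updateIdMgrRealm, applies it, and saves the configuration. The realm name defaultWIMFileBasedRealm is the usual default for federated repositories but is an assumption here; confirm yours with AdminTask.getIdMgrDefaultRealm() before running. The script avoids newer Python syntax so that it also runs under the older Jython shipped with wsadmin.

```python
# Added example: enable allowOperationIfReposDown on a federated-repositories
# realm from wsadmin. Run with:
#   wsadmin -lang jython -f allow_repos_down.py
# Outside wsadmin (where AdminTask and AdminConfig do not exist) the script only
# prints the command it would have issued, which makes it safe to dry-run.

# Assumed realm name; the page does not name one. Check with
# AdminTask.getIdMgrDefaultRealm() in your own cell.
REALM_NAME = 'defaultWIMFileBasedRealm'


def realm_update_args(realm_name, allow_if_down):
    """Build the argument string for AdminTask.updateIdMgrRealm.

    The command expects the literal strings 'true' / 'false', not Python
    booleans, so the flag is converted explicitly.
    """
    if allow_if_down:
        flag = 'true'
    else:
        flag = 'false'
    return '[-name %s -allowOperationIfReposDown %s]' % (realm_name, flag)


def enable_operation_if_repos_down(realm_name, allow_if_down=1):
    """Update the realm and persist the change to the master configuration.

    Returns the argument string that was applied, for logging.
    """
    args = realm_update_args(realm_name, allow_if_down)
    AdminTask.updateIdMgrRealm(args)
    AdminConfig.save()
    return args


def running_in_wsadmin():
    """True when the wsadmin scripting objects are present in this namespace."""
    try:
        AdminTask
        AdminConfig
    except NameError:
        return 0
    return 1


if running_in_wsadmin():
    print('Applied updateIdMgrRealm ' +
          enable_operation_if_repos_down(REALM_NAME, 1))
else:
    print('Dry run (not inside wsadmin); would call AdminTask.updateIdMgrRealm ' +
          realm_update_args(REALM_NAME, 1))
```

In a Network Deployment cell, synchronize the nodes after AdminConfig.save() and restart the servers so that the new realm setting is read; the page's startup note still applies, because the parameter governs login and shutdown, not whether the server comes up with a repository offline.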