Use this information if you are experiencing errors after security is enabled. For general tips on diagnosing and resolving security-related problems, see the topic Troubleshooting the security component.
If the user registry configuration, user ID, and password appear correct, use the WebSphere Application Server trace to determine the cause of the problem. To enable security trace, use the com.ibm.ws.security.*=all=enabled trace specification.
If a user who is supposed to have access to a resource does not, a configuration step is probably missing. Review Authorizing access to administrative roles.
If the user is granted the required roles, but still fails to access the secured resources, enable security trace, using com.ibm.ws.security.*=all=enabled as the trace specification. Collect trace information for further resolution.
Error Message: CWSCJ0314E: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Please refer to Problem Determination Guide for further information. {0}Permission/:{1}Code/:{2}{3}Stack Trace/:{4}Code Base Location/:{5}
The Java security manager checkPermission method has reported a SecurityException.
The reported exception might be critical to the secure system. Turn on security trace to determine the potential code that might have violated the security policy. Once the violating code is determined, verify if the attempted operation is permitted with respect to Java 2 Security, by examining all applicable Java 2 security policy files and the application code.
For a review of Java security policies, see the Java 2 Security documentation at http://java.sun.com/j2se/1.3/docs/guide/security/index.html.
This error can result from installing the Java Message Service (JMS) API sample and then enabling security. You can follow the instructions in the Configure and Run page of the corresponding JMS sample documentation to configure the sample to work with WebSphere Application Server security.
You can verify the installation of the message-driven bean sample by launching the installation program, selecting Custom, and browsing the components which are already installed in the Select the features you like to install panel. The JMS sample is shown as Message-Driven Bean Sample, under Embedded Messaging.
You can also verify this installation by using the administrative console to open the properties of the application server that contains the samples. Select MDBSamples and click uninstall.
This error message can result from selecting Lightweight Third Party Authentication (LTPA) as the authentication mechanism, but not generating the LTPA keys. The LTPA keys encrypt the LTPA token.
CWSRV0020E: [Servlet Error]-[validator]: Failed to load servlet:
java.security.AccessControlException: access denied
(java.io.FilePermission
app_server_root/systemApps/isclite.ear/isclite.war/WEB-INF/validation.xml read)
CWSRV0020E: [Servlet Error]-[validator]: Failed to load servlet:
java.security.AccessControlException: access denied
(java.io.FilePermission
/WebSphere/V6R1M0/AppServer/systemApps/isclite.ear/isclite.war/WEB-INF/validation.xml read)
For an explanation of Java 2 security, how and why to enable or disable it, how it relates to policy files, and how to edit policy files, see the Java 2 security topic in the information center navigation. The topic explains that Java 2 security is not only used by this product, but developers can also implement it for their business applications. Administrators might need to involve developers, if this exception is created when a client tries to access a resource that is hosted by WebSphere Application Server.
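The following stand-alone class is an added example and is not code from the WebSphere documentation or product. It reproduces the permission check that produces the AccessControlException reported in CWSCJ0314E and CWSRV0020E, and shows the policy grant that resolves it. The class name, the policy file name demo.policy, and the path /tmp/demo/validation.xml are assumptions made for the demo. Run with a security manager and no grant, both checks are denied; with the grant in the comment, the read check passes and delete stays denied, which is the same "examine the applicable policy files" step the text describes.

```java
// Added example, not from the WebSphere documentation or product.
// Demonstrates the Java 2 security check behind CWSCJ0314E / CWSRV0020E and
// the policy grant that resolves a denied java.io.FilePermission.
// Assumptions: the class name, the policy file name demo.policy, and the
// path /tmp/demo/validation.xml are made up for this demo.
//
// demo.policy (assumed file name; the grant syntax is the same one used in a
// WebSphere app.policy file). The codeBase maps the "Code Base Location"
// shown in the CWSCJ0314E output to the code that is allowed the permission:
//   grant codeBase "file:${user.dir}/-" {
//       permission java.io.FilePermission "/tmp/demo/validation.xml", "read";
//   };
//
// Without a grant (both checks denied):
//   javac PermissionCheckDemo.java
//   java -Djava.security.manager PermissionCheckDemo
// With the grant (read granted, delete still denied):
//   java -Djava.security.manager -Djava.security.policy=demo.policy PermissionCheckDemo
// Runs on JDK 8 through 23; JDK 24 no longer allows a security manager to be installed.

import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;

public class PermissionCheckDemo {

    /**
     * Asks the security manager the same question the runtime asks before the
     * servlet in CWSRV0020E reads validation.xml: does every protection domain
     * on the current call stack hold this permission?
     * Returns true if allowed, false if an AccessControlException is raised.
     */
    public static boolean isGranted(Permission p) {
        if (System.getSecurityManager() == null) {
            return true; // no security manager installed: Java 2 security is off
        }
        try {
            AccessController.checkPermission(p);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    /** Builds the permission as it appears in the message: (java.io.FilePermission path actions). */
    public static Permission filePermission(String path, String actions) {
        return new FilePermission(path, actions);
    }

    public static void main(String[] args) {
        String path = args.length > 0 ? args[0] : "/tmp/demo/validation.xml";
        Permission read = filePermission(path, "read");
        Permission delete = filePermission(path, "delete");

        System.out.println("security manager installed: " + (System.getSecurityManager() != null));
        // A denied check that the application legitimately needs calls for a grant
        // scoped to this code's codeBase; a granted check that should have failed
        // means a policy file is broader than intended.
        System.out.println("read   " + path + " -> " + (isGranted(read) ? "granted" : "denied"));
        System.out.println("delete " + path + " -> " + (isGranted(delete) ? "granted" : "denied"));
    }
}
```

The codeBase in the grant is deliberately narrow: it matches the "Code Base Location" reported in the trace rather than granting the permission to all code, so a grant added to resolve a CWSCJ0314E report does not widen what other applications on the server can do.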
CWSCJ0189E: Caught ParserException while creating template for application policy
profile_root/config/cells/cell_name/nodes/node_name/app.policy
CWSCJ0189E: Caught ParserException while creating template for application policy
/WebSphere/V6R1M0/AppServer1/profiles/profile_name/config/cells/cell_name/nodes/node_name/app.policy
Permission: app_server_root/logs/server1/SystemOut_02.08.20_11.19.53.log : access denied (java.io.FilePermission app_server_root/logs/server1/SystemOut_02.08.20_11.19.53.log delete)
Code: com.ibm.ejs.ras.RasTestHelper$7 in {file:app_server_root/installedApps/app1/JrasFVTApp.ear/RasLib.jar}
Stack Trace:
java.security.AccessControlException: access denied (java.io.FilePermission app_server_root/logs/server1/SystemOut_02.08.20_11.19.53.log delete)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java(Compiled Code))
    at java.security.AccessController.checkPermission(AccessController.java(Compiled Code))
    at java.lang.SecurityManager.checkPermission(SecurityManager.java(Compiled Code))
    ...
Code Base Location: com.ibm.ws.security.core.SecurityManager : file:/app_server_root/plugins/com.ibm.ws.runtime_6.1.0.jar
ClassLoader: com.ibm.ws.bootstrap.ExtClassLoader
Permissions granted to CodeSource (file:/app_server_root/plugins/com.ibm.ws.runtime_6.1.0.jar <no certificates>
{
    (java.util.PropertyPermission java.vendor read);
    (java.util.PropertyPermission java.specification.version read);
    (java.util.PropertyPermission line.separator read);
    (java.util.PropertyPermission java.class.version read);
    (java.util.PropertyPermission java.specification.name read);
    (java.util.PropertyPermission java.vendor.url read);
    (java.util.PropertyPermission java.vm.version read);
    (java.util.PropertyPermission os.name read);
    (java.util.PropertyPermission os.arch read);
}
(This list continues.)
If there are any syntax errors in the policy file or the ra.xml file, correct them with the policytool. Avoid editing the policy manually, because syntax errors can result.
    #
    # The fully qualified class name of the default JASPI factory implementation class.
    #
    authconfigprovider.factory=com.ibm.ws.security.jaspi.ProviderRegistry
This error message occurs if the JASPI factory implementation is not defined. The default JASPI factory implementation has been set in the server runtime. However, JASPI might not function for a client.
Make sure the users matching the pattern exist in the registry. Contact your service representative if the problem persists.
This additional information might not provide a clear user action if the user account repository is corrupted or the user loses connectivity between WebSphere Application Server and an external user account repository. The external user account repository, which is referred to as a repository in this document, might be a Lightweight Directory Access Protocol (LDAP) product.
If the security context deserialization of an LTPA token fails with a WSSecurityException containing this message: Validation of LTPA token failed due to invalid keys or token type, set the com.ibm.websphere.security.recoverContextWithNewKeys property to true.
When you create a new profile using either the Profile Management tool or the command-line manageprofiles utility, an error message displays that indicates either partial success or failure. The error message, which is located in the install_dir/logs/manageprofiles/profile_name_create.log file, might point to an error in either the generateKeysforSingleProfile task or the generateKeysForCellProfile task.
The Profile Creation tool and the manageprofiles utility invoke several tasks. The generateKeysForSingleProfile task is invoked when you create a stand-alone application server or a deployment manager profile. The generateKeysForCellProfile task is invoked when you create a cell profile. Both of these tasks are the first tasks to invoke the wsadmin commands. Although the log indicates an error in one of these tasks, the error might actually result from a wsadmin command failure and not an error in the security tasks.
To determine the actual cause of the problem, review the information that is provided in the following log files:
In some instances, some security roles might not be immediately available when you deploy a secured application where LDAP has Tivoli® Access Manager enabled.
"Exception: java.lang.OutOfMemoryError"
com.tivoli.pd.as.jacc.DBRefresh=0
com.tivoli.pd.as.jacc.AuthTableRemoteMode=yes
com.tivoli.pd.as.rbpf.NoUncheckedRoles=true
This helps when embedded Tivoli Access Manager is reconfigured.
com.tivoli.pd.as.jacc.DBRefresh=0
com.tivoli.pd.as.jacc.AuthTableRemoteMode=yes
com.tivoli.pd.as.rbpf.NoUncheckedRoles=true
appsvr-dbrefresh=0
appsvr-mode=remote
If you add a trusted domain realm and later on decide to set this realm to "Not Trusted" from the administrative console, an empty inboundTrustedAuthenticationRealm entry might be generated in the domain-security.xml file. This empty inbound or outbound trusted realm definition in the domain-security.xml file blocks this domain from using global security settings.
When the global security realm names are updated, the realm names of the application security domain are also updated with the same realm names.
In WebSphere Application Server Version 8.0, you can configure a unique instance of a federated repository at the domain level in a multiple security domain environment in addition to having an instance at the global level. However, if the federated repositories user registry is configured at the global level, or if the realm names are changed at the global level after configuring security domains, the realm names for all security domains using federated repositories are also updated. This causes all of the domains using federated repository to use the federated repository that is defined at the global level.
To resolve this issue, update security domains using federated repository with the original realm name after you create federated repositories or change realm names at the global level. The problem can be avoided if a federated repository at the global level is configured before you configure a federated repository in a security domain.
SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:{<user>}
To resolve this issue, ensure that the previous user is logged out before another user logs in using the same user ID.
If security is not enabled either with zPMT dialogs or with ISPF customization dialogs immediately at installation time of the WebSphere Application Server for z/OS, the RACF® definitions will not have been completely generated. When security is enabled later using the administrative console, a missing RACF statement prevents the WebSphere Application Server control region from starting. Review APAR PK36598 for more details on resolving this problem.