Service integration bus security: Troubleshooting tips

Use this set of specific tips to help you troubleshoot problems you experience when working with a secure service integration bus.

[z/OS] To help you identify and resolve service integration bus security-related problems, use the WebSphere® Application Server trace and logging facilities as described in Setting up component trace (CTRACE).

If you encounter a problem that you think might be related to service integration bus security, you can check for error messages in the WebSphere Application Server administrative console, and in the application server SystemOut.log file. You can also enable the application server debug trace to provide a detailed exception dump.
Note: This topic references one or more of the application server log files. In addition, on distributed and IBM® i systems, it is recommended that you configure the server to use the High Performance Extensible Logging (HPEL) log and trace infrastructure instead of the SystemOut.log, SystemErr.log, trace.log and activity.log files. HPEL can also be used together with the native z/OS logging facilities. If you use HPEL, you can access all of your log and trace information with the LogViewer command-line tool from the server profile bin directory. See the information about troubleshooting applications with HPEL for more information on using HPEL.

WebSphere Application Server system messages are logged from a variety of sources, including application server components and applications. Messages logged by application server components and associated IBM products start with a unique message identifier that indicates the component or application that issued the message. The prefix for the service integration bus security component is CWSII.

The Troubleshooter reference: Messages contains information about all WebSphere Application Server messages, indexed by message prefix. For each message there is an explanation of the problem, and details of any action that you can take to resolve the problem.

Migrating a Version 5.1 application server to WebSphere Application Server Version 7.0 or later

Before you migrated the Version 5.1 application server, no user ID or password was required on the target MQ Series queue. After the application server is migrated to Version 7.0 or later and configured to use the default messaging provider (the service integration bus), client requests fail because basic authentication is now enabled. The problem appears as a log message:
SibMessage    W   [:] CWSIT0009W: A client request failed in the application 
server with endpoint <endpoint_name> in bus your_bus with reason: CWSIT0016E: 
The user ID null failed authentication in bus your_bus.

In WebSphere Application Server Version 7.0 or later, when you use a service integration bus and WebSphere Application Server security is enabled for the server or cell, by default the service integration bus queue destination inherits the security characteristics of the server or cell. So if the server or cell has basic authentication enabled, the client request fails.
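As an added example that is not part of the IBM documentation, the following Python script scans SystemOut.log lines for the CWSIT0009W/CWSIT0016E pair shown above and separates anonymous failures (user ID null, the symptom of bus security inherited after migration) from failures for a named user ID, which point at wrong credentials or registry configuration instead. The timestamp prefixes and the appuser1 ID in the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# CWSIT0009W wraps the underlying reason; CWSIT0016E is the authentication failure discussed here.
_CWSIT0009W = re.compile(
    r"CWSIT0009W: A client request failed in the application server with endpoint "
    r"(?P<endpoint>\S+) in bus (?P<bus>\S+) with reason: "
    r"(?P<reason_id>CWSI[A-Z]\d{4}[EWI]): (?P<reason>.*)$"
)
_CWSIT0016E = re.compile(r"The user ID (?P<user>\S+) failed authentication in bus (?P<bus>\S+)\.")


@dataclass
class AuthFailure:
    endpoint: str
    bus: str
    user: Optional[str]  # None when the message says "null": the client presented no credentials


def parse_line(line: str) -> Optional[AuthFailure]:
    """Return an AuthFailure for a CWSIT0009W line whose reason is CWSIT0016E, otherwise None."""
    outer = _CWSIT0009W.search(line)
    if not outer or outer.group("reason_id") != "CWSIT0016E":
        return None
    inner = _CWSIT0016E.search(outer.group("reason"))
    if not inner:
        return None
    user = inner.group("user")
    return AuthFailure(outer.group("endpoint"), outer.group("bus"), None if user == "null" else user)


def summarize(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Per bus, count anonymous failures (no credentials sent, i.e. bus security now inherited from
    the cell) separately from named-user failures (wrong password or registry problem)."""
    counts: Dict[str, Dict[str, int]] = {}
    for failure in filter(None, map(parse_line, lines)):
        bucket = counts.setdefault(failure.bus, {"anonymous": 0, "named": 0})
        bucket["anonymous" if failure.user is None else "named"] += 1
    return counts


# Constructed sample SystemOut.log lines (timestamps, thread IDs and appuser1 are made up).
SAMPLE_LOG = [
    "[7/9/16 11:12:00:001 EDT] 0000001f SibMessage    W   [:] CWSIT0009W: A client request failed in the "
    "application server with endpoint <endpoint_name> in bus your_bus with reason: CWSIT0016E: "
    "The user ID null failed authentication in bus your_bus.",
    "[7/9/16 11:12:03:417 EDT] 00000020 SibMessage    W   [:] CWSIT0009W: A client request failed in the "
    "application server with endpoint <endpoint_name> in bus your_bus with reason: CWSIT0016E: "
    "The user ID appuser1 failed authentication in bus your_bus.",
    "[7/9/16 11:12:05:002 EDT] 00000021 WsServerImpl  A   WSVR0001I: Server server1 open for e-business",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```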

To resolve the problem, you have three choices (in order of security, from least secure to most secure):
  • Disable security.
  • For a level of security equivalent to the Version 5.1 configuration, modify the settings for the service integration bus that hosts the queue destination so that bus security is disabled and the bus therefore does not inherit security characteristics from the server or cell.
  • For a greater level of security than the Version 5.1 configuration, configure basic authentication on each client that uses the service.

To disable WebSphere Application Server security, refer to Enabling and disabling security using scripting, or Global security settings.

To disable bus security, use the administrative console to complete the following steps:
  1. Navigate to Service integration -> Buses -> bus_name.
  2. Clear the Secure check box.
  3. Save your changes.
To configure basic authentication on each client, use either the administrative console or the wsadmin tool. To complete the task by using the wsadmin tool, see Configuring web service client port information using wsadmin scripting and use the WebServicesClientBindPortInfo wsadmin task option. To complete the task by using the administrative console, complete the following steps:
  1. Navigate to Applications -> Application Types -> WebSphere enterprise applications -> application_name -> Web modules or EJB modules -> module_name -> Web services: Client security bindings.
  2. Click HTTP basic authentication to access the "Configuring HTTP basic authentication with the administrative console" panel.
  3. Enter the values in the panel.
  4. Save your changes to the master configuration.

Access is denied when connecting with a user ID in an authorized group and LDAP is used

One possible cause is the group name, if you are using a Lightweight Directory Access Protocol (LDAP) registry. When you specify the group authorization permissions, the distinguished name (DN) must be used as the group name. If you specify a common name (CN) for the group name, users in that group cannot be authorized.

The steps to change the group name from CN to DN depend on where the problem occurred.




Last updated: July 9, 2016 11:12
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=rjr_prob0
File name: rjr_prob0.html