Problem
WebSphere Application Server security was enabled using the local operating system. In the Admin tab of the Security Center of the Application Server, the user specified that the user's own ID could perform admin functions (adminrole).
The Application Server was then stopped and restarted as root.
After logging in as root and starting the Admin GUI, a prompt window was displayed asking for a userid/password. The userid and password were entered, and the Admin GUI came up with no problems.
The user then logged on with their own userid and started the Admin GUI, but the prompt window asking for userid/password never appeared. Instead, a prompt window was displayed saying:
ADGU2009E Security Error: Either username/password is wrong or this user is not authorized to connect to admin server
The trace file contained these messages:
[01.11.27 16:13:42:564 GMT+11:00] 22609753 SecurityColla A SECJ0053E: Authorization failed for /UNAUTHENTICATED while invoking (Home)ejsadmin/homes/ClientAccessHome create:0 securityName: /UNAUTHENTICATED;accessID: UNAUTHENTICATED is not granted any of the required roles: AdminRole
[01.11.27 16:13:42:589 GMT+11:00] 22609753 ExceptionUtil X CNTR0019E: Non-application exception occurred while processing method create: com.ibm.websphere.csi.CSIException: SECJ0053E: Authorization failed for /UNAUTHENTICATED while invoking (Home)ejsadmin/homes/ClientAccessHome create:0 securityName: /UNAUTHENTICATED;accessID: UNAUTHENTICATED is not granted any of the required roles: AdminRole
    at com.ibm.ejs.security.SecurityCollaborator.performAuthorization(SecurityCollaborator.java:555)
    at com.ibm.ejs.security.EJSSecurityCollaborator.preInvoke(EJSSecurityCollaborator.java(Compiled Code))
    at com.ibm.ejs.container.EJSContainer.preInvokeForStatelessSessionCreate(EJSContainer.java:2231)
    at com.ibm.ejs.container.EJSContainer.preInvoke(EJSContainer.java(Compiled Code))
    at com.ibm.ejs.sm.beans.EJSRemoteStatelessClientAccessHome.create(EJSRemoteStatelessClientAccessHome.java:24)
    at com.ibm.ejs.sm.beans._EJSRemoteStatelessClientAccessHome_Tie._invoke(_EJSRemoteStatelessClientAccessHome_Tie.java:87)
    at com.ibm.CORBA.iiop.ExtendedServerDelegate.dispatch(ExtendedServerDelegate.java:506)
    at com.ibm.CORBA.iiop.ORB.process(ORB.java:2294)
    at com.ibm.CORBA.iiop.OrbWorker.run(OrbWorker.java:185)
    at com.ibm.ejs.oa.pool.ThreadPool$PooledWorker.run(ThreadPool.java:95)
    at com.ibm.ws.util.CachedThread.run(ThreadPool.java:122)
There are similar messages in the activity.log file.
Here is a summary of when the user was able to get the Admin GUI to start:

                                No Security    Security Enabled
---------------------------------------------------------------
Logged on as root               Yes            Yes
---------------------------------------------------------------
Logged on as non-root userid    Yes            No

Solution
Change the /usr/WebSphere/AppServer/properties files to have additional read/write/execute permissions for a userid defined for the admin role. The admin console then starts successfully when su is issued to this userid.
These are the steps to make this work:
1. Start adminserver as root
2. Start admin console: enable security, localos, and adminrole for 'myid' userid
3. Stop/start adminserver as root
4. cd /usr/WebSphere/AppServer/properties and change permissions as mentioned above (rwx for properties files)
5. su myid
6. Start admin console (./adminclient.sh)
7. You will be prompted for userid/pw: enter userid/pw defined for localos
8. Admin console starts and you can now modify the configuration
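
Step 4 does not say which accounts should receive the extra permissions. As an added example (not part of the original technote), the shell functions below grant them through a group instead of to every account on the host, then report any file that is still short of group rwx or is world-writable. The function names and the group name `wasadmin` are assumptions, and 'myid' is assumed to be a member of that group.

```sh
#!/bin/sh
# Added example, not from the technote. The group name passed in (for example
# a hypothetical "wasadmin" group containing 'myid') is an assumption.

# Give group $2 read/write/execute on every regular file under directory $1.
# Bits for "other" are left untouched, so no new access is opened to the
# rest of the host.
grant_group_access() {
    props_dir=$1
    admin_group=$2
    [ -d "$props_dir" ] || { echo "no such directory: $props_dir" >&2; return 2; }
    find "$props_dir" -type f -exec chgrp "$admin_group" {} + || return 1
    find "$props_dir" -type f -exec chmod g+rwx {} + || return 1
}

# List files where the group is still missing any of r, w or x.
# Empty output means step 4 is complete for members of the group.
missing_group_access() {
    find "$1" -type f ! -perm -0070 -print
}

# List files that any local account can modify. Empty output is the goal.
world_writable() {
    find "$1" -type f -perm -0002 -print
}

# Usage: sh thisfile /usr/WebSphere/AppServer/properties wasadmin
if [ "$#" -eq 2 ]; then
    grant_group_access "$1" "$2" || exit $?
    echo "files still lacking group rwx:"; missing_group_access "$1"
    echo "world-writable files:";          world_writable "$1"
fi
```

Run it as root after step 3. Any path printed by world_writable has permissions wider than the userid defined for the admin role needs.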