Admin Console Fails When Started With Adminrole Userid
 Technote (FAQ)
 
Problem
WebSphere Application Server security was enabled using the local operating system. In the admin tab of the Security Center of the Application Server, user specified that user's id could perform Admin functions (adminrole).

The Application Server was then stopped and restarted as root.

After logging in as root, and starting the admin Gui, a prompt window displayed asking for
userid/pwd. Userid and password were entered, and the Admin Gui came up with no problems.

User then logged on as own userid. Started Admin Gui, but the prompt window asking for uid/pwd never appears, instead a prompt window displays saying:

ADGU2009E Security Error: Either username/password is wrong or this user is not authorized to connect to admin server

In tracefile were these msgs:

[01.11.27 16:13:42:564 GMT+11:00] 22609753 SecurityColla A SECJ0053E:
Authorization failed for /UNAUTHENTICATED while invoking
(Home)ejsadmin/homes/ClientAccessHome create:0 securityName:
/UNAUTHENTICATED;accessID: UNAUTHENTICATED is not granted any of the
required roles: AdminRole

[01.11.27 16:13:42:589 GMT+11:00] 22609753 ExceptionUtil X CNTR0019E:
Non-application exception occurred while processing method create:
com.ibm.websphere.csi.CSIException: SECJ0053E: Authorization failed for
/UNAUTHENTICATED while invoking (Home)ejsadmin/homes/ClientAccessHome
create:0 securityName: /UNAUTHENTICATED;accessID: UNAUTHENTICATED is not
granted any of the required roles: AdminRole
at com.ibm.ejs.security.SecurityCollaborator.performAuthorization(SecurityC
ollaborator.java:555)
at com.ibm.ejs.security.EJSSecurityCollaborator.preInvoke(EJSSecurityCollab
orator.java(Compiled Code))
create:0 securityName: /UNAUTHENTICATED;accessID: UNAUTHENTICATED is not
granted any of the required roles: AdminRole
at com.ibm.ejs.security.SecurityCollaborator.performAuthorization(SecurityC
ollaborator.java:555)
at com.ibm.ejs.security.EJSSecurityCollaborator.preInvoke(EJSSecurityCollab
orator.java(Compiled Code))
at com.ibm.ejs.container.EJSContainer.preInvokeForStatelessSessionCreate(EJ
SContainer.java:2231)
at com.ibm.ejs.container.EJSContainer.preInvoke(EJSContainer.java(Compiled
Code))
at com.ibm.ejs.sm.beans.EJSRemoteStatelessClientAccessHome.create(EJSRemote
StatelessClientAccessHome.java:24)
at com.ibm.ejs.sm.beans._EJSRemoteStatelessClientAccessHome_Tie._invoke(_EJ
SRemoteStatelessClientAccessHome_Tie.java:87)
at com.ibm.CORBA.iiop.ExtendedServerDelegate.dispatch(ExtendedServerDelegat
e.java:506)
at com.ibm.CORBA.iiop.ORB.process(ORB.java:2294)
at com.ibm.CORBA.iiop.OrbWorker.run(OrbWorker.java:185)
at com.ibm.ejs.oa.pool.ThreadPool$PooledWorker.run(ThreadPool.java:95)
at com.ibm.ws.util.CachedThread.run(ThreadPool.java:122)

There are similar msgs in the activity.log file.

Here is a summary of when user was able to get Admin Gui to start:

No Security Security Enabled
---------------------------------------------------------
Logged on Yes yes
as root
---------------------------------------------------------
Logged on Yes no
as non root
userid
 
 
Solution
Change the /usr/WebSphere/AppServer/properties files to have additional read/write/execute permissions for a userid defined for admin role. Then the admin console starts successfully when su is issued to this userid. These are the steps to make this work:
1. Start adminserver as root
2. Start admin console: enable security, localos, and adminrole for 'myid' userid
3. Stop/start adminserver as root
4. cd /usr/WebSphere/AppServer/properties and change permissions as mentioned above (rwx for properties files)
5. su myid
6. Start admin console (./adminclient.sh)
7. You will be prompted for userid/pw: enter userid/pw defined for localos 8. Admin console starts and you can now modify the configuration
 
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): Solaris
Software version: 4.0.1
Software edition:
Reference #: 1047217
IBM Group: Software Group
Modified date: Aug 30, 2004