For general tips on diagnosing and resolving security-related problems, see the topic Troubleshooting the security component.
If you do not see a problem that resembles yours, or if the information provided does not solve your problem, see Troubleshooting help from IBM.
I cannot access all or part of the administrative console or use the wsadmin tool after enabling security
I cannot access a Web page after enabling security
The client cannot access an enterprise bean after enabling security
Browse the server JVM logs for errors relating to enterprise bean access and security. Look up any errors in the message table.
To resolve this problem, secure the servlet that is accessing the protected enterprise bean. Make sure that the runAs property for the servlet is set to an ID that can access the enterprise bean.
To resolve this problem, make sure that the sas.client.props file on the client side has its securityEnabled flag set to true.
authentication failed error.In this case the user ID or password supplied by the client program is probably not valid:
org.omg.CORBA.NO_PERMISSION: Caught WSSecurityContextException in WSSecurityContext.acceptSecContext(), reason: Major Code[0] Minor Code[0] Message[ Exception caught invoking authenticateBasicAuthData from SecurityServer for user jdoe. Reason: com.ibm.WebSphereSecurity.AuthenticationFailedException] minor code: 49424300 completed: No at com.ibm.ISecurityLocalObjectBaseL13Impl. PrincipalAuthFailReason.map_auth_fail_to_minor_code (PrincipalAuthFailReason.java:83)
A CORBA INITIALIZE exception with CWWSA1477W: SECURITY CLIENT/SERVER CONFIGURATION MISMATCH error embedded, is received by client program from the server.
Exception received: org.omg.CORBA.INITIALIZE: CWWSA1477W: SECURITY CLIENT/SERVER CONFIG MISMATCH: The client security configuration (sas.client.props or outbound settings in administrative console) does not support the server security configuration for the following reasons: ERROR 1: CWWSA0607E: The client requires SSL Confidentiality but the server does not support it. ERROR 2: CWWSA0610E: The server requires SSL Integrity but the client does not support it. ERROR 3: CWWSA0612E: The client requires client (e.g., userid/password or token), but the server does not support it. minor code: 0 completed: No at com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityConnectionInterceptor.getConnectionKey(SecurityConnectionInterceptor.java:1770)
In general, resolving the problem requires a change to the security configuration of either the client or the server. To determine which configuration setting is involved, look at the text following the CWWSA error message. For more detailed explanations and instructions, look in the message reference, by selecting the Reference view of the information center navigation and expanding Messages in the navigation tree.
Similarly, an exception like org.omg.CORBA.INITIALIZE: JSAS0477W: SECURITY CLIENT/SERVER CONFIG MISMATCH: appearing on the server trying to service a client request indicates a security configuration mismatch between client and server. The steps for resolving the problem are the same as for the JSAS1477W exceptions previously described.
Client program never gets prompted when accessing secured enterprise bean
Even though it seems that security is enabled and an enterprise bean is secured, occasions can occur when the client runs the remote method without prompting. If the remote method is protected, an authorization failure results. Otherwise, run the method as an unauthenticated user.
An
example of a valid property is C:/WebSphere/AppServer/properties/sas.client.props.
Cannot stop an application server, node manager, or node after enabling security
If you use command-line utilities to stop WebSphere Application Server processes, apply additional parameters after enabling security to provide authentication and authorization information.
Use the ./stopServer -help command to display the parameters to use.
If you use the Windows service panel or the net stop command to stop the WebSphere Application Server processes, update the existing Application Server service using an additional stop argument. Use the -stopArgs and the-encodeParams parameters to update the service as described in the "Updating an existing Application Server service" example in the WASService command article.
After enabling single signon, I cannot logon to the administrative console
This problem occurs when single signon (SSO) is enabled, and you attempt to access the administrative console using the short name of the server, for example http://myserver:port_number/ibm/console. The server accepts your user ID and password, but returns you to the logon page instead of the administrative console.
To correct this problem, use the fully qualified host name of the server, for example http://myserver.mynetwork.mycompany.com:9060/ibm/console.
Related tasks
Troubleshooting by task
Troubleshooting by component
Troubleshooting security configurations
Related reference
Errors after enabling security
WASService command