Errors after enabling security

 

Common Errors

  1. Authentication error accessing a Web page

  2. Authorization error accessing a Web page

  3. Error Message: SECJ0314E... Current Java 2 security policy reported a potential violation

  4. MSGS0508E: The JMS Server security service was unable to authenticate user ID: error displayed in SystemOut.log when starting an appserver

  5. Error Message: SECJ0237E... One or more vital LTPAServerObject configuration attributes are null or not available after enabling security and starting the appserver.

  6. An AccessControlException is reported in the SystemOut.log.

  7. Error Message: SECJ0336E... Authentication failed for user {0} because of the following exception {1}

 

Authentication error accessing a Web page

Possible causes for authentication errors include...

If the user registry configuration, user ID, and password appear correct, use the WAS trace to determine the cause of the problem. To enable security trace, use the com.ibm.ws.security.*=all=enabled trace specification.

 

Authorization error accessing a Web page

If a user who should have access to a resource does not, there is probably a missing configuration step. Review the steps for securing and granting access to resources.

Specifically...

If the user is granted required roles, but still fails to access the secured resources, enable security trace, using com.ibm.ws.security.*=all=enabled as the trace specification. Collect trace information for further resolution.

 

Error Message: SECJ0314E: Current Java 2 security policy reported a potential violation on server

If you find errors on your server similar to

Error Message: SECJ0314E: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Refer to Problem Determination Guide for further information.
{0}Permission\:{1}Code\:{2}{3}Stack Trace\:{4}Code Base Location\:{5}

The Java security manager checkPermission() method has reported an exception, SecurityException.

The reported exception might be critical to the secure system. Turn on security trace to determine the potential code that might have violated the security policy. Once the violating code is determined, verify if the attempted operation is permitted with respect to Java 2 Security, by examining all applicable Java 2 security policy files and the application code.

A more detailed report is enabled by either configuring RAS trace into debug mode, or specifying a Java property.

For a review of Java security policies and what they mean , see the Java 2 Security documentation at http://java.sun.com/j2se/1.3/docs/guide/security/index.html .

Tip: If the application is running with a Java Mail API, this message might be benign. You can update the installed Enterprise Application root/META-INF/was.policy file to grant the following permissions to the application:

 

Error message: MSGS0508E: The JMS Server security service was unable to authenticate user ID:" error displayed in SystemOut.log when starting an appserver

This error can result from installing the JMS messaging API sample and then enabling security. You can follow the instructions in the Configure and Run page of the corresponding JMS sample documentation to configure the sample to work with WebSphere Application Server security.

You can verify the installation of the message-driven bean sample by launching the installation program, selecting Custom, and browsing the components which are already installed in the Select the features you like to install panel. The JMS sample is shown as Message-Driven Bean Sample, under Embedded Messaging.

You can also verify this installation by using the administrative console to open the properties of the appserver which contains the samples. Select MDBSamples and click uninstall.

If the problem persists, review the section Messaging (JMS) component troubleshooting tips

 

Error message: SECJ0237E: One or more vital LTPAServerObject configuration attributes are null or not available after enabling security and starting the appserver.

This error message can result from selecting LTPA as the authentication mechanism, but not generating the LTPA keys. The LTPA keys encrypt the LTPA token.

To resolve this problem...

  1. Click System Administration > Console users > LTPA

  2. Enter a password, which can be anything.

  3. Enter the same password in Confirm Password.

  4. Click Apply.

  5. Click Generate Keys.

  6. Click on Save.

 

The exception AccessControlException, is reported in the SystemOut.log

The problem is related to the Java 2 Security feature of WAS, the API-level security framework that is implemented in WebSphere Application Server Version 5. An exception similar to the following example displays. The error message and number can vary.

E SRVE0020E: [Servlet Error]-[validator]: Failed to load servlet: 
java.security.AccessControlException: 
access denied  java.io.FilePermission(
C:\WebSphere\AppServer\installedApps\maeda\adminconsole.ear\adminconsole.war\ 
WEB-INF\validation.xml read) 


Java 2 security is not only used by WAS, but developers can also implement it for their business applications. Administrators might need to involve developers, if this exception is thrown when a client tries to access a resource hosted by WAS.

Possible causes of these errors include...

To resolve these problems...

Tip: If the application is running with the Java Mail API, you can update the installed Enterprise Application root/META-INF/was.policy file to grant the following permissions to the application:

 

Error Message: SECJ0336E: Authentication failed for user {0} because of the following exception {1}

This error message results if the user ID indicated is not found in the LDAP user registry. To resolve this problem...

  1. Verify that your user ID and password are correct.

  2. Verify that the user ID exists in the registry.

  3. Verify that the base distinguished name (DN) is correct.

  4. Verify that the user filter is correct.

  5. Verify that the bind DN and the password for the bind DN are correct. If the bind DN and password are not specified, add the missing information and retry.

  6. Verify that the host name and LDAP type are correct.

Consult with the administrator of the user registry if the problem persists.

 

See Also

  1. Troubleshooting by component: What is not working?
  2. Access problems after enabling security
  3. Troubleshooting the security component.
  4. Obtaining help from IBM