Troubleshoot authorization providers
This article describes the issues you might encounter using a Java Authorization Contract for Containers (JACC) authorization provider. Tivoli Access Manager (TAM) is bundled with WAS as an authorization provider. However, you also can plug in your own authorization provider.
Use TAM as a JACC authorization provider
You might encounter the following issues when using TAM as a JACC authorization provider:
- The configuration of JACC might fail.
- The server might fail to start after configuring JACC.
- The application might not deploy properly.
- The startServer command might fail after you have configured TAM or a clean uninstall did not take place after unconfiguring JACC.
- An "HPDIA0202w An unknown user name was presented to Access Manager" error might occur.
- An "HPDAC0778E The specified user's account is set to invalid" error might occur.
- A WASX7017E: Exception received while running file "InsuranceServicesSingle.jacl" error might occur.
Use an external provider for JACC authorization
You might encounter the following issues when you use an external provider for JACC authorization:
- An "HPDJA0506E Invalid argument: Null or zero-length user name field for the ACL entry" error might occur.
The configuration of JACC might fail
If you are having problems configuring JACC, check the following:
- Ensure that the parameters are correct. For example, there should not be a number after TAM_Policy_server_hostname:7135, but there should be a number after TAM_Authorization_server_hostname:7136.
- If a message such as "server can't be contacted" appears, the host names or port numbers of the TAM servers might be incorrect, or the TAM servers might not have been started.
- Ensure that the password for sec_master is correct.
- Check the SystemOut.log and search for the string AMAS to see if any error messages are present.
The server might fail to start after configuring JACC
If the server does not start after JACC has been configured, check the following:
- Ensure that WAS and TAM use the same LDAP server.
- If the message "Policy Director Authentication failed" appears, ensure that the:
- WAS LDAP serverID is the same as the "Administrator user" in the TAM JACC configuration panel.
- TAM Administrator distinguished name (DN) is correct.
- Password of the TAM administrator has not expired and is valid.
- Account is valid for the TAM administrator.
- If a message such as "socket can't be opened for xxxx" (where xxxx is a number) appears, go to $WAS_HOME/profiles/profile/etc/tam and change xxxx to an available port number in the file that corresponds to the process that failed to start:
- If the deployment manager (dmgr) failed to start: amwas.commomconfig.properties
- If the node failed to start: amwas*cellName_nodeName_.properties
- If the application server failed to start: Amwas*cellname_nodeName_serverName.properties
The application might not deploy properly
When you click Save, the policy and role information is propagated to TAM. This might take some time to finish. If the save fails, uninstall the application and then reinstall it.
After you save a newly installed application, wait 30 seconds (the default) before starting it; only then can the application be accessed.
The startServer command might fail after you have configured TAM, or a clean uninstall did not take place after unconfiguring JACC
If the cleanup for JACC unconfiguration fails, or the server fails to start after JACC has been configured, do the following:
- Remove the TAM properties files from WAS. For each application server in a network deployment environment with N servers defined (for example, server1, server2), the following files must be removed:
- Use a utility to clear the security configuration and return the system to the state it was in before TAM JACC was configured. The utility removes all of the PDLoginModuleWrapper entries as well as the TAM authorization table entry from the security.xml file, effectively removing the TAM JACC provider. Back up security.xml before running this utility.
Enter the following commands:
An "HPDIA0202w An unknown user name was presented to Access Manager" error might occur
You might encounter the following error message if you are attempting to use an existing user in an LDAP user registry with TAM:
AWXJR0008E Failed to create a PDPrincipal for principal mgr1.:
AWXJR0007E A TAM exception was caught. Details are:
"HPDIA0202W An unknown user name was presented to Access Manager."
This problem might be caused by the host name exceeding the length limit that Tivoli Access Manager imposes when it is configured against Microsoft Active Directory. In WebSphere v6, the host name cannot exceed 46 characters.
Check that the host name is not fully qualified. Configure the machine so that the host name does not include the domain.
To correct this error, complete the following steps:
- On the command line, type the following information to get a TAM command prompt:
pdadmin -a administrator_name -p administrator_password
The pdadmin administrator_name prompt is displayed. For example:
pdadmin -a administrator1 -p password
- At the pdadmin command prompt, import the user from the LDAP user registry to TAM by typing the following information:
user import user_name cn=user_name,o=organization_name,c=country
For example: user import jstar cn=jstar,o=ibm,c=us
After importing the user into TAM, use the user modify command to set the user account to valid. The following syntax shows how to use this command:
user modify user_name account-valid yes
For example: user modify jstar account-valid yes
For information on how to import a group from LDAP to TAM, see the TAM documentation.
An "HPDAC0778E The specified user's account is set to invalid" error might occur
You might encounter the following error message after you import a user into TAM and restart the client:
AWXJR0008E Failed to create a PDPrincipal for principal mgr1.:
AWXJR0007E A TAM exception was caught. Details are:
"HPDAC0778E The specified user's account is set to invalid."
To correct this error, use the user modify command to set the user account to valid. The following syntax shows how to use this command:
user modify user_name account-valid yes
For example: user modify jstar account-valid yes
An "HPDJA0506E Invalid argument: Null or zero-length user name field for the ACL entry" error might occur
You might encounter an error similar to the following message when you propagate the security policy information from the application to the provider using the wsadmin command propagatePolicyToJACCProvider:
AWXJR0035E An error occurred while attempting to add member, cn=agent3,o=ibm,c=us, to role AgentRole
HPDJA0506E Invalid argument: Null or zero-length user name field for the ACL entry
To correct this error, create or import into TAM the user that is mapped to the security role. For more information on propagating the security policy information, see the documentation for your authorization provider.
A WASX7017E: Exception received while running file "InsuranceServicesSingle.jacl" error might occur
After the JACC provider and TAM are enabled, the following error might occur when you install an application that is configured with security roles using the wsadmin command:
WASX7017E: Exception received while running file "InsuranceServicesSingle.jacl"; exception information: com.ibm.ws.scripting.ScriptingException: WASX7111E: Cannot find a match for supplied option: "[RuleManager, , , cn=mgr3,o=ibm,c=us|cn=agent3,o=ibm,c=us, cn=ManagerGroup,o=ibm,c=us|cn=AgentGroup,o=ibm,c=us]" for task "MapRolesToUsers"
The $AdminApp task option MapRolesToUsers becomes invalid when TAM is used as the authorization server. To correct the error, change MapRolesToUsers to TAMMapRolesToUsers.
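The page tells you to search SystemOut.log for AMAS entries and then documents several TAM and WAS message IDs with their fixes. The following triage helper, added here and not part of the original article, scans SystemOut.log lines for those IDs and attaches the corrective action described above; the regex, the action text and the sample log excerpt are constructed for this example.

```python
import re

# Message IDs documented on this page, mapped to the corrective action the page gives.
# Actions paraphrase the page; the regex and the sample log lines below are constructed.
KNOWN_ACTIONS = {
    "HPDIA0202W": "User unknown to TAM: 'pdadmin user import', then 'user modify <name> "
                  "account-valid yes'; also ensure the host name is not fully qualified.",
    "HPDAC0778E": "Account invalid in TAM: 'user modify <name> account-valid yes'.",
    "HPDJA0506E": "Role member missing: create or import in TAM the user mapped to the role.",
    "WASX7111E": "MapRolesToUsers is invalid with TAM: use TAMMapRolesToUsers instead.",
    "AWXJR0008E": "PDPrincipal creation failed: act on the nested HPD* message.",
}
DEFAULT_ACTION = "Not covered by this page; consult the TAM/WAS message reference."

# WAS (WASXnnnnE), TAM JACC (AWXJRnnnnE) and TAM core (HPDxxnnnnE) message IDs.
MSG_ID = re.compile(r"\b(HPD[A-Z]{2}\d{4}[EWI]|AWXJR\d{4}[EWI]|WASX\d{4}[EWI])\b", re.I)


def triage(lines):
    """Count each message ID seen in SystemOut.log lines and attach the page's fix.

    Returns a dict {message_id: (count, action)}; IDs are upper-cased so the
    'HPDIA0202w' spelling seen in some traces collapses onto the documented one.
    """
    found = {}
    for line in lines:
        for mid in MSG_ID.findall(line):
            mid = mid.upper()
            count = found.get(mid, (0, None))[0]
            found[mid] = (count + 1, KNOWN_ACTIONS.get(mid, DEFAULT_ACTION))
    return found


def amas_lines(lines):
    """Return the lines the page says to look for: those containing 'AMAS'."""
    return [line for line in lines if "AMAS" in line]


# Constructed SystemOut.log excerpt (timestamps, thread IDs and the AMAS line are made up).
SAMPLE_LOG = """\
[3/1/10 10:15:22:123 EST] 0000001a PDLoginModule E AWXJR0008E Failed to create a PDPrincipal for principal mgr1.:
AWXJR0007E A TAM exception was caught. Details are:
"HPDIA0202W An unknown user name was presented to Access Manager."
[3/1/10 10:16:02:456 EST] 0000001a PDLoginModule E AWXJR0008E Failed to create a PDPrincipal for principal mgr1.:
AWXJR0007E A TAM exception was caught. Details are: "HPDAC0778E The specified user's account is set to invalid."
[3/1/10 10:20:41:789 EST] 0000002b AMASConfig    E AMAS configuration: policy server can't be contacted
""".splitlines()

if __name__ == "__main__":
    for mid, (count, action) in triage(SAMPLE_LOG).items():
        print(f"{mid} x{count}: {action}")
    for line in amas_lines(SAMPLE_LOG):
        print("AMAS:", line)
```

Run it against a real SystemOut.log with `triage(open(path).readlines())`; the AMAS hits point at configuration problems from the first section, the HPD/AWXJR hits at the user and role problems documented above.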
See Also
- Authorization in WAS
- TAM integration as the JACC provider
- JACC support in WAS
- Interfaces used to support JACC
Related Tasks
- Enable an external JACC provider
- Configure a JACC provider
- Propagate security policy of installed applications to a JACC provider using wsadmin scripting
Related Information
- IBM TAM for e-business 5.1