Troubleshoot security
- Warning when running configuration tasks to enable security
- Unable to deploy portlets after configuring LDAP
- Creating users when specifying a preferred language in Microsoft Active Directory fails
- The "<" and ">" characters display incorrectly
- Pipe character used with the Credential Vault
- The validate-ldap task fails when configuring Active Directory over SSL
- Unable to use some functions using Tivoli Directory Server Web Administration (Solaris only)
- Special characters limitation in Member Distinguished Name
- Syntax error on Sun ONE LDAP when importing PortalUsers.ldif
- Unable to see pages in Pixo browser
- Browser back button can show secured page after logout
- Failed Stop Operation
- Debugging the IBM Tivoli Access Manager for e-business Login Module
- Single sign-on not functioning between WebSphere Portal and other applications on the same WAS installation
- Cannot use the XML configuration interface if it is externalized in security
- When using Lotus Domino, cannot create users and groups
- Collaborative portlets require additional configuration for compatibility with eTrust SiteMinder
- Collaborative portlets require additional configuration for compatibility with Tivoli Access Manager
- Collaborative portlets require an interim fix to STlinks applet to work in Mozilla
- Distinguished names containing escape characters cause people awareness to function incorrectly in several Domino and Extended Products Portlets
- SSO for Domino and Extended Products fails for users containing LDAP special characters in their distinguished names
- Data backend exception while creating new users
- SSL Connection fails after configuring SSL to LDAP
- Membership of deleted user not removed from target repository
- Cannot log on to the WAS Administrative Console with short name
- Users and groups not moved to new registry after running enable-security-xxx tasks
Warning when running configuration tasks to enable security
You might receive a warning message stating that it is not possible to modify credential-segment resources when running either of the following configuration tasks:
Solution:
Ignore the warning message.
This can happen if you perform these steps:
- Install WebSphere Portal and WAS.
- Enable security, for example, by running the enable-security-wmmur-db configuration task.
- Uninstall WebSphere Portal and do not uninstall WAS.
- Install WebSphere Portal again.
- Enable security again, by running the enable-security-wmmur-db configuration task. After running this task you might see a message stating that it is not possible to modify credential-segment resources.
Unable to deploy portlets after configuring LDAP
During the enable-security-ldap configuration task, one of the final actions to be run is action-create-deployment-credentials. If this last action fails, it leaves the portal in a state in which you are able to authenticate successfully against the LDAP that you configured, but the administrative user is unable to deploy portlets because the three deployment credential vault slots have not been created.
Cause:
The failure of this task is usually due to incorrect settings in wpconfig.properties, especially in the Advanced LDAP settings.
Solution:
Perform the following steps:
- Check createDeploymentCredential.xml to ensure the information in the file is correct. If there are any errors, fix them.
- Execute createDeploymentCredential.xml using the XML configuration interface.
Creating users when specifying a preferred language in Microsoft Active Directory fails
If Microsoft Active Directory on Windows 2000 or Windows 2003 is the LDAP server for the portal and you need to specify a preferred language when you create users, perform the following workaround before you create any users. Otherwise, the attempt to create the users fails and the following message is displayed:
Backend storage system failed. Please try again later.
Solution:
- Add preferredLanguage to the Microsoft Active Directory user schema.
- Add or uncomment the following mapping in wmmLDAPServerAttributes.xml on the WebSphere Portal machine:
<attributeMap wmmAttributeName="preferredLanguage" pluginAttributeName="preferredLanguage" applicableMemberTypes="Person" dataType="String" valueLength="256" multiValued="false" readOnly="false"/>
The "<" and ">" characters display incorrectly
In WP ConfigurationService, there is a flag to enable or disable the cross-site scripting (CSS) security protection.
Solution:
It might be desirable to disable CSS protection if you use form input fields containing the characters < and >.
During the POST of a form containing such characters to a portlet, < is output as &lt; and > as &gt;.
Other non-alphabetical characters like &, ', and " appear as intended.
Disabling CSS protection allows the < and > characters to appear as intended. With the protection enabled, characters such as < and > are encoded to minimize the security risk of typing markup into a field that could disrupt portal content.
CSS protection is disabled at the portal level, not just the portlet level.
While it might be convenient to disable the CSS protection in some circumstances, it exposes a potential vulnerability when passing form input into a Web application. Some secure programs could unwittingly accept data from an untrusted user (the attacker) and pass that data on to a different user's application (the victim). If the secure program does not protect the victim, the victim's application (in this case, his or her Web browser) can then process that data in a way harmful to the victim.
This is a particularly common problem for all web applications using HTML or XML, where the problem is known by several names including...
- cross-site scripting
- malicious HTML tags
- malicious content
...and can happen on SSL and non-SSL connections.
While activating portal CSS protection automatically prevents a good deal of CSS attacks, it cannot prevent all of them. The web developer must always validate all user-provided data and apply correct character escaping before writing user-provided data to the markup stream. With a successful CSS attack, the attacker could gain complete access to some pages. Here are some of the problems associated with not implementing this security feature:
- SSL-encrypted connections might be exposed
- Attacks might be persistent through poisoned cookies
- Attacker might access restricted web sites from the client
- Domain-based security policies might be violated
- Use of less-common character sets might present additional risk
- Attacker might alter the behavior of forms
See Prevent a cross-site scripting attack
The relevant entry in WP ConfigurationService is:
# Flag whether Cross-Site-Scripting security protection is turned on.
#
# Default: true
security.css.protection = true
Verify this property value entry in Configuration Service, as described in Setting configuration properties.
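The helper below is an added illustration, not code from this page or from WebSphere Portal. portalStyleEncode only approximates the behaviour the text describes for security.css.protection=true (just < and > are encoded); escapeHtml is the fuller escaping a portlet developer should apply before writing user-provided data into markup, and the sample values are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example: contrasts the portal-level protection described in the text
 * (only '<' and '>' encoded) with full HTML escaping done by the portlet itself.
 * portalStyleEncode is an approximation for illustration, not the portal's code.
 */
public class MarkupEscaping {

    /** Approximates what the text describes for security.css.protection=true. */
    static String portalStyleEncode(String userInput) {
        return userInput.replace("<", "&lt;").replace(">", "&gt;");
    }

    /** Escapes every character that has meaning in HTML text or attribute values. */
    static String escapeHtml(String userInput) {
        StringBuilder out = new StringBuilder(userInput.length() + 16);
        for (int i = 0; i < userInput.length(); i++) {
            char c = userInput.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values a form field might carry back to a portlet.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("angle brackets", "Meeting at 10 <room 4>");
        // A double quote is untouched by portal-level encoding, so when the
        // value is echoed into an attribute it terminates that attribute early.
        samples.put("double quote", "He said \"hi\" & left");
        for (Map.Entry<String, String> e : samples.entrySet()) {
            String v = e.getValue();
            System.out.println(e.getKey());
            System.out.println("  portal-level : <input value=\"" + portalStyleEncode(v) + "\">");
            System.out.println("  full escaping: <input value=\"" + escapeHtml(v) + "\">");
        }
    }
}
```

Running it shows the second sample producing a broken attribute under portal-level encoding alone, which is why the text insists that the developer still escapes output.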
Pipe character used with the Credential Vault
Solution:
The vertical pipe | character can be used in the description, but cannot be used in the names of...
- vault segments
- vault slots
- resources
The validate-ldap task fails when configuring Active Directory over SSL
If you are configuring Active Directory over SSL, the validate-ldap task might fail with the following message:
javax.naming.CommunicationException: Request: 1 cancelled
Solution:
Apply Windows 2000 Service Pack 4 to Active Directory.
See Accessing Active Directory with LDAP by Using Sun JNDI Calls May Not Work.
Unable to use some functions using Tivoli Directory Server Web Administration (Solaris only)
Solution:
To be able to use more functions of Tivoli Directory Server Web Administration, use Tivoli Directory Server in English mode by completing the following steps:
- Edit ihs_root/conf/httpd.conf
- Change the following line:
  Old line: SetEnv LANG ja_JP.PCK
  New line: SetEnv LANG C
- Restart the httpd daemon.
Special characters limitation in Member Distinguished Name
Member Manager cannot be used to create a member entry in a repository if the entry has RDN attributes whose values contain any of the following special characters:
# , + " \ < > ;
Solution:
To create member entries whose RDN values contain these characters, create the entry directly in the repository without using Member Manager; Member Manager can still be used to read, update, remove, and search the entry. For example, for an LDAP server, use an LDAP server tool or another LDAP application instead of Member Manager to create the entry in the LDAP server.
Syntax error on Sun ONE LDAP when importing PortalUsers.ldif
You might get a syntax error when importing the shipped sample PortalUsers.ldif into Sun ONE.
Solution:
Comment out the dc: example,dc=com line to avoid the syntax error:
dn: dc=example,dc=com
objectclass: domain
objectclass: top
#Add lines according to this scheme that correspond to the suffix
dc: example,dc=com   <-- Remove this line to avoid syntax error
dc: example
Unable to see pages in Pixo browser
When using the Pixo Internet Microbrowser 2.1 device emulator on a PC, you will not be able to see any pages on the secure portal. This problem is caused by a defect in the Pixo simulator that affects supported cookies. WebSphere Portal with WAS global security enabled requires two cookies:
- JSESSIONID, which identifies the WebSphere Portal session in the browser.
- LtpaToken, which identifies the user for WAS global security.
Although two valid cookies are set for this domain, the Pixo browser only sends the most recently set cookie, which causes LtpaToken to replace JSESSIONID. Although LtpaToken allows the user to access WebSphere Portal, the browser is unidentified; therefore, the user will not be able to see any pages.
Solution:
Use a real device, or use a different device emulator for cHTML testing.
Browser back button can show secured page after logout
With some browsers you might be able to view the information from a previous portal session by using the back button after logout. When you log out and click the back button, you can see the page that was last viewed.
Example scenario: You view an e-mail and click Log out. The portal returns to the Login panel. If you then click the back button, you might be able to view the e-mail again, depending on the browser.
The problem concerns only the display and view of data. The portal or the displayed data cannot be modified as clicking the back button does not undo the logout.
Cause:
When you click the back button, the browser returns to the data cached by the browser.
Solution:
To prevent the display of secured pages...
- Close the browser after logout
- Clear the browser cache
Failed Stop Operation
In stopServer.log you find:
A ADMU0111E: Program exiting with error: javax.management.JMRuntimeException:
ADMN0022E: Access denied for the stop operation on Server MBean due to insufficient or empty credentials.
Solution:
Choose one of the following options:
- Modify the SOAP Client Security Enablement section of was_profile_root/properties/soap.client.props and verify that valid values are in place for:
com.ibm.SOAP.loginUserid=
com.ibm.SOAP.loginPassword=
This option may require a stop and restart of the application server.
- Stop the application server on the command line and specify a valid user ID and password. For example:
was_profile_root/bin/stopServer WebSphere_Portal userid password
Debugging the IBM Tivoli Access Manager for e-business Login Module
The WAS Administrative Console maintains the login modules for WebSphere Portal. To debug the PDLoginModule supplied by Tivoli Access Manager:
- Access the WAS Administrative Console.
- Look for the application Portal_Login JAAS Login.
- Add the following custom property to PDLoginModule:
debug = true
The output is written to standard out for the Portal Server Application Server.
Single sign-on not functioning between WebSphere Portal and other applications on the same WAS installation
Single sign-on between WebSphere Portal and other applications on the same WAS installation might not work.
For example, if you log in to the WAS Administrative Console and then log in to a portal running on the same application server, the portal displays a misleading error message saying that the user's portal session has timed out. The portal then prompts the user to log in again.
Cause:
The session cookie of the other application is not properly specified (the cookie path is too general) and is therefore also sent to the portal. In most cases, the cookie is specified as a simple slash (/). The portal application mistakes this as an old, invalid portal session cookie.
Solution:
Follow these steps to ensure that the application's session cookie is scoped to that application only:
- Log in to the WAS Administrative console.
- Navigate to...
Applications | Enterprise Applications | application | Session Management
- Click the Enable Cookies link (not the check box).
- Set the cookie path value to the complete application base path. For example, the Administrative console of the application server would be /admin.
- Click Apply to save the changes and then restart the application.
Cannot use the XML configuration interface if it is externalized in security
If the virtual resource XML_ACCESS that represents access to the XML configuration interface is externalized to Computer Associates eTrust SiteMinder, and therefore put under the protection of eTrust SiteMinder, you can no longer use the XML configuration interface.
Solution:
If the access rights of WebSphere Portal are externalized to eTrust SiteMinder, do not externalize the XML configuration interface virtual resource.
When using Lotus Domino, cannot create users and groups
If you are using IBM Lotus Domino and edit the access control list of NAMES.NSF so that Maximum Internet name and password is set to "Reader", you may no longer be able to create users and groups in WebSphere Portal.
Solution:
The recommended setting for Maximum Internet name and password is "Author" or higher.
By setting this field to "Reader", you would be overriding the regular settings in the access control list and thereby limiting the Author/Editor access that is necessary for WebSphere Portal to function successfully with Lotus Domino as the LDAP server.
To access the Maximum Internet name and password setting, open NAMES.NSF with a Lotus Notes client by selecting:
File | Database | Open | File | Database | Access Control | Advanced
Options for this setting range from "No Access" to "Manager".
Collaborative portlets require additional configuration for compatibility with eTrust SiteMinder
Many features of the Domino and Extended Products Portlets will not work if the eTrust SiteMinder-protected portal environment is not properly configured. Problems include...
- Failure of awareness
- Failure of the IBM Lotus Sametime server to authenticate with the Lotus Web Conferencing portlet
- Failure of the My Lotus QuickPlaces portlet to connect to the IBM Lotus QuickPlace server
- Inability of the Domino Web Access and Lotus Notes View portlets to find mail files for the current user
Solution:
Edit the CSEnvironment.properties file to use the eTrust SiteMinder token.
For more details, refer to...
Technote 1190655: Awareness, connection and authentication problems if Collaborative Portlets v5.1 not configured for eTrust SiteMinder properly
Collaborative portlets require additional configuration for compatibility with Tivoli Access Manager
Many features of the Domino and Extended Products Portlets will not work if the Tivoli Access Manager-protected portal environment is not properly configured. Problems include failure of awareness, failure of the Lotus Sametime server to authenticate with the Lotus Web Conferencing portlet, and failure of the My Lotus QuickPlaces portlet to connect to the Lotus QuickPlace server.
Solution:
An interim fix is available on the IBM Support Web site. Refer to...
Technote 1191185: Awareness, Connection and Authentication Problems if Collaborative Portlets v5.1 not Configured for Tivoli Access Manager
Collaborative portlets require an interim fix to STlinks applet to work in Mozilla
In the Mozilla browser, many problems in collaborative portlets result from the version of the STlinks applet configured on the IBM Lotus Sametime server, as well as versions of other related files. For example, a timing problem prevents the Who Is Here and Lotus Web Conferencing portlets from working if deployed on the same page, awareness may fail, the Chat button in the Domino Web Access portlet may not work, and the Who Is Here portlet may be unable to display the membership list.
Solution:
An interim fix for the STlinks applet is available on the IBM Support Web site. Corrected files are available to solve the problems above. Refer to the following troubleshooting technote:
Technote 1191188: Lotus Collaborative Portlets v5.1 Exhibit Problems when Accessed via Mozilla Browser
Distinguished names containing escape characters cause people awareness to function incorrectly in several Domino and Extended Products Portlets
Portlets with this problem include...
- Lotus Web Conferencing
- My Lotus QuickPlaces
- Sametime
- Contact List
Solution:
An interim fix is available on the IBM Support Web site...
Technote 1191190: People Awareness in v5.1 of Lotus Collaboration Center Portlets Does not Function Properly
SSO for Domino and Extended Products fails for users containing LDAP special characters in their distinguished names
LDAP special characters existing in distinguished names of either users or groups prevent Single Sign-On from working correctly between...
- WebSphere Portal
- IBM Lotus Sametime
- IBM Lotus QuickPlace
- Lotus Domino
...unless configuration fixes are applied to the servers.
For example, a user whose name contains special characters may be asked to authenticate with the Mail, Calendar, or Address book instances of the Domino and Extended Products Portlets.
The LDAP special characters are:
- A space or # character occurring at the beginning of the string
- A space character occurring at the end of the string
- One of the characters ",", "+", """, "\", ">", "<", or ";"
Also, the / and @ characters are Lotus Domino special characters and will cause the same problems without the interim fixes available from Lotus Technical Support.
Solution:
Interim fixes are available on the IBM Support Web site. Refer to...
Technote 1191194: SSO for Domino Extended Products Fails for Users Containing LDAP Special Characters in their Distinguished Names
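The following is an added example, not code from this page, from Member Manager or from the technotes, serving both the "Special characters limitation in Member Distinguished Name" section and the list of LDAP special characters above: it flags RDN values containing those characters and shows the RFC 4514 escaping an LDAP tool needs when such an entry is created directly in the directory. The sample values and the dc=example,dc=com suffix are constructed.

```java
/**
 * Added example (not code from the page or from Member Manager): detects the
 * RDN-value characters the text lists as problematic and escapes a raw value
 * according to RFC 4514 so it can be placed in a DN string by an LDAP tool.
 */
public class RdnValues {
    // Characters that must be escaped wherever they occur in an RDN value.
    private static final String SPECIAL_ANYWHERE = ",+\"\\<>;";

    /** True if the value contains any of the characters the text lists. */
    static boolean hasLdapSpecialCharacters(String value) {
        if (value.isEmpty()) return false;
        // Leading space or '#', or a trailing space, are also special.
        if (value.charAt(0) == ' ' || value.charAt(0) == '#') return true;
        if (value.charAt(value.length() - 1) == ' ') return true;
        for (int i = 0; i < value.length(); i++) {
            if (SPECIAL_ANYWHERE.indexOf(value.charAt(i)) >= 0) return true;
        }
        return false;
    }

    /** Escapes a raw attribute value for use inside a DN string (RFC 4514). */
    static String escapeRdnValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean first = (i == 0);
            boolean last = (i == value.length() - 1);
            if (c == '\0') {                  // NUL is written as \00
                out.append("\\00");
                continue;
            }
            if (SPECIAL_ANYWHERE.indexOf(c) >= 0
                    || (first && (c == ' ' || c == '#'))
                    || (last && c == ' ')) {
                out.append('\\');
            }
            out.append(c);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample cn values; the suffix is a placeholder, not a page value.
        String[] samples = { "Smith, John", "#1 Support", "acme+partner", "trailing ", "plain" };
        for (String s : samples) {
            System.out.printf("%-14s special=%-5b  cn=%s,cn=users,dc=example,dc=com%n",
                    s, hasLdapSpecialCharacters(s), escapeRdnValue(s));
        }
    }
}
```

Values that the check flags are exactly the ones to create with an LDAP tool rather than through Member Manager, and the ones to expect SSO trouble with until the interim fixes are applied.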
Data backend exception while creating new users
Within WebSphere Portal you can set a password's minimum and maximum length. If the configured password lengths differ from the LDAP server's policy, you might see the following exception when creating a user:
EJPSG0015E: Data Backend Problem com.ibm.websphere.wmm.exception.WMMSystemException: The following Naming Exception occurred during processing: "javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A0FBC, problem 5003 (WILL_NOT_PERFORM), data 0 ]; remaining name 'cn=see1anna,cn=users,dc=wps510,dc=rtp,dc=raleigh,dc=ibm,dc=com'; resolved object com.sun.jndi.ldap.LdapCtx@7075b1b4".
Solution:
Check and/or modify...
- puma.PASSWORD.min
- puma.PASSWORD.max
within Puma as described in Portal service configuration. The keys should match the LDAP server's policy.
SSL Connection fails after configuring SSL to LDAP
You see messages about invalid or missing certificates.
The certificate truststore is set in wmm.xml via the sslTrustStore property. This truststore will be used by all applications in the portal server JVM, including portlets, themes, and skins.
If you used the default Java truststore...
app_server_root/java/jre/lib/security/cacerts.jks
...before switching to LDAP with SSL, these certificates will no longer be found.
Solutions include...
- Import the trusted certificate to the cacerts truststore and configure Member Manager to use this truststore.
- Import the trusted certificate to the truststore used by Member Manager.
- Adapt the application code to explicitly specify the truststore to use when opening the SSL connection.
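For the third option, an added example (not code from the page or from WebSphere Portal) of application code that builds its SSL socket factory from an explicitly named truststore, so it no longer depends on whichever store sslTrustStore in wmm.xml has made the JVM-wide default. The truststore path and password are assumptions to be replaced with the application's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example: opens SSL connections with trust material taken from a
 * truststore the application names itself, instead of the JVM default that
 * the text says Member Manager's sslTrustStore setting replaces.
 */
public class ExplicitTrustStore {

    /** Builds a socket factory whose trust managers consult only the given JKS file. */
    static SSLSocketFactory socketFactoryFor(String trustStorePath, char[] trustStorePassword)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        // Certificates in the JVM default truststore are deliberately not consulted.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Assumed location and password of the application's own truststore (not page values).
        String path = args.length > 0 ? args[0] : "/path/to/application-truststore.jks";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        SSLSocketFactory factory = socketFactoryFor(path, password);
        // Hand the factory to the application's outbound connection, for example:
        // ((javax.net.ssl.HttpsURLConnection) url.openConnection()).setSSLSocketFactory(factory);
        System.out.println("Trust material loaded from " + path + " into " + factory.getClass().getName());
    }
}
```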
Membership of deleted user not removed from target repository
When deleting a user or group from an LDAP using the WebSphere Portal administrator functions, some LDAP servers do not clean up the user or group's membership. If a new user or group is created with the same name, it is placed in the existing membership. For example, the new user would belong to the same groups as the deleted user.
Solution:
Configure Member Manager to update the repository...
- Edit wmm.xml
- Add...
updateGroupMembership="true"...as an attribute to the ldaprepository tag.
If using the SUN ONE and Domino adapters, this parameter will be set to true by default.
Cannot log on to the WAS Administrative Console with short name
You cannot log on to the WAS Administrative Console with the short name when using an Oracle database, LookAside is set to true in the wpconfig.properties file, and LDAP is configured with realm support.
Solution:
Log on to the WAS Administrative Console with the full administrator DN.
Users and groups not moved to new registry after running enable-security-xxx tasks
The enable-security-xxx tasks do not move users and groups from one registry to another. For example, running the enable-security-ldap task does not move users and groups from the Cloudscape database to an LDAP user registry.
Solution:
Manually move users and groups to the final user registry as soon as possible after installation. If you use an LDAP user registry or a customer-supplied custom user registry, use registry-specific tools to recreate the users and groups. If you use a database user registry configuration (an IBM-supplied custom user registry), create the users and groups after running the enable-security-xxx task.