Security authorization provider troubleshooting tips


This article describes the issues we might encounter using a Java Authorization Contract for Containers (JACC) authorization provider. TAM is bundled with WAS as an authorization provider. However, you also can plug in the own authorization provider.

 

TAM as a Java Authorization Contract for Containers authorization provider

We might encounter the following issues when using TAM as a JACC authorization provider:

 

External providers for Java Authorization Contract for Containers authorization provider

We might encounter the following issues when you use an external provider for JACC authorization:

 

The configuration of JACC might fail

If we have problems configuring JACC, check the following items:

 

The server might fail to start after configuring JACC

If the server does not start after JACC is configured, check the following items:

 

The application might not deploy properly

When you click Save, the policy and role information is propagated to the TAM policy. This process might take some time to finish. If the save fails, uninstall the application and then reinstall it.

To access an application after it is installed, wait 30 seconds, by default, to start the application after you save.

 

The startServer command might fail after you configure TAM or a clean uninstall did not take place after unconfiguring JACC.

If the cleanup for JACC unconfiguration or start server fails after JACC is configured, take the following actions:

 

An "HPDIA0202w An unknown user name was presented to Access Manager" error might occur

We might encounter the following error message if we try to use an existing user in a Local Directory Access Protocol (LDAP) user registry with TAM:

AWXJR0008E   Failed to create a PDPrincipal for principal mgr1.:  AWXJR0007E   A TAM exception was caught. Details are:
"HPDIA0202W  An unknown user name was presented to Access Manager."
This problem might be caused by the host name exceeding predefined limits with TAM when it is configured against MS Active Directory. In WAS, the maximum length of the host name can not exceed 46 characters.

Check that the host name is not fully qualified. Set the machine so that the host name does not include the host domain. To correct this error...

  1. On the command line, type the following information to get a TAM command prompt:

    pdadmin -a administrator_name -p administrator_password
    
    The pdadmin administrator_name prompt is displayed. For example:

    pdadmin -a administrator1 -p passw0rd
    

  2. At the pdadmin command prompt, import the user from the LDAP user registry to TAM by typing the following information:

    user import user_name cn=user_name,o=organization_name,c=country
    
    For example:

    user import jstar cn=jstar,o=ibm,c=us
    

After importing the user to TAM, use the user modify command to set the user account to valid.

The following syntax shows how to use this command:

user modify user_name account-valid yes
For example:

user modify jstar account-valid yes

For information on how to import a group from LDAP to TAM, see the TAM documentation.

 

An "HPDAC0778E The specified user's account is set to invalid" error might occur

We might encounter the following error message after you import a user to TAM and restart the client:

AWXJR0008E    Failed to create a PDPrincipal for principal mgr1.:  AWXJR0007E    A TAM exception was caught.  Details are: "HPDAC0778E   The specified user's account is set to invalid."

To correct this error, use the user modify command to set the user account to valid.

The following syntax shows how to use this command:

user modify user_name account-valid yes
For example:

user modify jstar account-valid yes

 

An "HPDJA0506E Invalid argument: Null or zero-length user name field for the ACL entry" error might occur

We might encounter an error similar to the following message when you propagate the security policy information from the application to the provider using the wsadmin propagatePolicyToJACCProvider command:

AWXJR0035E   An error occurred while  attempting to add member, 
                cn=agent3,o=ibm,c=us, to role AgentRole HPDJA0506E   Invalid argument: Null or zero-length user name field for 
                the ACL entry

To correct this error, create or import the user, that is mapped to the security role to the TAM.

See on propagating the security policy information, see the documentation for your authorization provider.

 

An WASX7017E: Exception received while running file "InsuranceServicesSingle.jacl" error might occur

After the JACC provider and TAM are enabled, when attempting to install the application, which is configured with security roles using the wsadmin command, the following error might occur:

WASX7017E: Exception received while running file "InsuranceServicesSingle.jacl";  exception information: com.ibm.ws.scripting.ScriptingException: WASX7111E:  Cannot find a match for supplied option: 
"[RuleManager, , , cn=mgr3,o=ibm,c=us|cn=agent3,o=ibm,c=us, cn=ManagerGro up,o=ibm,c=us|cn=AgentGroup,o=ibm,c=us]" for task "MapRolesToUsers

The $AdminApp MapRolesToUsers task option is no longer valid when TAM is used as the authorization server. To correct the error, change MapRolesToUsers to TAMMapRolesToUsers.

 

Access denied exceptions accessing applications when using JACC

In the case of TAM, we might see the following error message.

AWXJR0044E: The access decision for Permission, {0}, was denied because either the  PolicyConfiguration or RoleConfiguration objects did not get created successfully at  application installation time. RoleConfiguration exists = {false}, PolicyConfiguration  exists = {false}."

If the access denied exceptions are not expected for the application, check SystemOut.logs to see if the security policy information was correctly propagated to the provider.

If the security policy information for the application is successfully propagated to the provider, the audit statements with the message key SECJ0415I appear. However, if there was a problem propagating the security policy information to the provider (for example: network problems, JACC provider is not available), SystemOut.logs contain the error message with the message keys SECJ0396E (during install) or SECJ0398E (during modification). The installation of the application is not stopped due to a failure to propagate the security policy to the JACC provider. Also, in the case of failure, no exception or error messages appear during the save operation. When the problem causing this failure is fixed, run the propagatePolicyToJaccProvider tool to propagate the security policy information to the provider without reinstalling the application.

 

An "HPDBA0219E: An error occurred reading data from an SSL connection" might occur

An error message (HPDBA0219E) might appear in dmgr SystemOut.log when you install an application on WAS for ND (ND) and a managed node with TAM is enabled.

If the error occurs, then the security policy data of recently deployed applications might not be immediately available. The policy data is available based on the server replicate time of the TAM. This is defaulted to 30 seconds after all updates have been completed. To verify the latest policy data is available, log on to the pdadmin console and type: server replicate.



 

Related concepts


Authorization providers
TAM integration as the JACC provider
JACC providers
JACC support in WAS

 

Related tasks


Enable an external JACC provider
Authorizing access to J2EE resources using TAM
Propagating security policy of installed applications to a JACC provider using wsadmin scripting
Troubleshooting security configurations

 

Related


Interfaces that support JACC

 

Related information


IBM TAM for e-business information center