+

Search Tips   |   Advanced Search

Security components troubleshooting tips

Basic resources and steps for diagnosing security-related issues in WebSphere Application Server include:

For an overview of WAS security components such as Secure Authentication Services (SAS) and how they work, see Getting started with security.

SAS supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.


Log files

When troubleshooting the security component, browse the Java Virtual Machine (JVM) logs for the server that hosts the resource you are trying to access. The following is a sample of messages you would expect to see from a server in which the security service has started successfully:

The following is an example of messages from a server which cannot start the security service, in this case because the admin ID and password given to communicate with the user registry is wrong, or the user registry itself is down or misconfigured:

The following is an example of messages from a server for which LDAP has been specified as the security mechanism, but the LDAP keys have not been properly configured:

A problem with the SSL configuration might lead to the following message. Ensure that the keystore location and keystore passwords are valid. Also, ensure the keystore has a valid personal certificate and that the personal certificate public key or certificate authority (CA) root has been extracted on put into the truststore.


Use SDSF

When troubleshooting the security component, use System Display and Search Facility (SDSF) to browse logs for the server that hosts the resource you are trying to access. The following sample of messages helps you see from a server in which the security service has started successfully:


General approach for troubleshooting security-related issues

When troubleshooting security-related problems, the following questions are very helpful:

Does the problem occur when security is disabled?

This question is a good litmus test to determine that a problem is security related. However, just because a problem only occurs when security is enabled does not always make it a security problem. More troubleshooting is necessary to ensure the problem is really security-related.

Did security seem to initialize properly?

A lot of security code is visited during initialization. So we can see problems there first if the problem is configuration related.

The following sequence of messages that are generated in the SystemOut.log indicate normal code initialization of an application server. This sequence varies based on the configuration, but the messages are similar:

    SASRas A CWWSA0001I: Security configuration initialized.
    SASRas A CWWSA0002I: Authentication protocol: CSIV2/IBM
    SASRas A CWWSA0003I: Authentication mechanism: SWAM
    SASRas A CWWSA0004I: Principal name: BIRKT20/pbirk
    SASRas A CWWSA0005I: SecurityCurrent registered.
    SASRas A CWWSA0006I: Security connection interceptor initialized.
    SASRas A CWWSA0007I: Client request interceptor registered.
    SASRas A CWWSA0008I: Server request interceptor registered.
    SASRas A CWWSA0009I: IOR interceptor registered.
    NameServerImp I CWNMS0720I: Do Security service listener registration.
    SecurityCompo A CWSCJ0242A: Security service is starting
    UserRegistryI A CWSCJ0136I: Custom Registry:com.ibm.ws.security.registry.nt.NTLocalDomainRegistryImpl has been initialized
    SecurityCompo A CWSCJ0202A: Admin application initialized successfully
    SecurityCompo A CWSCJ0203A: Naming application initialized successfully
    SecurityCompo A CWSCJ0204A: Rolebased authorizer initialized successfully
    SecurityCompo A CWSCJ0205A: Security Admin mBean registered successfully
    SecurityCompo A CWSCJ0243A: Security service started successfully
    SecurityCompo A CWSCJ0210A: Security enabled true

The following sequence of messages generated in the SDSF active log indicate normal code initialization of an application server. Non-security messages have been removed from the sequence that follows. This sequence will vary based on the configuration, but the messages are similar:

    Trace: 2013/05/06 17:27:31.539 01 t=8E96E0 c=UNK key=P8 (13007002)
    ThreadId: 0000000a FunctionName: printProperties SourceId: com.ibm.ws390.orb.CommonBridge
    Category: AUDIT
    ExtendedMessage: BBOJ0077I java.security.policy = /WebSphere/V8R5M0/AppServer/profiles/default/pr
    Trace: 2013/05/06 17:27:31.779 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a
    FunctionName: printProperties SourceId: com.ibm.ws390.orb.CommonBridge
    Category: AUDIT ExtendedMessage: BBOJ0077I java.security.auth.login.config = /WebSphere/V8R5M0/AppServer/profiles/default/pr
    Trace: 2013/05/06 17:27:40.892 01 t=8E96E0 c=UNK key=P8 (13007002) ThreadId: 0000000a FunctionName: com.ibm.ws.security.core.SecurityDM SourceId: com.ibm.ws.security.core.SecurityDM
    Category: INFO ExtendedMessage: BBOO0222I: SECJ0231I: The Security component's FFDC Diagnostic Module com.ibm.ws.security.core.Securred successfully: true.
    Trace: 2013/05/06 17:27:40.892 01 t=8E96E0 c=UNK key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bborjtr.cpp
    at line: 932 error message: BBOO0222I: SECJ0231I: The Security component's FFDC Diagnostic Module com.ibm.ws.security.core.Securitd successfully: true.
    Trace: 2013/05/06 17:27:41.054 01 t=8E96E0 c=UNK key=P8 (13007002)
    ThreadId: 0000000a FunctionName: com.ibm.ws.security.audit.AuditServiceImpl SourceId: com.ibm.ws.security.audit.AuditServiceImpl
    Category: AUDIT ExtendedMessage: BBOO0222I: SECJ6004I: Security Auditing is disabled.
    Trace: 2013/05/06 17:27:41.282 01 t=8E96E0 c=UNK key=P8 (13007002)
    ThreadId: 0000000a FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl SourceId: com.ibm.ws.security.core.distSecurityComponentImpl
    Category: INFO ExtendedMessage: BBOO0222I: SECJ0309I: Java 2 Security is disabled.
    Trace: 2013/05/06 17:27:41.282 01 t=8E96E0 c=UNK key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bborjtr.cpp
    at line: 932 error message: BBOO0222I: SECJ0309I: Java 2 Security is disabled.
    Trace: 2013/05/06 17:27:42.239 01 t=8E96E0 c=UNK key=P8 (13007002)
    ThreadId: 0000000a FunctionName: com.ibm.ws.security.auth.login.Configuration SourceId: com.ibm.ws.security.auth.login.Configuration
    Category: AUDIT ExtendedMessage: BBOO0222I: SECJ0215I: Successfully set JAAS login provider configuration class to com.ibm.ws.securit Configuration.
    Trace: 2013/05/06 17:27:42.253 01 t=8E96E0 c=UNK key=P8 (13007002)
    ThreadId: 0000000a FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl SourceId: com.ibm.ws.security.core.distSecurityComponentImpl
    Category: INFO
    ExtendedMessage: BBOO0222I: SECJ0212I: WCCM JAAS configuration information successfully pushed to login provider clas
    Trace: 2013/05/06 17:27:42.254 01 t=8E96E0 c=UNK key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bborjtr.cpp
    at line: 932 error message: BBOO0222I: SECJ0212I: WCCM JAAS configuration information successfully pushed to login provider class.
    Trace: 2013/05/06 17:27:42.306 01 t=8E96E0 c=UNK key=P8 (13007002)
    ThreadId: 0000000a FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl SourceId: com.ibm.ws.security.core.distSecurityComponentImpl
    Category: INFO
    ExtendedMessage: BBOO0222I: SECJ0240I: Security service initialization completed successfully
    Trace: 2013/05/06 17:27:42.306 01 t=8E96E0 c=UNK key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bborjtr.cpp
    at line: 932 error message: BBOO0222I: SECJ0240I: Security service initialization completed successfully
    Trace: 2013/05/06 17:27:42.952 01 t=8E96E0 c=UNK key=P8 (13007002)
    ThreadId: 0000000a FunctionName: com.ibm.ws.objectpool.ObjectPoolService SourceId: com.ibm.ws.objectpool.ObjectPoolService
    Category: INFO
    ExtendedMessage: BBOO0222I: OBPL0007I: Object Pool Manager service is disabled.
    Trace: 2013/05/06 17:27:53.512 01 t=8E96E0 c=UNK key=P8 (13007002)
    ThreadId: 0000000a FunctionName: com.ibm.ws.security.registry.UserRegistryImpl SourceId: com.ibm.ws.security.registry.UserRegistryImpl
    Category: AUDIT ExtendedMessage: BBOO0222I: SECJ0136I: Custom Registry:com.ibm.ws.security.registry.zOS.SAFRegistryImpl has been init
    Trace: 2013/05/06 17:27:55.229 01 t=8E96E0 c=UNK key=P8 (13007002)
    ThreadId: 0000000a FunctionName: com.ibm.ws.security.role.PluggableAuthorizationTableProxy SourceId: com.ibm.ws.security.role.PluggableAuthorizationTableProxy
    Category: AUDIT ExtendedMessage: BBOO0222I: SECJ0157I: Loaded Vendor AuthorizationTable: com.ibm.ws.security.core.SAFAuthorizationTab
    Trace: 2013/05/06 17:27:56.481 01 t=8E96E0 c=UNK key=P8 (13007002)
    ThreadId: 0000000a FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl SourceId: com.ibm.ws.security.core.distSecurityComponentImpl
    Category: INFO ExtendedMessage: BBOO0222I: SECJ0243I: Security service started successfully
    Trace: 2013/05/06 17:27:56.481 01 t=8E96E0 c=UNK key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bborjtr.cpp
    at line: 932 error message: BBOO0222I: SECJ0243I: Security service started successfully
    Trace: 2013/05/06 17:27:56.482 01 t=8E96E0 c=UNK key=P8 (13007002)
    ThreadId: 0000000a FunctionName: com.ibm.ws.security.core.distSecurityComponentImpl SourceId: com.ibm.ws.security.core.distSecurityComponentImpl
    Category: INFO ExtendedMessage: BBOO0222I: SECJ0210I: Security enabled true
    Trace: 2013/05/06 17:27:56.483 01 t=8E96E0 c=UNK key=P8 (0000000A) Description: Log Boss/390 Error from filename: ./bborjtr.cpp
    at line: 932 error message: BBOO0222I: SECJ0210I: Security enabled true

Is there a stack trace or exception printed in the system log file?

A single stack trace tells a lot about the problem. What code initiated the code that failed? What is the failing component? Which class did the failure actually come from? Sometimes the stack trace is all needed to solve the problem and it can pinpoint the root cause. Other times, it can only give us a clue, and can actually be misleading. When support analyzes a stack trace, they can request additional trace if it is not clear what the problem is. If it seems to be security-related and the solution cannot be determined from the stack trace or problem description, you are asked to gather the following trace specification:
SASRas=all=enabled:com.ibm.ws.security.*=all=enabled from all processes involved.

Is this a distributed security problem or a local security problem?

  • If the problem is local, that is the code involved does not make a remote method invocation, then troubleshooting is isolated to a single process.

    It is important to know when a problem is local versus distributed because the behavior of the object request broker (ORB), among other components, is different between the two. When a remote method invocation takes place, an entirely different security code path is entered.

  • When you know that the problem involves two or more servers, the techniques of troubleshooting change.

    You need to trace all the servers involved simultaneously so that the trace shows the client and server sides of the problem. Make sure the timestamps on all machines match as closely as possible so that we can find the request and reply pair from two different processes. Enable both Secure Authentication Services (SAS) or z/SAS and Security trace using the trace specification:

      SASRas=all=enabled:com.ibm.ws.security.*=all=enabled

Is the problem related to authentication or authorization?

Most security problems fall under one of these two categories.

Authentication is the process of determining who the caller is. Authorization is the process of validating that the caller has the proper authority to invoke the requested method. When authentication fails, typically this failure is related to either the authentication protocol, authentication mechanism or user registry. When authorization fails, this is usually related to the application bindings from assembly and deployment and to the caller's identity who is accessing the method and the roles required by the method.

Is this a web or EJB request?

Web requests have a completely different code path than EJB requests.

Different security features exist for web requests than for EJB requests, requiring a completely different body of knowledge to resolve. For example, when using the LTPA authentication mechanism, the single sign-on feature (SSO) is available for web requests but not for EJB requests. Web requests involve HTTP header information that is not required by EJB requests due to the protocol differences. Also, the web container or servlet engine is involved in the entire process. Any of these components can be involved in the problem and all require consideration during troubleshooting, based on the type of request and where the failure occurs.

Secure EJB requests heavily involve the ORB and Naming components since they flow over the RMI/IIOP protocol. In addition, when Workload Manager (WLM) is enabled, other behavior changes in the code can be observed. All of these components interact closely for security to work properly in this environment. At times, trace in any or all of these components might be necessary to troubleshoot problems in this area.

The trace specification to begin with is

    SASRas=all=enabled:com.ibm.ws.security.*=all=enabled

ORB trace is also very beneficial when the SAS/Security trace does not seem to pinpoint the problem.

(zos) Secure EJB requests are passed from the controller to the servant. Web requests are mostly ignored by the controller. As a result, EJB requests are first processed and authenticated by the zSAS or Common Security Interoperability Version 2 (CSIv2) layers of security. Authorization is done by the servant. If an authentication failure occurs, the zSAS type level of tracing must be turned on to diagnose the problem. Other problems can be diagnosed using the WebSphere Application Server component tracing (CTRACE) facility.

Does the problem seem to be related to the SSL?

SSL is a totally distinct separate layer of security. Troubleshooting SSL problems is usually separate from troubleshooting authentication and authorization problems, and we have many considerations. Usually, SSL problems are first-time setup problems because the configuration can be difficult. Each client must contain the signer certificate of the server. During mutual authentication, each server must contain the client's signer certificate. Also, there can be protocol differences (SSLv3 vs. Transport Layer Security (TLS)), and listener port problems related to stale Interoperable Object References (IORs), that is IORs from a server, that reflect the port prior to the server restarting.

(zos) In z/OS, two variations of SSL are used. To determine the cause of an SSL problem on z/OS, we have to be aware of what protocol is being used.

  • System SSL is used by the Internet Inter-ORB Protocol (IIOP) and HTTPS protocols

  • Java Secure Socket Extension (JSSE) is used by all other protocols, for example, SOAP.

  • System SSL requests are handled in the controller and are used by z/SAS and CSIv2 security.

  • SJSSE is predominately used by the servant, but cases exist where JSSE is used in the controller as well.

For SSL problems, sometimes you get a request for an SSL trace to determine what is happening with the SSL handshake. The SSL handshake is the process that occurs when a client opens a socket to a server. If anything goes wrong with the key exchange, cipher exchange, and so on, the handshake fails and the socket is not valid. Tracing JSSE (the SSL implementation used in WebSphere Application Server) involves the following steps:

  • Set the following system property on the client and server processes: -Djavax.net.debug=true. For the server, add the system property to the Generic JVM Arguments property of the JVM settings page.

  • Turn on ORB trace as well.

  • Recreate the problem.

The SystemOut.log of both processes contain the JSSE trace. We can find trace similar to the following example:

    SSLConnection: install <com.ibm.sslite.e@3ae78375> >>
    handleHandshakeV2 <com.ibm.sslite.e@3ae78375> >> handshakeV2 type = 1 >> clientHello: SSLv2. SSL client version: 3.0 ... ... ... JSSEContext: handleSession[Socket[addr=null,port=0,localport=0]] << sendServerHello. SSL version: 3.0 SSL_RSA_WITH_RC4_128_MD5 HelloRandom ...
    ...
    ...
    << sendCertificate.
    << sendServerHelloDone. >> handleData <com.ibm.sslite.e@3ae78375> >> handleHandshake
    <com.ibm.sslite.e@3ae78375> >> handshakeV3 type = 16 >> clientKeyExchange. >> handleData
    <com.ibm.sslite.e@3ae78375> >> handleChangeCipherSpec
    <com.ibm.sslite.e@3ae78375> >> handleData <com.ibm.sslite.e@3ae78375> >> handleHandshake
    <com.ibm.sslite.e@3ae78375> >> handshakeV3 type = 20 >> finished.
    << sendChangeCipherSpec. << sendFinished.


Trace security

The classes that implement WAS security are:

To view detailed information on the run time behavior of security...

Fine tuning SAS traces:

If a subset of classes need to be traced for the SAS/CSIv2 component, a system property can be specified with the class names comma separated:

    com.ibm.CORBA.securityTraceFilter=SecurityConnectionInterceptorImpl, VaultImpl,

Fine tuning Security traces:

If a subset of packages need to be traced, specify a trace specification more detailed than com.ibm.ws.security.*=all=enabled. For example, to trace just dynamic policy code, we can specify...

    com.ibm.ws.security.policy.*=all=enabled

To disable dynamic policy trace, we can specify...

    com.ibm.ws.security.policy.*=all=disabled

(zos) Configure CSIv2, or z/SAS Trace Settings

Situations arise where reviewing trace for the CSIv2 and z/SAS authentication protocols can assist in troubleshooting difficult problems.

Configure CSIv2, or SAS Trace Settings

Situations arise where reviewing trace for the CSIv2 or SAS authentication protocols can assist in troubleshooting difficult problems. This section describes how to enable to CSIv2 and SAS trace.

Enable Client-Side CSIv2 and SAS Trace

To enable CSIv2 and SAS trace on a pure client, the following steps need to be taken:

  • Edit...

      WebSphere/AppServer/properties/TraceSettings.properties

  • In this file, change traceFileName= to point to the path in which we want the ouput file created. Make sure you put a double backslash (\\) between each subdirectory. For example...

      traceFileName=c:\\WebSphere\\AppServer\\logs\\sas_client.log

  • In this file, add the trace specification string:

      SASRas=all=enabled

    Any additional trace strings can be added on separate lines.

  • Point to this file from within the client application. On the Java command line where you launch the client, add the following system property:

      -DtraceSettingsFile=TraceSettings.properties

    Do not give the fully qualified path to the TraceSettings.properties file. Make sure the TraceSettings.properties file is in the class path.

(iseries) Enable Client-Side CSIv2 and SAS Trace

To enable CSIv2 and SAS trace on a pure client, the following steps need to be taken:

  • Edit...

      /WebSphere/AppServer/properties/TraceSettings.properties

    For example, edit profile_root/properties/TraceSettings.properties.

  • In this file, change traceFileName= to point to the path in which we want the output file created. For example...

  • n this file, add the trace specification string:

      SASRas=all=enabled

    Any additional trace strings can be added on separate lines.

  • Point to this file from within the client application. On the Java command line where you launch the client, add the following system property:

      -DtraceSettingsFile=TraceSettings.properties

    Do not give the fully qualified path to the TraceSettings.properties file. Make sure the TraceSettings.properties file is in the class path.

Enable Server-Side CSIv2 and SAS Trace

To enable SAS trace in an application server, complete the following:

  • Add the trace specification, SASRas=all=enabled, to the server.xml file or add it to the Trace settings within the WebConsole GUI.

  • Typically it is best to also trace the authorization security runtime in addition to the authentication protocol runtime. To do this, use the following two trace specifications in combination:

      SASRas=all=enabled:com.ibm.ws.security.*=all=enabled

  • When troubleshooting a connection type problem, it is beneficial to trace both CSIv2 and SAS or CSIv2 and z/SAS and the ORB. To do this, use the following three trace specifications:

      SASRas=all=enabled:com.ibm.ws.security.*=all=enabled:ORBRas=all=enabled

  • In addition to adding these trace specifications, for ORB trace there are a couple of system properties that also need to be set. Go to the ORB settings in the GUI and add the following two properties:

      com.ibm.CORBA.Debug=true
      com.ibm.CORBA.CommTrace=true


CSIv2 CORBA minor codes

Whenever exceptions occur within the security code on either the client or server, the eventual exception becomes a Common Object Request Broker (CORBA) exception. Any exception that occurs gets embedded in a CORBA exception because the CORBA architecture is used by the security service for its own inter-process communication. CORBA exceptions are generic and indicate a problem in communication between two components. CORBA minor codes are more specific and indicate the underlying reason that a component could not complete a request.

The following shows the CORBA minor codes that a client can expect to receive after running a security-related request such as authentication. It also includes the CORBA exception type that the minor code appears in.

The following exception shows an example of a CORBA exception where the minor code is 49424300 and indicates Authentication Failure. Typically, a descriptive message is also included in the exception to assist in troubleshooting the problem. Here, the detailed message is: "Exception caught invoking authenticateBasicAuthData from SecurityServer for user jdoe. Reason: com.ibm.WebSphereSecurity.AuthenticationFailedException" which indicates that the authentication failed for user jdoe.

The completed field in the exception indicates whether the method was completed or not. In the case of a NO_PERMISSION, never invoke the message; therefore it is always completed:No. Other exceptions that are caught on the server side can have a completed status of "Maybe" or "Yes".

Minor code name Minor code value (in hex) Exception type (all in the package of org.omg.CORBA .*) Minor code description Retry performed by stand-alone client (when authenticationRetryEnabled = true) Retry performed by server acting as a client (when authenticationRetryEnabled = true)
AuthenticationFailed 49424300 NO_PERMISSION This code is a generic authentication failed error. It does not give any details about whether or not the user ID or password is valid. Some user registries can choose to use this type of error code, others can choose to use the next three types that are more specific. Yes Yes
InterceptLocateException 494210B8 INTERNAL Problem when processing an incoming locate request. No No
InvalidUserid 49424301 NO_PERMISSION This code occurs when the registry returns bad user ID. Yes No
InvalidPassword 49424302 NO_PERMISSION This code occurs when the registry returns a bad password. Yes No
InvalidSecurityCredentials 49424303 NO_PERMISSION This is a generic error indicating that the credentials are bad for some reason. It might be that the right attributes are not set. Yes, if client has BasicAuth credential (token based credential was rejected in the first place). Yes
InvalidRealm 49424304 NO_PERMISSION This code occurs when the REALM in the token received from the client does not match the server's current realm. No No
ValidationFailed 49424305 NO_PERMISSION A validation failure occurs when a token is sent from the client or server to a target server but the token format or the expiration is not valid. Yes, if client has BasicAuth credential (token based credential was rejected in the first place). Yes
CredentialTokenExpired 49424306 NO_PERMISSION This code is more specific about why the validation failed. In this case, the token has an absolute lifetime and the lifetime has expired. Therefore, it is no longer a valid token and cannot be used. Yes, if client has BasicAuth credential (token based credential was rejected in the first place). Yes
InvalidCredentialToken 49424307 NO_PERMISSION This is more specific about why the validation failed. In this case, the token cannot be decrypted or the data within the token is not readable. Yes, if client has BasicAuth credential (token based credential was rejected in the first place). No
SessionDoesNotExist 49424308 NO_PERMISSION The CSIv2 session does not exist on the server. Typically, a retry occurs automatically and successfully creates a new session. Yes Yes
SessionConflictingEvidence 49424309 NO_PERMISSION A session already exists on the server that matches the context_id sent over by the client. However, the information provided by the client for this EstablishContext message is different from the information originally provided to establish the session. Yes Yes
SessionRejected 4942430A NO_PERMISSION The session referenced by the client has been previously rejected by the server. Yes Yes
SecurityServerNotAvailable 4942430B NO_PERMISSION This error occurs when the server cannot contact the local or remote security server in order to authenticate or validate. No No
InvalidIdentityToken 4942430C NO_PERMISSION Identity cannot be obtained from the identity token when Identity Assertion is enabled. No No
IdentityServerNotTrusted 4942430D NO_PERMISSION The server ID of the sending server is not on the target server's trusted principal list.

(zos) Verify that the server ID of the sending server is permitted to the CBIND profile.

No No
InvalidMessage 4942430E NO_PERMISSION The CSIv2 message format is not valid for the receiving server. No No
MappingFailed 4942430F NO_PERMISSION An error occurred mapping an inbound subject using the RMI Inbound system login configuration. No No
RevokedSecurityName 49424310 NO_PERMISSION The user id is revoked. Yes No
ExpiredPassword 49424311 NO_PERMISSION The password is expired. Yes No
AuthenticationNotSupported 49421090 NO_PERMISSION This error occurs when a mechanism does not support authentication (very rare). No No
InvalidSecurityMechanism 49421091 NO_PERMISSION This is used to indicate that the specified security mechanism is not known. No No
CredentialNotAvailable 49421092 NO_PERMISSION Credential is not available when it is required. No No
SecurityMechanismNotSupported 49421093 NO_PERMISSION A security mechanism specified in the CSIv2 token is not implemented on the server. No No
ValidationNotSupported 49421094 NO_PERMISSION A mechanism does not support validation, such as LocalOS. This error does not occur since the LocalOS credential is not a forwardable credential, therefore, validation never needs to be called on this credential. No No
CredentialTokenNotSet 49421095 NO_PERMISSION This is used to indicate that the token inside the credential is null. No No
InvalidEvidence 49421096 NO_PERMISSION Client authentication is required at the server. However, authentication information is not present in the method request from the client. No No
UserRegistryMethod_Protected 49421098 NO_PERMISSION An attempt was made to remotely access a protected UserRegistry method. No No
ServerConnectionFailed 494210A0 COMM_FAILURE This error is used when a connection attempt fails. Yes (via ORB retry) Yes (via ORB retry)
CorbaSystemException 494210B0 INTERNAL This code is a generic CORBA specific exception in system code. No No
JavaException 494210B1 INTERNAL This is a generic error that indicated that an unexpected Java exception occurred. No No
ValueIsNull 494210B2 INTERNAL This code is used to indicate that a value or parameter that passed in is null. No No
EffectivePolicyNotPresent 494210B3 INTERNAL An effective policy object for CSIv2 is not present. This object is used to determine what security configuration features are specified. No No
NullPointerException 494210B4 INTERNAL This code is used to indicate that a NullPointerException is caught in the runtime. No No
ErrorGettingClassInstance 494210B5 INTERNAL Problem loading a class dynamically. No No
MalFormedParameters 494210B6 INTERNAL Parameters are not valid. No No
DuplicateSecurityAttributeType 494210B7 INTERNAL Duplicate credential attribute specified during the set_attributes operation. No No
MethodNotImplemented 494210C0 NO_IMPLEMENT Method invoked is not implemented. No No
GSSFormatError 494210C5 BAD_PARAM This code indicates that a Generic Security Services (GSS) encoding or decoding routine has created an exception. No No
TagComponentFormatError 494210C6 BAD_PARAM This code indicates that a tag component cannot be read properly. No No
InvalidSecurityAttributeType 494210C7 BAD_PARAM This code indicates an attribute type specified during the set_attributes operation is not a valid type. No No
SecurityConfigError 494210CA INITIALIZE This code indicates a problem exists between the client and server configuration. No No

For current information available from IBM Support on known problems and their resolution, see the IBM Support page.

IBM Support has documents that can save you time gathering information needed to resolve this problem. Before opening a PMR, see the IBM Support page.


Related concepts

Troubleshooting help from IBM
  • Object Request Broker service settings
  • Diagnose and fix problems: Resources for learning