Security authorization provider troubleshooting tips

If we have problems configuring JACC, check the following items:

• Ensure that the parameters are correct. For example, we do not want a number after TAM_Policy_server_hostname:7135, but we do want be a number after TAM_Authorization_server_hostname:7136 (for example, TAM_Authorization_server_hostname:7136:1).

• If a message such as "server can't be contacted" is displayed, it is possible that the host names or port numbers of the ISAM servers are incorrect, or that the ISAM servers have not started.

• Ensure that the password for the sec_master user is correct.

• Check SystemOut.log and search for the AMAS string to see if any error messages are present.

If the server does not start after JACC is configured:

• Ensure that WAS and ISAM use the same LDAP server.

• If the message "Policy Director Authentication failed" is displayed, ensure that:
  • WAS LDAP server ID is the same as the "Administrator user" in the ISAM JACC configuration panel.
  • Verify that the ISAM Administrator distinguished name (DN) is correct.
  • Verify that the password of the ISAM administrator has not expired and is valid.
  • Ensure that the account is valid for the ISAM administrator.

• If a message such as socket can't be opened for xxxx (where xxxx is a number) is displayed:
  1. cd profile_root/etc/tam

  2. If the deployment manager failed to start, change xxxx to an available port number in amwas.commomconfig.properties and amwas*cellName_dmgr.properties.

  3. If the node failed to start, change xxx to an available port number in amwas*cellName_nodeName_.properties.

  4. If the Application Server failed to start, change xxxx in amwas*cellname_nodeName_serverName.properties.

The application might not deploy properly

When we click Save, the policy and role information is propagated to the ISAM policy. This process might take some time to finish. If the save fails, uninstall the application and then reinstall it.

To access an application after it is installed, we must wait 30 seconds, by default, to start the application after you save.

The startServer command might fail

The startServer command might fail after configuring ISAM or a clean uninstall did not take place after unconfiguring JACC.

If the cleanup for JACC unconfiguration or start server fails after JACC is configured, take the following actions:

• Remove ISAM properties files from WAS.

  For each application server in a WAS ND (ND) environment with N servers defined (for example, server1, server2) remove the following files:

  install_root/tivoli/tam/PdPerm.properties
  install_root/tivoli/tam/PdPerm.ks
  profile_root/etc/tam/*

• Clear the security configuration and return the system to the state it was in before configuring the JACC provider for ISAM.
  install_root/java/jre/bin/java -classpath "install_root/lib/AMJACCProvider.jar:CLASSPATH" com.tivoli.pd.as.jacc.cfg.CleanSecXML /path/to/security.xml

  The utility removes all of the PDLoginModuleWrapper entries as well as the ISAM authorization table entry from security.xml, effectively removing the JACC provider for ISAM. Backup security.xml before running.

"HPDIA0202 An unknown user name was presented to Access Manager"

We might encounter the following error message if we try to use an existing user in a LDAP user registry with ISAM:

AWXJR0008E Failed to create a PDPrincipal for principal mgr1.: AWXJR0007E A ISAM exception was caught. Details are: "HPDIA0202W An unknown user name was presented to Access Manager."

This problem might be caused by the host name exceeding predefined limits with ISAM when it is configured against MS Active Directory. In WAS, the maximum length of the host name can not exceed 46 characters.

Check that the host name is not fully qualified. Configure the machine so that the host name does not include the host domain.

To correct this error:

1. On the command line, type the following information to get an ISAM command prompt:
   pdadmin -a administrator_name -p administrator_password

   The pdadmin administrator_name prompt is displayed. For example:

   pdadmin -a administrator1 -p passw0rd

2. At the pdadmin command prompt, import the user from the LDAP user registry to ISAM by typing the following information:
   user import user_name cn=user_name,o=organization_name,c=country

   For example:

   user import jstar cn=jstar,o=ibm,c=us

After importing the user to ISAM, use the user modify command to set the user account to valid. The following syntax shows how to use this command:

user modify user_name account-valid yes

For example:

user modify jstar account-valid yes

For information on how to import a group from LDAP to ISAM, see the ISAM documentation.

"HPDAC0778E: The specified user's account is set to invalid"

We might encounter the following error message after we import a user to ISAM and restart the client:

AWXJR0008E Failed to create a PDPrincipal for principal mgr1.: AWXJR0007E A ISAM exception was caught. Details are: "HPDAC0778E The specified user's account is set to invalid."

To correct this error, use the user modify command to set the user account to valid. The following syntax shows how to use this command:

user modify user_name account-valid yes

For example:

user modify jstar account-valid yes

"HPDJA0506E: Invalid argument: Null or zero-length user name field for the ACL entry"

We might encounter an error similar to the following message when you propagate the security policy information from the application to the provider using the wsadmin propagatePolicyToJACCProvider command:

AWXJR0035E An error occurred while attempting to add member, cn=agent3,o=ibm,c=us, to role AgentRole HPDJA0506E Invalid argument: Null or zero-length user name field for the ACL entry

To correct this error, create or import the user, that is mapped to the security role to the ISAM. For more information on propagating the security policy information, see the documentation for our authorization provider.

WASX7017E: Exception received while running file "InsuranceServicesSingle.jacl"

After the JACC provider and ISAM are enabled, when attempting to install the application, which is configured with security roles using the wsadmin command, the following error might occur:

WASX7017E: Exception received while running file "InsuranceServicesSingle.jacl"; exception information: com.ibm.ws.scripting.ScriptingException: WASX7111E: Cannot find a match for supplied option: "[RuleManager,,, cn=mgr3,o=ibm,c=us|cn=agent3,o=ibm,c=us, cn=ManagerGro up,o=ibm,c=us|cn=AgentGroup,o=ibm,c=us]" for task "MapRolesToUsers"

The $AdminApp MapRolesToUsers task option is no longer valid when ISAM is used as the authorization server. To correct the error, change MapRolesToUsers to TAMMapRolesToUsers.

Access denied exceptions accessing applications when using JACC

In the case of ISAM, we might see the following error message.

AWXJR0044E: The access decision for Permission, {0}, was denied because either the PolicyConfiguration or RoleConfiguration objects did not get created successfully at application installation time. RoleConfiguration exists = {false}, PolicyConfiguration exists = {"false"}.

If the access denied exceptions are not expected for the application, check SystemOut.log to see if the security policy information was correctly propagated to the provider.

If the security policy information for the application is successfully propagated to the provider, the audit statements with the message key SECJ0415I appear. However, if there was a problem propagating the security policy information to the provider (for example: network problems, JACC provider is not available), check SystemOut.log for error message with the message keys SECJ0396E (during install) or SECJ0398E (during modification). The installation of the application is not stopped due to a failure to propagate the security policy to the JACC provider. Also, in the case of failure, no exception or error messages appear during the save operation. When the problem causing this failure is fixed, run the propagatePolicyToJaccProvider tool to propagate the security policy information to the provider without reinstalling the application.

"HPDBA0219E: An error occurred reading data from an SSL connection"

An error message (HPDBA0219E) might appear in dmgr SystemOut.log when we install an application on WAS ND (ND) and a managed node with ISAM is enabled.

If the error occurs, then the security policy data of recently deployed applications might not be immediately available. The policy data is available based on the server replicate time of the ISAM. This is defaulted to 30 seconds after all updates have been completed. To ensure that the latest policy data is available, log on to the pdadmin console and type: server replicate.

Related:

Authorization providers

ISAM integration as the JACC provider

JACC providers

JACC support in WAS

Troubleshoot security configurations

Enable an external JACC provider

Authorizing access to Java EE resources using ISAM

Propagating security policy of installed applications to a JACC provider

Interfaces that support JACC

IBM ISAM for e-business information center

High Performance Extensible Logging