WebSphere

Portal Express, Version 6.0
Operating systems: i5/OS, Linux, Windows

Troubleshoot security

This section contains information that can assist you in preventing, identifying, and correcting problems related to IBM® WebSphere® Portal Express.

For information related to specific components, see the appropriate troubleshooting topic.

 

Problem: LDAP configuration via wizard fails because of transaction time-out

LDAP configuration via the configuration wizard fails if the transaction times out before the task can be completed.

 

Solution: Use the WebSphere Application Server Administrative Console to increase the value of the WebSphere Portal Express server's Total transaction lifetime timeout setting and Client inactivity timeout setting.

 

Problem: Creating users when specifying a preferred language in Microsoft Active Directory fails

If Microsoft® Active Directory in Windows 2000 or Windows 2003 is the LDAP server for the portal and you need to specify a preferred language when you create users, perform the workaround before you create any users. Otherwise, the attempt to create the users will fail and the following message will be displayed:

Backend storage system failed. Please try again later.

 

Solution:

  1. Add preferredLanguage to the Active Directory user schema. Refer to the Microsoft Active Directory documentation for specific instructions.

  2. Add or uncomment the following mapping to the wmmLDAPServerAttributes.xml file on the WebSphere Portal Express machine:

    <attributeMap  wmmAttributeName="preferredLanguage"
                   pluginAttributeName="preferredLanguage"
                   applicableMemberTypes="Person"
                   dataType="String"
                   valueLength="256"
                   multiValued="false"
                   readOnly="false"/>

 

Problem: When using Active Directory, resetting an attribute to an empty string does not work

It is not possible to set an attribute to an empty string in combination with using the Active Directory LDAP. For example, in the Selfcare portlet, you cannot reset the preferred language to Nothing selected if the attribute is retrieved from Active Directory where the preferred language is set to a specific language.

 

Solution: This is a limitation with Active Directory.

 

Problem: The "<" and ">" characters display incorrectly

In WP ConfigurationService, there is a flag to enable or disable the Cross Site Scripting (CSS) security protection.

 

Solution: It might be desirable to disable CSS protection if you use form input fields that contain "less than" and "greater than" signs. When a form containing such characters is POSTed to a portlet, "<" arrives as "&lt;" and ">" as "&gt;". Other non-alphabetic characters such as "&", single quotes, and double quotes arrive as typed. Disabling CSS protection allows "<" and ">" to arrive as typed; with protection enabled, these characters are encoded to minimize the security risk of markup typed into a field disrupting portal content.

Disabling CSS is done at the portal level and not just the portlet level. While it might be convenient to disable the CSS protection in some circumstances, it exposes a potential vulnerability when passing form input into a Web application.

Some secure programs could unwittingly accept data from an untrusted user (the attacker) and pass that data on to a different user's application (the victim). If the secure program does not protect the victim, the victim's application (in this case, his or her Web browser) can then process that data in a way harmful to the victim.

This is a particularly common problem for all web applications using HTML or XML, where the problem is known by several names including "cross-site scripting," "malicious HTML tags," or "malicious content," and can happen on SSL and non-SSL connections. While activating portal CSS protection automatically prevents a good deal of CSS attacks, it cannot prevent all of them. The web developer must always validate all user-provided data and correct character escaping prior to writing user-provided data to the markup stream. With a successful CSS attack, the hacker could gain complete access to some pages. Here are some of the problems associated with not implementing this security feature:

See http://www-128.ibm.com/developerworks/web/library/wa-secxss/?ca=dnt-55 for additional information.

The relevant entry in WP ConfigurationService is:

# Flag whether Cross-Site-Scripting security protection is turned on.
#
# Default: true
security.css.protection = true

Verify this property value entry in Configuration service, as described in Setting configuration properties.
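As an added illustration (not code from the original page or from WebSphere Portal), the following Python models the two behaviours the text describes: the portal-level protection that encodes only "<" and ">", and the fuller escaping a portlet should apply itself before writing user-provided data to the markup stream. The sample inputs are constructed.

```python
import html

# Constructed sample form inputs; not taken from the original page.
SAMPLE_INPUTS = {
    "comparison": "5 < 10 and 10 > 5",
    "script": "<script>alert(1)</script>",
    "mixed": 'Tom & Jerry say "hi" and \'bye\'',
}


def portal_style_encode(value: str) -> str:
    """Model of the behaviour the page describes for
    security.css.protection = true: only '<' and '>' are replaced,
    while '&', single quotes and double quotes pass through unchanged.
    This is an illustration, not the portal's own implementation."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def full_html_encode(value: str) -> str:
    """What a portlet should do itself before writing user-provided data
    into the markup stream: escape every HTML-significant character."""
    return html.escape(value, quote=True)


def is_safe_in_text_node(encoded: str) -> bool:
    """True if no raw tag delimiter survived encoding."""
    return "<" not in encoded and ">" not in encoded


def is_safe_in_quoted_attribute(encoded: str) -> bool:
    """True if the value cannot terminate a quoted attribute early."""
    return is_safe_in_text_node(encoded) and '"' not in encoded and "'" not in encoded


def compare(value: str) -> dict:
    """Show both encodings side by side for one input."""
    portal = portal_style_encode(value)
    full = full_html_encode(value)
    return {
        "portal_only": portal,
        "portal_safe_in_attribute": is_safe_in_quoted_attribute(portal),
        "portlet_escaped": full,
        "portlet_safe_in_attribute": is_safe_in_quoted_attribute(full),
    }


if __name__ == "__main__":
    for label, text in SAMPLE_INPUTS.items():
        print(label, compare(text))
```

The comparison shows why the page insists that developers still escape: the portal flag leaves "&" and both quote characters untouched, so a value that is harmless as text between tags can still break out of a quoted attribute. Keeping the flag enabled and escaping in the portlet covers both cases.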

 

Problem: Pipe character used with the Credential Vault

 

Solution: Only the names of vault segments, vault slots, and resources cannot contain the pipe character. The vertical bar (|) character can be used in the description.

 

Problem: The validate-ldap task fails when configuring Active Directory over SSL

If configuring Active Directory over SSL, the validate-ldap task might fail with the following message:

javax.naming.CommunicationException: Request: 1 cancelled

 

Solution: Apply Windows 2000 Service Pack 4 to Active Directory to correct this issue.

Details can be found in Microsoft Knowledge Base Article - 320711 Accessing Active Directory with LDAP by Using Sun JNDI Calls May Not Work.

 

Problem: Special characters limitation in Member Distinguished Name

Member Manager cannot be used to create a member entry in a repository if the entry has RDN attributes whose values contain any of the following special characters: "#", "," (comma), "+", """ (double quote), "\" (backslash), "<", ">", or ";" (semicolon).

 

Solution: If you need member entries whose names contain these special characters, create the entry directly in the repository instead of through Member Manager; Member Manager can still be used to read, update, remove, and search the entry. For example, for an LDAP server, use an LDAP server tool or another LDAP application instead of Member Manager to create the entry in the LDAP server.

 

Problem: Syntax error on Sun ONE LDAP when importing PortalUsers.ldif

You might get a syntax error when importing the shipped sample PortalUsers.ldif into Sun One.

 

Solution: Comment out the dc: example,dc=com line to avoid the syntax error.

dn: dc=example,dc=com
objectclass: domain
objectclass: top
#Add lines according to this scheme that correspond to your suffix
dc: example,dc=com      <-- remove this line to avoid the syntax error
dc: example
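The following Python is an added example, not part of the original page or the shipped PortalUsers.ldif: a small LDIF entry parser plus a check that the naming (RDN) attribute of an entry carries a plain value rather than a DN fragment, which is exactly the malformed line above. Both LDIF fragments are constructed from the page's example.

```python
# Constructed sample LDIF fragments modelled on the page's example.
BROKEN_LDIF = """dn: dc=example,dc=com
objectclass: domain
objectclass: top
# Add lines according to this scheme that correspond to your suffix
dc: example,dc=com
dc: example
"""

FIXED_LDIF = """dn: dc=example,dc=com
objectclass: domain
objectclass: top
dc: example
"""


def parse_ldif_entry(text: str):
    """Parse one LDIF entry into (dn, {attribute: [values]}).
    Comment lines ('#') are skipped; attribute names are lower-cased."""
    dn = None
    attrs = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an attribute line: %r" % line)
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError("entry has no dn")
    return dn, attrs


def split_dn(dn: str):
    """Split a DN into its RDN strings on unescaped commas."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def check_naming_attribute(text: str):
    """Return a list of problems with the entry's naming (RDN) attribute."""
    dn, attrs = parse_ldif_entry(text)
    attr, _, expected = split_dn(dn)[0].partition("=")
    attr, expected = attr.strip().lower(), expected.strip()
    values = attrs.get(attr, [])
    problems = []
    if expected not in values:
        problems.append("RDN value %r missing from attribute %r" % (expected, attr))
    for v in values:
        if "=" in v:  # an attribute value never contains DN syntax
            problems.append("%s: %r looks like a DN fragment, not a value" % (attr, v))
    return problems


if __name__ == "__main__":
    print("broken:", check_naming_attribute(BROKEN_LDIF))
    print("fixed: ", check_naming_attribute(FIXED_LDIF))
```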

 

Problem: Unable to see pages in Pixo browser

When using the Pixo Internet Microbrowser 2.1 device emulator on a PC, you will not be able to see any pages on your secure portal. This problem is caused by a defect in the Pixo simulator that affects supported cookies. WebSphere Portal Express with WebSphere Application Server global security enabled requires two cookies, JSESSIONID and LtpaToken. The JSESSIONID cookie is used to identify the WebSphere Portal Express session in the browser. LtpaToken is used to identify the user for WebSphere Application Server global security. Although two valid cookies are set for this domain, the Pixo browser only sends the most recently set cookie, which causes LtpaToken to replace JSESSIONID. Although LtpaToken allows the user to access WebSphere Portal Express, the browser is unidentified; therefore, the user will not be able to see any pages.

 

Solution: Use a real device, or use a different device emulator for cHTML testing.

 

Problem: Browser back button can show secured page after logout

With some browsers you might be able to view the information from a previous portal session by using the back button after logout. When you log out and click the back button, you can see the page that was last viewed.

 

Example scenario: You view an e-mail and click Log out. The portal returns to the Login panel. If you then click the back button, you might be able to view the e-mail again, depending on your browser.

The problem concerns only the display and view of data. The portal or the displayed data cannot be modified as clicking the back button does not undo the logout.

 

Cause: When you click the back button, the browser returns to the data cached by the browser.

 

Solution: Users can prevent the display of secured pages by either closing the browser after logout or clearing the browser cache.

 

Problem: Failed Stop Operation

If the stopServer.log file contains the following error:

A ADMU0111E: Program exiting with error:
javax.management.JMRuntimeException:
ADMN0022E: Access denied for the stop operation on Server MBean due to insufficient
or empty credentials.

 

Solution: Choose one of the following options:

 

Problem: Single sign-on not functioning between WebSphere Portal Express and other applications on the same WebSphere Application Server installation

Under certain circumstances, there is a problem with single sign-on between WebSphere Portal Express and other applications on the same WebSphere Application Server installation. When this problem occurs, you cannot log in to an application on the application server (for example, the WebSphere Application Server Administrative console) and then log in to a portal running on the same application server without authenticating again; that is, single sign-on fails. The portal displays a misleading error message saying that the user's portal session has timed out, and then prompts the user to log in again.

 

Cause: The session cookie of the other application is not properly specified (the cookie path is too general) and is therefore also sent to the portal. In most cases, the cookie is specified as a simple slash (/). The portal application mistakes this as an old, invalid portal session cookie.

 

Solution: Follow these steps to ensure that the application's session cookie is scoped to that application only:

  1. Log in to the WebSphere Application Server Administrative console.

  2. Navigate to Applications > Enterprise Applications > respective application > Session Management, where respective application is the application with which single sign-on does not work.

  3. Click the Enable Cookies link (not the check box).

  4. Set the cookie path value to the complete application base path.

    For example, the Administrative console of the application server would be /admin.

  5. Click Apply to save the changes and then restart the application.
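To make the cause concrete, here is an added Python example (not from the page or from WebSphere) that applies the HTTP cookie path-matching rule to a constructed two-application scenario: an admin console and a portal on one host. The host name, paths and cookie jars are hypothetical; the point is which cookies reach the portal before and after the path is scoped.

```python
from urllib.parse import urlsplit

# Constructed scenario (hypothetical host and paths, not from the page):
# the admin console and the portal run on one WebSphere Application Server.
PORTAL_URL = "https://portal.example.com/wps/myportal"
ADMIN_URL = "https://portal.example.com/admin/secure/logon.do"

# (cookie name, cookie path, issuing application)
TOO_GENERAL = [
    ("JSESSIONID", "/", "admin console"),   # path too general: also sent to the portal
    ("LtpaToken", "/", "WebSphere SSO"),    # the SSO token is meant to be host-wide
]
SCOPED = [
    ("JSESSIONID", "/admin", "admin console"),  # scoped to the application base path
    ("LtpaToken", "/", "WebSphere SSO"),
]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265, section 5.1.4 'path-match'."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def cookies_sent(jar, url: str):
    """Names (with issuer) of the cookies a browser attaches to a request for url."""
    request_path = urlsplit(url).path or "/"
    return sorted((name, issuer) for name, path, issuer in jar
                  if path_matches(request_path, path))


def portal_sees_foreign_session(jar) -> bool:
    """True when a JSESSIONID issued by another application reaches the portal,
    the condition the page describes as producing the bogus time-out message."""
    return any(name == "JSESSIONID" and issuer != "portal"
               for name, issuer in cookies_sent(jar, PORTAL_URL))


if __name__ == "__main__":
    print("path '/':      ", cookies_sent(TOO_GENERAL, PORTAL_URL))
    print("path '/admin': ", cookies_sent(SCOPED, PORTAL_URL))
```

With the cookie path set to /admin the admin console still receives its own session cookie (and the LtpaToken needed for single sign-on), while requests to the portal no longer carry a foreign JSESSIONID. Note that /admin does not match /administrator: path-match requires a "/" boundary after the cookie path.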

 

Problem: Cannot use the XML configuration interface if it is externalized in security

If the virtual resource XML_ACCESS that represents access to the XML configuration interface is externalized to Computer Associates eTrust SiteMinder and therefore put under the protection of eTrust SiteMinder, you can no longer use the XML configuration interface.

 

Solution: If the access rights of WebSphere Portal Express are externalized to eTrust SiteMinder, do not externalize the XML configuration interface virtual resource.

 

Problem: When using Lotus Domino, cannot create users and groups

If you are using IBM Lotus® Domino® and edit the access control list of NAMES.NSF so that "Maximum Internet name and password" is set to "Reader", you may notice that you are no longer able to create users and groups in WebSphere Portal Express.

 

Solution: The recommended setting for "Maximum Internet name and password" is "Author" or higher. By setting this field to "Reader", you would be overriding the regular settings in the access control list and thereby limiting the Author/Editor access that is necessary for WebSphere Portal Express to function successfully with Lotus Domino as the LDAP server.

To access the "Maximum Internet name and password" setting, open NAMES.NSF with a Lotus Notes client by selecting File > Database > Open and then File > Database > Access Control > Advanced. Options for this setting range from "No Access" to "Manager".

 

Problem: Collaborative portlets require additional configuration for compatibility with eTrust SiteMinder

Many features of the Domino and Extended Products Portlets will not work if your eTrust SiteMinder-protected portal environment is not properly configured. Problems include failure of awareness, failure of the IBM Lotus Sametime® server to authenticate with the Lotus Web Conferencing portlet, failure of the My Lotus QuickPlaces portlet to connect to the IBM Lotus QuickPlace® server, and inability of the Domino Web Access and Lotus Notes View portlets to find mail files for the current user.

 

Solution: You need to edit the CSEnvironment.properties file to use the eTrust SiteMinder token. See Customizing Collaborative Services user credentials for eTrust SiteMinder.

For more details, refer to the following troubleshooting technote:

Technote 1190655: Awareness, connection and authentication problems if Collaborative Portlets v5.1 not configured for eTrust SiteMinder properly

 

Problem: Collaborative portlets require additional configuration for compatibility with Tivoli Access Manager

Many features of the Domino and Extended Products Portlets will not work if your Tivoli Access Manager-protected portal environment is not properly configured. Problems include failure of awareness, failure of the Lotus Sametime server to authenticate with the Lotus Web Conferencing portlet, and failure of the My Lotus QuickPlaces portlet to connect to the Lotus QuickPlace server.

Solution: An interim fix is available on the IBM Support Web site. Refer to the following troubleshooting technote:

Technote 1191185: Awareness, Connection and Authentication Problems if Collaborative Portlets v5.1 not Configured for Tivoli Access Manager

 

Problem: Collaborative portlets require an interim fix to STlinks applet to work in Mozilla

In the Mozilla browser, many problems in collaborative portlets result from the version of the STlinks applet configured on the IBM Lotus Sametime server, as well as versions of other related files. For example, a timing problem prevents the Who Is Here and Lotus Web Conferencing portlets from working if deployed on the same page, awareness may fail, the Chat button in the Domino Web Access portlet may not work, and the Who Is Here portlet may be unable to display the membership list.

Solution: An interim fix for the STlinks applet is available on the IBM Support Web site.

Corrected files are available to solve the problems above. Refer to the following troubleshooting technote:

Technote 1191188: Lotus Collaborative Portlets v5.1 Exhibit Problems when Accessed via Mozilla Browser

 

Problem: Distinguished names containing escape characters cause people awareness to function incorrectly in several Domino and Extended Products Portlets

Portlets with this problem include Lotus Web Conferencing, My Lotus QuickPlaces, and Sametime Contact List.

Solution: An interim fix is available on the IBM Support Web site. Read the following technote:

Technote 1191190: People Awareness in v5.1 of Lotus Collaboration Center Portlets Does not Function Properly

 

Problem: SSO for Domino and Extended Products fails for users containing LDAP special characters in their distinguished names

LDAP (Lightweight Directory Access Protocol) special characters existing in distinguished names of either users or groups prevent Single Sign-On (SSO) from working correctly between WebSphere Portal Express, IBM Lotus Sametime, IBM Lotus QuickPlace and Lotus Domino databases unless configuration fixes are applied to the servers.

For example, a user whose name contains special characters may be asked to authenticate with the Mail, Calendar, or Address book instances of the Domino and Extended Products Portlets. The LDAP special characters are:

Also, the / and @ are Lotus Domino special characters and will cause the same problems without the interim fixes available from Lotus Technical Support.

Solution: Interim fixes are available on the IBM Support Web site. Refer to the following troubleshooting technote:

Technote 1191194: SSO for Domino Extended Products Fails for Users Containing LDAP Special Characters in their Distinguished Names
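The special-character limitation above and the earlier Member Manager limitation (creating entries whose RDN values contain "#", ",", "+", """, "\", "<", ">" or ";") both come down to RFC 4514 DN escaping. The following Python is an added example, not code from the page or from IBM: it escapes an attribute value for use in an RDN and reverses the escaping, so that an entry created directly with an LDAP tool (as the Member Manager workaround suggests) has a well-formed DN. Sample names are constructed.

```python
# RFC 4514 special characters; the same set the page lists for Member Manager.
DN_SPECIAL = set(',+"\\<>;#')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514 section 2.4).
    Every character in DN_SPECIAL is backslash-escaped; leading and trailing
    spaces are escaped too, since a DN parser would otherwise trim them."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def unescape_rdn_value(value: str) -> str:
    """Reverse escape_rdn_value; also accepts the '\\XX' hex form."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def build_dn(rdn_pairs, base_dn: str) -> str:
    """Build 'attr=value,...,base_dn' with every RDN value escaped."""
    rdns = ["%s=%s" % (attr, escape_rdn_value(val)) for attr, val in rdn_pairs]
    return ",".join(rdns + [base_dn])


if __name__ == "__main__":
    # Constructed sample entry; the base DN is hypothetical.
    print(build_dn([("cn", "Doe, Jane <jane>")], "ou=people,dc=example,dc=com"))
```

Escaping fixes only the LDAP side of the problem. The page notes that "/" and "@" are Lotus Domino special characters that need the Domino interim fixes; they are not in the RFC 4514 set, so escaping them in the DN does nothing for that case.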

 

Problem: Data backend exception while creating new users

Within WebSphere Portal Express you can set a password's minimum and maximum length. If the set password lengths differ from your LDAP server's policy, you might see the following exception when creating a user:

EJPSG0015E: Data Backend Problem com.ibm.websphere.wmm.exception.WMMSystemException:
The following Naming Exception occurred during processing:
"javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D:
SvcErr: DSID-031A0FBC, problem 5003 (WILL_NOT_PERFORM), data 0
]; remaining name 'cn=see1anna,cn=users,dc=wps510,dc=rtp,dc=raleigh,dc=ibm,dc=com';
resolved object com.sun.jndi.ldap.LdapCtx@7075b1b4".

Solution: Check and/or modify the puma.PASSWORD.min and puma.PASSWORD.max properties within Puma. The keys should match your LDAP server's policy.

 

Problem: SSL Connection fails after configuring SSL to LDAP

If you configured the connection to LDAP via SSL in Member Manager, the connection fails because of invalid or missing certificates.

When a certificate truststore is configured within the wmm.xml file via the sslTrustStore property, this truststore will be used as default truststore by all applications in the Portal Server Java Virtual Machine. This includes all portlets deployed on the Portal Server as well as the themes and skins. If you used the default Java truststore, cacerts, to store your trusted certificates before switching to LDAP via SSL, these certificates will no longer be found, which causes the SSL connection to fail.

 

Solution: Use one of the following three solutions:

 

Problem: Membership of deleted user not removed from target repository

When deleting a user/group from an LDAP using the WebSphere Portal Express administrator functions, some LDAP servers do not clean up the user/group's membership. Therefore, if a new user/group is created with the same name, it is placed in the existing membership. For example, the new user would belong to the same groups as the deleted user.

 

Solution: Configure Member Manager to update the repository. Follow these steps to enable this feature:

  1. Open the wmm.xml file.

  2. Add updateGroupMembership="true" as an attribute to the ldaprepository tag.

If using the SUN ONE and Domino adapters, this parameter will be set to true by default.

 

Problem: Cannot logon to the WebSphere Application Server Administrative Console with short name

You cannot log on to the WebSphere Application Server Administrative Console with the short name when you use an Oracle database, LookAside is set to true in the wpconfig.properties file, and LDAP is configured with realm support.

Solution: Log on to the WebSphere Application Server Administrative Console with the full administrator DN.

 

Problem: Users and groups not moved to new registry after running enable-security-xxx tasks

The enable-security-xxx tasks do not move users and groups from one registry to another. For example, running the enable-security-ldap task does not move users and groups from the default database to an LDAP user registry.

 

Solution: Manually move users and groups to the final user registry as soon as possible after installation. If you use an LDAP user registry or a customer-supplied custom user registry, use registry-specific tools to recreate the users and groups.

If you use a database user registry configuration (an IBM-supplied custom user registry), create your users and groups after running the enable-security-xxx task.

 

Problem: Validation of userid does not work as expected

User attribute validation is only performed for mandatory attributes. These attributes are defined in the wmmAttributes.xml file.

Solution: Verify that the attribute you are using for the user logon id is marked as mandatory in the wmmAttributes.xml file.

 

Problem: validate-ldap task fails if password contains $

Passwords containing $ in the wpconfig.properties file cause problems because of a limitation or special use of the $ character in ANT.

 

Solution: To maintain backward compatibility with older ANT releases, a single $ character encountered apart from a property-like construct (including a matched pair of french braces) is interpreted literally, that is, as $. Therefore, use the escaping mechanism unconditionally to specify the character, so that $$$$ results in $$. Warning: Mixing the two approaches yields unpredictable results; $$$ results in $$.
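The rule above is easy to get wrong by hand, so here is an added Python example (not from the page, and not Ant's own code) that models how a property value is read under that rule and shows why a password must be escaped unconditionally. The property names and passwords are constructed.

```python
def expand_ant_value(value: str, props=None) -> str:
    """Model of how Ant reads a property value, as the page describes:
    '$$' yields one literal '$', '${name}' is replaced by the property's
    value, and any other lone '$' is kept literally for backward
    compatibility. (Illustration of the rule, not Ant's implementation.)"""
    props = props or {}
    out, i, n = [], 0, len(value)
    while i < n:
        ch = value[i]
        if ch != "$":
            out.append(ch)
            i += 1
        elif value.startswith("$$", i):
            out.append("$")
            i += 2
        elif value.startswith("${", i) and "}" in value[i:]:
            end = value.index("}", i)
            name = value[i + 2:end]
            out.append(props.get(name, value[i:end + 1]))  # unknown property stays literal
            i = end + 1
        else:
            out.append("$")  # lone '$': literal, per the backward-compatibility rule
            i += 1
    return "".join(out)


def escape_for_wpconfig(password: str) -> str:
    """Escape unconditionally, as the page recommends: every '$' becomes '$$'."""
    return password.replace("$", "$$")


def round_trips(password: str) -> bool:
    """True if escaping the password and then reading it back gives the original."""
    return expand_ant_value(escape_for_wpconfig(password)) == password


if __name__ == "__main__":
    for pw in ["pa$$word", "p$w$", "$"]:   # constructed sample passwords
        print(repr(pw), "unescaped ->", repr(expand_ant_value(pw)),
              "| escaped ->", repr(expand_ant_value(escape_for_wpconfig(pw))))
```

The unescaped value "pa$$word" is read as "pa$word", which is why validate-ldap binds with the wrong password; the escaped form "pa$$$$word" reads back correctly.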

 
